From 6818c54ca6663c008fad77d2677c61758c7215f5 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Sun, 12 Feb 2017 06:44:46 +0100
Subject: core: skip ReadOnlyPaths= and other permission-related mounts on PermissionsStartOnly= (#5309)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

ReadOnlyPaths=, ProtectHome=, InaccessiblePaths= and ProtectSystem= are about restricting access and little more, hence they should be disabled if PermissionsStartOnly= is used or ExecStart= lines are prefixed with a "+". Do that.

(Note that we will still create namespaces and stuff, since that's about a lot more than just permissions. We'll simply disable the effect of the four options mentioned above, but nothing else mount related.)

This also adds a test for this, to ensure this works as intended.

No documentation updates, as the documentation are already vague enough to support the new behaviour ("If true, the permission-related execution options…"). We could clarify this further, but I think we might want to extend the switches' behaviour a bit more in future, hence leave it at this for now.

Fixes: #5308
--- test/test-execute/exec-read-only-path-succeed.service | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 test/test-execute/exec-read-only-path-succeed.service (limited to 'test') diff --git a/test/test-execute/exec-read-only-path-succeed.service b/test/test-execute/exec-read-only-path-succeed.service new file mode 100644 index 0000000000..b54d48f281 --- /dev/null +++ b/test/test-execute/exec-read-only-path-succeed.service 
@@ -0,0 +1,8 @@ +[Service] +Type=oneshot +# This should work, as we explicitly disable the effect of ReadOnlyPaths= +ExecStart=+/bin/touch /tmp/thisisasimpletest +# This should also work, as we do not disable the effect of ReadOnlyPaths= but invert the exit code +ExecStart=/bin/sh -x -c '! /bin/touch /tmp/thisisasimpletest' +ExecStart=+/bin/rm /tmp/thisisasimpletest +ReadOnlyPaths=/tmp -- cgit v1.2.3-54-g00ecf
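Review bot: The second `ExecStart=` line (`/bin/sh -x -c '! /bin/touch /tmp/thisisasimpletest'`) passes on any failure of `touch`, not only when `ReadOnlyPaths=/tmp` is actually being enforced, so the test can succeed for the wrong reason (for example if `/bin/touch` is unavailable in the test environment). Consider asserting something that only the read-only mount can cause, such as the file's timestamp being unchanged after the attempt. Separately, the two `+`-prefixed lines run without the unit's permission-related restrictions against a fixed name in `/tmp`, and because a failing command in a `Type=oneshot` unit stops the remaining `ExecStart=` lines, the final `/bin/rm` is skipped whenever the second step fails, leaving the file behind for the next run. A directory owned by the test, with cleanup moved to `ExecStopPost=`, would keep the test repeatable and avoid acting on a predictable path in a shared directory.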