]> git.ipfire.org Git - thirdparty/systemd.git/blobdiff - src/core/execute.h
projects / thirdparty / systemd.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
core: use LSM BPF functions to implement RestrictFileSystems=
[thirdparty/systemd.git] / src / core / execute.h
diff --git a/src/core/execute.h b/src/core/execute.h
index 64a38b2d26a277e0d321f81f2c583be0e53d8dae..560dcbcc5eb57b6ee675852699be4bc2061d4afa 100644 (file)
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -314,6 +314,9 @@ struct ExecContext {
 
         unsigned long restrict_namespaces; /* The CLONE_NEWxyz flags permitted to the unit's processes */
 
+        Set *restrict_filesystems;
+        bool restrict_filesystems_allow_list:1;
+
         Hashmap *syscall_filter;
         Set *syscall_archs;
         int syscall_errno;
@@ -342,6 +345,13 @@ static inline bool exec_context_restrict_namespaces_set(const ExecContext *c) {
         return (c->restrict_namespaces & NAMESPACE_FLAGS_ALL) != NAMESPACE_FLAGS_ALL;
 }
 
+static inline bool exec_context_restrict_filesystems_set(const ExecContext *c) {
+        assert(c);
+
+        return c->restrict_filesystems_allow_list ||
+          !set_isempty(c->restrict_filesystems);
+}
+
 static inline bool exec_context_with_rootfs(const ExecContext *c) {
         assert(c);
 
Unnamed repository; edit this file 'description' to name the repository.