return context->private_network || context->network_namespace_path;
}
+static bool exec_needs_ipc_namespace(const ExecContext *context) {
+ assert(context);
+
+ return context->private_ipc || context->ipc_namespace_path;
+}
+
bool exec_needs_mount_namespace(
const ExecContext *context,
const ExecParameters *params,
context->protect_control_groups ||
context->protect_proc != PROTECT_PROC_DEFAULT ||
context->proc_subset != PROC_SUBSET_ALL ||
- context->private_ipc ||
- context->ipc_namespace_path)
+ exec_needs_ipc_namespace(context))
return true;
if (context->root_directory) {
.protect_system = context->protect_system,
.protect_proc = context->protect_proc,
.proc_subset = context->proc_subset,
- .private_ipc = context->private_ipc || context->ipc_namespace_path,
+ .private_ipc = exec_needs_ipc_namespace(context),
/* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
.mount_nosuid = context->no_new_privileges && !mac_selinux_use(),
};
log_unit_warning(unit, "PrivateNetwork=yes is configured, but the kernel does not support network namespaces, ignoring.");
}
- if ((context->private_ipc || context->ipc_namespace_path) && runtime && runtime->ipcns_storage_socket[0] >= 0) {
+ if (exec_needs_ipc_namespace(context) && runtime && runtime->ipcns_storage_socket[0] >= 0) {
if (ns_type_supported(NAMESPACE_IPC)) {
r = setup_shareable_ns(runtime->ipcns_storage_socket, CLONE_NEWIPC);
assert(id);
/* It is not necessary to create ExecRuntime object. */
- if (!exec_needs_network_namespace(c) && !c->private_ipc && !c->private_tmp) {
+ if (!exec_needs_network_namespace(c) && !exec_needs_ipc_namespace(c) && !c->private_tmp) {
*ret = NULL;
return 0;
}
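Review bot: The replacement on the `if (!exec_needs_network_namespace(c) && ...)` line is not behaviour-preserving, unlike the other substitutions in this commit: the old test looked only at `c->private_ipc`, so a unit with IpcNamespacePath= but no PrivateIPC= returned `*ret = NULL` here and never got an ExecRuntime, whereas the helper now also counts `ipc_namespace_path`. That looks intentional and is arguably a fix, since the later hunk that creates the ipcns storage socketpair already used the wider `private_ipc || ipc_namespace_path` condition and was unreachable for such units without a runtime, so the configured IPC namespace joining was silently skipped. It is worth stating explicitly in the commit message that this hunk changes which units get a runtime, rather than letting the change read as a pure refactor; a one-line comment above the condition such as `/* IpcNamespacePath= alone also needs a runtime, for the ipcns storage socket */` would help the next reader too. The enclosing function starts and ends outside this hunk, so I cannot confirm whether any other early-return path depends on the old narrower condition.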
return -errno;
}
- if (c->private_ipc || c->ipc_namespace_path) {
+ if (exec_needs_ipc_namespace(c)) {
if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, ipcns_storage_socket) < 0)
return -errno;
}