return _NAMESPACE_TYPE_INVALID;
}
+bool namespace_type_supported(NamespaceType type) {
+ assert(type >= 0 && type < _NAMESPACE_TYPE_MAX);
+
+ const char *p = pid_namespace_path(0, type);
+ return access(p, F_OK) >= 0;
+}
+
static int pidref_namespace_open_by_type_internal(const PidRef *pidref, NamespaceType type, bool *need_verify) {
int r;
NamespaceType clone_flag_to_namespace_type(unsigned long clone_flag);
+bool namespace_type_supported(NamespaceType type);
+
int pidref_namespace_open_by_type(const PidRef *pidref, NamespaceType type);
int namespace_open_by_type(NamespaceType type);
if (c->protect_hostname == PROTECT_HOSTNAME_NO)
return 0;
- if (ns_type_supported(NAMESPACE_UTS)) {
+ if (namespace_type_supported(NAMESPACE_UTS)) {
if (unshare(CLONE_NEWUTS) < 0) {
if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) {
*ret_exit_status = EXIT_NAMESPACE;
* own user namespace). We need CAP_NET_ADMIN to be able to configure the loopback device in
* the new network namespace. And if we don't have that, then we could only create a network
* namespace without the ability to set up "lo". Hence gracefully skip things then. */
- if (ns_type_supported(NAMESPACE_NET) && have_effective_cap(CAP_NET_ADMIN) > 0) {
+ if (namespace_type_supported(NAMESPACE_NET) && have_effective_cap(CAP_NET_ADMIN) > 0) {
r = setup_shareable_ns(runtime->shared->netns_storage_socket, CLONE_NEWNET);
if (ERRNO_IS_NEG_PRIVILEGE(r))
log_exec_notice_errno(context, params, r,
exec_namespace_is_delegated(context, params, have_cap_sys_admin, CLONE_NEWIPC) == delegate &&
runtime->shared && runtime->shared->ipcns_storage_socket[0] >= 0) {
- if (ns_type_supported(NAMESPACE_IPC)) {
+ if (namespace_type_supported(NAMESPACE_IPC)) {
r = setup_shareable_ns(runtime->shared->ipcns_storage_socket, CLONE_NEWIPC);
if (ERRNO_IS_NEG_PRIVILEGE(r))
log_exec_warning_errno(context, params, r,
* use cgroup namespace, we ignore the setting and do not unshare the namespace.
* ProtectControlGroups=private and strict get downgraded to no and yes respectively. This ensures
* that strict always gets a read-only mount of /sys/fs/cgroup/. */
- if (needs_cgroup_namespace(context->protect_control_groups) && !ns_type_supported(NAMESPACE_CGROUP)) {
+ if (needs_cgroup_namespace(context->protect_control_groups) && !namespace_type_supported(NAMESPACE_CGROUP)) {
if (context->protect_control_groups == PROTECT_CONTROL_GROUPS_PRIVATE)
return PROTECT_CONTROL_GROUPS_NO;
if (context->protect_control_groups == PROTECT_CONTROL_GROUPS_STRICT)
bool exec_needs_pid_namespace(const ExecContext *context) {
assert(context);
- return context->private_pids != PRIVATE_PIDS_NO && ns_type_supported(NAMESPACE_PID);
+ return context->private_pids != PRIVATE_PIDS_NO && namespace_type_supported(NAMESPACE_PID);
}
bool exec_needs_mount_namespace(
return 1;
}
-bool ns_type_supported(NamespaceType type) {
- const char *t, *ns_proc;
-
- t = namespace_type_to_string(type);
- if (!t) /* Don't know how to translate this? Then it's not supported */
- return false;
-
- ns_proc = strjoina("/proc/self/ns/", t);
- return access(ns_proc, F_OK) == 0;
-}
-
static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
[PROTECT_HOME_NO] = "no",
[PROTECT_HOME_YES] = "yes",
DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(protect_control_groups, ProtectControlGroups, PROTECT_CONTROL_GROUPS_YES);
-static const char* const namespace_type_table[] = {
- [NAMESPACE_MOUNT] = "mnt",
- [NAMESPACE_CGROUP] = "cgroup",
- [NAMESPACE_UTS] = "uts",
- [NAMESPACE_IPC] = "ipc",
- [NAMESPACE_USER] = "user",
- [NAMESPACE_PID] = "pid",
- [NAMESPACE_NET] = "net",
- [NAMESPACE_TIME] = "time",
-};
-
-DEFINE_STRING_TABLE_LOOKUP(namespace_type, NamespaceType);
-
static const char* const protect_proc_table[_PROTECT_PROC_MAX] = {
[PROTECT_PROC_DEFAULT] = "default",
[PROTECT_PROC_NOACCESS] = "noaccess",
MountImage* mount_image_free_many(MountImage *m, size_t *n);
int mount_image_add(MountImage **m, size_t *n, const MountImage *item);
-
-const char* namespace_type_to_string(NamespaceType t) _const_;
-NamespaceType namespace_type_from_string(const char *s) _pure_;
-
-bool ns_type_supported(NamespaceType type);
s->exec_runtime->shared &&
s->exec_runtime->shared->netns_storage_socket[0] >= 0) {
- if (ns_type_supported(NAMESPACE_NET)) {
+ if (namespace_type_supported(NAMESPACE_NET)) {
r = setup_shareable_ns(s->exec_runtime->shared->netns_storage_socket, CLONE_NEWNET);
if (r < 0) {
log_unit_error_errno(UNIT(s), r, "Failed to join network namespace: %m");
test_table(mount_result, MOUNT_RESULT);
test_table(mount_state, MOUNT_STATE);
test_table(name_policy, NAMEPOLICY);
- test_table(namespace_type, NAMESPACE_TYPE);
test_table(notify_access, NOTIFY_ACCESS);
test_table(notify_state, NOTIFY_STATE);
test_table(output_mode, OUTPUT_MODE);
projects / thirdparty / systemd.git / commitdiff
