namespace: drop all mounts outside of the new root directory

author Lennart Poettering <lennart@poettering.net>

Fri, 26 Aug 2016 15:25:40 +0000 (17:25 +0200)

committer Djalal Harouni <tixxdz@opendz.org>

Sun, 25 Sep 2016 08:52:57 +0000 (10:52 +0200)
author Lennart Poettering <lennart@poettering.net>
Fri, 26 Aug 2016 15:25:40 +0000 (17:25 +0200)
committer Djalal Harouni <tixxdz@opendz.org>
Sun, 25 Sep 2016 08:52:57 +0000 (10:52 +0200)
diff --git a/src/core/namespace.c b/src/core/namespace.c

index a7451ffbdc2f5f794e1a65ce9e852e5470a6edb0..c9b2154985f4532113a4021beaeead4ab3144cc3 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -199,6 +199,31 @@ static void drop_nop(BindMount *m, unsigned *n) {
          *n = t - m;
  }
  
+static void drop_outside_root(const char *root_directory, BindMount *m, unsigned *n) {
+        BindMount *f, *t;
+
+        assert(m);
+        assert(n);
+
+        if (!root_directory)
+                return;
+
+        /* Drops all mounts that are outside of the root directory. */
+
+        for (f = m, t = m; f < m+*n; f++) {
+
+                if (!path_startswith(f->path, root_directory)) {
+                        log_debug("%s is outside of root directory.", f->path);
+                        continue;
+                }
+
+                *t = *f;
+                t++;
+        }
+
+        *n = t - m;
+}
+
  static int mount_dev(BindMount *m) {
          static const char devnodes[] =
                  "/dev/null\0"
@@ -631,6 +656,7 @@ int setup_namespace(
                  qsort(mounts, n, sizeof(BindMount), mount_path_compare);
  
                  drop_duplicates(mounts, &n);
+                drop_outside_root(root_directory, mounts, &n);
                  drop_inaccessible(mounts, &n);
                  drop_nop(mounts, &n);
          }
author	Lennart Poettering <lennart@poettering.net>
	Fri, 26 Aug 2016 15:25:40 +0000 (17:25 +0200)
committer	Djalal Harouni <tixxdz@opendz.org>
	Sun, 25 Sep 2016 08:52:57 +0000 (10:52 +0200)