From cdde6ba6b6949bd7922368962c569a22131b199a Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Mon, 30 Apr 2018 21:20:50 +0200
Subject: [PATCH] nspawn: mount boot ID from temporary file in /tmp
Let's not make /run too special and let's make sure the source file is not guessable: let's use our regular temporary file helper calls to create the source node.
---
 src/nspawn/nspawn.c | 22 +++++++++++++---------
 1 file changed, 13 insertions(+), 9 deletions(-)
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 47ceb0c6342..f16413bda69 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1470,31 +1470,35 @@ static int setup_resolv_conf(const char *dest) {
 }
 static int setup_boot_id(void) {
+ _cleanup_(unlink_and_freep) char *from = NULL;
+ _cleanup_free_ char *path = NULL;
 sd_id128_t rnd = SD_ID128_NULL;
- const char *from, *to;
+ const char *to;
 int r;
 /* Generate a new randomized boot ID, so that each boot-up of
 * the container gets a new one */
- from = "/run/proc-sys-kernel-random-boot-id";
- to = "/proc/sys/kernel/random/boot_id";
+ r = tempfn_random_child(NULL, "proc-sys-kernel-random-boot-id", &path);
+ if (r < 0)
+ return log_error_errno(r, "Failed to generate random boot ID path: %m");
 r = sd_id128_randomize(&rnd);
 if (r < 0)
 return log_error_errno(r, "Failed to generate random boot id: %m");
- r = id128_write(from, ID128_UUID, rnd, false);
+ r = id128_write(path, ID128_UUID, rnd, false);
 if (r < 0)
 return log_error_errno(r, "Failed to write boot id: %m");
+ from = TAKE_PTR(path);
+ to = "/proc/sys/kernel/random/boot_id";
+
 r = mount_verbose(LOG_ERR, from, to, NULL, MS_BIND, NULL);
- if (r >= 0)
- r = mount_verbose(LOG_ERR, NULL, to, NULL,
- MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NODEV, NULL);
+ if (r < 0)
+ return r;
- (void) unlink(from);
- return r;
+ return mount_verbose(LOG_ERR, NULL, to, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL);
 }
 static int copy_devnodes(const char *dest) {
-- 
2.39.5
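Review bot: If `id128_write(path, ...)` fails after it has already created the file, the node is left behind in the temporary directory, because `path` is only `_cleanup_free_` and ownership moves to the unlinking `from` variable only once the write has succeeded. Declaring the name once as `_cleanup_(unlink_and_freep) char *path = NULL;` and passing `path` to the first `mount_verbose()` call would cover that error path too, assuming the cleanup helper tolerates a name that was never created. Separately, the source node now sits in a directory that is typically world-writable, so its integrity rests on the random name plus whatever flags `id128_write()` opens the file with, which this hunk does not show; a short comment above the `tempfn_random_child()` call such as `/* Name is random; id128_write() must not follow a pre-existing symlink at this path */` would record that assumption for the next reader. The `MS_NOEXEC` flag added to the read-only remount is not mentioned in the commit message and deserves a word there.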