core: new feature MountImages
index 39ffcba5802dff4b4e78c4b216fcef9239da1514..123396f6f0b6c7bdef71e033c521f76ed4c6f44d 100644 (file)
@@ -1932,6 +1932,9 @@ static bool exec_needs_mount_namespace(
         if (context->n_temporary_filesystems > 0)
                 return true;
 
+        if (context->n_mount_images > 0)
+                return true;
+
         if (!IN_SET(context->mount_flags, 0, MS_SHARED))
                 return true;
 
@@ -2570,6 +2573,9 @@ static bool insist_on_sandboxing(
         if (root_dir || root_image)
                 return true;
 
+        if (context->n_mount_images > 0)
+                return true;
+
         if (context->dynamic_user)
                 return true;
 
@@ -2669,6 +2675,8 @@ static int apply_mount_namespace(
                             n_bind_mounts,
                             context->temporary_filesystems,
                             context->n_temporary_filesystems,
+                            context->mount_images,
+                            context->n_mount_images,
                             tmp_dir,
                             var_tmp_dir,
                             context->log_namespace,
@@ -4234,6 +4242,7 @@ void exec_context_done(ExecContext *c) {
         temporary_filesystem_free_many(c->temporary_filesystems, c->n_temporary_filesystems);
         c->temporary_filesystems = NULL;
         c->n_temporary_filesystems = 0;
+        c->mount_images = mount_image_free_many(c->mount_images, &c->n_mount_images);
 
         cpu_set_reset(&c->cpu_set);
         numa_policy_reset(&c->numa_policy);
@@ -5025,6 +5034,12 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
                 else
                         fprintf(f, "%d\n", c->syscall_errno);
         }
+
+        for (i = 0; i < c->n_mount_images; i++)
+                fprintf(f, "%sMountImages: %s%s:%s\n", prefix,
+                        c->mount_images[i].ignore_enoent ? "-": "",
+                        c->mount_images[i].source,
+                        c->mount_images[i].destination);
 }
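Review bot: The new loop reuses the function-scope index `i` whose declaration lies outside the hunk; if that variable is narrower than or differently signed from `n_mount_images` (presumably `size_t`, like the other `n_*` counters in this file), the `i < c->n_mount_images` comparison mixes signedness and the loop would be cleaner with its own index, `for (size_t j = 0; j < c->n_mount_images; j++)`. The hunk does not show whether `source` and `destination` are guaranteed non-NULL for every entry; passing a NULL pointer to `%s` is undefined behaviour, so if the parser can leave either field unset the dump should wrap them in `strna()`. A short comment would help readers map the output back to the unit-file syntax, e.g. `/* one line per image: optional '-' (ignore_enoent), then source:destination */`. The body of exec_context_dump begins before this hunk.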
 
 bool exec_context_maintains_privileges(const ExecContext *c) {