]> git.ipfire.org Git - thirdparty/systemd.git/commit
projects / thirdparty / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: d85a0f8) | patch
core: on DynamicUser= make sure that protecting sensitive paths is enforced (#4596)
authorDjalal Harouni <tixxdz@opendz.org>
Sun, 6 Nov 2016 22:31:55 +0000 (23:31 +0100)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Wed, 9 Nov 2016 02:57:32 +0000 (21:57 -0500)
commitaf964954c6a44bd664efe89052ced9584a966baa
treee54b31af3547951962576bf0486765284cc6b489tree | snapshot
parentd85a0f802851e79efdb09acaa1ce517f7127ad28commit | diff
core: on DynamicUser= make sure that protecting sensitive paths is enforced (#4596)

This adds a variable that is always set to false to make sure that
protect paths inside sandbox are always enforced and not ignored. The only
case when it is set to true is on DynamicUser=no and RootDirectory=/chroot
is set. This allows users to use more our sandbox features inside RootDirectory=

The only exception is ProtectSystem=full|strict and when DynamicUser=yes
is implied. Currently RootDirectory= is not fully compatible with these
due to two reasons:

* /chroot/usr|etc has to be present on ProtectSystem=full
* /chroot// has to be a mount point on ProtectSystem=strict.
src/core/execute.c diff | blob | blame | history
src/core/namespace.c diff | blob | blame | history
src/core/namespace.h diff | blob | blame | history
Unnamed repository; edit this file 'description' to name the repository.