core: lets apply working directory just after mount namespaces

This makes applying groups after applying the working directory, this
may allow some flexibility but at same it is not a big deal since we
don't execute or do anything between applying working directory and
droping groups.

diff --git a/src/core/execute.c b/src/core/execute.c
index 0b6fcc9ac76fcf1fd7e30ee8cbcd321a4d4c4f2c..a9e39f6fd76fe7c56ce1b9f11fa4b2fae0751fcd 100644 (file)
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2559,6 +2559,13 @@ static int exec_child(
                 }
         }
 
+        /* Apply just after mount namespace setup */
+        r = apply_working_directory(context, params, home, needs_mount_namespace);
+        if (r < 0) {
+                *exit_status = EXIT_CHROOT;
+                return r;
+        }
+
         /* Drop group as early as possbile */
         if ((params->flags & EXEC_APPLY_PERMISSIONS) && !command->privileged) {
                 r = enforce_groups(context, gid, supplementary_gids, ngids);
@@ -2568,12 +2575,6 @@ static int exec_child(
                 }
         }
 
-        r = apply_working_directory(context, params, home, needs_mount_namespace);
-        if (r < 0) {
-                *exit_status = EXIT_CHROOT;
-                return r;
-        }
-
 #ifdef HAVE_SELINUX
         if ((params->flags & EXEC_APPLY_PERMISSIONS) &&
             mac_selinux_use() &&