continue;
if (exec_directory_is_private(context, t) &&
- !(context->root_directory || context->root_image)) {
+ !exec_context_with_rootfs(context)) {
char *private_root;
/* So this is for a dynamic user, and we need to make sure the process can access its own
}
if (exec_directory_is_private(context, t) &&
- (context->root_directory || context->root_image))
+ exec_context_with_rootfs(context))
/* When RootDirectory= or RootImage= are set, then the symbolic link to the private
* directory is not created on the root directory. So, let's bind-mount the directory
* on the 'non-private' place. */
return c->mount_apivfs;
/* Default to "yes" if root directory or image are specified */
- if (c->root_image || !empty_or_root(c->root_directory))
+ if (exec_context_with_rootfs(c))
return true;
return false;
#include "namespace.h"
#include "nsflags.h"
#include "numa-util.h"
+#include "path-util.h"
#include "time-util.h"
#define EXEC_STDIN_DATA_MAX (64U*1024U*1024U)
return (c->restrict_namespaces & NAMESPACE_FLAGS_ALL) != NAMESPACE_FLAGS_ALL;
}
+static inline bool exec_context_with_rootfs(const ExecContext *c) {
+ assert(c);
+
+ /* Checks if RootDirectory= or RootImage= are used */
+
+ return !empty_or_root(c->root_directory) || c->root_image;
+}
+
typedef enum ExecFlags {
EXEC_APPLY_SANDBOXING = 1 << 0,
EXEC_APPLY_CHROOT = 1 << 1,