From 0722b359342d2a9f9e0d453875624387a0ba1be2 Mon Sep 17 00:00:00 2001
From: Jan Synacek
Date: Tue, 12 Jun 2018 10:03:08 +0200
Subject: [PATCH] namespace: always use a root directory when setting up namespace

1) mv /var/tmp /var/tmp.old
2) mkdir /tmp/varrr
3) ln -s /tmp/varrr /var/tmp

Now, when a service has PrivateTmp=yes, during namespace setup, /tmp is first mounted over with a new mount. Then, when /var/tmp is being resolved, it points to /tmp/varrr, which by then doesn't exist, because it had already been obscured.
---
 src/core/namespace.c | 16 +++++++---------
 1 file changed, 7 insertions(+), 9 deletions(-)

diff --git a/src/core/namespace.c b/src/core/namespace.c
index bb19e18e435..ae2b9205032 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -1173,19 +1173,17 @@ int setup_namespace(
 if (root_directory)
 root = root_directory;
- else if (root_image || n_bind_mounts > 0 || n_temporary_filesystems > 0) {
-
- /* If we are booting from an image, create a mount point for the image, if it's still missing. We use
- * the same mount point for all images, which is safe, since they all live in their own namespaces
- * after all, and hence won't see each other. We also use such a root directory whenever there are bind
- * mounts configured, so that their source mounts are never obstructed by mounts we already applied
- * while we are applying them. */
+ else {
+ /* Always create the mount namespace in a temporary directory, instead of operating
+ * directly in the root. The temporary directory prevents any mounts from being
+ * potentially obscured my other mounts we already applied.
+ * We use the same mount point for all images, which is safe, since they all live
+ * in their own namespaces after all, and hence won't see each other. */
 root = "/run/systemd/unit-root";
 (void) mkdir_label(root, 0700);
 require_prefix = true;
- } else
- root = NULL;
+ }
 
 n_mounts = namespace_calculate_mounts(
 root,
-- 
2.39.2
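Review bot: The new comment in the `else` branch has a typo and a misleading term: `obscured my other mounts` should read `obscured by other mounts`, and `/run/systemd/unit-root` is not a temporary directory but a fixed path that is created once with `mkdir_label` and shared by every unit, so the first two sentences would be clearer as `/* Always set up the mounts under a dedicated root directory instead of operating directly on /, so that mounts applied later cannot obscure the sources of earlier ones (e.g. a /var/tmp symlink pointing into an already over-mounted /tmp). */`. Because this branch is now taken for every unit that reaches it without a RootDirectory=, the discarded result of `(void) mkdir_label(root, 0700)` matters more than before: any failure other than the directory already existing is only surfaced later by whatever mount is attempted on that path, with a less specific error. Whether mkdir_label reports an existing directory as success or as an EEXIST-style error is not visible in this hunk, so confirm that before changing the call to fail on anything other than an already-present directory. setup_namespace starts before and continues after this hunk.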