From: Lennart Poettering
Date: Tue, 17 Feb 2026 14:46:45 +0000 (+0100)
Subject: core: introduce exec_context_with_rootfs_strict() as a stricter version of exec_conte...
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=087f2ec34410061216a91a3a00987a73ec504e44;p=thirdparty%2Fsystemd.git
core: introduce exec_context_with_rootfs_strict() as a stricter version of exec_context_with_rootfs()
We have two very similar checks in place: in some contexts we want to know if *any* RootDirectory= is configured, in the other we want to suppress if it is configured to our regular root. Let's add a helper for both (even if we only need it once), to make the mirrored behaviour clear.
---
diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c
index a0b0a87a659..298fd0754e7 100644
--- a/src/core/exec-invoke.c
+++ b/src/core/exec-invoke.c
@@ -4530,10 +4530,8 @@ static bool exec_needs_cap_sys_admin(const ExecContext *context, const ExecParam
 context->bind_log_sockets > 0 ||
 context->n_bind_mounts > 0 ||
 context->n_temporary_filesystems > 0 ||
- context->root_directory ||
- context->root_directory_as_fd ||
+ exec_context_with_rootfs_strict(context) ||
 !strv_isempty(context->extension_directories) ||
- context->root_image ||
 context->n_mount_images > 0 ||
 context->n_extension_images > 0 ||
 context->protect_system != PROTECT_SYSTEM_NO ||
diff --git a/src/core/execute.c b/src/core/execute.c
index 51d6996e720..8e5796b92ac 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
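Review bot: The new call in exec_needs_cap_sys_admin() carries no hint of why the strict variant is required there, and the two helper names differ only by a suffix, so a later cleanup could swap in exec_context_with_rootfs() and silently stop counting an explicitly configured `RootDirectory=/` in this condition. The replacement is equivalent to the three removed field checks, so behaviour is preserved today. Judging by the function name the condition feeds a privilege decision, which is why the distinction deserves to be spelled out at the call site, e.g. `/* strict variant: an explicitly configured root counts here even if it is "/" */` above the added line. The body of exec_needs_cap_sys_admin() starts and ends outside this hunk.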
@@ -2063,6 +2063,16 @@ bool exec_context_with_rootfs(const ExecContext *c) {
 return !empty_or_root(c->root_directory) || c->root_image || c->root_directory_as_fd;
 }
+bool exec_context_with_rootfs_strict(const ExecContext *c) {
+ assert(c);
+
+ /* just like exec_context_with_rootfs(), but doesn't suppress a root directory of "/", i.e. returns
+ * true in more cases: when a root directory is explicitly configured, even if it's our usual
+ * root. */
+
+ return c->root_directory || c->root_image || c->root_directory_as_fd;
+}
+
 int exec_context_has_vpicked_extensions(const ExecContext *context) {
 int r;
diff --git a/src/core/execute.h b/src/core/execute.h
index 6624c3a71ce..6fe0d5e5707 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -577,6 +577,7 @@ char** exec_context_get_restrict_filesystems(const ExecContext *c);
 bool exec_context_restrict_namespaces_set(const ExecContext *c);
 bool exec_context_restrict_filesystems_set(const ExecContext *c);
 bool exec_context_with_rootfs(const ExecContext *c);
+bool exec_context_with_rootfs_strict(const ExecContext *c);
 int exec_context_has_vpicked_extensions(const ExecContext *context);
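Review bot: exec_context_with_rootfs_strict() in src/core/execute.c repeats the field list of exec_context_with_rootfs() directly above it, and only the new helper's comment mentions the other one, so a root file system source added later has to be remembered in both places. A one-line cross-reference in the existing helper, such as `/* Keep the field list in sync with exec_context_with_rootfs_strict() below */`, would make the pairing visible from either side. The new comment could also state that the test on `c->root_directory` is a plain non-NULL check, so any stored value counts; whether an empty string can be stored there is not visible in this hunk. exec_context_with_rootfs() starts outside the hunk.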