From: bauen1 Date: Fri, 25 Sep 2020 16:45:29 +0000 (+0200) Subject: core: ensure that namespace tmp directories always get the correct label X-Git-Tag: v247-rc1~164 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=19cd4e1967ddb0a576688793a050a9f01e714928;p=thirdparty%2Fsystemd.git core: ensure that namespace tmp directories always get the correct label If a namespace with PrivateTmp=true is constructed we need to restore the context of the namespaces /tmp directory (i.e. /tmp/systemd-private-XXXXX/tmp) to the (default) context of /tmp . Otherwise filetransitions might result in the namespaces tmp directory having the wrong context. --- diff --git a/src/core/namespace.c b/src/core/namespace.c index 565dc468262..92df97c4fb2 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -2114,25 +2114,9 @@ static int make_tmp_prefix(const char *prefix) { } -static int make_tmp_subdir(const char *parent, char **ret) { - _cleanup_free_ char *y = NULL; - - y = path_join(parent, "/tmp"); - if (!y) - return -ENOMEM; - - RUN_WITH_UMASK(0000) { - if (mkdir(y, 0777 | S_ISVTX) < 0) - return -errno; - } - - if (ret) - *ret = TAKE_PTR(y); - return 0; -} - static int setup_one_tmp_dir(const char *id, const char *prefix, char **path, char **tmp_path) { _cleanup_free_ char *x = NULL; + _cleanup_free_ char *y = NULL; char bid[SD_ID128_STRING_MAX]; sd_id128_t boot_id; bool rw = true; @@ -2166,9 +2150,21 @@ static int setup_one_tmp_dir(const char *id, const char *prefix, char **path, ch } if (rw) { - r = make_tmp_subdir(x, tmp_path); + y = strjoin(x, "/tmp"); + if (!y) + return -ENOMEM; + + RUN_WITH_UMASK(0000) { + if (mkdir(y, 0777 | S_ISVTX) < 0) + return -errno; + } + + r = label_fix_container(y, prefix, 0); if (r < 0) return r; + + if (tmp_path) + *tmp_path = TAKE_PTR(y); } else { /* Trouble: we failed to create the directory. Instead of failing, let's simulate /tmp being * read-only. This way the service will get the EROFS result as if it was writing to the real