From: Luca Boccassi
Date: Thu, 17 Mar 2022 23:37:29 +0000 (+0000)
Subject: core: insist on sandboxing if ExtensionImages/Directories are configured
X-Git-Tag: v251-rc1~118
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=4355c04fef3e5217944e481456ce9c3839f66fda;p=thirdparty%2Fsystemd.git

core: insist on sandboxing if ExtensionImages/Directories are configured

Same as other image mounting in the namespace
---

diff --git a/src/core/execute.c b/src/core/execute.c
index ba57bbc2791..b6021397ce3 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3415,6 +3415,9 @@ static bool insist_on_sandboxing(
 if (context->dynamic_user)
 return true;
 
+ if (context->n_extension_images > 0 || !strv_isempty(context->extension_directories))
+ return true;
+
 /* If there are any bind mounts set that don't map back onto themselves, fs namespacing becomes
 * essential. */
 for (size_t i = 0; i < n_bind_mounts; i++)
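Review bot: The added `n_extension_images` / `extension_directories` check has no comment, unlike the bind-mount check directly below it, so the reason these settings make namespacing mandatory is recorded only in the one-line commit message. A short comment above the new `if` would keep that reasoning next to the code, for example `/* Extension images/directories change the file system view the unit runs with, so fs namespacing is essential here too. */`. The wording should be confirmed against how the caller treats a `true` result, since the start and end of `insist_on_sandboxing()` and its call site are outside this hunk. No test accompanies the change in the visible diff; a unit that sets either option in an environment where the namespace cannot be set up would presumably be the case to cover.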