core/namespace: use ProtectHostname in NamespaceParameters
authorYu Watanabe <watanabe.yu+github@gmail.com>
Thu, 12 Dec 2024 04:00:41 +0000 (13:00 +0900)
committerYu Watanabe <watanabe.yu+github@gmail.com>
Thu, 12 Dec 2024 10:33:34 +0000 (19:33 +0900)
To make the type of NamespaceParameters.protect_hostname consistent
with the one in ExecContext.

Addresses https://github.com/systemd/systemd/pull/35447#discussion_r1880372452.
Fixes #35566.

src/core/exec-invoke.c
src/core/namespace.c
src/core/namespace.h

index fd306f1143125ba442b1739ff37080dae421917c..91ee10ac6568bb3802271f6c92d08214a1c14ebd 100644 (file)
@@ -3419,16 +3419,12 @@ static int apply_mount_namespace(
                 .protect_kernel_tunables = needs_sandboxing && context->protect_kernel_tunables,
                 .protect_kernel_modules = needs_sandboxing && context->protect_kernel_modules,
                 .protect_kernel_logs = needs_sandboxing && context->protect_kernel_logs,
-                /* Only mount /proc/sys/kernel/hostname and domainname read-only if ProtectHostname=yes. Otherwise, ProtectHostname=no
-                 * allows changing hostname for the host and ProtectHostname=private allows changing the hostname in the unit's UTS
-                 * namespace. */
-                .protect_hostname = needs_sandboxing && context->protect_hostname == PROTECT_HOSTNAME_YES,
 
                 .private_dev = needs_sandboxing && context->private_devices,
                 .private_network = needs_sandboxing && exec_needs_network_namespace(context),
                 .private_ipc = needs_sandboxing && exec_needs_ipc_namespace(context),
                 .private_pids = needs_sandboxing && exec_needs_pid_namespace(context) ? context->private_pids : PRIVATE_PIDS_NO,
-                .private_tmp = needs_sandboxing ? context->private_tmp : false,
+                .private_tmp = needs_sandboxing ? context->private_tmp : PRIVATE_TMP_NO,
 
                 .mount_apivfs = needs_sandboxing && exec_context_get_effective_mount_apivfs(context),
                 .bind_log_sockets = needs_sandboxing && exec_context_get_effective_bind_log_sockets(context),
@@ -3436,10 +3432,11 @@ static int apply_mount_namespace(
                 /* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
                 .mount_nosuid = needs_sandboxing && context->no_new_privileges && !mac_selinux_use(),
 
-                .protect_home = needs_sandboxing ? context->protect_home : false,
-                .protect_system = needs_sandboxing ? context->protect_system : false,
-                .protect_proc = needs_sandboxing ? context->protect_proc : false,
-                .proc_subset = needs_sandboxing ? context->proc_subset : false,
+                .protect_home = needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
+                .protect_hostname = needs_sandboxing ? context->protect_hostname : PROTECT_HOSTNAME_NO,
+                .protect_system = needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
+                .protect_proc = needs_sandboxing ? context->protect_proc : PROTECT_PROC_DEFAULT,
+                .proc_subset = needs_sandboxing ? context->proc_subset : PROC_SUBSET_ALL,
         };
 
         r = setup_namespace(&parameters, reterr_path);
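Review bot: The non-sandboxed fallbacks on the `.protect_home`/`.protect_hostname`/`.protect_system`/`.protect_proc`/`.proc_subset` lines now name an enum member instead of `false`, and for the last two that member is `PROTECT_PROC_DEFAULT`/`PROC_SUBSET_ALL` rather than a `*_NO` name, so a reader can no longer see at a glance that all five are the "protection off" values. A one-line comment above `.protect_home` would keep that intent explicit, e.g. `/* Not sandboxing: every protect_* setting gets its "off" value. */`. This also presumes each of those enumerators is the permissive member of its enum, which the hunk does not show; worth confirming against the enum definitions. apply_mount_namespace() begins and ends outside these hunks.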
index 2f3b8f03d130892afe0f879129bf384dd1667de3..c3acfa203c84ba67917ec2daf7701a2c5efc07b4 100644 (file)
@@ -2637,9 +2637,11 @@ int setup_namespace(const NamespaceParameters *p, char **reterr_path) {
                         return r;
         }
 
-        /* Note, if proc is mounted with subset=pid then neither of the two paths will exist, i.e. they are
-         * implicitly protected by the mount option. */
-        if (p->protect_hostname) {
+        /* Only mount /proc/sys/kernel/hostname and domainname read-only if ProtectHostname=yes. Otherwise,
+         * ProtectHostname=no allows changing hostname for the host, and ProtectHostname=private allows
+         * changing the hostname in the unit's UTS namespace. Note, if proc is mounted with subset=pid then
+         * neither of the two paths will exist, i.e. they are implicitly protected by the mount option. */
+        if (p->protect_hostname == PROTECT_HOSTNAME_YES) {
                 r = append_static_mounts(
                                 &ml,
                                 protect_hostname_yes_table,
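Review bot: The new `if (p->protect_hostname == PROTECT_HOSTNAME_YES)` is the only safe form now that the field is an enum, because a plain truthiness test on `p->protect_hostname` would also fire for `PROTECT_HOSTNAME_PRIVATE` and mount the hostname files read-only in exactly the case the moved comment says should stay writable. Any other consumer of `NamespaceParameters.protect_hostname` that still tests it as a bool would silently change meaning with this commit, so it is worth checking there are none; the hunk shows only this one site. setup_namespace() starts and ends outside the hunk.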
index 96f62be30a2690b033d60f1d617b63ef363c1631..21ae5a991db2387efd27b91fe08c66d58318083b 100644 (file)
@@ -181,7 +181,6 @@ struct NamespaceParameters {
         bool protect_kernel_tunables;
         bool protect_kernel_modules;
         bool protect_kernel_logs;
-        bool protect_hostname;
 
         bool private_dev;
         bool private_network;
@@ -193,6 +192,7 @@ struct NamespaceParameters {
 
         ProtectControlGroups protect_control_groups;
         ProtectHome protect_home;
+        ProtectHostname protect_hostname;
         ProtectSystem protect_system;
         ProtectProc protect_proc;
         ProcSubset proc_subset;
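Review bot: The moved member `ProtectHostname protect_hostname;` changes the field's type from `bool` to an enum, so any initializer that still passes `true`/`false` would compile without a warning and land on `PROTECT_HOSTNAME_YES`/`PROTECT_HOSTNAME_NO` only by coincidence of enumerator values; the commit's other hunks cover exec-invoke.c only. A one-line comment on the field, `/* Only PROTECT_HOSTNAME_YES makes setup_namespace() mount the hostname files read-only. */`, would document which value the consumer acts on, as far as the visible namespace.c hunk shows. The header's include block is outside the hunk, so I cannot confirm the `ProtectHostname` typedef is already visible here.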