core: insist on sandboxing if ExtensionImages/Directories are configured

author Luca Boccassi <bluca@debian.org>

Thu, 17 Mar 2022 23:37:29 +0000 (23:37 +0000)

committer Lennart Poettering <lennart@poettering.net>

Fri, 18 Mar 2022 09:02:47 +0000 (10:02 +0100)
author Luca Boccassi <bluca@debian.org>
Thu, 17 Mar 2022 23:37:29 +0000 (23:37 +0000)
committer Lennart Poettering <lennart@poettering.net>
Fri, 18 Mar 2022 09:02:47 +0000 (10:02 +0100)
diff --git a/src/core/execute.c b/src/core/execute.c

index ba57bbc279149f9edd62c3ef954a04fd8165a023..b6021397ce35286823ff2ec786592cf09cf58cd3 100644 (file)
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3415,6 +3415,9 @@ static bool insist_on_sandboxing(
          if (context->dynamic_user)
                  return true;
  
+        if (context->n_extension_images > 0 || !strv_isempty(context->extension_directories))
+                return true;
+
          /* If there are any bind mounts set that don't map back onto themselves, fs namespacing becomes
           * essential. */
          for (size_t i = 0; i < n_bind_mounts; i++)
author	Luca Boccassi <bluca@debian.org>
	Thu, 17 Mar 2022 23:37:29 +0000 (23:37 +0000)
committer	Lennart Poettering <lennart@poettering.net>
	Fri, 18 Mar 2022 09:02:47 +0000 (10:02 +0100)