namespace: move protect_{home|system} into NamespaceInfo
authorLennart Poettering <lennart@poettering.net>
Thu, 6 Aug 2020 09:32:53 +0000 (11:32 +0200)
committerLennart Poettering <lennart@poettering.net>
Mon, 24 Aug 2020 18:10:30 +0000 (20:10 +0200)
it's not entirely clear what shall be passed via parameter and what via
struct, but these two definitely fit well with the other protect_xyz
fields, hence let's move them over.

We probably should move a lot more fields into the structure
actually (most? all even?).

src/core/execute.c
src/core/namespace.c
src/core/namespace.h
src/test/test-namespace.c
src/test/test-ns.c

index fd041e6ed34dba4d44b26c7c96db3f77529a418f..c3a87197f714d6fcb454e071e144499db2ca259a 100644 (file)
@@ -2650,6 +2650,8 @@ static int apply_mount_namespace(
                         .protect_hostname = context->protect_hostname,
                         .mount_apivfs = context->mount_apivfs,
                         .private_mounts = context->private_mounts,
+                        .protect_home = context->protect_home,
+                        .protect_system = context->protect_system,
                 };
         } else if (!context->dynamic_user && root_dir)
                 /*
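Review bot: The two new initializers are set only in the `needs_sandboxing` branch, so the non-sandboxed paths now end up with `PROTECT_HOME_NO`/`PROTECT_SYSTEM_NO` only because the other `ns_info` initializers leave these fields zero and those enumerators are presumably the zero values. The call-site hunk below drops the explicit `needs_sandboxing ? … : PROTECT_HOME_NO` that used to state this. Since these fields decide which home and system paths get protected, I would make the dependency visible, either with `.protect_home = PROTECT_HOME_NO,` and `.protect_system = PROTECT_SYSTEM_NO,` in the relaxed branch, or with a comment on the new members in namespace.h such as `/* zero-initialized means PROTECT_HOME_NO / PROTECT_SYSTEM_NO, i.e. no protection */`. The remaining branches of this if/else chain are outside the hunk, so their initializers should be confirmed before relying on this.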
@@ -2680,8 +2682,6 @@ static int apply_mount_namespace(
                             tmp_dir,
                             var_tmp_dir,
                             context->log_namespace,
-                            needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
-                            needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
                             context->mount_flags,
                             context->root_hash, context->root_hash_size, context->root_hash_path,
                             context->root_hash_sig, context->root_hash_sig_size, context->root_hash_sig_path,
index 671d0dc92510989203ba799c4dab264e91986c7d..4e33fcac3c81e226aa9c0d7c90e43e09c16c102c 100644 (file)
@@ -1233,25 +1233,23 @@ static size_t namespace_calculate_mounts(
                 size_t n_mount_images,
                 const char* tmp_dir,
                 const char* var_tmp_dir,
-                const char* log_namespace,
-                ProtectHome protect_home,
-                ProtectSystem protect_system) {
+                const char* log_namespace) {
 
         size_t protect_home_cnt;
         size_t protect_system_cnt =
-                (protect_system == PROTECT_SYSTEM_STRICT ?
+                (ns_info->protect_system == PROTECT_SYSTEM_STRICT ?
                  ELEMENTSOF(protect_system_strict_table) :
-                 ((protect_system == PROTECT_SYSTEM_FULL) ?
+                 ((ns_info->protect_system == PROTECT_SYSTEM_FULL) ?
                   ELEMENTSOF(protect_system_full_table) :
-                  ((protect_system == PROTECT_SYSTEM_YES) ?
+                  ((ns_info->protect_system == PROTECT_SYSTEM_YES) ?
                    ELEMENTSOF(protect_system_yes_table) : 0)));
 
         protect_home_cnt =
-                (protect_home == PROTECT_HOME_YES ?
+                (ns_info->protect_home == PROTECT_HOME_YES ?
                  ELEMENTSOF(protect_home_yes_table) :
-                 ((protect_home == PROTECT_HOME_READ_ONLY) ?
+                 ((ns_info->protect_home == PROTECT_HOME_READ_ONLY) ?
                   ELEMENTSOF(protect_home_read_only_table) :
-                  ((protect_home == PROTECT_HOME_TMPFS) ?
+                  ((ns_info->protect_home == PROTECT_HOME_TMPFS) ?
                    ELEMENTSOF(protect_home_tmpfs_table) : 0)));
 
         return !!tmp_dir + !!var_tmp_dir +
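Review bot: The counts derived here from `ns_info->protect_system` and `ns_info->protect_home` feed the `n_mounts` value that sizes `new0(MountEntry, n_mounts)` in setup_namespace(), and `append_protect_home()`/`append_protect_system()` later write into that array through `m`, so the counter and the fillers must always agree; nothing in the hunk documents that. Reading both from the same struct makes a mismatch less likely than with separate parameters, but a comment above the two ternary chains would pin it down, for example `/* Must stay in sync with append_protect_home()/append_protect_system(): n_mounts sizes the array they fill */`. The start of the parameter list and the tail of the return expression are outside this hunk, so whether a later check already catches a mismatch cannot be seen from here.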
@@ -1355,8 +1353,6 @@ int setup_namespace(
                 const char* tmp_dir,
                 const char* var_tmp_dir,
                 const char *log_namespace,
-                ProtectHome protect_home,
-                ProtectSystem protect_system,
                 unsigned long mount_flags,
                 const void *root_hash,
                 size_t root_hash_size,
@@ -1389,10 +1385,10 @@ int setup_namespace(
 
                 /* Make the whole image read-only if we can determine that we only access it in a read-only fashion. */
                 if (root_read_only(read_only_paths,
-                                   protect_system) &&
+                                   ns_info->protect_system) &&
                     home_read_only(read_only_paths, inaccessible_paths, empty_directories,
                                    bind_mounts, n_bind_mounts, temporary_filesystems, n_temporary_filesystems,
-                                   protect_home) &&
+                                   ns_info->protect_home) &&
                     strv_isempty(read_write_paths))
                         dissect_image_flags |= DISSECT_IMAGE_READ_ONLY;
 
@@ -1461,8 +1457,7 @@ int setup_namespace(
                         n_temporary_filesystems,
                         n_mount_images,
                         tmp_dir, var_tmp_dir,
-                        log_namespace,
-                        protect_home, protect_system);
+                        log_namespace);
 
         if (n_mounts > 0) {
                 m = mounts = new0(MountEntry, n_mounts);
@@ -1559,11 +1554,11 @@ int setup_namespace(
                         };
                 }
 
-                r = append_protect_home(&m, protect_home, ns_info->ignore_protect_paths);
+                r = append_protect_home(&m, ns_info->protect_home, ns_info->ignore_protect_paths);
                 if (r < 0)
                         goto finish;
 
-                r = append_protect_system(&m, protect_system, false);
+                r = append_protect_system(&m, ns_info->protect_system, false);
                 if (r < 0)
                         goto finish;
 
index dac53c76ef7c57d9905b11fd4b8f892b0527f42b..ec1ab4e2a743d2618b2638c084964468ecfb0080 100644 (file)
@@ -57,6 +57,8 @@ struct NamespaceInfo {
         bool protect_kernel_logs:1;
         bool mount_apivfs:1;
         bool protect_hostname:1;
+        ProtectHome protect_home;
+        ProtectSystem protect_system;
 };
 
 struct BindMount {
@@ -98,8 +100,6 @@ int setup_namespace(
                 const char *tmp_dir,
                 const char *var_tmp_dir,
                 const char *log_namespace,
-                ProtectHome protect_home,
-                ProtectSystem protect_system,
                 unsigned long mount_flags,
                 const void *root_hash,
                 size_t root_hash_size,
index f70b7e778ed01be72911b4eecaddd86aa4b50273..af48e696684a88f5b69fbb80dbab86dc235991aa 100644 (file)
@@ -163,8 +163,6 @@ static void test_protect_kernel_logs(void) {
                                     NULL,
                                     NULL,
                                     NULL,
-                                    PROTECT_HOME_NO,
-                                    PROTECT_SYSTEM_NO,
                                     0,
                                     NULL,
                                     0,
index cba8ee2b2b0ddc9054d5c4003429e0906145cd78..d3804b50d7d7a0ccdd378085d923e4c78a15f62d 100644 (file)
@@ -76,8 +76,6 @@ int main(int argc, char *argv[]) {
                             tmp_dir,
                             var_tmp_dir,
                             NULL,
-                            PROTECT_HOME_NO,
-                            PROTECT_SYSTEM_NO,
                             0,
                             NULL,
                             0,