core/namespace: make bind mounted journal sockets nosuid + noexec + nodev

author Mike Yuan <me@yhndnzj.com>

Wed, 4 Sep 2024 13:36:52 +0000 (15:36 +0200)

committer Mike Yuan <me@yhndnzj.com>

Wed, 4 Sep 2024 19:44:24 +0000 (21:44 +0200)
author Mike Yuan <me@yhndnzj.com>
Wed, 4 Sep 2024 13:36:52 +0000 (15:36 +0200)
committer Mike Yuan <me@yhndnzj.com>
Wed, 4 Sep 2024 19:44:24 +0000 (21:44 +0200)
diff --git a/src/core/namespace.c b/src/core/namespace.c

index 940052b04541aa47b8268eef76e01a3a33720854..026018438c8d5070377b2482ac4137dd16fb4b0d 100644 (file)
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -121,9 +121,9 @@ typedef struct MountList {
  } MountList;
  
  static const BindMount bind_journal_sockets_table[] = {
-        { (char*) "/run/systemd/journal/socket",  (char*) "/run/systemd/journal/socket",  .read_only = true, .ignore_enoent = true },
-        { (char*) "/run/systemd/journal/stdout",  (char*) "/run/systemd/journal/stdout",  .read_only = true, .ignore_enoent = true },
-        { (char*) "/run/systemd/journal/dev-log", (char*) "/run/systemd/journal/dev-log", .read_only = true, .ignore_enoent = true },
+        { (char*) "/run/systemd/journal/socket",  (char*) "/run/systemd/journal/socket",  .read_only = true, .nosuid = true, .noexec = true, .nodev = true, .ignore_enoent = true },
+        { (char*) "/run/systemd/journal/stdout",  (char*) "/run/systemd/journal/stdout",  .read_only = true, .nosuid = true, .noexec = true, .nodev = true, .ignore_enoent = true },
+        { (char*) "/run/systemd/journal/dev-log", (char*) "/run/systemd/journal/dev-log", .read_only = true, .nosuid = true, .noexec = true, .nodev = true, .ignore_enoent = true },
  };
  
  /* If MountAPIVFS= is used, let's mount /sys, /proc, /dev and /run into the it, but only as a fallback if the user hasn't mounted
@@ -447,6 +447,8 @@ static int append_bind_mounts(MountList *ml, const BindMount *binds, size_t n) {
                          .mode = b->recursive ? MOUNT_BIND_RECURSIVE : MOUNT_BIND,
                          .read_only = b->read_only,
                          .nosuid = b->nosuid,
+                        .noexec = b->noexec,
+                        .flags = b->nodev ? MS_NODEV : 0,
                          .source_const = b->source,
                          .ignore = b->ignore_enoent,
                  };
@@ -2797,7 +2799,9 @@ int bind_mount_add(BindMount **b, size_t *n, const BindMount *item) {
                  .source = TAKE_PTR(s),
                  .destination = TAKE_PTR(d),
                  .read_only = item->read_only,
+                .nodev = item->nodev,
                  .nosuid = item->nosuid,
+                .noexec = item->noexec,
                  .recursive = item->recursive,
                  .ignore_enoent = item->ignore_enoent,
          };
diff --git a/src/core/namespace.h b/src/core/namespace.h

index 538d23753c292d85f797fedaaab29b79a84e570f..b05daa669e9178cdfa045f5326881bb8369f9b13 100644 (file)
--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -65,7 +65,9 @@ struct BindMount {
          char *source;
          char *destination;
          bool read_only;
+        bool nodev;
          bool nosuid;
+        bool noexec;
          bool recursive;
          bool ignore_enoent;
  };
author	Mike Yuan <me@yhndnzj.com>
	Wed, 4 Sep 2024 13:36:52 +0000 (15:36 +0200)
committer	Mike Yuan <me@yhndnzj.com>
	Wed, 4 Sep 2024 19:44:24 +0000 (21:44 +0200)
src/core/namespace.c		patch \| blob \| blame \| history
src/core/namespace.h		patch \| blob \| blame \| history