namespace: Apply MountAPIVFS= only when a Root directory is set 5420/head
authorDjalal Harouni <tixxdz@gmail.com>
Sun, 5 Mar 2017 20:39:43 +0000 (21:39 +0100)
committerDjalal Harouni <tixxdz@gmail.com>
Sun, 5 Mar 2017 20:39:43 +0000 (21:39 +0100)
The MountAPIVFS= documentation says that this option has no effect
unless used in conjunction with RootDirectory= or RootImage=, so let's fix
this and avoid creating private mount namespaces where they are not
needed.

src/core/execute.c
src/core/namespace.c

index d7798387c52cb51e2da67579257af045e1860fd9..b2e6828239d147c37f558bf2ca17fc8ff508ac5d 100644 (file)
@@ -1670,7 +1670,7 @@ static bool exec_needs_mount_namespace(
             context->protect_control_groups)
                 return true;
 
-        if (context->mount_apivfs)
+        if (context->mount_apivfs && (context->root_image || context->root_directory))
                 return true;
 
         return false;
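Review bot: The new `mount_apivfs` test accepts either `context->root_image` or `context->root_directory`, but the matching helper in src/core/namespace.c, `namespace_info_mount_apivfs()`, looks only at its `root_directory` argument. If `setup_namespace()` does not point `root_directory` at the image's mount point before it counts and appends mounts for a unit that sets only RootImage= (that code is outside the visible hunks), the unit would get a private namespace whose new root lacks the API VFS mounts. Please confirm that invariant and record it next to this condition, for example `/* setup_namespace() maps RootImage= onto a root_directory mount point, so both settings enable the API VFS mounts */`. The body of exec_needs_mount_namespace starts outside the hunk.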
index 673b8364895a15ad38ddce7d4325e9ef213237f4..8235a64406e166aabdb68bbc082021e770cbf60c 100644 (file)
@@ -816,18 +816,24 @@ static int make_read_only(MountEntry *m, char **blacklist) {
         return r;
 }
 
-static bool namespace_info_mount_apivfs(const NameSpaceInfo *ns_info) {
+static bool namespace_info_mount_apivfs(const char *root_directory, const NameSpaceInfo *ns_info) {
         assert(ns_info);
 
-        /* ProtectControlGroups= and ProtectKernelTunables= imply MountAPIVFS=, since to protect the API VFS mounts,
-         * they need to be around in the first place... */
+        /*
+         * ProtectControlGroups= and ProtectKernelTunables= imply MountAPIVFS=,
+         * since to protect the API VFS mounts, they need to be around in the
+         * first place... and RootDirectory= or RootImage= need to be set.
+         */
 
-        return ns_info->mount_apivfs ||
-                ns_info->protect_control_groups ||
-                ns_info->protect_kernel_tunables;
+        /* root_directory should point to a mount point */
+        return root_directory &&
+                (ns_info->mount_apivfs ||
+                 ns_info->protect_control_groups ||
+                 ns_info->protect_kernel_tunables);
 }
 
 static unsigned namespace_calculate_mounts(
+                const char* root_directory,
                 const NameSpaceInfo *ns_info,
                 char** read_write_paths,
                 char** read_only_paths,
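Review bot: The rewritten comment in `namespace_info_mount_apivfs()` reads as though ProtectControlGroups= and ProtectKernelTunables= themselves require RootDirectory= or RootImage=, but the code only skips the extra API VFS mounts when `root_directory` is NULL. Because these are sandboxing options, the comment should say that without a new root the host's existing API VFS mounts are the ones being protected; the separate `protect_control_groups ? 1 : 0` term in namespace_calculate_mounts suggests those entries are still added independently, though that code is outside this hunk. Suggested wording: `/* Mount API VFS only into a new root; without one the host's mounts are already present. The Protect*= options imply it there because the mounts must exist to be protected. */`. The second comment, "root_directory should point to a mount point", states an assumption nothing here checks, so it should name the caller that guarantees it.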
@@ -864,7 +870,7 @@ static unsigned namespace_calculate_mounts(
                 (ns_info->protect_control_groups ? 1 : 0) +
                 (ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
                 protect_home_cnt + protect_system_cnt +
-                (namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0);
+                (namespace_info_mount_apivfs(root_directory, ns_info) ? ELEMENTSOF(apivfs_table) : 0);
 }
 
 int setup_namespace(
@@ -932,6 +938,7 @@ int setup_namespace(
         }
 
         n_mounts = namespace_calculate_mounts(
+                        root_directory,
                         ns_info,
                         read_write_paths,
                         read_only_paths,
@@ -1010,7 +1017,7 @@ int setup_namespace(
                 if (r < 0)
                         goto finish;
 
-                if (namespace_info_mount_apivfs(ns_info)) {
+                if (namespace_info_mount_apivfs(root_directory, ns_info)) {
                         r = append_static_mounts(&m, apivfs_table, ELEMENTSOF(apivfs_table), ns_info->ignore_protect_paths);
                         if (r < 0)
                                 goto finish;