execute: fix the condition of private mounts for user namespacing

author Haochen Tong <i@hexchain.org>

Wed, 14 Jun 2023 15:55:56 +0000 (23:55 +0800)

committer Lennart Poettering <lennart@poettering.net>

Thu, 15 Jun 2023 11:12:24 +0000 (13:12 +0200)
author Haochen Tong <i@hexchain.org>
Wed, 14 Jun 2023 15:55:56 +0000 (23:55 +0800)
committer Lennart Poettering <lennart@poettering.net>
Thu, 15 Jun 2023 11:12:24 +0000 (13:12 +0200)
diff --git a/src/core/execute.c b/src/core/execute.c

index f9a8ae9f154abce6f83a9a2cb7bac6142babce04..e46875f5b0f72728d1d12bad4dd4b27db90a8746 100644 (file)
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -4584,7 +4584,7 @@ static bool exec_context_need_unprivileged_private_users(const ExecContext *cont
                 context->network_namespace_path ||
                 context->private_ipc ||
                 context->ipc_namespace_path ||
-               context->private_mounts ||
+               context->private_mounts > 0 ||
                 context->mount_apivfs ||
                 context->n_bind_mounts > 0 ||
                 context->n_temporary_filesystems > 0 ||
diff --git a/src/test/test-execute.c b/src/test/test-execute.c

index a63afa873b9170f434690a3c888d1662447310d2..b2721a0c7b890d7414516116af866e2f9b2defee 100644 (file)
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -448,9 +448,9 @@ static void test_exec_privatedevices(Manager *m) {
          }
  
          test(m, "exec-privatedevices-yes-capability-mknod.service", can_unshare || MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED);
-        test(m, "exec-privatedevices-no-capability-mknod.service", 0, CLD_EXITED);
+        test(m, "exec-privatedevices-no-capability-mknod.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_FAILURE, CLD_EXITED);
          test(m, "exec-privatedevices-yes-capability-sys-rawio.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED);
-        test(m, "exec-privatedevices-no-capability-sys-rawio.service", 0, CLD_EXITED);
+        test(m, "exec-privatedevices-no-capability-sys-rawio.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_FAILURE, CLD_EXITED);
  }
  
  static void test_exec_protecthome(Manager *m) {
@@ -480,7 +480,7 @@ static void test_exec_protectkernelmodules(Manager *m) {
                  return;
          }
  
-        test(m, "exec-protectkernelmodules-no-capabilities.service", 0, CLD_EXITED);
+        test(m, "exec-protectkernelmodules-no-capabilities.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_FAILURE, CLD_EXITED);
          test(m, "exec-protectkernelmodules-yes-capabilities.service", MANAGER_IS_SYSTEM(m) ? 0 : EXIT_NAMESPACE, CLD_EXITED);
          test(m, "exec-protectkernelmodules-yes-mount-propagation.service", can_unshare ? 0 : MANAGER_IS_SYSTEM(m) ? EXIT_FAILURE : EXIT_NAMESPACE, CLD_EXITED);
  }
@@ -1118,12 +1118,12 @@ static void test_exec_unsetenvironment(Manager *m) {
  }
  
  static void test_exec_specifier(Manager *m) {
-        test(m, "exec-specifier.service", can_unshare || MANAGER_IS_SYSTEM(m) ? 0 : EXIT_FAILURE, CLD_EXITED);
+        test(m, "exec-specifier.service", 0, CLD_EXITED);
          if (MANAGER_IS_SYSTEM(m))
                  test(m, "exec-specifier-system.service", 0, CLD_EXITED);
          else
                  test(m, "exec-specifier-user.service", 0, CLD_EXITED);
-        test(m, "exec-specifier@foo-bar.service", can_unshare || MANAGER_IS_SYSTEM(m) ? 0 : EXIT_FAILURE, CLD_EXITED);
+        test(m, "exec-specifier@foo-bar.service", 0, CLD_EXITED);
          test(m, "exec-specifier-interpolation.service", 0, CLD_EXITED);
  }
author	Haochen Tong <i@hexchain.org>
	Wed, 14 Jun 2023 15:55:56 +0000 (23:55 +0800)
committer	Lennart Poettering <lennart@poettering.net>
	Thu, 15 Jun 2023 11:12:24 +0000 (13:12 +0200)
src/core/execute.c		patch \| blob \| blame \| history
src/test/test-execute.c		patch \| blob \| blame \| history