char *tmp = NULL, *var = NULL;
const char *root_dir = NULL;
NameSpaceInfo ns_info = {
+ .ignore_protect_paths = false,
.private_dev = context->private_devices,
.protect_control_groups = context->protect_control_groups,
.protect_kernel_tunables = context->protect_kernel_tunables,
if (params->flags & EXEC_APPLY_CHROOT)
root_dir = context->root_directory;
+ /*
+ * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed
+ * sandbox info, otherwise enforce it, don't ignore protected paths and
+ * fail if we are enable to apply the sandbox inside the mount namespace.
+ */
+ if (!context->dynamic_user && root_dir)
+ ns_info.ignore_protect_paths = true;
+
r = setup_namespace(root_dir, &ns_info, rw,
context->read_only_paths,
context->inaccessible_paths,
return 0;
}
-static int append_target_mounts(BindMount **p, const char *root_directory, const TargetMount *mounts, const size_t size) {
+static int append_target_mounts(BindMount **p, const char *root_directory,
+ const TargetMount *mounts, const size_t size, bool ignore_protect) {
unsigned i;
assert(p);
assert(mounts);
for (i = 0; i < size; i++) {
+ bool ignore;
/*
* Here we assume that the ignore field is set during
* declaration we do not support "-" at the beginning.
if (!path_is_absolute(path))
return -EINVAL;
- set_bind_mount((*p)++, path, m->mode, m->ignore);
+ /*
+ * Ignore paths if they are not present. First we use our
+ * static tables otherwise fallback to Unit context.
+ */
+ ignore = m->ignore || ignore_protect;
+
+ set_bind_mount((*p)++, path, m->mode, ignore);
}
return 0;
}
-static int append_protect_kernel_tunables(BindMount **p, const char *root_directory) {
+static int append_protect_kernel_tunables(BindMount **p, const char *root_directory, bool ignore_protect) {
assert(p);
return append_target_mounts(p, root_directory, protect_kernel_tunables_table,
- ELEMENTSOF(protect_kernel_tunables_table));
+ ELEMENTSOF(protect_kernel_tunables_table), ignore_protect);
}
-static int append_protect_kernel_modules(BindMount **p, const char *root_directory) {
+static int append_protect_kernel_modules(BindMount **p, const char *root_directory, bool ignore_protect) {
assert(p);
return append_target_mounts(p, root_directory, protect_kernel_modules_table,
- ELEMENTSOF(protect_kernel_modules_table));
+ ELEMENTSOF(protect_kernel_modules_table), ignore_protect);
}
-static int append_protect_home(BindMount **p, const char *root_directory, ProtectHome protect_home) {
+static int append_protect_home(BindMount **p, const char *root_directory, ProtectHome protect_home, bool ignore_protect) {
int r = 0;
assert(p);
switch (protect_home) {
case PROTECT_HOME_READ_ONLY:
r = append_target_mounts(p, root_directory, protect_home_read_only_table,
- ELEMENTSOF(protect_home_read_only_table));
+ ELEMENTSOF(protect_home_read_only_table),
+ ignore_protect);
break;
case PROTECT_HOME_YES:
r = append_target_mounts(p, root_directory, protect_home_yes_table,
- ELEMENTSOF(protect_home_yes_table));
+ ELEMENTSOF(protect_home_yes_table), ignore_protect);
break;
default:
r = -EINVAL;
return r;
}
-static int append_protect_system(BindMount **p, const char *root_directory, ProtectSystem protect_system) {
+static int append_protect_system(BindMount **p, const char *root_directory, ProtectSystem protect_system, bool ignore_protect) {
int r = 0;
assert(p);
switch (protect_system) {
case PROTECT_SYSTEM_STRICT:
r = append_target_mounts(p, root_directory, protect_system_strict_table,
- ELEMENTSOF(protect_system_strict_table));
+ ELEMENTSOF(protect_system_strict_table), ignore_protect);
break;
case PROTECT_SYSTEM_YES:
r = append_target_mounts(p, root_directory, protect_system_yes_table,
- ELEMENTSOF(protect_system_yes_table));
+ ELEMENTSOF(protect_system_yes_table), ignore_protect);
break;
case PROTECT_SYSTEM_FULL:
r = append_target_mounts(p, root_directory, protect_system_full_table,
- ELEMENTSOF(protect_system_full_table));
+ ELEMENTSOF(protect_system_full_table), ignore_protect);
break;
default:
r = -EINVAL;
return log_debug_errno(r, "Failed to determine whether %s is already a mount point: %m", m->path);
if (r > 0) /* Nothing to do here, it is already a mount. We just later toggle the MS_RDONLY bit for the mount point if needed. */
return 0;
-
/* This isn't a mount point yet, let's make it one. */
what = m->path;
break;
}
if (ns_info->protect_kernel_tunables) {
- r = append_protect_kernel_tunables(&m, root_directory);
+ r = append_protect_kernel_tunables(&m, root_directory,
+ ns_info->ignore_protect_paths);
if (r < 0)
goto finish;
}
if (ns_info->protect_kernel_modules) {
- r = append_protect_kernel_modules(&m, root_directory);
+ r = append_protect_kernel_modules(&m, root_directory,
+ ns_info->ignore_protect_paths);
if (r < 0)
goto finish;
}
goto finish;
}
- r = append_protect_home(&m, root_directory, protect_home);
+ r = append_protect_home(&m, root_directory, protect_home,
+ ns_info->ignore_protect_paths);
if (r < 0)
goto finish;
- r = append_protect_system(&m, root_directory, protect_system);
+ r = append_protect_system(&m, root_directory, protect_system, false);
if (r < 0)
goto finish;
projects / thirdparty / systemd.git / commitdiff
