_cleanup_strv_free_ char **empty_directories = NULL;
const char *tmp_dir = NULL, *var_tmp_dir = NULL;
const char *root_dir = NULL, *root_image = NULL;
+ _cleanup_free_ char *creds_path = NULL;
NamespaceInfo ns_info;
bool needs_sandboxing;
BindMount *bind_mounts = NULL;
if (context->mount_flags == MS_SHARED)
log_unit_debug(u, "shared mount propagation hidden by other fs namespacing unit settings: ignoring");
+ if (exec_context_has_credentials(context) && params->prefix[EXEC_DIRECTORY_RUNTIME]) {
+ creds_path = path_join(params->prefix[EXEC_DIRECTORY_RUNTIME], "credentials", u->id);
+ if (!creds_path)
+ return -ENOMEM;
+ }
+
r = setup_namespace(root_dir, root_image, context->root_image_options,
&ns_info, context->read_write_paths,
needs_sandboxing ? context->read_only_paths : NULL,
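Review bot: When exec_context_has_credentials() is true but params->prefix[EXEC_DIRECTORY_RUNTIME] is NULL, creds_path stays NULL and the unit is started with its credentials tree hidden instead of being refused, and nothing records that this happened. If that fallback is intended, the branch should at least make it observable, e.g. after the closing brace of the new if: `else if (exec_context_has_credentials(context)) log_unit_debug(u, "No runtime directory prefix available, credentials will not be made available.");`. The enclosing function begins before this hunk, so whether an earlier check already rules this case out is not visible here.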
context->n_mount_images,
tmp_dir,
var_tmp_dir,
+ creds_path,
context->log_namespace,
context->mount_flags,
context->root_hash, context->root_hash_size, context->root_hash_path,
(void) mkdir_label("/run/systemd", 0755);
(void) mkdir_label("/run/systemd/system", 0755);
+ /* Make sure we have a mount point to hide in sandboxes */
+ (void) mkdir_label("/run/credentials", 0755);
+
/* Also create /run/systemd/inaccessible nodes, so that we always have something to mount
* inaccessible nodes from. If we run in a container the host might have created these for us already
* in /run/host/inaccessible/. Use those if we can, since tht way we likely get access to block/char
size_t n_mount_images,
const char* tmp_dir,
const char* var_tmp_dir,
+ const char *creds_path,
const char* log_namespace) {
size_t protect_home_cnt;
protect_home_cnt + protect_system_cnt +
(ns_info->protect_hostname ? 2 : 0) +
(namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0) +
+ (creds_path ? 2 : 1) +
!!log_namespace;
}
size_t n_mount_images,
const char* tmp_dir,
const char* var_tmp_dir,
+ const char *creds_path,
const char *log_namespace,
unsigned long mount_flags,
const void *root_hash,
n_temporary_filesystems,
n_mount_images,
tmp_dir, var_tmp_dir,
+ creds_path,
log_namespace);
if (n_mounts > 0) {
};
}
+ if (creds_path) {
+ /* If our service has a credentials store configured, then bind that one in, but hide
+ * everything else. */
+
+ *(m++) = (MountEntry) {
+ .path_const = "/run/credentials",
+ .mode = TMPFS,
+ .read_only = true,
+ .options_const = "mode=0755" TMPFS_LIMITS_EMPTY_OR_ALMOST,
+ .flags = MS_NODEV|MS_STRICTATIME|MS_NOSUID|MS_NOEXEC,
+ };
+
+ *(m++) = (MountEntry) {
+ .path_const = creds_path,
+ .mode = BIND_MOUNT,
+ .read_only = true,
+ .source_const = creds_path,
+ };
+ } else {
+ /* If our service has no credentials store configured, then make the whole
+ * credentials tree inaccessible wholesale. */
+
+ *(m++) = (MountEntry) {
+ .path_const = "/run/credentials",
+ .mode = INACCESSIBLE,
+ .ignore = true,
+ };
+ }
+
if (log_namespace) {
_cleanup_free_ char *q;
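Review bot: The second MountEntry in the if-branch uses creds_path as both target and source, but that target has to exist inside the fresh, empty tmpfs the first entry mounts over /run/credentials; whether the mount-application code creates the directory for a BIND_MOUNT entry before binding is not visible in this hunk, and if it does not, the bind fails and the credentials are silently lost. The tmpfs entry carries MS_NODEV|MS_STRICTATIME|MS_NOSUID|MS_NOEXEC while the bind entry sets no flags; if .flags is honoured for bind mounts, mirroring `.flags = MS_NODEV|MS_NOSUID|MS_NOEXEC,` on it would keep credential files from being executed, and if it is not, a one-line comment saying the bind inherits the source's mount flags would spare the next reader the question. The existing comment could also state the dependency the hiding rests on, e.g. `/* The tmpfs hides every other unit's credential directory; the bind mount re-exposes only ours, read-only, and relies on being applied after the tmpfs. */`. The enclosing function extends beyond this hunk on both sides.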
size_t n_mount_images,
const char *tmp_dir,
const char *var_tmp_dir,
+ const char *creds_path,
const char *log_namespace,
unsigned long mount_flags,
const void *root_hash,
NULL,
NULL,
NULL,
+ NULL,
0,
NULL,
0,
tmp_dir,
var_tmp_dir,
NULL,
+ NULL,
0,
NULL,
0,