Remount /dev/mqueue in unshared mount namespace for PrivateIPC 18615/head
authorXℹ Ruoyao <xry111@mengyan1223.wang>
Wed, 3 Mar 2021 16:08:09 +0000 (00:08 +0800)
committerXℹ Ruoyao <xry111@mengyan1223.wang>
Wed, 3 Mar 2021 16:08:09 +0000 (00:08 +0800)
src/core/execute.c
src/core/namespace.c
src/core/namespace.h

index 684b5a233e7919dc12df7ab2d76f130bb395e494..0214cee65e3809e60e7706456aeb5e3c3360c724 100644 (file)
@@ -2037,7 +2037,9 @@ bool exec_needs_mount_namespace(
             context->protect_kernel_logs ||
             context->protect_control_groups ||
             context->protect_proc != PROTECT_PROC_DEFAULT ||
-            context->proc_subset != PROC_SUBSET_ALL)
+            context->proc_subset != PROC_SUBSET_ALL ||
+            context->private_ipc ||
+            context->ipc_namespace_path)
                 return true;
 
         if (context->root_directory) {
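Review bot: The two new conditions silently widen the set of units that get a mount namespace (PrivateIPC= or IPCNamespacePath= alone now implies one), and nothing in the hunk says why, which will surprise the next person wondering why an IPC-only option affects mounts. A one-line comment above the added lines would carry the reason: `/* PrivateIPC=/IPCNamespacePath= need /dev/mqueue remounted from inside the IPC namespace, see setup_namespace() */`. Also, `context->ipc_namespace_path` is a pointer used as a truth value here; it is valid C but the file's other pointer tests in boolean sums use `!!`, so `!!context->ipc_namespace_path` would read more consistently. exec_needs_mount_namespace() starts before this hunk.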
@@ -3178,6 +3180,7 @@ static int apply_mount_namespace(
                         .protect_system = context->protect_system,
                         .protect_proc = context->protect_proc,
                         .proc_subset = context->proc_subset,
+                        .private_ipc = context->private_ipc || context->ipc_namespace_path,
                 };
         } else if (!context->dynamic_user && root_dir)
                 /*
index d484ce7d67fd55a5c41b02d58916dd9888b55290..c5897c6c944be52fda33757abdf39c6c5663cb01 100644 (file)
@@ -64,6 +64,7 @@ typedef enum MountMode {
         EXEC,
         TMPFS,
         EXTENSION_IMAGES, /* Mounted outside the root directory, and used by subsequent mounts */
+        MQUEUEFS,
         READWRITE_IMPLICIT, /* Should have the lowest priority. */
         _MOUNT_MODE_MAX,
 } MountMode;
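Review bot: MQUEUEFS is inserted right above READWRITE_IMPLICIT without a comment, while the neighbouring entry explicitly says "Should have the lowest priority", which suggests the position in this enum is meaningful and a reader cannot tell whether the new slot was chosen deliberately. If the ordering matters for how overlapping entries are resolved (I cannot see the comparison code from here), a short comment would document the intent: `MQUEUEFS, /* fresh mqueue instance for the unit's IPC namespace, see mount_mqueuefs() */`.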
@@ -228,6 +229,7 @@ static const char * const mount_mode_table[_MOUNT_MODE_MAX] = {
         [READWRITE_IMPLICIT]   = "rw-implicit",
         [EXEC]                 = "exec",
         [NOEXEC]               = "noexec",
+        [MQUEUEFS]             = "mqueuefs",
 };
 
 DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(mount_mode, MountMode);
@@ -1113,6 +1115,24 @@ static int mount_run(const MountEntry *m) {
         return mount_tmpfs(m);
 }
 
+static int mount_mqueuefs(const MountEntry *m) {
+        int r;
+        const char *entry_path;
+
+        assert(m);
+
+        entry_path = mount_entry_path(m);
+
+        (void) mkdir_p_label(entry_path, 0755);
+        (void) umount_recursive(entry_path, 0);
+
+        r = mount_nofollow_verbose(LOG_DEBUG, "mqueue", entry_path, "mqueue", m->flags, mount_entry_options(m));
+        if (r < 0)
+                return r;
+
+        return 0;
+}
+
 static int mount_image(const MountEntry *m, const char *root_directory) {
 
         _cleanup_free_ char *host_os_release_id = NULL, *host_os_release_version_id = NULL,
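Review bot: mount_mqueuefs() has no comment explaining why a plain bind or leaving the host mount alone is not enough, and the security reason is the whole point of the change: an mqueue filesystem instance belongs to the IPC namespace of the process that mounted it, so an inherited /dev/mqueue would still expose the host's queues even after PrivateIPC= unshared the IPC namespace. I would put that at the top of the function, together with the ordering dependency it implies, e.g. `/* mqueue instances are bound to the mounter's IPC namespace: this must run after the IPC namespace has been unshared/joined, otherwise the unit keeps seeing the host's queues. */` — I assume exec_child() already enters the IPC namespace before apply_mount_namespace(), but that is not visible here and is worth confirming. Separately, a failure of the mount call now fails the whole service start; on a kernel built without POSIX message queue support the mount presumably returns -ENODEV while PrivateIPC= itself would still work, so consider whether that case should be tolerated with a debug log rather than turning PrivateIPC= into a hard failure there. The `(void)` on umount_recursive() is fine since the fresh mount stacks on top either way, but a short comment saying so would help.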
@@ -1317,6 +1337,9 @@ static int apply_one_mount(
         case RUN:
                 return mount_run(m);
 
+        case MQUEUEFS:
+                return mount_mqueuefs(m);
+
         case MOUNT_IMAGES:
                 return mount_image(m, NULL);
 
@@ -1516,7 +1539,8 @@ static size_t namespace_calculate_mounts(
                 (creds_path ? 2 : 1) +
                 !!log_namespace +
                 setup_propagate + /* /run/systemd/incoming */
-                !!notify_socket;
+                !!notify_socket +
+                ns_info->private_ipc; /* /dev/mqueue */
 }
 
 static void normalize_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) {
@@ -2027,6 +2051,14 @@ int setup_namespace(
                         };
                 }
 
+                if (ns_info->private_ipc) {
+                        *(m++) = (MountEntry) {
+                                .path_const = "/dev/mqueue",
+                                .mode = MQUEUEFS,
+                                .flags = MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME,
+                        };
+                }
+
                 if (creds_path) {
                         /* If our service has a credentials store configured, then bind that one in, but hide
                          * everything else. */
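Review bot: The new MountEntry block is the only one in this stretch without a comment; the neighbouring creds_path block explains its purpose, and this one should too, since `/dev/mqueue` being remounted for an IPC option is not self-explanatory: `/* The host's mqueue belongs to the host IPC namespace; mount a fresh instance so the unit only sees queues of its own namespace. */`. The flags `MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME` look like the usual defaults for this filesystem, but stating that in the comment (or reusing whatever constant the file uses for the other API filesystems, if one exists outside this view) would make the choice reviewable. setup_namespace() starts and ends outside this hunk.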
index 81bce8255508a7d251d56dbb5565ec16866ee007..2806db8fd1bf0aace57b52a8d4628f39f77ace16 100644 (file)
@@ -73,6 +73,7 @@ struct NamespaceInfo {
         bool protect_kernel_logs;
         bool mount_apivfs;
         bool protect_hostname;
+        bool private_ipc;
         ProtectHome protect_home;
         ProtectSystem protect_system;
         ProtectProc protect_proc;