From: Lennart Poettering
Date: Tue, 18 Dec 2018 23:01:22 +0000 (+0100)
Subject: nspawn: explicitly refuse mounts over /
X-Git-Tag: v242-rc1~217^2~17
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=0646d3c3dd27bab1ec6bd73c37325318f8578393;p=thirdparty%2Fsystemd.git

nspawn: explicitly refuse mounts over /

Previously this would fail later on, but let's filter this out at the time of parsing.
---

diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c
index a9af889747b..1c0c6d8ff1b 100644
--- a/src/nspawn/nspawn-mount.c
+++ b/src/nspawn/nspawn-mount.c
@@ -212,6 +212,8 @@ int bind_mount_parse(CustomMount **l, size_t *n, const char *s, bool read_only)
 if (!path_is_absolute(destination))
 return -EINVAL;
+ if (empty_or_root(destination))
+ return -EINVAL;
 m = custom_mount_add(l, n, CUSTOM_MOUNT_BIND);
 if (!m)
@@ -251,6 +253,8 @@ int tmpfs_mount_parse(CustomMount **l, size_t *n, const char *s) {
 if (!path_is_absolute(path))
 return -EINVAL;
+ if (empty_or_root(path))
+ return -EINVAL;
 m = custom_mount_add(l, n, CUSTOM_MOUNT_TMPFS);
 if (!m)
@@ -310,6 +314,9 @@ int overlay_mount_parse(CustomMount **l, size_t *n, const char *s, bool read_onl
 return -EINVAL;
 }
+ if (empty_or_root(destination))
+ return -EINVAL;
+
 m = custom_mount_add(l, n, CUSTOM_MOUNT_OVERLAY);
 if (!m)
 return -ENOMEM;
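Review bot: The new `empty_or_root(destination)` guard in bind_mount_parse() runs on the destination string as parsed, and nothing in the hunk shows it being normalized first, so whether spellings equivalent to the root (for example a path ending in a `.` or `..` component) are refused depends on how `empty_or_root()` compares paths, which is not visible here. If it only matches the empty string and runs of slashes, those inputs still rely on the later failure the commit message mentions; consider simplifying the path before the check, or rejecting `.`/`..` components at parse time. The same applies to the `path` check in tmpfs_mount_parse() and the `destination` check in overlay_mount_parse(). A short comment above each guard would also record the intent, e.g. `/* Refuse mounting over the container's root directory */`. All three function bodies continue outside their hunks.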