From: Lennart Poettering Date: Wed, 21 Oct 2015 23:33:06 +0000 (+0200) Subject: nspawn: don't try to resolve passed binary before entering namespace X-Git-Tag: v228~164^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=16fb773ee33a5b4e85605bf18a0572bead1b8224;p=thirdparty%2Fsystemd.git nspawn: don't try to resolve passed binary before entering namespace Othewise we might follow the symlinks on the host, instead of the container. Fixes #1400
---
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 4093f58e3d0..99e24cf4ff7 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -3148,10 +3148,9 @@ int main(int argc, char *argv[]) {
 } else {
 const char *p;
- p = strjoina(arg_directory,
- argc > optind && path_is_absolute(argv[optind]) ? argv[optind] : "/usr/bin/");
- if (access(p, F_OK) < 0) {
- log_error("Directory %s lacks the binary to execute or doesn't look like a binary tree. Refusing.", arg_directory);
+ p = strjoina(arg_directory, "/usr/");
+ if (laccess(p, F_OK) < 0) {
+ log_error("Directory %s doesn't look like it has an OS tree. Refusing.", arg_directory);
 r = -EINVAL;
 goto finish;
 }
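Review bot: The trailing slash in `strjoina(arg_directory, "/usr/")` likely undoes the no-follow intent of `laccess()` for the last path component: on Linux a path ending in `/` is resolved through a final symlink even under a no-follow lookup, so a container tree whose `usr` is a symlink would still have that link resolved in the host's namespace. Assuming `laccess()` is an lstat-style existence check (its definition is not in this hunk), `p = strjoina(arg_directory, "/usr");` would keep the test inside the tree, at the cost of also accepting a dangling or non-directory `usr`. It would also help to record why the binary is no longer checked here, e.g. `/* The binary is resolved only after entering the container; checking it here would follow symlinks on the host. */`. main() starts and continues outside the hunk.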