From: Yu Watanabe Date: Fri, 25 May 2018 08:25:17 +0000 (+0900) Subject: core: make StateDirectory= or friends works with DynamicUser= and RootDirectory=... X-Git-Tag: v239~194^2~1 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5609f6888ba4cbe706ba415e5a94e09d6ef4c122;p=thirdparty%2Fsystemd.git core: make StateDirectory= or friends works with DynamicUser= and RootDirectory=/RootImage= The symbolic links to private directories specified by StateDirectory= or its friends are created on the host. So, when DynamicUser= and RootDirectory=/RootImage= are set, then the executed process cannot access private directory. This makes the private directories are mounted on the non-private place when both DynamicUser= and RootDirectory=/RootImage= are set. Fixes #8965. --- diff --git a/src/core/execute.c b/src/core/execute.c index 939bc12b565..285fe5bf397 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -2220,7 +2220,8 @@ static int compile_bind_mounts( continue; if (context->dynamic_user && - !IN_SET(t, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION)) { + !IN_SET(t, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION) && + !(context->root_directory || context->root_image)) { char *private_root; /* So this is for a dynamic user, and we need to make sure the process can access its own @@ -2251,7 +2252,15 @@ static int compile_bind_mounts( goto finish; } - d = strdup(s); + if (context->dynamic_user && + !IN_SET(t, EXEC_DIRECTORY_RUNTIME, EXEC_DIRECTORY_CONFIGURATION) && + (context->root_directory || context->root_image)) + /* When RootDirectory= or RootImage= are set, then the symbolic link to the private + * directory is not created on the root directory. So, let's bind-mount the directory + * on the 'non-private' place. */ + d = strjoin(params->prefix[t], "/", *suffix); + else + d = strdup(s); if (!d) { free(s); r = -ENOMEM;