From: Luca Boccassi
Date: Thu, 19 Oct 2023 15:00:00 +0000 (+0100)
Subject: mount tunnel: use PidRef
X-Git-Tag: v255-rc1~196^2~1
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5f48198af82e5a6f40adf887291fdd47bcecf64c;p=thirdparty%2Fsystemd.git
mount tunnel: use PidRef
---
diff --git a/src/core/dbus-service.c b/src/core/dbus-service.c
index 5bc487bc399..41f4ee399ef 100644
--- a/src/core/dbus-service.c
+++ b/src/core/dbus-service.c
@@ -198,7 +198,7 @@ static int bus_service_method_mount(sd_bus_message *message, void *userdata, sd_
 propagate_directory = strjoina("/run/systemd/propagate/", u->id);
 if (is_image)
 r = mount_image_in_namespace(
- unit_pid->pid,
+ unit_pid,
 propagate_directory,
 "/run/systemd/incoming/",
 src, dest,
@@ -208,7 +208,7 @@ static int bus_service_method_mount(sd_bus_message *message, void *userdata, sd_
 c->mount_image_policy ?: &image_policy_service);
 else
 r = bind_mount_in_namespace(
- unit_pid->pid,
+ unit_pid,
 propagate_directory,
 "/run/systemd/incoming/",
 src, dest,
diff --git a/src/machine/machine-dbus.c b/src/machine/machine-dbus.c
index 6341335c4dd..347cc9b0c0b 100644
--- a/src/machine/machine-dbus.c
+++ b/src/machine/machine-dbus.c
@@ -881,7 +881,7 @@ int bus_machine_method_bind_mount(sd_bus_message *message, void *userdata, sd_bu
 propagate_directory = strjoina("/run/systemd/nspawn/propagate/", m->name);
 r = bind_mount_in_namespace(
- m->leader.pid,
+ &m->leader,
 propagate_directory,
 "/run/host/incoming/",
 src, dest,
diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c
index b6d2b6b6159..e385f217773 100644
--- a/src/shared/mount-util.c
+++ b/src/shared/mount-util.c
@@ -1067,7 +1067,7 @@ finish:
 }
 static int mount_in_namespace(
- pid_t target,
+ PidRef *target,
 const char *propagate_path,
 const char *incoming_path,
 const char *src,
@@ -1087,24 +1087,29 @@ static int mount_in_namespace(
 pid_t child;
 int r;
- assert(target > 0);
 assert(propagate_path);
 assert(incoming_path);
 assert(src);
 assert(dest);
 assert(!options || is_image);
- r = namespace_open(target, &pidns_fd, &mntns_fd, NULL, NULL, &root_fd);
+ if (!pidref_is_set(target))
+ return -ESRCH;
+
+ r = namespace_open(target->pid, &pidns_fd, &mntns_fd, NULL, NULL, &root_fd);
 if (r < 0)
 return log_debug_errno(r, "Failed to retrieve FDs of the target process' namespace: %m");
- r = in_same_namespace(target, 0, NAMESPACE_MOUNT);
+ r = in_same_namespace(target->pid, 0, NAMESPACE_MOUNT);
 if (r < 0)
 return log_debug_errno(r, "Failed to determine if mount namespaces are equal: %m");
 /* We can't add new mounts at runtime if the process wasn't started in a namespace */
 if (r > 0)
 return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to activate bind mount in target, not running in a mount namespace");
+ if (pidref_verify(target) < 0)
+ return log_debug_errno(SYNTHETIC_ERRNO(ESRCH), "Failed to verify target process '" PID_FMT "': %m", target->pid);
+
 r = chase(src, NULL, 0, &chased_src_path, &chased_src_fd);
 if (r < 0)
 return log_debug_errno(r, "Failed to resolve source path of %s: %m", src);
@@ -1241,7 +1246,7 @@ static int mount_in_namespace(
 }
 int bind_mount_in_namespace(
- pid_t target,
+ PidRef * target,
 const char *propagate_path,
 const char *incoming_path,
 const char *src,
@@ -1253,7 +1258,7 @@ int bind_mount_in_namespace(
 }
 int mount_image_in_namespace(
- pid_t target,
+ PidRef * target,
 const char *propagate_path,
 const char *incoming_path,
 const char *src,
diff --git a/src/shared/mount-util.h b/src/shared/mount-util.h
index 7c0189480e3..f06fd6de8c6 100644
--- a/src/shared/mount-util.h
+++ b/src/shared/mount-util.h
@@ -10,6 +10,7 @@
 #include "dissect-image.h"
 #include "errno-util.h"
 #include "macro.h"
+#include "pidref.h"
 int repeat_unmount(const char *path, int flags);
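Review bot: The verification added after the mount-namespace check discards pidref_verify()'s own return code and reports a synthetic ESRCH for every failure, so a pidfd error other than "process is gone" is indistinguishable in the debug log and to the caller; keeping the code is a small change: `r = pidref_verify(target);` / `if (r < 0)` / `return log_debug_errno(r, "Failed to verify target process '" PID_FMT "': %m", target->pid);`. The placement itself looks right, since namespace_open() and in_same_namespace() read state by bare PID and the verify afterwards is what catches a PID recycled in between, but nothing in the hunk says so; a comment above the check such as `/* The namespace lookups above went by PID; make sure the PID still refers to the process we pin, so we never act on a recycled PID */` would preserve that reasoning. If a caller's PidRef carries no pidfd the check is presumably only best-effort, which is worth stating in the same comment. mount_in_namespace()'s body continues beyond the hunk.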
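Review bot: The new parameter of bind_mount_in_namespace() is written `PidRef * target`, with a space on both sides of the `*`, while the static mount_in_namespace() above and the header prototypes use `PidRef *target`; the mount_image_in_namespace() hunk that follows has the same spacing. Binding the declarator to the name, `PidRef *target,`, in both places keeps the file consistent with its surrounding declarations. Both function bodies continue outside their hunks.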
@@ -98,8 +99,8 @@ static inline char *umount_and_free(char *p) {
 }
 DEFINE_TRIVIAL_CLEANUP_FUNC(char*, umount_and_free);
-int bind_mount_in_namespace(pid_t target, const char *propagate_path, const char *incoming_path, const char *src, const char *dest, bool read_only, bool make_file_or_directory);
-int mount_image_in_namespace(pid_t target, const char *propagate_path, const char *incoming_path, const char *src, const char *dest, bool read_only, bool make_file_or_directory, const MountOptions *options, const ImagePolicy *image_policy);
+int bind_mount_in_namespace(PidRef *target, const char *propagate_path, const char *incoming_path, const char *src, const char *dest, bool read_only, bool make_file_or_directory);
+int mount_image_in_namespace(PidRef *target, const char *propagate_path, const char *incoming_path, const char *src, const char *dest, bool read_only, bool make_file_or_directory, const MountOptions *options, const ImagePolicy *image_policy);
 int make_mount_point(const char *path);
 int fd_make_mount_point(int fd);
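Review bot: The two prototypes change their first parameter's type but say nothing about the new failure mode: in mount-util.c the shared helper now returns -ESRCH when the PidRef is unset or no longer verifies against the process it pins, where the pid_t version asserted instead, and callers read these declarations rather than the static helper. A short comment above the pair, e.g. `/* Both return -ESRCH if target is unset, or no longer refers to the pinned process when verified */`, would tell callers what to expect.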