From: Yu Watanabe <watanabe.yu+github@gmail.com>
Date: Wed, 8 Nov 2017 06:26:40 +0000 (+0900)
Subject: core/execute: RuntimeDirectory= or friends requires mount namespace
X-Git-Tag: v236~258^2~3
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=652bb2637aee54e3503a22d2928a929ecd7a84b3;p=thirdparty%2Fsystemd.git

core/execute: RuntimeDirectory= or friends requires mount namespace

Since #6940, RuntimeDirectory= or their friends imply BindPaths=.
So, if at least one of them are set, mount namespace is required.
---

diff --git a/src/core/execute.c b/src/core/execute.c
index 80e5d9d30c7..3fb832d6fd4 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -1705,7 +1705,12 @@ static bool exec_needs_mount_namespace(
             !strv_isempty(context->inaccessible_paths))
                 return true;
 
-        if (context->n_bind_mounts > 0)
+        if (context->n_bind_mounts > 0 ||
+            !strv_isempty(context->directories[EXEC_DIRECTORY_RUNTIME].paths) ||
+            !strv_isempty(context->directories[EXEC_DIRECTORY_STATE].paths) ||
+            !strv_isempty(context->directories[EXEC_DIRECTORY_CACHE].paths) ||
+            !strv_isempty(context->directories[EXEC_DIRECTORY_LOGS].paths) ||
+            !strv_isempty(context->directories[EXEC_DIRECTORY_CONFIGURATION].paths))
                 return true;
 
         if (context->mount_flags != 0)
@@ -1725,13 +1730,6 @@ static bool exec_needs_mount_namespace(
         if (context->mount_apivfs && (context->root_image || context->root_directory))
                 return true;
 
-        if (context->dynamic_user &&
-            (!strv_isempty(context->directories[EXEC_DIRECTORY_RUNTIME].paths) ||
-             !strv_isempty(context->directories[EXEC_DIRECTORY_STATE].paths) ||
-             !strv_isempty(context->directories[EXEC_DIRECTORY_CACHE].paths) ||
-             !strv_isempty(context->directories[EXEC_DIRECTORY_LOGS].paths)))
-                return true;
-
         return false;
 }