From: Lennart Poettering
Date: Wed, 4 Apr 2018 08:14:25 +0000 (+0200)
Subject: namespace: don't consider raw image read-only if /home in it is writable
X-Git-Tag: v239~391^2~3
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=c9ef8573be8e170fc0166d58406c4f9805fa323e;p=thirdparty%2Fsystemd.git
namespace: don't consider raw image read-only if /home in it is writable
---
diff --git a/src/core/namespace.c b/src/core/namespace.c
index e138d3ba02a..0cce2b45845 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -1105,7 +1105,9 @@ int setup_namespace(
 if (root_image) {
 dissect_image_flags |= DISSECT_IMAGE_REQUIRE_ROOT;
- if (protect_system == PROTECT_SYSTEM_STRICT && strv_isempty(read_write_paths))
+ if (protect_system == PROTECT_SYSTEM_STRICT &&
+ protect_home != PROTECT_HOME_NO &&
+ strv_isempty(read_write_paths))
 dissect_image_flags |= DISSECT_IMAGE_READ_ONLY;
 r = loop_device_make_by_path(root_image,
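Review bot: The three-clause condition that sets `DISSECT_IMAGE_READ_ONLY` has no comment explaining why `protect_home` takes part in it, and the invariant it encodes (attach the image read-only only when nothing inside it stays writable) is easy to break in a later edit. I would add above the `if`: `/* Attach the image read-only only if nothing in it can remain writable: strict system protection, some form of home protection, and no ReadWritePaths= */`. Because the test is written as `protect_home != PROTECT_HOME_NO`, every other enum value, including any added later, selects the read-only attach. That fails closed, but it is presumably worth confirming that each existing mode really leaves the image's /home unwritten, and the comment should say so. setup_namespace() begins and ends outside the hunk.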