diff --git a/src/core/execute.c b/src/core/execute.c
index d2c684f44b53f..879078a76fb11 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2071,55 +2071,6 @@ static int setup_smack(
 return 0;
 }
-static int compile_read_write_paths(
- const ExecContext *context,
- const ExecParameters *params,
- char ***ret) {
-
- _cleanup_strv_free_ char **l = NULL;
- char **rt;
- ExecDirectoryType i;
-
- /* Compile the list of writable paths. This is the combination of
- * the explicitly configured paths, plus all runtime directories. */
-
- if (strv_isempty(context->read_write_paths)) {
- for (i = 0; i < _EXEC_DIRECTORY_TYPE_MAX; i++)
- if (!strv_isempty(context->directories[i].paths))
- break;
-
- if (i == _EXEC_DIRECTORY_TYPE_MAX) {
- *ret = NULL; /* NOP if neither is set */
- return 0;
- }
- }
-
- l = strv_copy(context->read_write_paths);
- if (!l)
- return -ENOMEM;
-
- for (i = 0; i < _EXEC_DIRECTORY_TYPE_MAX; i++) {
- if (!params->prefix[i])
- continue;
-
- STRV_FOREACH(rt, context->directories[i].paths) {
- char *s;
-
- s = strjoin(params->prefix[i], "/", *rt);
- if (!s)
- return -ENOMEM;
-
- if (strv_consume(&l, s) < 0)
- return -ENOMEM;
- }
- }
-
- *ret = l;
- l = NULL;
-
- return 0;
-}
-
 static int compile_bind_mounts(
 const ExecContext *context,
 const ExecParameters *params,
@@ -2264,7 +2215,7 @@ static int apply_mount_namespace(
 const ExecParameters *params,
 ExecRuntime *runtime) {
- _cleanup_strv_free_ char **rw = NULL, **empty_directories = NULL;
+ _cleanup_strv_free_ char **empty_directories = NULL;
 char *tmp = NULL, *var = NULL;
 const char *root_dir = NULL, *root_image = NULL;
 NamespaceInfo ns_info = {
@@ -2293,10 +2244,6 @@ static int apply_mount_namespace(
 var = strjoina(runtime->var_tmp_dir, "/tmp");
 }
- r = compile_read_write_paths(context, params, &rw);
- if (r < 0)
- return r;
-
 if (params->flags & EXEC_APPLY_CHROOT) {
 root_image = context->root_image;
@@ -2319,7 +2266,7 @@ static int apply_mount_namespace(
 needs_sandboxing = (params->flags & EXEC_APPLY_SANDBOXING) && !(command->flags & EXEC_COMMAND_FULLY_PRIVILEGED);
 r = setup_namespace(root_dir, root_image,
- &ns_info, rw,
+ &ns_info, context->read_write_paths,
 needs_sandboxing ? context->read_only_paths : NULL,
 needs_sandboxing ? context->inaccessible_paths : NULL,
 empty_directories,
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 9624d8aa69d31..33349f288e1f7 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -191,7 +191,7 @@ static void mount_entry_done(MountEntry *p) {
 p->source_malloc = mfree(p->source_malloc);
 }
-static int append_access_mounts(MountEntry **p, char **strv, MountMode mode) {
+static int append_access_mounts(MountEntry **p, char **strv, MountMode mode, bool forcibly_require_prefix) {
 char **i;
 assert(p);
@@ -219,7 +219,7 @@ static int append_access_mounts(MountEntry **p, char **strv, MountMode mode) {
 .path_const = e,
 .mode = mode,
 .ignore = ignore,
- .has_prefix = !needs_prefix,
+ .has_prefix = !needs_prefix && !forcibly_require_prefix,
 };
 }
@@ -983,6 +983,7 @@ int setup_namespace(
 bool make_slave = false;
 const char *root;
 unsigned n_mounts;
+ bool require_prefix = false;
 int r = 0;
 assert(ns_info);
@@ -1027,6 +1028,7 @@ int setup_namespace(
 root = "/run/systemd/unit-root";
 (void) mkdir_label(root, 0700);
+ require_prefix = true;
 } else
 root = NULL;
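Review bot: Passing `context->read_write_paths` straight into setup_namespace() drops the per-type `context->directories[i].paths` entries that the removed compile_read_write_paths() used to append under `params->prefix[i]`, so this call no longer makes those directories writable inside the mount namespace. Unless they are now covered elsewhere (compile_bind_mounts() sits right below the removed function, but its body is not part of the diff), a service whose only write access to them came from this list would regress silently. The commit does not document that hand-over, so a comment at the call site would make the dependency explicit, e.g. `/* per-type directories are no longer folded into read_write_paths here; they must be covered by the bind-mount list instead */`. apply_mount_namespace() starts before this hunk and continues after it.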
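Review bot: The new `forcibly_require_prefix` parameter of append_access_mounts() is undocumented, and the three call sites in setup_namespace() pass it as a bare positional bool under a different name (`require_prefix`), so a reader of either side cannot tell what true means without reading the other. A comment on the signature such as `/* forcibly_require_prefix: treat every entry as relative to the namespace root, overriding the per-entry needs_prefix detection */` would close that gap; the same applies to the `.has_prefix = !needs_prefix && !forcibly_require_prefix` hunk below, where the per-entry value is overridden unconditionally. If `needs_prefix` is a user-visible per-path opt-in (its derivation is above that hunk and not shown), the unit-file documentation should say it is now implied whenever the namespace root is set. The body of append_access_mounts() continues past the end of this hunk.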
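Review bot: `require_prefix = true;` is set in the branch that selects `/run/systemd/unit-root` as the root, but nothing at the assignment says why, and the enclosing if starts before this hunk so its condition is not visible here. A one-line why-comment would help the next reader, e.g. `/* with a private root every access path is interpreted inside that root, so force prefixing below */`. The flag is consumed only by the three append_access_mounts() calls in the next hunk of this file, which is a long way from where it is decided.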
@@ -1047,15 +1049,15 @@ int setup_namespace(
 if (n_mounts > 0) {
 m = mounts = (MountEntry *) alloca0(n_mounts * sizeof(MountEntry));
- r = append_access_mounts(&m, read_write_paths, READWRITE);
+ r = append_access_mounts(&m, read_write_paths, READWRITE, require_prefix);
 if (r < 0)
 goto finish;
- r = append_access_mounts(&m, read_only_paths, READONLY);
+ r = append_access_mounts(&m, read_only_paths, READONLY, require_prefix);
 if (r < 0)
 goto finish;
- r = append_access_mounts(&m, inaccessible_paths, INACCESSIBLE);
+ r = append_access_mounts(&m, inaccessible_paths, INACCESSIBLE, require_prefix);
 if (r < 0)
 goto finish;