diff options
| author | Anita Zhang <the.anitazha@gmail.com> | 2019-11-19 14:24:52 -0800 |
|---|---|---|
| committer | Anita Zhang <the.anitazha@gmail.com> | 2019-12-18 11:09:30 -0800 |
| commit | e5f10cafe0bb1034505cba934cd6fae5f332b1dc (patch) | |
| tree | 73b0aeade6ba5c0a0fb527449d3cecb394f9eb5a /src/nspawn | |
| parent | a49ad4c482b8336f62f53da1a574e5b57e803271 (diff) | |
| download | systemd-e5f10cafe0bb1034505cba934cd6fae5f332b1dc.tar.gz | |
core: create inaccessible nodes for users when making runtime dirs
To support ProtectHome=y in a user namespace (which mounts the inaccessible
nodes), the nodes need to be accessible by the user. Create these paths and
devices in the user runtime directory so they can be used later if needed.
Diffstat (limited to 'src/nspawn')
| -rw-r--r-- | src/nspawn/nspawn-mount.c | 7 | ||||
| -rw-r--r-- | src/nspawn/nspawn.c | 5 |
2 files changed, 8 insertions, 4 deletions
diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c index 0fb83a4ff3..f423f62590 100644 --- a/src/nspawn/nspawn-mount.c +++ b/src/nspawn/nspawn-mount.c @@ -883,8 +883,7 @@ static int mount_overlay(const char *dest, CustomMount *m) { } static int mount_inaccessible(const char *dest, CustomMount *m) { - _cleanup_free_ char *where = NULL; - const char *source; + _cleanup_free_ char *where = NULL, *source = NULL; struct stat st; int r; @@ -897,7 +896,9 @@ static int mount_inaccessible(const char *dest, CustomMount *m) { return m->graceful ? 0 : r; } - assert_se(source = mode_to_inaccessible_node(st.st_mode)); + r = mode_to_inaccessible_node("/run/systemd", st.st_mode, &source); + if (r < 0) + return m->graceful ? 0 : r; r = mount_verbose(m->graceful ? LOG_DEBUG : LOG_ERR, source, where, NULL, MS_BIND, NULL); if (r < 0) diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 27ea592158..9113f6e323 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -3252,6 +3252,7 @@ static int outer_child( int netns_fd) { _cleanup_close_ int fd = -1; + const char *p; pid_t pid; ssize_t l; int r; @@ -3447,7 +3448,9 @@ static int outer_child( return r; (void) dev_setup(directory, arg_uid_shift, arg_uid_shift); - (void) make_inaccessible_nodes(directory, arg_uid_shift, arg_uid_shift); + + p = prefix_roota(directory, "/run/systemd"); + (void) make_inaccessible_nodes(p, arg_uid_shift, arg_uid_shift); r = setup_pts(directory); if (r < 0) |