diff options
| author | Jan Synacek <jsynacek@redhat.com> | 2018-06-12 10:03:08 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2018-06-14 10:25:16 +0200 |
| commit | 0722b359342d2a9f9e0d453875624387a0ba1be2 (patch) | |
| tree | 478905767e84f09ab586e7b421b2251051cc2646 | |
| parent | c7e6744fa8a1f7fe6254c8731f164799e82154fc (diff) | |
| download | systemd-0722b359342d2a9f9e0d453875624387a0ba1be2.tar.gz | |
namespace: always use a root directory when setting up namespace
1) mv /var/tmp /var/tmp.old
2) mkdir /tmp/varrr
3) ln -s /tmp/varrr /var/tmp
Now, when a service has PrivateTmp=yes, during namespace setup,
/tmp is first mounted over with a new mount. Then, when /var/tmp
is being resolved, it points to /tmp/varrr, which by then doesn't
exist, because it had already been obscured.
| -rw-r--r-- | src/core/namespace.c | 16 |
1 files changed, 7 insertions, 9 deletions
diff --git a/src/core/namespace.c b/src/core/namespace.c index bb19e18e43..ae2b920503 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -1173,19 +1173,17 @@ int setup_namespace( if (root_directory) root = root_directory; - else if (root_image || n_bind_mounts > 0 || n_temporary_filesystems > 0) { - - /* If we are booting from an image, create a mount point for the image, if it's still missing. We use - * the same mount point for all images, which is safe, since they all live in their own namespaces - * after all, and hence won't see each other. We also use such a root directory whenever there are bind - * mounts configured, so that their source mounts are never obstructed by mounts we already applied - * while we are applying them. */ + else { + /* Always create the mount namespace in a temporary directory, instead of operating + * directly in the root. The temporary directory prevents any mounts from being + * potentially obscured my other mounts we already applied. + * We use the same mount point for all images, which is safe, since they all live + * in their own namespaces after all, and hence won't see each other. */ root = "/run/systemd/unit-root"; (void) mkdir_label(root, 0700); require_prefix = true; - } else - root = NULL; + } n_mounts = namespace_calculate_mounts( root, |