diff options
| author | Anita Zhang <the.anitazha@gmail.com> | 2019-11-19 14:24:52 -0800 |
|---|---|---|
| committer | Anita Zhang <the.anitazha@gmail.com> | 2019-12-18 11:09:30 -0800 |
| commit | e5f10cafe0bb1034505cba934cd6fae5f332b1dc (patch) | |
| tree | 73b0aeade6ba5c0a0fb527449d3cecb394f9eb5a /src/shared/dev-setup.c | |
| parent | a49ad4c482b8336f62f53da1a574e5b57e803271 (diff) | |
| download | systemd-e5f10cafe0bb1034505cba934cd6fae5f332b1dc.tar.gz | |
core: create inaccessible nodes for users when making runtime dirs
To support ProtectHome=y in a user namespace (which mounts the inaccessible
nodes), the nodes need to be accessible by the user. Create these paths and
devices in the user runtime directory so they can be used later if needed.
Diffstat (limited to 'src/shared/dev-setup.c')
| -rw-r--r-- | src/shared/dev-setup.c | 18 |
1 files changed, 9 insertions, 9 deletions
diff --git a/src/shared/dev-setup.c b/src/shared/dev-setup.c index 071ff7b30c..4bce8b167b 100644 --- a/src/shared/dev-setup.c +++ b/src/shared/dev-setup.c @@ -61,20 +61,20 @@ int make_inaccessible_nodes(const char *root, uid_t uid, gid_t gid) { const char *name; mode_t mode; } table[] = { - { "/run/systemd", S_IFDIR | 0755 }, - { "/run/systemd/inaccessible", S_IFDIR | 0000 }, - { "/run/systemd/inaccessible/reg", S_IFREG | 0000 }, - { "/run/systemd/inaccessible/dir", S_IFDIR | 0000 }, - { "/run/systemd/inaccessible/fifo", S_IFIFO | 0000 }, - { "/run/systemd/inaccessible/sock", S_IFSOCK | 0000 }, + { "", S_IFDIR | 0755 }, + { "/inaccessible", S_IFDIR | 0000 }, + { "/inaccessible/reg", S_IFREG | 0000 }, + { "/inaccessible/dir", S_IFDIR | 0000 }, + { "/inaccessible/fifo", S_IFIFO | 0000 }, + { "/inaccessible/sock", S_IFSOCK | 0000 }, /* The following two are likely to fail if we lack the privs for it (for example in an userns * environment, if CAP_SYS_MKNOD is missing, or if a device node policy prohibit major/minor of 0 * device nodes to be created). But that's entirely fine. Consumers of these files should carry - * fallback to use a different node then, for example /run/systemd/inaccessible/sock, which is close + * fallback to use a different node then, for example <root>/inaccessible/sock, which is close * enough in behaviour and semantics for most uses. */ - { "/run/systemd/inaccessible/chr", S_IFCHR | 0000 }, - { "/run/systemd/inaccessible/blk", S_IFBLK | 0000 }, + { "/inaccessible/chr", S_IFCHR | 0000 }, + { "/inaccessible/blk", S_IFBLK | 0000 }, }; _cleanup_umask_ mode_t u; |