
Commit 52b3d65

committed
namespace: move protect_{home|system} into NamespaceInfo
it's not entirely clear what shall be passed via parameter and what via struct, but these two definitely fit well with the other protect_xyz fields, hence let's move them over. We probably should move a lot more fields into the structure actually (most? all even?).
1 parent 68dd195 commit 52b3d65


5 files changed

+16
-25
lines changed


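--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2650,6 +2650,8 @@ static int apply_mount_namespace(
 .protect_hostname = context->protect_hostname,
 .mount_apivfs = context->mount_apivfs,
 .private_mounts = context->private_mounts,
+.protect_home = context->protect_home,
+.protect_system = context->protect_system,
 };
 } else if (!context->dynamic_user && root_dir)
 /*
@@ -2680,8 +2682,6 @@ static int apply_mount_namespace(
 tmp_dir,
 var_tmp_dir,
 context->log_namespace,
-needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
-needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
 context->mount_flags,
 context->root_hash, context->root_hash_size, context->root_hash_path,
 context->root_hash_sig, context->root_hash_sig_size, context->root_hash_sig_path,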
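Review bot: The guarantee that `protect_home` and `protect_system` are off when `needs_sandboxing` is false is now implicit instead of being enforced at the call: the two fields are only assigned in the initializer at new lines 2653-2654, which appears to belong to the sandboxing branch (the `} else if (!context->dynamic_user && root_dir)` follows it). The other branches are outside the hunk, so the old behaviour only holds if they zero-initialize `ns_info` and if the `*_NO` enumerators are 0; the same assumption now applies to every caller that builds a `NamespaceInfo` with the fields added in src/core/namespace.h. I would pin it next to the struct with `assert_cc(PROTECT_HOME_NO == 0);` and `assert_cc(PROTECT_SYSTEM_NO == 0);`, and add a comment on the initializer such as `/* protect_home/protect_system stay at PROTECT_*_NO unless sandboxing applies */`. apply_mount_namespace() starts and ends outside both hunks.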

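--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -1233,25 +1233,23 @@ static size_t namespace_calculate_mounts(
 size_t n_mount_images,
 const char* tmp_dir,
 const char* var_tmp_dir,
-const char* log_namespace,
-ProtectHome protect_home,
-ProtectSystem protect_system) {
+const char* log_namespace) {
 
 size_t protect_home_cnt;
 size_t protect_system_cnt =
-(protect_system == PROTECT_SYSTEM_STRICT ?
+(ns_info->protect_system == PROTECT_SYSTEM_STRICT ?
 ELEMENTSOF(protect_system_strict_table) :
-((protect_system == PROTECT_SYSTEM_FULL) ?
+((ns_info->protect_system == PROTECT_SYSTEM_FULL) ?
 ELEMENTSOF(protect_system_full_table) :
-((protect_system == PROTECT_SYSTEM_YES) ?
+((ns_info->protect_system == PROTECT_SYSTEM_YES) ?
 ELEMENTSOF(protect_system_yes_table) : 0)));
 
 protect_home_cnt =
-(protect_home == PROTECT_HOME_YES ?
+(ns_info->protect_home == PROTECT_HOME_YES ?
 ELEMENTSOF(protect_home_yes_table) :
-((protect_home == PROTECT_HOME_READ_ONLY) ?
+((ns_info->protect_home == PROTECT_HOME_READ_ONLY) ?
 ELEMENTSOF(protect_home_read_only_table) :
-((protect_home == PROTECT_HOME_TMPFS) ?
+((ns_info->protect_home == PROTECT_HOME_TMPFS) ?
 ELEMENTSOF(protect_home_tmpfs_table) : 0)));
 
 return !!tmp_dir + !!var_tmp_dir +
@@ -1355,8 +1353,6 @@ int setup_namespace(
 const char* tmp_dir,
 const char* var_tmp_dir,
 const char *log_namespace,
-ProtectHome protect_home,
-ProtectSystem protect_system,
 unsigned long mount_flags,
 const void *root_hash,
 size_t root_hash_size,
@@ -1389,10 +1385,10 @@ int setup_namespace(
 
 /* Make the whole image read-only if we can determine that we only access it in a read-only fashion. */
 if (root_read_only(read_only_paths,
-protect_system) &&
+ns_info->protect_system) &&
 home_read_only(read_only_paths, inaccessible_paths, empty_directories,
 bind_mounts, n_bind_mounts, temporary_filesystems, n_temporary_filesystems,
-protect_home) &&
+ns_info->protect_home) &&
 strv_isempty(read_write_paths))
 dissect_image_flags |= DISSECT_IMAGE_READ_ONLY;
 
@@ -1461,8 +1457,7 @@ int setup_namespace(
 n_temporary_filesystems,
 n_mount_images,
 tmp_dir, var_tmp_dir,
-log_namespace,
-protect_home, protect_system);
+log_namespace);
 
 if (n_mounts > 0) {
 m = mounts = new0(MountEntry, n_mounts);
@@ -1559,11 +1554,11 @@ int setup_namespace(
 };
 }
 
-r = append_protect_home(&m, protect_home, ns_info->ignore_protect_paths);
+r = append_protect_home(&m, ns_info->protect_home, ns_info->ignore_protect_paths);
 if (r < 0)
 goto finish;
 
-r = append_protect_system(&m, protect_system, false);
+r = append_protect_system(&m, ns_info->protect_system, false);
 if (r < 0)
 goto finish;
 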
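Review bot: The per-mode entry counts that namespace_calculate_mounts() derives from `ns_info->protect_system` and `ns_info->protect_home` (new lines 1240-1252) must match exactly what append_protect_system() and append_protect_home() later write through `m`, and nothing in these hunks documents that coupling. The count appears to size the `new0(MountEntry, n_mounts)` array in setup_namespace(), so a table added to one side but not the other would write past the allocation or leave entries unused. Reading both sides from the same struct field helps; I would still add a comment above the two ternary chains, e.g. `/* Keep in sync with append_protect_home()/append_protect_system(): this count sizes the MountEntry array they fill. */`. Both functions start and end outside the hunks shown.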

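--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -57,6 +57,8 @@ struct NamespaceInfo {
 bool protect_kernel_logs:1;
 bool mount_apivfs:1;
 bool protect_hostname:1;
+ProtectHome protect_home;
+ProtectSystem protect_system;
 };
 
 struct BindMount {
@@ -98,8 +100,6 @@ int setup_namespace(
 const char *tmp_dir,
 const char *var_tmp_dir,
 const char *log_namespace,
-ProtectHome protect_home,
-ProtectSystem protect_system,
 unsigned long mount_flags,
 const void *root_hash,
 size_t root_hash_size,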

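--- a/src/test/test-namespace.c
+++ b/src/test/test-namespace.c
@@ -163,8 +163,6 @@ static void test_protect_kernel_logs(void) {
 NULL,
 NULL,
 NULL,
-PROTECT_HOME_NO,
-PROTECT_SYSTEM_NO,
 0,
 NULL,
 0,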

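--- a/src/test/test-ns.c
+++ b/src/test/test-ns.c
@@ -76,8 +76,6 @@ int main(int argc, char *argv[]) {
 tmp_dir,
 var_tmp_dir,
 NULL,
-PROTECT_HOME_NO,
-PROTECT_SYSTEM_NO,
 0,
 NULL,
 0,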
