Hello all,

In Debian/Ubuntu we don't use the merged /usr tree for now. systemd
generally supports that (HAVE_SPLIT_USR), but doesn't consider that
for ProtectSystem=.

Ansgar (CC'ed) wrote a Debian specific patch for that some months ago.
I generalized it for upstream now.

Thanks for considering,

Martin
-- 
Martin Pitt                        | http://www.piware.de
Ubuntu Developer (www.ubuntu.com)  | Debian Developer  (www.debian.org)
From 84133fed054b02702955d9371a553c213a45ee9e Mon Sep 17 00:00:00 2001
From: Martin Pitt <martin.p...@ubuntu.com>
Date: Sun, 19 Oct 2014 11:56:45 -0400
Subject: [PATCH] Apply ProtectSystem to non-merged /usr directories

For systems that don't use a merged /usr, also protect /bin, /sbin, /lib, and
/lib64.

Separately handle /etc (for ProtectSystem=full) to make the code a bit easier
to read.

Replace hard-coded length of systemd dirs list with strv_length() to avoid
pitfalls.
---
 src/core/namespace.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/core/namespace.c b/src/core/namespace.c
index ab03aeb..ac48f4d 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -420,6 +420,12 @@ static int make_read_only(BindMount *m) {
         return r;
 }
 
+#ifdef HAVE_SPLIT_USR
+#define SYSTEM_DIRS STRV_MAKE("/usr", "/bin", "/sbin", "/lib", "-/lib64", "-/boot")
+#else
+#define SYSTEM_DIRS STRV_MAKE("/usr", "-/boot")
+#endif
+
 int setup_namespace(
                 char** read_write_dirs,
                 char** read_only_dirs,
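Review bot: the SYSTEM_DIRS macro introduced at the top of this hunk has no comment saying why the split-/usr variant exists; add one stating that on a non-merged system /bin, /sbin, /lib and /lib64 are real directories, so the read-only bind mount of /usr alone does not cover them. Note also that "-/lib64" is marked optional (leading "-") while "/bin", "/sbin" and "/lib" are mandatory, so a split-/usr host lacking any of those three will fail namespace setup; spell out that assumption in the comment. Since STRV_MAKE expands to a compound literal, each use of SYSTEM_DIRS builds a fresh array; a `static const char* const` array with a fixed element count would avoid the repeated strv_length() in the allocation below.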
@@ -448,7 +454,7 @@ int setup_namespace(
                 strv_length(inaccessible_dirs) +
                 private_dev +
                 (protect_home != PROTECT_HOME_NO ? 3 : 0) +
-                (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
+                (protect_system != PROTECT_SYSTEM_NO ? strv_length(SYSTEM_DIRS) : 0) +
                 (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
 
         if (n > 0) {
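Review bot: the allocation count in this hunk and the append_mounts() calls later in setup_namespace must stay in step, and only the `assert(mounts + n == m)` at the end of the function catches a mismatch. strv_length(SYSTEM_DIRS) counts the "-" prefixed optional entries as well, which is what that assert requires if append_mounts() adds one entry per string regardless of the prefix; a short comment tying this term and the `+ 1` for /etc on the next line to the corresponding append_mounts() calls would keep the next edit from breaking the pairing.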
@@ -496,9 +502,14 @@ int setup_namespace(
                 }
 
                 if (protect_system != PROTECT_SYSTEM_NO) {
-                        r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "-/boot", "/etc") : STRV_MAKE("/usr", "-/boot"), READONLY);
+                        r = append_mounts(&m, SYSTEM_DIRS, READONLY);
                         if (r < 0)
                                 return r;
+                        if (protect_system == PROTECT_SYSTEM_FULL) {
+                                r = append_mounts(&m, STRV_MAKE("/etc"), READONLY);
+                                if (r < 0)
+                                        return r;
+                        }
                 }
 
                 assert(mounts + n == m);
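Review bot: the patch changes which paths ProtectSystem= makes read-only on split-/usr systems, but per the diffstat it only touches src/core/namespace.c; the ProtectSystem= entry in man/systemd.exec.xml should be updated to list /bin, /sbin, /lib and /lib64 alongside /usr and /boot for such systems. On the code, the nested PROTECT_SYSTEM_FULL block preserves the previous order (/usr, /boot, then /etc); a one-line comment that /etc is kept out of SYSTEM_DIRS because it is only read-only for "full" would save the reader a trip to the commit message.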
-- 
2.1.0
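
A check for what ProtectSystem= actually covers, as an added example that is not part of Martin's mail or of systemd: it takes the /proc/self/mountinfo contents as seen from inside a unit's mount namespace (for instance captured from a process started with `systemd-run -p ProtectSystem=yes ...`) and lists which of the split-/usr system directories named in the patch are not under a read-only mount. The sample mount table is constructed to mimic the pre-patch behaviour on a non-merged system; the function name and the sample are this example's own.

```sh
#!/bin/sh
# Added example, not from the original mail or from systemd.
# Given /proc/self/mountinfo contents, report which directories are NOT
# covered by a read-only mount. Field 5 of mountinfo is the mount point,
# field 6 the per-mount options; the longest matching mount point wins.

# Constructed sample: a split-/usr host where only /usr and /boot were
# bind-mounted read-only (what ProtectSystem=yes did before the patch).
SAMPLE_MOUNTINFO='22 1 8:1 / / rw,relatime shared:1 - ext4 /dev/sda1 rw
45 22 8:1 /usr /usr ro,relatime shared:1 - ext4 /dev/sda1 rw
46 22 8:2 / /boot ro,relatime shared:2 - ext4 /dev/sda2 rw
47 22 0:5 / /dev rw,nosuid - devtmpfs devtmpfs rw'

# The directories the patch protects under HAVE_SPLIT_USR.
SYSTEM_DIRS="/usr /bin /sbin /lib /lib64 /boot"

# unprotected_dirs MOUNTINFO DIR... -> prints each DIR whose covering mount
# (the longest mount point that equals it or is a parent component of it)
# does not carry the "ro" option.
unprotected_dirs() {
    mountinfo=$1; shift
    for d in "$@"; do
        printf '%s\n' "$mountinfo" | awk -v dir="$d" '
            {
                mp = $5; opts = $6
                if (mp == dir || mp == "/" || index(dir, mp "/") == 1) {
                    if (length(mp) > best_len) {
                        best_len = length(mp); best_opts = opts
                    }
                }
            }
            END {
                n = split(best_opts, a, ",")
                ro = 0
                for (i = 1; i <= n; i++) if (a[i] == "ro") ro = 1
                if (!ro) print dir
            }'
    done
}

# Stand-alone run against the constructed sample: prints the directories a
# split-/usr system left writable before the patch.
unprotected_dirs "$SAMPLE_MOUNTINFO" $SYSTEM_DIRS
```

The script compares path strings only. On a merged-/usr host /bin, /sbin and /lib are symlinks into /usr, so resolve them first (`readlink -f /bin`) before passing them in, otherwise they are reported as unprotected even though the /usr mount covers their targets.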

_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
