|
|
923a60 |
From ccf46ebc548054f876a418fc2e949a05a74a9c2a Mon Sep 17 00:00:00 2001
|
|
|
923a60 |
From: Lennart Poettering <lennart@poettering.net>
|
|
|
923a60 |
Date: Wed, 13 May 2015 16:34:02 +0200
|
|
|
923a60 |
Subject: [PATCH] core: make exec code a bit more readable
|
|
|
923a60 |
|
|
|
923a60 |
Let's add a function that checks whether we need fs namespacing, to make
|
|
|
923a60 |
things easier to read, instead of using a humungous if expression...
|
|
|
923a60 |
|
|
|
923a60 |
Cherry-picked from: 8b44a3d22c1fdfc5ce5fcb77e38a90ec02ba8019
|
|
|
923a60 |
Related: #1421181
|
|
|
923a60 |
---
|
|
|
923a60 |
src/core/execute.c | 41 +++++++++++++++++++++++++++++++----------
|
|
|
923a60 |
1 file changed, 31 insertions(+), 10 deletions(-)
|
|
|
923a60 |
|
|
|
923a60 |
diff --git a/src/core/execute.c b/src/core/execute.c
|
|
|
923a60 |
index e9b4359a7f..59340ec051 100644
|
|
|
923a60 |
--- a/src/core/execute.c
|
|
|
923a60 |
+++ b/src/core/execute.c
|
|
|
923a60 |
@@ -1256,6 +1256,36 @@ static int build_environment(
|
|
|
923a60 |
return 0;
|
|
|
923a60 |
}
|
|
|
923a60 |
|
|
|
923a60 |
+static bool exec_needs_mount_namespace(
|
|
|
923a60 |
+ const ExecContext *context,
|
|
|
923a60 |
+ const ExecParameters *params,
|
|
|
923a60 |
+ ExecRuntime *runtime) {
|
|
|
923a60 |
+
|
|
|
923a60 |
+ assert(context);
|
|
|
923a60 |
+ assert(params);
|
|
|
923a60 |
+
|
|
|
923a60 |
+ if (!strv_isempty(context->read_write_dirs) ||
|
|
|
923a60 |
+ !strv_isempty(context->read_only_dirs) ||
|
|
|
923a60 |
+ !strv_isempty(context->inaccessible_dirs))
|
|
|
923a60 |
+ return true;
|
|
|
923a60 |
+
|
|
|
923a60 |
+ if (context->mount_flags != 0)
|
|
|
923a60 |
+ return true;
|
|
|
923a60 |
+
|
|
|
923a60 |
+ if (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir))
|
|
|
923a60 |
+ return true;
|
|
|
923a60 |
+
|
|
|
923a60 |
+ if (params->bus_endpoint_path)
|
|
|
923a60 |
+ return true;
|
|
|
923a60 |
+
|
|
|
923a60 |
+ if (context->private_devices ||
|
|
|
923a60 |
+ context->protect_system != PROTECT_SYSTEM_NO ||
|
|
|
923a60 |
+ context->protect_home != PROTECT_HOME_NO)
|
|
|
923a60 |
+ return true;
|
|
|
923a60 |
+
|
|
|
923a60 |
+ return false;
|
|
|
923a60 |
+}
|
|
|
923a60 |
+
|
|
|
923a60 |
static int exec_child(
|
|
|
923a60 |
ExecCommand *command,
|
|
|
923a60 |
const ExecContext *context,
|
|
|
923a60 |
@@ -1563,16 +1593,7 @@ static int exec_child(
|
|
|
923a60 |
}
|
|
|
923a60 |
}
|
|
|
923a60 |
|
|
|
923a60 |
- if (!strv_isempty(context->read_write_dirs) ||
|
|
|
923a60 |
- !strv_isempty(context->read_only_dirs) ||
|
|
|
923a60 |
- !strv_isempty(context->inaccessible_dirs) ||
|
|
|
923a60 |
- context->mount_flags != 0 ||
|
|
|
923a60 |
- (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
|
|
|
923a60 |
- params->bus_endpoint_path ||
|
|
|
923a60 |
- context->private_devices ||
|
|
|
923a60 |
- context->protect_system != PROTECT_SYSTEM_NO ||
|
|
|
923a60 |
- context->protect_home != PROTECT_HOME_NO) {
|
|
|
923a60 |
-
|
|
|
923a60 |
+ if (exec_needs_mount_namespace(context, params, runtime)) {
|
|
|
923a60 |
char *tmp = NULL, *var = NULL;
|
|
|
923a60 |
|
|
|
923a60 |
/* The runtime struct only contains the parent
|