X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcore%2Fnamespace.c;h=b6deab7081166a023424511676f0b2a93df96dea;hb=be8f4e9e8eb3b0c34a49c2e80a5c5b7dc6d175f0;hp=16540043ab19cad428597a6cfc59b0d05b24b9b7;hpb=82d252404a7ee6bd5f24482a0b50a8e91aa93257;p=elogind.git
diff --git a/src/core/namespace.c b/src/core/namespace.c
index 16540043a..b6deab708 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -143,7 +143,7 @@ static int mount_dev(BindMount *m) {
 "/dev/tty\0";
 char temporary_mount[] = "/tmp/namespace-dev-XXXXXX";
- const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devkdbus = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL;
+ const char *d, *dev = NULL, *devpts = NULL, *devshm = NULL, *devkdbus = NULL, *devhugepages = NULL, *devmqueue = NULL, *devlog = NULL, *devptmx = NULL;
 _cleanup_umask_ mode_t u;
 int r;
@@ -168,6 +168,9 @@ static int mount_dev(BindMount *m) {
 goto fail;
 }
+ devptmx = strappenda(temporary_mount, "/dev/ptmx");
+ symlink("pts/ptmx", devptmx);
+
 devshm = strappenda(temporary_mount, "/dev/shm");
 mkdir(devshm, 01777);
 r = mount("/dev/shm", devshm, NULL, MS_BIND, NULL);
@@ -334,8 +337,8 @@ int setup_namespace(
 char* tmp_dir,
 char* var_tmp_dir,
 bool private_dev,
- ProtectedHome protected_home,
- bool read_only_system,
+ ProtectHome protect_home,
+ ProtectSystem protect_system,
 unsigned mount_flags) {
 BindMount *m, *mounts = NULL;
@@ -353,8 +356,9 @@ int setup_namespace(
 strv_length(read_only_dirs) +
 strv_length(inaccessible_dirs) +
 private_dev +
- (protected_home != PROTECTED_HOME_NO ? 2 : 0) +
- (read_only_system ? 2 : 0);
+ (protect_home != PROTECT_HOME_NO ? 2 : 0) +
+ (protect_system != PROTECT_SYSTEM_NO ? 1 : 0) +
+ (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
 if (n > 0) {
 m = mounts = (BindMount *) alloca(n * sizeof(BindMount));
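Review bot: The new `symlink("pts/ptmx", devptmx);` call in the `@@ -168` hunk discards its return value, while the mount() calls around it in mount_dev() bail out to `fail` on error, so a failed link silently leaves the private /dev without a /dev/ptmx node and pty allocation in the sandboxed service fails later with no hint at the cause. Either make it fatal in the style of the neighbouring checks, `if (symlink("pts/ptmx", devptmx) < 0) { r = -errno; goto fail; }`, or mark it as deliberately best-effort with `(void) symlink("pts/ptmx", devptmx);` and a one-line comment saying why a missing ptmx link is acceptable. The link is relative, so it resolves to whatever is mounted at the temporary /dev/pts; that mount is set up above this hunk, outside the visible lines. mount_dev() starts and ends outside the hunk.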
@@ -388,14 +392,14 @@ int setup_namespace(
 m++;
 }
- if (protected_home != PROTECTED_HOME_NO) {
- r = append_mounts(&m, STRV_MAKE("-/home", "-/run/user"), protected_home == PROTECTED_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
+ if (protect_home != PROTECT_HOME_NO) {
+ r = append_mounts(&m, STRV_MAKE("-/home", "-/run/user"), protect_home == PROTECT_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
 if (r < 0)
 return r;
 }
- if (read_only_system) {
- r = append_mounts(&m, STRV_MAKE("/usr", "-/boot"), READONLY);
+ if (protect_system != PROTECT_SYSTEM_NO) {
+ r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "/etc") : STRV_MAKE("/usr"), READONLY);
 if (r < 0)
 return r;
 }
@@ -601,10 +605,18 @@ fail:
 return r;
 }
-static const char *const protected_home_table[_PROTECTED_HOME_MAX] = {
- [PROTECTED_HOME_NO] = "no",
- [PROTECTED_HOME_YES] = "yes",
- [PROTECTED_HOME_READ_ONLY] = "read-only",
+static const char *const protect_home_table[_PROTECT_HOME_MAX] = {
+ [PROTECT_HOME_NO] = "no",
+ [PROTECT_HOME_YES] = "yes",
+ [PROTECT_HOME_READ_ONLY] = "read-only",
+};
+
+DEFINE_STRING_TABLE_LOOKUP(protect_home, ProtectHome);
+
+static const char *const protect_system_table[_PROTECT_SYSTEM_MAX] = {
+ [PROTECT_SYSTEM_NO] = "no",
+ [PROTECT_SYSTEM_YES] = "yes",
+ [PROTECT_SYSTEM_FULL] = "full",
 };
-DEFINE_STRING_TABLE_LOOKUP(protected_home, ProtectedHome);
+DEFINE_STRING_TABLE_LOOKUP(protect_system, ProtectSystem);
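Review bot: In the `@@ -388` hunk the READONLY list for the non-full case shrinks from `STRV_MAKE("/usr", "-/boot")` to `STRV_MAKE("/usr")`, so a unit that had /boot read-only under the old boolean setting gets a writable /boot under ProtectSystem=yes, and neither the diff nor a comment says this reduction in protection is intended. If /boot should stay covered, the two lists become `STRV_MAKE("/usr", "/etc", "-/boot")` and `STRV_MAKE("/usr", "-/boot")`, and the mount count in the earlier `@@ -353` hunk needs `(protect_system != PROTECT_SYSTEM_NO ? 2 : 0)` again; if the drop is deliberate, a comment above `if (protect_system != PROTECT_SYSTEM_NO) {` should record why. The leading `-` presumably marks a path that may be absent, as for `-/home` on the line above, which would be why /boot carried it and /usr and /etc do not. setup_namespace() continues outside the hunk.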
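Review bot: The new protect_system_table in the `@@ -601` hunk gives no hint of what "yes" and "full" mean; the meaning lives only in setup_namespace() further up, so a comment above the table, `/* "yes" makes /usr read-only, "full" additionally /etc; keep in step with setup_namespace() */`, ties the two together when a level is added. The same goes for protect_home_table, where "yes" maps to INACCESSIBLE and "read-only" to READONLY for /home and /run/user in the `@@ -388` hunk. Both tables are sized by `_PROTECT_*_MAX` from a header outside this diff, so the string lookups rely on the enum and the table being kept in sync there.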