X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fimport%2Fimport-common.c;h=2acf380f99bb6898f1489fdf2ec1b70659b062ed;hb=c529695e7a30b300fdaa61ace4a8a4ed0e94ad1c;hp=b490c435d2bff0ff60db1e11797e7d4ae311a2a4;hpb=2c140ded48fc31e3c80a92a1f755a2b1ab6e1a30;p=elogind.git diff --git a/src/import/import-common.c b/src/import/import-common.c index b490c435d..2acf380f9 100644 --- a/src/import/import-common.c +++ b/src/import/import-common.c @@ -121,7 +121,7 @@ int import_make_local_copy(const char *final, const char *image_root, const char if (!image_root) image_root = "/var/lib/machines"; - p = strappenda(image_root, "/", local); + p = strjoina(image_root, "/", local); if (force_local) { (void) btrfs_subvol_remove(p); @@ -309,7 +309,7 @@ int import_verify( return -EBADMSG; } - line = strappenda(main_job->checksum, " *", fn, "\n"); + line = strjoina(main_job->checksum, " *", fn, "\n"); p = memmem(checksum_job->payload, checksum_job->payload_size, @@ -471,7 +471,8 @@ int import_fork_tar(const char *path, pid_t *ret) { (1ULL << CAP_FOWNER) | (1ULL << CAP_FSETID) | (1ULL << CAP_MKNOD) | - (1ULL << CAP_SETFCAP); + (1ULL << CAP_SETFCAP) | + (1ULL << CAP_DAC_OVERRIDE); /* Child */ @@ -507,11 +508,12 @@ int import_fork_tar(const char *path, pid_t *ret) { fd_cloexec(STDOUT_FILENO, false); fd_cloexec(STDERR_FILENO, false); + if (unshare(CLONE_NEWNET) < 0) + log_error_errno(errno, "Failed to lock tar into network namespace, ignoring: %m"); + r = capability_bounding_set_drop(~retain, true); - if (r < 0) { - log_error_errno(errno, "Failed to drop capabilities, ignoring: %m"); - _exit(EXIT_FAILURE); - } + if (r < 0) + log_error_errno(r, "Failed to drop capabilities, ignoring: %m"); execlp("tar", "tar", "--numeric-owner", "-C", path, "-px", NULL); log_error_errno(errno, "Failed to execute tar: %m");