core: always create /dev/kdbus/ns (and make it private 0700) after setting up the...

author Lennart Poettering <lennart@poettering.net>

Tue, 17 Dec 2013 00:02:13 +0000 (01:02 +0100)

committer Lennart Poettering <lennart@poettering.net>

Tue, 17 Dec 2013 00:05:37 +0000 (01:05 +0100)
author Lennart Poettering <lennart@poettering.net>
Tue, 17 Dec 2013 00:02:13 +0000 (01:02 +0100)
committer Lennart Poettering <lennart@poettering.net>
Tue, 17 Dec 2013 00:05:37 +0000 (01:05 +0100)
diff --git a/src/core/manager.c b/src/core/manager.c

index a2f3570bb624eb66680896fc45378803dc80e0c6..6a755975fb6d6739d05e8c7340b12bb89a340ecc 100644 (file)
--- a/src/core/manager.c
+++ b/src/core/manager.c
@@ -427,6 +427,12 @@ static int manager_setup_kdbus(Manager *m) {
          }
  
          log_debug("Successfully set up kdbus on %s", p);
+
+        /* Create the namespace directory here, so that the contents
+         * of that directory is not visible to non-root users. This is
+         * necessary to ensure that users cannot get access to busses
+         * of virtualized users when no UID namespacing is used. */
+        mkdir_p_label("/dev/kdbus/ns", 0700);
  #endif
  
          return 0;
author	Lennart Poettering <lennart@poettering.net>
	Tue, 17 Dec 2013 00:02:13 +0000 (01:02 +0100)
committer	Lennart Poettering <lennart@poettering.net>
	Tue, 17 Dec 2013 00:05:37 +0000 (01:05 +0100)