From: Lennart Poettering <lennart@poettering.net>
Date: Fri, 6 Jun 2014 12:48:51 +0000 (+0200)
Subject: namespace: cover /boot with ProtectSystem= again
X-Git-Tag: v214~56
X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=commitdiff_plain;h=051be1f71c9ab82a88da8f33e95882aa386a5541;p=elogind.git

namespace: cover /boot with ProtectSystem= again

Now that we properly exclude autofs mounts from ProtectSystem= we can
include it in the effect of ProtectSystem= again.
---

diff --git a/src/core/namespace.c b/src/core/namespace.c
index f11065ee4..3b5402b7c 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -367,7 +367,7 @@ int setup_namespace(
                 strv_length(inaccessible_dirs) +
                 private_dev +
                 (protect_home != PROTECT_HOME_NO ? 3 : 0) +
-                (protect_system != PROTECT_SYSTEM_NO ? 1 : 0) +
+                (protect_system != PROTECT_SYSTEM_NO ? 2 : 0) +
                 (protect_system == PROTECT_SYSTEM_FULL ? 1 : 0);
 
         if (n > 0) {
@@ -409,7 +409,7 @@ int setup_namespace(
                 }
 
                 if (protect_system != PROTECT_SYSTEM_NO) {
-                        r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "/etc") : STRV_MAKE("/usr"), READONLY);
+                        r = append_mounts(&m, protect_system == PROTECT_SYSTEM_FULL ? STRV_MAKE("/usr", "-/boot", "/etc") : STRV_MAKE("/usr", "-/boot"), READONLY);
                         if (r < 0)
                                 return r;
                 }