Merge pull request #33454 from YHNdnzj/user-service-working-dir-relax

core: verify WorkingDirectory= is outside of API VFS only under mount namespacing
2024-09-30 05:15:19 +00:00 · 2024-06-25 00:48:37 +02:00 · 2024-06-25 00:48:37 +02:00 · 11a66a95ec
parent 952b26c75d 276bd392ec
commit 11a66a95ec
3 changed files with 10 additions and 9 deletions
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@ -2799,10 +2799,6 @@ int bus_exec_context_set_transient_property(
                                if (!path_is_normalized(simplified))
                                        return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS,
                                                                "WorkingDirectory= expects a normalized path or '~'");
-
-                                if (path_below_api_vfs(simplified))
-                                        return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS,
-                                                                "WorkingDirectory= may not be below /proc/, /sys/ or /dev/");
                        }
                }

--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@ -2635,7 +2635,8 @@ int config_parse_working_directory(
                        return missing_ok ? 0 : -ENOEXEC;
                }

-                r = path_simplify_and_warn(k, PATH_CHECK_ABSOLUTE|PATH_CHECK_NON_API_VFS|(missing_ok ? 0 : PATH_CHECK_FATAL), unit, filename, line, lvalue);
+                r = path_simplify_and_warn(k, PATH_CHECK_ABSOLUTE|(missing_ok ? 0 : PATH_CHECK_FATAL),
+                                           unit, filename, line, lvalue);
                if (r < 0)
                        return missing_ok ? 0 : -ENOEXEC;

@ -3699,15 +3700,14 @@ int config_parse_unit_slice(
                void *data,
                void *userdata) {

+        Unit *u = ASSERT_PTR(userdata), *slice;
        _cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
        _cleanup_free_ char *k = NULL;
-        Unit *u = userdata, *slice;
        int r;

        assert(filename);
        assert(lvalue);
        assert(rvalue);
-        assert(u);

        r = unit_name_printf(u, rvalue, &k);
        if (r < 0) {
@ -3908,8 +3908,8 @@ int config_parse_tasks_max(
                void *data,
                void *userdata) {

-        const Unit *u = userdata;
-        CGroupTasksMax *tasks_max = data;
+        CGroupTasksMax *tasks_max = ASSERT_PTR(data);
+        const Unit *u = ASSERT_PTR(userdata);
        uint64_t v;
        int r;

--- a/src/core/unit.c
+++ b/src/core/unit.c
@ -41,6 +41,7 @@
 #include "logarithm.h"
 #include "macro.h"
 #include "mkdir-label.h"
+#include "mountpoint-util.h"
 #include "path-util.h"
 #include "process-util.h"
 #include "rm-rf.h"
@ -4224,6 +4225,10 @@ static int unit_verify_contexts(const Unit *u, const ExecContext *ec) {
        if (ec->dynamic_user && ec->working_directory_home)
                return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "WorkingDirectory=~ is not allowed under DynamicUser=yes. Refusing.");

+        if (ec->working_directory && path_below_api_vfs(ec->working_directory) &&
+            exec_needs_mount_namespace(ec, /* params = */ NULL, /* runtime = */ NULL))
+                return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "WorkingDirectory= may not be below /proc/, /sys/ or /dev/ when using mount namespacing. Refusing.");
+
        return 0;
 }