core: verify WorkingDirectory= is outside of API VFS only under mount namespacing

The purpose of the check is to prevent leaking API VFS fds from host into a mount namespace/container. When mountns is not used at all, the check is pointless and causes inconvenience. E.g. file managers might need to be spawned under those directories, and they surely won't run in mountns. Suggested in https://github.com/systemd/systemd/pull/33454#issuecomment-2186351467 Fixes #33361
2024-07-01 07:34:28 +00:00 · 2024-06-23 18:12:33 +02:00 · 2024-06-23 18:12:33 +02:00 · 276bd392ec
commit 276bd392ec
parent 453cb5d01e
3 changed files with 7 additions and 5 deletions
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@ -2799,10 +2799,6 @@ int bus_exec_context_set_transient_property(
                                if (!path_is_normalized(simplified))
                                        return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS,
                                                                "WorkingDirectory= expects a normalized path or '~'");
-
-                                if (path_below_api_vfs(simplified))
-                                        return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS,
-                                                                "WorkingDirectory= may not be below /proc/, /sys/ or /dev/");
                        }
                }

--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@ -2635,7 +2635,8 @@ int config_parse_working_directory(
                        return missing_ok ? 0 : -ENOEXEC;
                }

-                r = path_simplify_and_warn(k, PATH_CHECK_ABSOLUTE|PATH_CHECK_NON_API_VFS|(missing_ok ? 0 : PATH_CHECK_FATAL), unit, filename, line, lvalue);
+                r = path_simplify_and_warn(k, PATH_CHECK_ABSOLUTE|(missing_ok ? 0 : PATH_CHECK_FATAL),
+                                           unit, filename, line, lvalue);
                if (r < 0)
                        return missing_ok ? 0 : -ENOEXEC;

--- a/src/core/unit.c
+++ b/src/core/unit.c
@ -41,6 +41,7 @@
 #include "logarithm.h"
 #include "macro.h"
 #include "mkdir-label.h"
+#include "mountpoint-util.h"
 #include "path-util.h"
 #include "process-util.h"
 #include "rm-rf.h"
@ -4224,6 +4225,10 @@ static int unit_verify_contexts(const Unit *u, const ExecContext *ec) {
        if (ec->dynamic_user && ec->working_directory_home)
                return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "WorkingDirectory=~ is not allowed under DynamicUser=yes. Refusing.");

+        if (ec->working_directory && path_below_api_vfs(ec->working_directory) &&
+            exec_needs_mount_namespace(ec, /* params = */ NULL, /* runtime = */ NULL))
+                return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "WorkingDirectory= may not be below /proc/, /sys/ or /dev/ when using mount namespacing. Refusing.");
+
        return 0;
 }