core: verify WorkingDirectory= is outside of API VFS only under mount namespacing
The purpose of the check is to prevent leaking API VFS fds from the host into a mount namespace/container. When a mount namespace is not used at all, the check is pointless and causes inconvenience. E.g. file managers might need to be spawned under those directories, and they certainly won't run in a mount namespace. Suggested in https://github.com/systemd/systemd/pull/33454#issuecomment-2186351467 Fixes #33361
This commit is contained in:
parent
453cb5d01e
commit
276bd392ec
|
@ -2799,10 +2799,6 @@ int bus_exec_context_set_transient_property(
|
|||
if (!path_is_normalized(simplified))
|
||||
return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS,
|
||||
"WorkingDirectory= expects a normalized path or '~'");
|
||||
|
||||
if (path_below_api_vfs(simplified))
|
||||
return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS,
|
||||
"WorkingDirectory= may not be below /proc/, /sys/ or /dev/");
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
@ -2635,7 +2635,8 @@ int config_parse_working_directory(
|
|||
return missing_ok ? 0 : -ENOEXEC;
|
||||
}
|
||||
|
||||
r = path_simplify_and_warn(k, PATH_CHECK_ABSOLUTE|PATH_CHECK_NON_API_VFS|(missing_ok ? 0 : PATH_CHECK_FATAL), unit, filename, line, lvalue);
|
||||
r = path_simplify_and_warn(k, PATH_CHECK_ABSOLUTE|(missing_ok ? 0 : PATH_CHECK_FATAL),
|
||||
unit, filename, line, lvalue);
|
||||
if (r < 0)
|
||||
return missing_ok ? 0 : -ENOEXEC;
|
||||
|
||||
|
|
|
@ -41,6 +41,7 @@
|
|||
#include "logarithm.h"
|
||||
#include "macro.h"
|
||||
#include "mkdir-label.h"
|
||||
#include "mountpoint-util.h"
|
||||
#include "path-util.h"
|
||||
#include "process-util.h"
|
||||
#include "rm-rf.h"
|
||||
|
@ -4224,6 +4225,10 @@ static int unit_verify_contexts(const Unit *u, const ExecContext *ec) {
|
|||
if (ec->dynamic_user && ec->working_directory_home)
|
||||
return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "WorkingDirectory=~ is not allowed under DynamicUser=yes. Refusing.");
|
||||
|
||||
if (ec->working_directory && path_below_api_vfs(ec->working_directory) &&
|
||||
exec_needs_mount_namespace(ec, /* params = */ NULL, /* runtime = */ NULL))
|
||||
return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "WorkingDirectory= may not be below /proc/, /sys/ or /dev/ when using mount namespacing. Refusing.");
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
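Review bot: The new condition in unit_verify_contexts() evaluates exec_needs_mount_namespace(ec, /* params = */ NULL, /* runtime = */ NULL), so the verdict is computed without the ExecParameters and ExecRuntime the exec path will actually have; if any of that function's conditions depend on those two arguments (I'd expect at least some to), a unit can pass this check and still be started under a mount namespace with a WorkingDirectory= below /proc/, /sys/ or /dev/, which is the fd leak the description says the check exists to prevent. Either the call should be conservative when params/runtime are unknown, or the exec-time path should re-check, and the limitation should be recorded next to the call, e.g. `/* params/runtime are not known at load time, so this is a best-effort load-time check; the exec path must not rely on it alone. */`. The removal of the equivalent rejection from the D-Bus property setter in dbus-execute.c is only safe if unit_verify_contexts() is also reached for transient units, which is worth confirming. unit_verify_contexts() starts before the hunk.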
|