
Commit 80271a4

Remount /dev/mqueue in unshared mount namespace for PrivateIPC
1 parent a70581f commit 80271a4

3 files changed

+38
-2
lines changed


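--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2037,7 +2037,9 @@ bool exec_needs_mount_namespace(
                         context->protect_kernel_logs ||
                         context->protect_control_groups ||
                         context->protect_proc != PROTECT_PROC_DEFAULT ||
-                        context->proc_subset != PROC_SUBSET_ALL)
+                        context->proc_subset != PROC_SUBSET_ALL ||
+                        context->private_ipc ||
+                        context->ipc_namespace_path)
                 return true;
 
         if (context->root_directory) {
@@ -3178,6 +3180,7 @@ static int apply_mount_namespace(
                         .protect_system = context->protect_system,
                         .protect_proc = context->protect_proc,
                         .proc_subset = context->proc_subset,
+                        .private_ipc = context->private_ipc || context->ipc_namespace_path,
                 };
         } else if (!context->dynamic_user && root_dir)
                 /*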
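Review bot: The predicate `context->private_ipc || context->ipc_namespace_path` is now spelled out twice, once in the exec_needs_mount_namespace condition and again in the `.private_ipc` initializer of apply_mount_namespace, so the two sites can silently diverge the next time an IPC-related setting is added. A small static helper over the context, `static bool exec_context_needs_private_ipc(const ExecContext *c) { return c->private_ipc || c->ipc_namespace_path; }`, used at both places would keep them in lock-step, and `.private_ipc` would then be initialized from a bool rather than from a pointer-valued `||` expression. Both enclosing functions start and end outside the hunks shown.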

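--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -64,6 +64,7 @@ typedef enum MountMode {
         EXEC,
         TMPFS,
         EXTENSION_IMAGES, /* Mounted outside the root directory, and used by subsequent mounts */
+        MQUEUEFS,
         READWRITE_IMPLICIT, /* Should have the lowest priority. */
         _MOUNT_MODE_MAX,
 } MountMode;
@@ -228,6 +229,7 @@ static const char * const mount_mode_table[_MOUNT_MODE_MAX] = {
         [READWRITE_IMPLICIT] = "rw-implicit",
         [EXEC] = "exec",
         [NOEXEC] = "noexec",
+        [MQUEUEFS] = "mqueuefs",
 };
 
 DEFINE_PRIVATE_STRING_TABLE_LOOKUP_TO_STRING(mount_mode, MountMode);
@@ -1113,6 +1115,24 @@ static int mount_run(const MountEntry *m) {
         return mount_tmpfs(m);
 }
 
+static int mount_mqueuefs(const MountEntry *m) {
+        int r;
+        const char *entry_path;
+
+        assert(m);
+
+        entry_path = mount_entry_path(m);
+
+        (void) mkdir_p_label(entry_path, 0755);
+        (void) umount_recursive(entry_path, 0);
+
+        r = mount_nofollow_verbose(LOG_DEBUG, "mqueue", entry_path, "mqueue", m->flags, mount_entry_options(m));
+        if (r < 0)
+                return r;
+
+        return 0;
+}
+
 static int mount_image(const MountEntry *m, const char *root_directory) {
 
         _cleanup_free_ char *host_os_release_id = NULL, *host_os_release_version_id = NULL,
@@ -1317,6 +1337,9 @@ static int apply_one_mount(
         case RUN:
                 return mount_run(m);
 
+        case MQUEUEFS:
+                return mount_mqueuefs(m);
+
         case MOUNT_IMAGES:
                 return mount_image(m, NULL);
 
@@ -1516,7 +1539,8 @@ static size_t namespace_calculate_mounts(
                 (creds_path ? 2 : 1) +
                 !!log_namespace +
                 setup_propagate + /* /run/systemd/incoming */
-                !!notify_socket;
+                !!notify_socket +
+                ns_info->private_ipc; /* /dev/mqueue */
 }
 
 static void normalize_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) {
@@ -2027,6 +2051,14 @@ int setup_namespace(
                 };
         }
 
+        if (ns_info->private_ipc) {
+                *(m++) = (MountEntry) {
+                        .path_const = "/dev/mqueue",
+                        .mode = MQUEUEFS,
+                        .flags = MS_NOSUID | MS_NODEV | MS_NOEXEC | MS_RELATIME,
+                };
+        }
+
         if (creds_path) {
                 /* If our service has a credentials store configured, then bind that one in, but hide
                  * everything else. */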
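Review bot: Whether the mqueue instance mounted at /dev/mqueue by the new MountEntry in setup_namespace is actually the service's private one depends on the mount being made after the process has entered its new IPC namespace — mqueue is instantiated per IPC namespace, and a mount performed while still in the host's IPC namespace would quietly re-expose the host's queues despite PrivateIPC=; that ordering is decided by the caller and is not visible in this diff, so it deserves an explicit comment on the entry, e.g. `/* mqueue is per IPC namespace: this must be mounted after the IPC namespace switch, or it re-exposes the host's queues */`. In mount_mqueuefs the tail `if (r < 0) return r; return 0;` drops any positive return of mount_nofollow_verbose(); if that helper already returns 0 on success the body can end with `return mount_nofollow_verbose(LOG_DEBUG, "mqueue", entry_path, "mqueue", m->flags, mount_entry_options(m));`, otherwise a one-line comment saying why the positive value is discarded would help. The preceding `(void) umount_recursive(entry_path, 0)` also silently discards a pre-existing bind or tmpfs at that path, which is presumably intended (replace whatever the host had there) but is worth stating in a short comment.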

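--- a/src/core/namespace.h
+++ b/src/core/namespace.h
@@ -73,6 +73,7 @@ struct NamespaceInfo {
         bool protect_kernel_logs;
         bool mount_apivfs;
         bool protect_hostname;
+        bool private_ipc;
         ProtectHome protect_home;
         ProtectSystem protect_system;
         ProtectProc protect_proc;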
