[systemd-commits] 5 commits - TODO src/core src/nspawn

Lennart Poettering lennart at kemper.freedesktop.org
Mon Aug 13 07:30:53 PDT 2012


 TODO                        |    4 ++++
 src/core/machine-id-setup.c |    8 ++++++--
 src/core/namespace.c        |    4 ++--
 src/core/umount.c           |    2 +-
 src/nspawn/nspawn.c         |   18 +++++++++---------
 5 files changed, 22 insertions(+), 14 deletions(-)

New commits:
commit 8caf9d6836c3ed5b7bb4c1ea8dea5241a634c298
Author: Lennart Poettering <lennart at poettering.net>
Date:   Mon Aug 13 16:30:10 2012 +0200

    umount: MS_MGC_VAL is so 90s

diff --git a/src/core/umount.c b/src/core/umount.c
index a5a215b..b9afac7 100644
--- a/src/core/umount.c
+++ b/src/core/umount.c
@@ -440,7 +440,7 @@ static int mount_points_list_remount_read_only(MountPoint **head, bool *changed)
         LIST_FOREACH_SAFE(mount_point, m, n, *head) {
 
                 /* Trying to remount read-only */
-                if (mount(NULL, m->path, NULL, MS_MGC_VAL|MS_REMOUNT|MS_RDONLY, NULL) == 0) {
+                if (mount(NULL, m->path, NULL, MS_REMOUNT|MS_RDONLY, NULL) == 0) {
                         if (changed)
                                 *changed = true;
 

commit 5a7e959984788cf89719dec31999409b63bb802b
Author: Lennart Poettering <lennart at poettering.net>
Date:   Mon Aug 13 16:27:17 2012 +0200

    update TODO

diff --git a/TODO b/TODO
index 8e3cd7f..2467ea8 100644
--- a/TODO
+++ b/TODO
@@ -49,8 +49,12 @@ Bugfixes:
 
 Features:
 
+* nspawn: --read-only is not applied recursively to submounts
+
 * MountFlags=shared acts as MountFlags=slave right now.
 
+* ReadOnlyDirectories= is not applied recursively to submounts
+
 * drop PID 1 reloading, only do reexecing (difficult: Reload()
   currently is properly synchronous, Reexec() is weird, because we
   can't delay the response properly until we are back, so instead of

commit 1e41be20158a6d982c34cea20e66ff271302abc5
Author: Lennart Poettering <lennart at poettering.net>
Date:   Mon Aug 13 16:25:03 2012 +0200

    nspawn,namespaces: make sure we recursively bind mount things in
    
    We want to make sure that everything from the host is also visible in
    the sandbox.

diff --git a/src/core/namespace.c b/src/core/namespace.c
index 5c2a246..ba18ddc 100644
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@@ -156,7 +156,7 @@ static int apply_mount(
 
         assert(what);
 
-        r = mount(what, p->path, NULL, MS_BIND, NULL);
+        r = mount(what, p->path, NULL, MS_BIND|MS_REC, NULL);
         if (r >= 0)
                 log_debug("Successfully mounted %s to %s", what, p->path);
 
@@ -171,7 +171,7 @@ static int make_read_only(Path *p) {
         if (p->mode != INACCESSIBLE && p->mode != READONLY)
                 return 0;
 
-        r = mount(NULL, p->path, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY, NULL);
+        r = mount(NULL, p->path, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL);
         if (r < 0)
                 return -errno;
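Review bot: Adding MS_REC to the read-only remount on line 86 does not make the read-only restriction recursive; as far as I can tell the kernel honors MS_REC only for bind (MS_BIND) and propagation-type operations and, for MS_REMOUNT|MS_BIND, changes flags on the mount at p->path alone, so the submounts that the new MS_BIND|MS_REC on line 77 now pulls in remain writable — which the TODO entry added in this same push ("ReadOnlyDirectories= is not applied recursively to submounts") acknowledges. Because callers may rely on READONLY as a security property, the gap should be documented at the call site rather than only in the TODO, e.g. `/* NOTE: MS_REC is ignored on a remount; submounts of p->path stay writable (see TODO). */` above line 86. Making it truly recursive would require enumerating the submounts under p->path and remounting each one, which is beyond this commit. The same no-op MS_REC is added to the `arg_read_only` remount in the src/nspawn/nspawn.c hunk of this commit. Both apply_mount and make_read_only begin outside their hunks.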
 
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 78b5602..7d188f0 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -1187,13 +1187,13 @@ int main(int argc, char *argv[]) {
                 }
 
                 /* Turn directory into bind mount */
-                if (mount(arg_directory, arg_directory, "bind", MS_BIND, NULL) < 0) {
+                if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REC, NULL) < 0) {
                         log_error("Failed to make bind mount.");
                         goto child_fail;
                 }
 
                 if (arg_read_only)
-                        if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY, NULL) < 0) {
+                        if (mount(arg_directory, arg_directory, "bind", MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) {
                                 log_error("Failed to make read-only.");
                                 goto child_fail;
                         }
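Review bot: The two mount() calls on lines 99 and 106 still pass the string "bind" as the filesystem type, while commit b4c59701 in this same push removed that argument from every bind entry in mount_all()'s mount_table in favor of NULL, so the file now mixes both spellings of the same operation. For consistency with the earlier commit, I would write `if (mount(arg_directory, arg_directory, NULL, MS_BIND|MS_REC, NULL) < 0) {` and `if (mount(arg_directory, arg_directory, NULL, MS_BIND|MS_REMOUNT|MS_RDONLY|MS_REC, NULL) < 0) {`. The kernel ignores the type for a bind mount, so this is style only. The enclosing main() starts and ends outside the hunk.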

commit aed5a525777be452c8a451793cf9c16990ac5515
Author: Lennart Poettering <lennart at poettering.net>
Date:   Mon Aug 13 16:24:30 2012 +0200

    machine-id: properly mount transient machine ID read-only

diff --git a/src/core/machine-id-setup.c b/src/core/machine-id-setup.c
index c6fd77a..7f4c23b 100644
--- a/src/core/machine-id-setup.c
+++ b/src/core/machine-id-setup.c
@@ -226,13 +226,17 @@ int machine_id_setup(void) {
         }
 
         /* And now, let's mount it over */
-        r = mount("/run/machine-id", "/etc/machine-id", "bind", MS_BIND|MS_RDONLY, NULL) < 0 ? -errno : 0;
+        r = mount("/run/machine-id", "/etc/machine-id", NULL, MS_BIND, NULL) < 0 ? -errno : 0;
         if (r < 0) {
                 unlink("/run/machine-id");
                 log_error("Failed to mount /etc/machine-id: %s", strerror(-r));
-        } else
+        } else {
                 log_info("Installed transient /etc/machine-id file.");
 
+                /* Mark the mount read-only */
+                mount(NULL, "/etc/machine-id", NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, NULL);
+        }
+
 finish:
 
         if (fd >= 0)
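Review bot: The read-only remount added on line 135 ignores the return value of mount(), so if it fails the transient /etc/machine-id stays a writable bind mount while the log already reported "Installed transient /etc/machine-id file." on line 132, and the caller cannot tell. Since the whole point of this commit is that the first mount's MS_RDONLY was not honored, the second call deserves at least a diagnostic, e.g. `if (mount(NULL, "/etc/machine-id", NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, NULL) < 0)` followed by `log_warning("Failed to make /etc/machine-id read-only: %s", strerror(errno));`, using the same strerror style as line 129. Whether a failed remount should also propagate an error through r is a policy question for the caller, which is outside the hunk; machine_id_setup() starts and ends outside it as well.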

commit b4c59701f8d439f84141d4858dc1aa339f4ec529
Author: Lennart Poettering <lennart at poettering.net>
Date:   Mon Aug 13 16:23:31 2012 +0200

    nspawn: unset a few unnecessary params to mount()

diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index df858a5..78b5602 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -266,16 +266,16 @@ static int mount_all(const char *dest) {
 
         static const MountPoint mount_table[] = {
                 { "proc",      "/proc",     "proc",  NULL,       MS_NOSUID|MS_NOEXEC|MS_NODEV, true  },
-                { "/proc/sys", "/proc/sys", "bind",  NULL,       MS_BIND, true                       },   /* Bind mount first */
-                { "/proc/sys", "/proc/sys", "bind",  NULL,       MS_BIND|MS_RDONLY|MS_REMOUNT, true  },   /* Then, make it r/o */
-                { "/sys",      "/sys",      "bind",  NULL,       MS_BIND,                      true  },   /* Bind mount first */
-                { "/sys",      "/sys",      "bind",  NULL,       MS_BIND|MS_RDONLY|MS_REMOUNT, true  },   /* Then, make it r/o */
+                { "/proc/sys", "/proc/sys", NULL,    NULL,       MS_BIND, true                       },   /* Bind mount first */
+                { NULL,        "/proc/sys", NULL,    NULL,       MS_BIND|MS_RDONLY|MS_REMOUNT, true  },   /* Then, make it r/o */
+                { "/sys",      "/sys",      NULL,    NULL,       MS_BIND,                      true  },   /* Bind mount first */
+                { NULL,        "/sys",      NULL,    NULL,       MS_BIND|MS_RDONLY|MS_REMOUNT, true  },   /* Then, make it r/o */
                 { "tmpfs",     "/dev",      "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME,     true  },
-                { "/dev/pts",  "/dev/pts",  "bind",  NULL,       MS_BIND,                      true  },
+                { "/dev/pts",  "/dev/pts",  NULL,    NULL,       MS_BIND,                      true  },
                 { "tmpfs",     "/run",      "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true  },
 #ifdef HAVE_SELINUX
-                { "/sys/fs/selinux", "/sys/fs/selinux", "bind", NULL, MS_BIND,                      false },  /* Bind mount first */
-                { "/sys/fs/selinux", "/sys/fs/selinux", "bind", NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false },  /* Then, make it r/o */
+                { "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND,                      false },  /* Bind mount first */
+                { NULL,              "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_REMOUNT, false },  /* Then, make it r/o */
 #endif
         };
 


