[systemd-devel] [PATCH] [PATCH v4] core: Private*/Protect* options with RootDirectory

[Lennart Poettering]

On Mon, 18.05.15 12:20, Alban Crequy (alban.crequy at gmail.com) wrote:

> From: Alban Crequy <alban at endocode.com>
> 
> When a service is chrooted with the option RootDirectory=/opt/..., then
> the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must
> mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}.

Applied with two changes:

> -                        r = append_mounts(&m, STRV_MAKE("-/home", "-/run/user", "-/root"), protect_home == PROTECT_HOME_READ_ONLY ? READONLY : INACCESSIBLE);
> +                        char *home_dir, *run_user_dir, *root_dir;
> +
> +                        home_dir = prefix_roota(root_directory, "/home");
> +                        home_dir = strjoina("-", home_dir);
> +                        run_user_dir = prefix_roota(root_directory, "/run/user");
> +                        run_user_dir = strjoina("-", run_user_dir);
> +                        root_dir = prefix_roota(root_directory, "/root");
> +                        root_dir = strjoina("-", root_dir);

prefix_roota() returns a "const char*". hence home_dir and friends
should be "const char*" too.

The compiler warns about this loudly...

I figure eventually we should fix the "-" handling in a ncier way, and
parse them away and store them in a proper bool rather than this weird
prefix thing...

> +
> +                log_info("Usage:");
> +                log_info("  sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns");
> +                log_info("  sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns");

log_info() and friends is happy with newlines in log messages, please
use them instead of using multiple log log_info() invocations.

Thanks!

Lennart

-- 
Lennart Poettering, Red Hat