From 4355c04fef3e5217944e481456ce9c3839f66fda Mon Sep 17 00:00:00 2001
From: Luca Boccassi
Date: Thu, 17 Mar 2022 23:37:29 +0000
Subject: [PATCH] core: insist on sandboxing if ExtensionImages/Directories are configured

Same as other image mounting in the namespace
---
 src/core/execute.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/src/core/execute.c b/src/core/execute.c
index ba57bbc279..b6021397ce 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3415,6 +3415,9 @@ static bool insist_on_sandboxing(
 if (context->dynamic_user)
 return true;

+ if (context->n_extension_images > 0 || !strv_isempty(context->extension_directories))
+ return true;
+
 /* If there are any bind mounts set that don't map back onto themselves, fs namespacing becomes
 * essential. */
 for (size_t i = 0; i < n_bind_mounts; i++)
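Review bot: The added `if (context->n_extension_images > 0 || !strv_isempty(context->extension_directories))` check has no comment, unlike the bind-mount check directly after it, so the reason for failing closed lives only in the commit message. A short comment above it would keep that reasoning in the code, for example `/* Extension images/directories are mounted inside the namespace, so never fall back to running the unit without it. */`. The diffstat lists only src/core/execute.c, so it may be worth adding a test that a unit with ExtensionImages= or ExtensionDirectories= refuses to start when namespace setup fails, rather than starting without its extensions. insist_on_sandboxing() begins before and continues past this hunk, so its neighbouring checks are not visible here.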