diff options
author | Lennart Poettering <lennart@poettering.net> | 2012-03-13 00:00:27 +0100 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2012-03-13 00:00:27 +0100 |
commit | 54ecda32c60c6f2548f74703bfd324694393edaa (patch) | |
tree | d9747c30a1985b3b95497450ca1c2678a9079d08 | |
parent | fa734f4da837abe6c893e75c95be78527db72c0f (diff) |
socket: add option for SO_PASSEC
https://bugzilla.redhat.com/show_bug.cgi?id=798760
(Note that this work is not complete yet, as the kernel seems to send us
useless data with SCM_SECURITY enabled)
-rw-r--r-- | TODO | 2 | ||||
-rw-r--r-- | man/systemd.socket.xml | 13 | ||||
-rw-r--r-- | src/dbus-socket.c | 2 | ||||
-rw-r--r-- | src/journal/journald.c | 10 | ||||
-rw-r--r-- | src/load-fragment-gperf.gperf.m4 | 1 | ||||
-rw-r--r-- | src/missing.h | 4 | ||||
-rw-r--r-- | src/socket.c | 8 | ||||
-rw-r--r-- | src/socket.h | 1 | ||||
-rw-r--r-- | units/syslog.socket | 1 | ||||
-rw-r--r-- | units/systemd-journald.socket | 1 | ||||
-rw-r--r-- | units/systemd-shutdownd.socket | 1 |
11 files changed, 43 insertions, 1 deletions
@@ -18,6 +18,8 @@ Bugfixes: Features: +* journal: extend sd-journal.h logging calls to implicitly log function names/line numbers/... + * document crypttab(5) * There's currently no way to cancel fsck (used to be possible via C-c or c on the console) diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml index ef5b28c771..d9921e496d 100644 --- a/man/systemd.socket.xml +++ b/man/systemd.socket.xml @@ -528,7 +528,7 @@ <term><varname>PassCredentials=</varname></term> <listitem><para>Takes a boolean value. This controls the SO_PASSCRED - socket option, which allows UNIX sockets to + socket option, which allows AF_UNIX sockets to receive the credentials of the sending process in an ancillary message. Defaults to @@ -536,6 +536,17 @@ </varlistentry> <varlistentry> + <term><varname>PassSecurity=</varname></term> + <listitem><para>Takes a boolean + value. This controls the SO_PASSSEC + socket option, which allows AF_UNIX + sockets to receive the security + context of the sending process in an + ancillary message. Defaults to + <option>false</option>.</para></listitem> + </varlistentry> + + <varlistentry> <term><varname>TCPCongestion=</varname></term> <listitem><para>Takes a string value. Controls the TCP congestion diff --git a/src/dbus-socket.c b/src/dbus-socket.c index 9fef6769f0..2e3342cb55 100644 --- a/src/dbus-socket.c +++ b/src/dbus-socket.c @@ -52,6 +52,7 @@ " <property name=\"Transparent\" type=\"b\" access=\"read\"/>\n" \ " <property name=\"Broadcast\" type=\"b\" access=\"read\"/>\n" \ " <property name=\"PassCredentials\" type=\"b\" access=\"read\"/>\n" \ + " <property name=\"PassSecurity\" type=\"b\" access=\"read\"/>\n" \ " <property name=\"Mark\" type=\"i\" access=\"read\"/>\n" \ " <property name=\"MaxConnections\" type=\"u\" access=\"read\"/>\n" \ " <property name=\"NAccepted\" type=\"u\" access=\"read\"/>\n" \ @@ -114,6 +115,7 @@ static const BusProperty bus_socket_properties[] = { { "Transparent", bus_property_append_bool, "b", offsetof(Socket, transparent) }, { "Broadcast", bus_property_append_bool, "b", offsetof(Socket, broadcast) }, { "PassCredentials",bus_property_append_bool, "b", offsetof(Socket, pass_cred) }, + { "PassSecurity", bus_property_append_bool, "b", offsetof(Socket, pass_sec) }, { "Mark", bus_property_append_int, "i", offsetof(Socket, mark) }, { "MaxConnections", bus_property_append_unsigned, "u", offsetof(Socket, max_connections) }, { "NConnections", bus_property_append_unsigned, "u", offsetof(Socket, n_connections) }, diff --git a/src/journal/journald.c b/src/journal/journald.c index 73f8ed6ae8..375f5aa6ca 100644 --- a/src/journal/journald.c +++ b/src/journal/journald.c @@ -2253,6 +2253,11 @@ static int open_syslog_socket(Server *s) { } one = 1; + r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)); + if (r < 0) + log_warning("SO_PASSSEC failed: %m"); + + one = 1; r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof(one)); if (r < 0) { log_error("SO_TIMESTAMP failed: %m"); @@ -2309,6 +2314,11 @@ static int open_native_socket(Server*s) { } one = 1; + r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)); + if (r < 0) + log_warning("SO_PASSSEC failed: %m"); + + one = 1; r = setsockopt(s->native_fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof(one)); if (r < 0) { log_error("SO_TIMESTAMP failed: %m"); diff --git a/src/load-fragment-gperf.gperf.m4 b/src/load-fragment-gperf.gperf.m4 index 44ce4bbbc4..4b02e3157e 100644 --- a/src/load-fragment-gperf.gperf.m4 +++ b/src/load-fragment-gperf.gperf.m4 @@ -186,6 +186,7 @@ Socket.FreeBind, config_parse_bool, 0, Socket.Transparent, config_parse_bool, 0, offsetof(Socket, transparent) Socket.Broadcast, config_parse_bool, 0, offsetof(Socket, broadcast) Socket.PassCredentials, config_parse_bool, 0, offsetof(Socket, pass_cred) +Socket.PassSecurity, config_parse_bool, 0, offsetof(Socket, pass_sec) Socket.TCPCongestion, config_parse_string, 0, offsetof(Socket, tcp_congestion) Socket.MessageQueueMaxMessages, config_parse_long, 0, offsetof(Socket, mq_maxmsg) Socket.MessageQueueMessageSize, config_parse_long, 0, offsetof(Socket, mq_msgsize) diff --git a/src/missing.h b/src/missing.h index 213ef2f6a6..095bf1fe04 100644 --- a/src/missing.h +++ b/src/missing.h @@ -180,4 +180,8 @@ static inline pid_t gettid(void) { return (pid_t) syscall(SYS_gettid); } +#ifndef SCM_SECURITY +#define SCM_SECURITY 0x03 +#endif + #endif diff --git a/src/socket.c b/src/socket.c index aeedcbd7f3..ecaf3d2148 100644 --- a/src/socket.c +++ b/src/socket.c @@ -417,6 +417,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) { "%sTransparent: %s\n" "%sBroadcast: %s\n" "%sPassCredentials: %s\n" + "%sPassSecurity: %s\n" "%sTCPCongestion: %s\n", prefix, socket_state_to_string(s->state), prefix, socket_result_to_string(s->result), @@ -429,6 +430,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) { prefix, yes_no(s->transparent), prefix, yes_no(s->broadcast), prefix, yes_no(s->pass_cred), + prefix, yes_no(s->pass_sec), prefix, strna(s->tcp_congestion)); if (s->control_pid > 0) @@ -676,6 +678,12 @@ static void socket_apply_socket_options(Socket *s, int fd) { log_warning("SO_PASSCRED failed: %m"); } + if (s->pass_sec) { + int one = 1; + if (setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)) < 0) + log_warning("SO_PASSSEC failed: %m"); + } + if (s->priority >= 0) if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0) log_warning("SO_PRIORITY failed: %m"); diff --git a/src/socket.h b/src/socket.h index 6f2af7cd61..6470d8b63e 100644 --- a/src/socket.h +++ b/src/socket.h @@ -129,6 +129,7 @@ struct Socket { bool transparent; bool broadcast; bool pass_cred; + bool pass_sec; int priority; int mark; size_t receive_buffer; diff --git a/units/syslog.socket b/units/syslog.socket index 1c54857762..0e211e16e7 100644 --- a/units/syslog.socket +++ b/units/syslog.socket @@ -21,6 +21,7 @@ Wants=syslog.target ListenDatagram=/run/systemd/journal/syslog SocketMode=0666 PassCredentials=yes +PassSecurity=yes ReceiveBuffer=8M # The default syslog implementation should make syslog.service a diff --git a/units/systemd-journald.socket b/units/systemd-journald.socket index c752505d9f..15fc49ef29 100644 --- a/units/systemd-journald.socket +++ b/units/systemd-journald.socket @@ -23,4 +23,5 @@ ListenDatagram=/run/systemd/journal/socket ListenDatagram=/dev/log SocketMode=0666 PassCredentials=yes +PassSecurity=yes ReceiveBuffer=8M diff --git a/units/systemd-shutdownd.socket b/units/systemd-shutdownd.socket index 532a6f0c73..7f13c9386e 100644 --- a/units/systemd-shutdownd.socket +++ b/units/systemd-shutdownd.socket @@ -16,3 +16,4 @@ Before=sockets.target ListenDatagram=/run/systemd/shutdownd SocketMode=0600 PassCredentials=yes +PassSecurity=yes |