summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2010-06-16 16:25:42 +0200
committerLennart Poettering <lennart@poettering.net>2010-06-16 16:27:24 +0200
commitdf1f0afe0c0d044a42ee726fa03730291d7082ee (patch)
treeec9aba0611608c2666aabac5ebc1b41b1c2508bd
parent0213c3f8102bdc934c629d11a44ca0b408762287 (diff)
tcpwrap: execute tcpwrap check in forked client, to avoid blocking name lookups in main systemd process
-rw-r--r--fixme2
-rw-r--r--src/dbus-execute.h6
-rw-r--r--src/dbus-socket.c2
-rw-r--r--src/execute.c18
-rw-r--r--src/execute.h5
-rw-r--r--src/load-fragment.c4
-rw-r--r--src/socket.c15
-rw-r--r--src/socket.h2
8 files changed, 28 insertions, 26 deletions
diff --git a/fixme b/fixme
index 460376440a..17a8ef8cfc 100644
--- a/fixme
+++ b/fixme
@@ -53,8 +53,6 @@
* run PAM session stuff
-* tcpwrap
-
* use setproctitle() when forking, before exec() (waiting for (PR_SET_PROCTITLE_AREA to enter the kernel)
* follow property change dbus spec
diff --git a/src/dbus-execute.h b/src/dbus-execute.h
index 6abae1657c..243854f893 100644
--- a/src/dbus-execute.h
+++ b/src/dbus-execute.h
@@ -43,7 +43,8 @@
" <property name=\"CapabilityBoundingSetDrop\" type=\"t\" access=\"read\"/>\n" \
" <property name=\"User\" type=\"s\" access=\"read\"/>\n" \
" <property name=\"Group\" type=\"s\" access=\"read\"/>\n" \
- " <property name=\"SupplementaryGroups\" type=\"as\" access=\"read\"/>\n"
+ " <property name=\"SupplementaryGroups\" type=\"as\" access=\"read\"/>\n" \
+ " <property name=\"TCPWrapName\" type=\"s\" access=\"read\"/>\n"
#define BUS_EXEC_CONTEXT_PROPERTIES(interface, context) \
{ interface, "Environment", bus_property_append_strv, "as", (context).environment }, \
@@ -71,7 +72,8 @@
{ interface, "CapabilityBoundingSetDrop", bus_property_append_uint64, "t", &(context).capability_bounding_set_drop }, \
{ interface, "User", bus_property_append_string, "s", (context).user }, \
{ interface, "Group", bus_property_append_string, "s", (context).group }, \
- { interface, "SupplementaryGroups", bus_property_append_strv, "as", (context).supplementary_groups }
+ { interface, "SupplementaryGroups", bus_property_append_strv, "as", (context).supplementary_groups }, \
+ { interface, "TCPWrapName", bus_property_append_string, "s", (context).tcpwrap_name }
int bus_execute_append_output(Manager *m, DBusMessageIter *i, const char *property, void *data);
int bus_execute_append_input(Manager *m, DBusMessageIter *i, const char *property, void *data);
diff --git a/src/dbus-socket.c b/src/dbus-socket.c
index fa84191140..426af2b4cf 100644
--- a/src/dbus-socket.c
+++ b/src/dbus-socket.c
@@ -37,7 +37,6 @@
" <property name=\"DirectoryMode\" type=\"u\" access=\"read\"/>\n" \
" <property name=\"SocketMode\" type=\"u\" access=\"read\"/>\n" \
" <property name=\"Accept\" type=\"b\" access=\"read\"/>\n" \
- " <property name=\"TCPWrapName\" type=\"s\" access=\"read\"/>\n" \
" </interface>\n" \
#define INTROSPECTION \
@@ -67,7 +66,6 @@ DBusHandlerResult bus_socket_message_handler(Unit *u, DBusMessage *message) {
{ "org.freedesktop.systemd1.Socket", "DirectoryMode", bus_property_append_mode, "u", &u->socket.directory_mode },
{ "org.freedesktop.systemd1.Socket", "SocketMode", bus_property_append_mode, "u", &u->socket.socket_mode },
{ "org.freedesktop.systemd1.Socket", "Accept", bus_property_append_bool, "b", &u->socket.accept },
- { "org.freedesktop.systemd1.Socket", "TCPWrapName", bus_property_append_string, "s", u->socket.tcpwrap_name },
{ NULL, NULL, NULL, NULL, NULL }
};
diff --git a/src/execute.c b/src/execute.c
index 1b37f2efe4..b61c1f838b 100644
--- a/src/execute.c
+++ b/src/execute.c
@@ -46,6 +46,7 @@
#include "securebits.h"
#include "cgroup.h"
#include "namespace.h"
+#include "tcpwrap.h"
/* This assumes there is a 'tty' group */
#define TTY_MODE 0620
@@ -803,6 +804,12 @@ int exec_spawn(ExecCommand *command,
goto fail;
}
+ if (socket_fd >= 0 && context->tcpwrap_name)
+ if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
+ r = EXIT_TCPWRAP;
+ goto fail;
+ }
+
if (confirm_spawn) {
char response;
@@ -1111,6 +1118,9 @@ void exec_context_done(ExecContext *c) {
free(c->tty_path);
c->tty_path = NULL;
+ free(c->tcpwrap_name);
+ c->tcpwrap_name = NULL;
+
free(c->syslog_identifier);
c->syslog_identifier = NULL;
@@ -1209,6 +1219,11 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
for (e = c->environment; *e; e++)
fprintf(f, "%sEnvironment: %s\n", prefix, *e);
+ if (c->tcpwrap_name)
+ fprintf(f,
+ "%sTCPWrapName: %s\n",
+ prefix, c->tcpwrap_name);
+
if (c->nice_set)
fprintf(f,
"%sNice: %i\n",
@@ -1595,6 +1610,9 @@ const char* exit_status_to_string(ExitStatus status) {
case EXIT_STDERR:
return "STDERR";
+ case EXIT_TCPWRAP:
+ return "TCPWRAP";
+
default:
return NULL;
}
diff --git a/src/execute.h b/src/execute.h
index 4585fe43a7..1adf41ea67 100644
--- a/src/execute.h
+++ b/src/execute.h
@@ -104,6 +104,8 @@ struct ExecContext {
char *syslog_identifier;
bool syslog_no_prefix;
+ char *tcpwrap_name;
+
char *tty_path;
/* Since resolving these names might might involve socket
@@ -179,7 +181,8 @@ typedef enum ExitStatus {
EXIT_CGROUP,
EXIT_SETSID, /* 220 */
EXIT_CONFIRM,
- EXIT_STDERR
+ EXIT_STDERR,
+ EXIT_TCPWRAP
} ExitStatus;
diff --git a/src/load-fragment.c b/src/load-fragment.c
index 94a637541f..f409776e88 100644
--- a/src/load-fragment.c
+++ b/src/load-fragment.c
@@ -1391,7 +1391,8 @@ static int load_from_path(Unit *u, const char *path) {
{ "ReadOnlyDirectories", config_parse_path_strv, &(context).read_only_dirs, section }, \
{ "InaccessibleDirectories",config_parse_path_strv, &(context).inaccessible_dirs, section }, \
{ "PrivateTmp", config_parse_bool, &(context).private_tmp, section }, \
- { "MountFlags", config_parse_mount_flags, &(context), section }
+ { "MountFlags", config_parse_mount_flags, &(context), section }, \
+ { "TCPWrapName", config_parse_string, &(context).tcpwrap_name, section }
const ConfigItem items[] = {
{ "Names", config_parse_names, u, "Unit" },
@@ -1444,7 +1445,6 @@ static int load_from_path(Unit *u, const char *path) {
{ "SocketMode", config_parse_mode, &u->socket.socket_mode, "Socket" },
{ "KillMode", config_parse_kill_mode, &u->socket.kill_mode, "Socket" },
{ "Accept", config_parse_bool, &u->socket.accept, "Socket" },
- { "TCPWrapName", config_parse_string, &u->socket.tcpwrap_name, "Socket" },
EXEC_CONTEXT_CONFIG_ITEMS(u->socket.exec_context, "Socket"),
{ "What", config_parse_string, &u->mount.parameters_fragment.what, "Mount" },
diff --git a/src/socket.c b/src/socket.c
index 71f1672027..1852fe9375 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -36,7 +36,6 @@
#include "strv.h"
#include "unit-name.h"
#include "dbus-socket.h"
-#include "tcpwrap.h"
static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
[SOCKET_DEAD] = UNIT_INACTIVE,
@@ -108,9 +107,6 @@ static void socket_done(Unit *u) {
free(s->bind_to_device);
s->bind_to_device = NULL;
- free(s->tcpwrap_name);
- s->tcpwrap_name = NULL;
-
unit_unwatch_timer(u, &s->timer_watch);
}
@@ -309,11 +305,6 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
"%sBindToDevice: %s\n",
prefix, s->bind_to_device);
- if (s->tcpwrap_name)
- fprintf(f,
- "%sTCPWrapName: %s\n",
- prefix, s->tcpwrap_name);
-
if (s->accept)
fprintf(f,
"%sAccepted: %u\n",
@@ -1221,12 +1212,6 @@ static void socket_fd_event(Unit *u, int fd, uint32_t events, Watch *w) {
break;
}
-
- if (s->tcpwrap_name)
- if (!socket_tcpwrap(cfd, s->tcpwrap_name)) {
- close_nointr_nofail(cfd);
- return;
- }
}
socket_enter_running(s, cfd);
diff --git a/src/socket.h b/src/socket.h
index de3e913f7c..5a2cd06d9d 100644
--- a/src/socket.h
+++ b/src/socket.h
@@ -101,8 +101,6 @@ struct Socket {
mode_t directory_mode;
mode_t socket_mode;
- char *tcpwrap_name;
-
bool accept;
unsigned n_accepted;