diff options
| author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2016-11-08 19:54:21 -0500 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2016-11-08 19:54:21 -0500 |
| commit | d85a0f802851e79efdb09acaa1ce517f7127ad28 (patch) | |
| tree | 609c7aa9f807b3a74e0f23e3d4eed3f1e2454ea2 /src/core/load-fragment.c | |
| parent | a809cee58249cc2f42222f1ab5d4746d634c2668 (diff) | |
| parent | add005357d535681c7075ced8eec2b6e61b43728 (diff) | |
Merge pull request #4536 from poettering/seccomp-namespaces
core: add new RestrictNamespaces= unit file setting
Merging, not rebasing, because this touches many files and there were tree-wide cleanups in the mean time.
Diffstat (limited to 'src/core/load-fragment.c')
| -rw-r--r-- | src/core/load-fragment.c | 49 |
1 files changed, 49 insertions, 0 deletions
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index 75c048a23e..52079980d8 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -2919,6 +2919,54 @@ int config_parse_address_families( set_remove(c->address_families, INT_TO_PTR(af)); } } + +int config_parse_restrict_namespaces( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + ExecContext *c = data; + bool invert = false; + int r; + + if (isempty(rvalue)) { + /* Reset to the default. */ + c->restrict_namespaces = NAMESPACE_FLAGS_ALL; + return 0; + } + + if (rvalue[0] == '~') { + invert = true; + rvalue++; + } + + r = parse_boolean(rvalue); + if (r > 0) + c->restrict_namespaces = 0; + else if (r == 0) + c->restrict_namespaces = NAMESPACE_FLAGS_ALL; + else { + /* Not a boolean argument, in this case it's a list of namespace types. */ + + r = namespace_flag_from_string_many(rvalue, &c->restrict_namespaces); + if (r < 0) { + log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse namespace type string, ignoring: %s", rvalue); + return 0; + } + } + + if (invert) + c->restrict_namespaces = (~c->restrict_namespaces) & NAMESPACE_FLAGS_ALL; + + return 0; +} #endif int config_parse_unit_slice( @@ -4342,6 +4390,7 @@ void unit_dump_config_items(FILE *f) { { config_parse_syscall_archs, "ARCHS" }, { config_parse_syscall_errno, "ERRNO" }, { config_parse_address_families, "FAMILIES" }, + { config_parse_restrict_namespaces, "NAMESPACES" }, #endif { config_parse_cpu_shares, "SHARES" }, { config_parse_cpu_weight, "WEIGHT" }, |