| author | Lennart Poettering <lennart@poettering.net> | 2016-08-01 19:24:40 +0200 |
|---|---|---|
| committer | Lennart Poettering <lennart@poettering.net> | 2016-08-19 00:37:25 +0200 |
| commit | 00d9ef8560c252d8504be99cb38d1a54d35a9144 (patch) | |
| tree | 388323761f8f32b4ec3b83a017a8931c4fd450b9 /src/core/service.c | |
| parent | 51d73fd96a55810ca40324eec098e66c6657699b (diff) | |
core: add RemoveIPC= setting
This adds the boolean RemoveIPC= setting to service, socket, mount and swap
units (i.e. all unit types that may invoke processes). If turned on, and the
unit's user/group is not root, all IPC objects of the user/group are removed
when the service is shut down. The life-cycle of the IPC objects is hence bound
to the unit life-cycle.
This is particularly relevant for units with dynamic users, as it is essential
that no objects owned by the dynamic users survive the service exiting. In
fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set.
In order to communicate the UID/GID of an executed process back to PID 1 this
adds a new "user lookup" socket pair, that is inherited into the forked
processes, and closed before the exec(). This is needed since we cannot do NSS
from PID 1 due to deadlock risks; however, we need to know the used UID/GID in
order to clean up IPC owned by it if the unit shuts down.
Diffstat (limited to 'src/core/service.c')

| -rw-r--r-- | src/core/service.c | 3 |
|---|---|---|

1 files changed, 3 insertions, 0 deletions
diff --git a/src/core/service.c b/src/core/service.c index 4a37702f52..1951ba9222 100644 --- a/src/core/service.c +++ b/src/core/service.c @@ -1471,6 +1471,9 @@ static void service_enter_dead(Service *s, ServiceResult f, bool allow_restart) /* Also, remove the runtime directory */ exec_context_destroy_runtime_directory(&s->exec_context, manager_get_runtime_prefix(UNIT(s)->manager)); + /* Get rid of the IPC bits of the user */ + unit_unref_uid_gid(UNIT(s), true); + /* Release the user, and destroy it if we are the only remaining owner */ dynamic_creds_destroy(&s->dynamic_creds); |
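Review bot: the bare `true` passed in `unit_unref_uid_gid(UNIT(s), true);` in the `service_enter_dead()` hunk is not self-explanatory, and the condition the commit message describes (IPC is only removed when RemoveIPC= is on and the unit's user/group is not root) is not visible at this call site. If that check and the meaning of the flag live inside `unit_unref_uid_gid()`, extend the comment to say so, e.g. `/* Get rid of the IPC bits of the user (no-op unless RemoveIPC= is set and the user is not root) */`, so a reader of `service_enter_dead()` does not have to chase the helper to learn when IPC objects are actually destroyed. The placement before `dynamic_creds_destroy()` looks correct, since the UID/GID reference has to be released while the dynamic user still exists; a short note to that effect would also help future reordering of this cleanup sequence.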