summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorLennart Poettering <lennart@poettering.net>2013-06-27 23:13:17 +0200
committerLennart Poettering <lennart@poettering.net>2013-06-27 23:13:17 +0200
commit7041efe9600e569da6089c36d00fa3ff58e33178 (patch)
treecd1e27213801a05d2b1a00bd0b84492e5a4e5fab /src
parentb42defe3b8ed3947d85db654a6cdb1b9999f394d (diff)
dbus: make DeviceAllow=/DevicePolicy= writable
Diffstat (limited to 'src')
-rw-r--r--src/core/dbus-cgroup.c105
-rw-r--r--src/systemctl/systemctl.c37
2 files changed, 142 insertions, 0 deletions
diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c
index ae360eae33..cf05f04ea1 100644
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@@ -21,6 +21,7 @@
#include <dbus/dbus.h>
+#include "path-util.h"
#include "dbus-cgroup.h"
static DEFINE_BUS_PROPERTY_APPEND_ENUM(bus_cgroup_append_device_policy, cgroup_device_policy, CGroupDevicePolicy);
@@ -265,6 +266,110 @@ int bus_cgroup_set_property(
}
return 1;
+
+ } else if (streq(name, "DevicePolicy")) {
+ const char *policy;
+ CGroupDevicePolicy p;
+
+ if (dbus_message_iter_get_arg_type(i) != DBUS_TYPE_STRING)
+ return -EINVAL;
+
+ dbus_message_iter_get_basic(i, &policy);
+ p = cgroup_device_policy_from_string(policy);
+ if (p < 0)
+ return -EINVAL;
+
+ if (mode != UNIT_CHECK) {
+ char *buf;
+
+ c->device_policy = p;
+
+ buf = strappenda("DevicePolicy=", policy);
+ unit_write_drop_in_private_section(u, mode, "device-policy", buf);
+ }
+
+ return 1;
+
+ } else if (streq(name, "DeviceAllow")) {
+ DBusMessageIter sub;
+ unsigned n = 0;
+
+ if (dbus_message_iter_get_arg_type(i) != DBUS_TYPE_ARRAY ||
+ dbus_message_iter_get_element_type(i) != DBUS_TYPE_STRUCT)
+ return -EINVAL;
+
+ dbus_message_iter_recurse(i, &sub);
+ while (dbus_message_iter_get_arg_type(&sub) == DBUS_TYPE_STRUCT) {
+ DBusMessageIter sub2;
+ const char *path, *rwm;
+ CGroupDeviceAllow *a;
+
+ dbus_message_iter_recurse(&sub, &sub2);
+
+ if (bus_iter_get_basic_and_next(&sub2, DBUS_TYPE_STRING, &path, true) < 0 ||
+ bus_iter_get_basic_and_next(&sub2, DBUS_TYPE_STRING, &rwm, false) < 0)
+ return -EINVAL;
+
+ if (!path_startswith(path, "/dev")) {
+ dbus_set_error(error, DBUS_ERROR_INVALID_ARGS, "DeviceAllow= requires device node");
+ return -EINVAL;
+ }
+
+ if (isempty(rwm))
+ rwm = "rwm";
+
+ if (!in_charset(rwm, "rwm")) {
+ dbus_set_error(error, DBUS_ERROR_INVALID_ARGS, "DeviceAllow= requires combination of rwm flags");
+ return -EINVAL;
+ }
+
+ n++;
+
+ if (mode != UNIT_CHECK) {
+ a = new0(CGroupDeviceAllow, 1);
+ if (!a)
+ return -ENOMEM;
+
+ a->path = strdup(path);
+ if (!a->path) {
+ free(a);
+ return -ENOMEM;
+ }
+
+ a->r = !!strchr(rwm, 'r');
+ a->w = !!strchr(rwm, 'w');
+ a->m = !!strchr(rwm, 'm');
+
+ LIST_PREPEND(CGroupDeviceAllow, device_allow, c->device_allow, a);
+ }
+
+ dbus_message_iter_next(&sub);
+ }
+
+ if (mode != UNIT_CHECK) {
+ _cleanup_free_ char *buf = NULL;
+ _cleanup_fclose_ FILE *f = NULL;
+ CGroupDeviceAllow *a;
+ size_t size = 0;
+
+ if (n == 0) {
+ while (c->device_allow)
+ cgroup_context_free_device_allow(c, c->device_allow);
+ }
+
+ f = open_memstream(&buf, &size);
+ if (!f)
+ return -ENOMEM;
+
+ fputs("DeviceAllow=\n", f);
+ LIST_FOREACH(device_allow, a, c->device_allow)
+ fprintf(f, "DeviceAllow=%s %s%s%s\n", a->path, a->r ? "r" : "", a->w ? "w" : "", a->m ? "m" : "");
+
+ fflush(f);
+ unit_write_drop_in_private_section(u, mode, "device-allow", buf);
+ }
+
+ return 1;
}
return 0;
diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
index 5048b529e1..ef1a079911 100644
--- a/src/systemctl/systemctl.c
+++ b/src/systemctl/systemctl.c
@@ -3661,6 +3661,43 @@ static int append_assignment(DBusMessageIter *iter, const char *assignment) {
!dbus_message_iter_append_basic(&sub, DBUS_TYPE_UINT64, &u))
return log_oom();
+ } else if (streq(field, "DevicePolicy")) {
+
+ if (!dbus_message_iter_open_container(iter, DBUS_TYPE_VARIANT, "s", &sub) ||
+ !dbus_message_iter_append_basic(&sub, DBUS_TYPE_STRING, &eq))
+ return log_oom();
+
+ } else if (streq(field, "DeviceAllow")) {
+ DBusMessageIter sub2;
+
+ if (!dbus_message_iter_open_container(iter, DBUS_TYPE_VARIANT, "a(ss)", &sub) ||
+ !dbus_message_iter_open_container(&sub, DBUS_TYPE_ARRAY, "(ss)", &sub2))
+ return log_oom();
+
+ if (!isempty(eq)) {
+ const char *path, *rwm;
+ DBusMessageIter sub3;
+ char *e;
+
+ e = strchr(eq, ' ');
+ if (e) {
+ path = strndupa(eq, e - eq);
+ rwm = e+1;
+ } else {
+ path = eq;
+ rwm = "";
+ }
+
+ if (!dbus_message_iter_open_container(&sub2, DBUS_TYPE_STRUCT, NULL, &sub3) ||
+ !dbus_message_iter_append_basic(&sub3, DBUS_TYPE_STRING, &path) ||
+ !dbus_message_iter_append_basic(&sub3, DBUS_TYPE_STRING, &rwm) ||
+ !dbus_message_iter_close_container(&sub2, &sub3))
+ return log_oom();
+ }
+
+ if (!dbus_message_iter_close_container(&sub, &sub2))
+ return log_oom();
+
} else {
log_error("Unknown assignment %s.", assignment);
return -EINVAL;