diff options
author | Lennart Poettering <lennart@poettering.net> | 2013-06-27 23:13:17 +0200 |
---|---|---|
committer | Lennart Poettering <lennart@poettering.net> | 2013-06-27 23:13:17 +0200 |
commit | 7041efe9600e569da6089c36d00fa3ff58e33178 (patch) | |
tree | cd1e27213801a05d2b1a00bd0b84492e5a4e5fab /src | |
parent | b42defe3b8ed3947d85db654a6cdb1b9999f394d (diff) |
dbus: make DeviceAllow=/DevicePolicy= writable
Diffstat (limited to 'src')
-rw-r--r-- | src/core/dbus-cgroup.c | 105 | ||||
-rw-r--r-- | src/systemctl/systemctl.c | 37 |
2 files changed, 142 insertions, 0 deletions
diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c index ae360eae33..cf05f04ea1 100644 --- a/src/core/dbus-cgroup.c +++ b/src/core/dbus-cgroup.c @@ -21,6 +21,7 @@ #include <dbus/dbus.h> +#include "path-util.h" #include "dbus-cgroup.h" static DEFINE_BUS_PROPERTY_APPEND_ENUM(bus_cgroup_append_device_policy, cgroup_device_policy, CGroupDevicePolicy); @@ -265,6 +266,110 @@ int bus_cgroup_set_property( } return 1; + + } else if (streq(name, "DevicePolicy")) { + const char *policy; + CGroupDevicePolicy p; + + if (dbus_message_iter_get_arg_type(i) != DBUS_TYPE_STRING) + return -EINVAL; + + dbus_message_iter_get_basic(i, &policy); + p = cgroup_device_policy_from_string(policy); + if (p < 0) + return -EINVAL; + + if (mode != UNIT_CHECK) { + char *buf; + + c->device_policy = p; + + buf = strappenda("DevicePolicy=", policy); + unit_write_drop_in_private_section(u, mode, "device-policy", buf); + } + + return 1; + + } else if (streq(name, "DeviceAllow")) { + DBusMessageIter sub; + unsigned n = 0; + + if (dbus_message_iter_get_arg_type(i) != DBUS_TYPE_ARRAY || + dbus_message_iter_get_element_type(i) != DBUS_TYPE_STRUCT) + return -EINVAL; + + dbus_message_iter_recurse(i, &sub); + while (dbus_message_iter_get_arg_type(&sub) == DBUS_TYPE_STRUCT) { + DBusMessageIter sub2; + const char *path, *rwm; + CGroupDeviceAllow *a; + + dbus_message_iter_recurse(&sub, &sub2); + + if (bus_iter_get_basic_and_next(&sub2, DBUS_TYPE_STRING, &path, true) < 0 || + bus_iter_get_basic_and_next(&sub2, DBUS_TYPE_STRING, &rwm, false) < 0) + return -EINVAL; + + if (!path_startswith(path, "/dev")) { + dbus_set_error(error, DBUS_ERROR_INVALID_ARGS, "DeviceAllow= requires device node"); + return -EINVAL; + } + + if (isempty(rwm)) + rwm = "rwm"; + + if (!in_charset(rwm, "rwm")) { + dbus_set_error(error, DBUS_ERROR_INVALID_ARGS, "DeviceAllow= requires combination of rwm flags"); + return -EINVAL; + } + + n++; + + if (mode != UNIT_CHECK) { + a = new0(CGroupDeviceAllow, 1); + if (!a) + return -ENOMEM; + + a->path = strdup(path); + if (!a->path) { + free(a); + return -ENOMEM; + } + + a->r = !!strchr(rwm, 'r'); + a->w = !!strchr(rwm, 'w'); + a->m = !!strchr(rwm, 'm'); + + LIST_PREPEND(CGroupDeviceAllow, device_allow, c->device_allow, a); + } + + dbus_message_iter_next(&sub); + } + + if (mode != UNIT_CHECK) { + _cleanup_free_ char *buf = NULL; + _cleanup_fclose_ FILE *f = NULL; + CGroupDeviceAllow *a; + size_t size = 0; + + if (n == 0) { + while (c->device_allow) + cgroup_context_free_device_allow(c, c->device_allow); + } + + f = open_memstream(&buf, &size); + if (!f) + return -ENOMEM; + + fputs("DeviceAllow=\n", f); + LIST_FOREACH(device_allow, a, c->device_allow) + fprintf(f, "DeviceAllow=%s %s%s%s\n", a->path, a->r ? "r" : "", a->w ? "w" : "", a->m ? "m" : ""); + + fflush(f); + unit_write_drop_in_private_section(u, mode, "device-allow", buf); + } + + return 1; } return 0; diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c index 5048b529e1..ef1a079911 100644 --- a/src/systemctl/systemctl.c +++ b/src/systemctl/systemctl.c @@ -3661,6 +3661,43 @@ static int append_assignment(DBusMessageIter *iter, const char *assignment) { !dbus_message_iter_append_basic(&sub, DBUS_TYPE_UINT64, &u)) return log_oom(); + } else if (streq(field, "DevicePolicy")) { + + if (!dbus_message_iter_open_container(iter, DBUS_TYPE_VARIANT, "s", &sub) || + !dbus_message_iter_append_basic(&sub, DBUS_TYPE_STRING, &eq)) + return log_oom(); + + } else if (streq(field, "DeviceAllow")) { + DBusMessageIter sub2; + + if (!dbus_message_iter_open_container(iter, DBUS_TYPE_VARIANT, "a(ss)", &sub) || + !dbus_message_iter_open_container(&sub, DBUS_TYPE_ARRAY, "(ss)", &sub2)) + return log_oom(); + + if (!isempty(eq)) { + const char *path, *rwm; + DBusMessageIter sub3; + char *e; + + e = strchr(eq, ' '); + if (e) { + path = strndupa(eq, e - eq); + rwm = e+1; + } else { + path = eq; + rwm = ""; + } + + if (!dbus_message_iter_open_container(&sub2, DBUS_TYPE_STRUCT, NULL, &sub3) || + !dbus_message_iter_append_basic(&sub3, DBUS_TYPE_STRING, &path) || + !dbus_message_iter_append_basic(&sub3, DBUS_TYPE_STRING, &rwm) || + !dbus_message_iter_close_container(&sub2, &sub3)) + return log_oom(); + } + + if (!dbus_message_iter_close_container(&sub, &sub2)) + return log_oom(); + } else { log_error("Unknown assignment %s.", assignment); return -EINVAL; |