diff options
| -rw-r--r-- | man/systemd-run.xml | 2 | ||||
| -rw-r--r-- | src/core/execute.c | 68 | ||||
| -rw-r--r-- | src/network/networkd-link.c | 24 |
3 files changed, 46 insertions, 48 deletions
diff --git a/man/systemd-run.xml b/man/systemd-run.xml index b220e0dce1..8850735a34 100644 --- a/man/systemd-run.xml +++ b/man/systemd-run.xml @@ -381,7 +381,7 @@ Dec 08 20:44:48 container systemd[1]: Started /bin/touch /tmp/foo.</programlisti as a service passing its standard input, output and error to the calling TTY.</para> - <programlisting># systemd-run -t /bin/bash</programlisting> + <programlisting># systemd-run -t --send-sighup /bin/bash</programlisting> </refsect1> diff --git a/src/core/execute.c b/src/core/execute.c index 6e14848cd4..a7e2362236 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1582,25 +1582,50 @@ static int exec_child( } } + umask(context->umask); + if (params->apply_permissions) { r = enforce_groups(context, username, gid); if (r < 0) { *exit_status = EXIT_GROUP; return r; } - } +#ifdef HAVE_SMACK + if (context->smack_process_label) { + r = mac_smack_apply_pid(0, context->smack_process_label); + if (r < 0) { + *exit_status = EXIT_SMACK_PROCESS_LABEL; + return r; + } + } +#ifdef SMACK_DEFAULT_PROCESS_LABEL + else { + _cleanup_free_ char *exec_label = NULL; - umask(context->umask); + r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label); + if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) { + *exit_status = EXIT_SMACK_PROCESS_LABEL; + return r; + } + r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL); + if (r < 0) { + *exit_status = EXIT_SMACK_PROCESS_LABEL; + return r; + } + } +#endif +#endif #ifdef HAVE_PAM - if (params->apply_permissions && context->pam_name && username) { - r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds); - if (r < 0) { - *exit_status = EXIT_PAM; - return r; + if (context->pam_name && username) { + r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds); + if (r < 0) { + *exit_status = EXIT_PAM; + return r; + } } - } #endif + } if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) { r = setup_netns(runtime->netns_storage_socket); @@ -1729,33 +1754,6 @@ static int exec_child( } } -#ifdef HAVE_SMACK - if (context->smack_process_label) { - r = mac_smack_apply_pid(0, context->smack_process_label); - if (r < 0) { - *exit_status = EXIT_SMACK_PROCESS_LABEL; - return r; - } - } -#ifdef SMACK_DEFAULT_PROCESS_LABEL - else { - _cleanup_free_ char *exec_label = NULL; - - r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label); - if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) { - *exit_status = EXIT_SMACK_PROCESS_LABEL; - return r; - } - - r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL); - if (r < 0) { - *exit_status = EXIT_SMACK_PROCESS_LABEL; - return r; - } - } -#endif -#endif - if (context->user) { r = enforce_user(context, uid); if (r < 0) { diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c index 86f1c3bb1a..05a1358eca 100644 --- a/src/network/networkd-link.c +++ b/src/network/networkd-link.c @@ -1794,7 +1794,6 @@ static int link_set_ipv6_privacy_extensions(Link *link) { static int link_set_ipv6_accept_ra(Link *link) { const char *p = NULL, *v = NULL; - bool b; int r; /* Make this a NOP if IPv6 is not available */ @@ -1804,20 +1803,21 @@ static int link_set_ipv6_accept_ra(Link *link) { if (link->flags & IFF_LOOPBACK) return 0; - /* if unset check the ip forwarding setting maintained for the interface - * and then set it to depending on that. enabled if local forwarding - * is disabled. disabled if local forwarding is enabled. + /* If unset use system default (enabled if local forwarding is disabled. + * disabled if local forwarding is enabled). + * If set, ignore or enforce RA independent of local forwarding state. */ if (link->network->ipv6_accept_ra < 0) { - if (IN_SET(link->network->ip_forward, ADDRESS_FAMILY_YES, ADDRESS_FAMILY_IPV6)) - b = false; - else - b = true; - } else - b = link->network->ipv6_accept_ra; - + /* default to accept RA if ip_forward is disabled and ignore RA if ip_forward is enabled */ + v = "1"; + } else if (link->network->ipv6_accept_ra > 0) { + /* "2" means accept RA even if ip_forward is enabled */ + v = "2"; + } else { + /* "0" means ignore RA */ + v = "0"; + } p = strjoina("/proc/sys/net/ipv6/conf/", link->ifname, "/accept_ra"); - v = one_zero(b); r = write_string_file(p, v, 0); if (r < 0) { |