diff options
119 files changed, 1080 insertions, 441 deletions
diff --git a/Makefile.am b/Makefile.am index f2d8bf57f7..50da458918 100644 --- a/Makefile.am +++ b/Makefile.am @@ -932,7 +932,7 @@ libbasic_la_SOURCES = \ src/basic/copy.h \ src/basic/alloc-util.h \ src/basic/alloc-util.c \ - src/basic/formats-util.h \ + src/basic/format-util.h \ src/basic/nss-util.h nodist_libbasic_la_SOURCES = \ @@ -1046,7 +1046,9 @@ libshared_la_SOURCES = \ src/shared/tests.h \ src/shared/tests.c \ src/shared/fdset.c \ - src/shared/fdset.h + src/shared/fdset.h \ + src/shared/nsflags.h \ + src/shared/nsflags.c if HAVE_UTMP libshared_la_SOURCES += \ @@ -6054,6 +6056,7 @@ EXTRA_DIST += \ # ------------------------------------------------------------------------------ substitutions = \ + '|rootlibdir=$(rootlibdir)|' \ '|rootlibexecdir=$(rootlibexecdir)|' \ '|rootbindir=$(rootbindir)|' \ '|bindir=$(bindir)|' \ @@ -23,9 +23,6 @@ External: Janitorial Clean-ups: -* code cleanup: retire FOREACH_WORD_QUOTED, port to extract_first_word() loops instead. - For example, most conf parsing callbacks should use it. - * replace manual readdir() loops with FOREACH_DIRENT or FOREACH_DIRENT_ALL * Rearrange tests so that the various test-xyz.c match a specific src/basic/xyz.c again @@ -59,14 +56,10 @@ Features: * define gpt header bits to select volatility mode -* nspawn: mount loopback filesystems with "discard" - * ProtectKernelLogs= (drops CAP_SYSLOG, add seccomp for syslog() syscall, and DeviceAllow to /dev/kmsg) in service files * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc -* ProtectKernelModules= (drops CAP_SYS_MODULE and filters the kmod syscalls) - * ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away) * ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave) @@ -88,8 +81,6 @@ Features: * Add RootImage= for mounting a disk image or file as root directory -* RestrictNamespaces= or so in services (taking away the ability to create namespaces, with setns, unshare, clone) - * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things * journalctl: make sure -f ends when the container indicated by -M terminates diff --git a/configure.ac b/configure.ac index 0b10fc7de7..7f6b3b937c 100644 --- a/configure.ac +++ b/configure.ac @@ -97,8 +97,6 @@ AC_PATH_PROG([M4], [m4]) AC_PATH_PROG([QUOTAON], [quotaon], [/usr/sbin/quotaon], [$PATH:/usr/sbin:/sbin]) AC_PATH_PROG([QUOTACHECK], [quotacheck], [/usr/sbin/quotacheck], [$PATH:/usr/sbin:/sbin]) -AC_PATH_PROG([SETCAP], [setcap], [/usr/sbin/setcap], [$PATH:/usr/sbin:/sbin]) - AC_PATH_PROG([KILL], [kill], [/usr/bin/kill], [$PATH:/usr/sbin:/sbin]) AC_PATH_PROG([KMOD], [kmod], [/usr/bin/kmod], [$PATH:/usr/sbin:/sbin]) @@ -218,25 +216,21 @@ AS_CASE([$CFLAGS], [*-O[[12345sz\ ]]*], [CC_CHECK_FLAGS_APPEND([with_cflags], [CFLAGS], [-flto])], [AC_MSG_RESULT([disabling -flto as requested])])], [AC_MSG_RESULT([skipping -flto, optimization not enabled])]) -AC_SUBST([OUR_CFLAGS], "$with_cflags $sanitizer_cflags") AS_CASE([$CFLAGS], [*-O[[12345sz\ ]]*], [CC_CHECK_FLAGS_APPEND([with_cppflags], [CPPFLAGS], [\ -Wp,-D_FORTIFY_SOURCE=2])], [AC_MSG_RESULT([skipping -D_FORTIFY_SOURCE, optimization not enabled])]) -AC_SUBST([OUR_CPPFLAGS], "$with_cppflags $sanitizer_cppflags") AS_CASE([$CFLAGS], [*-O[[12345sz\ ]]*], [CC_CHECK_FLAGS_APPEND([with_ldflags], [LDFLAGS], [\ -Wl,--gc-sections])], [AC_MSG_RESULT([skipping --gc-sections, optimization not enabled])]) -AC_SUBST([OUR_CFLAGS], "$with_ldflags $sanitizer_cflags") AS_CASE([$CFLAGS], [*-O[[12345sz\ ]]*], [CC_CHECK_FLAGS_APPEND([with_cflags], [CFLAGS], [\ -ffunction-sections -fdata-sections])], [AC_MSG_RESULT([skipping -ffunction/data-section, optimization not enabled])]) -AC_SUBST([OUR_CFLAGS], "$with_cflags $sanitizer_cflags") CC_CHECK_FLAGS_APPEND([with_ldflags], [LDFLAGS], [\ -Wl,--as-needed \ @@ -245,6 +239,9 @@ CC_CHECK_FLAGS_APPEND([with_ldflags], [LDFLAGS], [\ -Wl,-z,now \ -pie \ -Wl,-fuse-ld=gold]) + +AC_SUBST([OUR_CPPFLAGS], "$with_cppflags $sanitizer_cppflags") +AC_SUBST([OUR_CFLAGS], "-D__SANE_USERSPACE_TYPES__ $with_cflags $sanitizer_cflags") AC_SUBST([OUR_LDFLAGS], "$with_ldflags $sanitizer_ldflags") AC_CHECK_SIZEOF(pid_t) diff --git a/man/kernel-install.xml b/man/kernel-install.xml index 4a8a46cef4..99b7970457 100644 --- a/man/kernel-install.xml +++ b/man/kernel-install.xml @@ -89,11 +89,12 @@ <listitem> <para><command>kernel-install</command> creates the directory <filename>/boot/<replaceable>MACHINE-ID</replaceable>/<replaceable>KERNEL-VERSION</replaceable>/</filename> - and calls every executable + and calls executables from <filename>/usr/lib/kernel/install.d/*.install</filename> and <filename>/etc/kernel/install.d/*.install</filename> with the arguments - <programlisting>add <replaceable>KERNEL-VERSION</replaceable> <filename>/boot/<replaceable>MACHINE-ID</replaceable>/<replaceable>KERNEL-VERSION</replaceable>/</filename></programlisting> + <programlisting>add <replaceable>KERNEL-VERSION</replaceable> \ + <filename>/boot/<replaceable>MACHINE-ID</replaceable>/<replaceable>KERNEL-VERSION</replaceable>/</filename> <replaceable>KERNEL-IMAGE</replaceable></programlisting> </para> <para>The kernel-install plugin <filename>50-depmod.install</filename> runs depmod for the <replaceable>KERNEL-VERSION</replaceable>.</para> @@ -119,7 +120,7 @@ <varlistentry> <term><command>remove <replaceable>KERNEL-VERSION</replaceable></command></term> <listitem> - <para>Calls every executable <filename>/usr/lib/kernel/install.d/*.install</filename> + <para>Calls executables from <filename>/usr/lib/kernel/install.d/*.install</filename> and <filename>/etc/kernel/install.d/*.install</filename> with the arguments <programlisting>remove <replaceable>KERNEL-VERSION</replaceable> <filename>/boot/<replaceable>MACHINE-ID</replaceable>/<replaceable>KERNEL-VERSION</replaceable>/</filename></programlisting> </para> @@ -138,7 +139,7 @@ <refsect1> <title>Exit status</title> - <para>If every executable returns with 0, 0 is returned, a non-zero failure code otherwise.</para> + <para>If every executable returns 0 or 77, 0 is returned, and a non-zero failure code otherwise.</para> </refsect1> <refsect1> diff --git a/man/sd_watchdog_enabled.xml b/man/sd_watchdog_enabled.xml index 3de9899453..759d9303c6 100644 --- a/man/sd_watchdog_enabled.xml +++ b/man/sd_watchdog_enabled.xml @@ -121,7 +121,7 @@ <xi:include href="libsystemd-pkgconfig.xml" xpointer="pkgconfig-text"/> - <para>Internally, this functions parses the + <para>Internally, this function parses the <varname>$WATCHDOG_PID</varname> and <varname>$WATCHDOG_USEC</varname> environment variable. The call will ignore these variables if <varname>$WATCHDOG_PID</varname> @@ -148,7 +148,7 @@ <listitem><para>Set by the system manager for supervised process for which watchdog support is enabled, and contains - the watchdog timeout in µs See above for + the watchdog timeout in µs. See above for details.</para></listitem> </varlistentry> </variablelist> diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml index 0973f4047a..3b39a9c912 100644 --- a/man/systemd.exec.xml +++ b/man/systemd.exec.xml @@ -1234,22 +1234,16 @@ <varlistentry> <term><varname>NoNewPrivileges=</varname></term> - <listitem><para>Takes a boolean argument. If true, ensures that the service - process and all its children can never gain new privileges through - <function>execve</function> (e.g. via setuid or setgid bits, or filesystem - capabilities). This is the simplest and most effective way to ensure that - a process and its children can never elevate privileges again. Defaults to false, - but in the user manager instance certain settings force - <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting. - This is the case when <varname>SystemCallFilter=</varname>, - <varname>SystemCallArchitectures=</varname>, - <varname>RestrictAddressFamilies=</varname>, - <varname>PrivateDevices=</varname>, - <varname>ProtectKernelTunables=</varname>, - <varname>ProtectKernelModules=</varname>, - <varname>MemoryDenyWriteExecute=</varname>, or - <varname>RestrictRealtime=</varname> are specified. - </para></listitem> + <listitem><para>Takes a boolean argument. If true, ensures that the service process and all its children can + never gain new privileges through <function>execve()</function> (e.g. via setuid or setgid bits, or filesystem + capabilities). This is the simplest and most effective way to ensure that a process and its children can never + elevate privileges again. Defaults to false, but in the user manager instance certain settings force + <varname>NoNewPrivileges=yes</varname>, ignoring the value of this setting. This is the case when + <varname>SystemCallFilter=</varname>, <varname>SystemCallArchitectures=</varname>, + <varname>RestrictAddressFamilies=</varname>, <varname>RestrictNamespaces=</varname>, + <varname>PrivateDevices=</varname>, <varname>ProtectKernelTunables=</varname>, + <varname>ProtectKernelModules=</varname>, <varname>MemoryDenyWriteExecute=</varname>, or + <varname>RestrictRealtime=</varname> are specified.</para></listitem> </varlistentry> <varlistentry> @@ -1468,6 +1462,30 @@ </varlistentry> <varlistentry> + <term><varname>RestrictNamespaces=</varname></term> + + <listitem><para>Restricts access to Linux namespace functionality for the processes of this unit. For details + about Linux namespaces, see + <citerefentry><refentrytitle>namespaces</refentrytitle><manvolnum>7</manvolnum></citerefentry>. Either takes a + boolean argument, or a space-separated list of namespace type identifiers. If false (the default), no + restrictions on namespace creation and switching are made. If true, access to any kind of namespacing is + prohibited. Otherwise, a space-separated list of namespace type identifiers must be specified, consisting of + any combination of: <constant>cgroup</constant>, <constant>ipc</constant>, <constant>net</constant>, + <constant>mnt</constant>, <constant>pid</constant>, <constant>user</constant> and <constant>uts</constant>. Any + namespace type listed is made accessible to the unit's processes, access to namespace types not listed is + prohibited (whitelisting). By prepending the list with a single tilda character (<literal>~</literal>) the + effect may be inverted: only the listed namespace types will be made inaccessible, all unlisted ones are + permitted (blacklisting). If the empty string is assigned, the default namespace restrictions are applied, + which is equivalent to false. Internally, this setting limits access to the + <citerefentry><refentrytitle>unshare</refentrytitle><manvolnum>2</manvolnum></citerefentry>, + <citerefentry><refentrytitle>clone</refentrytitle><manvolnum>2</manvolnum></citerefentry> and + <citerefentry><refentrytitle>setns</refentrytitle><manvolnum>2</manvolnum></citerefentry> system calls, taking + the specified flags parameters into account. Note that — if this option is used — in addition to restricting + creation and switching of the specified types of namespaces (or all of them, if true) access to the + <function>setns()</function> system call with a zero flags parameter is prohibited.</para></listitem> + </varlistentry> + + <varlistentry> <term><varname>ProtectKernelModules=</varname></term> <listitem><para>Takes a boolean argument. If true, explicit module loading will diff --git a/man/tmpfiles.d.xml b/man/tmpfiles.d.xml index e040a1636d..555e9c2d56 100644 --- a/man/tmpfiles.d.xml +++ b/man/tmpfiles.d.xml @@ -117,8 +117,8 @@ type, path, mode, ownership, age, and argument fields:</para> <programlisting>#Type Path Mode UID GID Age Argument - d /run/user 0755 root root 10d - - L /tmp/foobar - - - - /dev/null</programlisting> +d /run/user 0755 root root 10d - +L /tmp/foobar - - - - /dev/null</programlisting> <para>Fields may be enclosed within quotes and contain C-style escapes.</para> @@ -159,7 +159,7 @@ <term><varname>d</varname></term> <listitem><para>Create a directory. The mode and ownership will be adjusted if specified and the directory already exists. Contents of this directory are subject - to time based cleanup if the time argument is specified.</para></listitem> + to time based cleanup if the age argument is specified.</para></listitem> </varlistentry> <varlistentry> @@ -171,9 +171,13 @@ <varlistentry> <term><varname>e</varname></term> - <listitem><para>Similar to <varname>d</varname>, but the directory will not be - created if it does not exist. Lines of this type accept shell-style globs in - place of normal path names.</para></listitem> + <listitem><para>Similar to <varname>d</varname>, but the directory will not be created if + it does not exist. Lines of this type accept shell-style globs in place of normal path + names. For this entry to be useful, at least one of the mode, uid, gid, or age arguments + must be specified, since otherwise this entry has no effect. If the age argument is + <literal>0</literal>, contents of the directory will be unconditionally deleted every time + <command>systemd-tmpfiles --clean</command> is run. This can be useful when combined with + <varname>!</varname>, see the examples.</para></listitem> </varlistentry> <varlistentry> @@ -680,6 +684,18 @@ e /var/chache/dnf/ - - - 30d <filename>/var/chache/dnf/</filename> will be removed after they have not been accessed in 30 days.</para> </example> + + <example> + <title>Empty the contents of a cache directory on boot</title> + + <programlisting># /usr/lib/tmpfiles.d/krb5rcache.conf +e! /var/cache/krb5rcache - - - 0 +</programlisting> + + <para>Any files and subdirectories in <filename>/var/cache/krb5rcache/</filename> + will be removed on boot. The directory will not be created. + </para> + </example> </refsect1> <refsect1> diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c index 5fce32f769..dc13025115 100644 --- a/src/basic/cgroup-util.c +++ b/src/basic/cgroup-util.c @@ -38,7 +38,7 @@ #include "extract-word.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "log.h" #include "login-util.h" @@ -2423,10 +2423,10 @@ bool cg_is_unified_systemd_controller_wanted(void) { r = get_proc_cmdline_key("systemd.legacy_systemd_cgroup_controller=", &value); if (r < 0) - return true; + return false; if (r == 0) - wanted = true; + wanted = false; else wanted = parse_boolean(value) <= 0; } diff --git a/src/basic/env-util.c b/src/basic/env-util.c index b74290d6fd..7c69ccdaf9 100644 --- a/src/basic/env-util.c +++ b/src/basic/env-util.c @@ -384,6 +384,28 @@ char **strv_env_unset_many(char **l, ...) { return l; } +int strv_env_replace(char ***l, char *p) { + char **f; + + assert(p); + + /* Replace first occurrence of the env var or add a new one in the + * string list. Drop other occurences. Edits in-place. Does not copy p. + */ + + for (f = *l; f && *f; f++) + if (env_match(*f, p)) { + free_and_replace(*f, p); + strv_env_unset(f + 1, p); + return 0; + } + + /* We didn't find a match, we need to append p or create a new strv */ + if (strv_push(l, p) < 0) + return -ENOMEM; + return 1; +} + char **strv_env_set(char **x, const char *p) { char **k, **r; diff --git a/src/basic/env-util.h b/src/basic/env-util.h index b1fef704c2..8cb0fc2131 100644 --- a/src/basic/env-util.h +++ b/src/basic/env-util.h @@ -44,6 +44,7 @@ char **strv_env_delete(char **x, unsigned n_lists, ...); /* New copy */ char **strv_env_set(char **x, const char *p); /* New copy ... */ char **strv_env_unset(char **l, const char *p); /* In place ... */ char **strv_env_unset_many(char **l, ...) _sentinel_; +int strv_env_replace(char ***l, char *p); /* In place ... */ char *strv_env_get_n(char **l, const char *name, size_t k) _pure_; char *strv_env_get(char **x, const char *n) _pure_; diff --git a/src/basic/formats-util.h b/src/basic/format-util.h index 39a185f59b..39a185f59b 100644 --- a/src/basic/formats-util.h +++ b/src/basic/format-util.h diff --git a/src/basic/log.c b/src/basic/log.c index 4919d175da..f5cff4cc9f 100644 --- a/src/basic/log.c +++ b/src/basic/log.c @@ -37,7 +37,7 @@ #include "alloc-util.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "io-util.h" #include "log.h" #include "macro.h" diff --git a/src/basic/process-util.h b/src/basic/process-util.h index 2568e3834f..89dfeb4d6a 100644 --- a/src/basic/process-util.h +++ b/src/basic/process-util.h @@ -28,7 +28,7 @@ #include <sys/types.h> #include <sys/resource.h> -#include "formats-util.h" +#include "format-util.h" #include "macro.h" #define procfs_file_alloca(pid, field) \ diff --git a/src/basic/rlimit-util.c b/src/basic/rlimit-util.c index ee063720ed..ca834df621 100644 --- a/src/basic/rlimit-util.c +++ b/src/basic/rlimit-util.c @@ -22,7 +22,7 @@ #include "alloc-util.h" #include "extract-word.h" -#include "formats-util.h" +#include "format-util.h" #include "macro.h" #include "missing.h" #include "rlimit-util.h" diff --git a/src/basic/socket-util.c b/src/basic/socket-util.c index 1662c04705..4ebf106109 100644 --- a/src/basic/socket-util.c +++ b/src/basic/socket-util.c @@ -34,7 +34,7 @@ #include "alloc-util.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "log.h" #include "macro.h" #include "missing.h" diff --git a/src/basic/string-util.h b/src/basic/string-util.h index 0175803302..e99f7964be 100644 --- a/src/basic/string-util.h +++ b/src/basic/string-util.h @@ -107,9 +107,6 @@ const char* split(const char **state, size_t *l, const char *separator, bool quo #define FOREACH_WORD_SEPARATOR(word, length, s, separator, state) \ _FOREACH_WORD(word, length, s, separator, false, state) -#define FOREACH_WORD_QUOTED(word, length, s, state) \ - _FOREACH_WORD(word, length, s, WHITESPACE, true, state) - #define _FOREACH_WORD(word, length, s, separator, quoted, state) \ for ((state) = (s), (word) = split(&(state), &(length), (separator), (quoted)); (word); (word) = split(&(state), &(length), (separator), (quoted))) diff --git a/src/basic/time-util.c b/src/basic/time-util.c index fedff1362c..cbdfd55ada 100644 --- a/src/basic/time-util.c +++ b/src/basic/time-util.c @@ -309,7 +309,7 @@ static char *format_timestamp_internal( if (n + 8 > l) return NULL; /* Microseconds part doesn't fit. */ - sprintf(buf + n, ".%06llu", (unsigned long long) (t % USEC_PER_SEC)); + sprintf(buf + n, ".%06"PRI_USEC, t % USEC_PER_SEC); } /* Append the timezone */ @@ -499,11 +499,11 @@ char *format_timespan(char *buf, size_t l, usec_t t, usec_t accuracy) { if (j > 0) { k = snprintf(p, l, - "%s"USEC_FMT".%0*llu%s", + "%s"USEC_FMT".%0*"PRI_USEC"%s", p > buf ? " " : "", a, j, - (unsigned long long) b, + b, table[i].suffix); t = 0; @@ -1320,7 +1320,7 @@ unsigned long usec_to_jiffies(usec_t u) { r = sysconf(_SC_CLK_TCK); assert(r > 0); - hz = (unsigned long) r; + hz = r; } return DIV_ROUND_UP(u , USEC_PER_SEC / hz); diff --git a/src/basic/time-util.h b/src/basic/time-util.h index 558b0b5b7f..f67a4474ed 100644 --- a/src/basic/time-util.h +++ b/src/basic/time-util.h @@ -29,8 +29,10 @@ typedef uint64_t usec_t; typedef uint64_t nsec_t; -#define NSEC_FMT "%" PRIu64 -#define USEC_FMT "%" PRIu64 +#define PRI_NSEC PRIu64 +#define PRI_USEC PRIu64 +#define NSEC_FMT "%" PRI_NSEC +#define USEC_FMT "%" PRI_USEC #include "macro.h" diff --git a/src/basic/user-util.c b/src/basic/user-util.c index de6c93056e..938533d2e7 100644 --- a/src/basic/user-util.c +++ b/src/basic/user-util.c @@ -34,7 +34,7 @@ #include "alloc-util.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "macro.h" #include "missing.h" #include "parse-util.h" diff --git a/src/basic/util.c b/src/basic/util.c index 0f65e4839c..c1b5ca1ef7 100644 --- a/src/basic/util.c +++ b/src/basic/util.c @@ -41,7 +41,7 @@ #include "dirent-util.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "hashmap.h" #include "hostname-util.h" #include "log.h" diff --git a/src/basic/util.h b/src/basic/util.h index bb2fc318ef..c3802a811c 100644 --- a/src/basic/util.h +++ b/src/basic/util.h @@ -41,7 +41,7 @@ #include <time.h> #include <unistd.h> -#include "formats-util.h" +#include "format-util.h" #include "macro.h" #include "missing.h" #include "time-util.h" diff --git a/src/core/automount.c b/src/core/automount.c index 7d7a0a6e46..5fa6eb7b18 100644 --- a/src/core/automount.c +++ b/src/core/automount.c @@ -34,7 +34,7 @@ #include "bus-util.h" #include "dbus-automount.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "io-util.h" #include "label.h" #include "mkdir.h" diff --git a/src/core/busname.c b/src/core/busname.c index b96ec09e67..88b758eecb 100644 --- a/src/core/busname.c +++ b/src/core/busname.c @@ -27,7 +27,7 @@ #include "busname.h" #include "dbus-busname.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "kdbus.h" #include "parse-util.h" #include "process-util.h" diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c index 03f23780c1..d7bb0496a0 100644 --- a/src/core/dbus-execute.c +++ b/src/core/dbus-execute.c @@ -781,6 +781,7 @@ const sd_bus_vtable bus_exec_vtable[] = { SD_BUS_PROPERTY("RuntimeDirectory", "as", NULL, offsetof(ExecContext, runtime_directory), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("MemoryDenyWriteExecute", "b", bus_property_get_bool, offsetof(ExecContext, memory_deny_write_execute), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("RestrictRealtime", "b", bus_property_get_bool, offsetof(ExecContext, restrict_realtime), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_PROPERTY("RestrictNamespace", "t", bus_property_get_ulong, offsetof(ExecContext, restrict_namespaces), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_VTABLE_END }; @@ -1591,7 +1592,27 @@ int bus_exec_context_set_transient_property( } return 1; + } else if (streq(name, "RestrictNamespaces")) { + uint64_t flags; + r = sd_bus_message_read(message, "t", &flags); + if (r < 0) + return r; + if ((flags & NAMESPACE_FLAGS_ALL) != flags) + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Unknown namespace types"); + + if (mode != UNIT_CHECK) { + _cleanup_free_ char *s = NULL; + + r = namespace_flag_to_string_many(flags, &s); + if (r < 0) + return r; + + c->restrict_namespaces = flags; + unit_write_drop_in_private_format(u, mode, name, "%s=%s", name, s); + } + + return 1; } ri = rlimit_from_string(name); diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c index d7d3d3c8ce..5a7922a249 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c @@ -34,7 +34,7 @@ #include "env-util.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "install.h" #include "log.h" #include "path-util.h" diff --git a/src/core/device.c b/src/core/device.c index 498351af11..c572a6737c 100644 --- a/src/core/device.c +++ b/src/core/device.c @@ -256,39 +256,33 @@ static int device_update_description(Unit *u, struct udev_device *dev, const cha } static int device_add_udev_wants(Unit *u, struct udev_device *dev) { - const char *wants; - const char *word, *state; - size_t l; + const char *wants, *property, *p; int r; - const char *property; assert(u); assert(dev); property = MANAGER_IS_USER(u->manager) ? "SYSTEMD_USER_WANTS" : "SYSTEMD_WANTS"; wants = udev_device_get_property_value(dev, property); - if (!wants) - return 0; - - FOREACH_WORD_QUOTED(word, l, wants, state) { - _cleanup_free_ char *n = NULL; - char e[l+1]; + for (p = wants;;) { + _cleanup_free_ char *word = NULL, *k = NULL; - memcpy(e, word, l); - e[l] = 0; + r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES); + if (r == 0) + return 0; + if (r == -ENOMEM) + return log_oom(); + if (r < 0) + return log_unit_error_errno(u, r, "Failed to add parse %s: %m", property); - r = unit_name_mangle(e, UNIT_NAME_NOGLOB, &n); + r = unit_name_mangle(word, UNIT_NAME_NOGLOB, &k); if (r < 0) - return log_unit_error_errno(u, r, "Failed to mangle unit name: %m"); + return log_unit_error_errno(u, r, "Failed to mangle unit name \"%s\": %m", word); - r = unit_add_dependency_by_name(u, UNIT_WANTS, n, NULL, true); + r = unit_add_dependency_by_name(u, UNIT_WANTS, k, NULL, true); if (r < 0) return log_unit_error_errno(u, r, "Failed to add wants dependency: %m"); } - if (!isempty(state)) - log_unit_warning(u, "Property %s on %s has trailing garbage, ignoring.", property, strna(udev_device_get_syspath(dev))); - - return 0; } static int device_setup_unit(Manager *m, struct udev_device *dev, const char *path, bool main) { @@ -423,26 +417,22 @@ static int device_process_new(Manager *m, struct udev_device *dev) { /* Add additional units for all explicitly configured * aliases */ alias = udev_device_get_property_value(dev, "SYSTEMD_ALIAS"); - if (alias) { - const char *word, *state; - size_t l; - - FOREACH_WORD_QUOTED(word, l, alias, state) { - char e[l+1]; + for (;;) { + _cleanup_free_ char *word = NULL, *k = NULL; - memcpy(e, word, l); - e[l] = 0; + r = extract_first_word(&alias, &word, NULL, EXTRACT_QUOTES); + if (r == 0) + return 0; + if (r == -ENOMEM) + return log_oom(); + if (r < 0) + return log_warning_errno(r, "Failed to add parse SYSTEMD_ALIAS for %s: %m", sysfs); - if (path_is_absolute(e)) - (void) device_setup_unit(m, dev, e, false); - else - log_warning("SYSTEMD_ALIAS for %s is not an absolute path, ignoring: %s", sysfs, e); - } - if (!isempty(state)) - log_warning("SYSTEMD_ALIAS for %s has trailing garbage, ignoring.", sysfs); + if (path_is_absolute(word)) + (void) device_setup_unit(m, dev, word, false); + else + log_warning("SYSTEMD_ALIAS for %s is not an absolute path, ignoring: %s", sysfs, word); } - - return 0; } static void device_update_found_one(Device *d, bool add, DeviceFound found, bool now) { diff --git a/src/core/execute.c b/src/core/execute.c index 5bb23e2e4a..f666f7c6ce 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -71,7 +71,7 @@ #include "exit-status.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "glob-util.h" #include "io-util.h" @@ -1534,6 +1534,18 @@ static int apply_private_devices(const Unit *u, const ExecContext *c) { return seccomp_load_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + SYSCALL_FILTER_SET_RAW_IO, SCMP_ACT_ERRNO(EPERM)); } +static int apply_restrict_namespaces(Unit *u, const ExecContext *c) { + assert(c); + + if (!exec_context_restrict_namespaces_set(c)) + return 0; + + if (skip_seccomp_unavailable(u, "RestrictNamespaces=")) + return 0; + + return seccomp_restrict_namespaces(c->restrict_namespaces); +} + #endif static void do_idle_pipe_dance(int idle_pipe[4]) { @@ -2022,6 +2034,7 @@ static int apply_mount_namespace(Unit *u, const ExecContext *context, char *tmp = NULL, *var = NULL; const char *root_dir = NULL; NameSpaceInfo ns_info = { + .ignore_protect_paths = false, .private_dev = context->private_devices, .protect_control_groups = context->protect_control_groups, .protect_kernel_tunables = context->protect_kernel_tunables, @@ -2048,6 +2061,14 @@ static int apply_mount_namespace(Unit *u, const ExecContext *context, if (params->flags & EXEC_APPLY_CHROOT) root_dir = context->root_directory; + /* + * If DynamicUser=no and RootDirectory= is set then lets pass a relaxed + * sandbox info, otherwise enforce it, don't ignore protected paths and + * fail if we are enable to apply the sandbox inside the mount namespace. + */ + if (!context->dynamic_user && root_dir) + ns_info.ignore_protect_paths = true; + r = setup_namespace(root_dir, &ns_info, rw, context->read_only_paths, context->inaccessible_paths, @@ -2183,6 +2204,7 @@ static bool context_has_no_new_privileges(const ExecContext *c) { return context_has_address_families(c) || /* we need NNP if we have any form of seccomp and are unprivileged */ c->memory_deny_write_execute || c->restrict_realtime || + exec_context_restrict_namespaces_set(c) || c->protect_kernel_tunables || c->protect_kernel_modules || c->private_devices || @@ -2764,6 +2786,12 @@ static int exec_child( } } + r = apply_restrict_namespaces(unit, context); + if (r < 0) { + *exit_status = EXIT_SECCOMP; + return r; + } + if (context->protect_kernel_tunables) { r = apply_protect_sysctl(unit, context); if (r < 0) { @@ -2947,6 +2975,7 @@ void exec_context_init(ExecContext *c) { c->personality = PERSONALITY_INVALID; c->runtime_directory_mode = 0755; c->capability_bounding_set = CAP_ALL; + c->restrict_namespaces = NAMESPACE_FLAGS_ALL; } void exec_context_done(ExecContext *c) { @@ -3244,6 +3273,7 @@ static void strv_fprintf(FILE *f, char **l) { void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { char **e, **d; unsigned i; + int r; assert(c); assert(f); @@ -3524,6 +3554,15 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { fputc('\n', f); } + if (exec_context_restrict_namespaces_set(c)) { + _cleanup_free_ char *s = NULL; + + r = namespace_flag_to_string_many(c->restrict_namespaces, &s); + if (r >= 0) + fprintf(f, "%sRestrictNamespaces: %s\n", + prefix, s); + } + if (c->syscall_errno > 0) fprintf(f, "%sSystemCallErrorNumber: %s\n", diff --git a/src/core/execute.h b/src/core/execute.h index c7d0f7761e..56f880cffe 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -35,6 +35,7 @@ typedef struct ExecParameters ExecParameters; #include "list.h" #include "missing.h" #include "namespace.h" +#include "nsflags.h" typedef enum ExecUtmpMode { EXEC_UTMP_INIT, @@ -195,6 +196,8 @@ struct ExecContext { unsigned long personality; + unsigned long restrict_namespaces; /* The CLONE_NEWxyz flags permitted to the unit's processes */ + Set *syscall_filter; Set *syscall_archs; int syscall_errno; @@ -216,6 +219,12 @@ struct ExecContext { bool no_new_privileges_set:1; }; +static inline bool exec_context_restrict_namespaces_set(const ExecContext *c) { + assert(c); + + return (c->restrict_namespaces & NAMESPACE_FLAGS_ALL) != NAMESPACE_FLAGS_ALL; +} + typedef enum ExecFlags { EXEC_CONFIRM_SPAWN = 1U << 0, EXEC_APPLY_PERMISSIONS = 1U << 1, diff --git a/src/core/killall.c b/src/core/killall.c index a8b814e868..3bc19e9c84 100644 --- a/src/core/killall.c +++ b/src/core/killall.c @@ -25,7 +25,7 @@ #include "alloc-util.h" #include "def.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "killall.h" #include "parse-util.h" #include "process-util.h" diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 index af2f9d960b..cb2f384f47 100644 --- a/src/core/load-fragment-gperf.gperf.m4 +++ b/src/core/load-fragment-gperf.gperf.m4 @@ -57,12 +57,14 @@ m4_ifdef(`HAVE_SECCOMP', $1.SystemCallArchitectures, config_parse_syscall_archs, 0, offsetof($1, exec_context.syscall_archs) $1.SystemCallErrorNumber, config_parse_syscall_errno, 0, offsetof($1, exec_context) $1.MemoryDenyWriteExecute, config_parse_bool, 0, offsetof($1, exec_context.memory_deny_write_execute) +$1.RestrictNamespaces, config_parse_restrict_namespaces, 0, offsetof($1, exec_context.restrict_namespaces) $1.RestrictRealtime, config_parse_bool, 0, offsetof($1, exec_context.restrict_realtime) $1.RestrictAddressFamilies, config_parse_address_families, 0, offsetof($1, exec_context)', `$1.SystemCallFilter, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 $1.SystemCallArchitectures, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 $1.SystemCallErrorNumber, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 $1.MemoryDenyWriteExecute, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 +$1.RestrictNamespaces, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 $1.RestrictRealtime, config_parse_warn_compat, DISABLED_CONFIGURATION, 0 $1.RestrictAddressFamilies, config_parse_warn_compat, DISABLED_CONFIGURATION, 0') $1.LimitCPU, config_parse_limit, RLIMIT_CPU, offsetof($1, exec_context.rlimit) diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index cbc826809e..52079980d8 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -269,26 +269,33 @@ int config_parse_unit_path_strv_printf( void *userdata) { char ***x = data; - const char *word, *state; Unit *u = userdata; - size_t l; int r; + const char *p; assert(filename); assert(lvalue); assert(rvalue); assert(u); - FOREACH_WORD_QUOTED(word, l, rvalue, state) { - _cleanup_free_ char *k = NULL; - char t[l+1]; + for (p = rvalue;;) { + _cleanup_free_ char *word = NULL, *k = NULL; - memcpy(t, word, l); - t[l] = 0; + r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES); + if (r == 0) + return 0; + if (r == -ENOMEM) + return log_oom(); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, + "Invalid syntax, ignoring: %s", rvalue); + return 0; + } - r = unit_full_printf(u, t, &k); + r = unit_full_printf(u, word, &k); if (r < 0) { - log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve unit specifiers on %s, ignoring: %m", t); + log_syntax(unit, LOG_ERR, filename, line, r, + "Failed to resolve unit specifiers on \"%s\", ignoring: %m", word); return 0; } @@ -298,7 +305,8 @@ int config_parse_unit_path_strv_printf( } if (!path_is_absolute(k)) { - log_syntax(unit, LOG_ERR, filename, line, 0, "Symlink path %s is not absolute, ignoring: %m", k); + log_syntax(unit, LOG_ERR, filename, line, 0, + "Symlink path is not absolute: %s", k); return 0; } @@ -307,13 +315,8 @@ int config_parse_unit_path_strv_printf( r = strv_push(x, k); if (r < 0) return log_oom(); - k = NULL; } - if (!isempty(state)) - log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid syntax, ignoring."); - - return 0; } int config_parse_socket_listen(const char *unit, @@ -606,7 +609,7 @@ int config_parse_exec( semicolon = false; - r = extract_first_word_and_warn(&p, &firstword, WHITESPACE, EXTRACT_QUOTES|EXTRACT_CUNESCAPE, unit, filename, line, rvalue); + r = extract_first_word_and_warn(&p, &firstword, NULL, EXTRACT_QUOTES|EXTRACT_CUNESCAPE, unit, filename, line, rvalue); if (r <= 0) return 0; @@ -695,7 +698,7 @@ int config_parse_exec( continue; } - r = extract_first_word_and_warn(&p, &word, WHITESPACE, EXTRACT_QUOTES|EXTRACT_CUNESCAPE, unit, filename, line, rvalue); + r = extract_first_word_and_warn(&p, &word, NULL, EXTRACT_QUOTES|EXTRACT_CUNESCAPE, unit, filename, line, rvalue); if (r == 0) break; else if (r < 0) @@ -1062,8 +1065,8 @@ int config_parse_exec_secure_bits(const char *unit, void *userdata) { ExecContext *c = data; - size_t l; - const char *word, *state; + const char *p; + int r; assert(filename); assert(lvalue); @@ -1076,28 +1079,38 @@ int config_parse_exec_secure_bits(const char *unit, return 0; } - FOREACH_WORD_QUOTED(word, l, rvalue, state) { - if (first_word(word, "keep-caps")) + for (p = rvalue;;) { + _cleanup_free_ char *word = NULL; + + r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES); + if (r == 0) + return 0; + if (r == -ENOMEM) + return log_oom(); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, + "Invalid syntax, ignoring: %s", rvalue); + return 0; + } + + if (streq(word, "keep-caps")) c->secure_bits |= 1<<SECURE_KEEP_CAPS; - else if (first_word(word, "keep-caps-locked")) + else if (streq(word, "keep-caps-locked")) c->secure_bits |= 1<<SECURE_KEEP_CAPS_LOCKED; - else if (first_word(word, "no-setuid-fixup")) + else if (streq(word, "no-setuid-fixup")) c->secure_bits |= 1<<SECURE_NO_SETUID_FIXUP; - else if (first_word(word, "no-setuid-fixup-locked")) + else if (streq(word, "no-setuid-fixup-locked")) c->secure_bits |= 1<<SECURE_NO_SETUID_FIXUP_LOCKED; - else if (first_word(word, "noroot")) + else if (streq(word, "noroot")) c->secure_bits |= 1<<SECURE_NOROOT; - else if (first_word(word, "noroot-locked")) + else if (streq(word, "noroot-locked")) c->secure_bits |= 1<<SECURE_NOROOT_LOCKED; else { - log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse secure bits, ignoring: %s", rvalue); + log_syntax(unit, LOG_ERR, filename, line, 0, + "Failed to parse secure bit \"%s\", ignoring.", word); return 0; } } - if (!isempty(state)) - log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid syntax, garbage at the end, ignoring."); - - return 0; } int config_parse_capability_set( @@ -1951,7 +1964,7 @@ int config_parse_user_group_strv( for (;;) { _cleanup_free_ char *word = NULL, *k = NULL; - r = extract_first_word(&p, &word, WHITESPACE, 0); + r = extract_first_word(&p, &word, NULL, 0); if (r == 0) break; if (r == -ENOMEM) @@ -2210,10 +2223,8 @@ int config_parse_environ(const char *unit, void *userdata) { Unit *u = userdata; - char*** env = data; - const char *word, *state; - size_t l; - _cleanup_free_ char *k = NULL; + char ***env = data; + const char *p; int r; assert(filename); @@ -2227,46 +2238,43 @@ int config_parse_environ(const char *unit, return 0; } - if (u) { - r = unit_full_printf(u, rvalue, &k); + for (p = rvalue;; ) { + _cleanup_free_ char *word = NULL, *k = NULL; + + r = extract_first_word(&p, &word, NULL, EXTRACT_CUNESCAPE|EXTRACT_QUOTES); + if (r == 0) + return 0; + if (r == -ENOMEM) + return log_oom(); if (r < 0) { - log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers, ignoring: %s", rvalue); + log_syntax(unit, LOG_WARNING, filename, line, r, + "Invalid syntax, ignoring: %s", rvalue); return 0; } - } - if (!k) { - k = strdup(rvalue); - if (!k) - return log_oom(); - } - - FOREACH_WORD_QUOTED(word, l, k, state) { - _cleanup_free_ char *n = NULL; - char **x; - - r = cunescape_length(word, l, 0, &n); - if (r < 0) { - log_syntax(unit, LOG_ERR, filename, line, r, "Couldn't unescape assignment, ignoring: %s", rvalue); - continue; + if (u) { + r = unit_full_printf(u, word, &k); + if (r < 0) { + log_syntax(unit, LOG_ERR, filename, line, r, + "Failed to resolve specifiers, ignoring: %s", k); + continue; + } + } else { + k = word; + word = NULL; } - if (!env_assignment_is_valid(n)) { - log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid environment assignment, ignoring: %s", rvalue); + if (!env_assignment_is_valid(k)) { + log_syntax(unit, LOG_ERR, filename, line, 0, + "Invalid environment assignment, ignoring: %s", k); continue; } - x = strv_env_set(*env, n); - if (!x) + r = strv_env_replace(env, k); + if (r < 0) return log_oom(); - - strv_free(*env); - *env = x; + k = NULL; } - if (!isempty(state)) - log_syntax(unit, LOG_ERR, filename, line, 0, "Trailing garbage, ignoring."); - - return 0; } int config_parse_pass_environ(const char *unit, @@ -2300,7 +2308,7 @@ int config_parse_pass_environ(const char *unit, for (;;) { _cleanup_free_ char *word = NULL; - r = extract_first_word(&rvalue, &word, WHITESPACE, EXTRACT_QUOTES); + r = extract_first_word(&rvalue, &word, NULL, EXTRACT_QUOTES); if (r == 0) break; if (r == -ENOMEM) @@ -2538,37 +2546,39 @@ int config_parse_unit_requires_mounts_for( void *userdata) { Unit *u = userdata; - const char *word, *state; - size_t l; + const char *p; + int r; assert(filename); assert(lvalue); assert(rvalue); assert(data); - FOREACH_WORD_QUOTED(word, l, rvalue, state) { - int r; - _cleanup_free_ char *n; + for (p = rvalue;; ) { + _cleanup_free_ char *word = NULL; - n = strndup(word, l); - if (!n) + r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES); + if (r == 0) + return 0; + if (r == -ENOMEM) return log_oom(); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, + "Invalid syntax, ignoring: %s", rvalue); + return 0; + } - if (!utf8_is_valid(n)) { + if (!utf8_is_valid(word)) { log_syntax_invalid_utf8(unit, LOG_ERR, filename, line, rvalue); continue; } - r = unit_require_mounts_for(u, n); + r = unit_require_mounts_for(u, word); if (r < 0) { - log_syntax(unit, LOG_ERR, filename, line, r, "Failed to add required mount for, ignoring: %s", rvalue); + log_syntax(unit, LOG_ERR, filename, line, r, "Failed to add required mount \"%s\", ignoring: %m", word); continue; } } - if (!isempty(state)) - log_syntax(unit, LOG_ERR, filename, line, 0, "Trailing garbage, ignoring."); - - return 0; } int config_parse_documentation(const char *unit, @@ -2760,8 +2770,7 @@ int config_parse_syscall_archs( void *userdata) { Set **archs = data; - const char *word, *state; - size_t l; + const char *p; int r; if (isempty(rvalue)) { @@ -2773,30 +2782,32 @@ int config_parse_syscall_archs( if (r < 0) return log_oom(); - FOREACH_WORD_QUOTED(word, l, rvalue, state) { - _cleanup_free_ char *t = NULL; + for (p = rvalue;;) { + _cleanup_free_ char *word = NULL; uint32_t a; - t = strndup(word, l); - if (!t) + r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES); + if (r == 0) + return 0; + if (r == -ENOMEM) return log_oom(); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, + "Invalid syntax, ignoring: %s", rvalue); + return 0; + } - r = seccomp_arch_from_string(t, &a); + r = seccomp_arch_from_string(word, &a); if (r < 0) { - log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse system call architecture, ignoring: %s", t); + log_syntax(unit, LOG_ERR, filename, line, r, + "Failed to parse system call architecture \"%s\", ignoring: %m", word); continue; } r = set_put(*archs, UINT32_TO_PTR(a + 1)); - if (r == 0) - continue; if (r < 0) return log_oom(); } - if (!isempty(state)) - log_syntax(unit, LOG_ERR, filename, line, 0, "Trailing garbage, ignoring."); - - return 0; } int config_parse_syscall_errno( @@ -2848,8 +2859,7 @@ int config_parse_address_families( ExecContext *c = data; bool invert = false; - const char *word, *state; - size_t l; + const char *p; int r; assert(filename); @@ -2876,34 +2886,84 @@ int config_parse_address_families( c->address_families_whitelist = !invert; } - FOREACH_WORD_QUOTED(word, l, rvalue, state) { - _cleanup_free_ char *t = NULL; + for (p = rvalue;;) { + _cleanup_free_ char *word = NULL; int af; - t = strndup(word, l); - if (!t) + r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES); + if (r == 0) + return 0; + if (r == -ENOMEM) return log_oom(); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, + "Invalid syntax, ignoring: %s", rvalue); + return 0; + } - af = af_from_name(t); + af = af_from_name(word); if (af <= 0) { - log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse address family, ignoring: %s", t); + log_syntax(unit, LOG_ERR, filename, line, 0, + "Failed to parse address family \"%s\", ignoring: %m", word); continue; } /* If we previously wanted to forbid an address family and now - * we want to allow it, then remove it from the list + * we want to allow it, then just remove it from the list. */ if (!invert == c->address_families_whitelist) { r = set_put(c->address_families, INT_TO_PTR(af)); - if (r == 0) - continue; if (r < 0) return log_oom(); } else set_remove(c->address_families, INT_TO_PTR(af)); } - if (!isempty(state)) - log_syntax(unit, LOG_ERR, filename, line, 0, "Trailing garbage, ignoring."); +} + +int config_parse_restrict_namespaces( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + ExecContext *c = data; + bool invert = false; + int r; + + if (isempty(rvalue)) { + /* Reset to the default. */ + c->restrict_namespaces = NAMESPACE_FLAGS_ALL; + return 0; + } + + if (rvalue[0] == '~') { + invert = true; + rvalue++; + } + + r = parse_boolean(rvalue); + if (r > 0) + c->restrict_namespaces = 0; + else if (r == 0) + c->restrict_namespaces = NAMESPACE_FLAGS_ALL; + else { + /* Not a boolean argument, in this case it's a list of namespace types. */ + + r = namespace_flag_from_string_many(rvalue, &c->restrict_namespaces); + if (r < 0) { + log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse namespace type string, ignoring: %s", rvalue); + return 0; + } + } + + if (invert) + c->restrict_namespaces = (~c->restrict_namespaces) & NAMESPACE_FLAGS_ALL; return 0; } @@ -3622,8 +3682,7 @@ int config_parse_runtime_directory( char***rt = data; Unit *u = userdata; - const char *word, *state; - size_t l; + const char *p; int r; assert(filename); @@ -3637,34 +3696,38 @@ int config_parse_runtime_directory( return 0; } - FOREACH_WORD_QUOTED(word, l, rvalue, state) { - _cleanup_free_ char *t = NULL, *n = NULL; + for (p = rvalue;;) { + _cleanup_free_ char *word = NULL, *k = NULL; - t = strndup(word, l); - if (!t) + r = extract_first_word(&p, &word, NULL, EXTRACT_QUOTES); + if (r == 0) + return 0; + if (r == -ENOMEM) return log_oom(); + if (r < 0) { + log_syntax(unit, LOG_WARNING, filename, line, r, + "Invalid syntax, ignoring: %s", rvalue); + return 0; + } - r = unit_name_printf(u, t, &n); + r = unit_name_printf(u, word, &k); if (r < 0) { - log_syntax(unit, LOG_ERR, filename, line, r, "Failed to resolve specifiers, ignoring: %m"); + log_syntax(unit, LOG_ERR, filename, line, r, + "Failed to resolve specifiers in \"%s\", ignoring: %m", word); continue; } - if (!filename_is_valid(n)) { - log_syntax(unit, LOG_ERR, filename, line, 0, "Runtime directory is not valid, ignoring assignment: %s", rvalue); + if (!filename_is_valid(k)) { + log_syntax(unit, LOG_ERR, filename, line, 0, + "Runtime directory is not valid, ignoring assignment: %s", rvalue); continue; } - r = strv_push(rt, n); + r = strv_push(rt, k); if (r < 0) return log_oom(); - - n = NULL; + k = NULL; } - if (!isempty(state)) - log_syntax(unit, LOG_ERR, filename, line, 0, "Trailing garbage, ignoring."); - - return 0; } int config_parse_set_status( @@ -4327,6 +4390,7 @@ void unit_dump_config_items(FILE *f) { { config_parse_syscall_archs, "ARCHS" }, { config_parse_syscall_errno, "ERRNO" }, { config_parse_address_families, "FAMILIES" }, + { config_parse_restrict_namespaces, "NAMESPACES" }, #endif { config_parse_cpu_shares, "SHARES" }, { config_parse_cpu_weight, "WEIGHT" }, diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h index c05f205c37..1cff815a50 100644 --- a/src/core/load-fragment.h +++ b/src/core/load-fragment.h @@ -116,6 +116,7 @@ int config_parse_fdname(const char *unit, const char *filename, unsigned line, c int config_parse_sec_fix_0(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); int config_parse_user_group(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); int config_parse_user_group_strv(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); +int config_parse_restrict_namespaces(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); /* gperf prototypes */ const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, unsigned length); diff --git a/src/core/main.c b/src/core/main.c index 94602611a7..f5f7df838d 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -53,7 +53,7 @@ #include "fd-util.h" #include "fdset.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "hostname-setup.h" #include "ima-setup.h" @@ -574,7 +574,7 @@ static int config_parse_join_controllers(const char *unit, char **l; int r; - r = extract_first_word(&rvalue, &word, WHITESPACE, EXTRACT_QUOTES); + r = extract_first_word(&rvalue, &word, NULL, EXTRACT_QUOTES); if (r < 0) { log_syntax(unit, LOG_ERR, filename, line, r, "Invalid value for %s: %s", lvalue, whole_rvalue); return r; diff --git a/src/core/mount.c b/src/core/mount.c index d749e49df5..43e0f1c746 100644 --- a/src/core/mount.c +++ b/src/core/mount.c @@ -28,7 +28,7 @@ #include "dbus-mount.h" #include "escape.h" #include "exit-status.h" -#include "formats-util.h" +#include "format-util.h" #include "fstab-util.h" #include "log.h" #include "manager.h" diff --git a/src/core/namespace.c b/src/core/namespace.c index db9a7aa5e7..67b203ba76 100644 --- a/src/core/namespace.c +++ b/src/core/namespace.c @@ -58,8 +58,7 @@ typedef enum MountMode { } MountMode; typedef struct BindMount { - const char *path; /* stack memory, doesn't need to be freed explicitly */ - char *chased; /* malloc()ed memory, needs to be freed */ + char *path; MountMode mode; bool ignore; /* Ignore if path does not exist */ } BindMount; @@ -155,10 +154,23 @@ static const TargetMount protect_system_strict_table[] = { { "/root", READWRITE, true }, /* ProtectHome= */ }; -static void set_bind_mount(BindMount **p, const char *path, MountMode mode, bool ignore) { - (*p)->path = path; - (*p)->mode = mode; - (*p)->ignore = ignore; +static void set_bind_mount(BindMount *p, char *path, MountMode mode, bool ignore) { + p->path = path; + p->mode = mode; + p->ignore = ignore; +} + +static int append_one_mount(BindMount **p, const char *root_directory, + const char *path, MountMode mode, bool ignore) { + char *lpath; + assert(p); + + lpath = prefix_root(root_directory, path); + if (!lpath) + return -ENOMEM; + + set_bind_mount((*p)++, lpath, mode, ignore); + return 0; } static int append_mounts(BindMount **p, char **strv, MountMode mode) { @@ -168,6 +180,7 @@ static int append_mounts(BindMount **p, char **strv, MountMode mode) { STRV_FOREACH(i, strv) { bool ignore = false; + char *path; if (IN_SET(mode, INACCESSIBLE, READONLY, READWRITE) && startswith(*i, "-")) { (*i)++; @@ -177,52 +190,66 @@ static int append_mounts(BindMount **p, char **strv, MountMode mode) { if (!path_is_absolute(*i)) return -EINVAL; - set_bind_mount(p, *i, mode, ignore); - (*p)++; + path = strdup(*i); + if (!path) + return -ENOMEM; + + set_bind_mount((*p)++, path, mode, ignore); } return 0; } -static int append_target_mounts(BindMount **p, const char *root_directory, const TargetMount *mounts, const size_t size) { +static int append_target_mounts(BindMount **p, const char *root_directory, + const TargetMount *mounts, const size_t size, bool ignore_protect) { unsigned i; assert(p); assert(mounts); for (i = 0; i < size; i++) { + bool ignore; /* * Here we assume that the ignore field is set during * declaration we do not support "-" at the beginning. */ const TargetMount *m = &mounts[i]; - const char *path = prefix_roota(root_directory, m->path); + char *path; + + path = prefix_root(root_directory, m->path); + if (!path) + return -ENOMEM; if (!path_is_absolute(path)) return -EINVAL; - set_bind_mount(p, path, m->mode, m->ignore); - (*p)++; + /* + * Ignore paths if they are not present. First we use our + * static tables otherwise fallback to Unit context. + */ + ignore = m->ignore || ignore_protect; + + set_bind_mount((*p)++, path, m->mode, ignore); } return 0; } -static int append_protect_kernel_tunables(BindMount **p, const char *root_directory) { +static int append_protect_kernel_tunables(BindMount **p, const char *root_directory, bool ignore_protect) { assert(p); return append_target_mounts(p, root_directory, protect_kernel_tunables_table, - ELEMENTSOF(protect_kernel_tunables_table)); + ELEMENTSOF(protect_kernel_tunables_table), ignore_protect); } -static int append_protect_kernel_modules(BindMount **p, const char *root_directory) { +static int append_protect_kernel_modules(BindMount **p, const char *root_directory, bool ignore_protect) { assert(p); return append_target_mounts(p, root_directory, protect_kernel_modules_table, - ELEMENTSOF(protect_kernel_modules_table)); + ELEMENTSOF(protect_kernel_modules_table), ignore_protect); } -static int append_protect_home(BindMount **p, const char *root_directory, ProtectHome protect_home) { +static int append_protect_home(BindMount **p, const char *root_directory, ProtectHome protect_home, bool ignore_protect) { int r = 0; assert(p); @@ -233,11 +260,12 @@ static int append_protect_home(BindMount **p, const char *root_directory, Protec switch (protect_home) { case PROTECT_HOME_READ_ONLY: r = append_target_mounts(p, root_directory, protect_home_read_only_table, - ELEMENTSOF(protect_home_read_only_table)); + ELEMENTSOF(protect_home_read_only_table), + ignore_protect); break; case PROTECT_HOME_YES: r = append_target_mounts(p, root_directory, protect_home_yes_table, - ELEMENTSOF(protect_home_yes_table)); + ELEMENTSOF(protect_home_yes_table), ignore_protect); break; default: r = -EINVAL; @@ -247,7 +275,7 @@ static int append_protect_home(BindMount **p, const char *root_directory, Protec return r; } -static int append_protect_system(BindMount **p, const char *root_directory, ProtectSystem protect_system) { +static int append_protect_system(BindMount **p, const char *root_directory, ProtectSystem protect_system, bool ignore_protect) { int r = 0; assert(p); @@ -258,15 +286,15 @@ static int append_protect_system(BindMount **p, const char *root_directory, Prot switch (protect_system) { case PROTECT_SYSTEM_STRICT: r = append_target_mounts(p, root_directory, protect_system_strict_table, - ELEMENTSOF(protect_system_strict_table)); + ELEMENTSOF(protect_system_strict_table), ignore_protect); break; case PROTECT_SYSTEM_YES: r = append_target_mounts(p, root_directory, protect_system_yes_table, - ELEMENTSOF(protect_system_yes_table)); + ELEMENTSOF(protect_system_yes_table), ignore_protect); break; case PROTECT_SYSTEM_FULL: r = append_target_mounts(p, root_directory, protect_system_full_table, - ELEMENTSOF(protect_system_full_table)); + ELEMENTSOF(protect_system_full_table), ignore_protect); break; default: r = -EINVAL; @@ -303,12 +331,13 @@ static void drop_duplicates(BindMount *m, unsigned *n) { /* Drops duplicate entries. Expects that the array is properly ordered already. */ - for (f = m, t = m, previous = NULL; f < m+*n; f++) { + for (f = m, t = m, previous = NULL; f < m + *n; f++) { /* The first one wins (which is the one with the more restrictive mode), see mount_path_compare() * above. */ if (previous && path_equal(f->path, previous->path)) { log_debug("%s is duplicate.", f->path); + f->path = mfree(f->path); continue; } @@ -330,12 +359,13 @@ static void drop_inaccessible(BindMount *m, unsigned *n) { /* Drops all entries obstructed by another entry further up the tree. Expects that the array is properly * ordered already. */ - for (f = m, t = m; f < m+*n; f++) { + for (f = m, t = m; f < m + *n; f++) { /* If we found a path set for INACCESSIBLE earlier, and this entry has it as prefix we should drop * it, as inaccessible paths really should drop the entire subtree. */ if (clear && path_startswith(f->path, clear)) { log_debug("%s is masked by %s.", f->path, clear); + f->path = mfree(f->path); continue; } @@ -357,7 +387,7 @@ static void drop_nop(BindMount *m, unsigned *n) { /* Drops all entries which have an immediate parent that has the same type, as they are redundant. Assumes the * list is ordered by prefixes. */ - for (f = m, t = m; f < m+*n; f++) { + for (f = m, t = m; f < m + *n; f++) { /* Only suppress such subtrees for READONLY and READWRITE entries */ if (IN_SET(f->mode, READONLY, READWRITE)) { @@ -375,6 +405,7 @@ static void drop_nop(BindMount *m, unsigned *n) { /* We found it, let's see if it's the same mode, if so, we can drop this entry */ if (found && p->mode == f->mode) { log_debug("%s is redundant by %s", f->path, p->path); + f->path = mfree(f->path); continue; } } @@ -392,15 +423,17 @@ static void drop_outside_root(const char *root_directory, BindMount *m, unsigned assert(m); assert(n); + /* Nothing to do */ if (!root_directory) return; /* Drops all mounts that are outside of the root directory. */ - for (f = m, t = m; f < m+*n; f++) { + for (f = m, t = m; f < m + *n; f++) { if (!path_startswith(f->path, root_directory)) { log_debug("%s is outside of root directory.", f->path); + f->path = mfree(f->path); continue; } @@ -591,7 +624,6 @@ static int apply_mount( return log_debug_errno(r, "Failed to determine whether %s is already a mount point: %m", m->path); if (r > 0) /* Nothing to do here, it is already a mount. We just later toggle the MS_RDONLY bit for the mount point if needed. */ return 0; - /* This isn't a mount point yet, let's make it one. */ what = m->path; break; @@ -640,9 +672,10 @@ static int make_read_only(BindMount *m, char **blacklist) { return r; } +/* Chase symlinks and remove failed paths from mounts */ static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned *n) { BindMount *f, *t; - int r; + int r = 0; assert(m); assert(n); @@ -651,19 +684,25 @@ static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned * chase the symlinks on our own first. This call wil do so for all entries and remove all entries where we * can't resolve the path, and which have been marked for such removal. */ - for (f = m, t = m; f < m+*n; f++) { + for (f = m, t = m; f < m + *n; f++) { + int k; + _cleanup_free_ char *chased = NULL; + + k = chase_symlinks(f->path, root_directory, &chased); + if (k < 0) { + /* Get only real errors */ + if (r >= 0 && (k != -ENOENT || !f->ignore)) + r = k; - r = chase_symlinks(f->path, root_directory, &f->chased); - if (r == -ENOENT && f->ignore) /* Doesn't exist? Then remove it! */ + log_debug_errno(r, "Failed to chase symlinks for %s: %m", f->path); + /* Doesn't exist or failed? Then remove it and continue! */ + f->path = mfree(f->path); continue; - if (r < 0) - return log_debug_errno(r, "Failed to chase symlinks for %s: %m", f->path); + } - if (path_equal(f->path, f->chased)) - f->chased = mfree(f->chased); - else { - log_debug("Chased %s → %s", f->path, f->chased); - f->path = f->chased; + if (!path_equal(f->path, chased)) { + log_debug("Chased %s → %s", f->path, chased); + free_and_replace(f->path, chased); } *t = *f; @@ -671,7 +710,7 @@ static int chase_all_symlinks(const char *root_directory, BindMount *m, unsigned } *n = t - m; - return 0; + return r; } static unsigned namespace_calculate_mounts( @@ -724,96 +763,99 @@ int setup_namespace( BindMount *m, *mounts = NULL; bool make_slave = false; - unsigned n; + unsigned n_mounts; int r = 0; if (mount_flags == 0) mount_flags = MS_SHARED; - n = namespace_calculate_mounts(ns_info, - read_write_paths, - read_only_paths, - inaccessible_paths, - tmp_dir, var_tmp_dir, - protect_home, protect_system); + n_mounts = namespace_calculate_mounts(ns_info, + read_write_paths, + read_only_paths, + inaccessible_paths, + tmp_dir, var_tmp_dir, + protect_home, protect_system); /* Set mount slave mode */ - if (root_directory || n > 0) + if (root_directory || n_mounts > 0) make_slave = true; - if (n > 0) { - m = mounts = (BindMount *) alloca0(n * sizeof(BindMount)); + if (n_mounts > 0) { + m = mounts = (BindMount *) alloca0(n_mounts * sizeof(BindMount)); r = append_mounts(&m, read_write_paths, READWRITE); if (r < 0) - return r; + goto finish; r = append_mounts(&m, read_only_paths, READONLY); if (r < 0) - return r; + goto finish; r = append_mounts(&m, inaccessible_paths, INACCESSIBLE); if (r < 0) - return r; + goto finish; if (tmp_dir) { - m->path = prefix_roota(root_directory, "/tmp"); - m->mode = PRIVATE_TMP; - m++; + r = append_one_mount(&m, root_directory, "/tmp", PRIVATE_TMP, false); + if (r < 0) + goto finish; } if (var_tmp_dir) { - m->path = prefix_roota(root_directory, "/var/tmp"); - m->mode = PRIVATE_VAR_TMP; - m++; + r = append_one_mount(&m, root_directory, "/var/tmp", PRIVATE_VAR_TMP, false); + if (r < 0) + goto finish; } if (ns_info->private_dev) { - m->path = prefix_roota(root_directory, "/dev"); - m->mode = PRIVATE_DEV; - m++; + r = append_one_mount(&m, root_directory, "/dev", PRIVATE_DEV, false); + if (r < 0) + goto finish; } if (ns_info->protect_kernel_tunables) { - r = append_protect_kernel_tunables(&m, root_directory); + r = append_protect_kernel_tunables(&m, root_directory, + ns_info->ignore_protect_paths); if (r < 0) - return r; + goto finish; } if (ns_info->protect_kernel_modules) { - r = append_protect_kernel_modules(&m, root_directory); + r = append_protect_kernel_modules(&m, root_directory, + ns_info->ignore_protect_paths); if (r < 0) - return r; + goto finish; } if (ns_info->protect_control_groups) { - m->path = prefix_roota(root_directory, "/sys/fs/cgroup"); - m->mode = READONLY; - m++; + r = append_one_mount(&m, root_directory, "/sys/fs/cgroup", READONLY, false); + if (r < 0) + goto finish; } - r = append_protect_home(&m, root_directory, protect_home); + r = append_protect_home(&m, root_directory, protect_home, + ns_info->ignore_protect_paths); if (r < 0) - return r; + goto finish; - r = append_protect_system(&m, root_directory, protect_system); + r = append_protect_system(&m, root_directory, protect_system, false); if (r < 0) - return r; + goto finish; - assert(mounts + n == m); + assert(mounts + n_mounts == m); /* Resolve symlinks manually first, as mount() will always follow them relative to the host's * root. Moreover we want to suppress duplicates based on the resolved paths. This of course is a bit * racy. */ - r = chase_all_symlinks(root_directory, mounts, &n); + r = chase_all_symlinks(root_directory, mounts, &n_mounts); if (r < 0) goto finish; - qsort(mounts, n, sizeof(BindMount), mount_path_compare); + qsort(mounts, n_mounts, sizeof(BindMount), mount_path_compare); - drop_duplicates(mounts, &n); - drop_outside_root(root_directory, mounts, &n); - drop_inaccessible(mounts, &n); - drop_nop(mounts, &n); + drop_duplicates(mounts, &n_mounts); + drop_outside_root(root_directory, mounts, &n_mounts); + drop_inaccessible(mounts, &n_mounts); + drop_nop(mounts, &n_mounts); } if (unshare(CLONE_NEWNS) < 0) { @@ -843,25 +885,25 @@ int setup_namespace( } } - if (n > 0) { + if (n_mounts > 0) { char **blacklist; unsigned j; /* First round, add in all special mounts we need */ - for (m = mounts; m < mounts + n; ++m) { + for (m = mounts; m < mounts + n_mounts; ++m) { r = apply_mount(m, tmp_dir, var_tmp_dir); if (r < 0) goto finish; } /* Create a blacklist we can pass to bind_mount_recursive() */ - blacklist = newa(char*, n+1); - for (j = 0; j < n; j++) + blacklist = newa(char*, n_mounts+1); + for (j = 0; j < n_mounts; j++) blacklist[j] = (char*) mounts[j].path; blacklist[j] = NULL; /* Second round, flip the ro bits if necessary. */ - for (m = mounts; m < mounts + n; ++m) { + for (m = mounts; m < mounts + n_mounts; ++m) { r = make_read_only(m, blacklist); if (r < 0) goto finish; @@ -886,8 +928,8 @@ int setup_namespace( r = 0; finish: - for (m = mounts; m < mounts + n; m++) - free(m->chased); + for (m = mounts; m < mounts + n_mounts; m++) + free(m->path); return r; } diff --git a/src/core/namespace.h b/src/core/namespace.h index 6310638e9a..2c278fd457 100644 --- a/src/core/namespace.h +++ b/src/core/namespace.h @@ -44,6 +44,7 @@ typedef enum ProtectSystem { } ProtectSystem; struct NameSpaceInfo { + bool ignore_protect_paths:1; bool private_dev:1; bool protect_control_groups:1; bool protect_kernel_tunables:1; diff --git a/src/core/service.c b/src/core/service.c index f6acc2f129..7aa1fba572 100644 --- a/src/core/service.c +++ b/src/core/service.c @@ -33,7 +33,7 @@ #include "exit-status.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "load-dropin.h" #include "load-fragment.h" diff --git a/src/core/socket.c b/src/core/socket.c index 0b1c4acfec..ebacd74a47 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -36,7 +36,7 @@ #include "def.h" #include "exit-status.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "io-util.h" #include "label.h" #include "log.h" diff --git a/src/core/swap.c b/src/core/swap.c index 2228a254bb..b870ac88e3 100644 --- a/src/core/swap.c +++ b/src/core/swap.c @@ -29,7 +29,7 @@ #include "escape.h" #include "exit-status.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "fstab-util.h" #include "parse-util.h" #include "path-util.h" diff --git a/src/core/unit-printf.c b/src/core/unit-printf.c index f11df42af3..1f5dc6fd88 100644 --- a/src/core/unit-printf.c +++ b/src/core/unit-printf.c @@ -19,7 +19,7 @@ #include "alloc-util.h" #include "cgroup-util.h" -#include "formats-util.h" +#include "format-util.h" #include "macro.h" #include "specifier.h" #include "string-util.h" diff --git a/src/core/unit.c b/src/core/unit.c index fa1f3d9d4b..bba0f5d357 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -36,7 +36,7 @@ #include "escape.h" #include "execute.h" #include "fileio-label.h" -#include "formats-util.h" +#include "format-util.h" #include "id128-util.h" #include "load-dropin.h" #include "load-fragment.h" diff --git a/src/coredump/coredump.c b/src/coredump/coredump.c index 6bd0e925eb..d55d896df4 100644 --- a/src/coredump/coredump.c +++ b/src/coredump/coredump.c @@ -111,7 +111,7 @@ static CoredumpStorage arg_storage = COREDUMP_STORAGE_EXTERNAL; static bool arg_compress = true; static uint64_t arg_process_size_max = PROCESS_SIZE_MAX; static uint64_t arg_external_size_max = EXTERNAL_SIZE_MAX; -static size_t arg_journal_size_max = JOURNAL_SIZE_MAX; +static uint64_t arg_journal_size_max = JOURNAL_SIZE_MAX; static uint64_t arg_keep_free = (uint64_t) -1; static uint64_t arg_max_use = (uint64_t) -1; @@ -708,7 +708,7 @@ static int submit_coredump( coredump_filename = strjoina("COREDUMP_FILENAME=", filename); IOVEC_SET_STRING(iovec[n_iovec++], coredump_filename); } else if (arg_storage == COREDUMP_STORAGE_EXTERNAL) - log_info("The core will not be stored: size %zu is greater than %zu (the configured maximum)", + log_info("The core will not be stored: size %"PRIu64" is greater than %"PRIu64" (the configured maximum)", coredump_size, arg_external_size_max); /* Vacuum again, but exclude the coredump we just created */ @@ -738,7 +738,7 @@ static int submit_coredump( else log_warning_errno(r, "Failed to generate stack trace: %m"); } else - log_debug("Not generating stack trace: core size %zu is greater than %zu (the configured maximum)", + log_debug("Not generating stack trace: core size %"PRIu64" is greater than %"PRIu64" (the configured maximum)", coredump_size, arg_process_size_max); if (!core_message) @@ -765,7 +765,7 @@ log: } else log_warning_errno(r, "Failed to attach the core to the journal entry: %m"); } else - log_info("The core will not be stored: size %zu is greater than %zu (the configured maximum)", + log_info("The core will not be stored: size %"PRIu64" is greater than %"PRIu64" (the configured maximum)", coredump_size, arg_journal_size_max); } diff --git a/src/coredump/stacktrace.c b/src/coredump/stacktrace.c index cc4dad9465..778bee9b12 100644 --- a/src/coredump/stacktrace.c +++ b/src/coredump/stacktrace.c @@ -22,7 +22,7 @@ #include "alloc-util.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "macro.h" #include "stacktrace.h" #include "string-util.h" diff --git a/src/delta/delta.c b/src/delta/delta.c index 6848662ccb..04de75475d 100644 --- a/src/delta/delta.c +++ b/src/delta/delta.c @@ -355,6 +355,21 @@ static int enumerate_dir(Hashmap *top, Hashmap *bottom, Hashmap *drops, const ch } } +static int should_skip_prefix(const char* p) { +#ifdef HAVE_SPLIT_USR + int r; + _cleanup_free_ char *target = NULL; + + r = chase_symlinks(p, NULL, &target); + if (r < 0) + return r; + + return !streq(p, target) && nulstr_contains(prefixes, target); +#else + return 0; +#endif +} + static int process_suffix(const char *suffix, const char *onlyprefix) { const char *p; char *f; @@ -382,6 +397,15 @@ static int process_suffix(const char *suffix, const char *onlyprefix) { NULSTR_FOREACH(p, prefixes) { _cleanup_free_ char *t = NULL; + int skip; + + skip = should_skip_prefix(p); + if (skip < 0) { + r = skip; + goto finish; + } + if (skip) + continue; t = strjoin(p, "/", suffix); if (!t) { @@ -459,6 +483,13 @@ static int process_suffix_chop(const char *arg) { /* Strip prefix from the suffix */ NULSTR_FOREACH(p, prefixes) { const char *suffix; + int skip; + + skip = should_skip_prefix(p); + if (skip < 0) + return skip; + if (skip) + continue; suffix = startswith(arg, p); if (suffix) { diff --git a/src/gpt-auto-generator/gpt-auto-generator.c b/src/gpt-auto-generator/gpt-auto-generator.c index e64d5bb231..52cde493e5 100644 --- a/src/gpt-auto-generator/gpt-auto-generator.c +++ b/src/gpt-auto-generator/gpt-auto-generator.c @@ -429,10 +429,10 @@ static int add_automount( "Documentation=man:systemd-gpt-auto-generator(8)\n" "[Automount]\n" "Where=%s\n" - "TimeoutIdleSec=%lld\n", + "TimeoutIdleSec="USEC_FMT"\n", description, where, - (unsigned long long)timeout / USEC_PER_SEC); + timeout / USEC_PER_SEC); r = fflush_and_check(f); if (r < 0) diff --git a/src/initctl/initctl.c b/src/initctl/initctl.c index 41b2237d16..6aeb5ad614 100644 --- a/src/initctl/initctl.c +++ b/src/initctl/initctl.c @@ -31,7 +31,7 @@ #include "bus-util.h" #include "def.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "initreq.h" #include "list.h" #include "log.h" diff --git a/src/journal-remote/journal-upload.c b/src/journal-remote/journal-upload.c index 42880cca76..371b6acc64 100644 --- a/src/journal-remote/journal-upload.c +++ b/src/journal-remote/journal-upload.c @@ -30,7 +30,7 @@ #include "def.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "glob-util.h" #include "journal-upload.h" #include "log.h" diff --git a/src/journal/journald-console.c b/src/journal/journald-console.c index 3a9fba42a3..5126c2160e 100644 --- a/src/journal/journald-console.c +++ b/src/journal/journald-console.c @@ -24,7 +24,7 @@ #include "alloc-util.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "io-util.h" #include "journald-console.h" #include "journald-server.h" diff --git a/src/journal/journald-kmsg.c b/src/journal/journald-kmsg.c index f64abdd431..18c8644507 100644 --- a/src/journal/journald-kmsg.c +++ b/src/journal/journald-kmsg.c @@ -28,7 +28,7 @@ #include "escape.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "io-util.h" #include "journald-kmsg.h" #include "journald-server.h" diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c index dee153a4cf..567f06515f 100644 --- a/src/journal/journald-server.c +++ b/src/journal/journald-server.c @@ -40,7 +40,7 @@ #include "extract-word.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "hashmap.h" #include "hostname-util.h" diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c index 0609b4b694..896303fb85 100644 --- a/src/journal/journald-syslog.c +++ b/src/journal/journald-syslog.c @@ -25,7 +25,7 @@ #include "alloc-util.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "io-util.h" #include "journald-console.h" #include "journald-kmsg.h" diff --git a/src/journal/journald-wall.c b/src/journal/journald-wall.c index d857ff8d39..bfe53ce39d 100644 --- a/src/journal/journald-wall.c +++ b/src/journal/journald-wall.c @@ -18,7 +18,7 @@ ***/ #include "alloc-util.h" -#include "formats-util.h" +#include "format-util.h" #include "journald-server.h" #include "journald-wall.h" #include "process-util.h" diff --git a/src/journal/journald.c b/src/journal/journald.c index 7f47ca22dd..fc26ef1785 100644 --- a/src/journal/journald.c +++ b/src/journal/journald.c @@ -22,7 +22,7 @@ #include "sd-daemon.h" #include "sd-messages.h" -#include "formats-util.h" +#include "format-util.h" #include "journal-authenticate.h" #include "journald-kmsg.h" #include "journald-server.h" diff --git a/src/journal/sd-journal.c b/src/journal/sd-journal.c index 47c77b1ba9..56257c41d4 100644 --- a/src/journal/sd-journal.c +++ b/src/journal/sd-journal.c @@ -35,7 +35,7 @@ #include "dirent-util.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "hashmap.h" #include "hostname-util.h" diff --git a/src/kernel-install/kernel-install b/src/kernel-install/kernel-install index 0c0ee718ac..a95b9717f0 100644 --- a/src/kernel-install/kernel-install +++ b/src/kernel-install/kernel-install @@ -127,7 +127,7 @@ case $COMMAND in "$f" add "$KERNEL_VERSION" "$BOOT_DIR_ABS" "$KERNEL_IMAGE" x=$? if [[ $x == $SKIP_REMAINING ]]; then - return 0 + exit 0 fi ((ret+=$x)) fi @@ -140,7 +140,7 @@ case $COMMAND in "$f" remove "$KERNEL_VERSION" "$BOOT_DIR_ABS" x=$? if [[ $x == $SKIP_REMAINING ]]; then - return 0 + exit 0 fi ((ret+=$x)) fi diff --git a/src/libsystemd/libsystemd.pc.in b/src/libsystemd/libsystemd.pc.in index e8f79507ea..7e6d4999cb 100644 --- a/src/libsystemd/libsystemd.pc.in +++ b/src/libsystemd/libsystemd.pc.in @@ -7,7 +7,7 @@ prefix=@prefix@ exec_prefix=@exec_prefix@ -libdir=@libdir@ +libdir=@rootlibdir@ includedir=@includedir@ Name: systemd diff --git a/src/libsystemd/sd-bus/bus-control.c b/src/libsystemd/sd-bus/bus-control.c index 52128e7b5c..9e58ffbd88 100644 --- a/src/libsystemd/sd-bus/bus-control.c +++ b/src/libsystemd/sd-bus/bus-control.c @@ -264,7 +264,7 @@ static int kernel_get_list(sd_bus *bus, uint64_t flags, char ***x) { if ((flags & KDBUS_LIST_UNIQUE) && name->id != previous_id && !(name->flags & KDBUS_HELLO_ACTIVATOR)) { char *n; - if (asprintf(&n, ":1.%llu", (unsigned long long) name->id) < 0) { + if (asprintf(&n, ":1.%llu", name->id) < 0) { r = -ENOMEM; goto fail; } @@ -711,7 +711,7 @@ int bus_get_name_creds_kdbus( } if (mask & SD_BUS_CREDS_UNIQUE_NAME) { - if (asprintf(&c->unique_name, ":1.%llu", (unsigned long long) conn_info->id) < 0) { + if (asprintf(&c->unique_name, ":1.%llu", conn_info->id) < 0) { r = -ENOMEM; goto fail; } diff --git a/src/libsystemd/sd-bus/bus-creds.c b/src/libsystemd/sd-bus/bus-creds.c index c4f693dee9..349fa57f2d 100644 --- a/src/libsystemd/sd-bus/bus-creds.c +++ b/src/libsystemd/sd-bus/bus-creds.c @@ -30,7 +30,7 @@ #include "cgroup-util.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "hexdecoct.h" #include "parse-util.h" #include "process-util.h" diff --git a/src/libsystemd/sd-bus/bus-dump.c b/src/libsystemd/sd-bus/bus-dump.c index 21a6b20a11..f117c98c11 100644 --- a/src/libsystemd/sd-bus/bus-dump.c +++ b/src/libsystemd/sd-bus/bus-dump.c @@ -25,7 +25,7 @@ #include "cap-list.h" #include "capability-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "locale-util.h" #include "macro.h" #include "string-util.h" diff --git a/src/libsystemd/sd-bus/bus-kernel.c b/src/libsystemd/sd-bus/bus-kernel.c index a3427ca33e..c82caeb3fc 100644 --- a/src/libsystemd/sd-bus/bus-kernel.c +++ b/src/libsystemd/sd-bus/bus-kernel.c @@ -42,7 +42,7 @@ #include "capability-util.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "memfd-util.h" #include "parse-util.h" #include "stdio-util.h" @@ -848,8 +848,7 @@ static int bus_kernel_make_message(sd_bus *bus, struct kdbus_msg *k) { if (k->src_id == KDBUS_SRC_ID_KERNEL) bus_message_set_sender_driver(bus, m); else { - xsprintf(m->sender_buffer, ":1.%llu", - (unsigned long long)k->src_id); + xsprintf(m->sender_buffer, ":1.%llu", k->src_id); m->sender = m->creds.unique_name = m->sender_buffer; } @@ -860,8 +859,7 @@ static int bus_kernel_make_message(sd_bus *bus, struct kdbus_msg *k) { else if (k->dst_id == KDBUS_DST_ID_NAME) m->destination = bus->unique_name; /* fill in unique name if the well-known name is missing */ else { - xsprintf(m->destination_buffer, ":1.%llu", - (unsigned long long)k->dst_id); + xsprintf(m->destination_buffer, ":1.%llu", k->dst_id); m->destination = m->destination_buffer; } @@ -1035,7 +1033,7 @@ int bus_kernel_take_fd(sd_bus *b) { b->bloom_size = (size_t) bloom->size; b->bloom_n_hash = (unsigned) bloom->n_hash; - if (asprintf(&b->unique_name, ":1.%llu", (unsigned long long) hello->id) < 0) { + if (asprintf(&b->unique_name, ":1.%llu", hello->id) < 0) { r = -ENOMEM; goto fail; } @@ -1207,7 +1205,7 @@ int bus_kernel_write_message(sd_bus *bus, sd_bus_message *m, bool hint_sync_call return r; } } else { - log_debug("Ignoring message with unknown payload type %llu.", (unsigned long long) k->payload_type); + log_debug("Ignoring message with unknown payload type %llu.", k->payload_type); close_kdbus_msg(bus, k); } } @@ -1268,7 +1266,7 @@ static int translate_name_change( if (d->type == KDBUS_ITEM_NAME_ADD || (d->name_change.old_id.flags & (KDBUS_NAME_IN_QUEUE|KDBUS_NAME_ACTIVATOR))) old_owner[0] = 0; else - sprintf(old_owner, ":1.%llu", (unsigned long long) d->name_change.old_id.id); + sprintf(old_owner, ":1.%llu", d->name_change.old_id.id); if (d->type == KDBUS_ITEM_NAME_REMOVE || (d->name_change.new_id.flags & (KDBUS_NAME_IN_QUEUE|KDBUS_NAME_ACTIVATOR))) { @@ -1277,7 +1275,7 @@ static int translate_name_change( new_owner[0] = 0; } else - sprintf(new_owner, ":1.%llu", (unsigned long long) d->name_change.new_id.id); + sprintf(new_owner, ":1.%llu", d->name_change.new_id.id); return push_name_owner_changed(bus, d->name_change.name, old_owner, new_owner, ts); } @@ -1419,7 +1417,7 @@ int bus_kernel_read_message(sd_bus *bus, bool hint_priority, int64_t priority) { r = bus_kernel_translate_message(bus, k); close_kdbus_msg(bus, k); } else { - log_debug("Ignoring message with unknown payload type %llu.", (unsigned long long) k->payload_type); + log_debug("Ignoring message with unknown payload type %llu.", k->payload_type); r = 0; close_kdbus_msg(bus, k); } diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c index cfd7753139..e6ed15eb71 100644 --- a/src/libsystemd/sd-bus/bus-socket.c +++ b/src/libsystemd/sd-bus/bus-socket.c @@ -30,7 +30,7 @@ #include "bus-message.h" #include "bus-socket.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "hexdecoct.h" #include "macro.h" #include "missing.h" diff --git a/src/libsystemd/sd-bus/test-bus-chat.c b/src/libsystemd/sd-bus/test-bus-chat.c index fc60830059..0fc6fc90ed 100644 --- a/src/libsystemd/sd-bus/test-bus-chat.c +++ b/src/libsystemd/sd-bus/test-bus-chat.c @@ -30,7 +30,7 @@ #include "bus-match.h" #include "bus-util.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "log.h" #include "macro.h" #include "util.h" diff --git a/src/libsystemd/sd-login/sd-login.c b/src/libsystemd/sd-login/sd-login.c index 3fcefada3f..42ea0badfc 100644 --- a/src/libsystemd/sd-login/sd-login.c +++ b/src/libsystemd/sd-login/sd-login.c @@ -31,7 +31,7 @@ #include "escape.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "hostname-util.h" #include "io-util.h" diff --git a/src/libsystemd/sd-login/test-login.c b/src/libsystemd/sd-login/test-login.c index c1fd7dd33e..9de33d85db 100644 --- a/src/libsystemd/sd-login/test-login.c +++ b/src/libsystemd/sd-login/test-login.c @@ -24,7 +24,7 @@ #include "alloc-util.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "string-util.h" #include "strv.h" #include "util.h" diff --git a/src/libsystemd/sd-netlink/netlink-message.c b/src/libsystemd/sd-netlink/netlink-message.c index df3b3c922e..654a22fe3b 100644 --- a/src/libsystemd/sd-netlink/netlink-message.c +++ b/src/libsystemd/sd-netlink/netlink-message.c @@ -24,7 +24,7 @@ #include "sd-netlink.h" #include "alloc-util.h" -#include "formats-util.h" +#include "format-util.h" #include "missing.h" #include "netlink-internal.h" #include "netlink-types.h" diff --git a/src/libsystemd/sd-netlink/netlink-socket.c b/src/libsystemd/sd-netlink/netlink-socket.c index c165fa3359..a0fd8a3ac9 100644 --- a/src/libsystemd/sd-netlink/netlink-socket.c +++ b/src/libsystemd/sd-netlink/netlink-socket.c @@ -24,7 +24,7 @@ #include "sd-netlink.h" #include "alloc-util.h" -#include "formats-util.h" +#include "format-util.h" #include "missing.h" #include "netlink-internal.h" #include "netlink-types.h" diff --git a/src/libsystemd/sd-netlink/rtnl-message.c b/src/libsystemd/sd-netlink/rtnl-message.c index 09240c7b2a..b543b5f20c 100644 --- a/src/libsystemd/sd-netlink/rtnl-message.c +++ b/src/libsystemd/sd-netlink/rtnl-message.c @@ -23,7 +23,7 @@ #include "sd-netlink.h" -#include "formats-util.h" +#include "format-util.h" #include "missing.h" #include "netlink-internal.h" #include "netlink-types.h" diff --git a/src/libudev/libudev-monitor.c b/src/libudev/libudev-monitor.c index a1f2b33ad5..a40329d732 100644 --- a/src/libudev/libudev-monitor.c +++ b/src/libudev/libudev-monitor.c @@ -33,7 +33,7 @@ #include "alloc-util.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "libudev-private.h" #include "missing.h" #include "mount-util.h" diff --git a/src/libudev/libudev.pc.in b/src/libudev/libudev.pc.in index a0f3f524e0..770c92209e 100644 --- a/src/libudev/libudev.pc.in +++ b/src/libudev/libudev.pc.in @@ -7,7 +7,7 @@ prefix=@prefix@ exec_prefix=@exec_prefix@ -libdir=@libdir@ +libdir=@rootlibdir@ includedir=@includedir@ Name: libudev diff --git a/src/login/inhibit.c b/src/login/inhibit.c index f2c37a8623..7e5a093698 100644 --- a/src/login/inhibit.c +++ b/src/login/inhibit.c @@ -29,7 +29,7 @@ #include "bus-error.h" #include "bus-util.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "process-util.h" #include "signal-util.h" #include "strv.h" diff --git a/src/login/logind-acl.c b/src/login/logind-acl.c index 0cef88a82d..1b69f4b9ca 100644 --- a/src/login/logind-acl.c +++ b/src/login/logind-acl.c @@ -25,7 +25,7 @@ #include "dirent-util.h" #include "escape.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "logind-acl.h" #include "set.h" #include "string-util.h" diff --git a/src/login/logind-action.c b/src/login/logind-action.c index a950409254..91225a5363 100644 --- a/src/login/logind-action.c +++ b/src/login/logind-action.c @@ -23,7 +23,7 @@ #include "bus-error.h" #include "bus-util.h" #include "conf-parser.h" -#include "formats-util.h" +#include "format-util.h" #include "logind-action.h" #include "process-util.h" #include "sleep-config.h" diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c index 0a84d75e24..23ad5d7c6a 100644 --- a/src/login/logind-dbus.c +++ b/src/login/logind-dbus.c @@ -34,7 +34,7 @@ #include "escape.h" #include "fd-util.h" #include "fileio-label.h" -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "logind.h" #include "mkdir.h" diff --git a/src/login/logind-inhibit.c b/src/login/logind-inhibit.c index a7e5c01ef3..5ca42b1ca2 100644 --- a/src/login/logind-inhibit.c +++ b/src/login/logind-inhibit.c @@ -26,7 +26,7 @@ #include "escape.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "logind-inhibit.h" #include "mkdir.h" #include "parse-util.h" diff --git a/src/login/logind-seat.c b/src/login/logind-seat.c index ecc7bd2e5b..f0d8a1f554 100644 --- a/src/login/logind-seat.c +++ b/src/login/logind-seat.c @@ -27,7 +27,7 @@ #include "alloc-util.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "logind-acl.h" #include "logind-seat.h" #include "mkdir.h" diff --git a/src/login/logind-session.c b/src/login/logind-session.c index e83c37a5ac..d8bb1ea0a8 100644 --- a/src/login/logind-session.c +++ b/src/login/logind-session.c @@ -35,7 +35,7 @@ #include "escape.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "io-util.h" #include "logind-session.h" #include "mkdir.h" diff --git a/src/login/logind-user-dbus.c b/src/login/logind-user-dbus.c index af6392e025..987c63014f 100644 --- a/src/login/logind-user-dbus.c +++ b/src/login/logind-user-dbus.c @@ -22,7 +22,7 @@ #include "alloc-util.h" #include "bus-util.h" -#include "formats-util.h" +#include "format-util.h" #include "logind-user.h" #include "logind.h" #include "signal-util.h" diff --git a/src/login/logind-user.c b/src/login/logind-user.c index 2dc5fa7665..0d1417ea16 100644 --- a/src/login/logind-user.c +++ b/src/login/logind-user.c @@ -32,7 +32,7 @@ #include "escape.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "hashmap.h" #include "label.h" diff --git a/src/login/logind-utmp.c b/src/login/logind-utmp.c index 29ab00eb1f..311751c2db 100644 --- a/src/login/logind-utmp.c +++ b/src/login/logind-utmp.c @@ -29,7 +29,7 @@ #include "bus-common-errors.h" #include "bus-error.h" #include "bus-util.h" -#include "formats-util.h" +#include "format-util.h" #include "logind.h" #include "special.h" #include "strv.h" diff --git a/src/login/logind.c b/src/login/logind.c index a9841a3832..19bae294a4 100644 --- a/src/login/logind.c +++ b/src/login/logind.c @@ -32,7 +32,7 @@ #include "def.h" #include "dirent-util.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "logind.h" #include "selinux-util.h" #include "signal-util.h" diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c index b0f75b2a21..dab082a26e 100644 --- a/src/login/pam_systemd.c +++ b/src/login/pam_systemd.c @@ -36,7 +36,7 @@ #include "def.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "hostname-util.h" #include "login-util.h" #include "macro.h" diff --git a/src/machine/machine-dbus.c b/src/machine/machine-dbus.c index 5ca18ff87e..28e4867cb3 100644 --- a/src/machine/machine-dbus.c +++ b/src/machine/machine-dbus.c @@ -37,7 +37,7 @@ #include "env-util.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "in-addr-util.h" #include "local-addresses.h" diff --git a/src/machine/machine.c b/src/machine/machine.c index 9e7b6cc03d..eb4b35d52a 100644 --- a/src/machine/machine.c +++ b/src/machine/machine.c @@ -30,7 +30,7 @@ #include "extract-word.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "hashmap.h" #include "machine-dbus.h" #include "machine.h" diff --git a/src/machine/machinectl.c b/src/machine/machinectl.c index 7b9be3b425..9c754b4327 100644 --- a/src/machine/machinectl.c +++ b/src/machine/machinectl.c @@ -330,10 +330,12 @@ static int list_machines(int argc, char *argv[], void *userdata) { printf("-\n"); } - if (arg_legend && n_machines > 0) - printf("\n%zu machines listed.\n", n_machines); - else - printf("No machines.\n"); + if (arg_legend) { + if (n_machines > 0) + printf("\n%zu machines listed.\n", n_machines); + else + printf("No machines.\n"); + } out: clean_machine_info(machines, n_machines); @@ -463,10 +465,12 @@ static int list_images(int argc, char *argv[], void *userdata) { (int) max_mtime, strna(format_timestamp(mtime_buf, sizeof(mtime_buf), images[j].mtime))); } - if (arg_legend && n_images > 0) - printf("\n%zu images listed.\n", n_images); - else - printf("No images.\n"); + if (arg_legend) { + if (n_images > 0) + printf("\n%zu images listed.\n", n_images); + else + printf("No images.\n"); + } return 0; } @@ -2489,10 +2493,12 @@ static int list_transfers(int argc, char *argv[], void *userdata) { (int) max_local, transfers[j].local, (int) max_remote, transfers[j].remote); - if (arg_legend && n_transfers > 0) - printf("\n%zu transfers listed.\n", n_transfers); - else - printf("No transfers.\n"); + if (arg_legend) { + if (n_transfers > 0) + printf("\n%zu transfers listed.\n", n_transfers); + else + printf("No transfers.\n"); + } return 0; } diff --git a/src/machine/machined-dbus.c b/src/machine/machined-dbus.c index e40f40a263..3ee3938ebb 100644 --- a/src/machine/machined-dbus.c +++ b/src/machine/machined-dbus.c @@ -30,7 +30,7 @@ #include "cgroup-util.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "hostname-util.h" #include "image-dbus.h" #include "io-util.h" diff --git a/src/machine/machined.c b/src/machine/machined.c index 57121945f3..8719e01de9 100644 --- a/src/machine/machined.c +++ b/src/machine/machined.c @@ -29,7 +29,7 @@ #include "cgroup-util.h" #include "dirent-util.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "hostname-util.h" #include "label.h" #include "machine-image.h" diff --git a/src/network/networkd-network.c b/src/network/networkd-network.c index 042232fcac..0dc00e874d 100644 --- a/src/network/networkd-network.c +++ b/src/network/networkd-network.c @@ -1003,7 +1003,7 @@ int config_parse_dns( union in_addr_union a; int family; - r = extract_first_word(&rvalue, &w, WHITESPACE, EXTRACT_QUOTES|EXTRACT_RETAIN_ESCAPE); + r = extract_first_word(&rvalue, &w, NULL, EXTRACT_QUOTES|EXTRACT_RETAIN_ESCAPE); if (r == 0) break; if (r == -ENOMEM) diff --git a/src/notify/notify.c b/src/notify/notify.c index 49f97c61d9..70b6f868b9 100644 --- a/src/notify/notify.c +++ b/src/notify/notify.c @@ -27,7 +27,7 @@ #include "alloc-util.h" #include "env-util.h" -#include "formats-util.h" +#include "format-util.h" #include "log.h" #include "parse-util.h" #include "string-util.h" diff --git a/src/nspawn/nspawn-mount.c b/src/nspawn/nspawn-mount.c index 392498d1bb..0c24b8e18a 100644 --- a/src/nspawn/nspawn-mount.c +++ b/src/nspawn/nspawn-mount.c @@ -429,7 +429,7 @@ int mount_all(const char *dest, o = options; } - r = mount_verbose(mount_table[k].fatal ? LOG_ERR : LOG_WARNING, + r = mount_verbose(mount_table[k].fatal ? LOG_ERR : LOG_DEBUG, mount_table[k].what, where, mount_table[k].type, diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 673e616911..9b9ae909c9 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -57,7 +57,7 @@ #include "fd-util.h" #include "fdset.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "gpt.h" #include "hostname-util.h" @@ -1309,7 +1309,8 @@ static int setup_resolv_conf(const char *dest) { /* Fix resolv.conf, if possible */ where = prefix_roota(dest, "/etc/resolv.conf"); - if (access("/usr/lib/systemd/resolv.conf", F_OK) >= 0) { + if (access("/run/systemd/resolve/resolv.conf", F_OK) >= 0 && + access("/usr/lib/systemd/resolv.conf", F_OK) >= 0) { /* resolved is enabled on the host. In this, case bind mount its static resolv.conf file into the * container, so that the container can use the host's resolver. Given that network namespacing is * disabled it's only natural of the container also uses the host's resolver. It also has the big @@ -4033,7 +4034,7 @@ int main(int argc, char *argv[]) { bool root_device_rw = true, home_device_rw = true, srv_device_rw = true; _cleanup_close_ int master = -1, image_fd = -1; _cleanup_fdset_free_ FDSet *fds = NULL; - int r, n_fd_passed, loop_nr = -1, ret = EXIT_FAILURE; + int r, n_fd_passed, loop_nr = -1, ret = EXIT_SUCCESS; char veth_name[IFNAMSIZ] = ""; bool secondary = false, remove_subvol = false; pid_t pid = 0; diff --git a/src/run/run.c b/src/run/run.c index 8f1cc9e2e3..99f03465b0 100644 --- a/src/run/run.c +++ b/src/run/run.c @@ -30,7 +30,7 @@ #include "calendarspec.h" #include "env-util.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "parse-util.h" #include "path-util.h" #include "process-util.h" diff --git a/src/shared/acl-util.c b/src/shared/acl-util.c index 2aa951fce9..79a3b9591d 100644 --- a/src/shared/acl-util.c +++ b/src/shared/acl-util.c @@ -162,7 +162,7 @@ int add_base_acls_if_needed(acl_t *acl_p, const char *path) { int acl_search_groups(const char *path, char ***ret_groups) { _cleanup_strv_free_ char **g = NULL; - _cleanup_(acl_free) acl_t acl = NULL; + _cleanup_(acl_freep) acl_t acl = NULL; bool ret = false; acl_entry_t entry; int r; diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c index 2597cfc648..3e877920da 100644 --- a/src/shared/ask-password-api.c +++ b/src/shared/ask-password-api.c @@ -43,7 +43,7 @@ #include "ask-password-api.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "io-util.h" #include "log.h" #include "macro.h" diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c index f639e0e832..35e2c8f18e 100644 --- a/src/shared/bus-unit-util.c +++ b/src/shared/bus-unit-util.c @@ -27,6 +27,7 @@ #include "hashmap.h" #include "list.h" #include "locale-util.h" +#include "nsflags.h" #include "parse-util.h" #include "path-util.h" #include "process-util.h" @@ -553,6 +554,30 @@ int bus_append_unit_property_assignment(sd_bus_message *m, const char *assignmen r = sd_bus_message_close_container(m); + } else if (streq(field, "RestrictNamespaces")) { + bool invert = false; + uint64_t flags = 0; + + if (eq[0] == '~') { + invert = true; + eq++; + } + + r = parse_boolean(eq); + if (r > 0) + flags = 0; + else if (r == 0) + flags = NAMESPACE_FLAGS_ALL; + else { + r = namespace_flag_from_string_many(eq, &flags); + if (r < 0) + return log_error_errno(r, "Failed to parse %s value %s.", field, eq); + } + + if (invert) + flags = (~flags) & NAMESPACE_FLAGS_ALL; + + r = sd_bus_message_append(m, "v", "t", flags); } else { log_error("Unknown assignment %s.", assignment); return -EINVAL; diff --git a/src/shared/cgroup-show.c b/src/shared/cgroup-show.c index 4db6cefb6e..5d21742a09 100644 --- a/src/shared/cgroup-show.c +++ b/src/shared/cgroup-show.c @@ -28,7 +28,7 @@ #include "cgroup-show.h" #include "cgroup-util.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "locale-util.h" #include "macro.h" #include "output-mode.h" diff --git a/src/shared/clean-ipc.c b/src/shared/clean-ipc.c index d5db604f03..f2d1555c13 100644 --- a/src/shared/clean-ipc.c +++ b/src/shared/clean-ipc.c @@ -36,7 +36,7 @@ #include "dirent-util.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "log.h" #include "macro.h" #include "string-util.h" diff --git a/src/shared/conf-parser.c b/src/shared/conf-parser.c index 19a371c865..265ac83dc0 100644 --- a/src/shared/conf-parser.c +++ b/src/shared/conf-parser.c @@ -781,7 +781,7 @@ int config_parse_strv(const char *unit, for (;;) { char *word = NULL; - r = extract_first_word(&rvalue, &word, WHITESPACE, EXTRACT_QUOTES|EXTRACT_RETAIN_ESCAPE); + r = extract_first_word(&rvalue, &word, NULL, EXTRACT_QUOTES|EXTRACT_RETAIN_ESCAPE); if (r == 0) break; if (r == -ENOMEM) diff --git a/src/shared/install-printf.c b/src/shared/install-printf.c index 007c632f35..823fb61cda 100644 --- a/src/shared/install-printf.c +++ b/src/shared/install-printf.c @@ -22,7 +22,7 @@ #include <string.h> #include <unistd.h> -#include "formats-util.h" +#include "format-util.h" #include "install-printf.h" #include "install.h" #include "macro.h" diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c index f9d9c4ed62..75ea25c8ac 100644 --- a/src/shared/logs-show.c +++ b/src/shared/logs-show.c @@ -33,7 +33,7 @@ #include "alloc-util.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "hashmap.h" #include "hostname-util.h" #include "io-util.h" @@ -223,10 +223,7 @@ static int output_timestamp_monotonic(FILE *f, sd_journal *j, const char *monoto if (r < 0) return log_error_errno(r, "Failed to get monotonic timestamp: %m"); - fprintf(f, "[%5llu.%06llu]", - (unsigned long long) (t / USEC_PER_SEC), - (unsigned long long) (t % USEC_PER_SEC)); - + fprintf(f, "[%5"PRI_USEC".%06"PRI_USEC"]", t / USEC_PER_SEC, t % USEC_PER_SEC); return 1 + 5 + 1 + 6 + 1; } @@ -268,7 +265,7 @@ static int output_timestamp_realtime(FILE *f, sd_journal *j, OutputMode mode, Ou switch (mode) { case OUTPUT_SHORT_UNIX: - xsprintf(buf, "%10llu.%06llu", (unsigned long long) t, (unsigned long long) (x % USEC_PER_SEC)); + xsprintf(buf, "%10"PRI_TIME".%06"PRIu64, t, x % USEC_PER_SEC); break; case OUTPUT_SHORT_ISO: @@ -292,7 +289,7 @@ static int output_timestamp_realtime(FILE *f, sd_journal *j, OutputMode mode, Ou assert(sizeof(buf) > strlen(buf)); k = sizeof(buf) - strlen(buf); - r = snprintf(buf + strlen(buf), k, ".%06llu", (unsigned long long) (x % USEC_PER_SEC)); + r = snprintf(buf + strlen(buf), k, ".%06"PRIu64, x % USEC_PER_SEC); if (r <= 0 || (size_t) r >= k) { /* too long? */ log_error("Failed to format precise time"); return -EINVAL; @@ -418,7 +415,7 @@ static int output_short( if (flags & OUTPUT_NO_HOSTNAME) { /* Suppress display of the hostname if this is requested. */ - hostname = NULL; + hostname = mfree(hostname); hostname_len = 0; } diff --git a/src/shared/nsflags.c b/src/shared/nsflags.c new file mode 100644 index 0000000000..8fcbe97ba7 --- /dev/null +++ b/src/shared/nsflags.c @@ -0,0 +1,126 @@ +/*** + This file is part of systemd. + + Copyright 2016 Lennart Poettering + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include <sched.h> + +#include "alloc-util.h" +#include "extract-word.h" +#include "nsflags.h" +#include "seccomp-util.h" +#include "string-util.h" + +const struct namespace_flag_map namespace_flag_map[] = { + { CLONE_NEWCGROUP, "cgroup" }, + { CLONE_NEWIPC, "ipc" }, + { CLONE_NEWNET, "net" }, + /* So, the mount namespace flag is called CLONE_NEWNS for historical reasons. Let's expose it here under a more + * explanatory name: "mnt". This is in-line with how the kernel exposes namespaces in /proc/$PID/ns. */ + { CLONE_NEWNS, "mnt" }, + { CLONE_NEWPID, "pid" }, + { CLONE_NEWUSER, "user" }, + { CLONE_NEWUTS, "uts" }, + {} +}; + +const char* namespace_flag_to_string(unsigned long flag) { + unsigned i; + + flag &= NAMESPACE_FLAGS_ALL; + + for (i = 0; namespace_flag_map[i].name; i++) + if (flag == namespace_flag_map[i].flag) + return namespace_flag_map[i].name; + + return NULL; /* either unknown namespace flag, or a combination of many. This call supports neither. */ +} + +unsigned long namespace_flag_from_string(const char *name) { + unsigned i; + + if (isempty(name)) + return 0; + + for (i = 0; namespace_flag_map[i].name; i++) + if (streq(name, namespace_flag_map[i].name)) + return namespace_flag_map[i].flag; + + return 0; +} + +int namespace_flag_from_string_many(const char *name, unsigned long *ret) { + unsigned long flags = 0; + int r; + + assert_se(ret); + + if (!name) { + *ret = 0; + return 0; + } + + for (;;) { + _cleanup_free_ char *word = NULL; + unsigned long f; + + r = extract_first_word(&name, &word, NULL, 0); + if (r < 0) + return r; + if (r == 0) + break; + + f = namespace_flag_from_string(word); + if (f == 0) + return -EINVAL; + + flags |= f; + } + + *ret = flags; + return 0; +} + +int namespace_flag_to_string_many(unsigned long flags, char **ret) { + _cleanup_free_ char *s = NULL; + unsigned i; + + for (i = 0; namespace_flag_map[i].name; i++) { + if ((flags & namespace_flag_map[i].flag) != namespace_flag_map[i].flag) + continue; + + if (!s) { + s = strdup(namespace_flag_map[i].name); + if (!s) + return -ENOMEM; + } else { + if (!strextend(&s, " ", namespace_flag_map[i].name, NULL)) + return -ENOMEM; + } + } + + if (!s) { + s = strdup(""); + if (!s) + return -ENOMEM; + } + + *ret = s; + s = NULL; + + return 0; +} diff --git a/src/shared/nsflags.h b/src/shared/nsflags.h new file mode 100644 index 0000000000..152ab8b936 --- /dev/null +++ b/src/shared/nsflags.h @@ -0,0 +1,49 @@ +#pragma once + +/*** + This file is part of systemd. + + Copyright 2016 Lennart Poettering + + systemd is free software; you can redistribute it and/or modify it + under the terms of the GNU Lesser General Public License as published by + the Free Software Foundation; either version 2.1 of the License, or + (at your option) any later version. + + systemd is distributed in the hope that it will be useful, but + WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + Lesser General Public License for more details. + + You should have received a copy of the GNU Lesser General Public License + along with systemd; If not, see <http://www.gnu.org/licenses/>. +***/ + +#include <sched.h> + +#include "missing.h" + +/* The combination of all namespace flags defined by the kernel. The right type for this isn't clear. setns() and + * unshare() expect these flags to be passed as (signed) "int", while clone() wants them as "unsigned long". The latter + * is definitely more appropriate for a flags parameter, and also the larger type of the two, hence let's stick to that + * here. */ +#define NAMESPACE_FLAGS_ALL \ + ((unsigned long) (CLONE_NEWCGROUP| \ + CLONE_NEWIPC| \ + CLONE_NEWNET| \ + CLONE_NEWNS| \ + CLONE_NEWPID| \ + CLONE_NEWUSER| \ + CLONE_NEWUTS)) + +const char* namespace_flag_to_string(unsigned long flag); +unsigned long namespace_flag_from_string(const char *name); +int namespace_flag_from_string_many(const char *name, unsigned long *ret); +int namespace_flag_to_string_many(unsigned long flags, char **ret); + +struct namespace_flag_map { + unsigned long flag; + const char *name; +}; + +extern const struct namespace_flag_map namespace_flag_map[]; diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index fc1f6b68f2..4e4b2faca9 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -23,7 +23,9 @@ #include <sys/prctl.h> #include <linux/seccomp.h> +#include "alloc-util.h" #include "macro.h" +#include "nsflags.h" #include "seccomp-util.h" #include "string-util.h" #include "util.h" @@ -576,5 +578,92 @@ int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set finish: seccomp_release(seccomp); return r; +} + +int seccomp_restrict_namespaces(unsigned long retain) { + scmp_filter_ctx seccomp; + unsigned i; + int r; + + if (log_get_max_level() >= LOG_DEBUG) { + _cleanup_free_ char *s = NULL; + + (void) namespace_flag_to_string_many(retain, &s); + log_debug("Restricting namespace to: %s.", strna(s)); + } + + /* NOOP? */ + if ((retain & NAMESPACE_FLAGS_ALL) == NAMESPACE_FLAGS_ALL) + return 0; + + r = seccomp_init_conservative(&seccomp, SCMP_ACT_ALLOW); + if (r < 0) + return r; + + if ((retain & NAMESPACE_FLAGS_ALL) == 0) + /* If every single kind of namespace shall be prohibited, then let's block the whole setns() syscall + * altogether. */ + r = seccomp_rule_add( + seccomp, + SCMP_ACT_ERRNO(EPERM), + SCMP_SYS(setns), + 0); + else + /* Otherwise, block only the invocations with the appropriate flags in the loop below, but also the + * special invocation with a zero flags argument, right here. */ + r = seccomp_rule_add( + seccomp, + SCMP_ACT_ERRNO(EPERM), + SCMP_SYS(setns), + 1, + SCMP_A1(SCMP_CMP_EQ, 0)); + if (r < 0) + goto finish; + + for (i = 0; namespace_flag_map[i].name; i++) { + unsigned long f; + + f = namespace_flag_map[i].flag; + if ((retain & f) == f) { + log_debug("Permitting %s.", namespace_flag_map[i].name); + continue; + } + log_debug("Blocking %s.", namespace_flag_map[i].name); + + r = seccomp_rule_add( + seccomp, + SCMP_ACT_ERRNO(EPERM), + SCMP_SYS(unshare), + 1, + SCMP_A0(SCMP_CMP_MASKED_EQ, f, f)); + if (r < 0) + goto finish; + + r = seccomp_rule_add( + seccomp, + SCMP_ACT_ERRNO(EPERM), + SCMP_SYS(clone), + 1, + SCMP_A0(SCMP_CMP_MASKED_EQ, f, f)); + if (r < 0) + goto finish; + + if ((retain & NAMESPACE_FLAGS_ALL) != 0) { + r = seccomp_rule_add( + seccomp, + SCMP_ACT_ERRNO(EPERM), + SCMP_SYS(setns), + 1, + SCMP_A1(SCMP_CMP_MASKED_EQ, f, f)); + if (r < 0) + goto finish; + } + } + + r = seccomp_load(seccomp); + +finish: + seccomp_release(seccomp); + return r; } diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h index f0b9f455ab..438a6671bc 100644 --- a/src/shared/seccomp-util.h +++ b/src/shared/seccomp-util.h @@ -66,3 +66,5 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name); int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action); int seccomp_load_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action); + +int seccomp_restrict_namespaces(unsigned long retain); diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c index 9e723b0261..af5b18c0ed 100644 --- a/src/systemctl/systemctl.c +++ b/src/systemctl/systemctl.c @@ -50,7 +50,7 @@ #include "exit-status.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "glob-util.h" #include "hostname-util.h" diff --git a/src/sysusers/sysusers.c b/src/sysusers/sysusers.c index 0684f58fcd..17b966eb52 100644 --- a/src/sysusers/sysusers.c +++ b/src/sysusers/sysusers.c @@ -30,7 +30,7 @@ #include "def.h" #include "fd-util.h" #include "fileio-label.h" -#include "formats-util.h" +#include "format-util.h" #include "hashmap.h" #include "path-util.h" #include "selinux-util.h" diff --git a/src/test/test-cgroup-util.c b/src/test/test-cgroup-util.c index c24c784e9b..c60fb631fa 100644 --- a/src/test/test-cgroup-util.c +++ b/src/test/test-cgroup-util.c @@ -21,7 +21,7 @@ #include "cgroup-util.h" #include "dirent-util.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "parse-util.h" #include "process-util.h" #include "stat-util.h" diff --git a/src/test/test-log.c b/src/test/test-log.c index 55a2f9d23b..ae9e113efb 100644 --- a/src/test/test-log.c +++ b/src/test/test-log.c @@ -20,7 +20,7 @@ #include <stddef.h> #include <unistd.h> -#include "formats-util.h" +#include "format-util.h" #include "log.h" #include "util.h" diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c index 43d1567288..beb6a7f422 100644 --- a/src/test/test-seccomp.c +++ b/src/test/test-seccomp.c @@ -20,10 +20,15 @@ #include <stdlib.h> #include <sys/eventfd.h> #include <unistd.h> +#include <sched.h> +#include "alloc-util.h" #include "fd-util.h" #include "macro.h" +#include "missing.h" +#include "nsflags.h" #include "process-util.h" +#include "raw-clone.h" #include "seccomp-util.h" #include "string-util.h" #include "util.h" @@ -125,12 +130,101 @@ static void test_filter_sets(void) { } } +static void test_restrict_namespace(void) { + _cleanup_free_ char *s = NULL; + pid_t pid; + unsigned long ul; + + assert_se(namespace_flag_to_string(0) == NULL); + assert_se(streq(namespace_flag_to_string(CLONE_NEWNS), "mnt")); + assert_se(namespace_flag_to_string(CLONE_NEWNS|CLONE_NEWIPC) == NULL); + assert_se(streq(namespace_flag_to_string(CLONE_NEWCGROUP), "cgroup")); + + assert_se(namespace_flag_from_string("mnt") == CLONE_NEWNS); + assert_se(namespace_flag_from_string(NULL) == 0); + assert_se(namespace_flag_from_string("") == 0); + assert_se(namespace_flag_from_string("uts") == CLONE_NEWUTS); + assert_se(namespace_flag_from_string(namespace_flag_to_string(CLONE_NEWUTS)) == CLONE_NEWUTS); + assert_se(streq(namespace_flag_to_string(namespace_flag_from_string("ipc")), "ipc")); + + assert_se(namespace_flag_from_string_many(NULL, &ul) == 0 && ul == 0); + assert_se(namespace_flag_from_string_many("", &ul) == 0 && ul == 0); + assert_se(namespace_flag_from_string_many("mnt uts ipc", &ul) == 0 && ul == (CLONE_NEWNS|CLONE_NEWUTS|CLONE_NEWIPC)); + + assert_se(namespace_flag_to_string_many(NAMESPACE_FLAGS_ALL, &s) == 0); + assert_se(streq(s, "cgroup ipc net mnt pid user uts")); + assert_se(namespace_flag_from_string_many(s, &ul) == 0 && ul == NAMESPACE_FLAGS_ALL); + + if (!is_seccomp_available()) + return; + + if (geteuid() != 0) + return; + + pid = fork(); + assert_se(pid >= 0); + + if (pid == 0) { + + assert_se(seccomp_restrict_namespaces(CLONE_NEWNS|CLONE_NEWNET) >= 0); + + assert_se(unshare(CLONE_NEWNS) == 0); + assert_se(unshare(CLONE_NEWNET) == 0); + assert_se(unshare(CLONE_NEWUTS) == -1); + assert_se(errno == EPERM); + assert_se(unshare(CLONE_NEWIPC) == -1); + assert_se(errno == EPERM); + assert_se(unshare(CLONE_NEWNET|CLONE_NEWUTS) == -1); + assert_se(errno == EPERM); + + /* We use fd 0 (stdin) here, which of course will fail with EINVAL on setns(). Except of course our + * seccomp filter worked, and hits first and makes it return EPERM */ + assert_se(setns(0, CLONE_NEWNS) == -1); + assert_se(errno == EINVAL); + assert_se(setns(0, CLONE_NEWNET) == -1); + assert_se(errno == EINVAL); + assert_se(setns(0, CLONE_NEWUTS) == -1); + assert_se(errno == EPERM); + assert_se(setns(0, CLONE_NEWIPC) == -1); + assert_se(errno == EPERM); + assert_se(setns(0, CLONE_NEWNET|CLONE_NEWUTS) == -1); + assert_se(errno == EPERM); + assert_se(setns(0, 0) == -1); + assert_se(errno == EPERM); + + pid = raw_clone(CLONE_NEWNS); + assert_se(pid >= 0); + if (pid == 0) + _exit(EXIT_SUCCESS); + pid = raw_clone(CLONE_NEWNET); + assert_se(pid >= 0); + if (pid == 0) + _exit(EXIT_SUCCESS); + pid = raw_clone(CLONE_NEWUTS); + assert_se(pid < 0); + assert_se(errno == EPERM); + pid = raw_clone(CLONE_NEWIPC); + assert_se(pid < 0); + assert_se(errno == EPERM); + pid = raw_clone(CLONE_NEWNET|CLONE_NEWUTS); + assert_se(pid < 0); + assert_se(errno == EPERM); + + _exit(EXIT_SUCCESS); + } + + assert_se(wait_for_terminate_and_warn("nsseccomp", pid, true) == EXIT_SUCCESS); +} + int main(int argc, char *argv[]) { + log_set_max_level(LOG_DEBUG); + test_seccomp_arch_to_string(); test_architecture_table(); test_syscall_filter_set_find(); test_filter_sets(); + test_restrict_namespace(); return 0; } diff --git a/src/test/test-string-util.c b/src/test/test-string-util.c index d0f84d70bc..e43373b0f5 100644 --- a/src/test/test-string-util.c +++ b/src/test/test-string-util.c @@ -232,21 +232,25 @@ static void test_foreach_word(void) { } static void check(const char *test, char** expected, bool trailing) { - const char *word, *state; - size_t l; - int i = 0; + int i = 0, r; printf("<<<%s>>>\n", test); - FOREACH_WORD_QUOTED(word, l, test, state) { - _cleanup_free_ char *t = NULL; - - assert_se(t = strndup(word, l)); - assert_se(strneq(expected[i++], word, l)); - printf("<%s>\n", t); + for (;;) { + _cleanup_free_ char *word = NULL; + + r = extract_first_word(&test, &word, NULL, EXTRACT_QUOTES); + if (r == 0) { + assert_se(!trailing); + break; + } else if (r < 0) { + assert_se(trailing); + break; + } + + assert_se(streq(word, expected[i++])); + printf("<%s>\n", word); } - printf("<<<%s>>>\n", state); assert_se(expected[i] == NULL); - assert_se(isempty(state) == !trailing); } static void test_foreach_word_quoted(void) { diff --git a/src/test/test-tmpfiles.c b/src/test/test-tmpfiles.c index f35e6793b7..a7c86d155a 100644 --- a/src/test/test-tmpfiles.c +++ b/src/test/test-tmpfiles.c @@ -25,7 +25,7 @@ #include "alloc-util.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "log.h" #include "string-util.h" diff --git a/src/timesync/timesyncd-manager.c b/src/timesync/timesyncd-manager.c index d5e16db3a0..a455652a27 100644 --- a/src/timesync/timesyncd-manager.c +++ b/src/timesync/timesyncd-manager.c @@ -376,12 +376,12 @@ static int manager_adjust_clock(Manager *m, double offset, int leap_sec) { m->drift_ppm = tmx.freq / 65536; log_debug(" status : %04i %s\n" - " time now : %li.%03llu\n" + " time now : %li.%03"PRI_USEC"\n" " constant : %li\n" " offset : %+.3f sec\n" " freq offset : %+li (%i ppm)\n", tmx.status, tmx.status & STA_UNSYNC ? "unsync" : "sync", - tmx.time.tv_sec, (unsigned long long) (tmx.time.tv_usec / NSEC_PER_MSEC), + tmx.time.tv_sec, tmx.time.tv_usec / NSEC_PER_MSEC, tmx.constant, (double)tmx.offset / NSEC_PER_SEC, tmx.freq, m->drift_ppm); diff --git a/src/tmpfiles/tmpfiles.c b/src/tmpfiles/tmpfiles.c index 97a564d5a2..b881d774a0 100644 --- a/src/tmpfiles/tmpfiles.c +++ b/src/tmpfiles/tmpfiles.c @@ -47,7 +47,7 @@ #include "escape.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "glob-util.h" #include "io-util.h" diff --git a/src/udev/udev-ctrl.c b/src/udev/udev-ctrl.c index 7717ac7924..dbefbbe175 100644 --- a/src/udev/udev-ctrl.c +++ b/src/udev/udev-ctrl.c @@ -20,7 +20,7 @@ #include "alloc-util.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "socket-util.h" #include "udev.h" diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c index 54cd741bb1..304a28777b 100644 --- a/src/udev/udev-event.c +++ b/src/udev/udev-event.c @@ -32,7 +32,7 @@ #include "alloc-util.h" #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "netlink-util.h" #include "process-util.h" #include "signal-util.h" diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c index 43004bc0bc..e94a814388 100644 --- a/src/udev/udev-node.c +++ b/src/udev/udev-node.c @@ -25,7 +25,7 @@ #include <sys/stat.h> #include <unistd.h> -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "selinux-util.h" #include "smack-util.h" diff --git a/src/udev/udevadm-monitor.c b/src/udev/udevadm-monitor.c index f656c2198e..f631834341 100644 --- a/src/udev/udevadm-monitor.c +++ b/src/udev/udevadm-monitor.c @@ -26,7 +26,7 @@ #include <time.h> #include "fd-util.h" -#include "formats-util.h" +#include "format-util.h" #include "udev-util.h" #include "udev.h" diff --git a/src/udev/udevd.c b/src/udev/udevd.c index badbab6205..d336ee003c 100644 --- a/src/udev/udevd.c +++ b/src/udev/udevd.c @@ -49,7 +49,7 @@ #include "dev-setup.h" #include "fd-util.h" #include "fileio.h" -#include "formats-util.h" +#include "format-util.h" #include "fs-util.h" #include "hashmap.h" #include "io-util.h" diff --git a/src/update-utmp/update-utmp.c b/src/update-utmp/update-utmp.c index a8efe8e91f..ae9859ccad 100644 --- a/src/update-utmp/update-utmp.c +++ b/src/update-utmp/update-utmp.c @@ -30,7 +30,7 @@ #include "alloc-util.h" #include "bus-error.h" #include "bus-util.h" -#include "formats-util.h" +#include "format-util.h" #include "log.h" #include "macro.h" #include "special.h" diff --git a/test/TEST-03-JOBS/test-jobs.sh b/test/TEST-03-JOBS/test-jobs.sh index fa6cf4181a..48926290a6 100755 --- a/test/TEST-03-JOBS/test-jobs.sh +++ b/test/TEST-03-JOBS/test-jobs.sh @@ -68,7 +68,7 @@ START_SEC=$(date -u '+%s') systemctl start --wait wait2.service || exit 1 END_SEC=$(date -u '+%s') ELAPSED=$(($END_SEC-$START_SEC)) -[[ "$ELAPSED" -ge 2 ]] && [[ "$ELAPSED" -le 3 ]] || exit 1 +[[ "$ELAPSED" -ge 2 ]] && [[ "$ELAPSED" -le 4 ]] || exit 1 # wait5fail fails, so systemctl should fail START_SEC=$(date -u '+%s') |