diff options
Diffstat (limited to 'src')
38 files changed, 440 insertions, 122 deletions
| diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c index fef722b6f2..49c2d61afe 100644 --- a/src/basic/capability-util.c +++ b/src/basic/capability-util.c @@ -96,7 +96,62 @@ unsigned long cap_last_cap(void) {          return p;  } -int capability_bounding_set_drop(uint64_t drop, bool right_now) { +int capability_update_inherited_set(cap_t caps, uint64_t set) { +        unsigned long i; + +        /* Add capabilities in the set to the inherited caps. Do not apply +         * them yet. */ + +        for (i = 0; i < cap_last_cap(); i++) { + +                if (set & (UINT64_C(1) << i)) { +                        cap_value_t v; + +                        v = (cap_value_t) i; + +                        /* Make the capability inheritable. */ +                        if (cap_set_flag(caps, CAP_INHERITABLE, 1, &v, CAP_SET) < 0) +                                return -errno; +                } +        } + +        return 0; +} + +int capability_ambient_set_apply(uint64_t set, bool also_inherit) { +        unsigned long i; +        _cleanup_cap_free_ cap_t caps = NULL; + +        /* Add the capabilities to the ambient set. */ + +        if (also_inherit) { +                int r; +                caps = cap_get_proc(); +                if (!caps) +                        return -errno; + +                r = capability_update_inherited_set(caps, set); +                if (r < 0) +                        return -errno; + +                if (cap_set_proc(caps) < 0) +                        return -errno; +        } + +        for (i = 0; i < cap_last_cap(); i++) { + +                if (set & (UINT64_C(1) << i)) { + +                        /* Add the capability to the ambient set. */ +                        if (prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_RAISE, i, 0, 0) < 0) +                                return -errno; +                } +        } + +        return 0; +} + +int capability_bounding_set_drop(uint64_t keep, bool right_now) {          _cleanup_cap_free_ cap_t after_cap = NULL;          cap_flag_value_t fv;          unsigned long i; @@ -137,7 +192,7 @@ int capability_bounding_set_drop(uint64_t drop, bool right_now) {          for (i = 0; i <= cap_last_cap(); i++) { -                if (drop & ((uint64_t) 1ULL << (uint64_t) i)) { +                if (!(keep & (UINT64_C(1) << i))) {                          cap_value_t v;                          /* Drop it from the bounding set */ @@ -176,7 +231,7 @@ finish:          return r;  } -static int drop_from_file(const char *fn, uint64_t drop) { +static int drop_from_file(const char *fn, uint64_t keep) {          int r, k;          uint32_t hi, lo;          uint64_t current, after; @@ -196,7 +251,7 @@ static int drop_from_file(const char *fn, uint64_t drop) {                  return -EIO;          current = (uint64_t) lo | ((uint64_t) hi << 32ULL); -        after = current & ~drop; +        after = current & keep;          if (current == after)                  return 0; @@ -213,14 +268,14 @@ static int drop_from_file(const char *fn, uint64_t drop) {          return r;  } -int capability_bounding_set_drop_usermode(uint64_t drop) { +int capability_bounding_set_drop_usermode(uint64_t keep) {          int r; -        r = drop_from_file("/proc/sys/kernel/usermodehelper/inheritable", drop); +        r = drop_from_file("/proc/sys/kernel/usermodehelper/inheritable", keep);          if (r < 0)                  return r; -        r = drop_from_file("/proc/sys/kernel/usermodehelper/bset", drop); +        r = drop_from_file("/proc/sys/kernel/usermodehelper/bset", keep);          if (r < 0)                  return r; @@ -257,7 +312,7 @@ int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities) {                  return log_error_errno(errno, "Failed to disable keep capabilities flag: %m");          /* Drop all caps from the bounding set, except the ones we want */ -        r = capability_bounding_set_drop(~keep_capabilities, true); +        r = capability_bounding_set_drop(keep_capabilities, true);          if (r < 0)                  return log_error_errno(r, "Failed to drop capabilities: %m"); diff --git a/src/basic/capability-util.h b/src/basic/capability-util.h index 6bbf7318fd..be41475441 100644 --- a/src/basic/capability-util.h +++ b/src/basic/capability-util.h @@ -29,10 +29,15 @@  #include "macro.h"  #include "util.h" +#define CAP_ALL (uint64_t) -1 +  unsigned long cap_last_cap(void);  int have_effective_cap(int value); -int capability_bounding_set_drop(uint64_t drop, bool right_now); -int capability_bounding_set_drop_usermode(uint64_t drop); +int capability_bounding_set_drop(uint64_t keep, bool right_now); +int capability_bounding_set_drop_usermode(uint64_t keep); + +int capability_ambient_set_apply(uint64_t set, bool also_inherit); +int capability_update_inherited_set(cap_t caps, uint64_t ambient_set);  int drop_privileges(uid_t uid, gid_t gid, uint64_t keep_capabilities); @@ -46,3 +51,9 @@ static inline void cap_free_charpp(char **p) {                  cap_free(*p);  }  #define _cleanup_cap_free_charp_ _cleanup_(cap_free_charpp) + +static inline bool cap_test_all(uint64_t caps) { +        uint64_t m; +        m = (UINT64_C(1) << (cap_last_cap() + 1)) - 1; +        return (caps & m) == m; +} diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c index 639f9f3db1..3945d37c8d 100644 --- a/src/basic/cgroup-util.c +++ b/src/basic/cgroup-util.c @@ -53,6 +53,7 @@  #include "set.h"  #include "special.h"  #include "stat-util.h" +#include "stdio-util.h"  #include "string-table.h"  #include "string-util.h"  #include "unit-name.h" @@ -716,7 +717,7 @@ int cg_attach(const char *controller, const char *path, pid_t pid) {          if (pid == 0)                  pid = getpid(); -        snprintf(c, sizeof(c), PID_FMT"\n", pid); +        xsprintf(c, PID_FMT "\n", pid);          return write_string_file(fs, c, 0);  } diff --git a/src/basic/log.c b/src/basic/log.c index 1a9e6bdb91..a2bc0d5be2 100644 --- a/src/basic/log.c +++ b/src/basic/log.c @@ -352,7 +352,7 @@ static int write_to_console(          highlight = LOG_PRI(level) <= LOG_ERR && show_color;          if (show_location) { -                snprintf(location, sizeof(location), "(%s:%i) ", file, line); +                xsprintf(location, "(%s:%i) ", file, line);                  IOVEC_SET_STRING(iovec[n++], location);          } @@ -777,7 +777,7 @@ static void log_assert(                  return;          DISABLE_WARNING_FORMAT_NONLITERAL; -        snprintf(buffer, sizeof(buffer), format, text, file, line, func); +        xsprintf(buffer, format, text, file, line, func);          REENABLE_WARNING;          log_abort_msg = buffer; diff --git a/src/basic/missing.h b/src/basic/missing.h index 880e724cb4..2d2785bead 100644 --- a/src/basic/missing.h +++ b/src/basic/missing.h @@ -1129,3 +1129,19 @@ static inline key_serial_t request_key(const char *type, const char *description  #ifndef KEY_SPEC_USER_KEYRING  #define KEY_SPEC_USER_KEYRING -4  #endif + +#ifndef PR_CAP_AMBIENT +#define PR_CAP_AMBIENT 47 +#endif + +#ifndef PR_CAP_AMBIENT_IS_SET +#define PR_CAP_AMBIENT_IS_SET 1 +#endif + +#ifndef PR_CAP_AMBIENT_RAISE +#define PR_CAP_AMBIENT_RAISE 2 +#endif + +#ifndef PR_CAP_AMBIENT_CLEAR_ALL +#define PR_CAP_AMBIENT_CLEAR_ALL 4 +#endif diff --git a/src/basic/signal-util.c b/src/basic/signal-util.c index 7637fccb2f..315efadd93 100644 --- a/src/basic/signal-util.c +++ b/src/basic/signal-util.c @@ -26,6 +26,7 @@  #include "macro.h"  #include "parse-util.h"  #include "signal-util.h" +#include "stdio-util.h"  #include "string-table.h"  #include "string-util.h" @@ -234,9 +235,9 @@ const char *signal_to_string(int signo) {                  return name;          if (signo >= SIGRTMIN && signo <= SIGRTMAX) -                snprintf(buf, sizeof(buf), "RTMIN+%d", signo - SIGRTMIN); +                xsprintf(buf, "RTMIN+%d", signo - SIGRTMIN);          else -                snprintf(buf, sizeof(buf), "%d", signo); +                xsprintf(buf, "%d", signo);          return buf;  } diff --git a/src/bootchart/svg.c b/src/bootchart/svg.c index 2bf473ffc1..79e261abe5 100644 --- a/src/bootchart/svg.c +++ b/src/bootchart/svg.c @@ -37,6 +37,7 @@  #include "fileio.h"  #include "list.h"  #include "macro.h" +#include "stdio-util.h"  #include "store.h"  #include "svg.h"  #include "utf8.h" @@ -171,7 +172,7 @@ static int svg_title(FILE *of, const char *build, int pscount, double log_start,                  strncpy(rootbdev, &c[10], sizeof(rootbdev) - 1);                  rootbdev[3] = '\0'; -                snprintf(filename, sizeof(filename), "/sys/block/%s/device/model", rootbdev); +                xsprintf(filename, "/sys/block/%s/device/model", rootbdev);                  r = read_one_line_file(filename, &model);                  if (r < 0) diff --git a/src/cgtop/cgtop.c b/src/cgtop/cgtop.c index 0a5c11ad0c..4894296554 100644 --- a/src/cgtop/cgtop.c +++ b/src/cgtop/cgtop.c @@ -40,6 +40,7 @@  #include "parse-util.h"  #include "path-util.h"  #include "process-util.h" +#include "stdio-util.h"  #include "terminal-util.h"  #include "unit-name.h"  #include "util.h" @@ -565,9 +566,9 @@ static void display(Hashmap *a) {          }          if (arg_cpu_type == CPU_PERCENT) -                snprintf(buffer, sizeof(buffer), "%6s", "%CPU"); +                xsprintf(buffer, "%6s", "%CPU");          else -                snprintf(buffer, sizeof(buffer), "%*s", maxtcpu, "CPU Time"); +                xsprintf(buffer, "%*s", maxtcpu, "CPU Time");          rows = lines();          if (rows <= 10) diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c index 1f736b2686..c2238c8c43 100644 --- a/src/core/dbus-execute.c +++ b/src/core/dbus-execute.c @@ -293,9 +293,25 @@ static int property_get_capability_bounding_set(          assert(reply);          assert(c); -        /* We store this negated internally, to match the kernel, but -         * we expose it normalized. */ -        return sd_bus_message_append(reply, "t", ~c->capability_bounding_set_drop); +        return sd_bus_message_append(reply, "t", c->capability_bounding_set); +} + +static int property_get_ambient_capabilities( +                sd_bus *bus, +                const char *path, +                const char *interface, +                const char *property, +                sd_bus_message *reply, +                void *userdata, +                sd_bus_error *error) { + +        ExecContext *c = userdata; + +        assert(bus); +        assert(reply); +        assert(c); + +        return sd_bus_message_append(reply, "t", c->capability_ambient_set);  }  static int property_get_capabilities( @@ -689,6 +705,7 @@ const sd_bus_vtable bus_exec_vtable[] = {          SD_BUS_PROPERTY("Capabilities", "s", property_get_capabilities, 0, SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("SecureBits", "i", bus_property_get_int, offsetof(ExecContext, secure_bits), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("CapabilityBoundingSet", "t", property_get_capability_bounding_set, 0, SD_BUS_VTABLE_PROPERTY_CONST), +        SD_BUS_PROPERTY("AmbientCapabilities", "t", property_get_ambient_capabilities, 0, SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("User", "s", NULL, offsetof(ExecContext, user), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("Group", "s", NULL, offsetof(ExecContext, group), SD_BUS_VTABLE_PROPERTY_CONST),          SD_BUS_PROPERTY("SupplementaryGroups", "as", NULL, offsetof(ExecContext, supplementary_groups), SD_BUS_VTABLE_PROPERTY_CONST), diff --git a/src/core/execute.c b/src/core/execute.c index 9b76861919..ac91568b63 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -737,12 +737,7 @@ static int enforce_user(const ExecContext *context, uid_t uid) {          /* Sets (but doesn't lookup) the uid and make sure we keep the           * capabilities while doing so. */ -        if (context->capabilities) { -                _cleanup_cap_free_ cap_t d = NULL; -                static const cap_value_t bits[] = { -                        CAP_SETUID,   /* Necessary so that we can run setresuid() below */ -                        CAP_SETPCAP   /* Necessary so that we can set PR_SET_SECUREBITS later on */ -                }; +        if (context->capabilities || context->capability_ambient_set != 0) {                  /* First step: If we need to keep capabilities but                   * drop privileges we need to make sure we keep our @@ -758,16 +753,24 @@ static int enforce_user(const ExecContext *context, uid_t uid) {                  /* Second step: set the capabilities. This will reduce                   * the capabilities to the minimum we need. */ -                d = cap_dup(context->capabilities); -                if (!d) -                        return -errno; +                if (context->capabilities) { +                        _cleanup_cap_free_ cap_t d = NULL; +                        static const cap_value_t bits[] = { +                                CAP_SETUID,   /* Necessary so that we can run setresuid() below */ +                                CAP_SETPCAP   /* Necessary so that we can set PR_SET_SECUREBITS later on */ +                        }; -                if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 || -                    cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) -                        return -errno; +                        d = cap_dup(context->capabilities); +                        if (!d) +                                return -errno; -                if (cap_set_proc(d) < 0) -                        return -errno; +                        if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 || +                            cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) +                                return -errno; + +                        if (cap_set_proc(d) < 0) +                                return -errno; +                }          }          /* Third step: actually set the uids */ @@ -1856,6 +1859,8 @@ static int exec_child(          if (params->apply_permissions) { +                int secure_bits = context->secure_bits; +                  for (i = 0; i < _RLIMIT_MAX; i++) {                          if (!context->rlimit[i])                                  continue; @@ -1866,28 +1871,71 @@ static int exec_child(                          }                  } -                if (context->capability_bounding_set_drop) { -                        r = capability_bounding_set_drop(context->capability_bounding_set_drop, false); +                if (!cap_test_all(context->capability_bounding_set)) { +                        r = capability_bounding_set_drop(context->capability_bounding_set, false);                          if (r < 0) {                                  *exit_status = EXIT_CAPABILITIES;                                  return r;                          }                  } +                /* This is done before enforce_user, but ambient set +                 * does not survive over setresuid() if keep_caps is not set. */ +                if (context->capability_ambient_set != 0) { +                        r = capability_ambient_set_apply(context->capability_ambient_set, true); +                        if (r < 0) { +                                *exit_status = EXIT_CAPABILITIES; +                                return r; +                        } + +                        if (context->capabilities) { + +                                /* The capabilities in ambient set need to be also in the inherited +                                 * set. If they aren't, trying to get them will fail. Add the ambient +                                 * set inherited capabilities to the capability set in the context. +                                 * This is needed because if capabilities are set (using "Capabilities=" +                                 * keyword), they will override whatever we set now. */ + +                                r = capability_update_inherited_set(context->capabilities, context->capability_ambient_set); +                                if (r < 0) { +                                        *exit_status = EXIT_CAPABILITIES; +                                        return r; +                                } +                        } +                } +                  if (context->user) {                          r = enforce_user(context, uid);                          if (r < 0) {                                  *exit_status = EXIT_USER;                                  return r;                          } +                        if (context->capability_ambient_set != 0) { + +                                /* Fix the ambient capabilities after user change. */ +                                r = capability_ambient_set_apply(context->capability_ambient_set, false); +                                if (r < 0) { +                                        *exit_status = EXIT_CAPABILITIES; +                                        return r; +                                } + +                                /* If we were asked to change user and ambient capabilities +                                 * were requested, we had to add keep-caps to the securebits +                                 * so that we would maintain the inherited capability set +                                 * through the setresuid(). Make sure that the bit is added +                                 * also to the context secure_bits so that we don't try to +                                 * drop the bit away next. */ + +                                 secure_bits |= 1<<SECURE_KEEP_CAPS; +                        }                  }                  /* PR_GET_SECUREBITS is not privileged, while                   * PR_SET_SECUREBITS is. So to suppress                   * potential EPERMs we'll try not to call                   * PR_SET_SECUREBITS unless necessary. */ -                if (prctl(PR_GET_SECUREBITS) != context->secure_bits) -                        if (prctl(PR_SET_SECUREBITS, context->secure_bits) < 0) { +                if (prctl(PR_GET_SECUREBITS) != secure_bits) +                        if (prctl(PR_SET_SECUREBITS, secure_bits) < 0) {                                  *exit_status = EXIT_SECUREBITS;                                  return -errno;                          } @@ -2114,6 +2162,7 @@ void exec_context_init(ExecContext *c) {          c->timer_slack_nsec = NSEC_INFINITY;          c->personality = PERSONALITY_INVALID;          c->runtime_directory_mode = 0755; +        c->capability_bounding_set = CAP_ALL;  }  void exec_context_done(ExecContext *c) { @@ -2517,12 +2566,23 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {                          (c->secure_bits & 1<<SECURE_NOROOT) ? " noroot" : "",                          (c->secure_bits & 1<<SECURE_NOROOT_LOCKED) ? "noroot-locked" : ""); -        if (c->capability_bounding_set_drop) { +        if (c->capability_bounding_set != CAP_ALL) {                  unsigned long l;                  fprintf(f, "%sCapabilityBoundingSet:", prefix);                  for (l = 0; l <= cap_last_cap(); l++) -                        if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) +                        if (c->capability_bounding_set & (UINT64_C(1) << l)) +                                fprintf(f, " %s", strna(capability_to_name(l))); + +                fputs("\n", f); +        } + +        if (c->capability_ambient_set != 0) { +                unsigned long l; +                fprintf(f, "%sAmbientCapabilities:", prefix); + +                for (l = 0; l <= cap_last_cap(); l++) +                        if (c->capability_ambient_set & (UINT64_C(1) << l))                                  fprintf(f, " %s", strna(capability_to_name(l)));                  fputs("\n", f); diff --git a/src/core/execute.h b/src/core/execute.h index be5be9f531..8649620830 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -155,7 +155,9 @@ struct ExecContext {          char **read_write_dirs, **read_only_dirs, **inaccessible_dirs;          unsigned long mount_flags; -        uint64_t capability_bounding_set_drop; +        uint64_t capability_bounding_set; + +        uint64_t capability_ambient_set;          cap_t capabilities;          int secure_bits; diff --git a/src/core/job.c b/src/core/job.c index 9654590635..274c554da9 100644 --- a/src/core/job.c +++ b/src/core/job.c @@ -35,6 +35,7 @@  #include "parse-util.h"  #include "set.h"  #include "special.h" +#include "stdio-util.h"  #include "string-table.h"  #include "string-util.h"  #include "strv.h" @@ -754,7 +755,7 @@ static void job_log_status_message(Unit *u, JobType t, JobResult result) {                  return;          DISABLE_WARNING_FORMAT_NONLITERAL; -        snprintf(buf, sizeof(buf), format, unit_description(u)); +        xsprintf(buf, format, unit_description(u));          REENABLE_WARNING;          switch (t) { diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4 index 0408b9a829..29ab1b6b9e 100644 --- a/src/core/load-fragment-gperf.gperf.m4 +++ b/src/core/load-fragment-gperf.gperf.m4 @@ -47,7 +47,8 @@ $1.SyslogLevel,                  config_parse_log_level,             0,  $1.SyslogLevelPrefix,            config_parse_bool,                  0,                             offsetof($1, exec_context.syslog_level_prefix)  $1.Capabilities,                 config_parse_exec_capabilities,     0,                             offsetof($1, exec_context)  $1.SecureBits,                   config_parse_exec_secure_bits,      0,                             offsetof($1, exec_context) -$1.CapabilityBoundingSet,        config_parse_bounding_set,          0,                             offsetof($1, exec_context.capability_bounding_set_drop) +$1.CapabilityBoundingSet,        config_parse_capability_set,        0,                             offsetof($1, exec_context.capability_bounding_set) +$1.AmbientCapabilities,          config_parse_capability_set,        0,                             offsetof($1, exec_context.capability_ambient_set)  $1.TimerSlackNSec,               config_parse_nsec,                  0,                             offsetof($1, exec_context.timer_slack_nsec)  $1.NoNewPrivileges,              config_parse_no_new_privileges,     0,                             offsetof($1, exec_context)  m4_ifdef(`HAVE_SECCOMP', diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index cb553e1252..d3880b4e3c 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -38,6 +38,7 @@  #include "bus-internal.h"  #include "bus-util.h"  #include "cap-list.h" +#include "capability-util.h"  #include "cgroup.h"  #include "conf-parser.h"  #include "cpu-set-util.h" @@ -1024,7 +1025,7 @@ int config_parse_exec_secure_bits(const char *unit,          return 0;  } -int config_parse_bounding_set( +int config_parse_capability_set(                  const char *unit,                  const char *filename,                  unsigned line, @@ -1036,8 +1037,8 @@ int config_parse_bounding_set(                  void *data,                  void *userdata) { -        uint64_t *capability_bounding_set_drop = data; -        uint64_t capability_bounding_set, sum = 0; +        uint64_t *capability_set = data; +        uint64_t sum = 0, initial = 0;          bool invert = false;          const char *p; @@ -1051,10 +1052,9 @@ int config_parse_bounding_set(                  rvalue++;          } -        /* Note that we store this inverted internally, since the -         * kernel wants it like this. But we actually expose it -         * non-inverted everywhere to have a fully normalized -         * interface. */ +        if (strcmp(lvalue, "CapabilityBoundingSet") == 0) +                initial = CAP_ALL; /* initialized to all bits on */ +        /* else "AmbientCapabilities" initialized to all bits off */          p = rvalue;          for (;;) { @@ -1073,18 +1073,21 @@ int config_parse_bounding_set(                  cap = capability_from_name(word);                  if (cap < 0) { -                        log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse capability in bounding set, ignoring: %s", word); +                        log_syntax(unit, LOG_ERR, filename, line, 0, "Failed to parse capability in bounding/ambient set, ignoring: %s", word);                          continue;                  }                  sum |= ((uint64_t) UINT64_C(1)) << (uint64_t) cap;          } -        capability_bounding_set = invert ? ~sum : sum; -        if (*capability_bounding_set_drop != 0 && capability_bounding_set != 0) -                *capability_bounding_set_drop = ~(~*capability_bounding_set_drop | capability_bounding_set); +        sum = invert ? ~sum : sum; + +        if (sum == 0 || *capability_set == initial) +                /* "" or uninitialized data -> replace */ +                *capability_set = sum;          else -                *capability_bounding_set_drop = ~capability_bounding_set; +                /* previous data -> merge */ +                *capability_set |= sum;          return 0;  } @@ -4002,7 +4005,7 @@ void unit_dump_config_items(FILE *f) {                  { config_parse_log_level,             "LEVEL" },                  { config_parse_exec_capabilities,     "CAPABILITIES" },                  { config_parse_exec_secure_bits,      "SECUREBITS" }, -                { config_parse_bounding_set,          "BOUNDINGSET" }, +                { config_parse_capability_set,        "BOUNDINGSET" },                  { config_parse_limit,                 "LIMIT" },                  { config_parse_unit_deps,             "UNIT [...]" },                  { config_parse_exec,                  "PATH [ARGUMENT [...]]" }, diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h index a451fc164a..f0027a6b43 100644 --- a/src/core/load-fragment.h +++ b/src/core/load-fragment.h @@ -56,7 +56,7 @@ int config_parse_exec_cpu_sched_prio(const char *unit, const char *filename, uns  int config_parse_exec_cpu_affinity(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);  int config_parse_exec_capabilities(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);  int config_parse_exec_secure_bits(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); -int config_parse_bounding_set(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); +int config_parse_capability_set(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);  int config_parse_limit(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);  int config_parse_bytes_limit(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);  int config_parse_sec_limit(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata); diff --git a/src/core/main.c b/src/core/main.c index e415d1c5b8..2f9094f03a 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -117,7 +117,7 @@ static usec_t arg_runtime_watchdog = 0;  static usec_t arg_shutdown_watchdog = 10 * USEC_PER_MINUTE;  static char **arg_default_environment = NULL;  static struct rlimit *arg_default_rlimit[_RLIMIT_MAX] = {}; -static uint64_t arg_capability_bounding_set_drop = 0; +static uint64_t arg_capability_bounding_set = CAP_ALL;  static nsec_t arg_timer_slack_nsec = NSEC_INFINITY;  static usec_t arg_default_timer_accuracy_usec = 1 * USEC_PER_MINUTE;  static Set* arg_syscall_archs = NULL; @@ -662,7 +662,7 @@ static int parse_config_file(void) {                  { "Manager", "JoinControllers",           config_parse_join_controllers, 0, &arg_join_controllers                  },                  { "Manager", "RuntimeWatchdogSec",        config_parse_sec,              0, &arg_runtime_watchdog                  },                  { "Manager", "ShutdownWatchdogSec",       config_parse_sec,              0, &arg_shutdown_watchdog                 }, -                { "Manager", "CapabilityBoundingSet",     config_parse_bounding_set,     0, &arg_capability_bounding_set_drop      }, +                { "Manager", "CapabilityBoundingSet",     config_parse_capability_set,   0, &arg_capability_bounding_set           },  #ifdef HAVE_SECCOMP                  { "Manager", "SystemCallArchitectures",   config_parse_syscall_archs,    0, &arg_syscall_archs                     },  #endif @@ -1659,14 +1659,14 @@ int main(int argc, char *argv[]) {                  if (prctl(PR_SET_TIMERSLACK, arg_timer_slack_nsec) < 0)                          log_error_errno(errno, "Failed to adjust timer slack: %m"); -        if (arg_capability_bounding_set_drop) { -                r = capability_bounding_set_drop_usermode(arg_capability_bounding_set_drop); +        if (!cap_test_all(arg_capability_bounding_set)) { +                r = capability_bounding_set_drop_usermode(arg_capability_bounding_set);                  if (r < 0) {                          log_emergency_errno(r, "Failed to drop capability bounding set of usermode helpers: %m");                          error_message = "Failed to drop capability bounding set of usermode helpers";                          goto finish;                  } -                r = capability_bounding_set_drop(arg_capability_bounding_set_drop, true); +                r = capability_bounding_set_drop(arg_capability_bounding_set, true);                  if (r < 0) {                          log_emergency_errno(r, "Failed to drop capability bounding set: %m");                          error_message = "Failed to drop capability bounding set"; diff --git a/src/core/unit.c b/src/core/unit.c index b977ac7f0c..32267d95f5 100644 --- a/src/core/unit.c +++ b/src/core/unit.c @@ -51,6 +51,7 @@  #include "set.h"  #include "special.h"  #include "stat-util.h" +#include "stdio-util.h"  #include "string-util.h"  #include "strv.h"  #include "unit-name.h" @@ -1412,7 +1413,7 @@ static void unit_status_log_starting_stopping_reloading(Unit *u, JobType t) {          format = unit_get_status_message_format(u, t);          DISABLE_WARNING_FORMAT_NONLITERAL; -        snprintf(buf, sizeof(buf), format, unit_description(u)); +        xsprintf(buf, format, unit_description(u));          REENABLE_WARNING;          mid = t == JOB_START ? SD_MESSAGE_UNIT_STARTING : @@ -3231,7 +3232,7 @@ int unit_patch_contexts(Unit *u) {                          ec->no_new_privileges = true;                  if (ec->private_devices) -                        ec->capability_bounding_set_drop |= (uint64_t) 1ULL << (uint64_t) CAP_MKNOD; +                        ec->capability_bounding_set &= ~(UINT64_C(1) << CAP_MKNOD);          }          cc = unit_get_cgroup_context(u); diff --git a/src/import/import-common.c b/src/import/import-common.c index a8551ca9e8..8a48bd7bf9 100644 --- a/src/import/import-common.c +++ b/src/import/import-common.c @@ -134,7 +134,7 @@ int import_fork_tar_x(const char *path, pid_t *ret) {                  if (unshare(CLONE_NEWNET) < 0)                          log_error_errno(errno, "Failed to lock tar into network namespace, ignoring: %m"); -                r = capability_bounding_set_drop(~retain, true); +                r = capability_bounding_set_drop(retain, true);                  if (r < 0)                          log_error_errno(r, "Failed to drop capabilities, ignoring: %m"); @@ -208,7 +208,7 @@ int import_fork_tar_c(const char *path, pid_t *ret) {                  if (unshare(CLONE_NEWNET) < 0)                          log_error_errno(errno, "Failed to lock tar into network namespace, ignoring: %m"); -                r = capability_bounding_set_drop(~retain, true); +                r = capability_bounding_set_drop(retain, true);                  if (r < 0)                          log_error_errno(r, "Failed to drop capabilities, ignoring: %m"); diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c index 371df5b37f..f80a6ebfe5 100644 --- a/src/journal/journald-native.c +++ b/src/journal/journald-native.c @@ -495,5 +495,9 @@ int server_open_native_socket(Server*s) {          if (r < 0)                  return log_error_errno(r, "Failed to add native server fd to event loop: %m"); +        r = sd_event_source_set_priority(s->native_event_source, SD_EVENT_PRIORITY_NORMAL+5); +        if (r < 0) +                return log_error_errno(r, "Failed to adjust native event source priority: %m"); +          return 0;  } diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c index 131fcdac42..90884b6929 100644 --- a/src/journal/journald-stream.c +++ b/src/journal/journald-stream.c @@ -733,7 +733,7 @@ int server_open_stdout_socket(Server *s) {          if (r < 0)                  return log_error_errno(r, "Failed to add stdout server fd to event source: %m"); -        r = sd_event_source_set_priority(s->stdout_event_source, SD_EVENT_PRIORITY_NORMAL+10); +        r = sd_event_source_set_priority(s->stdout_event_source, SD_EVENT_PRIORITY_NORMAL+5);          if (r < 0)                  return log_error_errno(r, "Failed to adjust priority of stdout server event source: %m"); diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c index cfc50d889b..0be73088e2 100644 --- a/src/journal/journald-syslog.c +++ b/src/journal/journald-syslog.c @@ -326,7 +326,7 @@ void server_process_syslog_message(          size_t label_len) {          char syslog_priority[sizeof("PRIORITY=") + DECIMAL_STR_MAX(int)], -             syslog_facility[sizeof("SYSLOG_FACILITY") + DECIMAL_STR_MAX(int)]; +             syslog_facility[sizeof("SYSLOG_FACILITY=") + DECIMAL_STR_MAX(int)];          const char *message = NULL, *syslog_identifier = NULL, *syslog_pid = NULL;          struct iovec iovec[N_IOVEC_META_FIELDS + 6];          unsigned n = 0; @@ -357,11 +357,11 @@ void server_process_syslog_message(          IOVEC_SET_STRING(iovec[n++], "_TRANSPORT=syslog"); -        sprintf(syslog_priority, "PRIORITY=%i", priority & LOG_PRIMASK); +        xsprintf(syslog_priority, "PRIORITY=%i", priority & LOG_PRIMASK);          IOVEC_SET_STRING(iovec[n++], syslog_priority);          if (priority & LOG_FACMASK) { -                sprintf(syslog_facility, "SYSLOG_FACILITY=%i", LOG_FAC(priority)); +                xsprintf(syslog_facility, "SYSLOG_FACILITY=%i", LOG_FAC(priority));                  IOVEC_SET_STRING(iovec[n++], syslog_facility);          } @@ -430,6 +430,10 @@ int server_open_syslog_socket(Server *s) {          if (r < 0)                  return log_error_errno(r, "Failed to add syslog server fd to event loop: %m"); +        r = sd_event_source_set_priority(s->syslog_event_source, SD_EVENT_PRIORITY_NORMAL+5); +        if (r < 0) +                return log_error_errno(r, "Failed to adjust syslog event source priority: %m"); +          return 0;  } diff --git a/src/libsystemd-network/sd-dhcp-lease.c b/src/libsystemd-network/sd-dhcp-lease.c index e875ba4986..6fb80dda7a 100644 --- a/src/libsystemd-network/sd-dhcp-lease.c +++ b/src/libsystemd-network/sd-dhcp-lease.c @@ -37,6 +37,7 @@  #include "in-addr-util.h"  #include "network-internal.h"  #include "parse-util.h" +#include "stdio-util.h"  #include "string-util.h"  #include "unaligned.h" @@ -839,7 +840,7 @@ int dhcp_lease_save(sd_dhcp_lease *lease, const char *lease_file) {          LIST_FOREACH(options, option, lease->private_options) {                  char key[strlen("OPTION_000")+1]; -                snprintf(key, sizeof(key), "OPTION_%"PRIu8, option->tag); +                xsprintf(key, "OPTION_%" PRIu8, option->tag);                  r = serialize_dhcp_option(f, key, option->data, option->length);                  if (r < 0)                          goto fail; diff --git a/src/libsystemd/sd-bus/bus-kernel.c b/src/libsystemd/sd-bus/bus-kernel.c index 6c05444e9a..b2d685855e 100644 --- a/src/libsystemd/sd-bus/bus-kernel.c +++ b/src/libsystemd/sd-bus/bus-kernel.c @@ -47,6 +47,7 @@  #include "formats-util.h"  #include "memfd-util.h"  #include "parse-util.h" +#include "stdio-util.h"  #include "string-util.h"  #include "strv.h"  #include "user-util.h" @@ -849,7 +850,8 @@ static int bus_kernel_make_message(sd_bus *bus, struct kdbus_msg *k) {          if (k->src_id == KDBUS_SRC_ID_KERNEL)                  bus_message_set_sender_driver(bus, m);          else { -                snprintf(m->sender_buffer, sizeof(m->sender_buffer), ":1.%llu", (unsigned long long) k->src_id); +                xsprintf(m->sender_buffer, ":1.%llu", +                         (unsigned long long)k->src_id);                  m->sender = m->creds.unique_name = m->sender_buffer;          } @@ -860,7 +862,8 @@ static int bus_kernel_make_message(sd_bus *bus, struct kdbus_msg *k) {          else if (k->dst_id == KDBUS_DST_ID_NAME)                  m->destination = bus->unique_name; /* fill in unique name if the well-known name is missing */          else { -                snprintf(m->destination_buffer, sizeof(m->destination_buffer), ":1.%llu", (unsigned long long) k->dst_id); +                xsprintf(m->destination_buffer, ":1.%llu", +                         (unsigned long long)k->dst_id);                  m->destination = m->destination_buffer;          } diff --git a/src/libsystemd/sd-event/sd-event.c b/src/libsystemd/sd-event/sd-event.c index 7fccbd1a71..aeb06ad9a8 100644 --- a/src/libsystemd/sd-event/sd-event.c +++ b/src/libsystemd/sd-event/sd-event.c @@ -225,6 +225,7 @@ struct sd_event {          bool exit_requested:1;          bool need_process_child:1;          bool watchdog:1; +        bool profile_delays:1;          int exit_code; @@ -236,6 +237,9 @@ struct sd_event {          unsigned n_sources;          LIST_HEAD(sd_event_source, sources); + +        usec_t last_run, last_log; +        unsigned delays[sizeof(usec_t) * 8];  };  static void source_disconnect(sd_event_source *s); @@ -444,6 +448,11 @@ _public_ int sd_event_new(sd_event** ret) {                  goto fail;          } +        if (secure_getenv("SD_EVENT_PROFILE_DELAYS")) { +                log_debug("Event loop profiling enabled. Logarithmic histogram of event loop iterations in the range 2^0 ... 2^63 us will be logged every 5s."); +                e->profile_delays = true; +        } +          *ret = e;          return 0; @@ -2622,6 +2631,18 @@ _public_ int sd_event_dispatch(sd_event *e) {          return 1;  } +static void event_log_delays(sd_event *e) { +        char b[ELEMENTSOF(e->delays) * DECIMAL_STR_MAX(unsigned) + 1]; +        unsigned i; +        int o; + +        for (i = o = 0; i < ELEMENTSOF(e->delays); i++) { +                o += snprintf(&b[o], sizeof(b) - o, "%u ", e->delays[i]); +                e->delays[i] = 0; +        } +        log_debug("Event loop iterations: %.*s", o, b); +} +  _public_ int sd_event_run(sd_event *e, uint64_t timeout) {          int r; @@ -2630,11 +2651,30 @@ _public_ int sd_event_run(sd_event *e, uint64_t timeout) {          assert_return(e->state != SD_EVENT_FINISHED, -ESTALE);          assert_return(e->state == SD_EVENT_INITIAL, -EBUSY); +        if (e->profile_delays && e->last_run) { +                usec_t this_run; +                unsigned l; + +                this_run = now(CLOCK_MONOTONIC); + +                l = u64log2(this_run - e->last_run); +                assert(l < sizeof(e->delays)); +                e->delays[l]++; + +                if (this_run - e->last_log >= 5*USEC_PER_SEC) { +                        event_log_delays(e); +                        e->last_log = this_run; +                } +        } +          r = sd_event_prepare(e);          if (r == 0)                  /* There was nothing? Then wait... */                  r = sd_event_wait(e, timeout); +        if (e->profile_delays) +                e->last_run = now(CLOCK_MONOTONIC); +          if (r > 0) {                  /* There's something now, then let's dispatch it */                  r = sd_event_dispatch(e); diff --git a/src/login/logind-seat.c b/src/login/logind-seat.c index 1f4936cebe..9d111f737c 100644 --- a/src/login/logind-seat.c +++ b/src/login/logind-seat.c @@ -34,6 +34,7 @@  #include "logind-seat.h"  #include "mkdir.h"  #include "parse-util.h" +#include "stdio-util.h"  #include "string-util.h"  #include "terminal-util.h"  #include "util.h" @@ -181,7 +182,7 @@ static int vt_allocate(unsigned int vtnr) {          assert(vtnr >= 1); -        snprintf(p, sizeof(p), "/dev/tty%u", vtnr); +        xsprintf(p, "/dev/tty%u", vtnr);          fd = open_terminal(p, O_RDWR|O_NOCTTY|O_CLOEXEC);          if (fd < 0)                  return -errno; diff --git a/src/network/networkctl.c b/src/network/networkctl.c index 0234825adb..4a8fa4d8f3 100644 --- a/src/network/networkctl.c +++ b/src/network/networkctl.c @@ -40,6 +40,7 @@  #include "pager.h"  #include "parse-util.h"  #include "socket-util.h" +#include "stdio-util.h"  #include "string-table.h"  #include "string-util.h"  #include "strv.h" @@ -275,7 +276,8 @@ static int ieee_oui(sd_hwdb *hwdb, struct ether_addr *mac, char **ret) {          if (memcmp(mac, "\0\0\0", 3) == 0)                  return -EINVAL; -        snprintf(modalias, sizeof(modalias), "OUI:" ETHER_ADDR_FORMAT_STR, ETHER_ADDR_FORMAT_VAL(*mac)); +        xsprintf(modalias, "OUI:" ETHER_ADDR_FORMAT_STR, +                 ETHER_ADDR_FORMAT_VAL(*mac));          r = sd_hwdb_get(hwdb, modalias, "ID_OUI_FROM_DATABASE", &description);          if (r < 0) diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index a4e13bd6aa..d619206dd6 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -1482,7 +1482,7 @@ static int setup_journal(const char *directory) {  }  static int drop_capabilities(void) { -        return capability_bounding_set_drop(~arg_retain, false); +        return capability_bounding_set_drop(arg_retain, false);  }  static int reset_audit_loginuid(void) { diff --git a/src/shared/switch-root.c b/src/shared/switch-root.c index b1bbbdaadd..bf0739e5fa 100644 --- a/src/shared/switch-root.c +++ b/src/shared/switch-root.c @@ -35,6 +35,7 @@  #include "mkdir.h"  #include "path-util.h"  #include "rm-rf.h" +#include "stdio-util.h"  #include "string-util.h"  #include "switch-root.h"  #include "user-util.h" @@ -77,7 +78,7 @@ int switch_root(const char *new_root, const char *oldroot, bool detach_oldroot,                  char new_mount[PATH_MAX];                  struct stat sb; -                snprintf(new_mount, sizeof(new_mount), "%s%s", new_root, i); +                xsprintf(new_mount, "%s%s", new_root, i);                  mkdir_p_label(new_mount, 0755); diff --git a/src/test/test-capability.c b/src/test/test-capability.c index fc8d3ffe0d..629bb63c81 100644 --- a/src/test/test-capability.c +++ b/src/test/test-capability.c @@ -20,6 +20,7 @@  #include <netinet/in.h>  #include <pwd.h>  #include <sys/capability.h> +#include <sys/prctl.h>  #include <sys/socket.h>  #include <sys/wait.h>  #include <unistd.h> @@ -66,8 +67,9 @@ static void show_capabilities(void) {          cap_free(text);  } -static int setup_tests(void) { +static int setup_tests(bool *run_ambient) {          struct passwd *nobody; +        int r;          nobody = getpwnam("nobody");          if (!nobody) { @@ -77,6 +79,18 @@ static int setup_tests(void) {          test_uid = nobody->pw_uid;          test_gid = nobody->pw_gid; +        *run_ambient = false; + +        r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); + +        /* There's support for PR_CAP_AMBIENT if the prctl() call +         * succeeded or error code was something else than EINVAL. The +         * EINVAL check should be good enough to rule out false +         * positives. */ + +        if (r >= 0 || errno != EINVAL) +                *run_ambient = true; +          return 0;  } @@ -140,8 +154,53 @@ static void test_have_effective_cap(void) {          assert_se(!have_effective_cap(CAP_CHOWN));  } +static void test_update_inherited_set(void) { +        cap_t caps; +        uint64_t set = 0; +        cap_flag_value_t fv; + +        caps = cap_get_proc(); +        assert_se(caps); +        assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); +        assert(fv == CAP_CLEAR); + +        set = (UINT64_C(1) << CAP_CHOWN); + +        assert_se(!capability_update_inherited_set(caps, set)); +        assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); +        assert(fv == CAP_SET); + +        cap_free(caps); +} + +static void test_set_ambient_caps(void) { +        cap_t caps; +        uint64_t set = 0; +        cap_flag_value_t fv; + +        caps = cap_get_proc(); +        assert_se(caps); +        assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); +        assert(fv == CAP_CLEAR); +        cap_free(caps); + +        assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 0); + +        set = (UINT64_C(1) << CAP_CHOWN); + +        assert_se(!capability_ambient_set_apply(set, true)); + +        caps = cap_get_proc(); +        assert_se(!cap_get_flag(caps, CAP_CHOWN, CAP_INHERITABLE, &fv)); +        assert(fv == CAP_SET); +        cap_free(caps); + +        assert_se(prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_IS_SET, CAP_CHOWN, 0, 0) == 1); +} +  int main(int argc, char *argv[]) {          int r; +        bool run_ambient;          log_parse_environment();          log_open(); @@ -149,14 +208,19 @@ int main(int argc, char *argv[]) {          if (getuid() != 0)                  return EXIT_TEST_SKIP; -        r = setup_tests(); +        r = setup_tests(&run_ambient);          if (r < 0)                  return -r;          show_capabilities();          test_drop_privileges(); +        test_update_inherited_set(); +          fork_test(test_have_effective_cap); +        if (run_ambient) +                fork_test(test_set_ambient_caps); +          return 0;  } diff --git a/src/test/test-execute.c b/src/test/test-execute.c index 753afadb0a..92857cb5e2 100644 --- a/src/test/test-execute.c +++ b/src/test/test-execute.c @@ -20,6 +20,7 @@  #include <grp.h>  #include <pwd.h>  #include <stdio.h> +#include <sys/prctl.h>  #include <sys/types.h>  #include "fileio.h" @@ -224,6 +225,20 @@ static void test_exec_capabilityboundingset(Manager *m) {          test(m, "exec-capabilityboundingset-invert.service", 0, CLD_EXITED);  } +static void test_exec_capabilityambientset(Manager *m) { +        int r; + +        /* Check if the kernel has support for ambient capabilities. Run +         * the tests only if that's the case. Clearing all ambient +         * capabilities is fine, since we are expecting them to be unset +         * in the first place for the tests. */ +        r = prctl(PR_CAP_AMBIENT, PR_CAP_AMBIENT_CLEAR_ALL, 0, 0, 0); +        if (r >= 0 || errno != EINVAL) { +                test(m, "exec-capabilityambientset.service", 0, CLD_EXITED); +                test(m, "exec-capabilityambientset-merge.service", 0, CLD_EXITED); +        } +} +  static void test_exec_privatenetwork(Manager *m) {          int r; @@ -266,6 +281,7 @@ int main(int argc, char *argv[]) {                  test_exec_umask,                  test_exec_runtimedirectory,                  test_exec_capabilityboundingset, +                test_exec_capabilityambientset,                  test_exec_oomscoreadjust,                  test_exec_ioschedulingclass,                  NULL, diff --git a/src/test/test-libudev.c b/src/test/test-libudev.c index 350eaf734d..94d852b3b0 100644 --- a/src/test/test-libudev.c +++ b/src/test/test-libudev.c @@ -25,6 +25,7 @@  #include "libudev.h" +#include "stdio-util.h"  #include "string-util.h"  #include "udev-util.h"  #include "util.h" @@ -460,7 +461,7 @@ int main(int argc, char *argv[]) {          /* add sys path if needed */          if (!startswith(syspath, "/sys")) { -                snprintf(path, sizeof(path), "/sys/%s", syspath); +                xsprintf(path, "/sys/%s", syspath);                  syspath = path;          } diff --git a/src/test/test-unit-file.c b/src/test/test-unit-file.c index 0b3630f77c..cd1e4e4698 100644 --- a/src/test/test-unit-file.c +++ b/src/test/test-unit-file.c @@ -28,6 +28,7 @@  #include <unistd.h>  #include "alloc-util.h" +#include "capability-util.h"  #include "fd-util.h"  #include "fileio.h"  #include "hashmap.h" @@ -625,8 +626,8 @@ static uint64_t make_cap(int cap) {          return ((uint64_t) 1ULL << (uint64_t) cap);  } -static void test_config_parse_bounding_set(void) { -        /* int config_parse_bounding_set( +static void test_config_parse_capability_set(void) { +        /* int config_parse_capability_set(                   const char *unit,                   const char *filename,                   unsigned line, @@ -638,38 +639,38 @@ static void test_config_parse_bounding_set(void) {                   void *data,                   void *userdata) */          int r; -        uint64_t capability_bounding_set_drop = 0; +        uint64_t capability_bounding_set = 0; -        r = config_parse_bounding_set(NULL, "fake", 1, "section", 1, +        r = config_parse_capability_set(NULL, "fake", 1, "section", 1,                                "CapabilityBoundingSet", 0, "CAP_NET_RAW", -                              &capability_bounding_set_drop, NULL); +                              &capability_bounding_set, NULL);          assert_se(r >= 0); -        assert_se(capability_bounding_set_drop == ~make_cap(CAP_NET_RAW)); +        assert_se(capability_bounding_set == make_cap(CAP_NET_RAW)); -        r = config_parse_bounding_set(NULL, "fake", 1, "section", 1, +        r = config_parse_capability_set(NULL, "fake", 1, "section", 1,                                "CapabilityBoundingSet", 0, "CAP_NET_ADMIN", -                              &capability_bounding_set_drop, NULL); +                              &capability_bounding_set, NULL);          assert_se(r >= 0); -        assert_se(capability_bounding_set_drop == ~(make_cap(CAP_NET_RAW) | make_cap(CAP_NET_ADMIN))); +        assert_se(capability_bounding_set == (make_cap(CAP_NET_RAW) | make_cap(CAP_NET_ADMIN))); -        r = config_parse_bounding_set(NULL, "fake", 1, "section", 1, +        r = config_parse_capability_set(NULL, "fake", 1, "section", 1,                                "CapabilityBoundingSet", 0, "", -                              &capability_bounding_set_drop, NULL); +                              &capability_bounding_set, NULL);          assert_se(r >= 0); -        assert_se(capability_bounding_set_drop == ~((uint64_t) 0ULL)); +        assert_se(capability_bounding_set == UINT64_C(0)); -        r = config_parse_bounding_set(NULL, "fake", 1, "section", 1, +        r = config_parse_capability_set(NULL, "fake", 1, "section", 1,                                "CapabilityBoundingSet", 0, "~", -                              &capability_bounding_set_drop, NULL); +                              &capability_bounding_set, NULL);          assert_se(r >= 0); -        assert_se(capability_bounding_set_drop == (uint64_t) 0ULL); +        assert_se(cap_test_all(capability_bounding_set)); -        capability_bounding_set_drop = 0; -        r = config_parse_bounding_set(NULL, "fake", 1, "section", 1, +        capability_bounding_set = 0; +        r = config_parse_capability_set(NULL, "fake", 1, "section", 1,                                "CapabilityBoundingSet", 0, "  'CAP_NET_RAW' WAT_CAP??? CAP_NET_ADMIN CAP'_trailing_garbage", -                              &capability_bounding_set_drop, NULL); +                              &capability_bounding_set, NULL);          assert_se(r >= 0); -        assert_se(capability_bounding_set_drop == ~(make_cap(CAP_NET_RAW) | make_cap(CAP_NET_ADMIN))); +        assert_se(capability_bounding_set == (make_cap(CAP_NET_RAW) | make_cap(CAP_NET_ADMIN)));  }  static void test_config_parse_rlimit(void) { @@ -829,7 +830,7 @@ int main(int argc, char *argv[]) {          r = test_unit_file_get_set();          test_config_parse_exec(); -        test_config_parse_bounding_set(); +        test_config_parse_capability_set();          test_config_parse_rlimit();          test_config_parse_pass_environ();          test_load_env_file_1(); diff --git a/src/udev/collect/collect.c b/src/udev/collect/collect.c index b6c95cd452..349585b634 100644 --- a/src/udev/collect/collect.c +++ b/src/udev/collect/collect.c @@ -27,6 +27,7 @@  #include "alloc-util.h"  #include "libudev-private.h"  #include "macro.h" +#include "stdio-util.h"  #include "string-util.h"  #define BUFSIZE 16 @@ -91,7 +92,7 @@ static int prepare(char *dir, char *filename)          if (r < 0 && errno != EEXIST)                  return -errno; -        snprintf(buf, sizeof(buf), "%s/%s", dir, filename); +        xsprintf(buf, "%s/%s", dir, filename);          fd = open(buf,O_RDWR|O_CREAT|O_CLOEXEC, S_IRUSR|S_IWUSR);          if (fd < 0) diff --git a/src/udev/udev-builtin-input_id.c b/src/udev/udev-builtin-input_id.c index a7aac78def..691ef5656d 100644 --- a/src/udev/udev-builtin-input_id.c +++ b/src/udev/udev-builtin-input_id.c @@ -33,6 +33,7 @@  #include <linux/input.h>  #include "fd-util.h" +#include "stdio-util.h"  #include "string-util.h"  #include "udev.h"  #include "util.h" @@ -66,8 +67,8 @@ static void extract_info(struct udev_device *dev, const char *devpath, bool test          if (xabsinfo.resolution <= 0 || yabsinfo.resolution <= 0)                  return; -        snprintf(width, sizeof(width), "%d", abs_size_mm(&xabsinfo)); -        snprintf(height, sizeof(height), "%d", abs_size_mm(&yabsinfo)); +        xsprintf(width, "%d", abs_size_mm(&xabsinfo)); +        xsprintf(height, "%d", abs_size_mm(&yabsinfo));          udev_builtin_add_property(dev, test, "ID_INPUT_WIDTH_MM", width);          udev_builtin_add_property(dev, test, "ID_INPUT_HEIGHT_MM", height); @@ -93,7 +94,7 @@ static void get_cap_mask(struct udev_device *dev,          if (!v)                  v = ""; -        snprintf(text, sizeof(text), "%s", v); +        xsprintf(text, "%s", v);          log_debug("%s raw kernel attribute: %s", attr, text);          memzero(bitmask, bitmask_size); @@ -115,7 +116,8 @@ static void get_cap_mask(struct udev_device *dev,          if (test) {                  /* printf pattern with the right unsigned long number of hex chars */ -                snprintf(text, sizeof(text), "  bit %%4u: %%0%zulX\n", 2 * sizeof(unsigned long)); +                xsprintf(text, "  bit %%4u: %%0%zulX\n", +                         2 * sizeof(unsigned long));                  log_debug("%s decoded bit map:", attr);                  val = bitmask_size / sizeof (unsigned long);                  /* skip over leading zeros */ diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c index e549fdbee9..e83b8b1c12 100644 --- a/src/udev/udev-builtin-net_id.c +++ b/src/udev/udev-builtin-net_id.c @@ -102,6 +102,7 @@  #include "fd-util.h"  #include "fileio.h" +#include "stdio-util.h"  #include "string-util.h"  #include "udev.h" @@ -228,7 +229,7 @@ static int dev_pci_slot(struct udev_device *dev, struct netnames *names) {                  err = -ENOENT;                  goto out;          } -        snprintf(slots, sizeof(slots), "%s/slots", udev_device_get_syspath(pci)); +        xsprintf(slots, "%s/slots", udev_device_get_syspath(pci));          dir = opendir(slots);          if (!dir) {                  err = -errno; @@ -247,7 +248,7 @@ static int dev_pci_slot(struct udev_device *dev, struct netnames *names) {                          continue;                  if (i < 1)                          continue; -                snprintf(str, sizeof(str), "%s/%s/address", slots, dent->d_name); +                xsprintf(str, "%s/%s/address", slots, dent->d_name);                  if (read_one_line_file(str, &address) >= 0) {                          /* match slot address with device by stripping the function */                          if (strneq(address, udev_device_get_sysname(names->pcidev), strlen(address))) @@ -380,7 +381,7 @@ static int names_bcma(struct udev_device *dev, struct netnames *names) {                  return -EINVAL;          /* suppress the common core == 0 */          if (core > 0) -                snprintf(names->bcma_core, sizeof(names->bcma_core), "b%u", core); +                xsprintf(names->bcma_core, "b%u", core);          names->type = NET_BCMA;          return 0; @@ -469,9 +470,9 @@ static int ieee_oui(struct udev_device *dev, struct netnames *names, bool test)          /* skip commonly misused 00:00:00 (Xerox) prefix */          if (memcmp(names->mac, "\0\0\0", 3) == 0)                  return -EINVAL; -        snprintf(str, sizeof(str), "OUI:%02X%02X%02X%02X%02X%02X", -                 names->mac[0], names->mac[1], names->mac[2], -                 names->mac[3], names->mac[4], names->mac[5]); +        xsprintf(str, "OUI:%02X%02X%02X%02X%02X%02X", names->mac[0], +                 names->mac[1], names->mac[2], names->mac[3], names->mac[4], +                 names->mac[5]);          udev_builtin_hwdb_lookup(dev, NULL, str, NULL, test);          return 0;  } @@ -523,7 +524,7 @@ static int builtin_net_id(struct udev_device *dev, int argc, char *argv[], bool          if (err >= 0 && names.mac_valid) {                  char str[IFNAMSIZ]; -                snprintf(str, sizeof(str), "%sx%02x%02x%02x%02x%02x%02x", prefix, +                xsprintf(str, "%sx%02x%02x%02x%02x%02x%02x", prefix,                           names.mac[0], names.mac[1], names.mac[2],                           names.mac[3], names.mac[4], names.mac[5]);                  udev_builtin_add_property(dev, test, "ID_NET_NAME_MAC", str); diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c index 39ae2cc1b1..fd7936c2dc 100644 --- a/src/udev/udev-node.c +++ b/src/udev/udev-node.c @@ -31,6 +31,7 @@  #include "fs-util.h"  #include "selinux-util.h"  #include "smack-util.h" +#include "stdio-util.h"  #include "string-util.h"  #include "udev.h" @@ -348,9 +349,10 @@ void udev_node_add(struct udev_device *dev, bool apply,                  return;          /* always add /dev/{block,char}/$major:$minor */ -        snprintf(filename, sizeof(filename), "/dev/%s/%u:%u", +        xsprintf(filename, "/dev/%s/%u:%u",                   streq(udev_device_get_subsystem(dev), "block") ? "block" : "char", -                 major(udev_device_get_devnum(dev)), minor(udev_device_get_devnum(dev))); +                 major(udev_device_get_devnum(dev)), +                 minor(udev_device_get_devnum(dev)));          node_symlink(dev, udev_device_get_devnode(dev), filename);          /* create/update symlinks, add symlinks to name index */ @@ -367,8 +369,9 @@ void udev_node_remove(struct udev_device *dev) {                  link_update(dev, udev_list_entry_get_name(list_entry), false);          /* remove /dev/{block,char}/$major:$minor */ -        snprintf(filename, sizeof(filename), "/dev/%s/%u:%u", +        xsprintf(filename, "/dev/%s/%u:%u",                   streq(udev_device_get_subsystem(dev), "block") ? "block" : "char", -                 major(udev_device_get_devnum(dev)), minor(udev_device_get_devnum(dev))); +                 major(udev_device_get_devnum(dev)), +                 minor(udev_device_get_devnum(dev)));          unlink(filename);  } diff --git a/src/udev/udev-watch.c b/src/udev/udev-watch.c index 60de703706..c0f4973f93 100644 --- a/src/udev/udev-watch.c +++ b/src/udev/udev-watch.c @@ -26,6 +26,7 @@  #include <sys/inotify.h>  #include <unistd.h> +#include "stdio-util.h"  #include "udev.h"  static int inotify_fd = -1; @@ -105,7 +106,7 @@ void udev_watch_begin(struct udev *udev, struct udev_device *dev) {                  return;          } -        snprintf(filename, sizeof(filename), "/run/udev/watch/%d", wd); +        xsprintf(filename, "/run/udev/watch/%d", wd);          mkdir_parents(filename, 0755);          unlink(filename);          r = symlink(udev_device_get_id_filename(dev), filename); @@ -129,7 +130,7 @@ void udev_watch_end(struct udev *udev, struct udev_device *dev) {          log_debug("removing watch on '%s'", udev_device_get_devnode(dev));          inotify_rm_watch(inotify_fd, wd); -        snprintf(filename, sizeof(filename), "/run/udev/watch/%d", wd); +        xsprintf(filename, "/run/udev/watch/%d", wd);          unlink(filename);          udev_device_set_watch_handle(dev, -1); @@ -143,7 +144,7 @@ struct udev_device *udev_watch_lookup(struct udev *udev, int wd) {          if (inotify_fd < 0 || wd < 0)                  return NULL; -        snprintf(filename, sizeof(filename), "/run/udev/watch/%d", wd); +        xsprintf(filename, "/run/udev/watch/%d", wd);          len = readlink(filename, device, sizeof(device));          if (len <= 0 || (size_t)len == sizeof(device))                  return NULL; diff --git a/src/vconsole/vconsole-setup.c b/src/vconsole/vconsole-setup.c index a5f4529cfd..622fbe9a6d 100644 --- a/src/vconsole/vconsole-setup.c +++ b/src/vconsole/vconsole-setup.c @@ -39,6 +39,7 @@  #include "log.h"  #include "process-util.h"  #include "signal-util.h" +#include "stdio-util.h"  #include "string-util.h"  #include "terminal-util.h"  #include "util.h" @@ -215,11 +216,11 @@ static void font_copy_to_all_vcs(int fd) {                          continue;                  /* skip non-allocated ttys */ -                snprintf(vcname, sizeof(vcname), "/dev/vcs%i", i); +                xsprintf(vcname, "/dev/vcs%i", i);                  if (access(vcname, F_OK) < 0)                          continue; -                snprintf(vcname, sizeof(vcname), "/dev/tty%i", i); +                xsprintf(vcname, "/dev/tty%i", i);                  vcfd = open_terminal(vcname, O_RDWR|O_CLOEXEC);                  if (vcfd < 0)                          continue; | 
