if (!u)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_UNIT, "Unit %s not loaded.", name);
- r = selinux_unit_access_check(u, message, "status", error);
+ r = mac_selinux_unit_access_check(u, message, "status", error);
if (r < 0)
return r;
if (!u)
return sd_bus_error_setf(error, BUS_ERROR_NO_UNIT_FOR_PID, "PID %u does not belong to any loaded unit.", pid);
- r = selinux_unit_access_check(u, message, "status", error);
+ r = mac_selinux_unit_access_check(u, message, "status", error);
if (r < 0)
return r;
if (r < 0)
return r;
- r = selinux_unit_access_check(u, message, "status", error);
+ r = mac_selinux_unit_access_check(u, message, "status", error);
if (r < 0)
return r;
if (mode < 0)
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Job mode %s is invalid.", smode);
- r = selinux_access_check(message, "start", error);
+ r = mac_selinux_access_check(message, "start", error);
if (r < 0)
return r;
if (!j)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_JOB, "Job %u does not exist.", (unsigned) id);
- r = selinux_unit_access_check(j->unit, message, "status", error);
+ r = mac_selinux_unit_access_check(j->unit, message, "status", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "reboot", error);
+ r = mac_selinux_access_check(message, "reboot", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "reload", error);
+ r = mac_selinux_access_check(message, "reload", error);
if (r < 0)
return r;
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "start", error);
+ r = mac_selinux_access_check(message, "start", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "stop", error);
+ r = mac_selinux_access_check(message, "stop", error);
if (r < 0)
return r;
if (r == 0)
return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
- r = selinux_access_check(message, "reload", error);
+ r = mac_selinux_access_check(message, "reload", error);
if (r < 0)
return r;
if (r == 0)
return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
- r = selinux_access_check(message, "reload", error);
+ r = mac_selinux_access_check(message, "reload", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "halt", error);
+ r = mac_selinux_access_check(message, "halt", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "reboot", error);
+ r = mac_selinux_access_check(message, "reboot", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "halt", error);
+ r = mac_selinux_access_check(message, "halt", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "halt", error);
+ r = mac_selinux_access_check(message, "halt", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "reboot", error);
+ r = mac_selinux_access_check(message, "reboot", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "reboot", error);
+ r = mac_selinux_access_check(message, "reboot", error);
if (r < 0)
return r;
if (m->running_as != SYSTEMD_SYSTEM)
- return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "KExec is only supported for system managers.");
+ return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Root switching is only supported by system manager.");
r = sd_bus_message_read(message, "ss", &root, &init);
if (r < 0)
/* Safety check */
if (isempty(init)) {
- if (! path_is_os_tree(root))
+ if (!path_is_os_tree(root))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Specified switch root path %s does not seem to be an OS tree. os-release file is missing.", root);
} else {
_cleanup_free_ char *p = NULL;
assert(message);
assert(m);
- r = selinux_access_check(message, "reload", error);
+ r = mac_selinux_access_check(message, "reload", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "reload", error);
+ r = mac_selinux_access_check(message, "reload", error);
if (r < 0)
return r;
assert(message);
assert(m);
- r = selinux_access_check(message, "reload", error);
+ r = mac_selinux_access_check(message, "reload", error);
if (r < 0)
return r;
- r = sd_bus_message_read_strv(message, &plus);
+ r = sd_bus_message_read_strv(message, &minus);
if (r < 0)
return r;
- r = sd_bus_message_read_strv(message, &minus);
+ r = sd_bus_message_read_strv(message, &plus);
if (r < 0)
return r;
- if (!strv_env_is_valid(plus))
- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid environment assignments");
if (!strv_env_name_or_assignment_is_valid(minus))
return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid environment variable names or assignments");
+ if (!strv_env_is_valid(plus))
+ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid environment assignments");
r = manager_environment_add(m, minus, plus);
if (r < 0)
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
if (r < 0)
return r;
- h = hashmap_new(string_hash_func, string_compare_func);
+ h = hashmap_new(&string_hash_ops);
if (!h)
return -ENOMEM;
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
/* Anyone can call this method */
- r = selinux_access_check(message, "status", error);
+ r = mac_selinux_access_check(message, "status", error);
if (r < 0)
return r;
if (n_changes > 0) {
r = bus_foreach_bus(m, NULL, send_unit_files_changed, NULL);
if (r < 0)
- log_debug("Failed to send UnitFilesChanged signal: %s", strerror(-r));
+ log_debug_errno(r, "Failed to send UnitFilesChanged signal: %m");
}
r = sd_bus_message_new_method_return(message, &reply);
sd_bus_error *error) {
_cleanup_strv_free_ char **l = NULL;
-#ifdef HAVE_SELINUX
- char **i;
-#endif
UnitFileChange *changes = NULL;
unsigned n_changes = 0;
UnitFileScope scope;
if (r < 0)
return r;
-#ifdef HAVE_SELINUX
- STRV_FOREACH(i, l) {
- Unit *u;
-
- u = manager_get_unit(m, *i);
- if (u) {
- r = selinux_unit_access_check(u, message, verb, error);
- if (r < 0)
- return r;
- }
- }
-#endif
+ r = mac_selinux_unit_access_check_strv(l, message, m, verb, error);
+ if (r < 0)
+ return r;
scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
static int method_preset_unit_files_with_mode(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) {
_cleanup_strv_free_ char **l = NULL;
-#ifdef HAVE_SELINUX
- char **i;
-#endif
UnitFileChange *changes = NULL;
unsigned n_changes = 0;
Manager *m = userdata;
return -EINVAL;
}
-#ifdef HAVE_SELINUX
- STRV_FOREACH(i, l) {
- Unit *u;
-
- u = manager_get_unit(m, *i);
- if (u) {
- r = selinux_unit_access_check(u, message, "enable", error);
- if (r < 0)
- return r;
- }
- }
-#endif
+ r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error);
+ if (r < 0)
+ return r;
scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
if (r == 0)
return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
- r = selinux_access_check(message, verb, error);
+ r = mac_selinux_access_check(message, verb, error);
if (r < 0)
return r;
if (r == 0)
return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
- r = selinux_access_check(message, "enable", error);
+ r = mac_selinux_access_check(message, "enable", error);
if (r < 0)
return r;
if (r == 0)
return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
- r = selinux_access_check(message, "enable", error);
+ r = mac_selinux_access_check(message, "enable", error);
if (r < 0)
return r;
return reply_unit_file_changes_and_free(m, bus, message, -1, changes, n_changes);
}
+static int method_add_dependency_unit_files(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) {
+ _cleanup_strv_free_ char **l = NULL;
+ Manager *m = userdata;
+ UnitFileChange *changes = NULL;
+ unsigned n_changes = 0;
+ UnitFileScope scope;
+ int runtime, force, r;
+ char *target;
+ char *type;
+ UnitDependency dep;
+
+ assert(bus);
+ assert(message);
+ assert(m);
+
+ r = bus_verify_manage_unit_files_async(m, message, error);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */
+
+ r = sd_bus_message_read_strv(message, &l);
+ if (r < 0)
+ return r;
+
+ r = sd_bus_message_read(message, "ssbb", &target, &type, &runtime, &force);
+ if (r < 0)
+ return r;
+
+ dep = unit_dependency_from_string(type);
+ if (dep < 0)
+ return -EINVAL;
+
+ r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error);
+ if (r < 0)
+ return r;
+
+ scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER;
+
+ r = unit_file_add_dependency(scope, runtime, NULL, l, target, dep, force, &changes, &n_changes);
+ if (r < 0)
+ return r;
+
+ return reply_unit_file_changes_and_free(m, bus, message, -1, changes, n_changes);
+}
+
const sd_bus_vtable bus_manager_vtable[] = {
SD_BUS_VTABLE_START(0),
SD_BUS_PROPERTY("UnitPath", "as", NULL, offsetof(Manager, lookup_paths.unit_path), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("DefaultStandardOutput", "s", bus_property_get_exec_output, offsetof(Manager, default_std_output), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("DefaultStandardError", "s", bus_property_get_exec_output, offsetof(Manager, default_std_output), SD_BUS_VTABLE_PROPERTY_CONST),
- SD_BUS_WRITABLE_PROPERTY("RuntimeWatchdogUSec", "t", bus_property_get_usec, property_set_runtime_watchdog, offsetof(Manager, runtime_watchdog), SD_BUS_VTABLE_PROPERTY_CONST),
- SD_BUS_WRITABLE_PROPERTY("ShutdownWatchdogUSec", "t", bus_property_get_usec, bus_property_set_usec, offsetof(Manager, shutdown_watchdog), SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_WRITABLE_PROPERTY("RuntimeWatchdogUSec", "t", bus_property_get_usec, property_set_runtime_watchdog, offsetof(Manager, runtime_watchdog), 0),
+ SD_BUS_WRITABLE_PROPERTY("ShutdownWatchdogUSec", "t", bus_property_get_usec, bus_property_set_usec, offsetof(Manager, shutdown_watchdog), 0),
SD_BUS_PROPERTY("ControlGroup", "s", NULL, offsetof(Manager, cgroup_root), 0),
SD_BUS_PROPERTY("SystemState", "s", property_get_system_state, 0, 0),
SD_BUS_METHOD("SetDefaultTarget", "sb", "a(sss)", method_set_default_target, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("GetDefaultTarget", NULL, "s", method_get_default_target, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_METHOD("PresetAllUnitFiles", "sbb", "a(sss)", method_preset_all_unit_files, SD_BUS_VTABLE_UNPRIVILEGED),
+ SD_BUS_METHOD("AddDependencyUnitFiles", "asssbb", "a(sss)", method_add_dependency_unit_files, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_SIGNAL("UnitNew", "so", 0),
SD_BUS_SIGNAL("UnitRemoved", "so", 0),
total_usec
});
if (r < 0)
- log_debug("Failed to send finished signal: %s", strerror(-r));
+ log_debug_errno(r, "Failed to send finished signal: %m");
}
static int send_reloading(sd_bus *bus, void *userdata) {
r = bus_foreach_bus(m, NULL, send_reloading, INT_TO_PTR(active));
if (r < 0)
- log_debug("Failed to send reloading signal: %s", strerror(-r));
+ log_debug_errno(r, "Failed to send reloading signal: %m");
}