#include <sys/stat.h>
#include <sys/time.h>
#include <sys/resource.h>
+#include <sys/types.h>
+#include <grp.h>
#ifdef HAVE_SECCOMP
#include <seccomp.h>
#include "seccomp-util.h"
#endif
-#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_LIBWRAP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
+#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
int config_parse_warn_compat(
const char *unit,
const char *filename,
UnitDependency d = ltype;
Unit *u = userdata;
- char *w;
+ char *w, *state;
size_t l;
- char *state;
assert(filename);
assert(lvalue);
}
if (!utf8_is_valid(path)) {
- log_syntax(unit, LOG_ERR, filename, line, EINVAL,
- "Path is not UTF-8 clean, ignoring assignment: %s",
- rvalue);
+ log_invalid_utf8(unit, LOG_ERR, filename, line, EINVAL, rvalue);
r = 0;
goto fail;
}
}
if (!utf8_is_valid(c)) {
- log_syntax(unit, LOG_ERR, filename, line, EINVAL,
- "Path is not UTF-8 clean, ignoring assignment: %s",
- rvalue);
+ log_invalid_utf8(unit, LOG_ERR, filename, line, EINVAL, rvalue);
r = 0;
goto fail;
}
return log_oom();
if (streq(t, "shared"))
- flags |= MS_SHARED;
+ flags = MS_SHARED;
else if (streq(t, "slave"))
- flags |= MS_SLAVE;
+ flags = MS_SLAVE;
else if (streq(w, "private"))
- flags |= MS_PRIVATE;
+ flags = MS_PRIVATE;
else {
- log_syntax(unit, LOG_ERR, filename, line, EINVAL,
- "Failed to parse mount flag %s, ignoring: %s",
- t, rvalue);
+ log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Failed to parse mount flag %s, ignoring: %s", t, rvalue);
return 0;
}
}
TimerValue *v;
TimerBase b;
CalendarSpec *c = NULL;
- clockid_t id;
assert(filename);
assert(lvalue);
rvalue);
return 0;
}
-
- id = CLOCK_REALTIME;
} else {
if (parse_sec(rvalue, &u) < 0) {
log_syntax(unit, LOG_ERR, filename, line, EINVAL,
rvalue);
return 0;
}
-
- id = CLOCK_MONOTONIC;
}
v = new0(TimerValue, 1);
return log_oom();
v->base = b;
- v->clock_id = id;
v->value = u;
v->calendar_spec = c;
return 0;
}
+int config_parse_bus_policy(
+ const char *unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ _cleanup_free_ BusNamePolicy *p = NULL;
+ _cleanup_free_ char *id_str = NULL;
+ BusName *busname = data;
+ char *access_str;
+ int r;
+
+ assert(filename);
+ assert(lvalue);
+ assert(rvalue);
+ assert(data);
+
+ p = new0(BusNamePolicy, 1);
+ if (!p)
+ return log_oom();
+
+ if (streq(lvalue, "AllowUser"))
+ p->type = BUSNAME_POLICY_TYPE_USER;
+ else if (streq(lvalue, "AllowGroup"))
+ p->type = BUSNAME_POLICY_TYPE_GROUP;
+ else if (streq(lvalue, "AllowWorld"))
+ p->type = BUSNAME_POLICY_TYPE_WORLD;
+ else
+ assert_not_reached("Unknown lvalue");
+
+ id_str = strdup(rvalue);
+ if (!id_str)
+ return log_oom();
+
+ if (p->type != BUSNAME_POLICY_TYPE_WORLD) {
+ access_str = strchr(id_str, ' ');
+ if (!access_str) {
+ log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Invalid busname policy value '%s'", rvalue);
+ return 0;
+ }
+
+ *access_str = '\0';
+ access_str++;
+
+ if (p->type == BUSNAME_POLICY_TYPE_USER) {
+ const char *user = id_str;
+
+ r = get_user_creds(&user, &p->uid, NULL, NULL, NULL);
+ if (r < 0) {
+ log_syntax(unit, LOG_ERR, filename, line, r, "Unable to parse uid from '%s'", id_str);
+ return 0;
+ }
+ } else {
+ const char *group = id_str;
+
+ r = get_group_creds(&group, &p->gid);
+ if (r < 0) {
+ log_syntax(unit, LOG_ERR, filename, line, -errno, "Unable to parse gid from '%s'", id_str);
+ return 0;
+ }
+ }
+ } else {
+ access_str = id_str;
+ }
+
+ p->access = busname_policy_access_from_string(access_str);
+ if (p->access < 0) {
+ log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Invalid busname policy access type '%s'", access_str);
+ return 0;
+ }
+
+ LIST_PREPEND(policy, busname->policy, p);
+ p = NULL;
+
+ return 0;
+}
+
int config_parse_unit_env_file(const char *unit,
const char *filename,
unsigned line,
}
DEFINE_CONFIG_PARSE_ENUM(config_parse_notify_access, notify_access, NotifyAccess, "Failed to parse notify access specifier");
-DEFINE_CONFIG_PARSE_ENUM(config_parse_start_limit_action, start_limit_action, StartLimitAction, "Failed to parse start limit action specifier");
+DEFINE_CONFIG_PARSE_ENUM(config_parse_failure_action, failure_action, FailureAction, "Failed to parse failure action specifier");
int config_parse_unit_requires_mounts_for(
const char *unit,
return log_oom();
if (!utf8_is_valid(n)) {
- log_syntax(unit, LOG_ERR, filename, line, EINVAL,
- "Path is not UTF-8 clean, ignoring assignment: %s", rvalue);
+ log_invalid_utf8(unit, LOG_ERR, filename, line, EINVAL, rvalue);
continue;
}
set_remove(c->syscall_filter, INT_TO_PTR(id + 1));
}
- c->no_new_privileges = true;
+ /* Turn on NNP, but only if it wasn't configured explicitly
+ * before, and only if we are in user mode. */
+ if (!c->no_new_privileges_set && u->manager->running_as == SYSTEMD_USER)
+ c->no_new_privileges = true;
return 0;
}
return 0;
}
+int config_parse_cpu_quota(
+ const char *unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ CGroupContext *c = data;
+ int r;
+
+ assert(filename);
+ assert(lvalue);
+ assert(rvalue);
+
+ if (isempty(rvalue)) {
+ c->cpu_quota_per_sec_usec = (usec_t) -1;
+ c->cpu_quota_usec = (usec_t) -1;
+ return 0;
+ }
+
+ if (endswith(rvalue, "%")) {
+ double percent;
+
+ if (sscanf(rvalue, "%lf%%", &percent) != 1 || percent <= 0) {
+ log_syntax(unit, LOG_ERR, filename, line, EINVAL, "CPU quota '%s' invalid. Ignoring.", rvalue);
+ return 0;
+ }
+
+ c->cpu_quota_per_sec_usec = (usec_t) (percent * USEC_PER_SEC / 100);
+ c->cpu_quota_usec = (usec_t) -1;
+ } else {
+ r = parse_sec(rvalue, &c->cpu_quota_usec);
+ if (r < 0) {
+ log_syntax(unit, LOG_ERR, filename, line, EINVAL, "CPU quota '%s' invalid. Ignoring.", rvalue);
+ return 0;
+ }
+
+ c->cpu_quota_per_sec_usec = (usec_t) -1;
+ }
+
+ return 0;
+}
+
int config_parse_memory_limit(
const char *unit,
const char *filename,
return 0;
}
+int config_parse_namespace_path_strv(
+ const char *unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ char*** sv = data, *w, *state;
+ size_t l;
+ int r;
+
+ assert(filename);
+ assert(lvalue);
+ assert(rvalue);
+ assert(data);
+
+ if (isempty(rvalue)) {
+ /* Empty assignment resets the list */
+ strv_free(*sv);
+ *sv = NULL;
+ return 0;
+ }
+
+ FOREACH_WORD_QUOTED(w, l, rvalue, state) {
+ _cleanup_free_ char *n;
+ int offset;
+
+ n = strndup(w, l);
+ if (!n)
+ return log_oom();
+
+ if (!utf8_is_valid(n)) {
+ log_invalid_utf8(unit, LOG_ERR, filename, line, EINVAL, rvalue);
+ continue;
+ }
+
+ offset = n[0] == '-';
+ if (!path_is_absolute(n + offset)) {
+ log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Not an absolute path, ignoring: %s", rvalue);
+ continue;
+ }
+
+ path_kill_slashes(n);
+
+ r = strv_push(sv, n);
+ if (r < 0)
+ return log_oom();
+
+ n = NULL;
+ }
+
+ return 0;
+}
+
+int config_parse_no_new_priviliges(
+ const char* unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ ExecContext *c = data;
+ int k;
+
+ assert(filename);
+ assert(lvalue);
+ assert(rvalue);
+ assert(data);
+
+ k = parse_boolean(rvalue);
+ if (k < 0) {
+ log_syntax(unit, LOG_ERR, filename, line, -k, "Failed to parse boolean value, ignoring: %s", rvalue);
+ return 0;
+ }
+
+ c->no_new_privileges = !!k;
+ c->no_new_privileges_set = true;
+
+ return 0;
+}
+
#define FOLLOW_MAX 8
static int open_follow(char **filename, FILE **_f, Set *names, char **_final) {
f = fdopen(fd, "re");
if (!f) {
r = -errno;
- close_nointr_nofail(fd);
+ safe_close(fd);
return r;
}
const ConfigParserCallback callback;
const char *rvalue;
} table[] = {
-#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_LIBWRAP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
+#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR)
{ config_parse_warn_compat, "NOTSUPPORTED" },
#endif
{ config_parse_int, "INTEGER" },
{ config_parse_socket_bindtodevice, "NETWORKINTERFACE" },
{ config_parse_sec, "SECONDS" },
{ config_parse_nsec, "NANOSECONDS" },
- { config_parse_path_strv, "PATH [...]" },
+ { config_parse_namespace_path_strv, "PATH [...]" },
{ config_parse_unit_requires_mounts_for, "PATH [...]" },
{ config_parse_exec_mount_flags, "MOUNTFLAG [...]" },
{ config_parse_unit_string_printf, "STRING" },
{ config_parse_unit_slice, "SLICE" },
{ config_parse_documentation, "URL" },
{ config_parse_service_timeout, "SECONDS" },
- { config_parse_start_limit_action, "ACTION" },
+ { config_parse_failure_action, "ACTION" },
{ config_parse_set_status, "STATUS" },
{ config_parse_service_sockets, "SOCKETS" },
{ config_parse_environ, "ENVIRON" },