X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcore%2Fexecute.c;h=b5b22472d5a9f8ff954ad409484e4cef7aaedca8;hb=f461c8073dee9cd10bfae5ae3586e785ec8a5d07;hp=353f2d1297619f9ca4e6b4077d5ea85cf664fbfe;hpb=3d94f76c99da13e5603831d0b278f8c8c21bcb02;p=elogind.git diff --git a/src/core/execute.c b/src/core/execute.c index 353f2d129..b5b22472d 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -69,7 +69,6 @@ #include "ioprio.h" #include "securebits.h" #include "namespace.h" -#include "tcpwrap.h" #include "exit-status.h" #include "missing.h" #include "utmp-wtmp.h" @@ -334,7 +333,7 @@ static int setup_input(const ExecContext *context, int socket_fd, bool apply_tty i == EXEC_INPUT_TTY_FAIL, i == EXEC_INPUT_TTY_FORCE, false, - (usec_t) -1); + USEC_INFINITY); if (fd < 0) return fd; @@ -562,7 +561,7 @@ static int restore_confirm_stdio(int *saved_stdin, static int ask_for_confirmation(char *response, char **argv) { int saved_stdout = -1, saved_stdin = -1, r; - char *line; + _cleanup_free_ char *line = NULL; r = setup_confirm_stdio(&saved_stdin, &saved_stdout); if (r < 0) @@ -572,8 +571,7 @@ static int ask_for_confirmation(char *response, char **argv) { if (!line) return -ENOMEM; - r = ask(response, "yns", "Execute %s? [Yes, No, Skip] ", line); - free(line); + r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line); restore_confirm_stdio(&saved_stdin, &saved_stdout); @@ -1174,7 +1172,7 @@ static int build_environment( return -ENOMEM; our_env[n_env++] = x; - if (asprintf(&x, "WATCHDOG_USEC=%llu", (unsigned long long) watchdog_usec) < 0) + if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, watchdog_usec) < 0) return -ENOMEM; our_env[n_env++] = x; } @@ -1362,23 +1360,6 @@ int exec_spawn(ExecCommand *command, goto fail_child; } - if (context->tcpwrap_name) { - if (socket_fd >= 0) - if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) { - err = -EACCES; - r = EXIT_TCPWRAP; - goto fail_child; - } - - for (i = 0; i < (int) n_fds; i++) { - if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) { - err = -EACCES; - r = EXIT_TCPWRAP; - goto fail_child; - } - } - } - exec_context_tty_reset(context); if (confirm_spawn) { @@ -1483,7 +1464,7 @@ int exec_spawn(ExecCommand *command, goto fail_child; } - if (context->timer_slack_nsec != (nsec_t) -1) + if (context->timer_slack_nsec != NSEC_INFINITY) if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) { err = -errno; r = EXIT_TIMERSLACK; @@ -1587,7 +1568,9 @@ int exec_spawn(ExecCommand *command, !strv_isempty(context->inaccessible_dirs) || context->mount_flags != 0 || (context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) || - context->private_devices) { + context->private_devices || + context->protect_system != PROTECT_SYSTEM_NO || + context->protect_home != PROTECT_HOME_NO) { char *tmp = NULL, *var = NULL; @@ -1611,8 +1594,9 @@ int exec_spawn(ExecCommand *command, tmp, var, context->private_devices, + context->protect_home, + context->protect_system, context->mount_flags); - if (err < 0) { r = EXIT_NAMESPACE; goto fail_child; @@ -1651,7 +1635,9 @@ int exec_spawn(ExecCommand *command, } /* We repeat the fd closing here, to make sure that - * nothing is leaked from the PAM modules */ + * nothing is leaked from the PAM modules. Note that + * we are more aggressive this time since socket_fd + * and the netns fds we don#t need anymore. */ err = close_all_fds(fds, n_fds); if (err >= 0) err = shift_fds(fds, n_fds); @@ -1849,7 +1835,7 @@ void exec_context_init(ExecContext *c) { c->syslog_priority = LOG_DAEMON|LOG_INFO; c->syslog_level_prefix = true; c->ignore_sigpipe = true; - c->timer_slack_nsec = (nsec_t) -1; + c->timer_slack_nsec = NSEC_INFINITY; c->personality = 0xffffffffUL; c->runtime_directory_mode = 0755; } @@ -1878,9 +1864,6 @@ void exec_context_done(ExecContext *c) { free(c->tty_path); c->tty_path = NULL; - free(c->tcpwrap_name); - c->tcpwrap_name = NULL; - free(c->syslog_identifier); c->syslog_identifier = NULL; @@ -2042,7 +2025,7 @@ int exec_context_load_environment(const ExecContext *c, char ***l) { return -EINVAL; } for (n = 0; n < count; n++) { - k = load_env_file(pglob.gl_pathv[n], NULL, &p); + k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p); if (k < 0) { if (ignore) continue; @@ -2076,8 +2059,8 @@ int exec_context_load_environment(const ExecContext *c, char ***l) { } static bool tty_may_match_dev_console(const char *tty) { - char *active = NULL, *console; - bool b; + _cleanup_free_ char *active = NULL; + char *console; if (startswith(tty, "/dev/")) tty += 5; @@ -2092,10 +2075,7 @@ static bool tty_may_match_dev_console(const char *tty) { return true; /* "tty0" means the active VC, so it may be the same sometimes */ - b = streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty)); - free(active); - - return b; + return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty)); } bool exec_context_may_touch_console(ExecContext *ec) { @@ -2132,6 +2112,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { "%sPrivateTmp: %s\n" "%sPrivateNetwork: %s\n" "%sPrivateDevices: %s\n" + "%sProtectHome: %s\n" + "%sProtectSystem: %s\n" "%sIgnoreSIGPIPE: %s\n", prefix, c->umask, prefix, c->working_directory ? c->working_directory : "/", @@ -2140,6 +2122,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { prefix, yes_no(c->private_tmp), prefix, yes_no(c->private_network), prefix, yes_no(c->private_devices), + prefix, protect_home_to_string(c->protect_home), + prefix, protect_system_to_string(c->protect_system), prefix, yes_no(c->ignore_sigpipe)); STRV_FOREACH(e, c->environment) @@ -2148,11 +2132,6 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { STRV_FOREACH(e, c->environment_files) fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e); - if (c->tcpwrap_name) - fprintf(f, - "%sTCPWrapName: %s\n", - prefix, c->tcpwrap_name); - if (c->nice_set) fprintf(f, "%sNice: %i\n", @@ -2165,7 +2144,8 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { for (i = 0; i < RLIM_NLIMITS; i++) if (c->rlimit[i]) - fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max); + fprintf(f, "%s%s: "RLIM_FMT"\n", + prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max); if (c->ioprio_set) { _cleanup_free_ char *class_str = NULL; @@ -2199,7 +2179,7 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) { fputs("\n", f); } - if (c->timer_slack_nsec != (nsec_t) -1) + if (c->timer_slack_nsec != NSEC_INFINITY) fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec); fprintf(f, @@ -2420,12 +2400,11 @@ void exec_status_dump(ExecStatus *s, FILE *f, const char *prefix) { assert(s); assert(f); - if (!prefix) - prefix = ""; - if (s->pid <= 0) return; + prefix = strempty(prefix); + fprintf(f, "%sPID: "PID_FMT"\n", prefix, s->pid); @@ -2485,37 +2464,27 @@ char *exec_command_line(char **argv) { } void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) { - char *p2; + _cleanup_free_ char *cmd = NULL; const char *prefix2; - char *cmd; - assert(c); assert(f); - if (!prefix) - prefix = ""; - p2 = strappend(prefix, "\t"); - prefix2 = p2 ? p2 : prefix; + prefix = strempty(prefix); + prefix2 = strappenda(prefix, "\t"); cmd = exec_command_line(c->argv); - fprintf(f, "%sCommand Line: %s\n", prefix, cmd ? cmd : strerror(ENOMEM)); - free(cmd); - exec_status_dump(&c->exec_status, f, prefix2); - - free(p2); } void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) { assert(f); - if (!prefix) - prefix = ""; + prefix = strempty(prefix); LIST_FOREACH(command, c, c) exec_command_dump(c, f, prefix);