core: provide /dev/ptmx as symlink in PrivateDevices= execution environments

[elogind.git] / src / bus-proxyd / bus-proxyd.c

diff --git a/src/bus-proxyd/bus-proxyd.c b/src/bus-proxyd/bus-proxyd.c
index c5f9f002feb58ae21b64cefb3a714494e9403654..98b2ffd7d1c33230e59da322359c45d44bec40f1 100644 (file)
--- a/src/bus-proxyd/bus-proxyd.c
+++ b/src/bus-proxyd/bus-proxyd.c
@@ -40,12 +40,15 @@
 #include "bus-internal.h"
 #include "bus-message.h"
 #include "bus-util.h"
+#include "bus-internal.h"
 #include "build.h"
 #include "strv.h"
 #include "def.h"
+#include "capability.h"
 
 static const char *arg_address = DEFAULT_SYSTEM_BUS_PATH;
 static char *arg_command_line_buffer = NULL;
+static bool arg_drop_privileges = false;
 
 static int help(void) {
 
@@ -53,6 +56,7 @@ static int help(void) {
                "Connect STDIO or a socket to a given bus address.\n\n"
                "  -h --help              Show this help\n"
                "     --version           Show package version\n"
+               "     --drop-privileges   Drop privileges\n"
                "     --address=ADDRESS   Connect to the bus specified by ADDRESS\n"
                "                         (default: " DEFAULT_SYSTEM_BUS_PATH ")\n",
                program_invocation_short_name);
@@ -65,13 +69,15 @@ static int parse_argv(int argc, char *argv[]) {
         enum {
                 ARG_VERSION = 0x100,
                 ARG_ADDRESS,
+                ARG_DROP_PRIVILEGES,
         };
 
         static const struct option options[] = {
-                { "help",       no_argument,       NULL, 'h'            },
-                { "version",    no_argument,       NULL, ARG_VERSION    },
-                { "address",    required_argument, NULL, ARG_ADDRESS    },
-                { NULL,         0,                 NULL, 0              }
+                { "help",            no_argument,       NULL, 'h'                 },
+                { "version",         no_argument,       NULL, ARG_VERSION         },
+                { "address",         required_argument, NULL, ARG_ADDRESS         },
+                { "drop-privileges", no_argument,       NULL, ARG_DROP_PRIVILEGES },
+                { NULL,              0,                 NULL, 0                   },
         };
 
         int c;
@@ -96,6 +102,10 @@ static int parse_argv(int argc, char *argv[]) {
                         arg_address = optarg;
                         break;
 
+                case ARG_DROP_PRIVILEGES:
+                        arg_drop_privileges = true;
+                        break;
+
                 case '?':
                         return -EINVAL;
 
@@ -439,7 +449,6 @@ static int peer_is_privileged(sd_bus *bus, sd_bus_message *m) {
         return false;
 }
 
-
 static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m) {
         int r;
 
@@ -551,7 +560,7 @@ static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m) {
                 if (r < 0)
                         return synthetic_reply_method_errno(m, r, NULL);
 
-                r = sd_bus_add_match(a, match, NULL, NULL);
+                r = sd_bus_add_match(a, NULL, match, NULL, NULL);
                 if (r < 0)
                         return synthetic_reply_method_errno(m, r, NULL);
 
@@ -564,7 +573,9 @@ static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m) {
                 if (r < 0)
                         return synthetic_reply_method_errno(m, r, NULL);
 
-                r = sd_bus_remove_match(a, match, NULL, NULL);
+                r = bus_remove_match_by_string(a, match, NULL, NULL);
+                if (r == 0)
+                        return synthetic_reply_method_error(m, &SD_BUS_ERROR_MAKE_CONST(SD_BUS_ERROR_MATCH_RULE_NOT_FOUND, "Match rule not found"));
                 if (r < 0)
                         return synthetic_reply_method_errno(m, r, NULL);
 
@@ -739,9 +750,10 @@ static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m) {
                 r = sd_bus_release_name(a, name);
                 if (r < 0) {
                         if (r == -ESRCH)
-                                synthetic_reply_method_return(m, "u", BUS_NAME_NON_EXISTENT);
+                                return synthetic_reply_method_return(m, "u", BUS_NAME_NON_EXISTENT);
                         if (r == -EADDRINUSE)
-                                synthetic_reply_method_return(m, "u", BUS_NAME_NOT_OWNER);
+                                return synthetic_reply_method_return(m, "u", BUS_NAME_NOT_OWNER);
+
                         return synthetic_reply_method_errno(m, r, NULL);
                 }
 
@@ -1061,6 +1073,22 @@ int main(int argc, char *argv[]) {
                 getpeersec(in_fd, &peersec);
         }
 
+        if (arg_drop_privileges) {
+                const char *user = "systemd-bus-proxy";
+                uid_t uid;
+                gid_t gid;
+
+                r = get_user_creds(&user, &uid, &gid, NULL, NULL);
+                if (r < 0) {
+                        log_error("Cannot resolve user name %s: %s", user, strerror(-r));
+                        goto finish;
+                }
+
+                r = drop_privileges(uid, gid, 1ULL << CAP_IPC_OWNER);
+                if (r < 0)
+                        goto finish;
+        }
+
         r = sd_bus_new(&a);
         if (r < 0) {
                 log_error("Failed to allocate bus: %s", strerror(-r));
@@ -1177,7 +1205,7 @@ int main(int argc, char *argv[]) {
                         goto finish;
                 }
 
-                r = sd_bus_add_match(a, match, NULL, NULL);
+                r = sd_bus_add_match(a, NULL, match, NULL, NULL);
                 if (r < 0) {
                         log_error("Failed to add match for NameLost: %s", strerror(-r));
                         goto finish;
@@ -1198,7 +1226,7 @@ int main(int argc, char *argv[]) {
                         goto finish;
                 }
 
-                r = sd_bus_add_match(a, match, NULL, NULL);
+                r = sd_bus_add_match(a, NULL, match, NULL, NULL);
                 if (r < 0) {
                         log_error("Failed to add match for NameAcquired: %s", strerror(-r));
                         goto finish;