execute: setup namespace after doing NSS calls
[elogind.git] / src / execute.c
index ead6c0fa423fd2c322bbedd37686a0ca4c2d7b28..1a7871b4e030b374b4699a0bc8f91362a91b209c 100644 (file)
@@ -46,6 +46,7 @@
 #include "securebits.h"
 #include "cgroup.h"
 #include "namespace.h"
+#include "tcpwrap.h"
 
 /* This assumes there is a 'tty' group */
 #define TTY_MODE 0620
@@ -783,10 +784,12 @@ int exec_spawn(ExecCommand *command,
 
                 /* child */
 
-                /* We reset exactly these two signals, since they are
-                 * the only ones we set to SIG_IGN in the main
-                 * daemon. All others */
-                default_signals(SIGNALS_CRASH_HANLDER,
+                /* We reset exactly these signals, since they are the
+                 * only ones we set to SIG_IGN in the main daemon. All
+                 * others we leave untouched because we set them to
+                 * SIG_DFL or a valid handler initially, both of which
+                 * will be demoted to SIG_DFL. */
+                default_signals(SIGNALS_CRASH_HANDLER,
                                 SIGNALS_IGNORE, -1);
 
                 if (sigemptyset(&ss) < 0 ||
@@ -801,6 +804,12 @@ int exec_spawn(ExecCommand *command,
                                 goto fail;
                         }
 
+                if (socket_fd >= 0 && context->tcpwrap_name)
+                        if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
+                                r = EXIT_TCPWRAP;
+                                goto fail;
+                        }
+
                 if (confirm_spawn) {
                         char response;
 
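Review bot: The tcp-wrappers gate at `if (socket_fd >= 0 && context->tcpwrap_name)` is an access-control decision whose outer `if` has no braces around a multi-line nested `if`, so a later edit can easily detach the `goto fail` from the check. Fold it into one braced condition: `if (socket_fd >= 0 && context->tcpwrap_name && !socket_tcpwrap(socket_fd, context->tcpwrap_name)) {`. The check is also skipped without any trace when `tcpwrap_name` is set but `socket_fd` is negative. If that is intended, a comment such as `/* tcpwrap is only evaluated when a connection fd was passed in */` would make the fail-open case explicit. exec_spawn's body starts and ends outside the hunk.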
@@ -905,19 +914,6 @@ int exec_spawn(ExecCommand *command,
                                 goto fail;
                         }
 
-                if (strv_length(context->read_write_dirs) > 0 ||
-                    strv_length(context->read_only_dirs) > 0 ||
-                    strv_length(context->inaccessible_dirs) > 0 ||
-                    context->mount_flags != MS_SHARED ||
-                    context->private_tmp)
-                        if ((r = setup_namespace(
-                                             context->read_write_dirs,
-                                             context->read_only_dirs,
-                                             context->inaccessible_dirs,
-                                             context->private_tmp,
-                                             context->mount_flags)) < 0)
-                                goto fail;
-
                 if (context->user) {
                         username = context->user;
                         if (get_user_creds(&username, &uid, &gid, &home) < 0) {
@@ -940,6 +936,19 @@ int exec_spawn(ExecCommand *command,
 
                 umask(context->umask);
 
+                if (strv_length(context->read_write_dirs) > 0 ||
+                    strv_length(context->read_only_dirs) > 0 ||
+                    strv_length(context->inaccessible_dirs) > 0 ||
+                    context->mount_flags != MS_SHARED ||
+                    context->private_tmp)
+                        if ((r = setup_namespace(
+                                             context->read_write_dirs,
+                                             context->read_only_dirs,
+                                             context->inaccessible_dirs,
+                                             context->private_tmp,
+                                             context->mount_flags)) < 0)
+                                goto fail;
+
                 if (apply_chroot) {
                         if (context->root_directory)
                                 if (chroot(context->root_directory) < 0) {
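Review bot: When `setup_namespace()` fails, the child jumps to `fail` with `r` holding the negative return value, whereas the tcpwrap path in this same commit stores an `ExitStatus` constant (`r = EXIT_TCPWRAP;`). If `fail` passes `r` to `_exit()`, which is not visible here, the parent would see a truncated error number rather than a status that `exit_status_to_string()` can name. Consider assigning a dedicated exit status before the `goto fail`. The new position also matters for correctness and isolation, so a comment above the block would stop a later refactor from moving it back, e.g. `/* Must stay after get_user_creds(): NSS lookups may need paths the namespace hides */`. exec_spawn's body continues outside the hunk.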
@@ -1109,6 +1118,9 @@ void exec_context_done(ExecContext *c) {
         free(c->tty_path);
         c->tty_path = NULL;
 
+        free(c->tcpwrap_name);
+        c->tcpwrap_name = NULL;
+
         free(c->syslog_identifier);
         c->syslog_identifier = NULL;
 
@@ -1207,6 +1219,11 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                 for (e = c->environment; *e; e++)
                         fprintf(f, "%sEnvironment: %s\n", prefix, *e);
 
+        if (c->tcpwrap_name)
+                fprintf(f,
+                        "%sTCPWrapName: %s\n",
+                        prefix, c->tcpwrap_name);
+
         if (c->nice_set)
                 fprintf(f,
                         "%sNice: %i\n",
@@ -1593,6 +1610,9 @@ const char* exit_status_to_string(ExitStatus status) {
         case EXIT_STDERR:
                 return "STDERR";
 
+        case EXIT_TCPWRAP:
+                return "TCPWRAP";
+
         default:
                 return NULL;
         }