namespace: when setting up an inaccessible mount point, unmounting everything below

[elogind.git] / src / timesync / timesyncd.c

diff --git a/src/timesync/timesyncd.c b/src/timesync/timesyncd.c
index b28beadd31ac067f111060ca351e8e7326a6c8a6..27f6b2d22628e33172f53ebcf0b7044c75484245 100644 (file)
--- a/src/timesync/timesyncd.c
+++ b/src/timesync/timesyncd.c
@@ -834,7 +834,7 @@ static int manager_resolve_handler(sd_resolve_query *q, int ret, const struct ad
         m->resolve_query = sd_resolve_query_unref(m->resolve_query);
 
         if (ret != 0) {
-                log_info("Failed to resolve %s: %s", m->current_server_name->string, gai_strerror(ret));
+                log_debug("Failed to resolve %s: %s", m->current_server_name->string, gai_strerror(ret));
 
                 /* Try next host */
                 return manager_connect(m);
@@ -1146,10 +1146,10 @@ static int manager_network_event_handler(sd_event_source *s, int fd, uint32_t re
         connected = (m->server_socket != -1);
 
         if (connected && !online) {
-                log_info("No network connectivity. Suspending.");
+                log_info("No network connectivity, watching for changes.");
                 manager_disconnect(m);
         } else if (!connected && online) {
-                log_info("Network connectivity detected. Resuming.");
+                log_info("Network configuration changed, trying to establish connection.");
                 if (m->current_server_address) {
                         r = manager_begin(m);
                         if (r < 0)
@@ -1196,72 +1196,6 @@ static int manager_network_monitor_listen(Manager *m) {
         return 0;
 }
 
-static int drop_privileges(uid_t uid, gid_t gid) {
-
-        static const cap_value_t bits[] = {
-                CAP_SYS_TIME,
-        };
-
-        _cleanup_cap_free_ cap_t d = NULL;
-        int r;
-
-        /* Unfortunately we cannot leave privilege dropping to PID 1
-         * here, since we want to run as user but want to keep te
-         * CAP_SYS_TIME capability. Since file capabilities have been
-         * introduced this cannot be done across exec() anymore,
-         * unless our binary has the capability configured in the file
-         * system, which we want to avoid. */
-
-        if (setresgid(gid, gid, gid) < 0) {
-                log_error("Failed change group ID: %m");
-                return -errno;
-        }
-
-        if (setgroups(0, NULL) < 0) {
-                log_error("Failed to drop auxiliary groups list: %m");
-                return -errno;
-        }
-
-        if (prctl(PR_SET_KEEPCAPS, 1) < 0) {
-                log_error("Failed to enable keep capabilities flag: %m");
-                return -errno;
-        }
-
-        r = setresuid(uid, uid, uid);
-        if (r < 0) {
-                log_error("Failed change user ID: %m");
-                return -errno;
-        }
-
-        if (prctl(PR_SET_KEEPCAPS, 0) < 0) {
-                log_error("Failed to disable keep capabilities flag: %m");
-                return -errno;
-        }
-
-        r = capability_bounding_set_drop(~(1ULL << CAP_SYS_TIME), true);
-        if (r < 0) {
-                log_error("Failed to drop capabilities: %s", strerror(-r));
-                return r;
-        }
-
-        d = cap_init();
-        if (!d)
-                return log_oom();
-
-        if (cap_set_flag(d, CAP_EFFECTIVE, ELEMENTSOF(bits), bits, CAP_SET) < 0 ||
-            cap_set_flag(d, CAP_PERMITTED, ELEMENTSOF(bits), bits, CAP_SET) < 0) {
-                log_error("Failed to enable capabilities bits: %m");
-                return -errno;
-        }
-
-        if (cap_set_proc(d) < 0) {
-                log_error("Failed to increase capabilities: %m");
-                return -errno;
-        }
-
-        return 0;
-}
-
 int main(int argc, char *argv[]) {
         const char *user = "systemd-timesync";
         _cleanup_manager_free_ Manager *m = NULL;
@@ -1291,7 +1225,7 @@ int main(int argc, char *argv[]) {
         if (r < 0)
                 goto out;
 
-        r = drop_privileges(uid, gid);
+        r = drop_privileges(uid, gid, (1ULL << CAP_SYS_TIME));
         if (r < 0)
                 goto out;