X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fcore%2Fdbus-manager.c;h=140a413c170844f95ef892ceb6566eb07f21d9cf;hp=e792fe7e28332638534691fc64641bd8772278b6;hb=2822da4fb7f891e5320f02f1d00f64b72221ced4;hpb=6ad3b2b62cbe34cc02ee98deb5f48047f5e42d26 diff --git a/src/core/dbus-manager.c b/src/core/dbus-manager.c index e792fe7e2..140a413c1 100644 --- a/src/core/dbus-manager.c +++ b/src/core/dbus-manager.c @@ -363,7 +363,7 @@ static int method_get_unit(sd_bus *bus, sd_bus_message *message, void *userdata, if (!u) return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_UNIT, "Unit %s not loaded.", name); - r = selinux_unit_access_check(u, message, "status", error); + r = mac_selinux_unit_access_check(u, message, "status", error); if (r < 0) return r; @@ -409,7 +409,7 @@ static int method_get_unit_by_pid(sd_bus *bus, sd_bus_message *message, void *us if (!u) return sd_bus_error_setf(error, BUS_ERROR_NO_UNIT_FOR_PID, "PID %u does not belong to any loaded unit.", pid); - r = selinux_unit_access_check(u, message, "status", error); + r = mac_selinux_unit_access_check(u, message, "status", error); if (r < 0) return r; @@ -441,7 +441,7 @@ static int method_load_unit(sd_bus *bus, sd_bus_message *message, void *userdata if (r < 0) return r; - r = selinux_unit_access_check(u, message, "status", error); + r = mac_selinux_unit_access_check(u, message, "status", error); if (r < 0) return r; @@ -615,6 +615,92 @@ static int method_set_unit_properties(sd_bus *bus, sd_bus_message *message, void return bus_unit_method_set_properties(bus, message, u, error); } +static int transient_unit_from_message( + Manager *m, + sd_bus_message *message, + const char *name, + Unit **unit, + sd_bus_error *error) { + + Unit *u; + int r; + + assert(m); + assert(message); + assert(name); + + r = manager_load_unit(m, name, NULL, error, &u); + if (r < 0) + return r; + + if (u->load_state != UNIT_NOT_FOUND || + set_size(u->dependencies[UNIT_REFERENCED_BY]) > 0) + return sd_bus_error_setf(error, BUS_ERROR_UNIT_EXISTS, "Unit %s already exists.", name); + + /* OK, the unit failed to load and is unreferenced, now let's + * fill in the transient data instead */ + r = unit_make_transient(u); + if (r < 0) + return r; + + /* Set our properties */ + r = bus_unit_set_properties(u, message, UNIT_RUNTIME, false, error); + if (r < 0) + return r; + + *unit = u; + + return 0; +} + +static int transient_aux_units_from_message( + Manager *m, + sd_bus_message *message, + sd_bus_error *error) { + + Unit *u; + char *name = NULL; + int r; + + assert(m); + assert(message); + + r = sd_bus_message_enter_container(message, 'a', "(sa(sv))"); + if (r < 0) + return r; + + while ((r = sd_bus_message_enter_container(message, 'r', "sa(sv)")) > 0) { + if (r <= 0) + return r; + + r = sd_bus_message_read(message, "s", &name); + if (r < 0) + return r; + + r = transient_unit_from_message(m, message, name, &u, error); + if (r < 0 && r != -EEXIST) + return r; + + if (r != -EEXIST) { + r = unit_load(u); + if (r < 0) + return r; + } + + r = sd_bus_message_exit_container(message); + if (r < 0) + return r; + } + if (r < 0) + return r; + + r = sd_bus_message_exit_container(message); + if (r < 0) + return r; + + return 0; +} + static int method_start_transient_unit(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) { const char *name, *smode; Manager *m = userdata; @@ -648,25 +734,15 @@ static int method_start_transient_unit(sd_bus *bus, sd_bus_message *message, voi if (mode < 0) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Job mode %s is invalid.", smode); - r = selinux_access_check(message, "start", error); - if (r < 0) - return r; - - r = manager_load_unit(m, name, NULL, error, &u); + r = mac_selinux_access_check(message, "start", error); if (r < 0) return r; - if (u->load_state != UNIT_NOT_FOUND || set_size(u->dependencies[UNIT_REFERENCED_BY]) > 0) - return sd_bus_error_setf(error, BUS_ERROR_UNIT_EXISTS, "Unit %s already exists.", name); - - /* OK, the unit failed to load and is unreferenced, now let's - * fill in the transient data instead */ - r = unit_make_transient(u); + r = transient_unit_from_message(m, message, name, &u, error); if (r < 0) return r; - /* Set our properties */ - r = bus_unit_set_properties(u, message, UNIT_RUNTIME, false, error); + r = transient_aux_units_from_message(m, message, error); if (r < 0) return r; @@ -702,7 +778,7 @@ static int method_get_job(sd_bus *bus, sd_bus_message *message, void *userdata, if (!j) return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_JOB, "Job %u does not exist.", (unsigned) id); - r = selinux_unit_access_check(j->unit, message, "status", error); + r = mac_selinux_unit_access_check(j->unit, message, "status", error); if (r < 0) return r; @@ -742,7 +818,7 @@ static int method_clear_jobs(sd_bus *bus, sd_bus_message *message, void *userdat assert(message); assert(m); - r = selinux_access_check(message, "reboot", error); + r = mac_selinux_access_check(message, "reboot", error); if (r < 0) return r; @@ -759,7 +835,7 @@ static int method_reset_failed(sd_bus *bus, sd_bus_message *message, void *userd assert(message); assert(m); - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -782,7 +858,7 @@ static int list_units_filtered(sd_bus *bus, sd_bus_message *message, void *userd /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -870,7 +946,7 @@ static int method_list_jobs(sd_bus *bus, sd_bus_message *message, void *userdata /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -922,7 +998,7 @@ static int method_subscribe(sd_bus *bus, sd_bus_message *message, void *userdata /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -957,7 +1033,7 @@ static int method_unsubscribe(sd_bus *bus, sd_bus_message *message, void *userda /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -985,7 +1061,7 @@ static int method_dump(sd_bus *bus, sd_bus_message *message, void *userdata, sd_ /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -1016,7 +1092,7 @@ static int method_create_snapshot(sd_bus *bus, sd_bus_message *message, void *us assert(message); assert(m); - r = selinux_access_check(message, "start", error); + r = mac_selinux_access_check(message, "start", error); if (r < 0) return r; @@ -1048,7 +1124,7 @@ static int method_remove_snapshot(sd_bus *bus, sd_bus_message *message, void *us assert(message); assert(m); - r = selinux_access_check(message, "stop", error); + r = mac_selinux_access_check(message, "stop", error); if (r < 0) return r; @@ -1080,7 +1156,7 @@ static int method_reload(sd_bus *bus, sd_bus_message *message, void *userdata, s if (r == 0) return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -1114,7 +1190,7 @@ static int method_reexecute(sd_bus *bus, sd_bus_message *message, void *userdata if (r == 0) return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -1133,7 +1209,7 @@ static int method_exit(sd_bus *bus, sd_bus_message *message, void *userdata, sd_ assert(message); assert(m); - r = selinux_access_check(message, "halt", error); + r = mac_selinux_access_check(message, "halt", error); if (r < 0) return r; @@ -1153,7 +1229,7 @@ static int method_reboot(sd_bus *bus, sd_bus_message *message, void *userdata, s assert(message); assert(m); - r = selinux_access_check(message, "reboot", error); + r = mac_selinux_access_check(message, "reboot", error); if (r < 0) return r; @@ -1174,7 +1250,7 @@ static int method_poweroff(sd_bus *bus, sd_bus_message *message, void *userdata, assert(message); assert(m); - r = selinux_access_check(message, "halt", error); + r = mac_selinux_access_check(message, "halt", error); if (r < 0) return r; @@ -1194,7 +1270,7 @@ static int method_halt(sd_bus *bus, sd_bus_message *message, void *userdata, sd_ assert(message); assert(m); - r = selinux_access_check(message, "halt", error); + r = mac_selinux_access_check(message, "halt", error); if (r < 0) return r; @@ -1214,7 +1290,7 @@ static int method_kexec(sd_bus *bus, sd_bus_message *message, void *userdata, sd assert(message); assert(m); - r = selinux_access_check(message, "reboot", error); + r = mac_selinux_access_check(message, "reboot", error); if (r < 0) return r; @@ -1236,7 +1312,7 @@ static int method_switch_root(sd_bus *bus, sd_bus_message *message, void *userda assert(message); assert(m); - r = selinux_access_check(message, "reboot", error); + r = mac_selinux_access_check(message, "reboot", error); if (r < 0) return r; @@ -1300,7 +1376,7 @@ static int method_set_environment(sd_bus *bus, sd_bus_message *message, void *us assert(message); assert(m); - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -1326,7 +1402,7 @@ static int method_unset_environment(sd_bus *bus, sd_bus_message *message, void * assert(message); assert(m); - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; @@ -1353,22 +1429,22 @@ static int method_unset_and_set_environment(sd_bus *bus, sd_bus_message *message assert(message); assert(m); - r = selinux_access_check(message, "reload", error); + r = mac_selinux_access_check(message, "reload", error); if (r < 0) return r; - r = sd_bus_message_read_strv(message, &plus); + r = sd_bus_message_read_strv(message, &minus); if (r < 0) return r; - r = sd_bus_message_read_strv(message, &minus); + r = sd_bus_message_read_strv(message, &plus); if (r < 0) return r; - if (!strv_env_is_valid(plus)) - return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid environment assignments"); if (!strv_env_name_or_assignment_is_valid(minus)) return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid environment variable names or assignments"); + if (!strv_env_is_valid(plus)) + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid environment assignments"); r = manager_environment_add(m, minus, plus); if (r < 0) @@ -1391,7 +1467,7 @@ static int method_list_unit_files(sd_bus *bus, sd_bus_message *message, void *us /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -1399,7 +1475,7 @@ static int method_list_unit_files(sd_bus *bus, sd_bus_message *message, void *us if (r < 0) return r; - h = hashmap_new(string_hash_func, string_compare_func); + h = hashmap_new(&string_hash_ops); if (!h) return -ENOMEM; @@ -1444,7 +1520,7 @@ static int method_get_unit_file_state(sd_bus *bus, sd_bus_message *message, void /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -1473,7 +1549,7 @@ static int method_get_default_target(sd_bus *bus, sd_bus_message *message, void /* Anyone can call this method */ - r = selinux_access_check(message, "status", error); + r = mac_selinux_access_check(message, "status", error); if (r < 0) return r; @@ -1514,7 +1590,7 @@ static int reply_unit_file_changes_and_free( if (n_changes > 0) { r = bus_foreach_bus(m, NULL, send_unit_files_changed, NULL); if (r < 0) - log_debug("Failed to send UnitFilesChanged signal: %s", strerror(-r)); + log_debug_errno(r, "Failed to send UnitFilesChanged signal: %m"); } r = sd_bus_message_new_method_return(message, &reply); @@ -1562,9 +1638,6 @@ static int method_enable_unit_files_generic( sd_bus_error *error) { _cleanup_strv_free_ char **l = NULL; -#ifdef HAVE_SELINUX - char **i; -#endif UnitFileChange *changes = NULL; unsigned n_changes = 0; UnitFileScope scope; @@ -1588,18 +1661,9 @@ static int method_enable_unit_files_generic( if (r < 0) return r; -#ifdef HAVE_SELINUX - STRV_FOREACH(i, l) { - Unit *u; - - u = manager_get_unit(m, *i); - if (u) { - r = selinux_unit_access_check(u, message, verb, error); - if (r < 0) - return r; - } - } -#endif + r = mac_selinux_unit_access_check_strv(l, message, m, verb, error); + if (r < 0) + return r; scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER; @@ -1637,9 +1701,6 @@ static int method_mask_unit_files(sd_bus *bus, sd_bus_message *message, void *us static int method_preset_unit_files_with_mode(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) { _cleanup_strv_free_ char **l = NULL; -#ifdef HAVE_SELINUX - char **i; -#endif UnitFileChange *changes = NULL; unsigned n_changes = 0; Manager *m = userdata; @@ -1674,18 +1735,9 @@ static int method_preset_unit_files_with_mode(sd_bus *bus, sd_bus_message *messa return -EINVAL; } -#ifdef HAVE_SELINUX - STRV_FOREACH(i, l) { - Unit *u; - - u = manager_get_unit(m, *i); - if (u) { - r = selinux_unit_access_check(u, message, "enable", error); - if (r < 0) - return r; - } - } -#endif + r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error); + if (r < 0) + return r; scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER; @@ -1720,7 +1772,7 @@ static int method_disable_unit_files_generic( if (r == 0) return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ - r = selinux_access_check(message, verb, error); + r = mac_selinux_access_check(message, verb, error); if (r < 0) return r; @@ -1767,7 +1819,7 @@ static int method_set_default_target(sd_bus *bus, sd_bus_message *message, void if (r == 0) return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ - r = selinux_access_check(message, "enable", error); + r = mac_selinux_access_check(message, "enable", error); if (r < 0) return r; @@ -1803,7 +1855,7 @@ static int method_preset_all_unit_files(sd_bus *bus, sd_bus_message *message, vo if (r == 0) return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ - r = selinux_access_check(message, "enable", error); + r = mac_selinux_access_check(message, "enable", error); if (r < 0) return r; @@ -1828,6 +1880,52 @@ static int method_preset_all_unit_files(sd_bus *bus, sd_bus_message *message, vo return reply_unit_file_changes_and_free(m, bus, message, -1, changes, n_changes); } +static int method_add_dependency_unit_files(sd_bus *bus, sd_bus_message *message, void *userdata, sd_bus_error *error) { + _cleanup_strv_free_ char **l = NULL; + Manager *m = userdata; + UnitFileChange *changes = NULL; + unsigned n_changes = 0; + UnitFileScope scope; + int runtime, force, r; + char *target; + char *type; + UnitDependency dep; + + assert(bus); + assert(message); + assert(m); + + r = bus_verify_manage_unit_files_async(m, message, error); + if (r < 0) + return r; + if (r == 0) + return 1; /* No authorization for now, but the async polkit stuff will call us again when it has it */ + + r = sd_bus_message_read_strv(message, &l); + if (r < 0) + return r; + + r = sd_bus_message_read(message, "ssbb", &target, &type, &runtime, &force); + if (r < 0) + return r; + + dep = unit_dependency_from_string(type); + if (dep < 0) + return -EINVAL; + + r = mac_selinux_unit_access_check_strv(l, message, m, "enable", error); + if (r < 0) + return r; + + scope = m->running_as == SYSTEMD_SYSTEM ? UNIT_FILE_SYSTEM : UNIT_FILE_USER; + + r = unit_file_add_dependency(scope, runtime, NULL, l, target, dep, force, &changes, &n_changes); + if (r < 0) + return r; + + return reply_unit_file_changes_and_free(m, bus, message, -1, changes, n_changes); +} + const sd_bus_vtable bus_manager_vtable[] = { SD_BUS_VTABLE_START(0), @@ -1862,8 +1960,8 @@ const sd_bus_vtable bus_manager_vtable[] = { SD_BUS_PROPERTY("UnitPath", "as", NULL, offsetof(Manager, lookup_paths.unit_path), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("DefaultStandardOutput", "s", bus_property_get_exec_output, offsetof(Manager, default_std_output), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("DefaultStandardError", "s", bus_property_get_exec_output, offsetof(Manager, default_std_output), SD_BUS_VTABLE_PROPERTY_CONST), - SD_BUS_WRITABLE_PROPERTY("RuntimeWatchdogUSec", "t", bus_property_get_usec, property_set_runtime_watchdog, offsetof(Manager, runtime_watchdog), SD_BUS_VTABLE_PROPERTY_CONST), - SD_BUS_WRITABLE_PROPERTY("ShutdownWatchdogUSec", "t", bus_property_get_usec, bus_property_set_usec, offsetof(Manager, shutdown_watchdog), SD_BUS_VTABLE_PROPERTY_CONST), + SD_BUS_WRITABLE_PROPERTY("RuntimeWatchdogUSec", "t", bus_property_get_usec, property_set_runtime_watchdog, offsetof(Manager, runtime_watchdog), 0), + SD_BUS_WRITABLE_PROPERTY("ShutdownWatchdogUSec", "t", bus_property_get_usec, bus_property_set_usec, offsetof(Manager, shutdown_watchdog), 0), SD_BUS_PROPERTY("ControlGroup", "s", NULL, offsetof(Manager, cgroup_root), 0), SD_BUS_PROPERTY("SystemState", "s", property_get_system_state, 0, 0), @@ -1918,6 +2016,7 @@ const sd_bus_vtable bus_manager_vtable[] = { SD_BUS_METHOD("SetDefaultTarget", "sb", "a(sss)", method_set_default_target, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD("GetDefaultTarget", NULL, "s", method_get_default_target, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_METHOD("PresetAllUnitFiles", "sbb", "a(sss)", method_preset_all_unit_files, SD_BUS_VTABLE_UNPRIVILEGED), + SD_BUS_METHOD("AddDependencyUnitFiles", "asssbb", "a(sss)", method_add_dependency_unit_files, SD_BUS_VTABLE_UNPRIVILEGED), SD_BUS_SIGNAL("UnitNew", "so", 0), SD_BUS_SIGNAL("UnitRemoved", "so", 0), @@ -1975,7 +2074,7 @@ void bus_manager_send_finished( total_usec }); if (r < 0) - log_debug("Failed to send finished signal: %s", strerror(-r)); + log_debug_errno(r, "Failed to send finished signal: %m"); } static int send_reloading(sd_bus *bus, void *userdata) { @@ -2002,6 +2101,6 @@ void bus_manager_send_reloading(Manager *m, bool active) { r = bus_foreach_bus(m, NULL, send_reloading, INT_TO_PTR(active)); if (r < 0) - log_debug("Failed to send reloading signal: %s", strerror(-r)); + log_debug_errno(r, "Failed to send reloading signal: %m"); }