X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fcore%2Fload-fragment.c;h=3b36d1568c8df75370482aff4ae6349704bc9f47;hp=d77bf5cf98cd6a9c4cfd738338ba42b3973d1d02;hb=b2f8b02ec27dfec9cbd23573f47aba494f2e9b5f;hpb=94828d2ddc89c9dba3d6f386e55b6c9310d8f627 diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index d77bf5cf9..3b36d1568 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -33,6 +33,8 @@ #include #include #include +#include +#include #ifdef HAVE_SECCOMP #include @@ -62,7 +64,7 @@ #include "seccomp-util.h" #endif -#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_LIBWRAP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR) +#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR) int config_parse_warn_compat( const char *unit, const char *filename, @@ -536,9 +538,7 @@ int config_parse_exec(const char *unit, } if (!utf8_is_valid(path)) { - log_syntax(unit, LOG_ERR, filename, line, EINVAL, - "Path is not UTF-8 clean, ignoring assignment: %s", - rvalue); + log_invalid_utf8(unit, LOG_ERR, filename, line, EINVAL, rvalue); r = 0; goto fail; } @@ -553,9 +553,7 @@ int config_parse_exec(const char *unit, } if (!utf8_is_valid(c)) { - log_syntax(unit, LOG_ERR, filename, line, EINVAL, - "Path is not UTF-8 clean, ignoring assignment: %s", - rvalue); + log_invalid_utf8(unit, LOG_ERR, filename, line, EINVAL, rvalue); r = 0; goto fail; } @@ -1127,15 +1125,13 @@ int config_parse_exec_mount_flags(const char *unit, return log_oom(); if (streq(t, "shared")) - flags |= MS_SHARED; + flags = MS_SHARED; else if (streq(t, "slave")) - flags |= MS_SLAVE; + flags = MS_SLAVE; else if (streq(w, "private")) - flags |= MS_PRIVATE; + flags = MS_PRIVATE; else { - log_syntax(unit, LOG_ERR, filename, line, EINVAL, - "Failed to parse mount flag %s, ignoring: %s", - t, rvalue); + log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Failed to parse mount flag %s, ignoring: %s", t, rvalue); return 0; } } @@ -1258,7 +1254,6 @@ int config_parse_timer(const char *unit, TimerValue *v; TimerBase b; CalendarSpec *c = NULL; - clockid_t id; assert(filename); assert(lvalue); @@ -1285,8 +1280,6 @@ int config_parse_timer(const char *unit, rvalue); return 0; } - - id = CLOCK_REALTIME; } else { if (parse_sec(rvalue, &u) < 0) { log_syntax(unit, LOG_ERR, filename, line, EINVAL, @@ -1294,8 +1287,6 @@ int config_parse_timer(const char *unit, rvalue); return 0; } - - id = CLOCK_MONOTONIC; } v = new0(TimerValue, 1); @@ -1303,7 +1294,6 @@ int config_parse_timer(const char *unit, return log_oom(); v->base = b; - v->clock_id = id; v->value = u; v->calendar_spec = c; @@ -1610,6 +1600,89 @@ int config_parse_busname_service( return 0; } +int config_parse_bus_policy( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + _cleanup_free_ BusNamePolicy *p = NULL; + _cleanup_free_ char *id_str = NULL; + BusName *busname = data; + char *access_str; + int r; + + assert(filename); + assert(lvalue); + assert(rvalue); + assert(data); + + p = new0(BusNamePolicy, 1); + if (!p) + return log_oom(); + + if (streq(lvalue, "AllowUser")) + p->type = BUSNAME_POLICY_TYPE_USER; + else if (streq(lvalue, "AllowGroup")) + p->type = BUSNAME_POLICY_TYPE_GROUP; + else if (streq(lvalue, "AllowWorld")) + p->type = BUSNAME_POLICY_TYPE_WORLD; + else + assert_not_reached("Unknown lvalue"); + + id_str = strdup(rvalue); + if (!id_str) + return log_oom(); + + if (p->type != BUSNAME_POLICY_TYPE_WORLD) { + access_str = strchr(id_str, ' '); + if (!access_str) { + log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Invalid busname policy value '%s'", rvalue); + return 0; + } + + *access_str = '\0'; + access_str++; + + if (p->type == BUSNAME_POLICY_TYPE_USER) { + const char *user = id_str; + + r = get_user_creds(&user, &p->uid, NULL, NULL, NULL); + if (r < 0) { + log_syntax(unit, LOG_ERR, filename, line, r, "Unable to parse uid from '%s'", id_str); + return 0; + } + } else { + const char *group = id_str; + + r = get_group_creds(&group, &p->gid); + if (r < 0) { + log_syntax(unit, LOG_ERR, filename, line, -errno, "Unable to parse gid from '%s'", id_str); + return 0; + } + } + } else { + access_str = id_str; + } + + p->access = busname_policy_access_from_string(access_str); + if (p->access < 0) { + log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Invalid busname policy access type '%s'", access_str); + return 0; + } + + LIST_PREPEND(policy, busname->policy, p); + p = NULL; + + return 0; +} + int config_parse_unit_env_file(const char *unit, const char *filename, unsigned line, @@ -1927,7 +2000,7 @@ int config_parse_unit_condition_null(const char *unit, } DEFINE_CONFIG_PARSE_ENUM(config_parse_notify_access, notify_access, NotifyAccess, "Failed to parse notify access specifier"); -DEFINE_CONFIG_PARSE_ENUM(config_parse_start_limit_action, start_limit_action, StartLimitAction, "Failed to parse start limit action specifier"); +DEFINE_CONFIG_PARSE_ENUM(config_parse_failure_action, failure_action, FailureAction, "Failed to parse failure action specifier"); int config_parse_unit_requires_mounts_for( const char *unit, @@ -1960,8 +2033,7 @@ int config_parse_unit_requires_mounts_for( return log_oom(); if (!utf8_is_valid(n)) { - log_syntax(unit, LOG_ERR, filename, line, EINVAL, - "Path is not UTF-8 clean, ignoring assignment: %s", rvalue); + log_invalid_utf8(unit, LOG_ERR, filename, line, EINVAL, rvalue); continue; } @@ -2127,7 +2199,10 @@ int config_parse_syscall_filter( set_remove(c->syscall_filter, INT_TO_PTR(id + 1)); } - c->no_new_privileges = true; + /* Turn on NNP, but only if it wasn't configured explicitly + * before, and only if we are in user mode. */ + if (!c->no_new_privileges_set && u->manager->running_as == SYSTEMD_USER) + c->no_new_privileges = true; return 0; } @@ -2380,6 +2455,54 @@ int config_parse_cpu_shares( return 0; } +int config_parse_cpu_quota( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + CGroupContext *c = data; + int r; + + assert(filename); + assert(lvalue); + assert(rvalue); + + if (isempty(rvalue)) { + c->cpu_quota_per_sec_usec = (usec_t) -1; + c->cpu_quota_usec = (usec_t) -1; + return 0; + } + + if (endswith(rvalue, "%")) { + double percent; + + if (sscanf(rvalue, "%lf%%", &percent) != 1 || percent <= 0) { + log_syntax(unit, LOG_ERR, filename, line, EINVAL, "CPU quota '%s' invalid. Ignoring.", rvalue); + return 0; + } + + c->cpu_quota_per_sec_usec = (usec_t) (percent * USEC_PER_SEC / 100); + c->cpu_quota_usec = (usec_t) -1; + } else { + r = parse_sec(rvalue, &c->cpu_quota_usec); + if (r < 0) { + log_syntax(unit, LOG_ERR, filename, line, EINVAL, "CPU quota '%s' invalid. Ignoring.", rvalue); + return 0; + } + + c->cpu_quota_per_sec_usec = (usec_t) -1; + } + + return 0; +} + int config_parse_memory_limit( const char *unit, const char *filename, @@ -2885,7 +3008,7 @@ int config_parse_namespace_path_strv( return log_oom(); if (!utf8_is_valid(n)) { - log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Path is not UTF-8 clean, ignoring assignment: %s", rvalue); + log_invalid_utf8(unit, LOG_ERR, filename, line, EINVAL, rvalue); continue; } @@ -2907,6 +3030,38 @@ int config_parse_namespace_path_strv( return 0; } +int config_parse_no_new_priviliges( + const char* unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + ExecContext *c = data; + int k; + + assert(filename); + assert(lvalue); + assert(rvalue); + assert(data); + + k = parse_boolean(rvalue); + if (k < 0) { + log_syntax(unit, LOG_ERR, filename, line, -k, "Failed to parse boolean value, ignoring: %s", rvalue); + return 0; + } + + c->no_new_privileges = !!k; + c->no_new_privileges_set = true; + + return 0; +} + #define FOLLOW_MAX 8 static int open_follow(char **filename, FILE **_f, Set *names, char **_final) { @@ -2970,7 +3125,7 @@ static int open_follow(char **filename, FILE **_f, Set *names, char **_final) { f = fdopen(fd, "re"); if (!f) { r = -errno; - close_nointr_nofail(fd); + safe_close(fd); return r; } @@ -3221,7 +3376,7 @@ void unit_dump_config_items(FILE *f) { const ConfigParserCallback callback; const char *rvalue; } table[] = { -#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_LIBWRAP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR) +#if !defined(HAVE_SYSV_COMPAT) || !defined(HAVE_SECCOMP) || !defined(HAVE_PAM) || !defined(HAVE_SELINUX) || !defined(HAVE_SMACK) || !defined(HAVE_APPARMOR) { config_parse_warn_compat, "NOTSUPPORTED" }, #endif { config_parse_int, "INTEGER" }, @@ -3280,7 +3435,7 @@ void unit_dump_config_items(FILE *f) { { config_parse_unit_slice, "SLICE" }, { config_parse_documentation, "URL" }, { config_parse_service_timeout, "SECONDS" }, - { config_parse_start_limit_action, "ACTION" }, + { config_parse_failure_action, "ACTION" }, { config_parse_set_status, "STATUS" }, { config_parse_service_sockets, "SOCKETS" }, { config_parse_environ, "ENVIRON" },