X-Git-Url: http://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?p=elogind.git;a=blobdiff_plain;f=src%2Fcore%2Fsocket.c;h=f3f09cac4326133e8af4c9ecb3a8a4132fd3a0e7;hp=f975a4333d542dfa96720906a41f922a0792fb98;hb=aea54018a5e66a41318afb6c6be745b6aef48d9e;hpb=c65a0b146652cac52fe3c43f7cb8fe6a2ac3e063 diff --git a/src/core/socket.c b/src/core/socket.c index f975a4333..f3f09cac4 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -28,6 +28,7 @@ #include #include #include +#include #include "unit.h" #include "socket.h" @@ -39,6 +40,7 @@ #include "mkdir.h" #include "path-util.h" #include "unit-name.h" +#include "unit-printf.h" #include "dbus-socket.h" #include "missing.h" #include "special.h" @@ -130,6 +132,16 @@ static void socket_done(Unit *u) { free(s->bind_to_device); s->bind_to_device = NULL; + free(s->smack); + free(s->smack_ip_in); + free(s->smack_ip_out); + + free(s->socket_user); + s->socket_user = NULL; + + free(s->socket_group); + s->socket_group = NULL; + unit_unwatch_timer(u, &s->timer_watch); } @@ -264,7 +276,8 @@ int socket_add_one_mount_link(Socket *s, Mount *m) { if (!socket_needs_mount(s, m->where)) return 0; - if ((r = unit_add_two_dependencies(UNIT(s), UNIT_AFTER, UNIT_REQUIRES, UNIT(m), true)) < 0) + r = unit_add_two_dependencies(UNIT(s), UNIT_AFTER, UNIT_REQUIRES, UNIT(m), true); + if (r < 0) return r; return 0; @@ -276,9 +289,11 @@ static int socket_add_mount_links(Socket *s) { assert(s); - LIST_FOREACH(units_by_type, other, UNIT(s)->manager->units_by_type[UNIT_MOUNT]) - if ((r = socket_add_one_mount_link(s, MOUNT(other))) < 0) + LIST_FOREACH(units_by_type, other, UNIT(s)->manager->units_by_type[UNIT_MOUNT]) { + r = socket_add_one_mount_link(s, MOUNT(other)); + if (r < 0) return r; + } return 0; } @@ -305,7 +320,7 @@ static int socket_add_default_dependencies(Socket *s) { int r; assert(s); - if (UNIT(s)->manager->running_as == MANAGER_SYSTEM) { + if (UNIT(s)->manager->running_as == SYSTEMD_SYSTEM) { if ((r = unit_add_dependency_by_name(UNIT(s), UNIT_BEFORE, SPECIAL_SOCKETS_TARGET, NULL, true)) < 0) return r; @@ -440,6 +455,16 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) { prefix, yes_no(s->pass_sec), prefix, strna(s->tcp_congestion)); + if (s->socket_user) + fprintf(f, + "SocketUser: %s\n", + s->socket_user); + + if (s->socket_group) + fprintf(f, + "SocketGroup: %s\n", + s->socket_group); + if (s->control_pid > 0) fprintf(f, "%sControl PID: %lu\n", @@ -504,6 +529,21 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) { "%sMessageQueueMessageSize: %li\n", prefix, s->mq_msgsize); + if (s->smack) + fprintf(f, + "%sSmackLabel: %s\n", + prefix, s->smack); + + if (s->smack_ip_in) + fprintf(f, + "%sSmackLabelIPIn: %s\n", + prefix, s->smack_ip_in); + + if (s->smack_ip_out) + fprintf(f, + "%sSmackLabelIPOut: %s\n", + prefix, s->smack_ip_out); + LIST_FOREACH(port, p, s->ports) { if (p->type == SOCKET_SOCKET) { @@ -668,6 +708,9 @@ static void socket_close_fds(Socket *s) { } static void socket_apply_socket_options(Socket *s, int fd) { + uid_t uid = 0; + gid_t gid = 0; + assert(s); assert(fd >= 0); @@ -743,6 +786,29 @@ static void socket_apply_socket_options(Socket *s, int fd) { if (s->tcp_congestion) if (setsockopt(fd, SOL_TCP, TCP_CONGESTION, s->tcp_congestion, strlen(s->tcp_congestion)+1) < 0) log_warning("TCP_CONGESTION failed: %m"); + + if (s->smack_ip_in) + if (fsetxattr(fd, "security.SMACK64IPIN", s->smack_ip_in, strlen(s->smack_ip_in), 0) < 0) + log_error("fsetxattr(\"security.SMACK64IPIN\"): %m"); + + if (s->smack_ip_out) + if (fsetxattr(fd, "security.SMACK64IPOUT", s->smack_ip_out, strlen(s->smack_ip_out), 0) < 0) + log_error("fsetxattr(\"security.SMACK64IPOUT\"): %m"); + + if (s->socket_user && + get_user_creds((const char **)&s->socket_user, &uid, + NULL, NULL, NULL) < 0) { + log_warning("failed to lookup user: %s", s->socket_user); + } + + if (s->socket_group && + get_group_creds((const char **)&s->socket_group, &gid) < 0) { + log_warning("failed to lookup group: %s", s->socket_group); + } + + if ((uid != 0 || gid != 0) && fchown(fd, uid, gid) < 0) { + log_warning("failed to change ownership of socket"); + } } static void socket_apply_fifo_options(Socket *s, int fd) { @@ -752,17 +818,25 @@ static void socket_apply_fifo_options(Socket *s, int fd) { if (s->pipe_size > 0) if (fcntl(fd, F_SETPIPE_SZ, s->pipe_size) < 0) log_warning("F_SETPIPE_SZ: %m"); + + if (s->smack) + if (fsetxattr(fd, "security.SMACK64", s->smack, strlen(s->smack), 0) < 0) + log_error("fsetxattr(\"security.SMACK64\"): %m"); } static int fifo_address_create( const char *path, mode_t directory_mode, mode_t socket_mode, + const char *socket_user, + const char *socket_group, int *_fd) { int fd = -1, r = 0; struct stat st; mode_t old_mask; + uid_t uid = 0; + gid_t gid = 0; assert(path); assert(_fd); @@ -787,7 +861,8 @@ static int fifo_address_create( goto fail; } - if ((fd = open(path, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW)) < 0) { + fd = open(path, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW); + if (fd < 0) { r = -errno; goto fail; } @@ -799,15 +874,35 @@ static int fifo_address_create( goto fail; } + if (socket_user && + get_user_creds(&socket_user, &uid, NULL, NULL, NULL) < 0) { + r = -errno; + log_error("failed to lookup user: %s", socket_user); + goto fail; + } + + if (socket_group && + get_group_creds(&socket_group, &gid) < 0) { + r = -errno; + log_error("failed to lookup group: %s", socket_group); + goto fail; + } + if (!S_ISFIFO(st.st_mode) || (st.st_mode & 0777) != (socket_mode & ~old_mask) || - st.st_uid != getuid() || - st.st_gid != getgid()) { + st.st_uid != uid || + st.st_gid != gid) { r = -EEXIST; goto fail; } + if ((uid != 0 || gid != 0) && fchown(fd, uid, gid) < 0) { + r = -errno; + log_error("failed to changed ownership of FIFO: %s", path); + goto fail; + } + *_fd = fd; return 0; @@ -977,6 +1072,8 @@ static int socket_open_fds(Socket *s) { p->path, s->directory_mode, s->socket_mode, + s->socket_user, + s->socket_group, &p->fd)) < 0) goto rollback; @@ -1850,7 +1947,8 @@ static void socket_fd_event(Unit *u, int fd, uint32_t events, Watch *w) { if (w->socket_accept) { for (;;) { - if ((cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK)) < 0) { + cfd = accept4(fd, NULL, NULL, SOCK_NONBLOCK); + if (cfd < 0) { if (errno == EINTR) continue; @@ -2194,6 +2292,8 @@ DEFINE_STRING_TABLE_LOOKUP(socket_result, SocketResult); const UnitVTable socket_vtable = { .object_size = sizeof(Socket), + .exec_context_offset = offsetof(Socket, exec_context), + .sections = "Unit\0" "Socket\0"