chiark / gitweb /
tcpwrap: execute tcpwrap check in forked client, to avoid blocking name lookups in...
authorLennart Poettering <lennart@poettering.net>
Wed, 16 Jun 2010 14:25:42 +0000 (16:25 +0200)
committerLennart Poettering <lennart@poettering.net>
Wed, 16 Jun 2010 14:27:24 +0000 (16:27 +0200)
fixme
src/dbus-execute.h
src/dbus-socket.c
src/execute.c
src/execute.h
src/load-fragment.c
src/socket.c
src/socket.h

diff --git a/fixme b/fixme
index 4603764..17a8ef8 100644 (file)
--- a/fixme
+++ b/fixme
@@ -53,8 +53,6 @@
 
 * run PAM session stuff
 
-* tcpwrap
-
 * use setproctitle() when forking, before exec() (waiting for (PR_SET_PROCTITLE_AREA to enter the kernel)
 
 * follow property change dbus spec
index 6abae16..243854f 100644 (file)
@@ -43,7 +43,8 @@
         "  <property name=\"CapabilityBoundingSetDrop\" type=\"t\" access=\"read\"/>\n" \
         "  <property name=\"User\" type=\"s\" access=\"read\"/>\n"      \
         "  <property name=\"Group\" type=\"s\" access=\"read\"/>\n"     \
-        "  <property name=\"SupplementaryGroups\" type=\"as\" access=\"read\"/>\n"
+        "  <property name=\"SupplementaryGroups\" type=\"as\" access=\"read\"/>\n" \
+        "  <property name=\"TCPWrapName\" type=\"s\" access=\"read\"/>\n"
 
 #define BUS_EXEC_CONTEXT_PROPERTIES(interface, context)                 \
         { interface, "Environment",                   bus_property_append_strv,   "as",    (context).environment                   }, \
@@ -71,7 +72,8 @@
         { interface, "CapabilityBoundingSetDrop",     bus_property_append_uint64, "t",     &(context).capability_bounding_set_drop }, \
         { interface, "User",                          bus_property_append_string, "s",     (context).user                          }, \
         { interface, "Group",                         bus_property_append_string, "s",     (context).group                         }, \
-        { interface, "SupplementaryGroups",           bus_property_append_strv,   "as",    (context).supplementary_groups          }
+        { interface, "SupplementaryGroups",           bus_property_append_strv,   "as",    (context).supplementary_groups          }, \
+        { interface, "TCPWrapName",                   bus_property_append_string, "s",     (context).tcpwrap_name                  }
 
 int bus_execute_append_output(Manager *m, DBusMessageIter *i, const char *property, void *data);
 int bus_execute_append_input(Manager *m, DBusMessageIter *i, const char *property, void *data);
index fa84191..426af2b 100644 (file)
@@ -37,7 +37,6 @@
         "  <property name=\"DirectoryMode\" type=\"u\" access=\"read\"/>\n" \
         "  <property name=\"SocketMode\" type=\"u\" access=\"read\"/>\n" \
         "  <property name=\"Accept\" type=\"b\" access=\"read\"/>\n"    \
-        "  <property name=\"TCPWrapName\" type=\"s\" access=\"read\"/>\n" \
         " </interface>\n"                                               \
 
 #define INTROSPECTION                                                   \
@@ -67,7 +66,6 @@ DBusHandlerResult bus_socket_message_handler(Unit *u, DBusMessage *message) {
                 { "org.freedesktop.systemd1.Socket", "DirectoryMode", bus_property_append_mode,     "u", &u->socket.directory_mode },
                 { "org.freedesktop.systemd1.Socket", "SocketMode",    bus_property_append_mode,     "u", &u->socket.socket_mode },
                 { "org.freedesktop.systemd1.Socket", "Accept",        bus_property_append_bool,     "b", &u->socket.accept },
-                { "org.freedesktop.systemd1.Socket", "TCPWrapName",   bus_property_append_string,   "s", u->socket.tcpwrap_name },
                 { NULL, NULL, NULL, NULL, NULL }
         };
 
index 1b37f2e..b61c1f8 100644 (file)
@@ -46,6 +46,7 @@
 #include "securebits.h"
 #include "cgroup.h"
 #include "namespace.h"
+#include "tcpwrap.h"
 
 /* This assumes there is a 'tty' group */
 #define TTY_MODE 0620
@@ -803,6 +804,12 @@ int exec_spawn(ExecCommand *command,
                                 goto fail;
                         }
 
+                if (socket_fd >= 0 && context->tcpwrap_name)
+                        if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
+                                r = EXIT_TCPWRAP;
+                                goto fail;
+                        }
+
                 if (confirm_spawn) {
                         char response;
 
@@ -1111,6 +1118,9 @@ void exec_context_done(ExecContext *c) {
         free(c->tty_path);
         c->tty_path = NULL;
 
+        free(c->tcpwrap_name);
+        c->tcpwrap_name = NULL;
+
         free(c->syslog_identifier);
         c->syslog_identifier = NULL;
 
@@ -1209,6 +1219,11 @@ void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
                 for (e = c->environment; *e; e++)
                         fprintf(f, "%sEnvironment: %s\n", prefix, *e);
 
+        if (c->tcpwrap_name)
+                fprintf(f,
+                        "%sTCPWrapName: %s\n",
+                        prefix, c->tcpwrap_name);
+
         if (c->nice_set)
                 fprintf(f,
                         "%sNice: %i\n",
@@ -1595,6 +1610,9 @@ const char* exit_status_to_string(ExitStatus status) {
         case EXIT_STDERR:
                 return "STDERR";
 
+        case EXIT_TCPWRAP:
+                return "TCPWRAP";
+
         default:
                 return NULL;
         }
index 4585fe4..1adf41e 100644 (file)
@@ -104,6 +104,8 @@ struct ExecContext {
         char *syslog_identifier;
         bool syslog_no_prefix;
 
+        char *tcpwrap_name;
+
         char *tty_path;
 
         /* Since resolving these names might might involve socket
@@ -179,7 +181,8 @@ typedef enum ExitStatus {
         EXIT_CGROUP,
         EXIT_SETSID,   /* 220 */
         EXIT_CONFIRM,
-        EXIT_STDERR
+        EXIT_STDERR,
+        EXIT_TCPWRAP
 
 } ExitStatus;
 
index 94a6375..f409776 100644 (file)
@@ -1391,7 +1391,8 @@ static int load_from_path(Unit *u, const char *path) {
                 { "ReadOnlyDirectories",    config_parse_path_strv,       &(context).read_only_dirs,                       section   }, \
                 { "InaccessibleDirectories",config_parse_path_strv,       &(context).inaccessible_dirs,                    section   }, \
                 { "PrivateTmp",             config_parse_bool,            &(context).private_tmp,                          section   }, \
-                { "MountFlags",             config_parse_mount_flags,     &(context),                                      section   }
+                { "MountFlags",             config_parse_mount_flags,     &(context),                                      section   }, \
+                { "TCPWrapName",            config_parse_string,          &(context).tcpwrap_name,                         section   }
 
         const ConfigItem items[] = {
                 { "Names",                  config_parse_names,           u,                                               "Unit"    },
@@ -1444,7 +1445,6 @@ static int load_from_path(Unit *u, const char *path) {
                 { "SocketMode",             config_parse_mode,            &u->socket.socket_mode,                          "Socket"  },
                 { "KillMode",               config_parse_kill_mode,       &u->socket.kill_mode,                            "Socket"  },
                 { "Accept",                 config_parse_bool,            &u->socket.accept,                               "Socket"  },
-                { "TCPWrapName",            config_parse_string,          &u->socket.tcpwrap_name,                         "Socket"  },
                 EXEC_CONTEXT_CONFIG_ITEMS(u->socket.exec_context, "Socket"),
 
                 { "What",                   config_parse_string,          &u->mount.parameters_fragment.what,              "Mount"   },
index 71f1672..1852fe9 100644 (file)
@@ -36,7 +36,6 @@
 #include "strv.h"
 #include "unit-name.h"
 #include "dbus-socket.h"
-#include "tcpwrap.h"
 
 static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
         [SOCKET_DEAD] = UNIT_INACTIVE,
@@ -108,9 +107,6 @@ static void socket_done(Unit *u) {
         free(s->bind_to_device);
         s->bind_to_device = NULL;
 
-        free(s->tcpwrap_name);
-        s->tcpwrap_name = NULL;
-
         unit_unwatch_timer(u, &s->timer_watch);
 }
 
@@ -309,11 +305,6 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
                         "%sBindToDevice: %s\n",
                         prefix, s->bind_to_device);
 
-        if (s->tcpwrap_name)
-                fprintf(f,
-                        "%sTCPWrapName: %s\n",
-                        prefix, s->tcpwrap_name);
-
         if (s->accept)
                 fprintf(f,
                         "%sAccepted: %u\n",
@@ -1221,12 +1212,6 @@ static void socket_fd_event(Unit *u, int fd, uint32_t events, Watch *w) {
 
                         break;
                 }
-
-                if (s->tcpwrap_name)
-                        if (!socket_tcpwrap(cfd, s->tcpwrap_name)) {
-                                close_nointr_nofail(cfd);
-                                return;
-                        }
         }
 
         socket_enter_running(s, cfd);
index de3e913..5a2cd06 100644 (file)
@@ -101,8 +101,6 @@ struct Socket {
         mode_t directory_mode;
         mode_t socket_mode;
 
-        char *tcpwrap_name;
-
         bool accept;
         unsigned n_accepted;