chiark
/
gitweb
/
~ianmdlvl
/
elogind.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mountin...
[elogind.git]
/
src
/
core
/
execute.c
diff --git
a/src/core/execute.c
b/src/core/execute.c
index 353f2d1297619f9ca4e6b4077d5ea85cf664fbfe..78fb81f7262771d97002512bb3e5ea964bfa0c67 100644
(file)
--- a/
src/core/execute.c
+++ b/
src/core/execute.c
@@
-69,7
+69,6
@@
#include "ioprio.h"
#include "securebits.h"
#include "namespace.h"
#include "ioprio.h"
#include "securebits.h"
#include "namespace.h"
-#include "tcpwrap.h"
#include "exit-status.h"
#include "missing.h"
#include "utmp-wtmp.h"
#include "exit-status.h"
#include "missing.h"
#include "utmp-wtmp.h"
@@
-1174,7
+1173,7
@@
static int build_environment(
return -ENOMEM;
our_env[n_env++] = x;
return -ENOMEM;
our_env[n_env++] = x;
- if (asprintf(&x, "WATCHDOG_USEC=
%llu", (unsigned long long)
watchdog_usec) < 0)
+ if (asprintf(&x, "WATCHDOG_USEC=
"USEC_FMT,
watchdog_usec) < 0)
return -ENOMEM;
our_env[n_env++] = x;
}
return -ENOMEM;
our_env[n_env++] = x;
}
@@
-1362,23
+1361,6
@@
int exec_spawn(ExecCommand *command,
goto fail_child;
}
goto fail_child;
}
- if (context->tcpwrap_name) {
- if (socket_fd >= 0)
- if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
- err = -EACCES;
- r = EXIT_TCPWRAP;
- goto fail_child;
- }
-
- for (i = 0; i < (int) n_fds; i++) {
- if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
- err = -EACCES;
- r = EXIT_TCPWRAP;
- goto fail_child;
- }
- }
- }
-
exec_context_tty_reset(context);
if (confirm_spawn) {
exec_context_tty_reset(context);
if (confirm_spawn) {
@@
-1587,7
+1569,9
@@
int exec_spawn(ExecCommand *command,
!strv_isempty(context->inaccessible_dirs) ||
context->mount_flags != 0 ||
(context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
!strv_isempty(context->inaccessible_dirs) ||
context->mount_flags != 0 ||
(context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
- context->private_devices) {
+ context->private_devices ||
+ context->protect_system != PROTECT_SYSTEM_NO ||
+ context->protect_home != PROTECT_HOME_NO) {
char *tmp = NULL, *var = NULL;
char *tmp = NULL, *var = NULL;
@@
-1611,8
+1595,9
@@
int exec_spawn(ExecCommand *command,
tmp,
var,
context->private_devices,
tmp,
var,
context->private_devices,
+ context->protect_home,
+ context->protect_system,
context->mount_flags);
context->mount_flags);
-
if (err < 0) {
r = EXIT_NAMESPACE;
goto fail_child;
if (err < 0) {
r = EXIT_NAMESPACE;
goto fail_child;
@@
-1878,9
+1863,6
@@
void exec_context_done(ExecContext *c) {
free(c->tty_path);
c->tty_path = NULL;
free(c->tty_path);
c->tty_path = NULL;
- free(c->tcpwrap_name);
- c->tcpwrap_name = NULL;
-
free(c->syslog_identifier);
c->syslog_identifier = NULL;
free(c->syslog_identifier);
c->syslog_identifier = NULL;
@@
-2132,6
+2114,8
@@
void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
"%sPrivateTmp: %s\n"
"%sPrivateNetwork: %s\n"
"%sPrivateDevices: %s\n"
"%sPrivateTmp: %s\n"
"%sPrivateNetwork: %s\n"
"%sPrivateDevices: %s\n"
+ "%sProtectHome: %s\n"
+ "%sProtectSystem: %s\n"
"%sIgnoreSIGPIPE: %s\n",
prefix, c->umask,
prefix, c->working_directory ? c->working_directory : "/",
"%sIgnoreSIGPIPE: %s\n",
prefix, c->umask,
prefix, c->working_directory ? c->working_directory : "/",
@@
-2140,6
+2124,8
@@
void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
prefix, yes_no(c->private_tmp),
prefix, yes_no(c->private_network),
prefix, yes_no(c->private_devices),
prefix, yes_no(c->private_tmp),
prefix, yes_no(c->private_network),
prefix, yes_no(c->private_devices),
+ prefix, protect_home_to_string(c->protect_home),
+ prefix, protect_system_to_string(c->protect_system),
prefix, yes_no(c->ignore_sigpipe));
STRV_FOREACH(e, c->environment)
prefix, yes_no(c->ignore_sigpipe));
STRV_FOREACH(e, c->environment)
@@
-2148,11
+2134,6
@@
void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
STRV_FOREACH(e, c->environment_files)
fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
STRV_FOREACH(e, c->environment_files)
fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
- if (c->tcpwrap_name)
- fprintf(f,
- "%sTCPWrapName: %s\n",
- prefix, c->tcpwrap_name);
-
if (c->nice_set)
fprintf(f,
"%sNice: %i\n",
if (c->nice_set)
fprintf(f,
"%sNice: %i\n",
@@
-2165,7
+2146,8
@@
void exec_context_dump(ExecContext *c, FILE* f, const char *prefix) {
for (i = 0; i < RLIM_NLIMITS; i++)
if (c->rlimit[i])
for (i = 0; i < RLIM_NLIMITS; i++)
if (c->rlimit[i])
- fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
+ fprintf(f, "%s%s: "RLIM_FMT"\n",
+ prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
if (c->ioprio_set) {
_cleanup_free_ char *class_str = NULL;
if (c->ioprio_set) {
_cleanup_free_ char *class_str = NULL;