X-Git-Url: https://www.chiark.greenend.org.uk/ucgi/~ianmdlvl/git?a=blobdiff_plain;f=src%2Fcore%2Fload-fragment.c;h=fa4e931b23c30897e172320f3d77f60a147d4180;hb=22fdeadcc06e95fe41ac4de872ec245c0887547f;hp=5628d8c910df94530471c462a33568feb08d5144;hpb=b5d742138f71e87312541a89aac5657015f50f48;p=elogind.git diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index 5628d8c91..fa4e931b2 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -33,6 +33,8 @@ #include #include #include +#include +#include #ifdef HAVE_SECCOMP #include @@ -1123,15 +1125,13 @@ int config_parse_exec_mount_flags(const char *unit, return log_oom(); if (streq(t, "shared")) - flags |= MS_SHARED; + flags = MS_SHARED; else if (streq(t, "slave")) - flags |= MS_SLAVE; + flags = MS_SLAVE; else if (streq(w, "private")) - flags |= MS_PRIVATE; + flags = MS_PRIVATE; else { - log_syntax(unit, LOG_ERR, filename, line, EINVAL, - "Failed to parse mount flag %s, ignoring: %s", - t, rvalue); + log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Failed to parse mount flag %s, ignoring: %s", t, rvalue); return 0; } } @@ -1606,6 +1606,89 @@ int config_parse_busname_service( return 0; } +int config_parse_bus_policy( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + _cleanup_free_ BusNamePolicy *p = NULL; + _cleanup_free_ char *id_str = NULL; + BusName *busname = data; + char *access_str; + int r; + + assert(filename); + assert(lvalue); + assert(rvalue); + assert(data); + + p = new0(BusNamePolicy, 1); + if (!p) + return log_oom(); + + if (streq(lvalue, "AllowUser")) + p->type = BUSNAME_POLICY_TYPE_USER; + else if (streq(lvalue, "AllowGroup")) + p->type = BUSNAME_POLICY_TYPE_GROUP; + else if (streq(lvalue, "AllowWorld")) + p->type = BUSNAME_POLICY_TYPE_WORLD; + else + assert_not_reached("Unknown lvalue"); + + id_str = strdup(rvalue); + if (!id_str) + return log_oom(); + + if (p->type != BUSNAME_POLICY_TYPE_WORLD) { + access_str = strchr(id_str, ' '); + if (!access_str) { + log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Invalid busname policy value '%s'", rvalue); + return 0; + } + + *access_str = '\0'; + access_str++; + + if (p->type == BUSNAME_POLICY_TYPE_USER) { + const char *user = id_str; + + r = get_user_creds(&user, &p->uid, NULL, NULL, NULL); + if (r < 0) { + log_syntax(unit, LOG_ERR, filename, line, r, "Unable to parse uid from '%s'", id_str); + return 0; + } + } else { + const char *group = id_str; + + r = get_group_creds(&group, &p->gid); + if (r < 0) { + log_syntax(unit, LOG_ERR, filename, line, -errno, "Unable to parse gid from '%s'", id_str); + return 0; + } + } + } else { + access_str = id_str; + } + + p->access = busname_policy_access_from_string(access_str); + if (p->access < 0) { + log_syntax(unit, LOG_ERR, filename, line, EINVAL, "Invalid busname policy access type '%s'", access_str); + return 0; + } + + LIST_PREPEND(policy, busname->policy, p); + p = NULL; + + return 0; +} + int config_parse_unit_env_file(const char *unit, const char *filename, unsigned line, @@ -2122,7 +2205,10 @@ int config_parse_syscall_filter( set_remove(c->syscall_filter, INT_TO_PTR(id + 1)); } - c->no_new_privileges = true; + /* Turn on NNP, but only if it wasn't configured explicitly + * before, and only if we are in user mode. */ + if (!c->no_new_privileges_set && u->manager->running_as == SYSTEMD_USER) + c->no_new_privileges = true; return 0; } @@ -2902,6 +2988,38 @@ int config_parse_namespace_path_strv( return 0; } +int config_parse_no_new_priviliges( + const char* unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + ExecContext *c = data; + int k; + + assert(filename); + assert(lvalue); + assert(rvalue); + assert(data); + + k = parse_boolean(rvalue); + if (k < 0) { + log_syntax(unit, LOG_ERR, filename, line, -k, "Failed to parse boolean value, ignoring: %s", rvalue); + return 0; + } + + c->no_new_privileges = !!k; + c->no_new_privileges_set = true; + + return 0; +} + #define FOLLOW_MAX 8 static int open_follow(char **filename, FILE **_f, Set *names, char **_final) { @@ -2965,7 +3083,7 @@ static int open_follow(char **filename, FILE **_f, Set *names, char **_final) { f = fdopen(fd, "re"); if (!f) { r = -errno; - close_nointr_nofail(fd); + safe_close(fd); return r; }