#include "ioprio.h"
#include "securebits.h"
#include "namespace.h"
-#include "tcpwrap.h"
#include "exit-status.h"
#include "missing.h"
#include "utmp-wtmp.h"
#include "af-list.h"
#include "mkdir.h"
#include "apparmor-util.h"
+#include "label.h"
#ifdef HAVE_SECCOMP
#include "seccomp-util.h"
i == EXEC_INPUT_TTY_FAIL,
i == EXEC_INPUT_TTY_FORCE,
false,
- (usec_t) -1);
+ USEC_INFINITY);
if (fd < 0)
return fd;
static int ask_for_confirmation(char *response, char **argv) {
int saved_stdout = -1, saved_stdin = -1, r;
- char *line;
+ _cleanup_free_ char *line = NULL;
r = setup_confirm_stdio(&saved_stdin, &saved_stdout);
if (r < 0)
if (!line)
return -ENOMEM;
- r = ask(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
- free(line);
+ r = ask_char(response, "yns", "Execute %s? [Yes, No, Skip] ", line);
restore_confirm_stdio(&saved_stdin, &saved_stdout);
return -ENOMEM;
our_env[n_env++] = x;
- if (asprintf(&x, "WATCHDOG_USEC=%llu", (unsigned long long) watchdog_usec) < 0)
+ if (asprintf(&x, "WATCHDOG_USEC="USEC_FMT, watchdog_usec) < 0)
return -ENOMEM;
our_env[n_env++] = x;
}
goto fail_child;
}
- if (context->tcpwrap_name) {
- if (socket_fd >= 0)
- if (!socket_tcpwrap(socket_fd, context->tcpwrap_name)) {
- err = -EACCES;
- r = EXIT_TCPWRAP;
- goto fail_child;
- }
-
- for (i = 0; i < (int) n_fds; i++) {
- if (!socket_tcpwrap(fds[i], context->tcpwrap_name)) {
- err = -EACCES;
- r = EXIT_TCPWRAP;
- goto fail_child;
- }
- }
- }
-
exec_context_tty_reset(context);
if (confirm_spawn) {
goto fail_child;
}
- if (context->timer_slack_nsec != (nsec_t) -1)
+ if (context->timer_slack_nsec != NSEC_INFINITY)
if (prctl(PR_SET_TIMERSLACK, context->timer_slack_nsec) < 0) {
err = -errno;
r = EXIT_TIMERSLACK;
!strv_isempty(context->inaccessible_dirs) ||
context->mount_flags != 0 ||
(context->private_tmp && runtime && (runtime->tmp_dir || runtime->var_tmp_dir)) ||
- context->private_devices) {
+ context->private_devices ||
+ context->protect_system != PROTECT_SYSTEM_NO ||
+ context->protect_home != PROTECT_HOME_NO) {
char *tmp = NULL, *var = NULL;
tmp,
var,
context->private_devices,
+ context->protect_home,
+ context->protect_system,
context->mount_flags);
-
if (err < 0) {
r = EXIT_NAMESPACE;
goto fail_child;
goto fail_child;
}
}
+
+ if (context->selinux_label_via_net && use_selinux()) {
+ _cleanup_free_ char *label = NULL;
+
+ err = label_get_child_label(socket_fd, command->path, &label);
+ if (err < 0) {
+ r = EXIT_SELINUX_CONTEXT;
+ goto fail_child;
+ }
+
+ err = setexeccon(label);
+ if (err < 0) {
+ r = EXIT_SELINUX_CONTEXT;
+ goto fail_child;
+ }
+ }
#endif
#ifdef HAVE_APPARMOR
c->syslog_priority = LOG_DAEMON|LOG_INFO;
c->syslog_level_prefix = true;
c->ignore_sigpipe = true;
- c->timer_slack_nsec = (nsec_t) -1;
+ c->timer_slack_nsec = NSEC_INFINITY;
c->personality = 0xffffffffUL;
c->runtime_directory_mode = 0755;
}
free(c->tty_path);
c->tty_path = NULL;
- free(c->tcpwrap_name);
- c->tcpwrap_name = NULL;
-
free(c->syslog_identifier);
c->syslog_identifier = NULL;
return -EINVAL;
}
for (n = 0; n < count; n++) {
- k = load_env_file(pglob.gl_pathv[n], NULL, &p);
+ k = load_env_file(NULL, pglob.gl_pathv[n], NULL, &p);
if (k < 0) {
if (ignore)
continue;
}
static bool tty_may_match_dev_console(const char *tty) {
- char *active = NULL, *console;
- bool b;
+ _cleanup_free_ char *active = NULL;
+ char *console;
if (startswith(tty, "/dev/"))
tty += 5;
return true;
/* "tty0" means the active VC, so it may be the same sometimes */
- b = streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
- free(active);
-
- return b;
+ return streq(console, tty) || (streq(console, "tty0") && tty_is_vc(tty));
}
bool exec_context_may_touch_console(ExecContext *ec) {
"%sPrivateTmp: %s\n"
"%sPrivateNetwork: %s\n"
"%sPrivateDevices: %s\n"
- "%sIgnoreSIGPIPE: %s\n",
+ "%sProtectHome: %s\n"
+ "%sProtectSystem: %s\n"
+ "%sIgnoreSIGPIPE: %s\n"
+ "%sSELinuxLabelViaNet: %s\n",
prefix, c->umask,
prefix, c->working_directory ? c->working_directory : "/",
prefix, c->root_directory ? c->root_directory : "/",
prefix, yes_no(c->private_tmp),
prefix, yes_no(c->private_network),
prefix, yes_no(c->private_devices),
- prefix, yes_no(c->ignore_sigpipe));
+ prefix, protect_home_to_string(c->protect_home),
+ prefix, protect_system_to_string(c->protect_system),
+ prefix, yes_no(c->ignore_sigpipe),
+ prefix, yes_no(c->selinux_label_via_net));
STRV_FOREACH(e, c->environment)
fprintf(f, "%sEnvironment: %s\n", prefix, *e);
STRV_FOREACH(e, c->environment_files)
fprintf(f, "%sEnvironmentFile: %s\n", prefix, *e);
- if (c->tcpwrap_name)
- fprintf(f,
- "%sTCPWrapName: %s\n",
- prefix, c->tcpwrap_name);
-
if (c->nice_set)
fprintf(f,
"%sNice: %i\n",
for (i = 0; i < RLIM_NLIMITS; i++)
if (c->rlimit[i])
- fprintf(f, "%s%s: %llu\n", prefix, rlimit_to_string(i), (unsigned long long) c->rlimit[i]->rlim_max);
+ fprintf(f, "%s%s: "RLIM_FMT"\n",
+ prefix, rlimit_to_string(i), c->rlimit[i]->rlim_max);
if (c->ioprio_set) {
_cleanup_free_ char *class_str = NULL;
fputs("\n", f);
}
- if (c->timer_slack_nsec != (nsec_t) -1)
+ if (c->timer_slack_nsec != NSEC_INFINITY)
fprintf(f, "%sTimerSlackNSec: "NSEC_FMT "\n", prefix, c->timer_slack_nsec);
fprintf(f,
}
void exec_command_dump(ExecCommand *c, FILE *f, const char *prefix) {
- char *p2;
+ _cleanup_free_ char *p2 = NULL;
const char *prefix2;
- char *cmd;
+ _cleanup_free_ char *cmd = NULL;
assert(c);
assert(f);
"%sCommand Line: %s\n",
prefix, cmd ? cmd : strerror(ENOMEM));
- free(cmd);
-
exec_status_dump(&c->exec_status, f, prefix2);
-
- free(p2);
}
void exec_command_dump_list(ExecCommand *c, FILE *f, const char *prefix) {
if (r->n_ref <= 0) {
free(r->tmp_dir);
free(r->var_tmp_dir);
- close_pipe(r->netns_storage_socket);
+ safe_close_pair(r->netns_storage_socket);
free(r);
}
rt->var_tmp_dir = NULL;
}
- close_pipe(rt->netns_storage_socket);
+ safe_close_pair(rt->netns_storage_socket);
}
static const char* const exec_input_table[_EXEC_INPUT_MAX] = {
~ianmdlvl / elogind.git / blobdiff