#include "securebits.h"
#include "missing.h"
#include "unit-name.h"
+#include "unit-printf.h"
#include "bus-errors.h"
#include "utf8.h"
#include "path-util.h"
+#include "syscall-list.h"
#ifndef HAVE_SYSV_COMPAT
int config_parse_warn_compat(
k = unit_full_printf(u, rvalue);
if (!k)
- return -ENOMEM;
+ return log_oom();
r = config_parse_path(filename, line, section, lvalue, ltype, k, data, userdata);
free(k);
s = SOCKET(data);
- if ((b = socket_address_bind_ipv6_only_from_string(rvalue)) < 0) {
+ b = socket_address_bind_ipv6_only_from_string(rvalue);
+ if (b < 0) {
int r;
- if ((r = parse_boolean(rvalue)) < 0) {
+ r = parse_boolean(rvalue);
+ if (r < 0) {
log_error("[%s:%u] Failed to parse bind IPv6 only value, ignoring: %s", filename, line, rvalue);
return 0;
}
if (r < 0) {
log_error("[%s:%u] Failed to parse capability bounding set, ignoring: %s", filename, line, rvalue);
- return 0;
+ continue;
}
sum |= ((uint64_t) 1ULL) << (uint64_t) cap;
Path *p = data;
PathSpec *s;
PathType b;
+ char *k;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
- if ((b = path_type_from_string(lvalue)) < 0) {
+ b = path_type_from_string(lvalue);
+ if (b < 0) {
log_error("[%s:%u] Failed to parse path type, ignoring: %s", filename, line, lvalue);
return 0;
}
- if (!path_is_absolute(rvalue)) {
- log_error("[%s:%u] Path is not absolute, ignoring: %s", filename, line, rvalue);
+ k = unit_full_printf(UNIT(p), rvalue);
+ if (!k)
+ return log_oom();
+
+ if (!path_is_absolute(k)) {
+ log_error("[%s:%u] Path is not absolute, ignoring: %s", filename, line, k);
+ free(k);
return 0;
}
- if (!(s = new0(PathSpec, 1)))
- return -ENOMEM;
-
- if (!(s->path = strdup(rvalue))) {
- free(s);
- return -ENOMEM;
+ s = new0(PathSpec, 1);
+ if (!s) {
+ free(k);
+ return log_oom();
}
- path_kill_slashes(s->path);
-
+ s->path = path_kill_slashes(k);
s->type = b;
s->inotify_fd = -1;
r = config_parse_usec(filename, line, section, lvalue, ltype, rvalue, data, userdata);
- if (!r)
- s->timeout_defined = true;
+ if (r)
+ return r;
- return r;
+ if (streq(lvalue, "TimeoutSec")) {
+ s->start_timeout_defined = true;
+ s->timeout_stop_usec = s->timeout_start_usec;
+ } else if (streq(lvalue, "TimeoutStartSec"))
+ s->start_timeout_defined = true;
+
+ return 0;
}
int config_parse_unit_env_file(
Unit *u = data;
bool trigger, negate;
Condition *c;
+ _cleanup_free_ char *p = NULL;
assert(filename);
assert(lvalue);
if (negate)
rvalue++;
- if (!path_is_absolute(rvalue)) {
- log_error("[%s:%u] Path in condition not absolute, ignoring: %s", filename, line, rvalue);
+ p = unit_full_printf(u, rvalue);
+ if (!p)
+ return -ENOMEM;
+
+ if (!path_is_absolute(p)) {
+ log_error("[%s:%u] Path in condition not absolute, ignoring: %s", filename, line, p);
return 0;
}
- c = condition_new(cond, rvalue, trigger, negate);
+ c = condition_new(cond, p, trigger, negate);
if (!c)
return -ENOMEM;
Unit *u = data;
bool trigger, negate;
Condition *c;
+ _cleanup_free_ char *s = NULL;
assert(filename);
assert(lvalue);
assert(rvalue);
assert(data);
- if ((trigger = rvalue[0] == '|'))
+ trigger = rvalue[0] == '|';
+ if (trigger)
rvalue++;
- if ((negate = rvalue[0] == '!'))
+ negate = rvalue[0] == '!';
+ if (negate)
rvalue++;
- if (!(c = condition_new(cond, rvalue, trigger, negate)))
+ s = unit_full_printf(u, rvalue);
+ if (!s)
return -ENOMEM;
+ c = condition_new(cond, s, trigger, negate);
+ if (!c)
+ return log_oom();
+
LIST_PREPEND(Condition, conditions, u->conditions, c);
return 0;
}
return r;
}
+static void syscall_set(uint32_t *p, int nr) {
+ p[nr >> 4] |= 1 << (nr & 31);
+}
+
+static void syscall_unset(uint32_t *p, int nr) {
+ p[nr >> 4] &= ~(1 << (nr & 31));
+}
+
+int config_parse_syscall_filter(
+ const char *filename,
+ unsigned line,
+ const char *section,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ ExecContext *c = data;
+ Unit *u = userdata;
+ bool invert = false;
+ char *w;
+ size_t l;
+ char *state;
+
+ assert(filename);
+ assert(lvalue);
+ assert(rvalue);
+ assert(u);
+
+ if (rvalue[0] == '~') {
+ invert = true;
+ rvalue++;
+ }
+
+ if (!c->syscall_filter) {
+ size_t n;
+
+ n = (syscall_max() + 31) >> 4;
+ c->syscall_filter = new(uint32_t, n);
+ if (!c->syscall_filter)
+ return -ENOMEM;
+
+ memset(c->syscall_filter, invert ? 0xFF : 0, n * sizeof(uint32_t));
+
+ /* Add these by default */
+ syscall_set(c->syscall_filter, __NR_execve);
+ syscall_set(c->syscall_filter, __NR_rt_sigreturn);
+#ifdef __NR_sigreturn
+ syscall_set(c->syscall_filter, __NR_sigreturn);
+#endif
+ syscall_set(c->syscall_filter, __NR_exit_group);
+ syscall_set(c->syscall_filter, __NR_exit);
+ }
+
+ FOREACH_WORD_QUOTED(w, l, rvalue, state) {
+ int id;
+ char *t;
+
+ t = strndup(w, l);
+ if (!t)
+ return -ENOMEM;
+
+ id = syscall_from_name(t);
+ free(t);
+
+ if (id < 0) {
+ log_error("[%s:%u] Failed to parse syscall, ignoring: %s", filename, line, rvalue);
+ continue;
+ }
+
+ if (invert)
+ syscall_unset(c->syscall_filter, id);
+ else
+ syscall_set(c->syscall_filter, id);
+ }
+
+ c->no_new_privileges = true;
+
+ return 0;
+}
+
#define FOLLOW_MAX 8
static int open_follow(char **filename, FILE **_f, Set *names, char **_final) {
goto finish;
}
- zero(st);
if (fstat(fileno(f), &st) < 0) {
r = -errno;
goto finish;
~ianmdlvl / elogind.git / blobdiff