core: add load fragment implementation for RestrictNetworkInterfaces=
Signed-off-by: Mauricio Vásquez <mauricio@kinvolk.io>
This commit is contained in:
parent
6f50d4f7d6
commit
4f0c25c794
@ -233,6 +233,7 @@
|
||||
{{type}}.BPFProgram, config_parse_bpf_foreign_program, 0, offsetof({{type}}, cgroup_context)
|
||||
{{type}}.SocketBindAllow, config_parse_cgroup_socket_bind, 0, offsetof({{type}}, cgroup_context.socket_bind_allow)
|
||||
{{type}}.SocketBindDeny, config_parse_cgroup_socket_bind, 0, offsetof({{type}}, cgroup_context.socket_bind_deny)
|
||||
{{type}}.RestrictNetworkInterfaces, config_parse_restrict_network_interfaces, 0, offsetof({{type}}, cgroup_context)
|
||||
{%- endmacro -%}
|
||||
|
||||
%{
|
||||
|
@ -5711,6 +5711,72 @@ int config_parse_cgroup_socket_bind(
|
||||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_restrict_network_interfaces(
|
||||
const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
const char *section,
|
||||
unsigned section_line,
|
||||
const char *lvalue,
|
||||
int ltype,
|
||||
const char *rvalue,
|
||||
void *data,
|
||||
void *userdata) {
|
||||
CGroupContext *c = data;
|
||||
bool is_allow_rule = true;
|
||||
int r;
|
||||
|
||||
assert(filename);
|
||||
assert(lvalue);
|
||||
assert(rvalue);
|
||||
assert(data);
|
||||
|
||||
if (isempty(rvalue)) {
|
||||
/* Empty assignment resets the list */
|
||||
c->restrict_network_interfaces = set_free(c->restrict_network_interfaces);
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (rvalue[0] == '~') {
|
||||
is_allow_rule = false;
|
||||
rvalue++;
|
||||
}
|
||||
|
||||
if (set_isempty(c->restrict_network_interfaces))
|
||||
/* Only initialize this when creating the set */
|
||||
c->restrict_network_interfaces_is_allow_list = is_allow_rule;
|
||||
|
||||
for (const char *p = rvalue;;) {
|
||||
_cleanup_free_ char *word = NULL;
|
||||
|
||||
r = extract_first_word(&p, &word, NULL, EXTRACT_UNQUOTE);
|
||||
if (r == 0)
|
||||
break;
|
||||
if (r == -ENOMEM)
|
||||
return log_oom();
|
||||
if (r < 0) {
|
||||
log_syntax(unit, LOG_WARNING, filename, line, r,
|
||||
"Trailing garbage in %s, ignoring: %s", lvalue, rvalue);
|
||||
break;
|
||||
}
|
||||
|
||||
if (!ifname_valid(word)) {
|
||||
log_syntax(unit, LOG_WARNING, filename, line, 0, "Invalid interface name, ignoring: %s", word);
|
||||
continue;
|
||||
}
|
||||
|
||||
if (c->restrict_network_interfaces_is_allow_list != is_allow_rule)
|
||||
free(set_remove(c->restrict_network_interfaces, word));
|
||||
else {
|
||||
r = set_put_strdup(&c->restrict_network_interfaces, word);
|
||||
if (r < 0)
|
||||
return log_oom();
|
||||
}
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int merge_by_names(Unit **u, Set *names, const char *id) {
|
||||
char *k;
|
||||
int r;
|
||||
|
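Review bot: A lone `~` (RestrictNetworkInterfaces=~) is not caught by the isempty() reset check, because that check runs before the prefix is stripped on the `rvalue++` line; the loop then extracts no words, so nothing is reset or added, yet restrict_network_interfaces_is_allow_list is still flipped to false whenever the set happens to be empty. Whether that matters depends on how the cgroup code treats an empty set, which is outside this hunk, but it reads as accidental; a second `if (isempty(rvalue)) return 0;` after the strip, or a comment stating what a bare `~` is meant to do, would pin the behaviour down. The "Trailing garbage" warning also prints rvalue after the increment, so the leading `~` is missing from the logged text; logging the original pointer keeps the message faithful to what is in the unit file. The function has no header comment for the prefix semantics; I would add `/* Names without a '~' prefix build an allow-list, names with it a deny-list; the first assignment into an empty set fixes the list type, and later entries of the opposite type remove matching names. */` above it.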
@ -141,6 +141,7 @@ CONFIG_PARSER_PROTOTYPE(config_parse_socket_timestamping);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_extension_images);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_bpf_foreign_program);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_cgroup_socket_bind);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_restrict_network_interfaces);
|
||||
|
||||
/* gperf prototypes */
|
||||
const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, GPERF_LEN_TYPE length);
|
||||
|
@ -886,6 +886,7 @@ RemoveIPC=
|
||||
ReserveVT=
|
||||
RestrictAddressFamilies=
|
||||
RestrictNamespaces=
|
||||
RestrictNetworkInterfaces=
|
||||
RestrictRealtime=
|
||||
RestrictSUIDSGID=
|
||||
RuntimeDirectory=
|
||||
|
@ -144,6 +144,7 @@ RemoveIPC=
|
||||
RestartKillSignal=
|
||||
RestrictAddressFamilies=
|
||||
RestrictNamespaces=
|
||||
RestrictNetworkInterfaces=
|
||||
RestrictRealtime=
|
||||
RestrictSUIDSGID=
|
||||
RootDirectory=
|
||||
|
@ -48,6 +48,7 @@ MemoryMin=
|
||||
MemorySwapMax=
|
||||
NetClass=
|
||||
RestartKillSignal=
|
||||
RestrictNetworkInterfaces=
|
||||
RuntimeMaxSec=
|
||||
SendSIGHUP=
|
||||
SendSIGKILL=
|
||||
|
@ -275,6 +275,7 @@ RestartPreventExitStatus=
|
||||
RestartSec=
|
||||
RestrictAddressFamilies=
|
||||
RestrictNamespaces=
|
||||
RestrictNetworkInterfaces=
|
||||
RestrictRealtime=
|
||||
RestrictSUIDSGID=
|
||||
RootDirectory=
|
||||
|
@ -44,6 +44,7 @@ MemoryMax=
|
||||
MemoryMin=
|
||||
MemorySwapMax=
|
||||
NetClass=
|
||||
RestrictNetworkInterfaces=
|
||||
Slice=
|
||||
SocketBindAllow=
|
||||
SocketBindDeny=
|
||||
|
@ -180,6 +180,7 @@ RemoveOnStop=
|
||||
RestartKillSignal=
|
||||
RestrictAddressFamilies=
|
||||
RestrictNamespaces=
|
||||
RestrictNetworkInterfaces=
|
||||
RestrictRealtime=
|
||||
RestrictSUIDSGID=
|
||||
ReusePort=
|
||||
|
@ -141,6 +141,7 @@ RemoveIPC=
|
||||
RestartKillSignal=
|
||||
RestrictAddressFamilies=
|
||||
RestrictNamespaces=
|
||||
RestrictNetworkInterfaces=
|
||||
RestrictRealtime=
|
||||
RestrictSUIDSGID=
|
||||
RootDirectory=
|
||||
|