mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-22 13:33:56 +03:00
Merge pull request #3764 from poettering/assorted-stuff-2
Assorted fixes
This commit is contained in:
commit
5c3c778014
@ -137,7 +137,7 @@ enum nss_status _nss_##module##_getpwnam_r( \
|
||||
struct passwd *pwd, \
|
||||
char *buffer, size_t buflen, \
|
||||
int *errnop) _public_; \
|
||||
enum nss_status _nss_mymachines_getpwuid_r( \
|
||||
enum nss_status _nss_##module##_getpwuid_r( \
|
||||
uid_t uid, \
|
||||
struct passwd *pwd, \
|
||||
char *buffer, size_t buflen, \
|
||||
|
@ -290,10 +290,10 @@ static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
|
||||
}
|
||||
|
||||
static int connect_logger_as(
|
||||
Unit *unit,
|
||||
const ExecContext *context,
|
||||
ExecOutput output,
|
||||
const char *ident,
|
||||
const char *unit_id,
|
||||
int nfd,
|
||||
uid_t uid,
|
||||
gid_t gid) {
|
||||
@ -329,7 +329,7 @@ static int connect_logger_as(
|
||||
"%i\n"
|
||||
"%i\n",
|
||||
context->syslog_identifier ? context->syslog_identifier : ident,
|
||||
unit_id,
|
||||
unit->id,
|
||||
context->syslog_priority,
|
||||
!!context->syslog_level_prefix,
|
||||
output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
|
||||
@ -544,7 +544,7 @@ static int setup_output(
|
||||
case EXEC_OUTPUT_KMSG_AND_CONSOLE:
|
||||
case EXEC_OUTPUT_JOURNAL:
|
||||
case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
|
||||
r = connect_logger_as(context, o, ident, unit->id, fileno, uid, gid);
|
||||
r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
|
||||
if (r < 0) {
|
||||
log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
|
||||
r = open_null_as(O_WRONLY, fileno);
|
||||
@ -3062,7 +3062,7 @@ int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
|
||||
return r;
|
||||
|
||||
if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
|
||||
if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
|
||||
if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
|
||||
return -errno;
|
||||
}
|
||||
|
||||
|
@ -30,6 +30,7 @@ typedef struct ExecParameters ExecParameters;
|
||||
#include <stdio.h>
|
||||
#include <sys/capability.h>
|
||||
|
||||
#include "cgroup-util.h"
|
||||
#include "fdset.h"
|
||||
#include "list.h"
|
||||
#include "missing.h"
|
||||
@ -203,9 +204,6 @@ struct ExecContext {
|
||||
bool no_new_privileges_set:1;
|
||||
};
|
||||
|
||||
#include "cgroup-util.h"
|
||||
#include "cgroup.h"
|
||||
|
||||
struct ExecParameters {
|
||||
char **argv;
|
||||
char **environment;
|
||||
@ -236,6 +234,8 @@ struct ExecParameters {
|
||||
int stderr_fd;
|
||||
};
|
||||
|
||||
#include "unit.h"
|
||||
|
||||
int exec_spawn(Unit *unit,
|
||||
ExecCommand *command,
|
||||
const ExecContext *context,
|
||||
|
@ -642,7 +642,7 @@ int setup_netns(int netns_storage_socket[2]) {
|
||||
}
|
||||
|
||||
fail:
|
||||
lockf(netns_storage_socket[0], F_ULOCK, 0);
|
||||
(void) lockf(netns_storage_socket[0], F_ULOCK, 0);
|
||||
return r;
|
||||
}
|
||||
|
||||
|
@ -21,7 +21,9 @@
|
||||
|
||||
typedef struct Scope Scope;
|
||||
|
||||
#include "cgroup.h"
|
||||
#include "kill.h"
|
||||
#include "unit.h"
|
||||
|
||||
typedef enum ScopeResult {
|
||||
SCOPE_SUCCESS,
|
||||
|
@ -297,18 +297,19 @@ int mount_all(const char *dest,
|
||||
} MountPoint;
|
||||
|
||||
static const MountPoint mount_table[] = {
|
||||
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true, true, false },
|
||||
{ "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true, true, false }, /* Bind mount first */
|
||||
{ NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, true, true, false }, /* Then, make it r/o */
|
||||
{ "tmpfs", "/sys", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV, true, false, true },
|
||||
{ "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true, false, false },
|
||||
{ "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true, false, false },
|
||||
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false },
|
||||
{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false },
|
||||
{ "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, true, false, false },
|
||||
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true, true, false },
|
||||
{ "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true, true, false }, /* Bind mount first ...*/
|
||||
{ "/proc/sys/net", "/proc/sys/net", NULL, NULL, MS_BIND, true, true, true }, /* (except for this) */
|
||||
{ NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, true, true, false }, /* ... then, make it r/o */
|
||||
{ "tmpfs", "/sys", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV, true, false, true },
|
||||
{ "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true, false, false },
|
||||
{ "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true, false, false },
|
||||
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false },
|
||||
{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false },
|
||||
{ "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, true, false, false },
|
||||
#ifdef HAVE_SELINUX
|
||||
{ "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false, false, false }, /* Bind mount first */
|
||||
{ NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, false, false, false }, /* Then, make it r/o */
|
||||
{ "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false, false, false }, /* Bind mount first */
|
||||
{ NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, false, false, false }, /* Then, make it r/o */
|
||||
#endif
|
||||
};
|
||||
|
||||
|
@ -101,9 +101,11 @@
|
||||
#include "util.h"
|
||||
|
||||
/* Note that devpts's gid= parameter parses GIDs as signed values, hence we stay away from the upper half of the 32bit
|
||||
* UID range here */
|
||||
* UID range here. We leave a bit of room at the lower end and a lot of room at the upper end, so that other subsystems
|
||||
* may have their own allocation ranges too. */
|
||||
#define UID_SHIFT_PICK_MIN ((uid_t) UINT32_C(0x00080000))
|
||||
#define UID_SHIFT_PICK_MAX ((uid_t) UINT32_C(0x6FFF0000))
|
||||
|
||||
/* nspawn is listening on the socket at the path in the constant nspawn_notify_socket_path
|
||||
* nspawn_notify_socket_path is relative to the container
|
||||
* the init process in the container pid can send messages to nspawn following the sd_notify(3) protocol */
|
||||
@ -277,7 +279,6 @@ static void help(void) {
|
||||
, program_invocation_short_name);
|
||||
}
|
||||
|
||||
|
||||
static int custom_mounts_prepare(void) {
|
||||
unsigned i;
|
||||
int r;
|
||||
|
@ -708,6 +708,7 @@ int config_parse_strv(const char *unit,
|
||||
void *userdata) {
|
||||
|
||||
char ***sv = data;
|
||||
int r;
|
||||
|
||||
assert(filename);
|
||||
assert(lvalue);
|
||||
@ -721,18 +722,19 @@ int config_parse_strv(const char *unit,
|
||||
* we actually fill in a real empty array here rather
|
||||
* than NULL, since some code wants to know if
|
||||
* something was set at all... */
|
||||
empty = strv_new(NULL, NULL);
|
||||
empty = new0(char*, 1);
|
||||
if (!empty)
|
||||
return log_oom();
|
||||
|
||||
strv_free(*sv);
|
||||
*sv = empty;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
for (;;) {
|
||||
char *word = NULL;
|
||||
int r;
|
||||
|
||||
r = extract_first_word(&rvalue, &word, WHITESPACE, EXTRACT_QUOTES|EXTRACT_RETAIN_ESCAPE);
|
||||
if (r == 0)
|
||||
break;
|
||||
|
@ -20,7 +20,7 @@ RestartForceExitStatus=133
|
||||
SuccessExitStatus=133
|
||||
Slice=machine.slice
|
||||
Delegate=yes
|
||||
TasksMax=8192
|
||||
TasksMax=16384
|
||||
|
||||
# Enforce a strict device policy, similar to the one nspawn configures
|
||||
# when it allocates its own scope unit. Make sure to keep these
|
||||
|
Loading…
Reference in New Issue
Block a user