From a59cb62cf22a1618b6fa7e4e7dffe0b6f8920b96 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Mauricio=20V=C3=A1squez?=
Date: Thu, 21 Jan 2021 11:29:36 -0500
Subject: [PATCH] core: add D-bus properties for RestrictNetworkInterfaces=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Mauricio Vásquez
---
 src/core/dbus-cgroup.c | 101 +++++++++++++++++++++++++++++++++++++
 src/shared/bus-unit-util.c | 3 +-
 2 files changed, 103 insertions(+), 1 deletion(-)
diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c
index 77fbca8389..75efa9fe1f 100644
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@@ -20,6 +20,7 @@
 #include "parse-util.h"
 #include "path-util.h"
 #include "percent-util.h"
+#include "socket-util.h"
 BUS_DEFINE_PROPERTY_GET(bus_property_get_tasks_max, "t", TasksMax, tasks_max_resolve);
@@ -403,6 +404,47 @@ static int property_get_socket_bind(
 return sd_bus_message_close_container(reply);
 }
+static int property_get_restrict_network_interfaces(
+ sd_bus *bus,
+ const char *path,
+ const char *interface,
+ const char *property,
+ sd_bus_message *reply,
+ void *userdata,
+ sd_bus_error *error) {
+ int r;
+ CGroupContext *c = userdata;
+ char *iface;
+
+ assert(bus);
+ assert(reply);
+ assert(c);
+
+ r = sd_bus_message_open_container(reply, 'r', "bas");
+ if (r < 0)
+ return r;
+
+ r = sd_bus_message_append(reply, "b", c->restrict_network_interfaces_is_allow_list);
+ if (r < 0)
+ return r;
+
+ r = sd_bus_message_open_container(reply, 'a', "s");
+ if (r < 0)
+ return r;
+
+ SET_FOREACH(iface, c->restrict_network_interfaces) {
+ r = sd_bus_message_append(reply, "s", iface);
+ if (r < 0)
+ return r;
+ }
+
+ r = sd_bus_message_close_container(reply);
+ if (r < 0)
+ return r;
+
+ return sd_bus_message_close_container(reply);
+}
+
 const sd_bus_vtable bus_cgroup_vtable[] = {
 SD_BUS_VTABLE_START(0),
 SD_BUS_PROPERTY("Delegate", "b", bus_property_get_bool, offsetof(CGroupContext, delegate), 0),
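Review bot: property_get_restrict_network_interfaces() emits the names in Set iteration order via SET_FOREACH, which is hash order and not guaranteed stable from one manager run to the next, so the same configuration can surface with a different element order in the property. Clients should treat it as a set, but it makes `systemctl show` output and any test expectation on this property non-reproducible; if the sibling getters in this file don't sort either, treat this as a consistency wish rather than a defect. A stable alternative replaces the open_container('a')/SET_FOREACH/close_container trio with `_cleanup_strv_free_ char **l = set_get_strv(c->restrict_network_interfaces); if (!l) return -ENOMEM;` followed by `strv_sort(l); r = sd_bus_message_append_strv(reply, l);`. A header comment such as `/* Exposes RestrictNetworkInterfaces= as (bas): the allow-list flag, then the configured interface names. */` would also document the encoding, which is otherwise only implied by the "bas" container signature.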
@@ -457,6 +499,7 @@ const sd_bus_vtable bus_cgroup_vtable[] = {
 SD_BUS_PROPERTY("BPFProgram", "a(ss)", property_get_bpf_foreign_program, 0, 0),
 SD_BUS_PROPERTY("SocketBindAllow", "a(iiqq)", property_get_socket_bind, offsetof(CGroupContext, socket_bind_allow), 0),
 SD_BUS_PROPERTY("SocketBindDeny", "a(iiqq)", property_get_socket_bind, offsetof(CGroupContext, socket_bind_deny), 0),
+ SD_BUS_PROPERTY("RestrictNetworkInterfaces", "(bas)", property_get_restrict_network_interfaces, 0, 0),
 SD_BUS_VTABLE_END
 };
@@ -1963,6 +2006,64 @@ int bus_cgroup_set_property(
 return 1;
 }
+ if (streq(name, "RestrictNetworkInterfaces")) {
+ int is_allow_list;
+ _cleanup_strv_free_ char **l = NULL;
+
+ r = sd_bus_message_enter_container(message, 'r', "bas");
+ if (r < 0)
+ return r;
+
+ r = sd_bus_message_read(message, "b", &is_allow_list);
+ if (r < 0)
+ return r;
+
+ r = sd_bus_message_read_strv(message, &l);
+ if (r < 0)
+ return r;
+
+ r = sd_bus_message_exit_container(message);
+ if (r < 0)
+ return r;
+
+ if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
+ _cleanup_free_ char *joined = NULL;
+ char **s;
+
+ if (strv_isempty(l)) {
+ c->restrict_network_interfaces_is_allow_list = false;
+ c->restrict_network_interfaces = set_free(c->restrict_network_interfaces);
+
+ unit_write_settingf(u, flags, name, "%s=", name);
+ return 1;
+ }
+
+ if (set_isempty(c->restrict_network_interfaces))
+ c->restrict_network_interfaces_is_allow_list = is_allow_list;
+
+ STRV_FOREACH(s, l) {
+ if (!ifname_valid(*s)) {
+ log_full(LOG_WARNING, "Invalid interface name, ignoring: %s", *s);
+ continue;
+ }
+ if (c->restrict_network_interfaces_is_allow_list != (bool) is_allow_list)
+ free(set_remove(c->restrict_network_interfaces, *s));
+ else {
+ r = set_put_strdup(&c->restrict_network_interfaces, *s);
+ if (r < 0)
+ return log_oom();
+ }
+ }
+
+ joined = strv_join(l, " ");
+ if (!joined)
+ return -ENOMEM;
+
+ unit_write_settingf(u, flags, name, "%s=%s%s", name, is_allow_list ? "" : "~", joined);
+ }
+
+ return 1;
+ }
 if (streq(name, "DisableControllers") || (u->transient && u->load_state == UNIT_STUB))
 return bus_cgroup_set_transient_property(u, c, name, message, flags, error);
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index 1ff1e7600d..669d0df058 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
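Review bot: In the RestrictNetworkInterfaces branch an entry that fails ifname_valid() is only logged with log_full(LOG_WARNING, ...) and skipped, so the D-Bus caller gets success while its entry is silently dropped, and because `joined` is built from the unvalidated `l` the rejected name is still persisted into the drop-in by unit_write_settingf(), where it will raise the same warning on every reload. The check also sits inside the `!UNIT_WRITE_FLAGS_NOOP(flags)` block, so a no-op/validation-only call never reports the problem at all. I'd validate every entry right after exiting the container and fail with `sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, ...)`, which is how I'd expect the other properties in this function to reject bad input (their code, and the start and end of bus_cgroup_set_property(), are outside the hunk); the rewritten lines are below. Minor: if a warning is kept anywhere, the tree spells it `log_warning(...)` rather than `log_full(LOG_WARNING, ...)`.
```c
        if (streq(name, "RestrictNetworkInterfaces")) {
                int is_allow_list;
                _cleanup_strv_free_ char **l = NULL;
                char **s;

                /* … unchanged: enter container, read "b", read strv, exit container … */

                /* Reject bad names before touching the context, so a single bad entry is neither
                 * silently dropped nor persisted into the drop-in written below. */
                STRV_FOREACH(s, l)
                        if (!ifname_valid(*s))
                                return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS,
                                                         "Invalid interface name: %s", *s);

                if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
                        _cleanup_free_ char *joined = NULL;

                        /* … unchanged, with the ifname_valid() check dropped from the STRV_FOREACH loop … */
```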
@@ -1384,7 +1384,8 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
 if (STR_IN_SET(field,
 "RestrictAddressFamilies",
 "SystemCallFilter",
- "SystemCallLog")) {
+ "SystemCallLog",
+ "RestrictNetworkInterfaces")) {
 int allow_list = 1;
 const char *p = eq;
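Review bot: Adding RestrictNetworkInterfaces to this STR_IN_SET routes it through the `~`-prefixed, space-separated list parser shared with RestrictAddressFamilies/SystemCallFilter/SystemCallLog, which is consistent with the `(bas)` signature the manager registers for it; the parser body that actually appends the struct is below the hunk, so the marshalling itself isn't verifiable here. The display side is not touched by the patch: if `systemctl show` special-cases these same property names when printing a `(bas)` value, this name needs adding there too or the property will fall through to the generic printer. A grep for the existing "SystemCallLog" special cases outside bus-unit-util.c would settle that before merging. The enclosing bus_append_execute_property() starts before and continues past the hunk.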