mirror of
https://github.com/systemd/systemd.git
synced 2024-12-22 17:35:35 +03:00
nspawn-oci: use SYNTHETIC_ERRNO
This commit is contained in:
parent
a3fc6b55ac
commit
19130626a0
8
coccinelle/log-json.cocci
Normal file
8
coccinelle/log-json.cocci
Normal file
@ -0,0 +1,8 @@
|
|||||||
|
@@
|
||||||
|
expression e, v, flags;
|
||||||
|
expression list args;
|
||||||
|
@@
|
||||||
|
+ return
|
||||||
|
- json_log(v, flags, 0, args);
|
||||||
|
+ json_log(v, flags, SYNTHETIC_ERRNO(e), args);
|
||||||
|
- return -e;
|
@ -74,13 +74,13 @@
|
|||||||
*/
|
*/
|
||||||
|
|
||||||
static int oci_unexpected(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
|
static int oci_unexpected(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
|
||||||
json_log(v, flags, 0, "Unexpected OCI element '%s' of type '%s'.", name, json_variant_type_to_string(json_variant_type(v)));
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Unexpected OCI element '%s' of type '%s'.", name, json_variant_type_to_string(json_variant_type(v)));
|
||||||
}
|
}
|
||||||
|
|
||||||
static int oci_unsupported(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
|
static int oci_unsupported(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
|
||||||
json_log(v, flags, 0, "Unsupported OCI element '%s' of type '%s'.", name, json_variant_type_to_string(json_variant_type(v)));
|
return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||||
return -EOPNOTSUPP;
|
"Unsupported OCI element '%s' of type '%s'.", name, json_variant_type_to_string(json_variant_type(v)));
|
||||||
}
|
}
|
||||||
|
|
||||||
static int oci_terminal(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
|
static int oci_terminal(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
|
||||||
@ -99,14 +99,12 @@ static int oci_console_dimension(const char *name, JsonVariant *variant, JsonDis
|
|||||||
assert(u);
|
assert(u);
|
||||||
|
|
||||||
k = json_variant_unsigned(variant);
|
k = json_variant_unsigned(variant);
|
||||||
if (k == 0) {
|
if (k == 0)
|
||||||
json_log(variant, flags, 0, "Console size field '%s' is too small.", strna(name));
|
return json_log(variant, flags, SYNTHETIC_ERRNO(ERANGE),
|
||||||
return -ERANGE;
|
"Console size field '%s' is too small.", strna(name));
|
||||||
}
|
if (k > USHRT_MAX) /* TIOCSWINSZ's struct winsize uses "unsigned short" for width and height */
|
||||||
if (k > USHRT_MAX) { /* TIOCSWINSZ's struct winsize uses "unsigned short" for width and height */
|
return json_log(variant, flags, SYNTHETIC_ERRNO(ERANGE),
|
||||||
json_log(variant, flags, 0, "Console size field '%s' is too large.", strna(name));
|
"Console size field '%s' is too large.", strna(name));
|
||||||
return -ERANGE;
|
|
||||||
}
|
|
||||||
|
|
||||||
*u = (unsigned) k;
|
*u = (unsigned) k;
|
||||||
return 0;
|
return 0;
|
||||||
@ -132,10 +130,9 @@ static int oci_absolute_path(const char *name, JsonVariant *v, JsonDispatchFlags
|
|||||||
|
|
||||||
n = json_variant_string(v);
|
n = json_variant_string(v);
|
||||||
|
|
||||||
if (!path_is_absolute(n)) {
|
if (!path_is_absolute(n))
|
||||||
json_log(v, flags, 0, "Path in JSON field '%s' is not absolute: %s", strna(name), n);
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Path in JSON field '%s' is not absolute: %s", strna(name), n);
|
||||||
}
|
|
||||||
|
|
||||||
r = free_and_strdup(p, n);
|
r = free_and_strdup(p, n);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
@ -154,17 +151,15 @@ static int oci_env(const char *name, JsonVariant *v, JsonDispatchFlags flags, vo
|
|||||||
JSON_VARIANT_ARRAY_FOREACH(e, v) {
|
JSON_VARIANT_ARRAY_FOREACH(e, v) {
|
||||||
const char *n;
|
const char *n;
|
||||||
|
|
||||||
if (!json_variant_is_string(e)) {
|
if (!json_variant_is_string(e))
|
||||||
json_log(e, flags, 0, "Environment array contains non-string.");
|
return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Environment array contains non-string.");
|
||||||
}
|
|
||||||
|
|
||||||
assert_se(n = json_variant_string(e));
|
assert_se(n = json_variant_string(e));
|
||||||
|
|
||||||
if (!env_assignment_is_valid(n)) {
|
if (!env_assignment_is_valid(n))
|
||||||
json_log(e, flags, 0, "Environment assignment not valid: %s", n);
|
return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Environment assignment not valid: %s", n);
|
||||||
}
|
|
||||||
|
|
||||||
r = strv_extend(l, n);
|
r = strv_extend(l, n);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
@ -185,10 +180,9 @@ static int oci_args(const char *name, JsonVariant *v, JsonDispatchFlags flags, v
|
|||||||
JSON_VARIANT_ARRAY_FOREACH(e, v) {
|
JSON_VARIANT_ARRAY_FOREACH(e, v) {
|
||||||
const char *n;
|
const char *n;
|
||||||
|
|
||||||
if (!json_variant_is_string(e)) {
|
if (!json_variant_is_string(e))
|
||||||
json_log(v, flags, 0, "Argument is not a string.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Argument is not a string.");
|
||||||
}
|
|
||||||
|
|
||||||
assert_se(n = json_variant_string(e));
|
assert_se(n = json_variant_string(e));
|
||||||
|
|
||||||
@ -197,15 +191,13 @@ static int oci_args(const char *name, JsonVariant *v, JsonDispatchFlags flags, v
|
|||||||
return log_oom();
|
return log_oom();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (strv_isempty(l)) {
|
if (strv_isempty(l))
|
||||||
json_log(v, flags, 0, "Argument list empty, refusing.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Argument list empty, refusing.");
|
||||||
}
|
|
||||||
|
|
||||||
if (isempty(l[0])) {
|
if (isempty(l[0]))
|
||||||
json_log(v, flags, 0, "Executable name is empty, refusing.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Executable name is empty, refusing.");
|
||||||
}
|
|
||||||
|
|
||||||
strv_free_and_replace(*value, l);
|
strv_free_and_replace(*value, l);
|
||||||
return 0;
|
return 0;
|
||||||
@ -218,16 +210,15 @@ static int oci_rlimit_type(const char *name, JsonVariant *v, JsonDispatchFlags f
|
|||||||
assert_se(type);
|
assert_se(type);
|
||||||
|
|
||||||
z = startswith(json_variant_string(v), "RLIMIT_");
|
z = startswith(json_variant_string(v), "RLIMIT_");
|
||||||
if (!z) {
|
if (!z)
|
||||||
json_log(v, flags, 0, "rlimit entry's name does not begin with 'RLIMIT_', refusing: %s", json_variant_string(v));
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"rlimit entry's name does not begin with 'RLIMIT_', refusing: %s",
|
||||||
}
|
json_variant_string(v));
|
||||||
|
|
||||||
t = rlimit_from_string(z);
|
t = rlimit_from_string(z);
|
||||||
if (t < 0) {
|
if (t < 0)
|
||||||
json_log(v, flags, 0, "rlimit name unknown: %s", json_variant_string(v));
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"rlimit name unknown: %s", json_variant_string(v));
|
||||||
}
|
|
||||||
|
|
||||||
*type = t;
|
*type = t;
|
||||||
return 0;
|
return 0;
|
||||||
@ -241,17 +232,15 @@ static int oci_rlimit_value(const char *name, JsonVariant *v, JsonDispatchFlags
|
|||||||
if (json_variant_is_negative(v))
|
if (json_variant_is_negative(v))
|
||||||
z = RLIM_INFINITY;
|
z = RLIM_INFINITY;
|
||||||
else {
|
else {
|
||||||
if (!json_variant_is_unsigned(v)) {
|
if (!json_variant_is_unsigned(v))
|
||||||
json_log(v, flags, 0, "rlimits limit not unsigned, refusing.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
|
||||||
return -ERANGE;
|
"rlimits limit not unsigned, refusing.");
|
||||||
}
|
|
||||||
|
|
||||||
z = (rlim_t) json_variant_unsigned(v);
|
z = (rlim_t) json_variant_unsigned(v);
|
||||||
|
|
||||||
if ((uintmax_t) z != json_variant_unsigned(v)) {
|
if ((uintmax_t) z != json_variant_unsigned(v))
|
||||||
json_log(v, flags, 0, "rlimits limit out of range, refusing.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"rlimits limit out of range, refusing.");
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
*value = z;
|
*value = z;
|
||||||
@ -293,10 +282,9 @@ static int oci_rlimits(const char *name, JsonVariant *v, JsonDispatchFlags flags
|
|||||||
assert(data.type >= 0);
|
assert(data.type >= 0);
|
||||||
assert(data.type < _RLIMIT_MAX);
|
assert(data.type < _RLIMIT_MAX);
|
||||||
|
|
||||||
if (s->rlimit[data.type]) {
|
if (s->rlimit[data.type])
|
||||||
json_log(v, flags, 0, "rlimits array contains duplicate entry, refusing.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"rlimits array contains duplicate entry, refusing.");
|
||||||
}
|
|
||||||
|
|
||||||
s->rlimit[data.type] = new(struct rlimit, 1);
|
s->rlimit[data.type] = new(struct rlimit, 1);
|
||||||
if (!s->rlimit[data.type])
|
if (!s->rlimit[data.type])
|
||||||
@ -319,18 +307,16 @@ static int oci_capability_array(const char *name, JsonVariant *v, JsonDispatchFl
|
|||||||
const char *n;
|
const char *n;
|
||||||
int cap;
|
int cap;
|
||||||
|
|
||||||
if (!json_variant_is_string(e)) {
|
if (!json_variant_is_string(e))
|
||||||
json_log(v, flags, 0, "Entry in capabilities array is not a string.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Entry in capabilities array is not a string.");
|
||||||
}
|
|
||||||
|
|
||||||
assert_se(n = json_variant_string(e));
|
assert_se(n = json_variant_string(e));
|
||||||
|
|
||||||
cap = capability_from_name(n);
|
cap = capability_from_name(n);
|
||||||
if (cap < 0) {
|
if (cap < 0)
|
||||||
json_log(v, flags, 0, "Unknown capability: %s", n);
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Unknown capability: %s", n);
|
||||||
}
|
|
||||||
|
|
||||||
m |= UINT64_C(1) << cap;
|
m |= UINT64_C(1) << cap;
|
||||||
}
|
}
|
||||||
@ -378,10 +364,9 @@ static int oci_oom_score_adj(const char *name, JsonVariant *v, JsonDispatchFlags
|
|||||||
assert(s);
|
assert(s);
|
||||||
|
|
||||||
k = json_variant_integer(v);
|
k = json_variant_integer(v);
|
||||||
if (k < OOM_SCORE_ADJ_MIN || k > OOM_SCORE_ADJ_MAX) {
|
if (k < OOM_SCORE_ADJ_MIN || k > OOM_SCORE_ADJ_MAX)
|
||||||
json_log(v, flags, 0, "oomScoreAdj value out of range: %ji", k);
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"oomScoreAdj value out of range: %ji", k);
|
||||||
}
|
|
||||||
|
|
||||||
s->oom_score_adjust = (int) k;
|
s->oom_score_adjust = (int) k;
|
||||||
s->oom_score_adjust_set = true;
|
s->oom_score_adjust_set = true;
|
||||||
@ -398,15 +383,13 @@ static int oci_uid_gid(const char *name, JsonVariant *v, JsonDispatchFlags flags
|
|||||||
|
|
||||||
k = json_variant_unsigned(v);
|
k = json_variant_unsigned(v);
|
||||||
u = (uid_t) k;
|
u = (uid_t) k;
|
||||||
if ((uintmax_t) u != k) {
|
if ((uintmax_t) u != k)
|
||||||
json_log(v, flags, 0, "UID/GID out of range: %ji", k);
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"UID/GID out of range: %ji", k);
|
||||||
}
|
|
||||||
|
|
||||||
if (!uid_is_valid(u)) {
|
if (!uid_is_valid(u))
|
||||||
json_log(v, flags, 0, "UID/GID is not valid: " UID_FMT, u);
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"UID/GID is not valid: " UID_FMT, u);
|
||||||
}
|
|
||||||
|
|
||||||
*uid = u;
|
*uid = u;
|
||||||
return 0;
|
return 0;
|
||||||
@ -422,10 +405,9 @@ static int oci_supplementary_gids(const char *name, JsonVariant *v, JsonDispatch
|
|||||||
JSON_VARIANT_ARRAY_FOREACH(e, v) {
|
JSON_VARIANT_ARRAY_FOREACH(e, v) {
|
||||||
gid_t gid, *a;
|
gid_t gid, *a;
|
||||||
|
|
||||||
if (!json_variant_is_unsigned(e)) {
|
if (!json_variant_is_unsigned(e))
|
||||||
json_log(v, flags, 0, "Supplementary GID entry is not a UID.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Supplementary GID entry is not a UID.");
|
||||||
}
|
|
||||||
|
|
||||||
r = oci_uid_gid(name, e, flags, &gid);
|
r = oci_uid_gid(name, e, flags, &gid);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
@ -493,10 +475,9 @@ static int oci_hostname(const char *name, JsonVariant *v, JsonDispatchFlags flag
|
|||||||
|
|
||||||
assert_se(n = json_variant_string(v));
|
assert_se(n = json_variant_string(v));
|
||||||
|
|
||||||
if (!hostname_is_valid(n, false)) {
|
if (!hostname_is_valid(n, false))
|
||||||
json_log(v, flags, 0, "Hostname string is not a valid hostname: %s", n);
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Hostname string is not a valid hostname: %s", n);
|
||||||
}
|
|
||||||
|
|
||||||
if (free_and_strdup(&s->hostname, n) < 0)
|
if (free_and_strdup(&s->hostname, n) < 0)
|
||||||
return log_oom();
|
return log_oom();
|
||||||
@ -574,8 +555,8 @@ static int oci_mounts(const char *name, JsonVariant *v, JsonDispatchFlags flags,
|
|||||||
goto fail_item;
|
goto fail_item;
|
||||||
|
|
||||||
if (!path_is_absolute(data.destination)) {
|
if (!path_is_absolute(data.destination)) {
|
||||||
json_log(e, flags, 0, "Mount destination not an absolute path: %s", data.destination);
|
r = json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
r = -EINVAL;
|
"Mount destination not an absolute path: %s", data.destination);
|
||||||
goto fail_item;
|
goto fail_item;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -663,10 +644,9 @@ static int oci_namespace_type(const char *name, JsonVariant *v, JsonDispatchFlag
|
|||||||
*nsflags = CLONE_NEWUSER;
|
*nsflags = CLONE_NEWUSER;
|
||||||
else if (streq(n, "cgroup"))
|
else if (streq(n, "cgroup"))
|
||||||
*nsflags = CLONE_NEWCGROUP;
|
*nsflags = CLONE_NEWCGROUP;
|
||||||
else {
|
else
|
||||||
json_log(v, flags, 0, "Unknown cgroup type, refusing: %s", n);
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Unknown cgroup type, refusing: %s", n);
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -700,15 +680,15 @@ static int oci_namespaces(const char *name, JsonVariant *v, JsonDispatchFlags fl
|
|||||||
|
|
||||||
if (data.path) {
|
if (data.path) {
|
||||||
if (data.type != CLONE_NEWNET) {
|
if (data.type != CLONE_NEWNET) {
|
||||||
json_log(e, flags, 0, "Specifying namespace path for non-network namespace is not supported.");
|
|
||||||
free(data.path);
|
free(data.path);
|
||||||
return -EOPNOTSUPP;
|
return json_log(e, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||||
|
"Specifying namespace path for non-network namespace is not supported.");
|
||||||
}
|
}
|
||||||
|
|
||||||
if (s->network_namespace_path) {
|
if (s->network_namespace_path) {
|
||||||
json_log(e, flags, 0, "Network namespace path specified more than once, refusing.");
|
|
||||||
free(data.path);
|
free(data.path);
|
||||||
return -EINVAL;
|
return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
|
"Network namespace path specified more than once, refusing.");
|
||||||
}
|
}
|
||||||
|
|
||||||
free(s->network_namespace_path);
|
free(s->network_namespace_path);
|
||||||
@ -716,17 +696,16 @@ static int oci_namespaces(const char *name, JsonVariant *v, JsonDispatchFlags fl
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (FLAGS_SET(n, data.type)) {
|
if (FLAGS_SET(n, data.type)) {
|
||||||
json_log(e, flags, 0, "Duplicat namespace specification, refusing.");
|
return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Duplicate namespace specification, refusing.");
|
||||||
}
|
}
|
||||||
|
|
||||||
n |= data.type;
|
n |= data.type;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!FLAGS_SET(n, CLONE_NEWNS)) {
|
if (!FLAGS_SET(n, CLONE_NEWNS))
|
||||||
json_log(v, flags, 0, "Containers without file system namespace aren't supported.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||||
return -EOPNOTSUPP;
|
"Containers without file system namespace aren't supported.");
|
||||||
}
|
|
||||||
|
|
||||||
s->private_network = FLAGS_SET(n, CLONE_NEWNET);
|
s->private_network = FLAGS_SET(n, CLONE_NEWNET);
|
||||||
s->userns_mode = FLAGS_SET(n, CLONE_NEWUSER) ? USER_NAMESPACE_FIXED : USER_NAMESPACE_NO;
|
s->userns_mode = FLAGS_SET(n, CLONE_NEWUSER) ? USER_NAMESPACE_FIXED : USER_NAMESPACE_NO;
|
||||||
@ -750,14 +729,12 @@ static int oci_uid_gid_range(const char *name, JsonVariant *v, JsonDispatchFlags
|
|||||||
|
|
||||||
k = json_variant_unsigned(v);
|
k = json_variant_unsigned(v);
|
||||||
u = (uid_t) k;
|
u = (uid_t) k;
|
||||||
if ((uintmax_t) u != k) {
|
if ((uintmax_t) u != k)
|
||||||
json_log(v, flags, 0, "UID/GID out of range: %ji", k);
|
return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
|
||||||
return -ERANGE;
|
"UID/GID out of range: %ji", k);
|
||||||
}
|
if (u == 0)
|
||||||
if (u == 0) {
|
return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
|
||||||
json_log(v, flags, 0, "UID/GID range can't be zero.");
|
"UID/GID range can't be zero.");
|
||||||
return -ERANGE;
|
|
||||||
}
|
|
||||||
|
|
||||||
*uid = u;
|
*uid = u;
|
||||||
return 0;
|
return 0;
|
||||||
@ -790,10 +767,9 @@ static int oci_uid_gid_mappings(const char *name, JsonVariant *v, JsonDispatchFl
|
|||||||
if (json_variant_elements(v) == 0)
|
if (json_variant_elements(v) == 0)
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
if (json_variant_elements(v) > 1) {
|
if (json_variant_elements(v) > 1)
|
||||||
json_log(v, flags, 0, "UID/GID mappings with more than one entry are not supported.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||||
return -EOPNOTSUPP;
|
"UID/GID mappings with more than one entry are not supported.");
|
||||||
}
|
|
||||||
|
|
||||||
assert_se(e = json_variant_by_index(v, 0));
|
assert_se(e = json_variant_by_index(v, 0));
|
||||||
|
|
||||||
@ -802,24 +778,22 @@ static int oci_uid_gid_mappings(const char *name, JsonVariant *v, JsonDispatchFl
|
|||||||
return r;
|
return r;
|
||||||
|
|
||||||
if (data.host_id + data.range < data.host_id ||
|
if (data.host_id + data.range < data.host_id ||
|
||||||
data.container_id + data.range < data.container_id) {
|
data.container_id + data.range < data.container_id)
|
||||||
json_log(v, flags, 0, "UID/GID range goes beyond UID/GID validity range, refusing.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"UID/GID range goes beyond UID/GID validity range, refusing.");
|
||||||
}
|
|
||||||
|
|
||||||
if (data.container_id != 0) {
|
if (data.container_id != 0)
|
||||||
json_log(v, flags, 0, "UID/GID mappings with a non-zero container base are not supported.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||||
return -EOPNOTSUPP;
|
"UID/GID mappings with a non-zero container base are not supported.");
|
||||||
}
|
|
||||||
|
|
||||||
if (data.range < 0x10000)
|
if (data.range < 0x10000)
|
||||||
json_log(v, flags|JSON_WARNING, 0, "UID/GID mapping with less than 65536 UID/GIDS set up, you are looking for trouble.");
|
json_log(v, flags|JSON_WARNING, 0,
|
||||||
|
"UID/GID mapping with less than 65536 UID/GIDS set up, you are looking for trouble.");
|
||||||
|
|
||||||
if (s->uid_range != UID_INVALID &&
|
if (s->uid_range != UID_INVALID &&
|
||||||
(s->uid_shift != data.host_id || s->uid_range != data.range)) {
|
(s->uid_shift != data.host_id || s->uid_range != data.range))
|
||||||
json_log(v, flags, 0, "Non-matching UID and GID mappings are not supported.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||||
return -EOPNOTSUPP;
|
"Non-matching UID and GID mappings are not supported.");
|
||||||
}
|
|
||||||
|
|
||||||
s->uid_shift = data.host_id;
|
s->uid_shift = data.host_id;
|
||||||
s->uid_range = data.range;
|
s->uid_range = data.range;
|
||||||
@ -840,10 +814,9 @@ static int oci_device_type(const char *name, JsonVariant *v, JsonDispatchFlags f
|
|||||||
*mode = (*mode & ~S_IFMT) | S_IFBLK;
|
*mode = (*mode & ~S_IFMT) | S_IFBLK;
|
||||||
else if (streq(t, "p"))
|
else if (streq(t, "p"))
|
||||||
*mode = (*mode & ~S_IFMT) | S_IFIFO;
|
*mode = (*mode & ~S_IFMT) | S_IFIFO;
|
||||||
else {
|
else
|
||||||
json_log(v, flags, 0, "Unknown device type: %s", t);
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Unknown device type: %s", t);
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -855,10 +828,9 @@ static int oci_device_major(const char *name, JsonVariant *v, JsonDispatchFlags
|
|||||||
assert_se(u);
|
assert_se(u);
|
||||||
|
|
||||||
k = json_variant_unsigned(v);
|
k = json_variant_unsigned(v);
|
||||||
if (!DEVICE_MAJOR_VALID(k)) {
|
if (!DEVICE_MAJOR_VALID(k))
|
||||||
json_log(v, flags, 0, "Device major %ji out of range.", k);
|
return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
|
||||||
return -ERANGE;
|
"Device major %ji out of range.", k);
|
||||||
}
|
|
||||||
|
|
||||||
*u = (unsigned) k;
|
*u = (unsigned) k;
|
||||||
return 0;
|
return 0;
|
||||||
@ -871,10 +843,9 @@ static int oci_device_minor(const char *name, JsonVariant *v, JsonDispatchFlags
|
|||||||
assert_se(u);
|
assert_se(u);
|
||||||
|
|
||||||
k = json_variant_unsigned(v);
|
k = json_variant_unsigned(v);
|
||||||
if (!DEVICE_MINOR_VALID(k)) {
|
if (!DEVICE_MINOR_VALID(k))
|
||||||
json_log(v, flags, 0, "Device minor %ji out of range.", k);
|
return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
|
||||||
return -ERANGE;
|
"Device minor %ji out of range.", k);
|
||||||
}
|
|
||||||
|
|
||||||
*u = (unsigned) k;
|
*u = (unsigned) k;
|
||||||
return 0;
|
return 0;
|
||||||
@ -889,10 +860,9 @@ static int oci_device_file_mode(const char *name, JsonVariant *v, JsonDispatchFl
|
|||||||
k = json_variant_unsigned(v);
|
k = json_variant_unsigned(v);
|
||||||
m = (mode_t) k;
|
m = (mode_t) k;
|
||||||
|
|
||||||
if ((m & ~07777) != 0 || (uintmax_t) m != k) {
|
if ((m & ~07777) != 0 || (uintmax_t) m != k)
|
||||||
json_log(v, flags, 0, "fileMode out of range, refusing.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
|
||||||
return -ERANGE;
|
"fileMode out of range, refusing.");
|
||||||
}
|
|
||||||
|
|
||||||
*mode = m;
|
*mode = m;
|
||||||
return 0;
|
return 0;
|
||||||
@ -943,8 +913,8 @@ static int oci_devices(const char *name, JsonVariant *v, JsonDispatchFlags flags
|
|||||||
_cleanup_free_ char *path = NULL;
|
_cleanup_free_ char *path = NULL;
|
||||||
|
|
||||||
if (node->major == (unsigned) -1 || node->minor == (unsigned) -1) {
|
if (node->major == (unsigned) -1 || node->minor == (unsigned) -1) {
|
||||||
json_log(e, flags, 0, "Major/minor required when device node is device node");
|
r = json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
r = -EINVAL;
|
"Major/minor required when device node is device node");
|
||||||
goto fail_element;
|
goto fail_element;
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -1001,10 +971,9 @@ static int oci_cgroups_path(const char *name, JsonVariant *v, JsonDispatchFlags
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return json_log(v, flags, r, "Couldn't convert slice unit name '%s' back to path: %m", slice);
|
return json_log(v, flags, r, "Couldn't convert slice unit name '%s' back to path: %m", slice);
|
||||||
|
|
||||||
if (!path_equal(backwards, p)) {
|
if (!path_equal(backwards, p))
|
||||||
json_log(v, flags, 0, "Control group path '%s' does not refer to slice unit, refusing.", p);
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Control group path '%s' does not refer to slice unit, refusing.", p);
|
||||||
}
|
|
||||||
|
|
||||||
free_and_replace(s->slice, slice);
|
free_and_replace(s->slice, slice);
|
||||||
return 0;
|
return 0;
|
||||||
@ -1020,10 +989,9 @@ static int oci_cgroup_device_type(const char *name, JsonVariant *v, JsonDispatch
|
|||||||
*mode = S_IFCHR;
|
*mode = S_IFCHR;
|
||||||
else if (streq(n, "b"))
|
else if (streq(n, "b"))
|
||||||
*mode = S_IFBLK;
|
*mode = S_IFBLK;
|
||||||
else {
|
else
|
||||||
json_log(v, flags, 0, "Control group device type unknown: %s", n);
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Control group device type unknown: %s", n);
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -1046,18 +1014,16 @@ static int oci_cgroup_device_access(const char *name, JsonVariant *v, JsonDispat
|
|||||||
|
|
||||||
assert_se(s = json_variant_string(v));
|
assert_se(s = json_variant_string(v));
|
||||||
|
|
||||||
for (i = 0; s[i]; i++) {
|
for (i = 0; s[i]; i++)
|
||||||
if (s[i] == 'r')
|
if (s[i] == 'r')
|
||||||
r = true;
|
r = true;
|
||||||
else if (s[i] == 'w')
|
else if (s[i] == 'w')
|
||||||
w = true;
|
w = true;
|
||||||
else if (s[i] == 'm')
|
else if (s[i] == 'm')
|
||||||
m = true;
|
m = true;
|
||||||
else {
|
else
|
||||||
json_log(v, flags, 0, "Unknown device access character '%c'.", s[i]);
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Unknown device access character '%c'.", s[i]);
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
d->r = r;
|
d->r = r;
|
||||||
d->w = w;
|
d->w = w;
|
||||||
@ -1117,23 +1083,20 @@ static int oci_cgroup_devices(const char *name, JsonVariant *v, JsonDispatchFlag
|
|||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (data.minor != (unsigned) -1 && data.major == (unsigned) -1) {
|
if (data.minor != (unsigned) -1 && data.major == (unsigned) -1)
|
||||||
json_log(v, flags, 0, "Device cgroup whitelist entries with minors but no majors not supported.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||||
return -EOPNOTSUPP;
|
"Device cgroup whitelist entries with minors but no majors not supported.");
|
||||||
}
|
|
||||||
|
|
||||||
if (data.major != (unsigned) -1 && data.type == 0) {
|
if (data.major != (unsigned) -1 && data.type == 0)
|
||||||
json_log(v, flags, 0, "Device cgroup whitelist entries with majors but no device node type not supported.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||||
return -EOPNOTSUPP;
|
"Device cgroup whitelist entries with majors but no device node type not supported.");
|
||||||
}
|
|
||||||
|
|
||||||
if (data.type == 0) {
|
if (data.type == 0) {
|
||||||
if (data.r && data.w && data.m) /* a catchall whitelist entry means we are looking at a noop */
|
if (data.r && data.w && data.m) /* a catchall whitelist entry means we are looking at a noop */
|
||||||
noop = true;
|
noop = true;
|
||||||
else {
|
else
|
||||||
json_log(v, flags, 0, "Device cgroup whitelist entries with no type not supported.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
|
||||||
return -EOPNOTSUPP;
|
"Device cgroup whitelist entries with no type not supported.");
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
a = reallocarray(list, n_list + 1, sizeof(struct device_data));
|
a = reallocarray(list, n_list + 1, sizeof(struct device_data));
|
||||||
@ -1240,16 +1203,14 @@ static int oci_cgroup_memory_limit(const char *name, JsonVariant *v, JsonDispatc
|
|||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!json_variant_is_unsigned(v)) {
|
if (!json_variant_is_unsigned(v))
|
||||||
json_log(v, flags, 0, "Memory limit is not an unsigned integer");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Memory limit is not an unsigned integer");
|
||||||
}
|
|
||||||
|
|
||||||
k = json_variant_unsigned(v);
|
k = json_variant_unsigned(v);
|
||||||
if (k >= UINT64_MAX) {
|
if (k >= UINT64_MAX)
|
||||||
json_log(v, flags, 0, "Memory limit too large: %ji", k);
|
return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
|
||||||
return -ERANGE;
|
"Memory limit too large: %ji", k);
|
||||||
}
|
|
||||||
|
|
||||||
*m = (uint64_t) k;
|
*m = (uint64_t) k;
|
||||||
return 0;
|
return 0;
|
||||||
@ -1339,10 +1300,9 @@ static int oci_cgroup_cpu_shares(const char *name, JsonVariant *v, JsonDispatchF
|
|||||||
assert(u);
|
assert(u);
|
||||||
|
|
||||||
k = json_variant_unsigned(v);
|
k = json_variant_unsigned(v);
|
||||||
if (k < CGROUP_CPU_SHARES_MIN || k > CGROUP_CPU_SHARES_MAX) {
|
if (k < CGROUP_CPU_SHARES_MIN || k > CGROUP_CPU_SHARES_MAX)
|
||||||
json_log(v, flags, 0, "shares value out of range.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
|
||||||
return -ERANGE;
|
"shares value out of range.");
|
||||||
}
|
|
||||||
|
|
||||||
*u = (uint64_t) k;
|
*u = (uint64_t) k;
|
||||||
return 0;
|
return 0;
|
||||||
@ -1355,10 +1315,9 @@ static int oci_cgroup_cpu_quota(const char *name, JsonVariant *v, JsonDispatchFl
|
|||||||
assert(u);
|
assert(u);
|
||||||
|
|
||||||
k = json_variant_unsigned(v);
|
k = json_variant_unsigned(v);
|
||||||
if (k <= 0 || k >= UINT64_MAX) {
|
if (k <= 0 || k >= UINT64_MAX)
|
||||||
json_log(v, flags, 0, "period/quota value out of range.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
|
||||||
return -ERANGE;
|
"period/quota value out of range.");
|
||||||
}
|
|
||||||
|
|
||||||
*u = (uint64_t) k;
|
*u = (uint64_t) k;
|
||||||
return 0;
|
return 0;
|
||||||
@ -1436,10 +1395,9 @@ static int oci_cgroup_cpu(const char *name, JsonVariant *v, JsonDispatchFlags fl
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return bus_log_create_error(r);
|
return bus_log_create_error(r);
|
||||||
|
|
||||||
} else if ((data.quota != UINT64_MAX) != (data.period != UINT64_MAX)) {
|
} else if ((data.quota != UINT64_MAX) != (data.period != UINT64_MAX))
|
||||||
json_log(v, flags, 0, "CPU quota and period not used together.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"CPU quota and period not used together.");
|
||||||
}
|
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
@ -1452,10 +1410,9 @@ static int oci_cgroup_block_io_weight(const char *name, JsonVariant *v, JsonDisp
|
|||||||
assert(s);
|
assert(s);
|
||||||
|
|
||||||
k = json_variant_unsigned(v);
|
k = json_variant_unsigned(v);
|
||||||
if (k < CGROUP_BLKIO_WEIGHT_MIN || k > CGROUP_BLKIO_WEIGHT_MAX) {
|
if (k < CGROUP_BLKIO_WEIGHT_MIN || k > CGROUP_BLKIO_WEIGHT_MAX)
|
||||||
json_log(v, flags, 0, "Block I/O weight out of range.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
|
||||||
return -ERANGE;
|
"Block I/O weight out of range.");
|
||||||
}
|
|
||||||
|
|
||||||
r = settings_allocate_properties(s);
|
r = settings_allocate_properties(s);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
@ -1503,10 +1460,9 @@ static int oci_cgroup_block_io_weight_device(const char *name, JsonVariant *v, J
|
|||||||
if (data.weight == UINTMAX_MAX)
|
if (data.weight == UINTMAX_MAX)
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
if (data.weight < CGROUP_BLKIO_WEIGHT_MIN || data.weight > CGROUP_BLKIO_WEIGHT_MAX) {
|
if (data.weight < CGROUP_BLKIO_WEIGHT_MIN || data.weight > CGROUP_BLKIO_WEIGHT_MAX)
|
||||||
json_log(v, flags, 0, "Block I/O device weight out of range.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
|
||||||
return -ERANGE;
|
"Block I/O device weight out of range.");
|
||||||
}
|
|
||||||
|
|
||||||
r = device_path_make_major_minor(S_IFBLK, makedev(data.major, data.minor), &path);
|
r = device_path_make_major_minor(S_IFBLK, makedev(data.major, data.minor), &path);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
@ -1560,10 +1516,9 @@ static int oci_cgroup_block_io_throttle(const char *name, JsonVariant *v, JsonDi
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
if (data.rate >= UINT64_MAX) {
|
if (data.rate >= UINT64_MAX)
|
||||||
json_log(v, flags, 0, "Block I/O device rate out of range.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
|
||||||
return -ERANGE;
|
"Block I/O device rate out of range.");
|
||||||
}
|
|
||||||
|
|
||||||
r = device_path_make_major_minor(S_IFBLK, makedev(data.major, data.minor), &path);
|
r = device_path_make_major_minor(S_IFBLK, makedev(data.major, data.minor), &path);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
@ -1618,17 +1573,15 @@ static int oci_cgroup_pids(const char *name, JsonVariant *v, JsonDispatchFlags f
|
|||||||
if (json_variant_is_negative(k))
|
if (json_variant_is_negative(k))
|
||||||
m = UINT64_MAX;
|
m = UINT64_MAX;
|
||||||
else {
|
else {
|
||||||
if (!json_variant_is_unsigned(k)) {
|
if (!json_variant_is_unsigned(k))
|
||||||
json_log(k, flags, 0, "pids limit not unsigned integer, refusing.");
|
return json_log(k, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"pids limit not unsigned integer, refusing.");
|
||||||
}
|
|
||||||
|
|
||||||
m = (uint64_t) json_variant_unsigned(k);
|
m = (uint64_t) json_variant_unsigned(k);
|
||||||
|
|
||||||
if ((uintmax_t) m != json_variant_unsigned(k)) {
|
if ((uintmax_t) m != json_variant_unsigned(k))
|
||||||
json_log(v, flags, 0, "pids limit out of range, refusing.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"pids limit out of range, refusing.");
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
r = settings_allocate_properties(s);
|
r = settings_allocate_properties(s);
|
||||||
@ -1700,18 +1653,16 @@ static int oci_sysctl(const char *name, JsonVariant *v, JsonDispatchFlags flags,
|
|||||||
JSON_VARIANT_OBJECT_FOREACH(k, w, v) {
|
JSON_VARIANT_OBJECT_FOREACH(k, w, v) {
|
||||||
const char *n, *m;
|
const char *n, *m;
|
||||||
|
|
||||||
if (!json_variant_is_string(w)) {
|
if (!json_variant_is_string(w))
|
||||||
json_log(v, flags, 0, "sysctl parameter is not a string, refusing.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"sysctl parameter is not a string, refusing.");
|
||||||
}
|
|
||||||
|
|
||||||
assert_se(n = json_variant_string(k));
|
assert_se(n = json_variant_string(k));
|
||||||
assert_se(m = json_variant_string(w));
|
assert_se(m = json_variant_string(w));
|
||||||
|
|
||||||
if (sysctl_key_valid(n)) {
|
if (sysctl_key_valid(n))
|
||||||
json_log(v, flags, 0, "sysctl key invalid, refusing: %s", n);
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"sysctl key invalid, refusing: %s", n);
|
||||||
}
|
|
||||||
|
|
||||||
r = strv_extend_strv(&s->sysctl, STRV_MAKE(n, m), false);
|
r = strv_extend_strv(&s->sysctl, STRV_MAKE(n, m), false);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
@ -1828,10 +1779,9 @@ static int oci_seccomp_archs(const char *name, JsonVariant *v, JsonDispatchFlags
|
|||||||
JSON_VARIANT_ARRAY_FOREACH(e, v) {
|
JSON_VARIANT_ARRAY_FOREACH(e, v) {
|
||||||
uint32_t a;
|
uint32_t a;
|
||||||
|
|
||||||
if (!json_variant_is_string(e)) {
|
if (!json_variant_is_string(e))
|
||||||
json_log(e, flags, 0, "Architecture entry is not a string");
|
return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Architecture entry is not a string");
|
||||||
}
|
|
||||||
|
|
||||||
r = oci_seccomp_arch_from_string(json_variant_string(e), &a);
|
r = oci_seccomp_arch_from_string(json_variant_string(e), &a);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
@ -2009,25 +1959,19 @@ static int oci_seccomp(const char *name, JsonVariant *v, JsonDispatchFlags flags
|
|||||||
assert(s);
|
assert(s);
|
||||||
|
|
||||||
def = json_variant_by_key(v, "defaultAction");
|
def = json_variant_by_key(v, "defaultAction");
|
||||||
if (!def) {
|
if (!def)
|
||||||
json_log(v, flags, 0, "defaultAction element missing.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), "defaultAction element missing.");
|
||||||
return -EINVAL;
|
|
||||||
}
|
|
||||||
|
|
||||||
if (!json_variant_is_string(def)) {
|
if (!json_variant_is_string(def))
|
||||||
json_log(def, flags, 0, "defaultAction is not a string.");
|
return json_log(def, flags, SYNTHETIC_ERRNO(EINVAL), "defaultAction is not a string.");
|
||||||
return -EINVAL;
|
|
||||||
}
|
|
||||||
|
|
||||||
r = oci_seccomp_action_from_string(json_variant_string(def), &d);
|
r = oci_seccomp_action_from_string(json_variant_string(def), &d);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return json_log(def, flags, r, "Unknown default action: %s", json_variant_string(def));
|
return json_log(def, flags, r, "Unknown default action: %s", json_variant_string(def));
|
||||||
|
|
||||||
sc = seccomp_init(d);
|
sc = seccomp_init(d);
|
||||||
if (!sc) {
|
if (!sc)
|
||||||
log_error("Couldn't allocate seccomp object.");
|
return log_error_errno(SYNTHETIC_ERRNO(ENOMEM), "Couldn't allocate seccomp object.");
|
||||||
return -ENOMEM;
|
|
||||||
}
|
|
||||||
|
|
||||||
r = json_dispatch(v, table, oci_unexpected, flags, sc);
|
r = json_dispatch(v, table, oci_unexpected, flags, sc);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
@ -2062,17 +2006,15 @@ static int oci_masked_paths(const char *name, JsonVariant *v, JsonDispatchFlags
|
|||||||
CustomMount *m;
|
CustomMount *m;
|
||||||
const char *p;
|
const char *p;
|
||||||
|
|
||||||
if (!json_variant_is_string(e)) {
|
if (!json_variant_is_string(e))
|
||||||
json_log(v, flags, 0, "Path is not a string, refusing.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Path is not a string, refusing.");
|
||||||
}
|
|
||||||
|
|
||||||
assert_se(p = json_variant_string(e));
|
assert_se(p = json_variant_string(e));
|
||||||
|
|
||||||
if (!path_is_absolute(p)) {
|
if (!path_is_absolute(p))
|
||||||
json_log(v, flags, 0, "Path is not not absolute, refusing: %s", p);
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Path is not not absolute, refusing: %s", p);
|
||||||
}
|
|
||||||
|
|
||||||
if (oci_exclude_mount(p))
|
if (oci_exclude_mount(p))
|
||||||
continue;
|
continue;
|
||||||
@ -2106,17 +2048,15 @@ static int oci_readonly_paths(const char *name, JsonVariant *v, JsonDispatchFlag
|
|||||||
CustomMount *m;
|
CustomMount *m;
|
||||||
const char *p;
|
const char *p;
|
||||||
|
|
||||||
if (!json_variant_is_string(e)) {
|
if (!json_variant_is_string(e))
|
||||||
json_log(v, flags, 0, "Path is not a string, refusing.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Path is not a string, refusing.");
|
||||||
}
|
|
||||||
|
|
||||||
assert_se(p = json_variant_string(e));
|
assert_se(p = json_variant_string(e));
|
||||||
|
|
||||||
if (!path_is_absolute(p)) {
|
if (!path_is_absolute(p))
|
||||||
json_log(v, flags, 0, "Path is not not absolute, refusing: %s", p);
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Path is not not absolute, refusing: %s", p);
|
||||||
}
|
|
||||||
|
|
||||||
if (oci_exclude_mount(p))
|
if (oci_exclude_mount(p))
|
||||||
continue;
|
continue;
|
||||||
@ -2168,15 +2108,13 @@ static int oci_hook_timeout(const char *name, JsonVariant *v, JsonDispatchFlags
|
|||||||
uintmax_t k;
|
uintmax_t k;
|
||||||
|
|
||||||
k = json_variant_unsigned(v);
|
k = json_variant_unsigned(v);
|
||||||
if (k == 0) {
|
if (k == 0)
|
||||||
json_log(v, flags, 0, "Hook timeout cannot be zero.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Hook timeout cannot be zero.");
|
||||||
}
|
|
||||||
|
|
||||||
if (k > (UINT64_MAX-1/USEC_PER_SEC)) {
|
if (k > (UINT64_MAX-1/USEC_PER_SEC))
|
||||||
json_log(v, flags, 0, "Hook timeout too large.");
|
return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Hook timeout too large.");
|
||||||
}
|
|
||||||
|
|
||||||
*u = k * USEC_PER_SEC;
|
*u = k * USEC_PER_SEC;
|
||||||
return 0;
|
return 0;
|
||||||
@ -2259,15 +2197,13 @@ static int oci_annotations(const char *name, JsonVariant *v, JsonDispatchFlags f
|
|||||||
|
|
||||||
assert_se(n = json_variant_string(k));
|
assert_se(n = json_variant_string(k));
|
||||||
|
|
||||||
if (isempty(n)) {
|
if (isempty(n))
|
||||||
json_log(k, flags, 0, "Annotation with empty key, refusing.");
|
return json_log(k, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Annotation with empty key, refusing.");
|
||||||
}
|
|
||||||
|
|
||||||
if (!json_variant_is_string(w)) {
|
if (!json_variant_is_string(w))
|
||||||
json_log(w, flags, 0, "Annotation has non-string value, refusing.");
|
return json_log(w, flags, SYNTHETIC_ERRNO(EINVAL),
|
||||||
return -EINVAL;
|
"Annotation has non-string value, refusing.");
|
||||||
}
|
|
||||||
|
|
||||||
json_log(k, flags|JSON_DEBUG, 0, "Ignoring annotation '%s' with value '%s'.", n, json_variant_string(w));
|
json_log(k, flags|JSON_DEBUG, 0, "Ignoring annotation '%s' with value '%s'.", n, json_variant_string(w));
|
||||||
}
|
}
|
||||||
|
@ -264,12 +264,12 @@ static inline int json_dispatch_level(JsonDispatchFlags flags) {
|
|||||||
|
|
||||||
int json_log_internal(JsonVariant *variant, int level, int error, const char *file, int line, const char *func, const char *format, ...) _printf_(7, 8);
|
int json_log_internal(JsonVariant *variant, int level, int error, const char *file, int line, const char *func, const char *format, ...) _printf_(7, 8);
|
||||||
|
|
||||||
#define json_log(variant, flags, error, ...) \
|
#define json_log(variant, flags, error, ...) \
|
||||||
({ \
|
({ \
|
||||||
int _level = json_dispatch_level(flags), _e = (error); \
|
int _level = json_dispatch_level(flags), _e = (error); \
|
||||||
(log_get_max_level() >= LOG_PRI(_level)) \
|
(log_get_max_level() >= LOG_PRI(_level)) \
|
||||||
? json_log_internal(variant, _level, _e, __FILE__, __LINE__, __func__, __VA_ARGS__) \
|
? json_log_internal(variant, _level, _e, __FILE__, __LINE__, __func__, __VA_ARGS__) \
|
||||||
: -abs(_e); \
|
: -ERRNO_VALUE(_e); \
|
||||||
})
|
})
|
||||||
|
|
||||||
#define JSON_VARIANT_STRING_CONST(x) _JSON_VARIANT_STRING_CONST(UNIQ, (x))
|
#define JSON_VARIANT_STRING_CONST(x) _JSON_VARIANT_STRING_CONST(UNIQ, (x))
|
||||||
|
Loading…
Reference in New Issue
Block a user