1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00

nspawn-oci: use SYNTHETIC_ERRNO

This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2019-03-21 10:50:59 +01:00
parent a3fc6b55ac
commit 19130626a0
3 changed files with 212 additions and 268 deletions

View File

@ -0,0 +1,8 @@
@@
expression e, v, flags;
expression list args;
@@
+ return
- json_log(v, flags, 0, args);
+ json_log(v, flags, SYNTHETIC_ERRNO(e), args);
- return -e;

View File

@ -74,13 +74,13 @@
*/ */
static int oci_unexpected(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) { static int oci_unexpected(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
json_log(v, flags, 0, "Unexpected OCI element '%s' of type '%s'.", name, json_variant_type_to_string(json_variant_type(v))); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Unexpected OCI element '%s' of type '%s'.", name, json_variant_type_to_string(json_variant_type(v)));
} }
static int oci_unsupported(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) { static int oci_unsupported(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
json_log(v, flags, 0, "Unsupported OCI element '%s' of type '%s'.", name, json_variant_type_to_string(json_variant_type(v))); return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
return -EOPNOTSUPP; "Unsupported OCI element '%s' of type '%s'.", name, json_variant_type_to_string(json_variant_type(v)));
} }
static int oci_terminal(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) { static int oci_terminal(const char *name, JsonVariant *v, JsonDispatchFlags flags, void *userdata) {
@ -99,14 +99,12 @@ static int oci_console_dimension(const char *name, JsonVariant *variant, JsonDis
assert(u); assert(u);
k = json_variant_unsigned(variant); k = json_variant_unsigned(variant);
if (k == 0) { if (k == 0)
json_log(variant, flags, 0, "Console size field '%s' is too small.", strna(name)); return json_log(variant, flags, SYNTHETIC_ERRNO(ERANGE),
return -ERANGE; "Console size field '%s' is too small.", strna(name));
} if (k > USHRT_MAX) /* TIOCSWINSZ's struct winsize uses "unsigned short" for width and height */
if (k > USHRT_MAX) { /* TIOCSWINSZ's struct winsize uses "unsigned short" for width and height */ return json_log(variant, flags, SYNTHETIC_ERRNO(ERANGE),
json_log(variant, flags, 0, "Console size field '%s' is too large.", strna(name)); "Console size field '%s' is too large.", strna(name));
return -ERANGE;
}
*u = (unsigned) k; *u = (unsigned) k;
return 0; return 0;
@ -132,10 +130,9 @@ static int oci_absolute_path(const char *name, JsonVariant *v, JsonDispatchFlags
n = json_variant_string(v); n = json_variant_string(v);
if (!path_is_absolute(n)) { if (!path_is_absolute(n))
json_log(v, flags, 0, "Path in JSON field '%s' is not absolute: %s", strna(name), n); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Path in JSON field '%s' is not absolute: %s", strna(name), n);
}
r = free_and_strdup(p, n); r = free_and_strdup(p, n);
if (r < 0) if (r < 0)
@ -154,17 +151,15 @@ static int oci_env(const char *name, JsonVariant *v, JsonDispatchFlags flags, vo
JSON_VARIANT_ARRAY_FOREACH(e, v) { JSON_VARIANT_ARRAY_FOREACH(e, v) {
const char *n; const char *n;
if (!json_variant_is_string(e)) { if (!json_variant_is_string(e))
json_log(e, flags, 0, "Environment array contains non-string."); return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Environment array contains non-string.");
}
assert_se(n = json_variant_string(e)); assert_se(n = json_variant_string(e));
if (!env_assignment_is_valid(n)) { if (!env_assignment_is_valid(n))
json_log(e, flags, 0, "Environment assignment not valid: %s", n); return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Environment assignment not valid: %s", n);
}
r = strv_extend(l, n); r = strv_extend(l, n);
if (r < 0) if (r < 0)
@ -185,10 +180,9 @@ static int oci_args(const char *name, JsonVariant *v, JsonDispatchFlags flags, v
JSON_VARIANT_ARRAY_FOREACH(e, v) { JSON_VARIANT_ARRAY_FOREACH(e, v) {
const char *n; const char *n;
if (!json_variant_is_string(e)) { if (!json_variant_is_string(e))
json_log(v, flags, 0, "Argument is not a string."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Argument is not a string.");
}
assert_se(n = json_variant_string(e)); assert_se(n = json_variant_string(e));
@ -197,15 +191,13 @@ static int oci_args(const char *name, JsonVariant *v, JsonDispatchFlags flags, v
return log_oom(); return log_oom();
} }
if (strv_isempty(l)) { if (strv_isempty(l))
json_log(v, flags, 0, "Argument list empty, refusing."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Argument list empty, refusing.");
}
if (isempty(l[0])) { if (isempty(l[0]))
json_log(v, flags, 0, "Executable name is empty, refusing."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Executable name is empty, refusing.");
}
strv_free_and_replace(*value, l); strv_free_and_replace(*value, l);
return 0; return 0;
@ -218,16 +210,15 @@ static int oci_rlimit_type(const char *name, JsonVariant *v, JsonDispatchFlags f
assert_se(type); assert_se(type);
z = startswith(json_variant_string(v), "RLIMIT_"); z = startswith(json_variant_string(v), "RLIMIT_");
if (!z) { if (!z)
json_log(v, flags, 0, "rlimit entry's name does not begin with 'RLIMIT_', refusing: %s", json_variant_string(v)); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "rlimit entry's name does not begin with 'RLIMIT_', refusing: %s",
} json_variant_string(v));
t = rlimit_from_string(z); t = rlimit_from_string(z);
if (t < 0) { if (t < 0)
json_log(v, flags, 0, "rlimit name unknown: %s", json_variant_string(v)); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "rlimit name unknown: %s", json_variant_string(v));
}
*type = t; *type = t;
return 0; return 0;
@ -241,17 +232,15 @@ static int oci_rlimit_value(const char *name, JsonVariant *v, JsonDispatchFlags
if (json_variant_is_negative(v)) if (json_variant_is_negative(v))
z = RLIM_INFINITY; z = RLIM_INFINITY;
else { else {
if (!json_variant_is_unsigned(v)) { if (!json_variant_is_unsigned(v))
json_log(v, flags, 0, "rlimits limit not unsigned, refusing."); return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
return -ERANGE; "rlimits limit not unsigned, refusing.");
}
z = (rlim_t) json_variant_unsigned(v); z = (rlim_t) json_variant_unsigned(v);
if ((uintmax_t) z != json_variant_unsigned(v)) { if ((uintmax_t) z != json_variant_unsigned(v))
json_log(v, flags, 0, "rlimits limit out of range, refusing."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "rlimits limit out of range, refusing.");
}
} }
*value = z; *value = z;
@ -293,10 +282,9 @@ static int oci_rlimits(const char *name, JsonVariant *v, JsonDispatchFlags flags
assert(data.type >= 0); assert(data.type >= 0);
assert(data.type < _RLIMIT_MAX); assert(data.type < _RLIMIT_MAX);
if (s->rlimit[data.type]) { if (s->rlimit[data.type])
json_log(v, flags, 0, "rlimits array contains duplicate entry, refusing."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "rlimits array contains duplicate entry, refusing.");
}
s->rlimit[data.type] = new(struct rlimit, 1); s->rlimit[data.type] = new(struct rlimit, 1);
if (!s->rlimit[data.type]) if (!s->rlimit[data.type])
@ -319,18 +307,16 @@ static int oci_capability_array(const char *name, JsonVariant *v, JsonDispatchFl
const char *n; const char *n;
int cap; int cap;
if (!json_variant_is_string(e)) { if (!json_variant_is_string(e))
json_log(v, flags, 0, "Entry in capabilities array is not a string."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Entry in capabilities array is not a string.");
}
assert_se(n = json_variant_string(e)); assert_se(n = json_variant_string(e));
cap = capability_from_name(n); cap = capability_from_name(n);
if (cap < 0) { if (cap < 0)
json_log(v, flags, 0, "Unknown capability: %s", n); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Unknown capability: %s", n);
}
m |= UINT64_C(1) << cap; m |= UINT64_C(1) << cap;
} }
@ -378,10 +364,9 @@ static int oci_oom_score_adj(const char *name, JsonVariant *v, JsonDispatchFlags
assert(s); assert(s);
k = json_variant_integer(v); k = json_variant_integer(v);
if (k < OOM_SCORE_ADJ_MIN || k > OOM_SCORE_ADJ_MAX) { if (k < OOM_SCORE_ADJ_MIN || k > OOM_SCORE_ADJ_MAX)
json_log(v, flags, 0, "oomScoreAdj value out of range: %ji", k); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "oomScoreAdj value out of range: %ji", k);
}
s->oom_score_adjust = (int) k; s->oom_score_adjust = (int) k;
s->oom_score_adjust_set = true; s->oom_score_adjust_set = true;
@ -398,15 +383,13 @@ static int oci_uid_gid(const char *name, JsonVariant *v, JsonDispatchFlags flags
k = json_variant_unsigned(v); k = json_variant_unsigned(v);
u = (uid_t) k; u = (uid_t) k;
if ((uintmax_t) u != k) { if ((uintmax_t) u != k)
json_log(v, flags, 0, "UID/GID out of range: %ji", k); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "UID/GID out of range: %ji", k);
}
if (!uid_is_valid(u)) { if (!uid_is_valid(u))
json_log(v, flags, 0, "UID/GID is not valid: " UID_FMT, u); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "UID/GID is not valid: " UID_FMT, u);
}
*uid = u; *uid = u;
return 0; return 0;
@ -422,10 +405,9 @@ static int oci_supplementary_gids(const char *name, JsonVariant *v, JsonDispatch
JSON_VARIANT_ARRAY_FOREACH(e, v) { JSON_VARIANT_ARRAY_FOREACH(e, v) {
gid_t gid, *a; gid_t gid, *a;
if (!json_variant_is_unsigned(e)) { if (!json_variant_is_unsigned(e))
json_log(v, flags, 0, "Supplementary GID entry is not a UID."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Supplementary GID entry is not a UID.");
}
r = oci_uid_gid(name, e, flags, &gid); r = oci_uid_gid(name, e, flags, &gid);
if (r < 0) if (r < 0)
@ -493,10 +475,9 @@ static int oci_hostname(const char *name, JsonVariant *v, JsonDispatchFlags flag
assert_se(n = json_variant_string(v)); assert_se(n = json_variant_string(v));
if (!hostname_is_valid(n, false)) { if (!hostname_is_valid(n, false))
json_log(v, flags, 0, "Hostname string is not a valid hostname: %s", n); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Hostname string is not a valid hostname: %s", n);
}
if (free_and_strdup(&s->hostname, n) < 0) if (free_and_strdup(&s->hostname, n) < 0)
return log_oom(); return log_oom();
@ -574,8 +555,8 @@ static int oci_mounts(const char *name, JsonVariant *v, JsonDispatchFlags flags,
goto fail_item; goto fail_item;
if (!path_is_absolute(data.destination)) { if (!path_is_absolute(data.destination)) {
json_log(e, flags, 0, "Mount destination not an absolute path: %s", data.destination); r = json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
r = -EINVAL; "Mount destination not an absolute path: %s", data.destination);
goto fail_item; goto fail_item;
} }
@ -663,10 +644,9 @@ static int oci_namespace_type(const char *name, JsonVariant *v, JsonDispatchFlag
*nsflags = CLONE_NEWUSER; *nsflags = CLONE_NEWUSER;
else if (streq(n, "cgroup")) else if (streq(n, "cgroup"))
*nsflags = CLONE_NEWCGROUP; *nsflags = CLONE_NEWCGROUP;
else { else
json_log(v, flags, 0, "Unknown cgroup type, refusing: %s", n); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Unknown cgroup type, refusing: %s", n);
}
return 0; return 0;
} }
@ -700,15 +680,15 @@ static int oci_namespaces(const char *name, JsonVariant *v, JsonDispatchFlags fl
if (data.path) { if (data.path) {
if (data.type != CLONE_NEWNET) { if (data.type != CLONE_NEWNET) {
json_log(e, flags, 0, "Specifying namespace path for non-network namespace is not supported.");
free(data.path); free(data.path);
return -EOPNOTSUPP; return json_log(e, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
"Specifying namespace path for non-network namespace is not supported.");
} }
if (s->network_namespace_path) { if (s->network_namespace_path) {
json_log(e, flags, 0, "Network namespace path specified more than once, refusing.");
free(data.path); free(data.path);
return -EINVAL; return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
"Network namespace path specified more than once, refusing.");
} }
free(s->network_namespace_path); free(s->network_namespace_path);
@ -716,17 +696,16 @@ static int oci_namespaces(const char *name, JsonVariant *v, JsonDispatchFlags fl
} }
if (FLAGS_SET(n, data.type)) { if (FLAGS_SET(n, data.type)) {
json_log(e, flags, 0, "Duplicat namespace specification, refusing."); return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Duplicate namespace specification, refusing.");
} }
n |= data.type; n |= data.type;
} }
if (!FLAGS_SET(n, CLONE_NEWNS)) { if (!FLAGS_SET(n, CLONE_NEWNS))
json_log(v, flags, 0, "Containers without file system namespace aren't supported."); return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
return -EOPNOTSUPP; "Containers without file system namespace aren't supported.");
}
s->private_network = FLAGS_SET(n, CLONE_NEWNET); s->private_network = FLAGS_SET(n, CLONE_NEWNET);
s->userns_mode = FLAGS_SET(n, CLONE_NEWUSER) ? USER_NAMESPACE_FIXED : USER_NAMESPACE_NO; s->userns_mode = FLAGS_SET(n, CLONE_NEWUSER) ? USER_NAMESPACE_FIXED : USER_NAMESPACE_NO;
@ -750,14 +729,12 @@ static int oci_uid_gid_range(const char *name, JsonVariant *v, JsonDispatchFlags
k = json_variant_unsigned(v); k = json_variant_unsigned(v);
u = (uid_t) k; u = (uid_t) k;
if ((uintmax_t) u != k) { if ((uintmax_t) u != k)
json_log(v, flags, 0, "UID/GID out of range: %ji", k); return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
return -ERANGE; "UID/GID out of range: %ji", k);
} if (u == 0)
if (u == 0) { return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
json_log(v, flags, 0, "UID/GID range can't be zero."); "UID/GID range can't be zero.");
return -ERANGE;
}
*uid = u; *uid = u;
return 0; return 0;
@ -790,10 +767,9 @@ static int oci_uid_gid_mappings(const char *name, JsonVariant *v, JsonDispatchFl
if (json_variant_elements(v) == 0) if (json_variant_elements(v) == 0)
return 0; return 0;
if (json_variant_elements(v) > 1) { if (json_variant_elements(v) > 1)
json_log(v, flags, 0, "UID/GID mappings with more than one entry are not supported."); return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
return -EOPNOTSUPP; "UID/GID mappings with more than one entry are not supported.");
}
assert_se(e = json_variant_by_index(v, 0)); assert_se(e = json_variant_by_index(v, 0));
@ -802,24 +778,22 @@ static int oci_uid_gid_mappings(const char *name, JsonVariant *v, JsonDispatchFl
return r; return r;
if (data.host_id + data.range < data.host_id || if (data.host_id + data.range < data.host_id ||
data.container_id + data.range < data.container_id) { data.container_id + data.range < data.container_id)
json_log(v, flags, 0, "UID/GID range goes beyond UID/GID validity range, refusing."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "UID/GID range goes beyond UID/GID validity range, refusing.");
}
if (data.container_id != 0) { if (data.container_id != 0)
json_log(v, flags, 0, "UID/GID mappings with a non-zero container base are not supported."); return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
return -EOPNOTSUPP; "UID/GID mappings with a non-zero container base are not supported.");
}
if (data.range < 0x10000) if (data.range < 0x10000)
json_log(v, flags|JSON_WARNING, 0, "UID/GID mapping with less than 65536 UID/GIDS set up, you are looking for trouble."); json_log(v, flags|JSON_WARNING, 0,
"UID/GID mapping with less than 65536 UID/GIDS set up, you are looking for trouble.");
if (s->uid_range != UID_INVALID && if (s->uid_range != UID_INVALID &&
(s->uid_shift != data.host_id || s->uid_range != data.range)) { (s->uid_shift != data.host_id || s->uid_range != data.range))
json_log(v, flags, 0, "Non-matching UID and GID mappings are not supported."); return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
return -EOPNOTSUPP; "Non-matching UID and GID mappings are not supported.");
}
s->uid_shift = data.host_id; s->uid_shift = data.host_id;
s->uid_range = data.range; s->uid_range = data.range;
@ -840,10 +814,9 @@ static int oci_device_type(const char *name, JsonVariant *v, JsonDispatchFlags f
*mode = (*mode & ~S_IFMT) | S_IFBLK; *mode = (*mode & ~S_IFMT) | S_IFBLK;
else if (streq(t, "p")) else if (streq(t, "p"))
*mode = (*mode & ~S_IFMT) | S_IFIFO; *mode = (*mode & ~S_IFMT) | S_IFIFO;
else { else
json_log(v, flags, 0, "Unknown device type: %s", t); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Unknown device type: %s", t);
}
return 0; return 0;
} }
@ -855,10 +828,9 @@ static int oci_device_major(const char *name, JsonVariant *v, JsonDispatchFlags
assert_se(u); assert_se(u);
k = json_variant_unsigned(v); k = json_variant_unsigned(v);
if (!DEVICE_MAJOR_VALID(k)) { if (!DEVICE_MAJOR_VALID(k))
json_log(v, flags, 0, "Device major %ji out of range.", k); return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
return -ERANGE; "Device major %ji out of range.", k);
}
*u = (unsigned) k; *u = (unsigned) k;
return 0; return 0;
@ -871,10 +843,9 @@ static int oci_device_minor(const char *name, JsonVariant *v, JsonDispatchFlags
assert_se(u); assert_se(u);
k = json_variant_unsigned(v); k = json_variant_unsigned(v);
if (!DEVICE_MINOR_VALID(k)) { if (!DEVICE_MINOR_VALID(k))
json_log(v, flags, 0, "Device minor %ji out of range.", k); return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
return -ERANGE; "Device minor %ji out of range.", k);
}
*u = (unsigned) k; *u = (unsigned) k;
return 0; return 0;
@ -889,10 +860,9 @@ static int oci_device_file_mode(const char *name, JsonVariant *v, JsonDispatchFl
k = json_variant_unsigned(v); k = json_variant_unsigned(v);
m = (mode_t) k; m = (mode_t) k;
if ((m & ~07777) != 0 || (uintmax_t) m != k) { if ((m & ~07777) != 0 || (uintmax_t) m != k)
json_log(v, flags, 0, "fileMode out of range, refusing."); return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
return -ERANGE; "fileMode out of range, refusing.");
}
*mode = m; *mode = m;
return 0; return 0;
@ -943,8 +913,8 @@ static int oci_devices(const char *name, JsonVariant *v, JsonDispatchFlags flags
_cleanup_free_ char *path = NULL; _cleanup_free_ char *path = NULL;
if (node->major == (unsigned) -1 || node->minor == (unsigned) -1) { if (node->major == (unsigned) -1 || node->minor == (unsigned) -1) {
json_log(e, flags, 0, "Major/minor required when device node is device node"); r = json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
r = -EINVAL; "Major/minor required when device node is device node");
goto fail_element; goto fail_element;
} }
@ -1001,10 +971,9 @@ static int oci_cgroups_path(const char *name, JsonVariant *v, JsonDispatchFlags
if (r < 0) if (r < 0)
return json_log(v, flags, r, "Couldn't convert slice unit name '%s' back to path: %m", slice); return json_log(v, flags, r, "Couldn't convert slice unit name '%s' back to path: %m", slice);
if (!path_equal(backwards, p)) { if (!path_equal(backwards, p))
json_log(v, flags, 0, "Control group path '%s' does not refer to slice unit, refusing.", p); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Control group path '%s' does not refer to slice unit, refusing.", p);
}
free_and_replace(s->slice, slice); free_and_replace(s->slice, slice);
return 0; return 0;
@ -1020,10 +989,9 @@ static int oci_cgroup_device_type(const char *name, JsonVariant *v, JsonDispatch
*mode = S_IFCHR; *mode = S_IFCHR;
else if (streq(n, "b")) else if (streq(n, "b"))
*mode = S_IFBLK; *mode = S_IFBLK;
else { else
json_log(v, flags, 0, "Control group device type unknown: %s", n); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Control group device type unknown: %s", n);
}
return 0; return 0;
} }
@ -1046,18 +1014,16 @@ static int oci_cgroup_device_access(const char *name, JsonVariant *v, JsonDispat
assert_se(s = json_variant_string(v)); assert_se(s = json_variant_string(v));
for (i = 0; s[i]; i++) { for (i = 0; s[i]; i++)
if (s[i] == 'r') if (s[i] == 'r')
r = true; r = true;
else if (s[i] == 'w') else if (s[i] == 'w')
w = true; w = true;
else if (s[i] == 'm') else if (s[i] == 'm')
m = true; m = true;
else { else
json_log(v, flags, 0, "Unknown device access character '%c'.", s[i]); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Unknown device access character '%c'.", s[i]);
}
}
d->r = r; d->r = r;
d->w = w; d->w = w;
@ -1117,23 +1083,20 @@ static int oci_cgroup_devices(const char *name, JsonVariant *v, JsonDispatchFlag
continue; continue;
} }
if (data.minor != (unsigned) -1 && data.major == (unsigned) -1) { if (data.minor != (unsigned) -1 && data.major == (unsigned) -1)
json_log(v, flags, 0, "Device cgroup whitelist entries with minors but no majors not supported."); return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
return -EOPNOTSUPP; "Device cgroup whitelist entries with minors but no majors not supported.");
}
if (data.major != (unsigned) -1 && data.type == 0) { if (data.major != (unsigned) -1 && data.type == 0)
json_log(v, flags, 0, "Device cgroup whitelist entries with majors but no device node type not supported."); return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
return -EOPNOTSUPP; "Device cgroup whitelist entries with majors but no device node type not supported.");
}
if (data.type == 0) { if (data.type == 0) {
if (data.r && data.w && data.m) /* a catchall whitelist entry means we are looking at a noop */ if (data.r && data.w && data.m) /* a catchall whitelist entry means we are looking at a noop */
noop = true; noop = true;
else { else
json_log(v, flags, 0, "Device cgroup whitelist entries with no type not supported."); return json_log(v, flags, SYNTHETIC_ERRNO(EOPNOTSUPP),
return -EOPNOTSUPP; "Device cgroup whitelist entries with no type not supported.");
}
} }
a = reallocarray(list, n_list + 1, sizeof(struct device_data)); a = reallocarray(list, n_list + 1, sizeof(struct device_data));
@ -1240,16 +1203,14 @@ static int oci_cgroup_memory_limit(const char *name, JsonVariant *v, JsonDispatc
return 0; return 0;
} }
if (!json_variant_is_unsigned(v)) { if (!json_variant_is_unsigned(v))
json_log(v, flags, 0, "Memory limit is not an unsigned integer"); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Memory limit is not an unsigned integer");
}
k = json_variant_unsigned(v); k = json_variant_unsigned(v);
if (k >= UINT64_MAX) { if (k >= UINT64_MAX)
json_log(v, flags, 0, "Memory limit too large: %ji", k); return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
return -ERANGE; "Memory limit too large: %ji", k);
}
*m = (uint64_t) k; *m = (uint64_t) k;
return 0; return 0;
@ -1339,10 +1300,9 @@ static int oci_cgroup_cpu_shares(const char *name, JsonVariant *v, JsonDispatchF
assert(u); assert(u);
k = json_variant_unsigned(v); k = json_variant_unsigned(v);
if (k < CGROUP_CPU_SHARES_MIN || k > CGROUP_CPU_SHARES_MAX) { if (k < CGROUP_CPU_SHARES_MIN || k > CGROUP_CPU_SHARES_MAX)
json_log(v, flags, 0, "shares value out of range."); return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
return -ERANGE; "shares value out of range.");
}
*u = (uint64_t) k; *u = (uint64_t) k;
return 0; return 0;
@ -1355,10 +1315,9 @@ static int oci_cgroup_cpu_quota(const char *name, JsonVariant *v, JsonDispatchFl
assert(u); assert(u);
k = json_variant_unsigned(v); k = json_variant_unsigned(v);
if (k <= 0 || k >= UINT64_MAX) { if (k <= 0 || k >= UINT64_MAX)
json_log(v, flags, 0, "period/quota value out of range."); return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
return -ERANGE; "period/quota value out of range.");
}
*u = (uint64_t) k; *u = (uint64_t) k;
return 0; return 0;
@ -1436,10 +1395,9 @@ static int oci_cgroup_cpu(const char *name, JsonVariant *v, JsonDispatchFlags fl
if (r < 0) if (r < 0)
return bus_log_create_error(r); return bus_log_create_error(r);
} else if ((data.quota != UINT64_MAX) != (data.period != UINT64_MAX)) { } else if ((data.quota != UINT64_MAX) != (data.period != UINT64_MAX))
json_log(v, flags, 0, "CPU quota and period not used together."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "CPU quota and period not used together.");
}
return 0; return 0;
} }
@ -1452,10 +1410,9 @@ static int oci_cgroup_block_io_weight(const char *name, JsonVariant *v, JsonDisp
assert(s); assert(s);
k = json_variant_unsigned(v); k = json_variant_unsigned(v);
if (k < CGROUP_BLKIO_WEIGHT_MIN || k > CGROUP_BLKIO_WEIGHT_MAX) { if (k < CGROUP_BLKIO_WEIGHT_MIN || k > CGROUP_BLKIO_WEIGHT_MAX)
json_log(v, flags, 0, "Block I/O weight out of range."); return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
return -ERANGE; "Block I/O weight out of range.");
}
r = settings_allocate_properties(s); r = settings_allocate_properties(s);
if (r < 0) if (r < 0)
@ -1503,10 +1460,9 @@ static int oci_cgroup_block_io_weight_device(const char *name, JsonVariant *v, J
if (data.weight == UINTMAX_MAX) if (data.weight == UINTMAX_MAX)
continue; continue;
if (data.weight < CGROUP_BLKIO_WEIGHT_MIN || data.weight > CGROUP_BLKIO_WEIGHT_MAX) { if (data.weight < CGROUP_BLKIO_WEIGHT_MIN || data.weight > CGROUP_BLKIO_WEIGHT_MAX)
json_log(v, flags, 0, "Block I/O device weight out of range."); return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
return -ERANGE; "Block I/O device weight out of range.");
}
r = device_path_make_major_minor(S_IFBLK, makedev(data.major, data.minor), &path); r = device_path_make_major_minor(S_IFBLK, makedev(data.major, data.minor), &path);
if (r < 0) if (r < 0)
@ -1560,10 +1516,9 @@ static int oci_cgroup_block_io_throttle(const char *name, JsonVariant *v, JsonDi
if (r < 0) if (r < 0)
return r; return r;
if (data.rate >= UINT64_MAX) { if (data.rate >= UINT64_MAX)
json_log(v, flags, 0, "Block I/O device rate out of range."); return json_log(v, flags, SYNTHETIC_ERRNO(ERANGE),
return -ERANGE; "Block I/O device rate out of range.");
}
r = device_path_make_major_minor(S_IFBLK, makedev(data.major, data.minor), &path); r = device_path_make_major_minor(S_IFBLK, makedev(data.major, data.minor), &path);
if (r < 0) if (r < 0)
@ -1618,17 +1573,15 @@ static int oci_cgroup_pids(const char *name, JsonVariant *v, JsonDispatchFlags f
if (json_variant_is_negative(k)) if (json_variant_is_negative(k))
m = UINT64_MAX; m = UINT64_MAX;
else { else {
if (!json_variant_is_unsigned(k)) { if (!json_variant_is_unsigned(k))
json_log(k, flags, 0, "pids limit not unsigned integer, refusing."); return json_log(k, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "pids limit not unsigned integer, refusing.");
}
m = (uint64_t) json_variant_unsigned(k); m = (uint64_t) json_variant_unsigned(k);
if ((uintmax_t) m != json_variant_unsigned(k)) { if ((uintmax_t) m != json_variant_unsigned(k))
json_log(v, flags, 0, "pids limit out of range, refusing."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "pids limit out of range, refusing.");
}
} }
r = settings_allocate_properties(s); r = settings_allocate_properties(s);
@ -1700,18 +1653,16 @@ static int oci_sysctl(const char *name, JsonVariant *v, JsonDispatchFlags flags,
JSON_VARIANT_OBJECT_FOREACH(k, w, v) { JSON_VARIANT_OBJECT_FOREACH(k, w, v) {
const char *n, *m; const char *n, *m;
if (!json_variant_is_string(w)) { if (!json_variant_is_string(w))
json_log(v, flags, 0, "sysctl parameter is not a string, refusing."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "sysctl parameter is not a string, refusing.");
}
assert_se(n = json_variant_string(k)); assert_se(n = json_variant_string(k));
assert_se(m = json_variant_string(w)); assert_se(m = json_variant_string(w));
if (sysctl_key_valid(n)) { if (sysctl_key_valid(n))
json_log(v, flags, 0, "sysctl key invalid, refusing: %s", n); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "sysctl key invalid, refusing: %s", n);
}
r = strv_extend_strv(&s->sysctl, STRV_MAKE(n, m), false); r = strv_extend_strv(&s->sysctl, STRV_MAKE(n, m), false);
if (r < 0) if (r < 0)
@ -1828,10 +1779,9 @@ static int oci_seccomp_archs(const char *name, JsonVariant *v, JsonDispatchFlags
JSON_VARIANT_ARRAY_FOREACH(e, v) { JSON_VARIANT_ARRAY_FOREACH(e, v) {
uint32_t a; uint32_t a;
if (!json_variant_is_string(e)) { if (!json_variant_is_string(e))
json_log(e, flags, 0, "Architecture entry is not a string"); return json_log(e, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Architecture entry is not a string");
}
r = oci_seccomp_arch_from_string(json_variant_string(e), &a); r = oci_seccomp_arch_from_string(json_variant_string(e), &a);
if (r < 0) if (r < 0)
@ -2009,25 +1959,19 @@ static int oci_seccomp(const char *name, JsonVariant *v, JsonDispatchFlags flags
assert(s); assert(s);
def = json_variant_by_key(v, "defaultAction"); def = json_variant_by_key(v, "defaultAction");
if (!def) { if (!def)
json_log(v, flags, 0, "defaultAction element missing."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL), "defaultAction element missing.");
return -EINVAL;
}
if (!json_variant_is_string(def)) { if (!json_variant_is_string(def))
json_log(def, flags, 0, "defaultAction is not a string."); return json_log(def, flags, SYNTHETIC_ERRNO(EINVAL), "defaultAction is not a string.");
return -EINVAL;
}
r = oci_seccomp_action_from_string(json_variant_string(def), &d); r = oci_seccomp_action_from_string(json_variant_string(def), &d);
if (r < 0) if (r < 0)
return json_log(def, flags, r, "Unknown default action: %s", json_variant_string(def)); return json_log(def, flags, r, "Unknown default action: %s", json_variant_string(def));
sc = seccomp_init(d); sc = seccomp_init(d);
if (!sc) { if (!sc)
log_error("Couldn't allocate seccomp object."); return log_error_errno(SYNTHETIC_ERRNO(ENOMEM), "Couldn't allocate seccomp object.");
return -ENOMEM;
}
r = json_dispatch(v, table, oci_unexpected, flags, sc); r = json_dispatch(v, table, oci_unexpected, flags, sc);
if (r < 0) if (r < 0)
@ -2062,17 +2006,15 @@ static int oci_masked_paths(const char *name, JsonVariant *v, JsonDispatchFlags
CustomMount *m; CustomMount *m;
const char *p; const char *p;
if (!json_variant_is_string(e)) { if (!json_variant_is_string(e))
json_log(v, flags, 0, "Path is not a string, refusing."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Path is not a string, refusing.");
}
assert_se(p = json_variant_string(e)); assert_se(p = json_variant_string(e));
if (!path_is_absolute(p)) { if (!path_is_absolute(p))
json_log(v, flags, 0, "Path is not not absolute, refusing: %s", p); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Path is not not absolute, refusing: %s", p);
}
if (oci_exclude_mount(p)) if (oci_exclude_mount(p))
continue; continue;
@ -2106,17 +2048,15 @@ static int oci_readonly_paths(const char *name, JsonVariant *v, JsonDispatchFlag
CustomMount *m; CustomMount *m;
const char *p; const char *p;
if (!json_variant_is_string(e)) { if (!json_variant_is_string(e))
json_log(v, flags, 0, "Path is not a string, refusing."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Path is not a string, refusing.");
}
assert_se(p = json_variant_string(e)); assert_se(p = json_variant_string(e));
if (!path_is_absolute(p)) { if (!path_is_absolute(p))
json_log(v, flags, 0, "Path is not not absolute, refusing: %s", p); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Path is not not absolute, refusing: %s", p);
}
if (oci_exclude_mount(p)) if (oci_exclude_mount(p))
continue; continue;
@ -2168,15 +2108,13 @@ static int oci_hook_timeout(const char *name, JsonVariant *v, JsonDispatchFlags
uintmax_t k; uintmax_t k;
k = json_variant_unsigned(v); k = json_variant_unsigned(v);
if (k == 0) { if (k == 0)
json_log(v, flags, 0, "Hook timeout cannot be zero."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Hook timeout cannot be zero.");
}
if (k > (UINT64_MAX-1/USEC_PER_SEC)) { if (k > (UINT64_MAX-1/USEC_PER_SEC))
json_log(v, flags, 0, "Hook timeout too large."); return json_log(v, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Hook timeout too large.");
}
*u = k * USEC_PER_SEC; *u = k * USEC_PER_SEC;
return 0; return 0;
@ -2259,15 +2197,13 @@ static int oci_annotations(const char *name, JsonVariant *v, JsonDispatchFlags f
assert_se(n = json_variant_string(k)); assert_se(n = json_variant_string(k));
if (isempty(n)) { if (isempty(n))
json_log(k, flags, 0, "Annotation with empty key, refusing."); return json_log(k, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Annotation with empty key, refusing.");
}
if (!json_variant_is_string(w)) { if (!json_variant_is_string(w))
json_log(w, flags, 0, "Annotation has non-string value, refusing."); return json_log(w, flags, SYNTHETIC_ERRNO(EINVAL),
return -EINVAL; "Annotation has non-string value, refusing.");
}
json_log(k, flags|JSON_DEBUG, 0, "Ignoring annotation '%s' with value '%s'.", n, json_variant_string(w)); json_log(k, flags|JSON_DEBUG, 0, "Ignoring annotation '%s' with value '%s'.", n, json_variant_string(w));
} }

View File

@ -264,12 +264,12 @@ static inline int json_dispatch_level(JsonDispatchFlags flags) {
int json_log_internal(JsonVariant *variant, int level, int error, const char *file, int line, const char *func, const char *format, ...) _printf_(7, 8); int json_log_internal(JsonVariant *variant, int level, int error, const char *file, int line, const char *func, const char *format, ...) _printf_(7, 8);
#define json_log(variant, flags, error, ...) \ #define json_log(variant, flags, error, ...) \
({ \ ({ \
int _level = json_dispatch_level(flags), _e = (error); \ int _level = json_dispatch_level(flags), _e = (error); \
(log_get_max_level() >= LOG_PRI(_level)) \ (log_get_max_level() >= LOG_PRI(_level)) \
? json_log_internal(variant, _level, _e, __FILE__, __LINE__, __func__, __VA_ARGS__) \ ? json_log_internal(variant, _level, _e, __FILE__, __LINE__, __func__, __VA_ARGS__) \
: -abs(_e); \ : -ERRNO_VALUE(_e); \
}) })
#define JSON_VARIANT_STRING_CONST(x) _JSON_VARIANT_STRING_CONST(UNIQ, (x)) #define JSON_VARIANT_STRING_CONST(x) _JSON_VARIANT_STRING_CONST(UNIQ, (x))