mirror of https://github.com/systemd/systemd.git synced 2025-02-04 21:47:31 +03:00

core: make NotifyAccess= in combination with RootDirectory=/RootImage= work

Previously if people enabled RootDirectory=/RootImage= and NotifyAccess=
together, things wouldn't work, they'd have to explicitly add
BindReadOnlyPaths=/run/systemd/notify too.

Let's make this implicit. Since both options are opt-in, if people use
them together it would be pointless not also defining the
BindReadOnlyPaths= entry, in which case we can just do it automatically.

See: #18051
Lennart Poettering 2021-01-20 21:57:21 +01:00
parent 7504f599e1
commit 3bdc25a4cf
7 changed files with 26 additions and 5 deletions


@ -3223,6 +3223,7 @@ static int apply_mount_namespace(
context->root_verity, context->root_verity,
propagate_dir, propagate_dir,
incoming_dir, incoming_dir,
root_dir || root_image ? params->notify_socket : NULL,
DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK, DISSECT_IMAGE_DISCARD_ON_LOOP|DISSECT_IMAGE_RELAX_VAR_CHECK|DISSECT_IMAGE_FSCK,
error_path); error_path);
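Review bot: The added argument `root_dir || root_image ? params->notify_socket : NULL` relies on `||` binding tighter than `?:`. It evaluates as intended, but parenthesizing the condition would make that obvious: `(root_dir || root_image) ? params->notify_socket : NULL,`. This is also the only place that decides when the socket is bind mounted into the service's root, so a short comment would help, e.g. `/* only needed when the service runs in its own root directory or image */` (wording inferred from the commit message). The call and apply_mount_namespace() itself continue outside the hunk.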


@ -384,6 +384,8 @@ struct ExecParameters {
/* An fd that is closed by the execve(), and thus will result in EOF when the execve() is done */ /* An fd that is closed by the execve(), and thus will result in EOF when the execve() is done */
int exec_fd; int exec_fd;
const char *notify_socket;
}; };
#include "unit.h" #include "unit.h"
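Review bot: The new `const char *notify_socket;` member has no comment, unlike `exec_fd` directly above it. Judging from the service_spawn() change in this commit, it appears to be a borrowed pointer to the manager's socket path, not owned or freed by ExecParameters, and NULL when the unit gets no notification socket. Stating that would save the next reader a lifetime check, e.g. `/* Path of the notification socket to expose in the service's mount namespace, or NULL; borrowed, not freed here */`. The struct begins outside the hunk.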


@ -1302,7 +1302,8 @@ static size_t namespace_calculate_mounts(
const char* var_tmp_dir, const char* var_tmp_dir,
const char *creds_path, const char *creds_path,
const char* log_namespace, const char* log_namespace,
bool setup_propagate) { bool setup_propagate,
const char* notify_socket) {
size_t protect_home_cnt; size_t protect_home_cnt;
size_t protect_system_cnt = size_t protect_system_cnt =
@ -1329,7 +1330,6 @@ static size_t namespace_calculate_mounts(
n_bind_mounts + n_bind_mounts +
n_mount_images + n_mount_images +
n_temporary_filesystems + n_temporary_filesystems +
(setup_propagate ? 1 : 0) + /* /run/systemd/incoming */
ns_info->private_dev + ns_info->private_dev +
(ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) + (ns_info->protect_kernel_tunables ? ELEMENTSOF(protect_kernel_tunables_table) : 0) +
(ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) + (ns_info->protect_kernel_modules ? ELEMENTSOF(protect_kernel_modules_table) : 0) +
@ -1339,7 +1339,9 @@ static size_t namespace_calculate_mounts(
(ns_info->protect_hostname ? 2 : 0) + (ns_info->protect_hostname ? 2 : 0) +
(namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0) + (namespace_info_mount_apivfs(ns_info) ? ELEMENTSOF(apivfs_table) : 0) +
(creds_path ? 2 : 1) + (creds_path ? 2 : 1) +
!!log_namespace; !!log_namespace +
setup_propagate + /* /run/systemd/incoming */
!!notify_socket;
} }
static void normalize_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) { static void normalize_mounts(const char *root_directory, MountEntry *mounts, size_t *n_mounts) {
@ -1491,6 +1493,7 @@ int setup_namespace(
const char *verity_data_path, const char *verity_data_path,
const char *propagate_dir, const char *propagate_dir,
const char *incoming_dir, const char *incoming_dir,
const char *notify_socket,
DissectImageFlags dissect_image_flags, DissectImageFlags dissect_image_flags,
char **error_path) { char **error_path) {
@ -1593,7 +1596,8 @@ int setup_namespace(
tmp_dir, var_tmp_dir, tmp_dir, var_tmp_dir,
creds_path, creds_path,
log_namespace, log_namespace,
setup_propagate); setup_propagate,
notify_socket);
if (n_mounts > 0) { if (n_mounts > 0) {
m = mounts = new0(MountEntry, n_mounts); m = mounts = new0(MountEntry, n_mounts);
@ -1771,6 +1775,14 @@ int setup_namespace(
.read_only = true, .read_only = true,
}; };
if (notify_socket)
*(m++) = (MountEntry) {
.path_const = notify_socket,
.source_const = notify_socket,
.mode = BIND_MOUNT,
.read_only = true,
};
assert(mounts + n_mounts == m); assert(mounts + n_mounts == m);
/* Prepend the root directory where that's necessary */ /* Prepend the root directory where that's necessary */
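Review bot: The `if (notify_socket)` block that appends the bind mount entry has no comment, and `.read_only = true` can be misread as stopping the service from using the socket. As far as I know a read-only bind mount does not prevent connecting or sending to an AF_UNIX socket, so the flag only protects the mount point itself; a line such as `/* Expose the notification socket inside the new root; read-only does not stop clients from sending to it */` would make that explicit. setup_namespace() mounts the path whenever the argument is non-NULL, so the RootDirectory=/RootImage= restriction lives entirely in the caller and deserves a mention in the same comment. The `!!notify_socket` term in namespace_calculate_mounts() must stay paired with this entry, otherwise `assert(mounts + n_mounts == m)` fires. setup_namespace() starts and ends outside these hunks.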


@ -129,6 +129,7 @@ int setup_namespace(
const char *root_verity, const char *root_verity,
const char *propagate_dir, const char *propagate_dir,
const char *incoming_dir, const char *incoming_dir,
const char *notify_socket,
DissectImageFlags dissected_image_flags, DissectImageFlags dissected_image_flags,
char **error_path); char **error_path);


@ -1474,10 +1474,13 @@ static int service_spawn(
if (!our_env) if (!our_env)
return -ENOMEM; return -ENOMEM;
if (service_exec_needs_notify_socket(s, flags)) if (service_exec_needs_notify_socket(s, flags)) {
if (asprintf(our_env + n_env++, "NOTIFY_SOCKET=%s", UNIT(s)->manager->notify_socket) < 0) if (asprintf(our_env + n_env++, "NOTIFY_SOCKET=%s", UNIT(s)->manager->notify_socket) < 0)
return -ENOMEM; return -ENOMEM;
exec_params.notify_socket = UNIT(s)->manager->notify_socket;
}
if (s->main_pid > 0) if (s->main_pid > 0)
if (asprintf(our_env + n_env++, "MAINPID="PID_FMT, s->main_pid) < 0) if (asprintf(our_env + n_env++, "MAINPID="PID_FMT, s->main_pid) < 0)
return -ENOMEM; return -ENOMEM;
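Review bot: `exec_params.notify_socket` is assigned only inside the `service_exec_needs_notify_socket()` branch, while apply_mount_namespace() reads the field whenever a root directory or image is set. The NULL default therefore depends on how `exec_params` is initialized, which is outside this hunk and worth confirming, here and wherever else an ExecParameters is built. A comment on the assignment would tie the two uses together, e.g. `/* Also pass the path down so it can be bind mounted when RootDirectory=/RootImage= is used */`. service_spawn() continues outside the hunk.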


@ -174,6 +174,7 @@ static void test_protect_kernel_logs(void) {
NULL, NULL,
NULL, NULL,
NULL, NULL,
NULL,
0, 0,
NULL); NULL);
assert_se(r == 0); assert_se(r == 0);


@ -89,6 +89,7 @@ int main(int argc, char *argv[]) {
NULL, NULL,
NULL, NULL,
NULL, NULL,
NULL,
0, 0,
NULL); NULL);
if (r < 0) { if (r < 0) {