f2cb9d17da
This patch fixes an issue where, when not specifiying either at least one `SocketBindAllow` or `SocketBindDeny` rule, behavior for the bind syscall filtering would be unexpected. For example, when trying to bind to a port with only "SocketBindDeny=any" given, the syscall would succeed: > systemd-run -t -p "SocketBindDeny=any" nc -l 8080 Expected with this set of rules (also in accordance with the documentation) would be an Operation not permitted error. This behavior occurs because a default initialized socket_bind_rule struct matches what "any" represents. When creating the bpf list all elements get default initialized, as such represeting "any". Seemingly it is necressarry to set the size of the map to at least one, as such if no allow rule is given default initialization and minimal map size cause one any allow rule to be in the map, causing the behavior observed above. This patch solves this by introducing a new "match nothing" magic stored in the rule's address family and setting such a rule as the first one if no rule is given, making sure that default initialized rule structs are never used. Resolves #30556 |
||
|---|---|---|
| .clusterfuzzlite | ||
| .github | ||
| .semaphore | ||
| catalog | ||
| coccinelle | ||
| docs | ||
| factory | ||
| hwdb.d | ||
| LICENSES | ||
| man | ||
| mime | ||
| mkosi.conf.d | ||
| mkosi.images | ||
| modprobe.d | ||
| network | ||
| pkg | ||
| po | ||
| presets | ||
| rules.d | ||
| shell-completion | ||
| src | ||
| sysctl.d | ||
| sysusers.d | ||
| test | ||
| tmpfiles.d | ||
| tools | ||
| units | ||
| xorg | ||
| .clang-format | ||
| .ctags | ||
| .dir-locals.el | ||
| .editorconfig | ||
| .gitattributes | ||
| .gitignore | ||
| .gitmodules | ||
| .mailmap | ||
| .packit.yml | ||
| .pylintrc | ||
| .vimrc | ||
| .ycm_extra_conf.py | ||
| LICENSE.GPL2 | ||
| LICENSE.LGPL2.1 | ||
| meson_options.txt | ||
| meson.build | ||
| meson.version | ||
| mkosi.conf | ||
| NEWS | ||
| README | ||
| README.md | ||
| TODO | ||
System and Service Manager
Details
Most documentation is available on systemd's web site.
Assorted, older, general information about systemd can be found in the systemd Wiki.
Information about build requirements is provided in the README file.
Consult our NEWS file for information about what's new in the most recent systemd versions.
Please see the Code Map for information about this repository's layout and content.
Please see the Hacking guide for information on how to hack on systemd and test your modifications.
Please see our Contribution Guidelines for more information about filing GitHub Issues and posting GitHub Pull Requests.
When preparing patches for systemd, please follow our Coding Style Guidelines.
If you are looking for support, please contact our mailing list, join our IRC channel #systemd on libera.chat or Matrix channel
Stable branches with backported patches are available in the stable repo.