2020-11-09 05:23:58 +01:00
|
|
|
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
2010-02-03 13:03:47 +01:00
|
|
|
|
2009-11-18 00:42:52 +01:00
|
|
|
#include <errno.h>
|
2015-09-19 00:53:58 +02:00
|
|
|
#include <fcntl.h>
|
2011-10-07 21:06:39 +02:00
|
|
|
#include <sys/mman.h>
|
2015-02-11 18:50:38 +01:00
|
|
|
|
2015-10-27 03:01:06 +01:00
|
|
|
#include "alloc-util.h"
|
2015-09-23 03:01:06 +02:00
|
|
|
#include "build.h"
|
2015-11-16 22:09:36 +01:00
|
|
|
#include "dirent-util.h"
|
2018-11-30 22:08:41 +01:00
|
|
|
#include "env-file.h"
|
2018-09-26 07:15:55 +02:00
|
|
|
#include "env-util.h"
|
2015-10-25 13:14:12 +01:00
|
|
|
#include "fd-util.h"
|
2015-09-19 00:53:58 +02:00
|
|
|
#include "fileio.h"
|
|
|
|
#include "hostname-util.h"
|
2010-02-12 02:01:14 +01:00
|
|
|
#include "log.h"
|
2015-09-19 00:53:58 +02:00
|
|
|
#include "macro.h"
|
2015-10-26 16:18:16 +01:00
|
|
|
#include "parse-util.h"
|
2015-11-16 22:09:36 +01:00
|
|
|
#include "stat-util.h"
|
2015-10-24 22:58:24 +02:00
|
|
|
#include "string-util.h"
|
2015-10-23 18:52:53 +02:00
|
|
|
#include "util.h"
|
2018-01-10 10:36:14 +01:00
|
|
|
#include "virt.h"
|
Systemd is causing mislabeled devices to be created and then attempting to read them.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 07/28/2010 05:57 AM, Kay Sievers wrote:
> On Wed, Jul 28, 2010 at 11:43, Lennart Poettering
> <lennart@poettering.net> wrote:
>> On Mon, 26.07.10 16:42, Daniel J Walsh (dwalsh@redhat.com) wrote:
>>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>>> type=1400 audit(1280174589.476:7): avc: denied { read } for pid=1
>>> comm="systemd" name="autofs" dev=devtmpfs ino=9482
>>> scontext=system_u:system_r:init_t:s0
>>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>>> type=1400 audit(1280174589.476:8): avc: denied { read } for pid=1
>>> comm="systemd" name="autofs" dev=devtmpfs ino=9482
>>> scontext=system_u:system_r:init_t:s0
>>> tcontext=system_u:object_r:device_t:s0 tclass=chr_file
>>>
>>> Lennart, we talked about this earlier. I think this is caused by the
>>> modprobe calls to create /dev/autofs. Since udev is not created at the
>>> point that init loads the kernel modules, the devices get created with
>>> the wrong label. Once udev starts the labels get fixed.
>>>
>>> I can allow init_t to read device_t chr_files.
>>
>> Hmm, I think a cleaner fix would be to make systemd relabel this device
>> properly before accessing it? Given that this is only one device this
>> should not be a problem for us to maintain, I think? How would the
>> fixing of the label work? Would we have to spawn restorecon for this, or
>> can we actually do this in C without too much work?
>
> I guess we can just do what udev is doing, and call setfilecon(), with
> a context of an earlier matchpathcon().
>
> Kay
> _______________________________________________
> systemd-devel mailing list
> systemd-devel@lists.freedesktop.org
> http://lists.freedesktop.org/mailman/listinfo/systemd-devel
Here is the updated patch with a fix for the labeling of /dev/autofs
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.14 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
iEYEARECAAYFAkxQMyoACgkQrlYvE4MpobNviACfWgxsjW2xzz1qznFex8RVAQHf
gIEAmwRmRcLvGqYtwQaZ3WKIg8wmrwNk
=pC2e
2010-07-28 15:39:54 +02:00
|
|
|
|
2011-06-30 04:16:10 +02:00
|
|
|
int saved_argc = 0;
|
|
|
|
char **saved_argv = NULL;
|
2016-06-13 16:28:42 +02:00
|
|
|
static int saved_in_initrd = -1;
|
2012-09-24 14:43:07 +02:00
|
|
|
|
2011-08-22 14:58:50 +02:00
|
|
|
bool kexec_loaded(void) {
|
2017-10-15 23:00:54 +02:00
|
|
|
_cleanup_free_ char *s = NULL;
|
|
|
|
|
|
|
|
if (read_one_line_file("/sys/kernel/kexec_loaded", &s) < 0)
|
|
|
|
return false;
|
|
|
|
|
|
|
|
return s[0] == '1';
|
2011-08-22 14:58:50 +02:00
|
|
|
}
|
2011-09-28 04:25:13 +02:00
|
|
|
|
2011-10-07 21:06:39 +02:00
|
|
|
int prot_from_flags(int flags) {
|
|
|
|
|
|
|
|
switch (flags & O_ACCMODE) {
|
|
|
|
|
|
|
|
case O_RDONLY:
|
|
|
|
return PROT_READ;
|
|
|
|
|
|
|
|
case O_WRONLY:
|
|
|
|
return PROT_WRITE;
|
|
|
|
|
|
|
|
case O_RDWR:
|
|
|
|
return PROT_READ|PROT_WRITE;
|
|
|
|
|
|
|
|
default:
|
|
|
|
return -EINVAL;
|
|
|
|
}
|
2011-10-12 04:42:38 +02:00
|
|
|
}
|
2011-10-12 04:29:11 +02:00
|
|
|
|
2012-05-16 14:22:40 +02:00
|
|
|
bool in_initrd(void) {
|
2012-07-10 18:46:26 +02:00
|
|
|
struct statfs s;
|
2018-09-26 07:15:55 +02:00
|
|
|
int r;
|
2012-05-21 20:00:58 +02:00
|
|
|
|
2016-06-13 16:28:42 +02:00
|
|
|
if (saved_in_initrd >= 0)
|
|
|
|
return saved_in_initrd;
|
2012-07-10 18:46:26 +02:00
|
|
|
|
|
|
|
/* We make two checks here:
|
|
|
|
*
|
|
|
|
* 1. the flag file /etc/initrd-release must exist
|
|
|
|
* 2. the root file system must be a memory file system
|
|
|
|
*
|
|
|
|
* The second check is extra paranoia, since misdetecting an
|
2016-10-02 19:37:21 +02:00
|
|
|
* initrd can have bad consequences due the initrd
|
2012-07-10 18:46:26 +02:00
|
|
|
* emptying when transititioning to the main systemd.
|
|
|
|
*/
|
|
|
|
|
2018-09-26 07:15:55 +02:00
|
|
|
r = getenv_bool_secure("SYSTEMD_IN_INITRD");
|
|
|
|
if (r < 0 && r != -ENXIO)
|
|
|
|
log_debug_errno(r, "Failed to parse $SYSTEMD_IN_INITRD, ignoring: %m");
|
|
|
|
|
|
|
|
if (r >= 0)
|
|
|
|
saved_in_initrd = r > 0;
|
|
|
|
else
|
|
|
|
saved_in_initrd = access("/etc/initrd-release", F_OK) >= 0 &&
|
|
|
|
statfs("/", &s) >= 0 &&
|
|
|
|
is_temporary_fs(&s);
|
2012-05-16 14:22:40 +02:00
|
|
|
|
2016-06-13 16:28:42 +02:00
|
|
|
return saved_in_initrd;
|
|
|
|
}
|
|
|
|
|
|
|
|
void in_initrd_force(bool value) {
|
|
|
|
saved_in_initrd = value;
|
2012-05-16 14:22:40 +02:00
|
|
|
}
|
2012-05-30 15:01:51 +02:00
|
|
|
|
2012-12-25 16:29:51 +01:00
|
|
|
int on_ac_power(void) {
|
|
|
|
bool found_offline = false, found_online = false;
|
|
|
|
_cleanup_closedir_ DIR *d = NULL;
|
2016-12-09 10:04:30 +01:00
|
|
|
struct dirent *de;
|
2012-12-25 16:29:51 +01:00
|
|
|
|
|
|
|
d = opendir("/sys/class/power_supply");
|
|
|
|
if (!d)
|
2015-03-04 01:07:28 +01:00
|
|
|
return errno == ENOENT ? true : -errno;
|
2012-12-25 16:29:51 +01:00
|
|
|
|
2016-12-09 10:04:30 +01:00
|
|
|
FOREACH_DIRENT(de, d, return -errno) {
|
2012-12-25 16:29:51 +01:00
|
|
|
_cleanup_close_ int fd = -1, device = -1;
|
|
|
|
char contents[6];
|
|
|
|
ssize_t n;
|
|
|
|
|
|
|
|
device = openat(dirfd(d), de->d_name, O_DIRECTORY|O_RDONLY|O_CLOEXEC|O_NOCTTY);
|
|
|
|
if (device < 0) {
|
2017-09-29 00:37:23 +02:00
|
|
|
if (IN_SET(errno, ENOENT, ENOTDIR))
|
2012-12-25 16:29:51 +01:00
|
|
|
continue;
|
|
|
|
|
|
|
|
return -errno;
|
|
|
|
}
|
|
|
|
|
|
|
|
fd = openat(device, "type", O_RDONLY|O_CLOEXEC|O_NOCTTY);
|
|
|
|
if (fd < 0) {
|
|
|
|
if (errno == ENOENT)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
return -errno;
|
|
|
|
}
|
|
|
|
|
|
|
|
n = read(fd, contents, sizeof(contents));
|
|
|
|
if (n < 0)
|
|
|
|
return -errno;
|
|
|
|
|
|
|
|
if (n != 6 || memcmp(contents, "Mains\n", 6))
|
|
|
|
continue;
|
|
|
|
|
2014-03-18 19:22:43 +01:00
|
|
|
safe_close(fd);
|
2012-12-25 16:29:51 +01:00
|
|
|
fd = openat(device, "online", O_RDONLY|O_CLOEXEC|O_NOCTTY);
|
|
|
|
if (fd < 0) {
|
|
|
|
if (errno == ENOENT)
|
|
|
|
continue;
|
|
|
|
|
|
|
|
return -errno;
|
|
|
|
}
|
|
|
|
|
|
|
|
n = read(fd, contents, sizeof(contents));
|
|
|
|
if (n < 0)
|
|
|
|
return -errno;
|
|
|
|
|
|
|
|
if (n != 2 || contents[1] != '\n')
|
|
|
|
return -EIO;
|
|
|
|
|
|
|
|
if (contents[0] == '1') {
|
|
|
|
found_online = true;
|
|
|
|
break;
|
|
|
|
} else if (contents[0] == '0')
|
|
|
|
found_offline = true;
|
|
|
|
else
|
|
|
|
return -EIO;
|
|
|
|
}
|
|
|
|
|
|
|
|
return found_online || !found_offline;
|
|
|
|
}
|
2013-02-11 23:48:36 +01:00
|
|
|
|
2013-12-13 22:02:47 +01:00
|
|
|
int container_get_leader(const char *machine, pid_t *pid) {
|
|
|
|
_cleanup_free_ char *s = NULL, *class = NULL;
|
|
|
|
const char *p;
|
|
|
|
pid_t leader;
|
|
|
|
int r;
|
|
|
|
|
|
|
|
assert(machine);
|
|
|
|
assert(pid);
|
|
|
|
|
2018-07-17 12:23:26 +02:00
|
|
|
if (streq(machine, ".host")) {
|
|
|
|
*pid = 1;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2020-12-11 16:40:45 +01:00
|
|
|
if (!hostname_is_valid(machine, 0))
|
2015-08-23 14:33:50 +02:00
|
|
|
return -EINVAL;
|
|
|
|
|
2015-02-03 02:05:59 +01:00
|
|
|
p = strjoina("/run/systemd/machines/", machine);
|
2018-11-12 14:18:03 +01:00
|
|
|
r = parse_env_file(NULL, p,
|
|
|
|
"LEADER", &s,
|
|
|
|
"CLASS", &class);
|
2013-12-13 22:02:47 +01:00
|
|
|
if (r == -ENOENT)
|
|
|
|
return -EHOSTDOWN;
|
|
|
|
if (r < 0)
|
|
|
|
return r;
|
|
|
|
if (!s)
|
|
|
|
return -EIO;
|
|
|
|
|
|
|
|
if (!streq_ptr(class, "container"))
|
|
|
|
return -EIO;
|
|
|
|
|
|
|
|
r = parse_pid(s, &leader);
|
|
|
|
if (r < 0)
|
|
|
|
return r;
|
|
|
|
if (leader <= 1)
|
|
|
|
return -EIO;
|
|
|
|
|
|
|
|
*pid = leader;
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2015-09-23 03:01:06 +02:00
|
|
|
int version(void) {
|
2020-12-03 11:12:59 +01:00
|
|
|
printf("systemd " STRINGIFY(PROJECT_VERSION) " (" GIT_VERSION ")\n%s\n",
|
|
|
|
systemd_features);
|
2015-09-23 03:01:06 +02:00
|
|
|
return 0;
|
|
|
|
}
|
2017-12-23 15:02:58 +01:00
|
|
|
|
|
|
|
/* This is a direct translation of str_verscmp from boot.c */
|
|
|
|
static bool is_digit(int c) {
|
|
|
|
return c >= '0' && c <= '9';
|
|
|
|
}
|
|
|
|
|
|
|
|
static int c_order(int c) {
|
|
|
|
if (c == 0 || is_digit(c))
|
|
|
|
return 0;
|
|
|
|
|
|
|
|
if ((c >= 'a') && (c <= 'z'))
|
|
|
|
return c;
|
|
|
|
|
|
|
|
return c + 0x10000;
|
|
|
|
}
|
|
|
|
|
|
|
|
int str_verscmp(const char *s1, const char *s2) {
|
|
|
|
const char *os1, *os2;
|
|
|
|
|
|
|
|
assert(s1);
|
|
|
|
assert(s2);
|
|
|
|
|
|
|
|
os1 = s1;
|
|
|
|
os2 = s2;
|
|
|
|
|
|
|
|
while (*s1 || *s2) {
|
|
|
|
int first;
|
|
|
|
|
|
|
|
while ((*s1 && !is_digit(*s1)) || (*s2 && !is_digit(*s2))) {
|
|
|
|
int order;
|
|
|
|
|
|
|
|
order = c_order(*s1) - c_order(*s2);
|
|
|
|
if (order != 0)
|
|
|
|
return order;
|
|
|
|
s1++;
|
|
|
|
s2++;
|
|
|
|
}
|
|
|
|
|
|
|
|
while (*s1 == '0')
|
|
|
|
s1++;
|
|
|
|
while (*s2 == '0')
|
|
|
|
s2++;
|
|
|
|
|
|
|
|
first = 0;
|
|
|
|
while (is_digit(*s1) && is_digit(*s2)) {
|
|
|
|
if (first == 0)
|
|
|
|
first = *s1 - *s2;
|
|
|
|
s1++;
|
|
|
|
s2++;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (is_digit(*s1))
|
|
|
|
return 1;
|
|
|
|
if (is_digit(*s2))
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
if (first != 0)
|
|
|
|
return first;
|
|
|
|
}
|
|
|
|
|
|
|
|
return strcmp(os1, os2);
|
|
|
|
}
|
2018-01-10 10:36:14 +01:00
|
|
|
|
|
|
|
/* Turn off core dumps but only if we're running outside of a container. */
|
2018-01-10 18:37:54 +01:00
|
|
|
void disable_coredumps(void) {
|
|
|
|
int r;
|
|
|
|
|
|
|
|
if (detect_container() > 0)
|
|
|
|
return;
|
|
|
|
|
2018-11-06 13:00:07 +01:00
|
|
|
r = write_string_file("/proc/sys/kernel/core_pattern", "|/bin/false", WRITE_STRING_FILE_DISABLE_BUFFER);
|
2018-01-10 18:37:54 +01:00
|
|
|
if (r < 0)
|
|
|
|
log_debug_errno(r, "Failed to turn off coredumps, ignoring: %m");
|
2018-01-10 10:36:14 +01:00
|
|
|
}
|