From 065b47749df8bc1280b733e0bb8371c2a626d8e2 Mon Sep 17 00:00:00 2001
From: Lennart Poettering
Date: Tue, 22 Sep 2020 14:13:18 +0200
Subject: [PATCH] tree-wide: use ERRNO_IS_PRIVILEGE() whereever appropriate

---
 src/core/cgroup.c | 2 +-
 src/core/execute.c | 4 ++--
 src/libsystemd/sd-bus/bus-creds.c | 13 +++++++------
 src/nspawn/nspawn.c | 2 +-
 src/shared/mount-util.c | 7 ++++---
 5 files changed, 15 insertions(+), 13 deletions(-)

diff --git a/src/core/cgroup.c b/src/core/cgroup.c
index 8b97d1514e..211e4a5945 100644
--- a/src/core/cgroup.c
+++ b/src/core/cgroup.c
@@ -1977,7 +1977,7 @@ int unit_attach_pids_to_cgroup(Unit *u, Set *pids, const char *suffix_path) {
 if (q < 0) {
 log_unit_debug_errno(u, q, "Couldn't move process " PID_FMT " to requested cgroup '%s': %m", pid, p);
- if (MANAGER_IS_USER(u->manager) && IN_SET(q, -EPERM, -EACCES)) {
+ if (MANAGER_IS_USER(u->manager) && ERRNO_IS_PRIVILEGE(q)) {
 int z;
 /* If we are in a user instance, and we can't move the process ourselves due to
diff --git a/src/core/execute.c b/src/core/execute.c
index be35093969..07a4d3610f 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -3324,7 +3324,7 @@ static int setup_keyring(
 if (keyring == -1) {
 if (errno == ENOSYS)
 log_unit_debug_errno(u, errno, "Kernel keyring not supported, ignoring.");
- else if (IN_SET(errno, EACCES, EPERM))
+ else if (ERRNO_IS_PRIVILEGE(errno))
 log_unit_debug_errno(u, errno, "Kernel keyring access prohibited, ignoring.");
 else if (errno == EDQUOT)
 log_unit_debug_errno(u, errno, "Out of kernel keyrings to allocate, ignoring.");
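Review bot: `ERRNO_IS_PRIVILEGE(q)` on the changed line receives a negative errno, while the setup_keyring() hunks in execute.c and nspawn.c pass it a positive `errno`; the substitution is only equivalent to the old IN_SET() checks if the helper normalizes the sign (abs()), which errno-util.h does as far as I recall, but its definition is not part of this patch and is worth confirming. Separately, only bus-creds.c gains an explicit `#include "errno-util.h"`; cgroup.c, execute.c, nspawn.c and mount-util.c start using the helper without one, so if they currently get the header only transitively an explicit include would keep them self-contained. unit_attach_pids_to_cgroup() begins and ends outside this hunk.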
@@ -3863,7 +3863,7 @@ static int exec_child(
 /* When we can't make this change due to EPERM, then let's silently skip over it. User namespaces
 * prohibit write access to this file, and we shouldn't trip up over that. */
 r = set_oom_score_adjust(context->oom_score_adjust);
- if (IN_SET(r, -EPERM, -EACCES))
+ if (ERRNO_IS_PRIVILEGE(r))
 log_unit_debug_errno(unit, r, "Failed to adjust OOM setting, assuming containerized execution, ignoring: %m");
 else if (r < 0) {
 *exit_status = EXIT_OOM_ADJUST;
diff --git a/src/libsystemd/sd-bus/bus-creds.c b/src/libsystemd/sd-bus/bus-creds.c
index 2740be9226..88d679f64c 100644
--- a/src/libsystemd/sd-bus/bus-creds.c
+++ b/src/libsystemd/sd-bus/bus-creds.c
@@ -11,6 +11,7 @@
 #include "bus-util.h"
 #include "capability-util.h"
 #include "cgroup-util.h"
+#include "errno-util.h"
 #include "fd-util.h"
 #include "fileio.h"
 #include "format-util.h"
@@ -801,7 +802,7 @@ int bus_creds_add_more(sd_bus_creds *c, uint64_t mask, pid_t pid, pid_t tid) {
 if (!f) {
 if (errno == ENOENT)
 return -ESRCH;
- else if (!IN_SET(errno, EPERM, EACCES))
+ else if (!ERRNO_IS_PRIVILEGE(errno))
 return -errno;
 } else {
@@ -973,7 +974,7 @@ int bus_creds_add_more(sd_bus_creds *c, uint64_t mask, pid_t pid, pid_t tid) {
 if (missing & SD_BUS_CREDS_COMM) {
 r = get_process_comm(pid, &c->comm);
 if (r < 0) {
- if (!IN_SET(r, -EPERM, -EACCES))
+ if (!ERRNO_IS_PRIVILEGE(r))
 return r;
 } else
 c->mask |= SD_BUS_CREDS_COMM;
@@ -992,7 +993,7 @@ int bus_creds_add_more(sd_bus_creds *c, uint64_t mask, pid_t pid, pid_t tid) {
 c->exe = NULL;
 c->mask |= SD_BUS_CREDS_EXE;
 } else if (r < 0) {
- if (!IN_SET(r, -EPERM, -EACCES))
+ if (!ERRNO_IS_PRIVILEGE(r))
 return r;
 } else
 c->mask |= SD_BUS_CREDS_EXE;
@@ -1006,7 +1007,7 @@ int bus_creds_add_more(sd_bus_creds *c, uint64_t mask, pid_t pid, pid_t tid) {
 if (r == -ENOENT)
 return -ESRCH;
 if (r < 0) {
- if (!IN_SET(r, -EPERM, -EACCES))
+ if (!ERRNO_IS_PRIVILEGE(r))
 return r;
 } else {
 if (c->cmdline_size == 0)
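Review bot: On the changed line `ERRNO_IS_PRIVILEGE(r)` is evaluated before the `r < 0` test, unlike every other call site in this patch, which checks `r < 0` (or `q < 0`) first. If the helper compares abs(r), a non-negative return of 1 or 13 from set_oom_score_adjust() would be logged as a privilege failure rather than treated as success; that is harmless as long as the function only returns 0 or a negative errno, but the guard is cheap and keeps the sites consistent: `if (r < 0 && ERRNO_IS_PRIVILEGE(r))`. exec_child() begins and ends outside this hunk.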
@@ -1026,7 +1027,7 @@ int bus_creds_add_more(sd_bus_creds *c, uint64_t mask, pid_t pid, pid_t tid) {
 if (r == -ENOENT)
 return -ESRCH;
 if (r < 0) {
- if (!IN_SET(r, -EPERM, -EACCES))
+ if (!ERRNO_IS_PRIVILEGE(r))
 return r;
 } else
 c->mask |= SD_BUS_CREDS_TID_COMM;
@@ -1037,7 +1038,7 @@ int bus_creds_add_more(sd_bus_creds *c, uint64_t mask, pid_t pid, pid_t tid) {
 if (!c->cgroup) {
 r = cg_pid_get_path(NULL, pid, &c->cgroup);
 if (r < 0) {
- if (!IN_SET(r, -EPERM, -EACCES))
+ if (!ERRNO_IS_PRIVILEGE(r))
 return r;
 }
 }
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 42ba0f5e47..9ab131ef9b 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2335,7 +2335,7 @@ static int setup_keyring(void) {
 if (keyring == -1) {
 if (errno == ENOSYS)
 log_debug_errno(errno, "Kernel keyring not supported, ignoring.");
- else if (IN_SET(errno, EACCES, EPERM))
+ else if (ERRNO_IS_PRIVILEGE(errno))
 log_debug_errno(errno, "Kernel keyring access prohibited, ignoring.");
 else
 return log_error_errno(errno, "Setting up kernel keyring failed: %m");
diff --git a/src/shared/mount-util.c b/src/shared/mount-util.c
index 4d40acfb4c..53fb46e7bc 100644
--- a/src/shared/mount-util.c
+++ b/src/shared/mount-util.c
@@ -282,7 +282,10 @@ int bind_remount_recursive_with_mountinfo(
 r = path_is_mount_point(x, NULL, 0);
 if (IN_SET(r, 0, -ENOENT))
 continue;
- if (IN_SET(r, -EACCES, -EPERM)) {
+ if (r < 0) {
+ if (!ERRNO_IS_PRIVILEGE(r))
+ return r;
+
 /* Even if root user invoke this, submounts under private FUSE or NFS mount points
 * may not be acceessed. E.g.,
 *
@@ -294,8 +297,6 @@ int bind_remount_recursive_with_mountinfo(
 log_debug_errno(r, "Failed to determine '%s' is mount point or not, ignoring: %m", x);
 continue;
 }
- if (r < 0)
- return r;
 /* Try to reuse the original flag set */
 orig_flags = 0;