socket: add option for SO_PASSEC
https://bugzilla.redhat.com/show_bug.cgi?id=798760 (Note that this work is not complete yet, as the kernel seems to send us useless data with SCM_SECURITY enabled)
This commit is contained in:
parent
fa734f4da8
commit
54ecda32c6
2
TODO
2
TODO
|
@ -18,6 +18,8 @@ Bugfixes:
|
||||||
|
|
||||||
Features:
|
Features:
|
||||||
|
|
||||||
|
* journal: extend sd-journal.h logging calls to implicitly log function names/line numbers/...
|
||||||
|
|
||||||
* document crypttab(5)
|
* document crypttab(5)
|
||||||
|
|
||||||
* There's currently no way to cancel fsck (used to be possible via C-c or c on the console)
|
* There's currently no way to cancel fsck (used to be possible via C-c or c on the console)
|
||||||
|
|
|
@ -528,13 +528,24 @@
|
||||||
<term><varname>PassCredentials=</varname></term>
|
<term><varname>PassCredentials=</varname></term>
|
||||||
<listitem><para>Takes a boolean
|
<listitem><para>Takes a boolean
|
||||||
value. This controls the SO_PASSCRED
|
value. This controls the SO_PASSCRED
|
||||||
socket option, which allows UNIX sockets to
|
socket option, which allows AF_UNIX sockets to
|
||||||
receive the credentials of the sending
|
receive the credentials of the sending
|
||||||
process in an ancillary message.
|
process in an ancillary message.
|
||||||
Defaults to
|
Defaults to
|
||||||
<option>false</option>.</para></listitem>
|
<option>false</option>.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><varname>PassSecurity=</varname></term>
|
||||||
|
<listitem><para>Takes a boolean
|
||||||
|
value. This controls the SO_PASSSEC
|
||||||
|
socket option, which allows AF_UNIX
|
||||||
|
sockets to receive the security
|
||||||
|
context of the sending process in an
|
||||||
|
ancillary message. Defaults to
|
||||||
|
<option>false</option>.</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
<varlistentry>
|
<varlistentry>
|
||||||
<term><varname>TCPCongestion=</varname></term>
|
<term><varname>TCPCongestion=</varname></term>
|
||||||
<listitem><para>Takes a string
|
<listitem><para>Takes a string
|
||||||
|
|
|
@ -52,6 +52,7 @@
|
||||||
" <property name=\"Transparent\" type=\"b\" access=\"read\"/>\n" \
|
" <property name=\"Transparent\" type=\"b\" access=\"read\"/>\n" \
|
||||||
" <property name=\"Broadcast\" type=\"b\" access=\"read\"/>\n" \
|
" <property name=\"Broadcast\" type=\"b\" access=\"read\"/>\n" \
|
||||||
" <property name=\"PassCredentials\" type=\"b\" access=\"read\"/>\n" \
|
" <property name=\"PassCredentials\" type=\"b\" access=\"read\"/>\n" \
|
||||||
|
" <property name=\"PassSecurity\" type=\"b\" access=\"read\"/>\n" \
|
||||||
" <property name=\"Mark\" type=\"i\" access=\"read\"/>\n" \
|
" <property name=\"Mark\" type=\"i\" access=\"read\"/>\n" \
|
||||||
" <property name=\"MaxConnections\" type=\"u\" access=\"read\"/>\n" \
|
" <property name=\"MaxConnections\" type=\"u\" access=\"read\"/>\n" \
|
||||||
" <property name=\"NAccepted\" type=\"u\" access=\"read\"/>\n" \
|
" <property name=\"NAccepted\" type=\"u\" access=\"read\"/>\n" \
|
||||||
|
@ -114,6 +115,7 @@ static const BusProperty bus_socket_properties[] = {
|
||||||
{ "Transparent", bus_property_append_bool, "b", offsetof(Socket, transparent) },
|
{ "Transparent", bus_property_append_bool, "b", offsetof(Socket, transparent) },
|
||||||
{ "Broadcast", bus_property_append_bool, "b", offsetof(Socket, broadcast) },
|
{ "Broadcast", bus_property_append_bool, "b", offsetof(Socket, broadcast) },
|
||||||
{ "PassCredentials",bus_property_append_bool, "b", offsetof(Socket, pass_cred) },
|
{ "PassCredentials",bus_property_append_bool, "b", offsetof(Socket, pass_cred) },
|
||||||
|
{ "PassSecurity", bus_property_append_bool, "b", offsetof(Socket, pass_sec) },
|
||||||
{ "Mark", bus_property_append_int, "i", offsetof(Socket, mark) },
|
{ "Mark", bus_property_append_int, "i", offsetof(Socket, mark) },
|
||||||
{ "MaxConnections", bus_property_append_unsigned, "u", offsetof(Socket, max_connections) },
|
{ "MaxConnections", bus_property_append_unsigned, "u", offsetof(Socket, max_connections) },
|
||||||
{ "NConnections", bus_property_append_unsigned, "u", offsetof(Socket, n_connections) },
|
{ "NConnections", bus_property_append_unsigned, "u", offsetof(Socket, n_connections) },
|
||||||
|
|
|
@ -2252,6 +2252,11 @@ static int open_syslog_socket(Server *s) {
|
||||||
return -errno;
|
return -errno;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
one = 1;
|
||||||
|
r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
|
||||||
|
if (r < 0)
|
||||||
|
log_warning("SO_PASSSEC failed: %m");
|
||||||
|
|
||||||
one = 1;
|
one = 1;
|
||||||
r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof(one));
|
r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof(one));
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
|
@ -2308,6 +2313,11 @@ static int open_native_socket(Server*s) {
|
||||||
return -errno;
|
return -errno;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
one = 1;
|
||||||
|
r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
|
||||||
|
if (r < 0)
|
||||||
|
log_warning("SO_PASSSEC failed: %m");
|
||||||
|
|
||||||
one = 1;
|
one = 1;
|
||||||
r = setsockopt(s->native_fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof(one));
|
r = setsockopt(s->native_fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof(one));
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
|
|
|
@ -186,6 +186,7 @@ Socket.FreeBind, config_parse_bool, 0,
|
||||||
Socket.Transparent, config_parse_bool, 0, offsetof(Socket, transparent)
|
Socket.Transparent, config_parse_bool, 0, offsetof(Socket, transparent)
|
||||||
Socket.Broadcast, config_parse_bool, 0, offsetof(Socket, broadcast)
|
Socket.Broadcast, config_parse_bool, 0, offsetof(Socket, broadcast)
|
||||||
Socket.PassCredentials, config_parse_bool, 0, offsetof(Socket, pass_cred)
|
Socket.PassCredentials, config_parse_bool, 0, offsetof(Socket, pass_cred)
|
||||||
|
Socket.PassSecurity, config_parse_bool, 0, offsetof(Socket, pass_sec)
|
||||||
Socket.TCPCongestion, config_parse_string, 0, offsetof(Socket, tcp_congestion)
|
Socket.TCPCongestion, config_parse_string, 0, offsetof(Socket, tcp_congestion)
|
||||||
Socket.MessageQueueMaxMessages, config_parse_long, 0, offsetof(Socket, mq_maxmsg)
|
Socket.MessageQueueMaxMessages, config_parse_long, 0, offsetof(Socket, mq_maxmsg)
|
||||||
Socket.MessageQueueMessageSize, config_parse_long, 0, offsetof(Socket, mq_msgsize)
|
Socket.MessageQueueMessageSize, config_parse_long, 0, offsetof(Socket, mq_msgsize)
|
||||||
|
|
|
@ -180,4 +180,8 @@ static inline pid_t gettid(void) {
|
||||||
return (pid_t) syscall(SYS_gettid);
|
return (pid_t) syscall(SYS_gettid);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
#ifndef SCM_SECURITY
|
||||||
|
#define SCM_SECURITY 0x03
|
||||||
|
#endif
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -417,6 +417,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
|
||||||
"%sTransparent: %s\n"
|
"%sTransparent: %s\n"
|
||||||
"%sBroadcast: %s\n"
|
"%sBroadcast: %s\n"
|
||||||
"%sPassCredentials: %s\n"
|
"%sPassCredentials: %s\n"
|
||||||
|
"%sPassSecurity: %s\n"
|
||||||
"%sTCPCongestion: %s\n",
|
"%sTCPCongestion: %s\n",
|
||||||
prefix, socket_state_to_string(s->state),
|
prefix, socket_state_to_string(s->state),
|
||||||
prefix, socket_result_to_string(s->result),
|
prefix, socket_result_to_string(s->result),
|
||||||
|
@ -429,6 +430,7 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
|
||||||
prefix, yes_no(s->transparent),
|
prefix, yes_no(s->transparent),
|
||||||
prefix, yes_no(s->broadcast),
|
prefix, yes_no(s->broadcast),
|
||||||
prefix, yes_no(s->pass_cred),
|
prefix, yes_no(s->pass_cred),
|
||||||
|
prefix, yes_no(s->pass_sec),
|
||||||
prefix, strna(s->tcp_congestion));
|
prefix, strna(s->tcp_congestion));
|
||||||
|
|
||||||
if (s->control_pid > 0)
|
if (s->control_pid > 0)
|
||||||
|
@ -676,6 +678,12 @@ static void socket_apply_socket_options(Socket *s, int fd) {
|
||||||
log_warning("SO_PASSCRED failed: %m");
|
log_warning("SO_PASSCRED failed: %m");
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (s->pass_sec) {
|
||||||
|
int one = 1;
|
||||||
|
if (setsockopt(fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one)) < 0)
|
||||||
|
log_warning("SO_PASSSEC failed: %m");
|
||||||
|
}
|
||||||
|
|
||||||
if (s->priority >= 0)
|
if (s->priority >= 0)
|
||||||
if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
|
if (setsockopt(fd, SOL_SOCKET, SO_PRIORITY, &s->priority, sizeof(s->priority)) < 0)
|
||||||
log_warning("SO_PRIORITY failed: %m");
|
log_warning("SO_PRIORITY failed: %m");
|
||||||
|
|
|
@ -129,6 +129,7 @@ struct Socket {
|
||||||
bool transparent;
|
bool transparent;
|
||||||
bool broadcast;
|
bool broadcast;
|
||||||
bool pass_cred;
|
bool pass_cred;
|
||||||
|
bool pass_sec;
|
||||||
int priority;
|
int priority;
|
||||||
int mark;
|
int mark;
|
||||||
size_t receive_buffer;
|
size_t receive_buffer;
|
||||||
|
|
|
@ -21,6 +21,7 @@ Wants=syslog.target
|
||||||
ListenDatagram=/run/systemd/journal/syslog
|
ListenDatagram=/run/systemd/journal/syslog
|
||||||
SocketMode=0666
|
SocketMode=0666
|
||||||
PassCredentials=yes
|
PassCredentials=yes
|
||||||
|
PassSecurity=yes
|
||||||
ReceiveBuffer=8M
|
ReceiveBuffer=8M
|
||||||
|
|
||||||
# The default syslog implementation should make syslog.service a
|
# The default syslog implementation should make syslog.service a
|
||||||
|
|
|
@ -23,4 +23,5 @@ ListenDatagram=/run/systemd/journal/socket
|
||||||
ListenDatagram=/dev/log
|
ListenDatagram=/dev/log
|
||||||
SocketMode=0666
|
SocketMode=0666
|
||||||
PassCredentials=yes
|
PassCredentials=yes
|
||||||
|
PassSecurity=yes
|
||||||
ReceiveBuffer=8M
|
ReceiveBuffer=8M
|
||||||
|
|
|
@ -16,3 +16,4 @@ Before=sockets.target
|
||||||
ListenDatagram=/run/systemd/shutdownd
|
ListenDatagram=/run/systemd/shutdownd
|
||||||
SocketMode=0600
|
SocketMode=0600
|
||||||
PassCredentials=yes
|
PassCredentials=yes
|
||||||
|
PassSecurity=yes
|
||||||
|
|
Loading…
Reference in a new issue