picnoir
/
Systemd
1
0
Fork 0
Code Issues Pull Requests Projects Releases Wiki Activity

Merge pull request #3764 from poettering/assorted-stuff-2 

Assorted fixes
This commit is contained in:
Martin Pitt 2016-07-22 09:10:04 +02:00 committed by GitHub
parent 31d28eabc1 c0f81393d1
commit 5c3c778014
9 changed files with 31 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
src/basic/nss-util.h
View File

@ -137,7 +137,7 @@ enum nss_status _nss_##module##_getpwnam_r( \
struct passwd *pwd, \
char *buffer, size_t buflen, \
int *errnop) _public_; \
enum nss_status _nss_mymachines_getpwuid_r( \
enum nss_status _nss_##module##_getpwuid_r( \
uid_t uid, \
struct passwd *pwd, \
char *buffer, size_t buflen, \

8
src/core/execute.c
View File

@ -290,10 +290,10 @@ static int connect_journal_socket(int fd, uid_t uid, gid_t gid) {
}
static int connect_logger_as(
Unit *unit,
const ExecContext *context,
ExecOutput output,
const char *ident,
const char *unit_id,
int nfd,
uid_t uid,
gid_t gid) {
@ -329,7 +329,7 @@ static int connect_logger_as(
"%i\n"
"%i\n",
context->syslog_identifier ? context->syslog_identifier : ident,
unit_id,
unit->id,
context->syslog_priority,
!!context->syslog_level_prefix,
output == EXEC_OUTPUT_SYSLOG || output == EXEC_OUTPUT_SYSLOG_AND_CONSOLE,
@ -544,7 +544,7 @@ static int setup_output(
case EXEC_OUTPUT_KMSG_AND_CONSOLE:
case EXEC_OUTPUT_JOURNAL:
case EXEC_OUTPUT_JOURNAL_AND_CONSOLE:
r = connect_logger_as(context, o, ident, unit->id, fileno, uid, gid);
r = connect_logger_as(unit, context, o, ident, fileno, uid, gid);
if (r < 0) {
log_unit_error_errno(unit, r, "Failed to connect %s to the journal socket, ignoring: %m", fileno == STDOUT_FILENO ? "stdout" : "stderr");
r = open_null_as(O_WRONLY, fileno);
@ -3062,7 +3062,7 @@ int exec_runtime_make(ExecRuntime **rt, ExecContext *c, const char *id) {
return r;
if (c->private_network && (*rt)->netns_storage_socket[0] < 0) {
if (socketpair(AF_UNIX, SOCK_DGRAM, 0, (*rt)->netns_storage_socket) < 0)
if (socketpair(AF_UNIX, SOCK_DGRAM|SOCK_CLOEXEC, 0, (*rt)->netns_storage_socket) < 0)
return -errno;
}

6
src/core/execute.h
View File

@ -30,6 +30,7 @@ typedef struct ExecParameters ExecParameters;
#include <stdio.h>
#include <sys/capability.h>
#include "cgroup-util.h"
#include "fdset.h"
#include "list.h"
#include "missing.h"
@ -203,9 +204,6 @@ struct ExecContext {
bool no_new_privileges_set:1;
};
#include "cgroup-util.h"
#include "cgroup.h"
struct ExecParameters {
char **argv;
char **environment;
@ -236,6 +234,8 @@ struct ExecParameters {
int stderr_fd;
};
#include "unit.h"
int exec_spawn(Unit *unit,
ExecCommand *command,
const ExecContext *context,

2
src/core/namespace.c
View File

@ -642,7 +642,7 @@ int setup_netns(int netns_storage_socket[2]) {
}
fail:
lockf(netns_storage_socket[0], F_ULOCK, 0);
(void) lockf(netns_storage_socket[0], F_ULOCK, 0);
return r;
}

2
src/core/scope.h
View File

@ -21,7 +21,9 @@
typedef struct Scope Scope;
#include "cgroup.h"
#include "kill.h"
#include "unit.h"
typedef enum ScopeResult {
SCOPE_SUCCESS,

23
src/nspawn/nspawn-mount.c
View File

@ -297,18 +297,19 @@ int mount_all(const char *dest,
} MountPoint;
static const MountPoint mount_table[] = {
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true, true, false },
{ "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true, true, false }, /* Bind mount first */
{ NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, true, true, false }, /* Then, make it r/o */
{ "tmpfs", "/sys", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV, true, false, true },
{ "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true, false, false },
{ "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true, false, false },
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false },
{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false },
{ "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, true, false, false },
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV, true, true, false },
{ "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND, true, true, false }, /* Bind mount first ...*/
{ "/proc/sys/net", "/proc/sys/net", NULL, NULL, MS_BIND, true, true, true }, /* (except for this) */
{ NULL, "/proc/sys", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, true, true, false }, /* ... then, make it r/o */
{ "tmpfs", "/sys", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV, true, false, true },
{ "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV, true, false, false },
{ "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME, true, false, false },
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false },
{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, true, false, false },
{ "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_STRICTATIME, true, false, false },
#ifdef HAVE_SELINUX
{ "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false, false, false }, /* Bind mount first */
{ NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, false, false, false }, /* Then, make it r/o */
{ "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND, false, false, false }, /* Bind mount first */
{ NULL, "/sys/fs/selinux", NULL, NULL, MS_BIND|MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_REMOUNT, false, false, false }, /* Then, make it r/o */
#endif
};

5
src/nspawn/nspawn.c
View File

@ -101,9 +101,11 @@
#include "util.h"
/* Note that devpts's gid= parameter parses GIDs as signed values, hence we stay away from the upper half of the 32bit
* UID range here */
* UID range here. We leave a bit of room at the lower end and a lot of room at the upper end, so that other subsystems
* may have their own allocation ranges too. */
#define UID_SHIFT_PICK_MIN ((uid_t) UINT32_C(0x00080000))
#define UID_SHIFT_PICK_MAX ((uid_t) UINT32_C(0x6FFF0000))
/* nspawn is listening on the socket at the path in the constant nspawn_notify_socket_path
* nspawn_notify_socket_path is relative to the container
* the init process in the container pid can send messages to nspawn following the sd_notify(3) protocol */
@ -277,7 +279,6 @@ static void help(void) {
, program_invocation_short_name);
}
static int custom_mounts_prepare(void) {
unsigned i;
int r;

6
src/shared/conf-parser.c
View File

@ -708,6 +708,7 @@ int config_parse_strv(const char *unit,
void *userdata) {
char ***sv = data;
int r;
assert(filename);
assert(lvalue);
@ -721,18 +722,19 @@ int config_parse_strv(const char *unit,
* we actually fill in a real empty array here rather
* than NULL, since some code wants to know if
* something was set at all... */
empty = strv_new(NULL, NULL);
empty = new0(char*, 1);
if (!empty)
return log_oom();
strv_free(*sv);
*sv = empty;
return 0;
}
for (;;) {
char *word = NULL;
int r;
r = extract_first_word(&rvalue, &word, WHITESPACE, EXTRACT_QUOTES|EXTRACT_RETAIN_ESCAPE);
if (r == 0)
break;

2
units/systemd-nspawn@.service.in
View File

@ -20,7 +20,7 @@ RestartForceExitStatus=133
SuccessExitStatus=133
Slice=machine.slice
Delegate=yes
TasksMax=8192
TasksMax=16384
# Enforce a strict device policy, similar to the one nspawn configures
# when it allocates its own scope unit. Make sure to keep these