Merge pull request #16424 from keszybz/cap-bpf-compat

Handle new capabilities gracefully
Merge pull request #16426 from cgzones/run_user_label
2020-07-11 13:35:34 +02:00 · 2020-07-11 13:32:00 +02:00 · 2020-07-11 13:26:52 +02:00 · 2020-07-11 00:09:05 +02:00 · 2020-07-10 21:55:13 +02:00 · 2020-07-10 21:55:13 +02:00
31 changed files with 89 additions and 67 deletions
--- a/man/homectl.xml
+++ b/man/homectl.xml
@ -437,7 +437,7 @@
        <listitem><para>Each of these options takes a time span specification as argument (in the syntax
        documented in
-        <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>5</manvolnum></citerefentry>) and
+        <citerefentry><refentrytitle>systemd.time</refentrytitle><manvolnum>7</manvolnum></citerefentry>) and
        configures various aspects of the user's password expiration policy. Specifically,
        <option>--password-change-min=</option> configures how much time has to pass after changing the
        password of the user until the password may be changed again. If the user tries to change their
--- a/man/journal-remote.conf.xml
+++ b/man/journal-remote.conf.xml
@ -39,7 +39,7 @@
    <para>These files configure various parameters of
    <citerefentry><refentrytitle>systemd-journal-remote.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
    See
-    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    for a general description of the syntax.</para>
  </refsect1>
--- a/man/journal-upload.conf.xml
+++ b/man/journal-upload.conf.xml
@ -34,7 +34,7 @@
    <para>These files configure various parameters of
    <citerefentry><refentrytitle>systemd-journal-upload.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
    See
-    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    for a general description of the syntax.</para>
  </refsect1>
--- a/man/journalctl.xml
+++ b/man/journalctl.xml
@ -1022,7 +1022,7 @@ journalctl _SYSTEMD_CGROUP=/user.slice/user-42.slice/session-c1.scope</programli
  + OBJECT_SYSTEMD_UNIT=<replaceable>name</replaceable>.service _UID=0
  + COREDUMP_UNIT=<replaceable>name</replaceable>.service _UID=0 MESSAGE_ID=fc2e22bc6ee647b6b90729ab34a250b1
    </programlisting>
-    (see <citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    (see <citerefentry><refentrytitle>systemd.journal-fields</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    for an explanation of those patterns).
    </para>
--- a/man/journald.conf.xml
+++ b/man/journald.conf.xml
@ -36,7 +36,7 @@
    <para>These files configure various parameters of the systemd journal service,
    <citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
    See
-    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    for a general description of the syntax.</para>
    <para>The <command>systemd-journald</command> instance managing the default namespace is configured by
--- a/man/logind.conf.xml
+++ b/man/logind.conf.xml
@ -36,7 +36,7 @@
    <para>These files configure various parameters of the systemd login manager,
    <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>. See
-    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    for a general description of the syntax.</para>
  </refsect1>
--- a/man/systemd-bless-boot.service.xml
+++ b/man/systemd-bless-boot.service.xml
@ -106,7 +106,7 @@
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd-boot</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+      <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    </para>
  </refsect1>
--- a/man/systemd-boot-check-no-failures.service.xml
+++ b/man/systemd-boot-check-no-failures.service.xml
@ -45,7 +45,7 @@
    <title>See Also</title>
    <para>
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+      <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    </para>
  </refsect1>
--- a/man/systemd-environment-d-generator.xml
+++ b/man/systemd-environment-d-generator.xml
@ -46,7 +46,7 @@
      <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.environment-generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+      <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    </para>
  </refsect1>
--- a/man/systemd-sleep.conf.xml
+++ b/man/systemd-sleep.conf.xml
@ -95,7 +95,7 @@
    <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>
    attempts to suspend or hibernate the machine.
    See
-    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    for a general description of the syntax.</para>
  </refsect1>
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@ -48,7 +48,7 @@
    <filename>user.conf.d</filename> directories. These configuration
    files contain a few settings controlling basic manager
    operations. See
-    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    for a general description of the syntax.</para>
  </refsect1>
--- a/man/systemd-sysv-generator.xml
+++ b/man/systemd-sysv-generator.xml
@ -43,7 +43,7 @@
    <literal>$named</literal>, <literal>$portmap</literal>,
    <literal>$time</literal> are supported and will be turned into
    dependencies on specific native systemd targets.  See
-    <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    for more details.</para>
    <para>SysV runlevels have corresponding systemd targets
--- a/man/systemd-xdg-autostart-generator.xml
+++ b/man/systemd-xdg-autostart-generator.xml
@ -38,7 +38,7 @@
    <para>Units created by <filename>systemd-xdg-autostart-generator</filename>
    can be started by the desktop environment using <literal>xdg-desktop-autostart.target</literal>.
    See
-    <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    for more details.</para>
    <para><filename>systemd-xdg-autostart-generator</filename> implements
--- a/man/systemd.link.xml
+++ b/man/systemd.link.xml
@ -29,7 +29,7 @@
    <para>A plain ini-style text file that encodes configuration for matching network devices, used by
    <citerefentry><refentrytitle>systemd-udevd</refentrytitle><manvolnum>8</manvolnum></citerefentry> and in
    particular its <command>net_setup_link</command> builtin. See
-    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry> for a
+    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry> for a
    general description of the syntax.</para>
    <para>The link files are read from the files located in the system
--- a/man/systemd.netdev.xml
+++ b/man/systemd.netdev.xml
@ -29,7 +29,7 @@
    <para>A plain ini-style text file that encodes configuration about a virtual network device, used by
    <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
-    See <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    See <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    for a general description of the syntax.</para>
    <para>The main Virtual Network Device file must have the extension <filename>.netdev</filename>;
--- a/man/systemd.network.xml
+++ b/man/systemd.network.xml
@ -31,7 +31,7 @@
    <para>A plain ini-style text file that encodes network configuration for matching network interfaces,
    used by
    <citerefentry><refentrytitle>systemd-networkd</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
-    See <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    See <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    for a general description of the syntax.</para>
    <para>The main network file must have the extension <filename>.network</filename>; other
--- a/man/systemd.slice.xml
+++ b/man/systemd.slice.xml
@ -43,12 +43,12 @@
    <para>By default, service and scope units are placed in
    <filename>system.slice</filename>, virtual machines and containers
    registered with
-    <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+    <citerefentry><refentrytitle>systemd-machined</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    are found in <filename>machine.slice</filename>, and user sessions
    handled by
-    <citerefentry><refentrytitle>systemd-logind</refentrytitle><manvolnum>1</manvolnum></citerefentry>
+    <citerefentry><refentrytitle>systemd-logind</refentrytitle><manvolnum>8</manvolnum></citerefentry>
    in <filename>user.slice</filename>. See
-    <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    for more information.</para>
    <para>See
--- a/man/systemd.unit.xml
+++ b/man/systemd.unit.xml
@ -81,7 +81,7 @@
    target, a watched file system path, a timer controlled and supervised by
    <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>, a
    resource management slice or a group of externally created processes. See
-    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    for a general description of the syntax.</para>
    <para>This man page lists the common configuration options of all
--- a/man/systemd.xml
+++ b/man/systemd.xml
@ -1259,7 +1259,7 @@
      <citerefentry><refentrytitle>sd-daemon</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>org.freedesktop.systemd1</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
-      <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+      <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
      <citerefentry project='die-net'><refentrytitle>pkg-config</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
      <citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
      <citerefentry project='man-pages'><refentrytitle>bootup</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
--- a/man/timesyncd.conf.xml
+++ b/man/timesyncd.conf.xml
@ -32,7 +32,7 @@
    <title>Description</title>
    <para>These configuration files control NTP network time synchronization. See
-    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+    <citerefentry><refentrytitle>systemd.syntax</refentrytitle><manvolnum>7</manvolnum></citerefentry>
    for a general description of the syntax.</para>
  </refsect1>
--- a/man/user@.service.xml
+++ b/man/user@.service.xml
@ -39,7 +39,7 @@
    hierarchy of units specific to that user. See
    <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry> for a
    discussion of units and
-    <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>1</manvolnum></citerefentry> for a
+    <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry> for a
    list of units that form the basis of the unit hierarchies of system and user units.</para>
    <para><filename>user@<replaceable>UID</replaceable>.service</filename> is accompanied by the
@ -60,7 +60,7 @@
    <para>Individual <filename>user-<replaceable>UID</replaceable>.slice</filename> slices are
    collected under <filename>user.slice</filename>, see
-    <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
+    <citerefentry><refentrytitle>systemd.special</refentrytitle><manvolnum>7</manvolnum></citerefentry>.
    </para>
  </refsect1>
--- a/src/basic/cap-list.c
+++ b/src/basic/cap-list.c
@ -9,6 +9,7 @@
 #include "extract-word.h"
 #include "macro.h"
 #include "parse-util.h"
 #include "stdio-util.h"
 #include "util.h"
 static const struct capability_name* lookup_capability(register const char *str, register GPERF_LEN_TYPE len);
@ -17,7 +18,6 @@ static const struct capability_name* lookup_capability(register const char *str,
 #include "cap-to-name.h"
 const char *capability_to_name(int id) {
        if (id < 0)
                return NULL;
@ -36,7 +36,7 @@ int capability_from_name(const char *name) {
        /* Try to parse numeric capability */
        r = safe_atoi(name, &i);
        if (r >= 0) {
-                if (i >= 0 && (size_t) i < ELEMENTSOF(capability_names))
+                if (i >= 0 && i < 64)
                        return i;
                else
                        return -EINVAL;
@ -56,19 +56,21 @@ int capability_list_length(void) {
 int capability_set_to_string_alloc(uint64_t set, char **s) {
        _cleanup_free_ char *str = NULL;
        unsigned long i;
        size_t allocated = 0, n = 0;
        assert(s);
-        for (i = 0; i <= cap_last_cap(); i++)
+        for (unsigned i = 0; i <= cap_last_cap(); i++)
                if (set & (UINT64_C(1) << i)) {
                        const char *p;
                        char buf[2 + 16 + 1];
                        size_t add;
                        p = capability_to_name(i);
-                        if (!p)
+                        if (!p) {
-                                return -EINVAL;
+                                xsprintf(buf, "0x%x", i);
                                p = buf;
                        }
                        add = strlen(p);
@ -91,11 +93,10 @@ int capability_set_to_string_alloc(uint64_t set, char **s) {
 int capability_set_from_string(const char *s, uint64_t *set) {
        uint64_t val = 0;
        const char *p;
        assert(set);
-        for (p = s;;) {
+        for (const char *p = s;;) {
                _cleanup_free_ char *word = NULL;
                int r;
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@ -31,8 +31,8 @@ int have_effective_cap(int value) {
        return fv == CAP_SET;
 }
-unsigned long cap_last_cap(void) {
+unsigned cap_last_cap(void) {
-        static thread_local unsigned long saved;
+        static thread_local unsigned saved;
        static thread_local bool valid = false;
        _cleanup_free_ char *content = NULL;
        unsigned long p = 0;
@ -65,7 +65,7 @@ unsigned long cap_last_cap(void) {
        if (prctl(PR_CAPBSET_READ, p) < 0) {
                /* Hmm, look downwards, until we find one that works */
-                for (p--; p > 0; p --)
+                for (p--; p > 0; p--)
                        if (prctl(PR_CAPBSET_READ, p) >= 0)
                                break;
@ -84,12 +84,10 @@ unsigned long cap_last_cap(void) {
 }
 int capability_update_inherited_set(cap_t caps, uint64_t set) {
        unsigned long i;
        /* Add capabilities in the set to the inherited caps, drops capabilities not in the set.
         * Do not apply them yet. */
-        for (i = 0; i <= cap_last_cap(); i++) {
+        for (unsigned i = 0; i <= cap_last_cap(); i++) {
                cap_flag_value_t flag = set & (UINT64_C(1) << i) ? CAP_SET : CAP_CLEAR;
                cap_value_t v;
@ -104,11 +102,10 @@ int capability_update_inherited_set(cap_t caps, uint64_t set) {
 int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
        _cleanup_cap_free_ cap_t caps = NULL;
        unsigned long i;
        int r;
        /* Remove capabilities requested in ambient set, but not in the bounding set */
-        for (i = 0; i <= cap_last_cap(); i++) {
+        for (unsigned i = 0; i <= cap_last_cap(); i++) {
                if (set == 0)
                        break;
@ -140,7 +137,7 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
                        return -errno;
        }
-        for (i = 0; i <= cap_last_cap(); i++) {
+        for (unsigned i = 0; i <= cap_last_cap(); i++) {
                if (set & (UINT64_C(1) << i)) {
@ -167,7 +164,6 @@ int capability_ambient_set_apply(uint64_t set, bool also_inherit) {
 int capability_bounding_set_drop(uint64_t keep, bool right_now) {
        _cleanup_cap_free_ cap_t before_cap = NULL, after_cap = NULL;
        cap_flag_value_t fv;
        unsigned long i;
        int r;
        /* If we are run as PID 1 we will lack CAP_SETPCAP by default
@ -204,7 +200,7 @@ int capability_bounding_set_drop(uint64_t keep, bool right_now) {
        if (!after_cap)
                return -errno;
-        for (i = 0; i <= cap_last_cap(); i++) {
+        for (unsigned i = 0; i <= cap_last_cap(); i++) {
                cap_value_t v;
                if ((keep & (UINT64_C(1) << i)))
@ -390,7 +386,6 @@ bool ambient_capabilities_supported(void) {
 }
 bool capability_quintet_mangle(CapabilityQuintet *q) {
        unsigned long i;
        uint64_t combined, drop = 0;
        bool ambient_supported;
@ -402,7 +397,7 @@ bool capability_quintet_mangle(CapabilityQuintet *q) {
        if (ambient_supported)
                combined |= q->ambient;
-        for (i = 0; i <= cap_last_cap(); i++) {
+        for (unsigned i = 0; i <= cap_last_cap(); i++) {
                unsigned long bit = UINT64_C(1) << i;
                if (!FLAGS_SET(combined, bit))
                        continue;
@ -431,16 +426,15 @@ int capability_quintet_enforce(const CapabilityQuintet *q) {
        int r;
        if (q->ambient != (uint64_t) -1) {
                unsigned long i;
                bool changed = false;
                c = cap_get_proc();
                if (!c)
                        return -errno;
-                /* In order to raise the ambient caps set we first need to raise the matching inheritable + permitted
+                /* In order to raise the ambient caps set we first need to raise the matching
-                 * cap */
+                 * inheritable + permitted cap */
-                for (i = 0; i <= cap_last_cap(); i++) {
+                for (unsigned i = 0; i <= cap_last_cap(); i++) {
                        uint64_t m = UINT64_C(1) << i;
                        cap_value_t cv = (cap_value_t) i;
                        cap_flag_value_t old_value_inheritable, old_value_permitted;
@ -475,7 +469,6 @@ int capability_quintet_enforce(const CapabilityQuintet *q) {
        if (q->inheritable != (uint64_t) -1 || q->permitted != (uint64_t) -1 || q->effective != (uint64_t) -1) {
                bool changed = false;
                unsigned long i;
                if (!c) {
                        c = cap_get_proc();
@ -483,7 +476,7 @@ int capability_quintet_enforce(const CapabilityQuintet *q) {
                                return -errno;
                }
-                for (i = 0; i <= cap_last_cap(); i++) {
+                for (unsigned i = 0; i <= cap_last_cap(); i++) {
                        uint64_t m = UINT64_C(1) << i;
                        cap_value_t cv = (cap_value_t) i;
--- a/src/basic/capability-util.h
+++ b/src/basic/capability-util.h
@ -12,7 +12,7 @@
 #define CAP_ALL (uint64_t) -1
-unsigned long cap_last_cap(void);
+unsigned cap_last_cap(void);
 int have_effective_cap(int value);
 int capability_bounding_set_drop(uint64_t keep, bool right_now);
 int capability_bounding_set_drop_usermode(uint64_t keep);
--- a/src/basic/label.c
+++ b/src/basic/label.c
@ -45,6 +45,26 @@ int symlink_label(const char *old_path, const char *new_path) {
        return mac_smack_fix(new_path, 0);
 }
 int mknod_label(const char *pathname, mode_t mode, dev_t dev) {
        int r;
        assert(pathname);
        r = mac_selinux_create_file_prepare(pathname, mode);
        if (r < 0)
                return r;
        if (mknod(pathname, mode, dev) < 0)
                r = -errno;
        mac_selinux_create_file_clear();
        if (r < 0)
                return r;
        return mac_smack_fix(pathname, 0);
 }
 int btrfs_subvol_make_label(const char *path) {
        int r;
--- a/src/basic/label.h
+++ b/src/basic/label.h
@ -17,5 +17,6 @@ static inline int label_fix(const char *path, LabelFixFlags flags) {
 int mkdir_label(const char *path, mode_t mode);
 int mkdirat_label(int dirfd, const char *path, mode_t mode);
 int symlink_label(const char *old_path, const char *new_path);
 int mknod_label(const char *pathname, mode_t mode, dev_t dev);
 int btrfs_subvol_make_label(const char *path);
--- a/src/core/namespace.c
+++ b/src/core/namespace.c
@ -860,15 +860,23 @@ static int mount_procfs(const MountEntry *m) {
 }
 static int mount_tmpfs(const MountEntry *m) {
        int r;
        const char *entry_path = mount_entry_path(m);
        const char *source_path = m->path_const;
        assert(m);
        /* First, get rid of everything that is below if there is anything. Then, overmount with our new tmpfs */
-        (void) mkdir_p_label(mount_entry_path(m), 0755);
+        (void) mkdir_p_label(entry_path, 0755);
-        (void) umount_recursive(mount_entry_path(m), 0);
+        (void) umount_recursive(entry_path, 0);
-        if (mount("tmpfs", mount_entry_path(m), "tmpfs", m->flags, mount_entry_options(m)) < 0)
+        if (mount("tmpfs", entry_path, "tmpfs", m->flags, mount_entry_options(m)) < 0)
-                return log_debug_errno(errno, "Failed to mount %s: %m", mount_entry_path(m));
+                return log_debug_errno(errno, "Failed to mount %s: %m", entry_path);
        r = label_fix_container(entry_path, source_path, 0);
        if (r < 0)
                return log_error_errno(r, "Failed to fix label of '%s' as '%s': %m", entry_path, source_path);
        return 1;
 }
--- a/src/libsystemd/sd-bus/bus-creds.c
+++ b/src/libsystemd/sd-bus/bus-creds.c
@ -650,16 +650,15 @@ _public_ int sd_bus_creds_get_description(sd_bus_creds *c, const char **ret) {
 }
 static int has_cap(sd_bus_creds *c, size_t offset, int capability) {
        unsigned long lc;
        size_t sz;
        assert(c);
        assert(capability >= 0);
        assert(c->capability);
-        lc = cap_last_cap();
+        unsigned lc = cap_last_cap();
-        if ((unsigned long) capability > lc)
+        if ((unsigned) capability > lc)
                return 0;
        /* If the last cap is 63, then there are 64 caps defined, and we need 2 entries á 32bit hence. *
--- a/src/shared/dev-setup.c
+++ b/src/shared/dev-setup.c
@ -103,9 +103,9 @@ int make_inaccessible_nodes(
                        return log_oom();
                if (S_ISDIR(table[i].mode))
-                        r = mkdir(path, table[i].mode & 07777);
+                        r = mkdir_label(path, table[i].mode & 07777);
                else
-                        r = mknod(path, table[i].mode, makedev(0, 0));
+                        r = mknod_label(path, table[i].mode, makedev(0, 0));
                if (r < 0) {
                        if (errno != EEXIST)
                                log_debug_errno(errno, "Failed to create '%s', ignoring: %m", path);
--- a/src/test/test-cap-list.c
+++ b/src/test/test-cap-list.c
@ -12,12 +12,10 @@
 /* verify the capability parser */
 static void test_cap_list(void) {
        int i;
        assert_se(!capability_to_name(-1));
        assert_se(!capability_to_name(capability_list_length()));
-        for (i = 0; i < capability_list_length(); i++) {
+        for (int i = 0; i < capability_list_length(); i++) {
                const char *n;
                assert_se(n = capability_to_name(i));
@ -31,9 +29,11 @@ static void test_cap_list(void) {
        assert_se(capability_from_name("cAp_aUdIt_rEAd") == CAP_AUDIT_READ);
        assert_se(capability_from_name("0") == 0);
        assert_se(capability_from_name("15") == 15);
        assert_se(capability_from_name("63") == 63);
        assert_se(capability_from_name("64") == -EINVAL);
        assert_se(capability_from_name("-1") == -EINVAL);
-        for (i = 0; i < capability_list_length(); i++) {
+        for (int i = 0; i < capability_list_length(); i++) {
                _cleanup_cap_free_charp_ char *a = NULL;
                const char *b;
                unsigned u;
@ -65,7 +65,7 @@ static void test_capability_set_one(uint64_t c, const char *t) {
        free(t1);
        assert_se(t1 = strjoin("'cap_chown cap_dac_override' \"cap_setgid cap_setuid\"", t,
-                               " hogehoge foobar 12345 3.14 -3 ", t));
+                               " hogehoge foobar 18446744073709551616 3.14 -3 ", t));
        assert_se(capability_set_from_string(t1, &c1) == 0);
        assert_se(c1 == c_masked);
 }
--- a/src/test/test-capability.c
+++ b/src/test/test-capability.c
@ -243,7 +243,7 @@ static void test_ensure_cap_64bit(void) {
        assert_se(p <= 63);
        /* Also check for the header definition */
-        assert_se(CAP_LAST_CAP <= 63);
+        assert_cc(CAP_LAST_CAP <= 63);
 }
 int main(int argc, char *argv[]) {
Author	SHA1	Message	Date
Zbigniew Jędrzejewski-Szmek	b159831b61	Merge pull request #16424 from keszybz/cap-bpf-compat Handle new capabilities gracefully	2020-07-11 13:35:34 +02:00
Zbigniew Jędrzejewski-Szmek	b0ff0eaa01	Merge pull request #16426 from cgzones/run_user_label selinux: create standard user-runtime nodes with default context	2020-07-11 13:32:00 +02:00
Anita Zhang	675fa6ea28	man: fix some manvolnum	2020-07-11 13:26:52 +02:00
Christian Göttsche	abad72be4d	namespace: fix MAC labels of TemporaryFileSystem= Reproducible with: systemd-run -p TemporaryFileSystem=/root -t /bin/bash ls -dZ /root Prior: root:object_r:tmpfs_t:s0 /root Past: root:object_r:user_home_dir_t:s0 /root	2020-07-11 00:09:05 +02:00
Christian Göttsche	8d9cbd809d	selinux: create standard user-runtime nodes with default context Currently systemd-user-runtime-dir does not create the files in /run/user/$UID/systemd/inaccessible with the default SELinux label. The user and role part of these labels should be based on the user related to $UID and not based on the process context of systemd-user-runtime-dir. Since v246-rc1 (`9664be199a`) /run/user/$UID/systemd is also created by systemd-user-runtime-dir and should also be created with the default SELinux context.	2020-07-10 21:55:13 +02:00
Christian Göttsche	7a3e4dc38b	basic: add helper function mknod_label()	2020-07-10 21:55:13 +02:00
Zbigniew Jędrzejewski-Szmek	5700780389	basic/cap-list: reduce scope of variables	2020-07-10 16:55:24 +02:00
Zbigniew Jędrzejewski-Szmek	864a25d99b	basic/capability-util: let cap_last_cap() return unsigned integer We never return anything higher than 63, so using "long unsigned" as the type only confused the reader. (We can still use "long unsigned" and safe_atolu() to parse the kernel file.)	2020-07-10 16:55:24 +02:00
Zbigniew Jędrzejewski-Szmek	417770f303	basic/cap-list: parse/print numerical capabilities We would refuse to print capabilities which were didn't have a name for. The kernel adds new capabilities from time to time, most recently cap_bpf. 'systmectl show -p CapabilityBoundingSet ...' would fail with "Failed to parse bus message: Invalid argument" because capability_set_to_string_alloc() would fail with -EINVAL. So let's print such capabilities in hexadecimal: CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin cap_net_raw cap_ipc_lock cap_ipc_owner 0x10 0x11 0x12 0x13 0x14 0x15 0x16 0x17 0x18 0x19 0x1a ... For symmetry, also allow capabilities that we don't know to be specified. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1853736.	2020-07-10 16:55:24 +02:00