Compare commits
8 Commits
788a51d15b
...
d4ba26d61d
Author | SHA1 | Date |
---|---|---|
Lennart Poettering | d4ba26d61d | |
Yu Watanabe | 5261c521e3 | |
Franck Bui | 514d9e1665 | |
Lennart Poettering | b480a4c15e | |
Lennart Poettering | af3baf174a | |
Lennart Poettering | 6fc93d269b | |
Lennart Poettering | 1487b7407d | |
Lennart Poettering | de9d4db272 |
25
TODO
25
TODO
|
@ -129,6 +129,10 @@ Deprecations and removals:
|
||||||
|
|
||||||
Features:
|
Features:
|
||||||
|
|
||||||
|
* format-table: introduce new cell type for strings with ansi sequences in
|
||||||
|
them. display them in regular output mode (via strip_tab_ansi()), but
|
||||||
|
suppress them in json mode.
|
||||||
|
|
||||||
* machined: when registering a machine, also take a relative cgroup path,
|
* machined: when registering a machine, also take a relative cgroup path,
|
||||||
relative to the machine's unit. This is useful when registering unpriv
|
relative to the machine's unit. This is useful when registering unpriv
|
||||||
machines, as they might sit down the cgroup tree, below a cgroup delegation
|
machines, as they might sit down the cgroup tree, below a cgroup delegation
|
||||||
|
@ -217,12 +221,8 @@ Features:
|
||||||
services where mount propagation from the root fs is off, an still have
|
services where mount propagation from the root fs is off, an still have
|
||||||
confext/sysext propagated in.
|
confext/sysext propagated in.
|
||||||
|
|
||||||
* support F_DUDFD_QUERY for comparing fds in same_fd (requires kernel 6.10)
|
|
||||||
|
|
||||||
* generic interface for varlink for setting log level and stuff that all our daemons can implement
|
* generic interface for varlink for setting log level and stuff that all our daemons can implement
|
||||||
|
|
||||||
* use pty ioctl to get peer wherever possible (TIOCGPTPEER)
|
|
||||||
|
|
||||||
* maybe teach repart.d/ dropins a new setting MakeMountNodes= or so, which is
|
* maybe teach repart.d/ dropins a new setting MakeMountNodes= or so, which is
|
||||||
just like MakeDirectories=, but uses an access mode of 0000 and sets the +i
|
just like MakeDirectories=, but uses an access mode of 0000 and sets the +i
|
||||||
chattr bit. This is useful as protection against early uses of /var/ or /tmp/
|
chattr bit. This is useful as protection against early uses of /var/ or /tmp/
|
||||||
|
@ -253,8 +253,6 @@ Features:
|
||||||
* initrd: when transitioning from initrd to host, validate that
|
* initrd: when transitioning from initrd to host, validate that
|
||||||
/lib/modules/`uname -r` exists, refuse otherwise
|
/lib/modules/`uname -r` exists, refuse otherwise
|
||||||
|
|
||||||
* tmpfiles: add "owning" flag for lines that limits effect of --purge
|
|
||||||
|
|
||||||
* signed bpf loading: to address need for signature verification for bpf
|
* signed bpf loading: to address need for signature verification for bpf
|
||||||
programs when they are loaded, and given the bpf folks don't think this is
|
programs when they are loaded, and given the bpf folks don't think this is
|
||||||
realistic in kernel space, maybe add small daemon that facilitates this
|
realistic in kernel space, maybe add small daemon that facilitates this
|
||||||
|
@ -458,9 +456,6 @@ Features:
|
||||||
* introduce mntid_t, and make it 64bit, as apparently the kernel switched to
|
* introduce mntid_t, and make it 64bit, as apparently the kernel switched to
|
||||||
64bit mount ids
|
64bit mount ids
|
||||||
|
|
||||||
* use udev rule networkd ownership property to take ownership of network
|
|
||||||
interfaces nspawn creates
|
|
||||||
|
|
||||||
* mountfsd/nsresourced
|
* mountfsd/nsresourced
|
||||||
- userdb: maybe allow callers to map one uid to their own uid
|
- userdb: maybe allow callers to map one uid to their own uid
|
||||||
- bpflsm: allow writes if resulting UID on disk would be userns' owner UID
|
- bpflsm: allow writes if resulting UID on disk would be userns' owner UID
|
||||||
|
@ -647,6 +642,7 @@ Features:
|
||||||
- openpt_allocate_in_namespace()
|
- openpt_allocate_in_namespace()
|
||||||
- unit_attach_pid_to_cgroup_via_bus()
|
- unit_attach_pid_to_cgroup_via_bus()
|
||||||
- cg_attach() – requires new kernel feature
|
- cg_attach() – requires new kernel feature
|
||||||
|
- journald's process cache
|
||||||
|
|
||||||
* ddi must be listed as block device fstype
|
* ddi must be listed as block device fstype
|
||||||
|
|
||||||
|
@ -1470,9 +1466,6 @@ Features:
|
||||||
|
|
||||||
* in sd-id128: also parse UUIDs in RFC4122 URN syntax (i.e. chop off urn:uuid: prefix)
|
* in sd-id128: also parse UUIDs in RFC4122 URN syntax (i.e. chop off urn:uuid: prefix)
|
||||||
|
|
||||||
* DynamicUser= + StateDirectory= → use uid mapping mounts, too, in order to
|
|
||||||
make dirs appear under right UID.
|
|
||||||
|
|
||||||
* systemd-sysext: optionally, run it in initrd already, before transitioning
|
* systemd-sysext: optionally, run it in initrd already, before transitioning
|
||||||
into host, to open up possibility for services shipped like that.
|
into host, to open up possibility for services shipped like that.
|
||||||
|
|
||||||
|
@ -1644,14 +1637,6 @@ Features:
|
||||||
|
|
||||||
* maybe add kernel cmdline params: to force random seed crediting
|
* maybe add kernel cmdline params: to force random seed crediting
|
||||||
|
|
||||||
* introduce a new per-process uuid, similar to the boot id, the machine id, the
|
|
||||||
invocation id, that is derived from process creds, specifically a hashed
|
|
||||||
combination of AT_RANDOM + getpid() + the starttime from
|
|
||||||
/proc/self/status. Then add these ids implicitly when logging. Deriving this
|
|
||||||
uuid from these three things has the benefit that it can be derived easily
|
|
||||||
from /proc/$PID/ in a stable, and unique way that changes on both fork() and
|
|
||||||
exec().
|
|
||||||
|
|
||||||
* let's not GC a unit while its ratelimits are still pending
|
* let's not GC a unit while its ratelimits are still pending
|
||||||
|
|
||||||
* when killing due to service watchdog timeout maybe detect whether target
|
* when killing due to service watchdog timeout maybe detect whether target
|
||||||
|
|
|
@ -15,27 +15,42 @@
|
||||||
#include "parse-util.h"
|
#include "parse-util.h"
|
||||||
#include "process-util.h"
|
#include "process-util.h"
|
||||||
#include "socket-util.h"
|
#include "socket-util.h"
|
||||||
|
#include "stat-util.h"
|
||||||
#include "user-util.h"
|
#include "user-util.h"
|
||||||
|
#include "virt.h"
|
||||||
|
|
||||||
int audit_session_from_pid(pid_t pid, uint32_t *id) {
|
int audit_session_from_pid(const PidRef *pid, uint32_t *ret_id) {
|
||||||
_cleanup_free_ char *s = NULL;
|
|
||||||
const char *p;
|
|
||||||
uint32_t u;
|
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
assert(id);
|
if (!pidref_is_set(pid))
|
||||||
|
return -ESRCH;
|
||||||
|
|
||||||
/* We don't convert ENOENT to ESRCH here, since we can't
|
/* Auditing is currently not virtualized for containers. Let's hence not use the audit session ID
|
||||||
* really distinguish between "audit is not available in the
|
* from now, it will be leaked in from the host */
|
||||||
* kernel" and "the process does not exist", both which will
|
if (detect_container() > 0)
|
||||||
* result in ENOENT. */
|
return -ENODATA;
|
||||||
|
|
||||||
p = procfs_file_alloca(pid, "sessionid");
|
const char *p = procfs_file_alloca(pid->pid, "sessionid");
|
||||||
|
|
||||||
r = read_one_line_file(p, &s);
|
_cleanup_free_ char *s = NULL;
|
||||||
|
bool enoent = false;
|
||||||
|
r = read_virtual_file(p, SIZE_MAX, &s, /* ret_size= */ NULL);
|
||||||
|
if (r == -ENOENT) {
|
||||||
|
if (proc_mounted() == 0)
|
||||||
|
return -ENOSYS;
|
||||||
|
enoent = true;
|
||||||
|
} else if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
r = pidref_verify(pid);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
if (enoent) /* We got ENOENT, but /proc/ was mounted and the PID still valid? In that case it appears
|
||||||
|
* auditing is not supported by the kernel. */
|
||||||
|
return -ENODATA;
|
||||||
|
|
||||||
|
uint32_t u;
|
||||||
r = safe_atou32(s, &u);
|
r = safe_atou32(s, &u);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
@ -43,31 +58,53 @@ int audit_session_from_pid(pid_t pid, uint32_t *id) {
|
||||||
if (!audit_session_is_valid(u))
|
if (!audit_session_is_valid(u))
|
||||||
return -ENODATA;
|
return -ENODATA;
|
||||||
|
|
||||||
*id = u;
|
if (ret_id)
|
||||||
|
*ret_id = u;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int audit_loginuid_from_pid(pid_t pid, uid_t *uid) {
|
int audit_loginuid_from_pid(const PidRef *pid, uid_t *ret_uid) {
|
||||||
_cleanup_free_ char *s = NULL;
|
|
||||||
const char *p;
|
|
||||||
uid_t u;
|
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
assert(uid);
|
if (!pidref_is_set(pid))
|
||||||
|
return -ESRCH;
|
||||||
|
|
||||||
p = procfs_file_alloca(pid, "loginuid");
|
/* Auditing is currently not virtualized for containers. Let's hence not use the audit session ID
|
||||||
|
* from now, it will be leaked in from the host */
|
||||||
|
if (detect_container() > 0)
|
||||||
|
return -ENODATA;
|
||||||
|
|
||||||
r = read_one_line_file(p, &s);
|
const char *p = procfs_file_alloca(pid->pid, "loginuid");
|
||||||
|
|
||||||
|
_cleanup_free_ char *s = NULL;
|
||||||
|
bool enoent = false;
|
||||||
|
r = read_virtual_file(p, SIZE_MAX, &s, /* ret_size= */ NULL);
|
||||||
|
if (r == -ENOENT) {
|
||||||
|
if (proc_mounted() == 0)
|
||||||
|
return -ENOSYS;
|
||||||
|
enoent = true;
|
||||||
|
} else if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
r = pidref_verify(pid);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
if (enoent) /* We got ENOENT, but /proc/ was mounted and the PID still valid? In that case it appears
|
||||||
|
* auditing is not supported by the kernel. */
|
||||||
|
return -ENODATA;
|
||||||
|
|
||||||
|
uid_t u;
|
||||||
r = parse_uid(s, &u);
|
r = parse_uid(s, &u);
|
||||||
if (r == -ENXIO) /* the UID was -1 */
|
if (r == -ENXIO) /* the UID was -1 */
|
||||||
return -ENODATA;
|
return -ENODATA;
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
*uid = u;
|
if (ret_uid)
|
||||||
|
*ret_uid = u;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -113,22 +150,24 @@ bool use_audit(void) {
|
||||||
static int cached_use = -1;
|
static int cached_use = -1;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
if (cached_use < 0) {
|
if (cached_use >= 0)
|
||||||
int fd;
|
return cached_use;
|
||||||
|
|
||||||
fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
|
_cleanup_close_ int fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
|
||||||
if (fd < 0) {
|
if (fd < 0) {
|
||||||
cached_use = !IN_SET(errno, EAFNOSUPPORT, EPROTONOSUPPORT, EPERM);
|
cached_use = !ERRNO_IS_PRIVILEGE(errno) && !ERRNO_IS_NOT_SUPPORTED(errno);
|
||||||
if (!cached_use)
|
if (cached_use)
|
||||||
log_debug_errno(errno, "Won't talk to audit: %m");
|
log_debug_errno(errno, "Unexpected error while creating audit socket, proceeding with its use: %m");
|
||||||
|
else
|
||||||
|
log_debug_errno(errno, "Won't talk to audit, because feature or privilege absent: %m");
|
||||||
} else {
|
} else {
|
||||||
/* If we try and use the audit fd but get -ECONNREFUSED, it is because
|
/* If we try and use the audit fd but get -ECONNREFUSED, it is because we are not in the
|
||||||
* we are not in the initial user namespace, and the kernel does not
|
* initial user namespace, and the kernel does not have support for audit outside of the
|
||||||
* have support for audit outside of the initial user namespace
|
* initial user namespace (see
|
||||||
* (see https://elixir.bootlin.com/linux/latest/C/ident/audit_netlink_ok).
|
* https://elixir.bootlin.com/linux/latest/C/ident/audit_netlink_ok).
|
||||||
*
|
*
|
||||||
* If we receive any other error, do not disable audit because we are not
|
* If we receive any other error, do not disable audit because we are not sure that the error
|
||||||
* sure that the error indicates that audit will not work in general. */
|
* indicates that audit will not work in general. */
|
||||||
r = try_audit_request(fd);
|
r = try_audit_request(fd);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
cached_use = r != -ECONNREFUSED;
|
cached_use = r != -ECONNREFUSED;
|
||||||
|
@ -137,9 +176,6 @@ bool use_audit(void) {
|
||||||
"Won't talk to audit: %m");
|
"Won't talk to audit: %m");
|
||||||
} else
|
} else
|
||||||
cached_use = true;
|
cached_use = true;
|
||||||
|
|
||||||
safe_close(fd);
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
return cached_use;
|
return cached_use;
|
||||||
|
|
|
@ -5,10 +5,12 @@
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
|
#include "pidref.h"
|
||||||
|
|
||||||
#define AUDIT_SESSION_INVALID UINT32_MAX
|
#define AUDIT_SESSION_INVALID UINT32_MAX
|
||||||
|
|
||||||
int audit_session_from_pid(pid_t pid, uint32_t *id);
|
int audit_session_from_pid(const PidRef *pid, uint32_t *id);
|
||||||
int audit_loginuid_from_pid(pid_t pid, uid_t *uid);
|
int audit_loginuid_from_pid(const PidRef *pid, uid_t *uid);
|
||||||
|
|
||||||
bool use_audit(void);
|
bool use_audit(void);
|
||||||
|
|
||||||
|
|
|
@ -1131,6 +1131,8 @@ int xopenat_full(int dir_fd, const char *path, int open_flags, XOpenFlags xopen_
|
||||||
* • If O_CREAT is used with XO_LABEL, any created file will be immediately relabelled.
|
* • If O_CREAT is used with XO_LABEL, any created file will be immediately relabelled.
|
||||||
*
|
*
|
||||||
* • If the path is specified NULL or empty, behaves like fd_reopen().
|
* • If the path is specified NULL or empty, behaves like fd_reopen().
|
||||||
|
*
|
||||||
|
* • If XO_NOCOW is specified will turn on the NOCOW btrfs flag on the file, if available.
|
||||||
*/
|
*/
|
||||||
|
|
||||||
if (isempty(path)) {
|
if (isempty(path)) {
|
||||||
|
|
|
@ -1815,6 +1815,9 @@ int namespace_fork(
|
||||||
int set_oom_score_adjust(int value) {
|
int set_oom_score_adjust(int value) {
|
||||||
char t[DECIMAL_STR_MAX(int)];
|
char t[DECIMAL_STR_MAX(int)];
|
||||||
|
|
||||||
|
if (!oom_score_adjust_is_valid(value))
|
||||||
|
return -EINVAL;
|
||||||
|
|
||||||
xsprintf(t, "%i", value);
|
xsprintf(t, "%i", value);
|
||||||
|
|
||||||
return write_string_file("/proc/self/oom_score_adj", t,
|
return write_string_file("/proc/self/oom_score_adj", t,
|
||||||
|
@ -1831,11 +1834,16 @@ int get_oom_score_adjust(int *ret) {
|
||||||
|
|
||||||
delete_trailing_chars(t, WHITESPACE);
|
delete_trailing_chars(t, WHITESPACE);
|
||||||
|
|
||||||
assert_se(safe_atoi(t, &a) >= 0);
|
r = safe_atoi(t, &a);
|
||||||
assert_se(oom_score_adjust_is_valid(a));
|
if (r < 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
|
if (!oom_score_adjust_is_valid(a))
|
||||||
|
return -ENODATA;
|
||||||
|
|
||||||
if (ret)
|
if (ret)
|
||||||
*ret = a;
|
*ret = a;
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -526,8 +526,8 @@ static void client_context_really_refresh(
|
||||||
client_context_read_basic(c);
|
client_context_read_basic(c);
|
||||||
(void) client_context_read_label(c, label, label_size);
|
(void) client_context_read_label(c, label, label_size);
|
||||||
|
|
||||||
(void) audit_session_from_pid(c->pid, &c->auditid);
|
(void) audit_session_from_pid(&PIDREF_MAKE_FROM_PID(c->pid), &c->auditid);
|
||||||
(void) audit_loginuid_from_pid(c->pid, &c->loginuid);
|
(void) audit_loginuid_from_pid(&PIDREF_MAKE_FROM_PID(c->pid), &c->loginuid);
|
||||||
|
|
||||||
(void) client_context_read_cgroup(s, c, unit_id);
|
(void) client_context_read_cgroup(s, c, unit_id);
|
||||||
(void) client_context_read_invocation_id(s, c);
|
(void) client_context_read_invocation_id(s, c);
|
||||||
|
|
|
@ -1118,7 +1118,7 @@ int bus_creds_add_more(sd_bus_creds *c, uint64_t mask, PidRef *pidref, pid_t tid
|
||||||
}
|
}
|
||||||
|
|
||||||
if (missing & SD_BUS_CREDS_AUDIT_SESSION_ID) {
|
if (missing & SD_BUS_CREDS_AUDIT_SESSION_ID) {
|
||||||
r = audit_session_from_pid(pidref->pid, &c->audit_session_id);
|
r = audit_session_from_pid(pidref, &c->audit_session_id);
|
||||||
if (r == -ENODATA) {
|
if (r == -ENODATA) {
|
||||||
/* ENODATA means: no audit session id assigned */
|
/* ENODATA means: no audit session id assigned */
|
||||||
c->audit_session_id = AUDIT_SESSION_INVALID;
|
c->audit_session_id = AUDIT_SESSION_INVALID;
|
||||||
|
@ -1131,7 +1131,7 @@ int bus_creds_add_more(sd_bus_creds *c, uint64_t mask, PidRef *pidref, pid_t tid
|
||||||
}
|
}
|
||||||
|
|
||||||
if (missing & SD_BUS_CREDS_AUDIT_LOGIN_UID) {
|
if (missing & SD_BUS_CREDS_AUDIT_LOGIN_UID) {
|
||||||
r = audit_loginuid_from_pid(pidref->pid, &c->audit_login_uid);
|
r = audit_loginuid_from_pid(pidref, &c->audit_login_uid);
|
||||||
if (r == -ENODATA) {
|
if (r == -ENODATA) {
|
||||||
/* ENODATA means: no audit login uid assigned */
|
/* ENODATA means: no audit login uid assigned */
|
||||||
c->audit_login_uid = UID_INVALID;
|
c->audit_login_uid = UID_INVALID;
|
||||||
|
|
|
@ -1006,7 +1006,7 @@ static int create_session(
|
||||||
"Maximum number of sessions (%" PRIu64 ") reached, refusing further sessions.",
|
"Maximum number of sessions (%" PRIu64 ") reached, refusing further sessions.",
|
||||||
m->sessions_max);
|
m->sessions_max);
|
||||||
|
|
||||||
(void) audit_session_from_pid(leader.pid, &audit_id);
|
(void) audit_session_from_pid(&leader, &audit_id);
|
||||||
if (audit_session_is_valid(audit_id)) {
|
if (audit_session_is_valid(audit_id)) {
|
||||||
/* Keep our session IDs and the audit session IDs in sync */
|
/* Keep our session IDs and the audit session IDs in sync */
|
||||||
|
|
||||||
|
|
|
@ -254,7 +254,7 @@ int session_set_leader_consume(Session *s, PidRef _leader) {
|
||||||
s->leader_fd_saved = true;
|
s->leader_fd_saved = true;
|
||||||
}
|
}
|
||||||
|
|
||||||
(void) audit_session_from_pid(s->leader.pid, &s->audit_id);
|
(void) audit_session_from_pid(&s->leader, &s->audit_id);
|
||||||
|
|
||||||
return 1;
|
return 1;
|
||||||
}
|
}
|
||||||
|
|
|
@ -1808,40 +1808,50 @@ char* umount_and_unlink_and_free(char *p) {
|
||||||
return mfree(p);
|
return mfree(p);
|
||||||
}
|
}
|
||||||
|
|
||||||
static int path_get_mount_info(
|
static int path_get_mount_info_at(
|
||||||
|
int dir_fd,
|
||||||
const char *path,
|
const char *path,
|
||||||
char **ret_fstype,
|
char **ret_fstype,
|
||||||
char **ret_options) {
|
char **ret_options) {
|
||||||
|
|
||||||
_cleanup_(mnt_free_tablep) struct libmnt_table *table = NULL;
|
_cleanup_(mnt_free_tablep) struct libmnt_table *table = NULL;
|
||||||
_cleanup_free_ char *fstype = NULL, *options = NULL;
|
_cleanup_(mnt_free_iterp) struct libmnt_iter *iter = NULL;
|
||||||
struct libmnt_fs *fs;
|
int r, mnt_id;
|
||||||
int r;
|
|
||||||
|
|
||||||
assert(path);
|
assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
|
||||||
|
|
||||||
table = mnt_new_table();
|
r = path_get_mnt_id_at(dir_fd, path, &mnt_id);
|
||||||
if (!table)
|
|
||||||
return -ENOMEM;
|
|
||||||
|
|
||||||
r = mnt_table_parse_mtab(table, /* filename = */ NULL);
|
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return log_debug_errno(r, "Failed to get mount ID: %m");
|
||||||
|
|
||||||
fs = mnt_table_find_mountpoint(table, path, MNT_ITER_FORWARD);
|
r = libmount_parse("/proc/self/mountinfo", NULL, &table, &iter);
|
||||||
if (!fs)
|
if (r < 0)
|
||||||
return -EINVAL;
|
return log_debug_errno(r, "Failed to parse /proc/self/mountinfo: %m");
|
||||||
|
|
||||||
|
for (;;) {
|
||||||
|
struct libmnt_fs *fs;
|
||||||
|
|
||||||
|
r = mnt_table_next_fs(table, iter, &fs);
|
||||||
|
if (r == 1)
|
||||||
|
break; /* EOF */
|
||||||
|
if (r < 0)
|
||||||
|
return log_debug_errno(r, "Failed to get next entry from /proc/self/mountinfo: %m");
|
||||||
|
|
||||||
|
if (mnt_fs_get_id(fs) != mnt_id)
|
||||||
|
continue;
|
||||||
|
|
||||||
|
_cleanup_free_ char *fstype = NULL, *options = NULL;
|
||||||
|
|
||||||
if (ret_fstype) {
|
if (ret_fstype) {
|
||||||
fstype = strdup(strempty(mnt_fs_get_fstype(fs)));
|
fstype = strdup(strempty(mnt_fs_get_fstype(fs)));
|
||||||
if (!fstype)
|
if (!fstype)
|
||||||
return -ENOMEM;
|
return log_oom_debug();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ret_options) {
|
if (ret_options) {
|
||||||
options = strdup(strempty(mnt_fs_get_options(fs)));
|
options = strdup(strempty(mnt_fs_get_options(fs)));
|
||||||
if (!options)
|
if (!options)
|
||||||
return -ENOMEM;
|
return log_oom_debug();
|
||||||
}
|
}
|
||||||
|
|
||||||
if (ret_fstype)
|
if (ret_fstype)
|
||||||
|
@ -1852,19 +1862,27 @@ static int path_get_mount_info(
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
|
||||||
int path_is_network_fs_harder(const char *path) {
|
return log_debug_errno(SYNTHETIC_ERRNO(ESTALE), "Cannot find mount ID %i from /proc/self/mountinfo.", mnt_id);
|
||||||
|
}
|
||||||
|
|
||||||
|
int path_is_network_fs_harder_at(int dir_fd, const char *path) {
|
||||||
|
_cleanup_close_ int fd = -EBADF;
|
||||||
|
int r;
|
||||||
|
|
||||||
|
assert(dir_fd >= 0 || dir_fd == AT_FDCWD);
|
||||||
|
|
||||||
|
fd = xopenat(dir_fd, path, O_PATH | O_CLOEXEC | O_NOFOLLOW);
|
||||||
|
if (fd < 0)
|
||||||
|
return fd;
|
||||||
|
|
||||||
|
r = fd_is_network_fs(fd);
|
||||||
|
if (r != 0)
|
||||||
|
return r;
|
||||||
|
|
||||||
_cleanup_free_ char *fstype = NULL, *options = NULL;
|
_cleanup_free_ char *fstype = NULL, *options = NULL;
|
||||||
int r, ret;
|
r = path_get_mount_info_at(fd, /* path = */ NULL, &fstype, &options);
|
||||||
|
|
||||||
assert(path);
|
|
||||||
|
|
||||||
ret = path_is_network_fs(path);
|
|
||||||
if (ret > 0)
|
|
||||||
return true;
|
|
||||||
|
|
||||||
r = path_get_mount_info(path, &fstype, &options);
|
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return RET_GATHER(ret, r);
|
return r;
|
||||||
|
|
||||||
if (fstype_is_network(fstype))
|
if (fstype_is_network(fstype))
|
||||||
return true;
|
return true;
|
||||||
|
|
|
@ -181,4 +181,7 @@ int mount_credentials_fs(const char *path, size_t size, bool ro);
|
||||||
|
|
||||||
int make_fsmount(int error_log_level, const char *what, const char *type, unsigned long flags, const char *options, int userns_fd);
|
int make_fsmount(int error_log_level, const char *what, const char *type, unsigned long flags, const char *options, int userns_fd);
|
||||||
|
|
||||||
int path_is_network_fs_harder(const char *path);
|
int path_is_network_fs_harder_at(int dir_fd, const char *path);
|
||||||
|
static inline int path_is_network_fs_harder(const char *path) {
|
||||||
|
return path_is_network_fs_harder_at(AT_FDCWD, path);
|
||||||
|
}
|
||||||
|
|
|
@ -46,6 +46,7 @@ simple_tests += files(
|
||||||
'test-alloc-util.c',
|
'test-alloc-util.c',
|
||||||
'test-architecture.c',
|
'test-architecture.c',
|
||||||
'test-argv-util.c',
|
'test-argv-util.c',
|
||||||
|
'test-audit-util.c',
|
||||||
'test-barrier.c',
|
'test-barrier.c',
|
||||||
'test-bitfield.c',
|
'test-bitfield.c',
|
||||||
'test-bitmap.c',
|
'test-bitmap.c',
|
||||||
|
|
|
@ -0,0 +1,35 @@
|
||||||
|
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||||
|
|
||||||
|
#include "audit-util.h"
|
||||||
|
#include "tests.h"
|
||||||
|
|
||||||
|
TEST(audit_loginuid_from_pid) {
|
||||||
|
_cleanup_(pidref_done) PidRef self = PIDREF_NULL, pid1 = PIDREF_NULL;
|
||||||
|
int r;
|
||||||
|
|
||||||
|
assert_se(pidref_set_self(&self) >= 0);
|
||||||
|
assert_se(pidref_set_pid(&pid1, 1) >= 0);
|
||||||
|
|
||||||
|
uid_t uid;
|
||||||
|
r = audit_loginuid_from_pid(&self, &uid);
|
||||||
|
assert_se(r >= 0 || r == -ENODATA);
|
||||||
|
if (r >= 0)
|
||||||
|
log_info("self audit login uid: " UID_FMT, uid);
|
||||||
|
|
||||||
|
assert_se(audit_loginuid_from_pid(&pid1, &uid) == -ENODATA);
|
||||||
|
|
||||||
|
uint32_t sessionid;
|
||||||
|
r = audit_session_from_pid(&self, &sessionid);
|
||||||
|
assert_se(r >= 0 || r == -ENODATA);
|
||||||
|
if (r >= 0)
|
||||||
|
log_info("self audit session id: %" PRIu32, sessionid);
|
||||||
|
|
||||||
|
assert_se(audit_session_from_pid(&pid1, &sessionid) == -ENODATA);
|
||||||
|
}
|
||||||
|
|
||||||
|
static int intro(void) {
|
||||||
|
log_show_color(true);
|
||||||
|
return EXIT_SUCCESS;
|
||||||
|
}
|
||||||
|
|
||||||
|
DEFINE_TEST_MAIN_WITH_INTRO(LOG_INFO, intro);
|
|
@ -538,9 +538,53 @@ TEST(bind_mount_submounts) {
|
||||||
}
|
}
|
||||||
|
|
||||||
TEST(path_is_network_fs_harder) {
|
TEST(path_is_network_fs_harder) {
|
||||||
ASSERT_OK_ZERO(path_is_network_fs_harder("/dev"));
|
_cleanup_close_ int dir_fd = -EBADF;
|
||||||
ASSERT_OK_ZERO(path_is_network_fs_harder("/sys"));
|
int r;
|
||||||
ASSERT_OK_ZERO(path_is_network_fs_harder("/run"));
|
|
||||||
|
ASSERT_OK(dir_fd = open("/", O_PATH | O_CLOEXEC));
|
||||||
|
FOREACH_STRING(s,
|
||||||
|
"/", "/dev/", "/proc/", "/run/", "/sys/", "/tmp/", "/usr/", "/var/tmp/",
|
||||||
|
"", ".", "../../../", "/this/path/should/not/exist/for/test-mount-util/") {
|
||||||
|
|
||||||
|
r = path_is_network_fs_harder(s);
|
||||||
|
log_debug("path_is_network_fs_harder(%s) → %i: %s", s, r, r < 0 ? STRERROR(r) : yes_no(r));
|
||||||
|
|
||||||
|
const char *q = path_startswith(s, "/") ?: s;
|
||||||
|
r = path_is_network_fs_harder_at(dir_fd, q);
|
||||||
|
log_debug("path_is_network_fs_harder_at(root, %s) → %i: %s", q, r, r < 0 ? STRERROR(r) : yes_no(r));
|
||||||
|
}
|
||||||
|
|
||||||
|
if (geteuid() != 0 || have_effective_cap(CAP_SYS_ADMIN) <= 0) {
|
||||||
|
(void) log_tests_skipped("not running privileged");
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
_cleanup_(rm_rf_physical_and_freep) char *t = NULL;
|
||||||
|
assert_se(mkdtemp_malloc("/tmp/test-mount-util.path_is_network_fs_harder.XXXXXXX", &t) >= 0);
|
||||||
|
|
||||||
|
r = safe_fork("(make_mount-point)",
|
||||||
|
FORK_RESET_SIGNALS |
|
||||||
|
FORK_CLOSE_ALL_FDS |
|
||||||
|
FORK_DEATHSIG_SIGTERM |
|
||||||
|
FORK_WAIT |
|
||||||
|
FORK_REOPEN_LOG |
|
||||||
|
FORK_LOG |
|
||||||
|
FORK_NEW_MOUNTNS |
|
||||||
|
FORK_MOUNTNS_SLAVE,
|
||||||
|
NULL);
|
||||||
|
ASSERT_OK(r);
|
||||||
|
|
||||||
|
if (r == 0) {
|
||||||
|
ASSERT_OK(mount_nofollow_verbose(LOG_INFO, "tmpfs", t, "tmpfs", 0, NULL));
|
||||||
|
ASSERT_OK_ZERO(path_is_network_fs_harder(t));
|
||||||
|
ASSERT_OK_ERRNO(umount(t));
|
||||||
|
|
||||||
|
ASSERT_OK(mount_nofollow_verbose(LOG_INFO, "tmpfs", t, "tmpfs", 0, "x-systemd-growfs,x-systemd-automount"));
|
||||||
|
ASSERT_OK_ZERO(path_is_network_fs_harder(t));
|
||||||
|
ASSERT_OK_ERRNO(umount(t));
|
||||||
|
|
||||||
|
_exit(EXIT_SUCCESS);
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
DEFINE_TEST_MAIN(LOG_DEBUG);
|
DEFINE_TEST_MAIN(LOG_DEBUG);
|
||||||
|
|
|
@ -142,11 +142,13 @@ endif
|
||||||
############################################################
|
############################################################
|
||||||
|
|
||||||
if install_tests
|
if install_tests
|
||||||
foreach script : ['integration-test-setup.sh', 'run-unit-tests.py']
|
install_data('run-unit-tests.py',
|
||||||
install_data(script,
|
|
||||||
install_mode : 'rwxr-xr-x',
|
install_mode : 'rwxr-xr-x',
|
||||||
install_dir : testsdir)
|
install_dir : testsdir)
|
||||||
endforeach
|
|
||||||
|
install_data('integration-test-setup.sh',
|
||||||
|
install_mode : 'rwxr-xr-x',
|
||||||
|
install_dir : testdata_dir)
|
||||||
endif
|
endif
|
||||||
|
|
||||||
############################################################
|
############################################################
|
||||||
|
|
|
@ -7,9 +7,9 @@ Before=getty-pre.target
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
ExecStartPre=rm -f /failed /testok
|
ExecStartPre=rm -f /failed /testok
|
||||||
ExecStartPre=/usr/lib/systemd/tests/integration-test-setup.sh setup
|
ExecStartPre=/usr/lib/systemd/tests/testdata/integration-test-setup.sh setup
|
||||||
ExecStart=@command@
|
ExecStart=@command@
|
||||||
ExecStopPost=/usr/lib/systemd/tests/integration-test-setup.sh finalize
|
ExecStopPost=/usr/lib/systemd/tests/testdata/integration-test-setup.sh finalize
|
||||||
Type=oneshot
|
Type=oneshot
|
||||||
MemoryAccounting=@memory-accounting@
|
MemoryAccounting=@memory-accounting@
|
||||||
StateDirectory=%N
|
StateDirectory=%N
|
||||||
|
|
Loading…
Reference in New Issue