Compare commits
No commits in common. "7be830c6e8cd3852e3468203812445115f5ea183" and "67f5b9e06eabd9bf3037caf354f77fce0117d616" have entirely different histories.
7be830c6e8
...
67f5b9e06e
|
@ -1701,7 +1701,7 @@
|
|||
<varlistentry>
|
||||
<term><varname>PrefixDelegationHint=</varname></term>
|
||||
<listitem>
|
||||
<para>Takes an IPv6 address with prefix length as <varname>Address=</varname> in
|
||||
<para>Takes an IPv6 address with prefix length as <varname>Addresss=</varname> in
|
||||
the "[Network]" section. Specifies the DHCPv6 client for the requesting router to include
|
||||
a prefix-hint in the DHCPv6 solicitation. Prefix ranges 1-128. Defaults to unset.</para>
|
||||
</listitem>
|
||||
|
|
|
@ -274,7 +274,7 @@ static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, c
|
|||
|
||||
#if !HAVE_KCMP
|
||||
static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long idx1, unsigned long idx2) {
|
||||
# if defined __NR_kcmp && __NR_kcmp > 0
|
||||
# ifdef __NR_kcmp
|
||||
return syscall(__NR_kcmp, pid1, pid2, type, idx1, idx2);
|
||||
# else
|
||||
errno = ENOSYS;
|
||||
|
@ -289,7 +289,7 @@ static inline int missing_kcmp(pid_t pid1, pid_t pid2, int type, unsigned long i
|
|||
|
||||
#if !HAVE_KEYCTL
|
||||
static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg3, unsigned long arg4, unsigned long arg5) {
|
||||
# if defined __NR_keyctl && __NR_keyctl > 0
|
||||
# ifdef __NR_keyctl
|
||||
return syscall(__NR_keyctl, cmd, arg2, arg3, arg4, arg5);
|
||||
# else
|
||||
errno = ENOSYS;
|
||||
|
@ -300,7 +300,7 @@ static inline long missing_keyctl(int cmd, unsigned long arg2, unsigned long arg
|
|||
}
|
||||
|
||||
static inline key_serial_t missing_add_key(const char *type, const char *description, const void *payload, size_t plen, key_serial_t ringid) {
|
||||
# if defined __NR_add_key && __NR_add_key > 0
|
||||
# ifdef __NR_add_key
|
||||
return syscall(__NR_add_key, type, description, payload, plen, ringid);
|
||||
# else
|
||||
errno = ENOSYS;
|
||||
|
@ -311,7 +311,7 @@ static inline key_serial_t missing_add_key(const char *type, const char *descrip
|
|||
}
|
||||
|
||||
static inline key_serial_t missing_request_key(const char *type, const char *description, const char * callout_info, key_serial_t destringid) {
|
||||
# if defined __NR_request_key && __NR_request_key > 0
|
||||
# ifdef __NR_request_key
|
||||
return syscall(__NR_request_key, type, description, callout_info, destringid);
|
||||
# else
|
||||
errno = ENOSYS;
|
||||
|
@ -496,7 +496,7 @@ enum {
|
|||
static inline long missing_set_mempolicy(int mode, const unsigned long *nodemask,
|
||||
unsigned long maxnode) {
|
||||
long i;
|
||||
# if defined __NR_set_mempolicy && __NR_set_mempolicy > 0
|
||||
# ifdef __NR_set_mempolicy
|
||||
i = syscall(__NR_set_mempolicy, mode, nodemask, maxnode);
|
||||
# else
|
||||
errno = ENOSYS;
|
||||
|
|
|
@ -3770,7 +3770,6 @@ static int merge_settings(Settings *settings, const char *path) {
|
|||
|
||||
if ((arg_settings_mask & SETTING_CAPABILITY) == 0) {
|
||||
uint64_t plus, minus;
|
||||
uint64_t network_minus = 0;
|
||||
|
||||
/* Note that we copy both the simple plus/minus caps here, and the full quintet from the
|
||||
* Settings structure */
|
||||
|
@ -3782,16 +3781,14 @@ static int merge_settings(Settings *settings, const char *path) {
|
|||
if (settings_private_network(settings))
|
||||
plus |= UINT64_C(1) << CAP_NET_ADMIN;
|
||||
else
|
||||
network_minus |= UINT64_C(1) << CAP_NET_ADMIN;
|
||||
minus |= UINT64_C(1) << CAP_NET_ADMIN;
|
||||
}
|
||||
|
||||
if (!arg_settings_trusted && plus != 0) {
|
||||
if (settings->capability != 0)
|
||||
log_warning("Ignoring Capability= setting, file %s is not trusted.", path);
|
||||
} else {
|
||||
arg_caps_retain &= ~network_minus;
|
||||
} else
|
||||
arg_caps_retain |= plus;
|
||||
}
|
||||
|
||||
arg_caps_retain &= ~minus;
|
||||
|
||||
|
|
|
@ -411,8 +411,7 @@ int bus_verify_polkit_async(
|
|||
e = sd_bus_message_get_error(q->reply);
|
||||
|
||||
/* Treat no PK available as access denied */
|
||||
if (sd_bus_error_has_name(e, SD_BUS_ERROR_SERVICE_UNKNOWN) ||
|
||||
sd_bus_error_has_name(e, SD_BUS_ERROR_NAME_HAS_NO_OWNER))
|
||||
if (sd_bus_error_has_name(e, SD_BUS_ERROR_SERVICE_UNKNOWN))
|
||||
return -EACCES;
|
||||
|
||||
/* Copy error from polkit reply */
|
||||
|
@ -423,6 +422,7 @@ int bus_verify_polkit_async(
|
|||
r = sd_bus_message_enter_container(q->reply, 'r', "bba{ss}");
|
||||
if (r >= 0)
|
||||
r = sd_bus_message_read(q->reply, "bb", &authorized, &challenge);
|
||||
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
|
|
|
@ -28,8 +28,7 @@
|
|||
#include "tmpfile-util.h"
|
||||
#include "virt.h"
|
||||
|
||||
/* __NR_socket may be invalid due to libseccomp */
|
||||
#if !defined(__NR_socket) || __NR_socket <= 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
|
||||
#if SCMP_SYS(socket) < 0 || defined(__i386__) || defined(__s390x__) || defined(__s390__)
|
||||
/* On these archs, socket() is implemented via the socketcall() syscall multiplexer,
|
||||
* and we can't restrict it hence via seccomp. */
|
||||
# define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
|
||||
|
@ -305,14 +304,14 @@ static void test_protect_sysctl(void) {
|
|||
assert_se(pid >= 0);
|
||||
|
||||
if (pid == 0) {
|
||||
#if defined __NR__sysctl && __NR__sysctl > 0
|
||||
#if __NR__sysctl > 0
|
||||
assert_se(syscall(__NR__sysctl, NULL) < 0);
|
||||
assert_se(errno == EFAULT);
|
||||
#endif
|
||||
|
||||
assert_se(seccomp_protect_sysctl() >= 0);
|
||||
|
||||
#if defined __NR__sysctl && __NR__sysctl > 0
|
||||
#if __NR__sysctl > 0
|
||||
assert_se(syscall(__NR__sysctl, 0, 0, 0) < 0);
|
||||
assert_se(errno == EPERM);
|
||||
#endif
|
||||
|
@ -641,7 +640,7 @@ static void test_load_syscall_filter_set_raw(void) {
|
|||
assert_se(poll(NULL, 0, 0) == 0);
|
||||
|
||||
assert_se(s = hashmap_new(NULL));
|
||||
#if defined __NR_access && __NR_access > 0
|
||||
#if SCMP_SYS(access) >= 0
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(-1)) >= 0);
|
||||
#else
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(-1)) >= 0);
|
||||
|
@ -657,7 +656,7 @@ static void test_load_syscall_filter_set_raw(void) {
|
|||
s = hashmap_free(s);
|
||||
|
||||
assert_se(s = hashmap_new(NULL));
|
||||
#if defined __NR_access && __NR_access > 0
|
||||
#if SCMP_SYS(access) >= 0
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_access + 1), INT_TO_PTR(EILSEQ)) >= 0);
|
||||
#else
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_faccessat + 1), INT_TO_PTR(EILSEQ)) >= 0);
|
||||
|
@ -673,7 +672,7 @@ static void test_load_syscall_filter_set_raw(void) {
|
|||
s = hashmap_free(s);
|
||||
|
||||
assert_se(s = hashmap_new(NULL));
|
||||
#if defined __NR_poll && __NR_poll > 0
|
||||
#if SCMP_SYS(poll) >= 0
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(-1)) >= 0);
|
||||
#else
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(-1)) >= 0);
|
||||
|
@ -690,7 +689,7 @@ static void test_load_syscall_filter_set_raw(void) {
|
|||
s = hashmap_free(s);
|
||||
|
||||
assert_se(s = hashmap_new(NULL));
|
||||
#if defined __NR_poll && __NR_poll > 0
|
||||
#if SCMP_SYS(poll) >= 0
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_poll + 1), INT_TO_PTR(EILSEQ)) >= 0);
|
||||
#else
|
||||
assert_se(hashmap_put(s, UINT32_TO_PTR(__NR_ppoll + 1), INT_TO_PTR(EILSEQ)) >= 0);
|
||||
|
@ -768,8 +767,8 @@ static int real_open(const char *path, int flags, mode_t mode) {
|
|||
* testing purposes that calls the real syscall, on architectures where SYS_open is defined. On
|
||||
* other architectures, let's just fall back to the glibc call. */
|
||||
|
||||
#if defined __NR_open && __NR_open > 0
|
||||
return (int) syscall(__NR_open, path, flags, mode);
|
||||
#ifdef SYS_open
|
||||
return (int) syscall(SYS_open, path, flags, mode);
|
||||
#else
|
||||
return open(path, flags, mode);
|
||||
#endif
|
||||
|
|
Loading…
Reference in New Issue