
4 Commits

5 changed files with 103 additions and 36 deletions

8
TODO

@ -19,6 +19,14 @@ Janitorial Clean-ups:
Features: Features:
* journalctl --image= which is like --root= but operates on disk images
* when systemd-nspawn and suchlike dissect an OS image, and there are multiple
root partitions, do an strverscmp() on the partition label and boot
first. That is inspired how sd-boot figures out which kernel to boot, and
thus allows defining OS images which can be A/B updated and we default to the
newest version automatically, both in nspawn and in sd-boot
* drop sd_bus_message_set_priority() from sd-bus API and documentation as much * drop sd_bus_message_set_priority() from sd-bus API and documentation as much
as we can, it's a kdbus left-over and unlikely to come back on AF_UNIX, since as we can, it's a kdbus left-over and unlikely to come back on AF_UNIX, since
it's not really implementable there. it's not really implementable there.


@ -1577,7 +1577,7 @@ static int apply_protect_kernel_logs(const Unit *u, const ExecContext *c) {
return seccomp_protect_syslog(); return seccomp_protect_syslog();
} }
static int apply_protect_clock(const Unit *u, const ExecContext *c) { static int apply_protect_clock(const Unit *u, const ExecContext *c) {
assert(u); assert(u);
assert(c); assert(c);
@ -1646,6 +1646,41 @@ static int apply_lock_personality(const Unit* u, const ExecContext *c) {
#endif #endif
static int apply_protect_hostname(const Unit *u, const ExecContext *c, int *ret_exit_status) {
int r;
assert(u);
assert(c);
if (!c->protect_hostname)
return 0;
if (ns_type_supported(NAMESPACE_UTS)) {
if (unshare(CLONE_NEWUTS) < 0) {
if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) {
*ret_exit_status = EXIT_NAMESPACE;
return log_unit_error_errno(u, errno, "Failed to set up UTS namespacing: %m");
}
log_unit_warning(u, "ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.");
}
} else
log_unit_warning(u, "ProtectHostname=yes is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.");
#if HAVE_SECCOMP
if (skip_seccomp_unavailable(u, "ProtectHostname="))
return 0;
r = seccomp_protect_hostname();
if (r < 0) {
*ret_exit_status = EXIT_SECCOMP;
return log_unit_error_errno(u, r, "Failed to apply hostname restrictions: %m");
}
#endif
return 0;
}
static void do_idle_pipe_dance(int idle_pipe[static 4]) { static void do_idle_pipe_dance(int idle_pipe[static 4]) {
assert(idle_pipe); assert(idle_pipe);
@ -3596,25 +3631,10 @@ static int exec_child(
} }
} }
if (context->protect_hostname) { if (needs_sandboxing) {
if (ns_type_supported(NAMESPACE_UTS)) { r = apply_protect_hostname(unit, context, exit_status);
if (unshare(CLONE_NEWUTS) < 0) { if (r < 0)
if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) { return r;
*exit_status = EXIT_NAMESPACE;
return log_unit_error_errno(unit, errno, "Failed to set up UTS namespacing: %m");
}
log_unit_warning(unit, "ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.");
}
} else
log_unit_warning(unit, "ProtectHostname=yes is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.");
#if HAVE_SECCOMP
r = seccomp_protect_hostname();
if (r < 0) {
*exit_status = EXIT_SECCOMP;
return log_unit_error_errno(unit, r, "Failed to apply hostname restrictions: %m");
}
#endif
} }
/* Drop groups as early as possible. /* Drop groups as early as possible.
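Review bot: In apply_protect_hostname(), every fallback path ends in `return 0`, so a unit with ProtectHostname=yes can start with neither the UTS namespace nor the seccomp filter applied when unshare() is refused and skip_seccomp_unavailable() returns true. The seccomp skip is new compared with the inline code removed from exec_child(), and the call is now gated on `needs_sandboxing` rather than `context->protect_hostname`. Both deserve a comment above the helper, for example `/* Best effort: each layer is skipped when unavailable; returns 0 even if no protection was applied */`. Separately, `int r;` is used only inside `#if HAVE_SECCOMP`, so it looks like an unused variable in builds without seccomp; declaring it inside that block avoids this. An `assert(ret_exit_status);` next to the existing asserts on `u` and `c` would cover the pointer that is dereferenced on both error paths.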


@ -52,9 +52,12 @@ static int parse_argv(
else if (please_suspend) else if (please_suspend)
*please_suspend = k; *please_suspend = k;
} else if (streq(argv[i], "debug")) {
if (debug)
*debug = true;
} else if ((v = startswith(argv[i], "debug="))) { } else if ((v = startswith(argv[i], "debug="))) {
int k; int k;
k = parse_boolean(v); k = parse_boolean(v);
if (k < 0) if (k < 0)
pam_syslog(handle, LOG_WARNING, "Failed to parse debug= argument, ignoring: %s", v); pam_syslog(handle, LOG_WARNING, "Failed to parse debug= argument, ignoring: %s", v);
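Review bot: The new bare `debug` branch in parse_argv() has no comment explaining why it exists next to `debug=`, and it can only switch debugging on. A one-line comment such as `/* Bare "debug" is shorthand for debug=yes; a later debug=no on the same line still overrides it */` would make the precedence explicit, assuming arguments are processed in order as the loop suggests. parse_argv() starts and ends outside this hunk, so the interaction with the other options is not visible here.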


@ -82,15 +82,35 @@ enum {
DHCP6_NTP_SUBOPTION_SRV_FQDN = 3, DHCP6_NTP_SUBOPTION_SRV_FQDN = 3,
}; };
/*
* RFC 8415, RFC 5007 and RFC 7653 status codes:
* https://www.iana.org/assignments/dhcpv6-parameters/dhcpv6-parameters.xhtml#dhcpv6-parameters-5
*/
enum { enum {
DHCP6_STATUS_SUCCESS = 0, DHCP6_STATUS_SUCCESS = 0,
DHCP6_STATUS_UNSPEC_FAIL = 1, DHCP6_STATUS_UNSPEC_FAIL = 1,
DHCP6_STATUS_NO_ADDRS_AVAIL = 2, DHCP6_STATUS_NO_ADDRS_AVAIL = 2,
DHCP6_STATUS_NO_BINDING = 3, DHCP6_STATUS_NO_BINDING = 3,
DHCP6_STATUS_NOT_ON_LINK = 4, DHCP6_STATUS_NOT_ON_LINK = 4,
DHCP6_STATUS_USE_MULTICAST = 5, DHCP6_STATUS_USE_MULTICAST = 5,
DHCP6_STATUS_NO_PREFIX_AVAIL = 6, DHCP6_STATUS_NO_PREFIX_AVAIL = 6,
_DHCP6_STATUS_MAX = 7, DHCP6_STATUS_UNKNOWN_QUERY_TYPE = 7,
DHCP6_STATUS_MALFORMED_QUERY = 8,
DHCP6_STATUS_NOT_CONFIGURED = 9,
DHCP6_STATUS_NOT_ALLOWED = 10,
DHCP6_STATUS_QUERY_TERMINATED = 11,
DHCP6_STATUS_DATA_MISSING = 12,
DHCP6_STATUS_CATCHUP_COMPLETE = 13,
DHCP6_STATUS_NOT_SUPPORTED = 14,
DHCP6_STATUS_TLS_CONNECTION_REFUSED = 15,
DHCP6_STATUS_ADDRESS_IN_USE = 16,
DHCP6_STATUS_CONFIGURATION_CONFLICT = 17,
DHCP6_STATUS_MISSING_BINDING_INFORMATION = 18,
DHCP6_STATUS_OUTDATED_BINDING_INFORMATION = 19,
DHCP6_STATUS_SERVER_SHUTTING_DOWN = 20,
DHCP6_STATUS_DNS_UPDATE_NOT_SUPPORTED = 21,
DHCP6_STATUS_EXCESSIVE_TIME_SKEW = 22,
_DHCP6_STATUS_MAX = 23,
}; };
enum { enum {
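Review bot: The sentinel is still hard-coded, now as `_DHCP6_STATUS_MAX = 23,`, so it has to be bumped by hand whenever IANA assigns another status code. Writing it as `_DHCP6_STATUS_MAX,` lets it follow the last enumerator automatically, which works here because the codes are contiguous from 0 to 22. The string table in the next file section is sized by this constant, so the two stay in step either way, but the implicit form removes one place where the value can drift.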


@ -106,13 +106,29 @@ const char * dhcp6_message_type_table[_DHCP6_MESSAGE_MAX] = {
DEFINE_STRING_TABLE_LOOKUP(dhcp6_message_type, int); DEFINE_STRING_TABLE_LOOKUP(dhcp6_message_type, int);
const char * dhcp6_message_status_table[_DHCP6_STATUS_MAX] = { const char * dhcp6_message_status_table[_DHCP6_STATUS_MAX] = {
[DHCP6_STATUS_SUCCESS] = "Success", [DHCP6_STATUS_SUCCESS] = "Success",
[DHCP6_STATUS_UNSPEC_FAIL] = "Unspecified failure", [DHCP6_STATUS_UNSPEC_FAIL] = "Unspecified failure",
[DHCP6_STATUS_NO_ADDRS_AVAIL] = "No addresses available", [DHCP6_STATUS_NO_ADDRS_AVAIL] = "No addresses available",
[DHCP6_STATUS_NO_BINDING] = "Binding unavailable", [DHCP6_STATUS_NO_BINDING] = "Binding unavailable",
[DHCP6_STATUS_NOT_ON_LINK] = "Not on link", [DHCP6_STATUS_NOT_ON_LINK] = "Not on link",
[DHCP6_STATUS_USE_MULTICAST] = "Use multicast", [DHCP6_STATUS_USE_MULTICAST] = "Use multicast",
[DHCP6_STATUS_NO_PREFIX_AVAIL] = "No prefix available", [DHCP6_STATUS_NO_PREFIX_AVAIL] = "No prefix available",
[DHCP6_STATUS_UNKNOWN_QUERY_TYPE] = "Unknown query type",
[DHCP6_STATUS_MALFORMED_QUERY] = "Malformed query",
[DHCP6_STATUS_NOT_CONFIGURED] = "Not configured",
[DHCP6_STATUS_NOT_ALLOWED] = "Not allowed",
[DHCP6_STATUS_QUERY_TERMINATED] = "Query terminated",
[DHCP6_STATUS_DATA_MISSING] = "Data missing",
[DHCP6_STATUS_CATCHUP_COMPLETE] = "Catch up complete",
[DHCP6_STATUS_NOT_SUPPORTED] = "Not supported",
[DHCP6_STATUS_TLS_CONNECTION_REFUSED] = "TLS connection refused",
[DHCP6_STATUS_ADDRESS_IN_USE] = "Address in use",
[DHCP6_STATUS_CONFIGURATION_CONFLICT] = "Configuration conflict",
[DHCP6_STATUS_MISSING_BINDING_INFORMATION] = "Missing binding information",
[DHCP6_STATUS_OUTDATED_BINDING_INFORMATION] = "Outdated binding information",
[DHCP6_STATUS_SERVER_SHUTTING_DOWN] = "Server shutting down",
[DHCP6_STATUS_DNS_UPDATE_NOT_SUPPORTED] = "DNS update not supported",
[DHCP6_STATUS_EXCESSIVE_TIME_SKEW] = "Excessive time skew",
}; };
DEFINE_STRING_TABLE_LOOKUP(dhcp6_message_status, int); DEFINE_STRING_TABLE_LOOKUP(dhcp6_message_status, int);
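Review bot: The status code indexed into dhcp6_message_status_table is a 16-bit value taken from a server's reply, so codes at or above `_DHCP6_STATUS_MAX` remain possible after this extension. The lookup generated by DEFINE_STRING_TABLE_LOOKUP is not shown here; presumably it bounds-checks and yields NULL for such codes, in which case callers that format the result with `%s` need a fallback string. A comment above the table would record that, for example `/* Codes arrive off the wire; values >= _DHCP6_STATUS_MAX have no entry, callers must handle a NULL lookup */`.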