Compare commits
2 Commits
debda5a4e5
...
84043bfd74
Author | SHA1 | Date |
---|---|---|
Yu Watanabe | 84043bfd74 | |
Topi Miettinen | 07317d6e34 |
|
@ -19,9 +19,6 @@
|
||||||
static int run(int argc, char *argv[]) {
|
static int run(int argc, char *argv[]) {
|
||||||
_cleanup_(notify_on_cleanup) const char *notify_message = NULL;
|
_cleanup_(notify_on_cleanup) const char *notify_message = NULL;
|
||||||
_cleanup_(manager_freep) Manager *m = NULL;
|
_cleanup_(manager_freep) Manager *m = NULL;
|
||||||
const char *user = "systemd-network";
|
|
||||||
uid_t uid;
|
|
||||||
gid_t gid;
|
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
log_setup_service();
|
log_setup_service();
|
||||||
|
@ -31,6 +28,13 @@ static int run(int argc, char *argv[]) {
|
||||||
if (argc != 1)
|
if (argc != 1)
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "This program takes no arguments.");
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "This program takes no arguments.");
|
||||||
|
|
||||||
|
/* Drop privileges, but only if we have been started as root. If we are not running as root we assume all
|
||||||
|
* privileges are already dropped and we can't create our runtime directory. */
|
||||||
|
if (geteuid() == 0) {
|
||||||
|
const char *user = "systemd-network";
|
||||||
|
uid_t uid;
|
||||||
|
gid_t gid;
|
||||||
|
|
||||||
r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0);
|
r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Cannot resolve user name %s: %m", user);
|
return log_error_errno(r, "Cannot resolve user name %s: %m", user);
|
||||||
|
@ -42,9 +46,6 @@ static int run(int argc, char *argv[]) {
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
log_warning_errno(r, "Could not create runtime directory: %m");
|
log_warning_errno(r, "Could not create runtime directory: %m");
|
||||||
|
|
||||||
/* Drop privileges, but only if we have been started as root. If we are not running as root we assume all
|
|
||||||
* privileges are already dropped. */
|
|
||||||
if (geteuid() == 0) {
|
|
||||||
r = drop_privileges(uid, gid,
|
r = drop_privileges(uid, gid,
|
||||||
(1ULL << CAP_NET_ADMIN) |
|
(1ULL << CAP_NET_ADMIN) |
|
||||||
(1ULL << CAP_NET_BIND_SERVICE) |
|
(1ULL << CAP_NET_BIND_SERVICE) |
|
||||||
|
@ -57,15 +58,15 @@ static int run(int argc, char *argv[]) {
|
||||||
/* Always create the directories people can create inotify watches in.
|
/* Always create the directories people can create inotify watches in.
|
||||||
* It is necessary to create the following subdirectories after drop_privileges()
|
* It is necessary to create the following subdirectories after drop_privileges()
|
||||||
* to support old kernels not supporting AmbientCapabilities=. */
|
* to support old kernels not supporting AmbientCapabilities=. */
|
||||||
r = mkdir_safe_label("/run/systemd/netif/links", 0755, uid, gid, MKDIR_WARN_MODE);
|
r = mkdir_safe_label("/run/systemd/netif/links", 0755, UID_INVALID, GID_INVALID, MKDIR_WARN_MODE);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
log_warning_errno(r, "Could not create runtime directory 'links': %m");
|
log_warning_errno(r, "Could not create runtime directory 'links': %m");
|
||||||
|
|
||||||
r = mkdir_safe_label("/run/systemd/netif/leases", 0755, uid, gid, MKDIR_WARN_MODE);
|
r = mkdir_safe_label("/run/systemd/netif/leases", 0755, UID_INVALID, GID_INVALID, MKDIR_WARN_MODE);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
log_warning_errno(r, "Could not create runtime directory 'leases': %m");
|
log_warning_errno(r, "Could not create runtime directory 'leases': %m");
|
||||||
|
|
||||||
r = mkdir_safe_label("/run/systemd/netif/lldp", 0755, uid, gid, MKDIR_WARN_MODE);
|
r = mkdir_safe_label("/run/systemd/netif/lldp", 0755, UID_INVALID, GID_INVALID, MKDIR_WARN_MODE);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
log_warning_errno(r, "Could not create runtime directory 'lldp': %m");
|
log_warning_errno(r, "Could not create runtime directory 'lldp': %m");
|
||||||
|
|
||||||
|
|
|
@ -21,9 +21,6 @@
|
||||||
static int run(int argc, char *argv[]) {
|
static int run(int argc, char *argv[]) {
|
||||||
_cleanup_(notify_on_cleanup) const char *notify_stop = NULL;
|
_cleanup_(notify_on_cleanup) const char *notify_stop = NULL;
|
||||||
_cleanup_(manager_freep) Manager *m = NULL;
|
_cleanup_(manager_freep) Manager *m = NULL;
|
||||||
const char *user = "systemd-resolve";
|
|
||||||
uid_t uid;
|
|
||||||
gid_t gid;
|
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
log_setup_service();
|
log_setup_service();
|
||||||
|
@ -37,19 +34,22 @@ static int run(int argc, char *argv[]) {
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "SELinux setup failed: %m");
|
return log_error_errno(r, "SELinux setup failed: %m");
|
||||||
|
|
||||||
|
/* Drop privileges, but only if we have been started as root. If we are not running as root we assume most
|
||||||
|
* privileges are already dropped and we can't create our directory. */
|
||||||
|
if (getuid() == 0) {
|
||||||
|
const char *user = "systemd-resolve";
|
||||||
|
uid_t uid;
|
||||||
|
gid_t gid;
|
||||||
|
|
||||||
r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0);
|
r = get_user_creds(&user, &uid, &gid, NULL, NULL, 0);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Cannot resolve user name %s: %m", user);
|
return log_error_errno(r, "Cannot resolve user name %s: %m", user);
|
||||||
|
|
||||||
/* Always create the directory where resolv.conf will live */
|
/* As we're root, we can create the directory where resolv.conf will live */
|
||||||
r = mkdir_safe_label("/run/systemd/resolve", 0755, uid, gid, MKDIR_WARN_MODE);
|
r = mkdir_safe_label("/run/systemd/resolve", 0755, uid, gid, MKDIR_WARN_MODE);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Could not create runtime directory: %m");
|
return log_error_errno(r, "Could not create runtime directory: %m");
|
||||||
|
|
||||||
/* Drop privileges, but only if we have been started as root. If we are not running as root we assume most
|
|
||||||
* privileges are already dropped. */
|
|
||||||
if (getuid() == 0) {
|
|
||||||
|
|
||||||
/* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */
|
/* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */
|
||||||
r = drop_privileges(uid, gid,
|
r = drop_privileges(uid, gid,
|
||||||
(UINT64_C(1) << CAP_NET_RAW)| /* needed for SO_BINDTODEVICE */
|
(UINT64_C(1) << CAP_NET_RAW)| /* needed for SO_BINDTODEVICE */
|
||||||
|
|
|
@ -22,6 +22,7 @@ m4_ifdef(`ENABLE_NETWORKD',
|
||||||
d /run/systemd/netif 0755 systemd-network systemd-network -
|
d /run/systemd/netif 0755 systemd-network systemd-network -
|
||||||
d /run/systemd/netif/links 0755 systemd-network systemd-network -
|
d /run/systemd/netif/links 0755 systemd-network systemd-network -
|
||||||
d /run/systemd/netif/leases 0755 systemd-network systemd-network -
|
d /run/systemd/netif/leases 0755 systemd-network systemd-network -
|
||||||
|
d /run/systemd/netif/lldp 0755 systemd-network systemd-network -
|
||||||
)m4_dnl
|
)m4_dnl
|
||||||
|
|
||||||
d /run/log 0755 root root -
|
d /run/log 0755 root root -
|
||||||
|
|
Loading…
Reference in New Issue