]>
Commit | Line | Data |
---|---|---|
db9ecf05 | 1 | /* SPDX-License-Identifier: LGPL-2.1-or-later */ |
8e1bd70d | 2 | |
8e1bd70d | 3 | #include <errno.h> |
7a2a0b90 | 4 | #include <getopt.h> |
3f6fd1ba LP |
5 | #include <limits.h> |
6 | #include <stdbool.h> | |
7 | #include <stdio.h> | |
8 | #include <stdlib.h> | |
ca78ad1d ZJS |
9 | #include <sys/stat.h> |
10 | #include <sys/types.h> | |
8e1bd70d | 11 | |
2c21044f | 12 | #include "conf-files.h" |
39f0d1d2 | 13 | #include "creds-util.h" |
a0f29c76 | 14 | #include "def.h" |
32458cc9 | 15 | #include "errno-util.h" |
3ffd4af2 | 16 | #include "fd-util.h" |
a5c32cff | 17 | #include "fileio.h" |
e0f42479 | 18 | #include "glob-util.h" |
3f6fd1ba LP |
19 | #include "hashmap.h" |
20 | #include "log.h" | |
8eb42d90 | 21 | #include "main-func.h" |
dcd5c891 | 22 | #include "pager.h" |
3f6fd1ba | 23 | #include "path-util.h" |
294bf0c3 | 24 | #include "pretty-print.h" |
07630cea | 25 | #include "string-util.h" |
3f6fd1ba | 26 | #include "strv.h" |
88a60da0 | 27 | #include "sysctl-util.h" |
8e1bd70d | 28 | |
fabe5c0e | 29 | static char **arg_prefixes = NULL; |
3c51c626 | 30 | static bool arg_cat_config = false; |
e88748c1 | 31 | static bool arg_strict = false; |
0221d68a | 32 | static PagerFlags arg_pager_flags = 0; |
8e1bd70d | 33 | |
fd8bdbc7 LP |
34 | STATIC_DESTRUCTOR_REGISTER(arg_prefixes, strv_freep); |
35 | ||
dec02d6e LP |
36 | typedef struct Option { |
37 | char *key; | |
38 | char *value; | |
39 | bool ignore_failure; | |
40 | } Option; | |
41 | ||
42 | static Option *option_free(Option *o) { | |
43 | if (!o) | |
44 | return NULL; | |
45 | ||
46 | free(o->key); | |
47 | free(o->value); | |
48 | ||
49 | return mfree(o); | |
50 | } | |
51 | ||
52 | DEFINE_TRIVIAL_CLEANUP_FUNC(Option*, option_free); | |
53 | DEFINE_HASH_OPS_WITH_VALUE_DESTRUCTOR(option_hash_ops, char, string_hash_func, string_compare_func, Option, option_free); | |
54 | ||
e0f42479 | 55 | static bool test_prefix(const char *p) { |
e0f42479 ZJS |
56 | if (strv_isempty(arg_prefixes)) |
57 | return true; | |
58 | ||
59 | STRV_FOREACH(i, arg_prefixes) { | |
60 | const char *t; | |
61 | ||
62 | t = path_startswith(*i, "/proc/sys/"); | |
63 | if (!t) | |
64 | t = *i; | |
65 | ||
66 | if (path_startswith(p, t)) | |
67 | return true; | |
68 | } | |
69 | ||
70 | return false; | |
71 | } | |
72 | ||
dec02d6e LP |
73 | static Option *option_new( |
74 | const char *key, | |
75 | const char *value, | |
76 | bool ignore_failure) { | |
77 | ||
78 | _cleanup_(option_freep) Option *o = NULL; | |
79 | ||
80 | assert(key); | |
dec02d6e LP |
81 | |
82 | o = new(Option, 1); | |
83 | if (!o) | |
84 | return NULL; | |
85 | ||
86 | *o = (Option) { | |
87 | .key = strdup(key), | |
e0f42479 | 88 | .value = value ? strdup(value) : NULL, |
dec02d6e LP |
89 | .ignore_failure = ignore_failure, |
90 | }; | |
91 | ||
e0f42479 ZJS |
92 | if (!o->key) |
93 | return NULL; | |
94 | if (value && !o->value) | |
dec02d6e LP |
95 | return NULL; |
96 | ||
97 | return TAKE_PTR(o); | |
98 | } | |
99 | ||
e0f42479 ZJS |
100 | static int sysctl_write_or_warn(const char *key, const char *value, bool ignore_failure) { |
101 | int r; | |
102 | ||
103 | r = sysctl_write(key, value); | |
104 | if (r < 0) { | |
e88748c1 QD |
105 | /* Proceed without failing if ignore_failure is true. |
106 | * If the sysctl is not available in the kernel or we are running with reduced privileges and | |
107 | * cannot write it, then log about the issue, and proceed without failing. Unless strict mode | |
108 | * (arg_strict = true) is enabled, in which case we should fail. (EROFS is treated as a | |
109 | * permission problem here, since that's how container managers usually protected their | |
110 | * sysctls.) | |
111 | * In all other cases log an error and make the tool fail. */ | |
112 | if (ignore_failure || (!arg_strict && (r == -EROFS || ERRNO_IS_PRIVILEGE(r)))) | |
e0f42479 | 113 | log_debug_errno(r, "Couldn't write '%s' to '%s', ignoring: %m", value, key); |
e88748c1 | 114 | else if (!arg_strict && r == -ENOENT) |
1805fbcf | 115 | log_warning_errno(r, "Couldn't write '%s' to '%s', ignoring: %m", value, key); |
e0f42479 ZJS |
116 | else |
117 | return log_error_errno(r, "Couldn't write '%s' to '%s': %m", value, key); | |
118 | } | |
119 | ||
120 | return 0; | |
121 | } | |
122 | ||
886cf982 | 123 | static int apply_all(OrderedHashmap *sysctl_options) { |
dec02d6e | 124 | Option *option; |
e50b33be | 125 | int r = 0; |
fabe5c0e | 126 | |
90e74a66 | 127 | ORDERED_HASHMAP_FOREACH(option, sysctl_options) { |
86fc77c4 MS |
128 | int k; |
129 | ||
e0f42479 ZJS |
130 | /* Ignore "negative match" options, they are there only to exclude stuff from globs. */ |
131 | if (!option->value) | |
132 | continue; | |
e50b33be | 133 | |
e0f42479 ZJS |
134 | if (string_is_glob(option->key)) { |
135 | _cleanup_strv_free_ char **paths = NULL; | |
136 | _cleanup_free_ char *pattern = NULL; | |
86fc77c4 | 137 | |
e0f42479 ZJS |
138 | pattern = path_join("/proc/sys", option->key); |
139 | if (!pattern) | |
140 | return log_oom(); | |
9c37b41c | 141 | |
544e146b | 142 | k = glob_extend(&paths, pattern, GLOB_NOCHECK); |
e0f42479 | 143 | if (k < 0) { |
c53ce14d | 144 | if (option->ignore_failure || ERRNO_IS_PRIVILEGE(k)) |
e0f42479 ZJS |
145 | log_debug_errno(k, "Failed to resolve glob '%s', ignoring: %m", |
146 | option->key); | |
147 | else { | |
148 | log_error_errno(k, "Couldn't resolve glob '%s': %m", | |
149 | option->key); | |
150 | if (r == 0) | |
151 | r = k; | |
152 | } | |
9c37b41c | 153 | |
e0f42479 ZJS |
154 | } else if (strv_isempty(paths)) |
155 | log_debug("No match for glob: %s", option->key); | |
9c37b41c | 156 | |
e0f42479 ZJS |
157 | STRV_FOREACH(s, paths) { |
158 | const char *key; | |
159 | ||
160 | assert_se(key = path_startswith(*s, "/proc/sys")); | |
161 | ||
162 | if (!test_prefix(key)) | |
163 | continue; | |
164 | ||
165 | if (ordered_hashmap_contains(sysctl_options, key)) { | |
42a033f7 | 166 | log_debug("Not setting %s (explicit setting exists).", key); |
e0f42479 ZJS |
167 | continue; |
168 | } | |
169 | ||
170 | k = sysctl_write_or_warn(key, option->value, option->ignore_failure); | |
171 | if (r == 0) | |
172 | r = k; | |
173 | } | |
174 | ||
175 | } else { | |
176 | k = sysctl_write_or_warn(option->key, option->value, option->ignore_failure); | |
177 | if (r == 0) | |
178 | r = k; | |
179 | } | |
9c37b41c LP |
180 | } |
181 | ||
e0f42479 | 182 | return r; |
9c37b41c LP |
183 | } |
184 | ||
b2ae4d9e | 185 | static int parse_file(OrderedHashmap **sysctl_options, const char *path, bool ignore_enoent) { |
fabe5c0e | 186 | _cleanup_fclose_ FILE *f = NULL; |
2708160c | 187 | _cleanup_free_ char *pp = NULL; |
98bf5011 | 188 | unsigned c = 0; |
fabe5c0e | 189 | int r; |
8e1bd70d LP |
190 | |
191 | assert(path); | |
192 | ||
2708160c | 193 | r = search_and_fopen(path, "re", NULL, (const char**) CONF_PATHS_STRV("sysctl.d"), &f, &pp); |
fabe5c0e | 194 | if (r < 0) { |
6f6fad96 | 195 | if (ignore_enoent && r == -ENOENT) |
c1b664d0 LP |
196 | return 0; |
197 | ||
8d3d7072 | 198 | return log_error_errno(r, "Failed to open file '%s', ignoring: %m", path); |
8e1bd70d LP |
199 | } |
200 | ||
2708160c | 201 | log_debug("Parsing %s", pp); |
4f14f2bb | 202 | for (;;) { |
dec02d6e | 203 | _cleanup_(option_freep) Option *new_option = NULL; |
a668bfe8 | 204 | _cleanup_free_ char *l = NULL; |
e0f42479 | 205 | bool ignore_failure = false; |
dec02d6e LP |
206 | Option *existing; |
207 | char *p, *value; | |
fabe5c0e | 208 | int k; |
548f6937 | 209 | |
a668bfe8 TSH |
210 | k = read_line(f, LONG_LINE_MAX, &l); |
211 | if (k == 0) | |
212 | break; | |
a668bfe8 | 213 | if (k < 0) |
2708160c | 214 | return log_error_errno(k, "Failed to read file '%s', ignoring: %m", pp); |
8e1bd70d | 215 | |
98bf5011 LP |
216 | c++; |
217 | ||
8e1bd70d | 218 | p = strstrip(l); |
8e1bd70d | 219 | |
548f6937 LP |
220 | if (isempty(p)) |
221 | continue; | |
d3b6d0c2 | 222 | if (strchr(COMMENTS "\n", *p)) |
8e1bd70d LP |
223 | continue; |
224 | ||
86fc77c4 | 225 | value = strchr(p, '='); |
e0f42479 ZJS |
226 | if (value) { |
227 | if (p[0] == '-') { | |
228 | ignore_failure = true; | |
229 | p++; | |
230 | } | |
8e1bd70d | 231 | |
e0f42479 ZJS |
232 | *value = 0; |
233 | value++; | |
234 | value = strstrip(value); | |
8e1bd70d | 235 | |
e0f42479 ZJS |
236 | } else { |
237 | if (p[0] == '-') | |
238 | /* We have a "negative match" option. Let's continue with value==NULL. */ | |
239 | p++; | |
240 | else { | |
2708160c | 241 | log_syntax(NULL, LOG_WARNING, pp, c, 0, |
e0f42479 ZJS |
242 | "Line is not an assignment, ignoring: %s", p); |
243 | if (r == 0) | |
244 | r = -EINVAL; | |
245 | continue; | |
246 | } | |
247 | } | |
dec02d6e | 248 | |
e0f42479 | 249 | p = strstrip(p); |
dec02d6e | 250 | p = sysctl_normalize(p); |
fabe5c0e | 251 | |
e0f42479 ZJS |
252 | /* We can't filter out globs at this point, we'll need to do that later. */ |
253 | if (!string_is_glob(p) && | |
254 | !test_prefix(p)) | |
b99802f7 | 255 | continue; |
b99802f7 | 256 | |
b2ae4d9e ZJS |
257 | if (ordered_hashmap_ensure_allocated(sysctl_options, &option_hash_ops) < 0) |
258 | return log_oom(); | |
259 | ||
260 | existing = ordered_hashmap_get(*sysctl_options, p); | |
fabe5c0e | 261 | if (existing) { |
db99904b | 262 | if (streq_ptr(value, existing->value)) { |
dec02d6e | 263 | existing->ignore_failure = existing->ignore_failure || ignore_failure; |
04bf3c1a | 264 | continue; |
dec02d6e | 265 | } |
fabe5c0e | 266 | |
2708160c | 267 | log_debug("Overwriting earlier assignment of %s at '%s:%u'.", p, pp, c); |
b2ae4d9e | 268 | option_free(ordered_hashmap_remove(*sysctl_options, p)); |
86fc77c4 MS |
269 | } |
270 | ||
dec02d6e LP |
271 | new_option = option_new(p, value, ignore_failure); |
272 | if (!new_option) | |
fabe5c0e LP |
273 | return log_oom(); |
274 | ||
b2ae4d9e | 275 | k = ordered_hashmap_put(*sysctl_options, new_option->key, new_option); |
dec02d6e LP |
276 | if (k < 0) |
277 | return log_error_errno(k, "Failed to add sysctl variable %s to hashmap: %m", p); | |
86fc77c4 | 278 | |
dec02d6e | 279 | TAKE_PTR(new_option); |
8e1bd70d LP |
280 | } |
281 | ||
c1b664d0 | 282 | return r; |
8e1bd70d LP |
283 | } |
284 | ||
39f0d1d2 LP |
285 | static int read_credential_lines(OrderedHashmap **sysctl_options) { |
286 | _cleanup_free_ char *j = NULL; | |
287 | const char *d; | |
288 | int r; | |
289 | ||
290 | r = get_credentials_dir(&d); | |
291 | if (r == -ENXIO) | |
292 | return 0; | |
293 | if (r < 0) | |
294 | return log_error_errno(r, "Failed to get credentials directory: %m"); | |
295 | ||
296 | j = path_join(d, "sysctl.extra"); | |
297 | if (!j) | |
298 | return log_oom(); | |
299 | ||
300 | (void) parse_file(sysctl_options, j, /* ignore_enoent= */ true); | |
301 | return 0; | |
302 | } | |
303 | ||
37ec0fdd LP |
304 | static int help(void) { |
305 | _cleanup_free_ char *link = NULL; | |
306 | int r; | |
307 | ||
308 | r = terminal_urlify_man("systemd-sysctl.service", "8", &link); | |
309 | if (r < 0) | |
310 | return log_oom(); | |
311 | ||
7a2a0b90 LP |
312 | printf("%s [OPTIONS...] [CONFIGURATION FILE...]\n\n" |
313 | "Applies kernel sysctl settings.\n\n" | |
314 | " -h --help Show this help\n" | |
eb9da376 | 315 | " --version Show package version\n" |
3c51c626 | 316 | " --cat-config Show configuration files\n" |
0e1f5792 | 317 | " --prefix=PATH Only apply rules with the specified prefix\n" |
dcd5c891 | 318 | " --no-pager Do not pipe output into a pager\n" |
bc556335 DDM |
319 | "\nSee the %s for details.\n", |
320 | program_invocation_short_name, | |
321 | link); | |
37ec0fdd LP |
322 | |
323 | return 0; | |
7a2a0b90 LP |
324 | } |
325 | ||
326 | static int parse_argv(int argc, char *argv[]) { | |
327 | ||
328 | enum { | |
eb9da376 | 329 | ARG_VERSION = 0x100, |
3c51c626 ZJS |
330 | ARG_CAT_CONFIG, |
331 | ARG_PREFIX, | |
dcd5c891 | 332 | ARG_NO_PAGER, |
e88748c1 | 333 | ARG_STRICT, |
7a2a0b90 LP |
334 | }; |
335 | ||
336 | static const struct option options[] = { | |
3c51c626 ZJS |
337 | { "help", no_argument, NULL, 'h' }, |
338 | { "version", no_argument, NULL, ARG_VERSION }, | |
339 | { "cat-config", no_argument, NULL, ARG_CAT_CONFIG }, | |
340 | { "prefix", required_argument, NULL, ARG_PREFIX }, | |
dcd5c891 | 341 | { "no-pager", no_argument, NULL, ARG_NO_PAGER }, |
e88748c1 | 342 | { "strict", no_argument, NULL, ARG_STRICT }, |
eb9da376 | 343 | {} |
7a2a0b90 LP |
344 | }; |
345 | ||
346 | int c; | |
347 | ||
348 | assert(argc >= 0); | |
349 | assert(argv); | |
350 | ||
601185b4 | 351 | while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0) |
7a2a0b90 LP |
352 | |
353 | switch (c) { | |
354 | ||
355 | case 'h': | |
37ec0fdd | 356 | return help(); |
eb9da376 LP |
357 | |
358 | case ARG_VERSION: | |
3f6fd1ba | 359 | return version(); |
7a2a0b90 | 360 | |
3c51c626 ZJS |
361 | case ARG_CAT_CONFIG: |
362 | arg_cat_config = true; | |
363 | break; | |
364 | ||
7a2a0b90 LP |
365 | case ARG_PREFIX: { |
366 | char *p; | |
367 | ||
0e1f5792 DH |
368 | /* We used to require people to specify absolute paths |
369 | * in /proc/sys in the past. This is kinda useless, but | |
370 | * we need to keep compatibility. We now support any | |
371 | * sysctl name available. */ | |
88a60da0 | 372 | sysctl_normalize(optarg); |
e50b33be | 373 | |
27458ed6 | 374 | if (path_startswith(optarg, "/proc/sys")) |
0e1f5792 DH |
375 | p = strdup(optarg); |
376 | else | |
b910cc72 | 377 | p = path_join("/proc/sys", optarg); |
0e1f5792 DH |
378 | if (!p) |
379 | return log_oom(); | |
e50b33be | 380 | |
0e1f5792 | 381 | if (strv_consume(&arg_prefixes, p) < 0) |
0d0f0c50 | 382 | return log_oom(); |
f68c5a70 | 383 | |
7a2a0b90 LP |
384 | break; |
385 | } | |
386 | ||
dcd5c891 | 387 | case ARG_NO_PAGER: |
0221d68a | 388 | arg_pager_flags |= PAGER_DISABLE; |
dcd5c891 LP |
389 | break; |
390 | ||
e88748c1 QD |
391 | case ARG_STRICT: |
392 | arg_strict = true; | |
393 | break; | |
394 | ||
7a2a0b90 LP |
395 | case '?': |
396 | return -EINVAL; | |
397 | ||
398 | default: | |
04499a70 | 399 | assert_not_reached(); |
7a2a0b90 | 400 | } |
7a2a0b90 | 401 | |
baaa35ad ZJS |
402 | if (arg_cat_config && argc > optind) |
403 | return log_error_errno(SYNTHETIC_ERRNO(EINVAL), | |
404 | "Positional arguments are not allowed with --cat-config"); | |
3c51c626 | 405 | |
7a2a0b90 LP |
406 | return 1; |
407 | } | |
408 | ||
8eb42d90 | 409 | static int run(int argc, char *argv[]) { |
dec02d6e | 410 | _cleanup_(ordered_hashmap_freep) OrderedHashmap *sysctl_options = NULL; |
a34c79d0 | 411 | int r, k; |
8e1bd70d | 412 | |
7a2a0b90 LP |
413 | r = parse_argv(argc, argv); |
414 | if (r <= 0) | |
a34c79d0 | 415 | return r; |
7a2a0b90 | 416 | |
d2acb93d | 417 | log_setup(); |
8e1bd70d | 418 | |
4c12626c LP |
419 | umask(0022); |
420 | ||
de19ece7 LP |
421 | if (argc > optind) { |
422 | int i; | |
423 | ||
2de30233 LP |
424 | r = 0; |
425 | ||
de19ece7 | 426 | for (i = optind; i < argc; i++) { |
b2ae4d9e | 427 | k = parse_file(&sysctl_options, argv[i], false); |
fabe5c0e | 428 | if (k < 0 && r == 0) |
de19ece7 LP |
429 | r = k; |
430 | } | |
431 | } else { | |
fabe5c0e | 432 | _cleanup_strv_free_ char **files = NULL; |
c1b664d0 | 433 | |
a826d4f7 | 434 | r = conf_files_list_strv(&files, ".conf", NULL, 0, (const char**) CONF_PATHS_STRV("sysctl.d")); |
a34c79d0 ZJS |
435 | if (r < 0) |
436 | return log_error_errno(r, "Failed to enumerate sysctl.d files: %m"); | |
db1413d7 | 437 | |
3c51c626 | 438 | if (arg_cat_config) { |
384c2c32 | 439 | pager_open(arg_pager_flags); |
dcd5c891 | 440 | |
a34c79d0 | 441 | return cat_files(NULL, files, 0); |
3c51c626 ZJS |
442 | } |
443 | ||
fabe5c0e | 444 | STRV_FOREACH(f, files) { |
b2ae4d9e | 445 | k = parse_file(&sysctl_options, *f, true); |
fabe5c0e | 446 | if (k < 0 && r == 0) |
db1413d7 KS |
447 | r = k; |
448 | } | |
39f0d1d2 LP |
449 | |
450 | k = read_credential_lines(&sysctl_options); | |
451 | if (k < 0 && r == 0) | |
452 | r = k; | |
8e1bd70d | 453 | } |
86fc77c4 | 454 | |
fabe5c0e LP |
455 | k = apply_all(sysctl_options); |
456 | if (k < 0 && r == 0) | |
0187f62b LP |
457 | r = k; |
458 | ||
8eb42d90 | 459 | return r; |
8e1bd70d | 460 | } |
8eb42d90 LP |
461 | |
462 | DEFINE_MAIN_FUNCTION(run); |