-/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
-
/***
This file is part of systemd.
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-#include "sd-event.h"
#include "sd-daemon.h"
-#include "mkdir.h"
-#include "capability.h"
+#include "sd-event.h"
-#include "resolved-manager.h"
+#include "capability-util.h"
+#include "mkdir.h"
#include "resolved-conf.h"
+#include "resolved-manager.h"
+#include "resolved-resolv-conf.h"
+#include "selinux-util.h"
+#include "signal-util.h"
+#include "user-util.h"
int main(int argc, char *argv[]) {
_cleanup_(manager_freep) Manager *m = NULL;
log_parse_environment();
log_open();
- umask(0022);
-
if (argc != 1) {
log_error("This program takes no arguments.");
r = -EINVAL;
goto finish;
}
+ umask(0022);
+
+ r = mac_selinux_init();
+ if (r < 0) {
+ log_error_errno(r, "SELinux setup failed: %m");
+ goto finish;
+ }
+
r = get_user_creds(&user, &uid, &gid, NULL, NULL);
if (r < 0) {
- log_error("Cannot resolve user name %s: %s", user, strerror(-r));
+ log_error_errno(r, "Cannot resolve user name %s: %m", user);
goto finish;
}
/* Always create the directory where resolv.conf will live */
r = mkdir_safe_label("/run/systemd/resolve", 0755, uid, gid);
if (r < 0) {
- log_error("Could not create runtime directory: %s", strerror(-r));
+ log_error_errno(r, "Could not create runtime directory: %m");
goto finish;
}
- r = drop_privileges(uid, gid, 0);
+ /* Drop privileges, but keep three caps. Note that we drop those too, later on (see below) */
+ r = drop_privileges(uid, gid,
+ (UINT64_C(1) << CAP_NET_RAW)| /* needed for SO_BINDTODEVICE */
+ (UINT64_C(1) << CAP_NET_BIND_SERVICE)| /* needed to bind on port 53 */
+ (UINT64_C(1) << CAP_SETPCAP) /* needed in order to drop the caps later */);
if (r < 0)
goto finish;
- assert_se(sigprocmask_many(SIG_BLOCK, SIGTERM, SIGINT, -1) == 0);
+ assert_se(sigprocmask_many(SIG_BLOCK, NULL, SIGTERM, SIGINT, SIGUSR1, SIGUSR2, -1) >= 0);
r = manager_new(&m);
if (r < 0) {
- log_error("Could not create manager: %s", strerror(-r));
+ log_error_errno(r, "Could not create manager: %m");
goto finish;
}
- r = manager_parse_config_file(m);
- if (r < 0)
- log_warning("Failed to parse configuration file: %s", strerror(-r));
+ r = manager_start(m);
+ if (r < 0) {
+ log_error_errno(r, "Failed to start manager: %m");
+ goto finish;
+ }
- /* Write finish default resolv.conf to avoid a dangling
- * symlink */
- r = manager_write_resolv_conf(m);
- if (r < 0)
- log_warning("Could not create resolv.conf: %s", strerror(-r));
+ /* Write finish default resolv.conf to avoid a dangling symlink */
+ (void) manager_write_resolv_conf(m);
+
+ /* Let's drop the remaining caps now */
+ r = capability_bounding_set_drop(0, true);
+ if (r < 0) {
+ log_error_errno(r, "Failed to drop remaining caps: %m");
+ goto finish;
+ }
sd_notify(false,
"READY=1\n"
r = sd_event_loop(m->event);
if (r < 0) {
- log_error("Event loop failed: %s", strerror(-r));
+ log_error_errno(r, "Event loop failed: %m");
goto finish;
}
+ sd_event_get_exit_code(m->event, &r);
+
finish:
- sd_notify(false, "STATUS=Shutting down...");
+ sd_notify(false,
+ "STOPPING=1\n"
+ "STATUS=Shutting down...");
return r < 0 ? EXIT_FAILURE : EXIT_SUCCESS;
}
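Review bot: The final `capability_bounding_set_drop(0, true)` creates an ordering constraint that its comment `/* Let's drop the remaining caps now */` does not spell out: everything that needs CAP_NET_RAW or CAP_NET_BIND_SERVICE (the SO_BINDTODEVICE and port 53 uses named at the `drop_privileges()` call) must already have happened when `manager_start()` returns. Presumably the sockets are opened there, but that is not visible here, since `manager_start()` and parts of main() lie outside this diff; a socket opened lazily from the event loop would only fail at run time. I would extend the comment to something like `/* Drop the remaining caps; every socket that needs CAP_NET_RAW or CAP_NET_BIND_SERVICE must be open by now */`. Separately, `sd_event_get_exit_code(m->event, &r);` ignores its return value without the `(void)` cast used on `manager_write_resolv_conf(m)` a few lines earlier, so `(void) sd_event_get_exit_code(m->event, &r);` would make the intent explicit.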