]>
Commit | Line | Data |
---|---|---|
53e1b683 | 1 | /* SPDX-License-Identifier: LGPL-2.1+ */ |
4ad49000 LP |
2 | /*** |
3 | This file is part of systemd. | |
4 | ||
5 | Copyright 2013 Lennart Poettering | |
6 | ||
7 | systemd is free software; you can redistribute it and/or modify it | |
8 | under the terms of the GNU Lesser General Public License as published by | |
9 | the Free Software Foundation; either version 2.1 of the License, or | |
10 | (at your option) any later version. | |
11 | ||
12 | systemd is distributed in the hope that it will be useful, but | |
13 | WITHOUT ANY WARRANTY; without even the implied warranty of | |
14 | MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU | |
15 | Lesser General Public License for more details. | |
16 | ||
17 | You should have received a copy of the GNU Lesser General Public License | |
18 | along with systemd; If not, see <http://www.gnu.org/licenses/>. | |
19 | ***/ | |
20 | ||
3dc5ca97 | 21 | #include <arpa/inet.h> |
0d536673 | 22 | #include <stdio_ext.h> |
3dc5ca97 LP |
23 | |
24 | #include "af-list.h" | |
b5efdb8a | 25 | #include "alloc-util.h" |
078ba556 | 26 | #include "bpf-firewall.h" |
718db961 | 27 | #include "bus-util.h" |
718db961 LP |
28 | #include "cgroup-util.h" |
29 | #include "cgroup.h" | |
4ad49000 | 30 | #include "dbus-cgroup.h" |
681ae88e | 31 | #include "dbus-util.h" |
3ffd4af2 | 32 | #include "fd-util.h" |
0d39fa9c | 33 | #include "fileio.h" |
3ffd4af2 | 34 | #include "path-util.h" |
4ad49000 | 35 | |
718db961 LP |
36 | static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_cgroup_device_policy, cgroup_device_policy, CGroupDevicePolicy); |
37 | ||
02638280 LP |
38 | static int property_get_delegate_controllers( |
39 | sd_bus *bus, | |
40 | const char *path, | |
41 | const char *interface, | |
42 | const char *property, | |
43 | sd_bus_message *reply, | |
44 | void *userdata, | |
45 | sd_bus_error *error) { | |
46 | ||
47 | CGroupContext *c = userdata; | |
48 | CGroupController cc; | |
49 | int r; | |
50 | ||
51 | assert(bus); | |
52 | assert(reply); | |
53 | assert(c); | |
54 | ||
55 | if (!c->delegate) | |
56 | return sd_bus_message_append(reply, "as", 0); | |
57 | ||
58 | r = sd_bus_message_open_container(reply, 'a', "s"); | |
59 | if (r < 0) | |
60 | return r; | |
61 | ||
62 | for (cc = 0; cc < _CGROUP_CONTROLLER_MAX; cc++) { | |
63 | if ((c->delegate_controllers & CGROUP_CONTROLLER_TO_MASK(cc)) == 0) | |
64 | continue; | |
65 | ||
66 | r = sd_bus_message_append(reply, "s", cgroup_controller_to_string(cc)); | |
67 | if (r < 0) | |
68 | return r; | |
69 | } | |
70 | ||
71 | return sd_bus_message_close_container(reply); | |
72 | } | |
73 | ||
13c31542 TH |
74 | static int property_get_io_device_weight( |
75 | sd_bus *bus, | |
76 | const char *path, | |
77 | const char *interface, | |
78 | const char *property, | |
79 | sd_bus_message *reply, | |
80 | void *userdata, | |
81 | sd_bus_error *error) { | |
82 | ||
83 | CGroupContext *c = userdata; | |
84 | CGroupIODeviceWeight *w; | |
85 | int r; | |
86 | ||
87 | assert(bus); | |
88 | assert(reply); | |
89 | assert(c); | |
90 | ||
91 | r = sd_bus_message_open_container(reply, 'a', "(st)"); | |
92 | if (r < 0) | |
93 | return r; | |
94 | ||
95 | LIST_FOREACH(device_weights, w, c->io_device_weights) { | |
96 | r = sd_bus_message_append(reply, "(st)", w->path, w->weight); | |
97 | if (r < 0) | |
98 | return r; | |
99 | } | |
100 | ||
101 | return sd_bus_message_close_container(reply); | |
102 | } | |
103 | ||
104 | static int property_get_io_device_limits( | |
105 | sd_bus *bus, | |
106 | const char *path, | |
107 | const char *interface, | |
108 | const char *property, | |
109 | sd_bus_message *reply, | |
110 | void *userdata, | |
111 | sd_bus_error *error) { | |
112 | ||
113 | CGroupContext *c = userdata; | |
114 | CGroupIODeviceLimit *l; | |
115 | int r; | |
116 | ||
117 | assert(bus); | |
118 | assert(reply); | |
119 | assert(c); | |
120 | ||
121 | r = sd_bus_message_open_container(reply, 'a', "(st)"); | |
122 | if (r < 0) | |
123 | return r; | |
124 | ||
125 | LIST_FOREACH(device_limits, l, c->io_device_limits) { | |
9be57249 | 126 | CGroupIOLimitType type; |
13c31542 | 127 | |
9be57249 TH |
128 | type = cgroup_io_limit_type_from_string(property); |
129 | if (type < 0 || l->limits[type] == cgroup_io_limit_defaults[type]) | |
13c31542 TH |
130 | continue; |
131 | ||
9be57249 | 132 | r = sd_bus_message_append(reply, "(st)", l->path, l->limits[type]); |
13c31542 TH |
133 | if (r < 0) |
134 | return r; | |
135 | } | |
136 | ||
137 | return sd_bus_message_close_container(reply); | |
138 | } | |
139 | ||
718db961 LP |
140 | static int property_get_blockio_device_weight( |
141 | sd_bus *bus, | |
142 | const char *path, | |
143 | const char *interface, | |
144 | const char *property, | |
145 | sd_bus_message *reply, | |
ebcf1f97 LP |
146 | void *userdata, |
147 | sd_bus_error *error) { | |
4ad49000 | 148 | |
718db961 | 149 | CGroupContext *c = userdata; |
4ad49000 | 150 | CGroupBlockIODeviceWeight *w; |
718db961 | 151 | int r; |
4ad49000 | 152 | |
718db961 LP |
153 | assert(bus); |
154 | assert(reply); | |
4ad49000 LP |
155 | assert(c); |
156 | ||
718db961 LP |
157 | r = sd_bus_message_open_container(reply, 'a', "(st)"); |
158 | if (r < 0) | |
159 | return r; | |
4ad49000 LP |
160 | |
161 | LIST_FOREACH(device_weights, w, c->blockio_device_weights) { | |
718db961 LP |
162 | r = sd_bus_message_append(reply, "(st)", w->path, w->weight); |
163 | if (r < 0) | |
164 | return r; | |
4ad49000 LP |
165 | } |
166 | ||
718db961 | 167 | return sd_bus_message_close_container(reply); |
4ad49000 LP |
168 | } |
169 | ||
718db961 LP |
170 | static int property_get_blockio_device_bandwidths( |
171 | sd_bus *bus, | |
172 | const char *path, | |
173 | const char *interface, | |
174 | const char *property, | |
175 | sd_bus_message *reply, | |
ebcf1f97 LP |
176 | void *userdata, |
177 | sd_bus_error *error) { | |
718db961 LP |
178 | |
179 | CGroupContext *c = userdata; | |
4ad49000 | 180 | CGroupBlockIODeviceBandwidth *b; |
718db961 | 181 | int r; |
4ad49000 | 182 | |
718db961 LP |
183 | assert(bus); |
184 | assert(reply); | |
4ad49000 LP |
185 | assert(c); |
186 | ||
718db961 LP |
187 | r = sd_bus_message_open_container(reply, 'a', "(st)"); |
188 | if (r < 0) | |
189 | return r; | |
4ad49000 LP |
190 | |
191 | LIST_FOREACH(device_bandwidths, b, c->blockio_device_bandwidths) { | |
979d0311 | 192 | uint64_t v; |
4ad49000 | 193 | |
979d0311 TH |
194 | if (streq(property, "BlockIOReadBandwidth")) |
195 | v = b->rbps; | |
196 | else | |
197 | v = b->wbps; | |
198 | ||
199 | if (v == CGROUP_LIMIT_MAX) | |
4ad49000 LP |
200 | continue; |
201 | ||
979d0311 | 202 | r = sd_bus_message_append(reply, "(st)", b->path, v); |
718db961 LP |
203 | if (r < 0) |
204 | return r; | |
4ad49000 LP |
205 | } |
206 | ||
718db961 | 207 | return sd_bus_message_close_container(reply); |
4ad49000 LP |
208 | } |
209 | ||
718db961 LP |
210 | static int property_get_device_allow( |
211 | sd_bus *bus, | |
212 | const char *path, | |
213 | const char *interface, | |
214 | const char *property, | |
215 | sd_bus_message *reply, | |
ebcf1f97 LP |
216 | void *userdata, |
217 | sd_bus_error *error) { | |
718db961 LP |
218 | |
219 | CGroupContext *c = userdata; | |
4ad49000 | 220 | CGroupDeviceAllow *a; |
718db961 | 221 | int r; |
4ad49000 | 222 | |
718db961 LP |
223 | assert(bus); |
224 | assert(reply); | |
4ad49000 LP |
225 | assert(c); |
226 | ||
718db961 LP |
227 | r = sd_bus_message_open_container(reply, 'a', "(ss)"); |
228 | if (r < 0) | |
229 | return r; | |
4ad49000 LP |
230 | |
231 | LIST_FOREACH(device_allow, a, c->device_allow) { | |
4ad49000 | 232 | unsigned k = 0; |
718db961 | 233 | char rwm[4]; |
4ad49000 LP |
234 | |
235 | if (a->r) | |
718db961 | 236 | rwm[k++] = 'r'; |
4ad49000 | 237 | if (a->w) |
718db961 | 238 | rwm[k++] = 'w'; |
4ad49000 | 239 | if (a->m) |
718db961 | 240 | rwm[k++] = 'm'; |
4ad49000 | 241 | |
718db961 | 242 | rwm[k] = 0; |
4ad49000 | 243 | |
718db961 LP |
244 | r = sd_bus_message_append(reply, "(ss)", a->path, rwm); |
245 | if (r < 0) | |
246 | return r; | |
4ad49000 LP |
247 | } |
248 | ||
718db961 | 249 | return sd_bus_message_close_container(reply); |
4ad49000 LP |
250 | } |
251 | ||
3dc5ca97 LP |
252 | static int property_get_ip_address_access( |
253 | sd_bus *bus, | |
254 | const char *path, | |
255 | const char *interface, | |
256 | const char *property, | |
257 | sd_bus_message *reply, | |
258 | void *userdata, | |
259 | sd_bus_error *error) { | |
260 | ||
261 | IPAddressAccessItem** items = userdata, *i; | |
262 | int r; | |
263 | ||
264 | r = sd_bus_message_open_container(reply, 'a', "(iayu)"); | |
265 | if (r < 0) | |
266 | return r; | |
267 | ||
268 | LIST_FOREACH(items, i, *items) { | |
269 | ||
270 | r = sd_bus_message_open_container(reply, 'r', "iayu"); | |
271 | if (r < 0) | |
272 | return r; | |
273 | ||
274 | r = sd_bus_message_append(reply, "i", i->family); | |
275 | if (r < 0) | |
276 | return r; | |
277 | ||
278 | r = sd_bus_message_append_array(reply, 'y', &i->address, FAMILY_ADDRESS_SIZE(i->family)); | |
279 | if (r < 0) | |
280 | return r; | |
281 | ||
282 | r = sd_bus_message_append(reply, "u", (uint32_t) i->prefixlen); | |
283 | if (r < 0) | |
284 | return r; | |
285 | ||
286 | r = sd_bus_message_close_container(reply); | |
287 | if (r < 0) | |
288 | return r; | |
289 | } | |
290 | ||
291 | return sd_bus_message_close_container(reply); | |
292 | } | |
293 | ||
718db961 LP |
294 | const sd_bus_vtable bus_cgroup_vtable[] = { |
295 | SD_BUS_VTABLE_START(0), | |
a931ad47 | 296 | SD_BUS_PROPERTY("Delegate", "b", bus_property_get_bool, offsetof(CGroupContext, delegate), 0), |
02638280 | 297 | SD_BUS_PROPERTY("DelegateControllers", "as", property_get_delegate_controllers, 0, 0), |
610f780c | 298 | SD_BUS_PROPERTY("CPUAccounting", "b", bus_property_get_bool, offsetof(CGroupContext, cpu_accounting), 0), |
66ebf6c0 TH |
299 | SD_BUS_PROPERTY("CPUWeight", "t", NULL, offsetof(CGroupContext, cpu_weight), 0), |
300 | SD_BUS_PROPERTY("StartupCPUWeight", "t", NULL, offsetof(CGroupContext, startup_cpu_weight), 0), | |
d53d9474 LP |
301 | SD_BUS_PROPERTY("CPUShares", "t", NULL, offsetof(CGroupContext, cpu_shares), 0), |
302 | SD_BUS_PROPERTY("StartupCPUShares", "t", NULL, offsetof(CGroupContext, startup_cpu_shares), 0), | |
ee26bcc0 | 303 | SD_BUS_PROPERTY("CPUQuotaPerSecUSec", "t", bus_property_get_usec, offsetof(CGroupContext, cpu_quota_per_sec_usec), 0), |
13c31542 TH |
304 | SD_BUS_PROPERTY("IOAccounting", "b", bus_property_get_bool, offsetof(CGroupContext, io_accounting), 0), |
305 | SD_BUS_PROPERTY("IOWeight", "t", NULL, offsetof(CGroupContext, io_weight), 0), | |
306 | SD_BUS_PROPERTY("StartupIOWeight", "t", NULL, offsetof(CGroupContext, startup_io_weight), 0), | |
307 | SD_BUS_PROPERTY("IODeviceWeight", "a(st)", property_get_io_device_weight, 0, 0), | |
308 | SD_BUS_PROPERTY("IOReadBandwidthMax", "a(st)", property_get_io_device_limits, 0, 0), | |
309 | SD_BUS_PROPERTY("IOWriteBandwidthMax", "a(st)", property_get_io_device_limits, 0, 0), | |
ac06a0cf TH |
310 | SD_BUS_PROPERTY("IOReadIOPSMax", "a(st)", property_get_io_device_limits, 0, 0), |
311 | SD_BUS_PROPERTY("IOWriteIOPSMax", "a(st)", property_get_io_device_limits, 0, 0), | |
610f780c | 312 | SD_BUS_PROPERTY("BlockIOAccounting", "b", bus_property_get_bool, offsetof(CGroupContext, blockio_accounting), 0), |
d53d9474 LP |
313 | SD_BUS_PROPERTY("BlockIOWeight", "t", NULL, offsetof(CGroupContext, blockio_weight), 0), |
314 | SD_BUS_PROPERTY("StartupBlockIOWeight", "t", NULL, offsetof(CGroupContext, startup_blockio_weight), 0), | |
610f780c LP |
315 | SD_BUS_PROPERTY("BlockIODeviceWeight", "a(st)", property_get_blockio_device_weight, 0, 0), |
316 | SD_BUS_PROPERTY("BlockIOReadBandwidth", "a(st)", property_get_blockio_device_bandwidths, 0, 0), | |
317 | SD_BUS_PROPERTY("BlockIOWriteBandwidth", "a(st)", property_get_blockio_device_bandwidths, 0, 0), | |
318 | SD_BUS_PROPERTY("MemoryAccounting", "b", bus_property_get_bool, offsetof(CGroupContext, memory_accounting), 0), | |
da4d897e TH |
319 | SD_BUS_PROPERTY("MemoryLow", "t", NULL, offsetof(CGroupContext, memory_low), 0), |
320 | SD_BUS_PROPERTY("MemoryHigh", "t", NULL, offsetof(CGroupContext, memory_high), 0), | |
321 | SD_BUS_PROPERTY("MemoryMax", "t", NULL, offsetof(CGroupContext, memory_max), 0), | |
96e131ea | 322 | SD_BUS_PROPERTY("MemorySwapMax", "t", NULL, offsetof(CGroupContext, memory_swap_max), 0), |
610f780c LP |
323 | SD_BUS_PROPERTY("MemoryLimit", "t", NULL, offsetof(CGroupContext, memory_limit), 0), |
324 | SD_BUS_PROPERTY("DevicePolicy", "s", property_get_cgroup_device_policy, offsetof(CGroupContext, device_policy), 0), | |
325 | SD_BUS_PROPERTY("DeviceAllow", "a(ss)", property_get_device_allow, 0, 0), | |
03a7b521 LP |
326 | SD_BUS_PROPERTY("TasksAccounting", "b", bus_property_get_bool, offsetof(CGroupContext, tasks_accounting), 0), |
327 | SD_BUS_PROPERTY("TasksMax", "t", NULL, offsetof(CGroupContext, tasks_max), 0), | |
3dc5ca97 LP |
328 | SD_BUS_PROPERTY("IPAccounting", "b", bus_property_get_bool, offsetof(CGroupContext, ip_accounting), 0), |
329 | SD_BUS_PROPERTY("IPAddressAllow", "a(iayu)", property_get_ip_address_access, offsetof(CGroupContext, ip_address_allow), 0), | |
330 | SD_BUS_PROPERTY("IPAddressDeny", "a(iayu)", property_get_ip_address_access, offsetof(CGroupContext, ip_address_deny), 0), | |
718db961 | 331 | SD_BUS_VTABLE_END |
4ad49000 | 332 | }; |
8e2af478 | 333 | |
a931ad47 LP |
334 | static int bus_cgroup_set_transient_property( |
335 | Unit *u, | |
336 | CGroupContext *c, | |
337 | const char *name, | |
338 | sd_bus_message *message, | |
2e59b241 | 339 | UnitWriteFlags flags, |
a931ad47 LP |
340 | sd_bus_error *error) { |
341 | ||
342 | int r; | |
343 | ||
344 | assert(u); | |
345 | assert(c); | |
346 | assert(name); | |
347 | assert(message); | |
348 | ||
2e59b241 LP |
349 | flags |= UNIT_PRIVATE; |
350 | ||
a931ad47 LP |
351 | if (streq(name, "Delegate")) { |
352 | int b; | |
353 | ||
354 | r = sd_bus_message_read(message, "b", &b); | |
355 | if (r < 0) | |
356 | return r; | |
357 | ||
2e59b241 | 358 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
a931ad47 | 359 | c->delegate = b; |
02638280 LP |
360 | c->delegate_controllers = b ? _CGROUP_MASK_ALL : 0; |
361 | ||
2e59b241 | 362 | unit_write_settingf(u, flags, name, "Delegate=%s", yes_no(b)); |
a931ad47 LP |
363 | } |
364 | ||
02638280 LP |
365 | return 1; |
366 | ||
367 | } else if (streq(name, "DelegateControllers")) { | |
368 | CGroupMask mask = 0; | |
369 | ||
370 | r = sd_bus_message_enter_container(message, 'a', "s"); | |
371 | if (r < 0) | |
372 | return r; | |
373 | ||
374 | for (;;) { | |
375 | CGroupController cc; | |
376 | const char *t; | |
377 | ||
378 | r = sd_bus_message_read(message, "s", &t); | |
379 | if (r < 0) | |
380 | return r; | |
381 | if (r == 0) | |
382 | break; | |
383 | ||
384 | cc = cgroup_controller_from_string(t); | |
385 | if (cc < 0) | |
e74f76ca | 386 | return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Unknown cgroup contoller '%s'", t); |
02638280 LP |
387 | |
388 | mask |= CGROUP_CONTROLLER_TO_MASK(cc); | |
389 | } | |
390 | ||
391 | r = sd_bus_message_exit_container(message); | |
392 | if (r < 0) | |
393 | return r; | |
394 | ||
2e59b241 | 395 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
02638280 LP |
396 | _cleanup_free_ char *t = NULL; |
397 | ||
398 | r = cg_mask_to_string(mask, &t); | |
399 | if (r < 0) | |
400 | return r; | |
401 | ||
402 | c->delegate = true; | |
1bdfc7b9 YW |
403 | if (mask == 0) |
404 | c->delegate_controllers = 0; | |
405 | else | |
406 | c->delegate_controllers |= mask; | |
02638280 | 407 | |
2e59b241 | 408 | unit_write_settingf(u, flags, name, "Delegate=%s", strempty(t)); |
02638280 LP |
409 | } |
410 | ||
a931ad47 LP |
411 | return 1; |
412 | } | |
413 | ||
414 | return 0; | |
415 | } | |
416 | ||
681ae88e YW |
417 | static int bus_cgroup_set_boolean( |
418 | Unit *u, | |
419 | const char *name, | |
420 | bool *p, | |
421 | CGroupMask mask, | |
422 | sd_bus_message *message, | |
423 | UnitWriteFlags flags, | |
424 | sd_bus_error *error) { | |
425 | ||
426 | int b, r; | |
427 | ||
428 | assert(p); | |
429 | ||
430 | r = sd_bus_message_read(message, "b", &b); | |
431 | if (r < 0) | |
432 | return r; | |
433 | ||
434 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { | |
435 | *p = b; | |
436 | unit_invalidate_cgroup(u, mask); | |
437 | unit_write_settingf(u, flags, name, "%s=%s", name, yes_no(b)); | |
438 | } | |
439 | ||
440 | return 1; | |
441 | } | |
442 | ||
443 | static BUS_DEFINE_SET_CGROUP_WEIGHT(cpu_weight, CGROUP_MASK_CPU, CGROUP_WEIGHT_IS_OK, CGROUP_WEIGHT_INVALID,); | |
444 | static BUS_DEFINE_SET_CGROUP_WEIGHT(cpu_shares, CGROUP_MASK_CPU, CGROUP_CPU_SHARES_IS_OK, CGROUP_CPU_SHARES_INVALID,); | |
445 | static BUS_DEFINE_SET_CGROUP_WEIGHT(io_weight, CGROUP_MASK_IO, CGROUP_WEIGHT_IS_OK, CGROUP_WEIGHT_INVALID,); | |
446 | static BUS_DEFINE_SET_CGROUP_WEIGHT(blockio_weight, CGROUP_MASK_BLKIO, CGROUP_BLKIO_WEIGHT_IS_OK, CGROUP_BLKIO_WEIGHT_INVALID,); | |
447 | static BUS_DEFINE_SET_CGROUP_WEIGHT(memory, CGROUP_MASK_MEMORY, , CGROUP_LIMIT_MAX, "infinity"); | |
448 | static BUS_DEFINE_SET_CGROUP_WEIGHT(tasks_max, CGROUP_MASK_PIDS, , (uint64_t) -1, "infinity"); | |
449 | static BUS_DEFINE_SET_CGROUP_SCALE(memory, CGROUP_MASK_MEMORY, physical_memory_scale); | |
450 | static BUS_DEFINE_SET_CGROUP_SCALE(tasks_max, CGROUP_MASK_PIDS, system_tasks_max_scale); | |
451 | ||
8e2af478 LP |
452 | int bus_cgroup_set_property( |
453 | Unit *u, | |
454 | CGroupContext *c, | |
455 | const char *name, | |
718db961 | 456 | sd_bus_message *message, |
2e59b241 | 457 | UnitWriteFlags flags, |
718db961 LP |
458 | sd_bus_error *error) { |
459 | ||
9be57249 | 460 | CGroupIOLimitType iol_type; |
718db961 | 461 | int r; |
8e2af478 | 462 | |
8e2af478 LP |
463 | assert(u); |
464 | assert(c); | |
718db961 LP |
465 | assert(name); |
466 | assert(message); | |
8e2af478 | 467 | |
2e59b241 LP |
468 | flags |= UNIT_PRIVATE; |
469 | ||
681ae88e YW |
470 | if (streq(name, "CPUAccounting")) |
471 | return bus_cgroup_set_boolean(u, name, &c->cpu_accounting, CGROUP_MASK_CPUACCT|CGROUP_MASK_CPU, message, flags, error); | |
8e2af478 | 472 | |
681ae88e YW |
473 | if (streq(name, "CPUWeight")) |
474 | return bus_cgroup_set_cpu_weight(u, name, &c->cpu_weight, message, flags, error); | |
8e2af478 | 475 | |
681ae88e YW |
476 | if (streq(name, "StartupCPUWeight")) |
477 | return bus_cgroup_set_cpu_weight(u, name, &c->startup_cpu_weight, message, flags, error); | |
b42defe3 | 478 | |
681ae88e YW |
479 | if (streq(name, "CPUShares")) |
480 | return bus_cgroup_set_cpu_shares(u, name, &c->cpu_shares, message, flags, error); | |
b42defe3 | 481 | |
681ae88e YW |
482 | if (streq(name, "StartupCPUShares")) |
483 | return bus_cgroup_set_cpu_shares(u, name, &c->startup_cpu_shares, message, flags, error); | |
66ebf6c0 | 484 | |
681ae88e YW |
485 | if (streq(name, "IOAccounting")) |
486 | return bus_cgroup_set_boolean(u, name, &c->io_accounting, CGROUP_MASK_IO, message, flags, error); | |
66ebf6c0 | 487 | |
681ae88e YW |
488 | if (streq(name, "IOWeight")) |
489 | return bus_cgroup_set_io_weight(u, name, &c->io_weight, message, flags, error); | |
66ebf6c0 | 490 | |
681ae88e YW |
491 | if (streq(name, "StartupIOWeight")) |
492 | return bus_cgroup_set_io_weight(u, name, &c->startup_io_weight, message, flags, error); | |
66ebf6c0 | 493 | |
681ae88e YW |
494 | if (streq(name, "BlockIOAccounting")) |
495 | return bus_cgroup_set_boolean(u, name, &c->blockio_accounting, CGROUP_MASK_BLKIO, message, flags, error); | |
66ebf6c0 | 496 | |
681ae88e YW |
497 | if (streq(name, "BlockIOWeight")) |
498 | return bus_cgroup_set_blockio_weight(u, name, &c->blockio_weight, message, flags, error); | |
66ebf6c0 | 499 | |
681ae88e YW |
500 | if (streq(name, "StartupBlockIOWeight")) |
501 | return bus_cgroup_set_blockio_weight(u, name, &c->startup_blockio_weight, message, flags, error); | |
66ebf6c0 | 502 | |
681ae88e YW |
503 | if (streq(name, "MemoryAccounting")) |
504 | return bus_cgroup_set_boolean(u, name, &c->memory_accounting, CGROUP_MASK_MEMORY, message, flags, error); | |
b42defe3 | 505 | |
681ae88e YW |
506 | if (streq(name, "MemoryLow")) |
507 | return bus_cgroup_set_memory(u, name, &c->memory_low, message, flags, error); | |
b42defe3 | 508 | |
681ae88e YW |
509 | if (streq(name, "MemoryHigh")) |
510 | return bus_cgroup_set_memory(u, name, &c->memory_high, message, flags, error); | |
b42defe3 | 511 | |
681ae88e YW |
512 | if (streq(name, "MemorySwapMax")) |
513 | return bus_cgroup_set_memory(u, name, &c->memory_swap_max, message, flags, error); | |
95ae05c0 | 514 | |
681ae88e YW |
515 | if (streq(name, "MemoryMax")) |
516 | return bus_cgroup_set_memory(u, name, &c->memory_max, message, flags, error); | |
d53d9474 | 517 | |
681ae88e YW |
518 | if (streq(name, "MemoryLimit")) |
519 | return bus_cgroup_set_memory(u, name, &c->memory_limit, message, flags, error); | |
95ae05c0 | 520 | |
681ae88e YW |
521 | if (streq(name, "MemoryLowScale")) |
522 | return bus_cgroup_set_memory_scale(u, name, &c->memory_low, message, flags, error); | |
523 | ||
524 | if (streq(name, "MemoryHighScale")) | |
525 | return bus_cgroup_set_memory_scale(u, name, &c->memory_high, message, flags, error); | |
526 | ||
527 | if (streq(name, "MemorySwapMaxScale")) | |
528 | return bus_cgroup_set_memory_scale(u, name, &c->memory_swap_max, message, flags, error); | |
529 | ||
530 | if (streq(name, "MemoryMaxScale")) | |
531 | return bus_cgroup_set_memory_scale(u, name, &c->memory_max, message, flags, error); | |
95ae05c0 | 532 | |
681ae88e YW |
533 | if (streq(name, "MemoryLimitScale")) |
534 | return bus_cgroup_set_memory_scale(u, name, &c->memory_limit, message, flags, error); | |
535 | ||
60644c3d | 536 | if (streq(name, "TasksAccounting")) |
681ae88e YW |
537 | return bus_cgroup_set_boolean(u, name, &c->tasks_accounting, CGROUP_MASK_PIDS, message, flags, error); |
538 | ||
539 | if (streq(name, "TasksMax")) | |
540 | return bus_cgroup_set_tasks_max(u, name, &c->tasks_max, message, flags, error); | |
541 | ||
542 | if (streq(name, "TasksMaxScale")) | |
543 | return bus_cgroup_set_tasks_max_scale(u, name, &c->tasks_max, message, flags, error); | |
544 | ||
545 | if (streq(name, "CPUQuotaPerSecUSec")) { | |
b2f8b02e LP |
546 | uint64_t u64; |
547 | ||
548 | r = sd_bus_message_read(message, "t", &u64); | |
549 | if (r < 0) | |
550 | return r; | |
551 | ||
552 | if (u64 <= 0) | |
e74f76ca | 553 | return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "CPUQuotaPerSecUSec= value out of range"); |
b2f8b02e | 554 | |
2e59b241 | 555 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
b2f8b02e | 556 | c->cpu_quota_per_sec_usec = u64; |
e7ab4d1a | 557 | unit_invalidate_cgroup(u, CGROUP_MASK_CPU); |
2e59b241 | 558 | |
d4bf82fc | 559 | if (c->cpu_quota_per_sec_usec == USEC_INFINITY) |
2e59b241 | 560 | unit_write_setting(u, flags, "CPUQuota", "CPUQuota="); |
d4bf82fc | 561 | else |
2e59b241 LP |
562 | /* config_parse_cpu_quota() requires an integer, so truncating division is used on |
563 | * purpose here. */ | |
564 | unit_write_settingf(u, flags, "CPUQuota", | |
565 | "CPUQuota=%0.f%%", | |
566 | (double) (c->cpu_quota_per_sec_usec / 10000)); | |
b2f8b02e LP |
567 | } |
568 | ||
569 | return 1; | |
570 | ||
9be57249 | 571 | } else if ((iol_type = cgroup_io_limit_type_from_string(name)) >= 0) { |
13c31542 | 572 | const char *path; |
13c31542 TH |
573 | unsigned n = 0; |
574 | uint64_t u64; | |
575 | ||
13c31542 TH |
576 | r = sd_bus_message_enter_container(message, 'a', "(st)"); |
577 | if (r < 0) | |
578 | return r; | |
579 | ||
580 | while ((r = sd_bus_message_read(message, "(st)", &path, &u64)) > 0) { | |
581 | ||
32048f54 YW |
582 | if (!path_startswith(path, "/dev") && |
583 | !path_startswith(path, "/run/systemd/inaccessible/")) | |
d9f7305f YW |
584 | return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Path %s specified in %s= is not a device file in /dev", name, path); |
585 | ||
2e59b241 | 586 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
13c31542 TH |
587 | CGroupIODeviceLimit *a = NULL, *b; |
588 | ||
589 | LIST_FOREACH(device_limits, b, c->io_device_limits) { | |
590 | if (path_equal(path, b->path)) { | |
591 | a = b; | |
592 | break; | |
593 | } | |
594 | } | |
595 | ||
596 | if (!a) { | |
9be57249 TH |
597 | CGroupIOLimitType type; |
598 | ||
13c31542 TH |
599 | a = new0(CGroupIODeviceLimit, 1); |
600 | if (!a) | |
601 | return -ENOMEM; | |
602 | ||
603 | a->path = strdup(path); | |
604 | if (!a->path) { | |
605 | free(a); | |
606 | return -ENOMEM; | |
607 | } | |
608 | ||
9be57249 TH |
609 | for (type = 0; type < _CGROUP_IO_LIMIT_TYPE_MAX; type++) |
610 | a->limits[type] = cgroup_io_limit_defaults[type]; | |
13c31542 TH |
611 | |
612 | LIST_PREPEND(device_limits, c->io_device_limits, a); | |
613 | } | |
614 | ||
9be57249 | 615 | a->limits[iol_type] = u64; |
13c31542 TH |
616 | } |
617 | ||
618 | n++; | |
619 | } | |
620 | if (r < 0) | |
621 | return r; | |
622 | ||
623 | r = sd_bus_message_exit_container(message); | |
624 | if (r < 0) | |
625 | return r; | |
626 | ||
2e59b241 | 627 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
13c31542 TH |
628 | CGroupIODeviceLimit *a; |
629 | _cleanup_free_ char *buf = NULL; | |
630 | _cleanup_fclose_ FILE *f = NULL; | |
631 | size_t size = 0; | |
632 | ||
633 | if (n == 0) { | |
634 | LIST_FOREACH(device_limits, a, c->io_device_limits) | |
9be57249 | 635 | a->limits[iol_type] = cgroup_io_limit_defaults[iol_type]; |
13c31542 TH |
636 | } |
637 | ||
638 | unit_invalidate_cgroup(u, CGROUP_MASK_IO); | |
639 | ||
640 | f = open_memstream(&buf, &size); | |
641 | if (!f) | |
642 | return -ENOMEM; | |
643 | ||
0d536673 LP |
644 | (void) __fsetlocking(f, FSETLOCKING_BYCALLER); |
645 | ||
9be57249 TH |
646 | fprintf(f, "%s=\n", name); |
647 | LIST_FOREACH(device_limits, a, c->io_device_limits) | |
648 | if (a->limits[iol_type] != cgroup_io_limit_defaults[iol_type]) | |
649 | fprintf(f, "%s=%s %" PRIu64 "\n", name, a->path, a->limits[iol_type]); | |
13c31542 TH |
650 | |
651 | r = fflush_and_check(f); | |
652 | if (r < 0) | |
653 | return r; | |
2e59b241 | 654 | unit_write_setting(u, flags, name, buf); |
13c31542 TH |
655 | } |
656 | ||
657 | return 1; | |
658 | ||
659 | } else if (streq(name, "IODeviceWeight")) { | |
660 | const char *path; | |
661 | uint64_t weight; | |
662 | unsigned n = 0; | |
663 | ||
664 | r = sd_bus_message_enter_container(message, 'a', "(st)"); | |
665 | if (r < 0) | |
666 | return r; | |
667 | ||
668 | while ((r = sd_bus_message_read(message, "(st)", &path, &weight)) > 0) { | |
669 | ||
32048f54 YW |
670 | if (!path_startswith(path, "/dev") && |
671 | !path_startswith(path, "/run/systemd/inaccessible/")) | |
d9f7305f YW |
672 | return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Path %s specified in %s= is not a device file in /dev", name, path); |
673 | ||
13c31542 | 674 | if (!CGROUP_WEIGHT_IS_OK(weight) || weight == CGROUP_WEIGHT_INVALID) |
e74f76ca | 675 | return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "IODeviceWeight= value out of range"); |
13c31542 | 676 | |
2e59b241 | 677 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
13c31542 TH |
678 | CGroupIODeviceWeight *a = NULL, *b; |
679 | ||
680 | LIST_FOREACH(device_weights, b, c->io_device_weights) { | |
681 | if (path_equal(b->path, path)) { | |
682 | a = b; | |
683 | break; | |
684 | } | |
685 | } | |
686 | ||
687 | if (!a) { | |
688 | a = new0(CGroupIODeviceWeight, 1); | |
689 | if (!a) | |
690 | return -ENOMEM; | |
691 | ||
692 | a->path = strdup(path); | |
693 | if (!a->path) { | |
694 | free(a); | |
695 | return -ENOMEM; | |
696 | } | |
fffbc1dc | 697 | LIST_PREPEND(device_weights, c->io_device_weights, a); |
13c31542 TH |
698 | } |
699 | ||
700 | a->weight = weight; | |
701 | } | |
702 | ||
703 | n++; | |
704 | } | |
705 | ||
706 | r = sd_bus_message_exit_container(message); | |
707 | if (r < 0) | |
708 | return r; | |
709 | ||
2e59b241 | 710 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
13c31542 TH |
711 | _cleanup_free_ char *buf = NULL; |
712 | _cleanup_fclose_ FILE *f = NULL; | |
713 | CGroupIODeviceWeight *a; | |
714 | size_t size = 0; | |
715 | ||
716 | if (n == 0) { | |
717 | while (c->io_device_weights) | |
718 | cgroup_context_free_io_device_weight(c, c->io_device_weights); | |
719 | } | |
720 | ||
721 | unit_invalidate_cgroup(u, CGROUP_MASK_IO); | |
722 | ||
723 | f = open_memstream(&buf, &size); | |
724 | if (!f) | |
725 | return -ENOMEM; | |
726 | ||
0d536673 LP |
727 | (void) __fsetlocking(f, FSETLOCKING_BYCALLER); |
728 | ||
729 | fputs("IODeviceWeight=\n", f); | |
13c31542 TH |
730 | LIST_FOREACH(device_weights, a, c->io_device_weights) |
731 | fprintf(f, "IODeviceWeight=%s %" PRIu64 "\n", a->path, a->weight); | |
732 | ||
733 | r = fflush_and_check(f); | |
734 | if (r < 0) | |
735 | return r; | |
2e59b241 | 736 | unit_write_setting(u, flags, name, buf); |
13c31542 TH |
737 | } |
738 | ||
739 | return 1; | |
740 | ||
cd0a7a8e | 741 | } else if (STR_IN_SET(name, "BlockIOReadBandwidth", "BlockIOWriteBandwidth")) { |
718db961 | 742 | const char *path; |
f004c2ca | 743 | bool read = true; |
718db961 LP |
744 | unsigned n = 0; |
745 | uint64_t u64; | |
f004c2ca G |
746 | |
747 | if (streq(name, "BlockIOWriteBandwidth")) | |
748 | read = false; | |
749 | ||
718db961 LP |
750 | r = sd_bus_message_enter_container(message, 'a', "(st)"); |
751 | if (r < 0) | |
752 | return r; | |
f004c2ca | 753 | |
718db961 | 754 | while ((r = sd_bus_message_read(message, "(st)", &path, &u64)) > 0) { |
f004c2ca | 755 | |
32048f54 YW |
756 | if (!path_startswith(path, "/dev") && |
757 | !path_startswith(path, "/run/systemd/inaccessible/")) | |
d9f7305f YW |
758 | return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Path %s specified in %s= is not a device file in /dev", name, path); |
759 | ||
2e59b241 | 760 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
718db961 | 761 | CGroupBlockIODeviceBandwidth *a = NULL, *b; |
f004c2ca G |
762 | |
763 | LIST_FOREACH(device_bandwidths, b, c->blockio_device_bandwidths) { | |
979d0311 | 764 | if (path_equal(path, b->path)) { |
f004c2ca | 765 | a = b; |
f004c2ca G |
766 | break; |
767 | } | |
768 | } | |
769 | ||
718db961 | 770 | if (!a) { |
f004c2ca G |
771 | a = new0(CGroupBlockIODeviceBandwidth, 1); |
772 | if (!a) | |
773 | return -ENOMEM; | |
774 | ||
979d0311 TH |
775 | a->rbps = CGROUP_LIMIT_MAX; |
776 | a->wbps = CGROUP_LIMIT_MAX; | |
f004c2ca G |
777 | a->path = strdup(path); |
778 | if (!a->path) { | |
779 | free(a); | |
780 | return -ENOMEM; | |
781 | } | |
718db961 LP |
782 | |
783 | LIST_PREPEND(device_bandwidths, c->blockio_device_bandwidths, a); | |
f004c2ca G |
784 | } |
785 | ||
979d0311 TH |
786 | if (read) |
787 | a->rbps = u64; | |
788 | else | |
789 | a->wbps = u64; | |
f004c2ca G |
790 | } |
791 | ||
792 | n++; | |
f004c2ca | 793 | } |
718db961 LP |
794 | if (r < 0) |
795 | return r; | |
f004c2ca | 796 | |
9c96019d LP |
797 | r = sd_bus_message_exit_container(message); |
798 | if (r < 0) | |
799 | return r; | |
800 | ||
2e59b241 | 801 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
979d0311 | 802 | CGroupBlockIODeviceBandwidth *a; |
f004c2ca G |
803 | _cleanup_free_ char *buf = NULL; |
804 | _cleanup_fclose_ FILE *f = NULL; | |
f004c2ca G |
805 | size_t size = 0; |
806 | ||
807 | if (n == 0) { | |
979d0311 TH |
808 | LIST_FOREACH(device_bandwidths, a, c->blockio_device_bandwidths) { |
809 | if (read) | |
810 | a->rbps = CGROUP_LIMIT_MAX; | |
811 | else | |
812 | a->wbps = CGROUP_LIMIT_MAX; | |
813 | } | |
f004c2ca G |
814 | } |
815 | ||
e7ab4d1a | 816 | unit_invalidate_cgroup(u, CGROUP_MASK_BLKIO); |
3051f187 | 817 | |
f004c2ca G |
818 | f = open_memstream(&buf, &size); |
819 | if (!f) | |
820 | return -ENOMEM; | |
821 | ||
0d536673 LP |
822 | (void) __fsetlocking(f, FSETLOCKING_BYCALLER); |
823 | ||
7d6884b6 | 824 | if (read) { |
0d536673 | 825 | fputs("BlockIOReadBandwidth=\n", f); |
7d6884b6 | 826 | LIST_FOREACH(device_bandwidths, a, c->blockio_device_bandwidths) |
979d0311 TH |
827 | if (a->rbps != CGROUP_LIMIT_MAX) |
828 | fprintf(f, "BlockIOReadBandwidth=%s %" PRIu64 "\n", a->path, a->rbps); | |
f004c2ca | 829 | } else { |
0d536673 | 830 | fputs("BlockIOWriteBandwidth=\n", f); |
f004c2ca | 831 | LIST_FOREACH(device_bandwidths, a, c->blockio_device_bandwidths) |
979d0311 TH |
832 | if (a->wbps != CGROUP_LIMIT_MAX) |
833 | fprintf(f, "BlockIOWriteBandwidth=%s %" PRIu64 "\n", a->path, a->wbps); | |
f004c2ca G |
834 | } |
835 | ||
1f2f874c NC |
836 | r = fflush_and_check(f); |
837 | if (r < 0) | |
838 | return r; | |
2e59b241 LP |
839 | |
840 | unit_write_setting(u, flags, name, buf); | |
6f68ecb4 G |
841 | } |
842 | ||
843 | return 1; | |
844 | ||
845 | } else if (streq(name, "BlockIODeviceWeight")) { | |
718db961 | 846 | const char *path; |
d53d9474 | 847 | uint64_t weight; |
6f68ecb4 G |
848 | unsigned n = 0; |
849 | ||
718db961 LP |
850 | r = sd_bus_message_enter_container(message, 'a', "(st)"); |
851 | if (r < 0) | |
852 | return r; | |
6f68ecb4 | 853 | |
d53d9474 | 854 | while ((r = sd_bus_message_read(message, "(st)", &path, &weight)) > 0) { |
6f68ecb4 | 855 | |
32048f54 YW |
856 | if (!path_startswith(path, "/dev") && |
857 | !path_startswith(path, "/run/systemd/inaccessible/")) | |
d9f7305f YW |
858 | return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Path %s specified in %s= is not a device file in /dev", name, path); |
859 | ||
d53d9474 | 860 | if (!CGROUP_BLKIO_WEIGHT_IS_OK(weight) || weight == CGROUP_BLKIO_WEIGHT_INVALID) |
e74f76ca | 861 | return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "BlockIODeviceWeight= out of range"); |
6f68ecb4 | 862 | |
2e59b241 | 863 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
718db961 | 864 | CGroupBlockIODeviceWeight *a = NULL, *b; |
6f68ecb4 G |
865 | |
866 | LIST_FOREACH(device_weights, b, c->blockio_device_weights) { | |
867 | if (path_equal(b->path, path)) { | |
868 | a = b; | |
6f68ecb4 G |
869 | break; |
870 | } | |
871 | } | |
872 | ||
718db961 | 873 | if (!a) { |
6f68ecb4 G |
874 | a = new0(CGroupBlockIODeviceWeight, 1); |
875 | if (!a) | |
876 | return -ENOMEM; | |
877 | ||
878 | a->path = strdup(path); | |
879 | if (!a->path) { | |
880 | free(a); | |
881 | return -ENOMEM; | |
882 | } | |
fffbc1dc | 883 | LIST_PREPEND(device_weights, c->blockio_device_weights, a); |
6f68ecb4 G |
884 | } |
885 | ||
d53d9474 | 886 | a->weight = weight; |
6f68ecb4 G |
887 | } |
888 | ||
889 | n++; | |
6f68ecb4 G |
890 | } |
891 | ||
9c96019d LP |
892 | r = sd_bus_message_exit_container(message); |
893 | if (r < 0) | |
894 | return r; | |
895 | ||
2e59b241 | 896 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
6f68ecb4 G |
897 | _cleanup_free_ char *buf = NULL; |
898 | _cleanup_fclose_ FILE *f = NULL; | |
899 | CGroupBlockIODeviceWeight *a; | |
900 | size_t size = 0; | |
901 | ||
902 | if (n == 0) { | |
903 | while (c->blockio_device_weights) | |
904 | cgroup_context_free_blockio_device_weight(c, c->blockio_device_weights); | |
905 | } | |
906 | ||
e7ab4d1a | 907 | unit_invalidate_cgroup(u, CGROUP_MASK_BLKIO); |
3051f187 | 908 | |
6f68ecb4 G |
909 | f = open_memstream(&buf, &size); |
910 | if (!f) | |
911 | return -ENOMEM; | |
912 | ||
0d536673 LP |
913 | (void) __fsetlocking(f, FSETLOCKING_BYCALLER); |
914 | ||
915 | fputs("BlockIODeviceWeight=\n", f); | |
6f68ecb4 | 916 | LIST_FOREACH(device_weights, a, c->blockio_device_weights) |
d53d9474 | 917 | fprintf(f, "BlockIODeviceWeight=%s %" PRIu64 "\n", a->path, a->weight); |
6f68ecb4 | 918 | |
1f2f874c NC |
919 | r = fflush_and_check(f); |
920 | if (r < 0) | |
921 | return r; | |
2e59b241 LP |
922 | |
923 | unit_write_setting(u, flags, name, buf); | |
f004c2ca G |
924 | } |
925 | ||
926 | return 1; | |
927 | ||
7041efe9 LP |
928 | } else if (streq(name, "DevicePolicy")) { |
929 | const char *policy; | |
930 | CGroupDevicePolicy p; | |
931 | ||
718db961 LP |
932 | r = sd_bus_message_read(message, "s", &policy); |
933 | if (r < 0) | |
934 | return r; | |
7041efe9 | 935 | |
7041efe9 LP |
936 | p = cgroup_device_policy_from_string(policy); |
937 | if (p < 0) | |
938 | return -EINVAL; | |
939 | ||
2e59b241 | 940 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
7041efe9 | 941 | c->device_policy = p; |
e7ab4d1a | 942 | unit_invalidate_cgroup(u, CGROUP_MASK_DEVICES); |
2e59b241 | 943 | unit_write_settingf(u, flags, name, "DevicePolicy=%s", policy); |
7041efe9 LP |
944 | } |
945 | ||
946 | return 1; | |
947 | ||
948 | } else if (streq(name, "DeviceAllow")) { | |
718db961 | 949 | const char *path, *rwm; |
7041efe9 LP |
950 | unsigned n = 0; |
951 | ||
718db961 LP |
952 | r = sd_bus_message_enter_container(message, 'a', "(ss)"); |
953 | if (r < 0) | |
954 | return r; | |
7041efe9 | 955 | |
718db961 | 956 | while ((r = sd_bus_message_read(message, "(ss)", &path, &rwm)) > 0) { |
7041efe9 | 957 | |
d9f7305f YW |
958 | if ((!is_deviceallow_pattern(path) && |
959 | !path_startswith(path, "/run/systemd/inaccessible/")) || | |
90060676 | 960 | strpbrk(path, WHITESPACE)) |
e74f76ca | 961 | return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "DeviceAllow= requires device node"); |
7041efe9 LP |
962 | |
963 | if (isempty(rwm)) | |
964 | rwm = "rwm"; | |
965 | ||
718db961 | 966 | if (!in_charset(rwm, "rwm")) |
e74f76ca | 967 | return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "DeviceAllow= requires combination of rwm flags"); |
7041efe9 | 968 | |
2e59b241 | 969 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
718db961 | 970 | CGroupDeviceAllow *a = NULL, *b; |
ad7bfffd G |
971 | |
972 | LIST_FOREACH(device_allow, b, c->device_allow) { | |
06eb4e3b | 973 | if (path_equal(b->path, path)) { |
ad7bfffd | 974 | a = b; |
ad7bfffd G |
975 | break; |
976 | } | |
977 | } | |
978 | ||
718db961 | 979 | if (!a) { |
ad7bfffd G |
980 | a = new0(CGroupDeviceAllow, 1); |
981 | if (!a) | |
982 | return -ENOMEM; | |
983 | ||
984 | a->path = strdup(path); | |
985 | if (!a->path) { | |
986 | free(a); | |
987 | return -ENOMEM; | |
988 | } | |
718db961 LP |
989 | |
990 | LIST_PREPEND(device_allow, c->device_allow, a); | |
7041efe9 LP |
991 | } |
992 | ||
993 | a->r = !!strchr(rwm, 'r'); | |
994 | a->w = !!strchr(rwm, 'w'); | |
995 | a->m = !!strchr(rwm, 'm'); | |
7041efe9 LP |
996 | } |
997 | ||
c2756a68 | 998 | n++; |
7041efe9 | 999 | } |
43a99a7a LP |
1000 | if (r < 0) |
1001 | return r; | |
7041efe9 | 1002 | |
9c96019d LP |
1003 | r = sd_bus_message_exit_container(message); |
1004 | if (r < 0) | |
1005 | return r; | |
1006 | ||
2e59b241 | 1007 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
7041efe9 LP |
1008 | _cleanup_free_ char *buf = NULL; |
1009 | _cleanup_fclose_ FILE *f = NULL; | |
1010 | CGroupDeviceAllow *a; | |
1011 | size_t size = 0; | |
1012 | ||
1013 | if (n == 0) { | |
1014 | while (c->device_allow) | |
1015 | cgroup_context_free_device_allow(c, c->device_allow); | |
1016 | } | |
1017 | ||
e7ab4d1a | 1018 | unit_invalidate_cgroup(u, CGROUP_MASK_DEVICES); |
3051f187 | 1019 | |
7041efe9 LP |
1020 | f = open_memstream(&buf, &size); |
1021 | if (!f) | |
1022 | return -ENOMEM; | |
1023 | ||
0d536673 LP |
1024 | (void) __fsetlocking(f, FSETLOCKING_BYCALLER); |
1025 | ||
1026 | fputs("DeviceAllow=\n", f); | |
7041efe9 LP |
1027 | LIST_FOREACH(device_allow, a, c->device_allow) |
1028 | fprintf(f, "DeviceAllow=%s %s%s%s\n", a->path, a->r ? "r" : "", a->w ? "w" : "", a->m ? "m" : ""); | |
1029 | ||
1f2f874c NC |
1030 | r = fflush_and_check(f); |
1031 | if (r < 0) | |
1032 | return r; | |
2e59b241 | 1033 | unit_write_setting(u, flags, name, buf); |
7041efe9 LP |
1034 | } |
1035 | ||
b42defe3 | 1036 | return 1; |
a931ad47 | 1037 | |
3dc5ca97 LP |
1038 | } else if (streq(name, "IPAccounting")) { |
1039 | int b; | |
1040 | ||
1041 | r = sd_bus_message_read(message, "b", &b); | |
1042 | if (r < 0) | |
1043 | return r; | |
1044 | ||
2e59b241 | 1045 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
3dc5ca97 LP |
1046 | c->ip_accounting = b; |
1047 | ||
1048 | unit_invalidate_cgroup_bpf(u); | |
2e59b241 | 1049 | unit_write_settingf(u, flags, name, "IPAccounting=%s", yes_no(b)); |
3dc5ca97 LP |
1050 | } |
1051 | ||
1052 | return 1; | |
1053 | ||
1054 | } else if (STR_IN_SET(name, "IPAddressAllow", "IPAddressDeny")) { | |
1055 | IPAddressAccessItem **list; | |
1056 | size_t n = 0; | |
1057 | ||
1058 | list = streq(name, "IPAddressAllow") ? &c->ip_address_allow : &c->ip_address_deny; | |
1059 | ||
1060 | r = sd_bus_message_enter_container(message, 'a', "(iayu)"); | |
1061 | if (r < 0) | |
1062 | return r; | |
1063 | ||
1064 | for (;;) { | |
1065 | const void *ap; | |
1066 | int32_t family; | |
1067 | uint32_t prefixlen; | |
1068 | size_t an; | |
1069 | ||
1070 | r = sd_bus_message_enter_container(message, 'r', "iayu"); | |
1071 | if (r < 0) | |
1072 | return r; | |
1073 | if (r == 0) | |
1074 | break; | |
1075 | ||
1076 | r = sd_bus_message_read(message, "i", &family); | |
1077 | if (r < 0) | |
1078 | return r; | |
1079 | ||
1080 | if (!IN_SET(family, AF_INET, AF_INET6)) | |
e74f76ca | 1081 | return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "%s= expects IPv4 or IPv6 addresses only.", name); |
3dc5ca97 LP |
1082 | |
1083 | r = sd_bus_message_read_array(message, 'y', &ap, &an); | |
1084 | if (r < 0) | |
1085 | return r; | |
1086 | ||
1087 | if (an != FAMILY_ADDRESS_SIZE(family)) | |
e74f76ca | 1088 | return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "IP address has wrong size for family (%s, expected %zu, got %zu)", |
3dc5ca97 LP |
1089 | af_to_name(family), FAMILY_ADDRESS_SIZE(family), an); |
1090 | ||
1091 | r = sd_bus_message_read(message, "u", &prefixlen); | |
1092 | if (r < 0) | |
1093 | return r; | |
1094 | ||
1095 | if (prefixlen > FAMILY_ADDRESS_SIZE(family)*8) | |
e74f76ca | 1096 | return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Prefix length %" PRIu32 " too large for address family %s.", prefixlen, af_to_name(family)); |
3dc5ca97 | 1097 | |
2e59b241 | 1098 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
3dc5ca97 LP |
1099 | IPAddressAccessItem *item; |
1100 | ||
1101 | item = new0(IPAddressAccessItem, 1); | |
1102 | if (!item) | |
1103 | return -ENOMEM; | |
1104 | ||
1105 | item->family = family; | |
1106 | item->prefixlen = prefixlen; | |
1107 | memcpy(&item->address, ap, an); | |
1108 | ||
1109 | LIST_PREPEND(items, *list, item); | |
1110 | } | |
1111 | ||
1112 | r = sd_bus_message_exit_container(message); | |
1113 | if (r < 0) | |
1114 | return r; | |
1115 | ||
1116 | n++; | |
1117 | } | |
1118 | ||
1119 | r = sd_bus_message_exit_container(message); | |
1120 | if (r < 0) | |
1121 | return r; | |
1122 | ||
1274b6c6 LP |
1123 | *list = ip_address_access_reduce(*list); |
1124 | ||
2e59b241 | 1125 | if (!UNIT_WRITE_FLAGS_NOOP(flags)) { |
3dc5ca97 LP |
1126 | _cleanup_free_ char *buf = NULL; |
1127 | _cleanup_fclose_ FILE *f = NULL; | |
1128 | IPAddressAccessItem *item; | |
1129 | size_t size = 0; | |
1130 | ||
1131 | if (n == 0) | |
1132 | *list = ip_address_access_free_all(*list); | |
1133 | ||
1134 | unit_invalidate_cgroup_bpf(u); | |
1135 | f = open_memstream(&buf, &size); | |
1136 | if (!f) | |
1137 | return -ENOMEM; | |
1138 | ||
0d536673 LP |
1139 | (void) __fsetlocking(f, FSETLOCKING_BYCALLER); |
1140 | ||
1141 | fputs(name, f); | |
1142 | fputs("=\n", f); | |
3dc5ca97 LP |
1143 | |
1144 | LIST_FOREACH(items, item, *list) { | |
1145 | char buffer[CONST_MAX(INET_ADDRSTRLEN, INET6_ADDRSTRLEN)]; | |
1146 | ||
1147 | errno = 0; | |
1148 | if (!inet_ntop(item->family, &item->address, buffer, sizeof(buffer))) | |
1149 | return errno > 0 ? -errno : -EINVAL; | |
1150 | ||
1151 | fprintf(f, "%s=%s/%u\n", name, buffer, item->prefixlen); | |
1152 | } | |
1153 | ||
1154 | r = fflush_and_check(f); | |
1155 | if (r < 0) | |
1156 | return r; | |
2e59b241 LP |
1157 | |
1158 | unit_write_setting(u, flags, name, buf); | |
078ba556 LP |
1159 | |
1160 | if (*list) { | |
1161 | r = bpf_firewall_supported(); | |
1162 | if (r < 0) | |
1163 | return r; | |
ab8519c2 LP |
1164 | if (r == 0) { |
1165 | static bool warned = false; | |
1166 | ||
1167 | log_full(warned ? LOG_DEBUG : LOG_WARNING, | |
1168 | "Transient unit %s configures an IP firewall, but the local system does not support BPF/cgroup firewalling.\n" | |
1169 | "Proceeding WITHOUT firewalling in effect! (This warning is only shown for the first started transient unit using IP firewalling.)", u->id); | |
1170 | ||
1171 | warned = true; | |
1172 | } | |
078ba556 | 1173 | } |
3dc5ca97 LP |
1174 | } |
1175 | ||
03a7b521 | 1176 | return 1; |
a931ad47 LP |
1177 | } |
1178 | ||
13ec20d4 YW |
1179 | if (u->transient && u->load_state == UNIT_STUB) |
1180 | return bus_cgroup_set_transient_property(u, c, name, message, flags, error); | |
8e2af478 LP |
1181 | |
1182 | return 0; | |
1183 | } |