From: Zbigniew Jędrzejewski-Szmek Date: Wed, 9 Nov 2016 00:54:21 +0000 (-0500) Subject: Merge pull request #4536 from poettering/seccomp-namespaces X-Git-Tag: v233~444 X-Git-Url: http://git.ipfire.org/?p=thirdparty%2Fsystemd.git;a=commitdiff_plain;h=d85a0f802851e79efdb09acaa1ce517f7127ad28 Merge pull request #4536 from poettering/seccomp-namespaces core: add new RestrictNamespaces= unit file setting Merging, not rebasing, because this touches many files and there were tree-wide cleanups in the mean time. --- d85a0f802851e79efdb09acaa1ce517f7127ad28 diff --cc src/core/load-fragment.c index 75c048a23e9,e0fa484c1e8..52079980d83 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@@ -2918,7 -2902,59 +2918,55 @@@ int config_parse_address_families } else set_remove(c->address_families, INT_TO_PTR(af)); } - if (!isempty(state)) - log_syntax(unit, LOG_ERR, filename, line, 0, "Trailing garbage, ignoring."); - - return 0; } + + int config_parse_restrict_namespaces( + const char *unit, + const char *filename, + unsigned line, + const char *section, + unsigned section_line, + const char *lvalue, + int ltype, + const char *rvalue, + void *data, + void *userdata) { + + ExecContext *c = data; + bool invert = false; + int r; + + if (isempty(rvalue)) { + /* Reset to the default. */ + c->restrict_namespaces = NAMESPACE_FLAGS_ALL; + return 0; + } + + if (rvalue[0] == '~') { + invert = true; + rvalue++; + } + + r = parse_boolean(rvalue); + if (r > 0) + c->restrict_namespaces = 0; + else if (r == 0) + c->restrict_namespaces = NAMESPACE_FLAGS_ALL; + else { + /* Not a boolean argument, in this case it's a list of namespace types. 
*/ + + r = namespace_flag_from_string_many(rvalue, &c->restrict_namespaces); + if (r < 0) { + log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse namespace type string, ignoring: %s", rvalue); + return 0; + } + } + + if (invert) + c->restrict_namespaces = (~c->restrict_namespaces) & NAMESPACE_FLAGS_ALL; + + return 0; + } #endif int config_parse_unit_slice(
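Review bot: In config_parse_restrict_namespaces the list branch parses straight into the unit's context, `r = namespace_flag_from_string_many(rvalue, &c->restrict_namespaces);`, so whether a rejected value really leaves the previous setting intact (as the "ignoring" in the log message promises) depends entirely on that helper never touching its out-parameter before it fails, which this hunk cannot show; parsing into a local and committing it only after the inversion step makes the promise hold by construction. The `isempty(rvalue)` reset also runs before the `~` is stripped, so a bare `RestrictNamespaces=~` hands an empty string first to `parse_boolean()` and then to the list parser, and depending on what the latter returns for an empty list the inverted result may silently become NAMESPACE_FLAGS_ALL, i.e. no restriction at all; re-checking `isempty(rvalue)` after the `rvalue++` and logging it as invalid closes that. The rewrite below uses `unsigned long` for the local on the assumption that it matches the declared type of `restrict_namespaces`, which is not visible here.
```c
        ExecContext *c = data;
        unsigned long flags = 0;   /* assumed to match the type of c->restrict_namespaces */
        bool invert = false;
        int r;

        /* … unchanged: empty-value reset to NAMESPACE_FLAGS_ALL … */

        if (rvalue[0] == '~') {
                invert = true;
                rvalue++;
                if (isempty(rvalue)) {
                        log_syntax(unit, LOG_ERR, filename, line, 0, "Missing namespace type list after '~', ignoring.");
                        return 0;
                }
        }

        r = parse_boolean(rvalue);
        if (r > 0)
                flags = 0;
        else if (r == 0)
                flags = NAMESPACE_FLAGS_ALL;
        else {
                /* Not a boolean argument, in this case it's a list of namespace types. */
                r = namespace_flag_from_string_many(rvalue, &flags);
                /* … unchanged: log_syntax() on r < 0 and return 0 … */
        }

        if (invert)
                flags = (~flags) & NAMESPACE_FLAGS_ALL;

        /* Commit only now, so a failed parse above cannot leave a partial value behind. */
        c->restrict_namespaces = flags;
        return 0;
```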