return sd_bus_message_append_basic(reply, 'b', &b);
}
+static int property_get_protect_control_groups(
+ sd_bus *bus,
+ const char *path,
+ const char *interface,
+ const char *property,
+ sd_bus_message *reply,
+ void *userdata,
+ sd_bus_error *error) {
+
+ ProtectControlGroups *p = ASSERT_PTR(userdata);
+ int b = *p != PROTECT_CONTROL_GROUPS_NO;
+
+ return sd_bus_message_append_basic(reply, 'b', &b);
+}
+
const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_VTABLE_START(0),
SD_BUS_PROPERTY("Environment", "as", NULL, offsetof(ExecContext, environment), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ProtectKernelTunables", "b", bus_property_get_bool, offsetof(ExecContext, protect_kernel_tunables), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ProtectKernelModules", "b", bus_property_get_bool, offsetof(ExecContext, protect_kernel_modules), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ProtectKernelLogs", "b", bus_property_get_bool, offsetof(ExecContext, protect_kernel_logs), SD_BUS_VTABLE_PROPERTY_CONST),
- SD_BUS_PROPERTY("ProtectControlGroups", "b", bus_property_get_bool, offsetof(ExecContext, protect_control_groups), SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_PROPERTY("ProtectControlGroups", "b", property_get_protect_control_groups, offsetof(ExecContext, protect_control_groups), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("PrivateNetwork", "b", bus_property_get_bool, offsetof(ExecContext, private_network), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("PrivateUsers", "b", property_get_private_users, offsetof(ExecContext, private_users), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("PrivateUsersEx", "s", property_get_private_users_ex, offsetof(ExecContext, private_users), SD_BUS_VTABLE_PROPERTY_CONST),
return 1;
}
+ if (streq(name, "ProtectControlGroups")) {
+ int v;
+
+ r = sd_bus_message_read(message, "b", &v);
+ if (r < 0)
+ return r;
+
+ if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
+ c->protect_control_groups = v ? PROTECT_CONTROL_GROUPS_YES : PROTECT_CONTROL_GROUPS_NO;
+ (void) unit_write_settingf(u, flags, name, "%s=%s", name, yes_no(v));
+ }
+
+ return 1;
+ }
+
if (streq(name, "PrivateDevices"))
return bus_set_transient_bool(u, name, &c->private_devices, message, flags, error);
if (streq(name, "ProtectClock"))
return bus_set_transient_bool(u, name, &c->protect_clock, message, flags, error);
- if (streq(name, "ProtectControlGroups"))
- return bus_set_transient_bool(u, name, &c->protect_control_groups, message, flags, error);
-
if (streq(name, "CPUSchedulingResetOnFork"))
return bus_set_transient_bool(u, name, &c->cpu_sched_reset_on_fork, message, flags, error);
/* We need to make the pressure path writable even if /sys/fs/cgroups is made read-only, as the
* service will need to write to it in order to start the notifications. */
- if (context->protect_control_groups && memory_pressure_path && !streq(memory_pressure_path, "/dev/null")) {
+ if (context->protect_control_groups != PROTECT_CONTROL_GROUPS_NO && memory_pressure_path && !streq(memory_pressure_path, "/dev/null")) {
read_write_paths_cleanup = strv_copy(context->read_write_paths);
if (!read_write_paths_cleanup)
return -ENOMEM;
* sandbox inside the mount namespace. */
.ignore_protect_paths = !needs_sandboxing && !context->dynamic_user && root_dir,
- .protect_control_groups = needs_sandboxing && context->protect_control_groups,
+ .protect_control_groups = needs_sandboxing ? context->protect_control_groups : PROTECT_CONTROL_GROUPS_NO,
.protect_kernel_tunables = needs_sandboxing && context->protect_kernel_tunables,
.protect_kernel_modules = needs_sandboxing && context->protect_kernel_modules,
.protect_kernel_logs = needs_sandboxing && context->protect_kernel_logs,
context->protect_kernel_tunables ||
context->protect_kernel_modules ||
context->protect_kernel_logs ||
- context->protect_control_groups ||
+ context->protect_control_groups != PROTECT_CONTROL_GROUPS_NO ||
context->protect_clock ||
context->protect_hostname ||
!strv_isempty(context->read_write_paths) ||
if (r < 0)
return r;
- r = serialize_bool_elide(f, "exec-context-protect-control-groups", c->protect_control_groups);
+ r = serialize_item(f, "exec-context-protect-control-groups", protect_control_groups_to_string(c->protect_control_groups));
if (r < 0)
return r;
return r;
c->protect_clock = r;
} else if ((val = startswith(l, "exec-context-protect-control-groups="))) {
- r = parse_boolean(val);
+ r = protect_control_groups_from_string(val);
if (r < 0)
return r;
c->protect_control_groups = r;
context->protect_kernel_tunables ||
context->protect_kernel_modules ||
context->protect_kernel_logs ||
- context->protect_control_groups ||
+ context->protect_control_groups != PROTECT_CONTROL_GROUPS_NO ||
context->protect_proc != PROTECT_PROC_DEFAULT ||
context->proc_subset != PROC_SUBSET_ALL ||
exec_needs_ipc_namespace(context))
prefix, yes_no(c->protect_kernel_modules),
prefix, yes_no(c->protect_kernel_logs),
prefix, yes_no(c->protect_clock),
- prefix, yes_no(c->protect_control_groups),
+ prefix, protect_control_groups_to_string(c->protect_control_groups),
prefix, yes_no(c->private_network),
prefix, private_users_to_string(c->private_users),
prefix, protect_home_to_string(c->protect_home),
bool protect_kernel_modules;
bool protect_kernel_logs;
bool protect_clock;
- bool protect_control_groups;
+ ProtectControlGroups protect_control_groups;
ProtectSystem protect_system;
ProtectHome protect_home;
bool protect_hostname;
{{type}}.ProtectKernelModules, config_parse_bool, 0, offsetof({{type}}, exec_context.protect_kernel_modules)
{{type}}.ProtectKernelLogs, config_parse_bool, 0, offsetof({{type}}, exec_context.protect_kernel_logs)
{{type}}.ProtectClock, config_parse_bool, 0, offsetof({{type}}, exec_context.protect_clock)
-{{type}}.ProtectControlGroups, config_parse_bool, 0, offsetof({{type}}, exec_context.protect_control_groups)
+{{type}}.ProtectControlGroups, config_parse_protect_control_groups, 0, offsetof({{type}}, exec_context.protect_control_groups)
{{type}}.NetworkNamespacePath, config_parse_unit_path_printf, 0, offsetof({{type}}, exec_context.network_namespace_path)
{{type}}.IPCNamespacePath, config_parse_unit_path_printf, 0, offsetof({{type}}, exec_context.ipc_namespace_path)
{{type}}.LogNamespace, config_parse_log_namespace, 0, offsetof({{type}}, exec_context)
DEFINE_CONFIG_PARSE_ENUM(config_parse_proc_subset, proc_subset, ProcSubset);
DEFINE_CONFIG_PARSE_ENUM(config_parse_private_tmp, private_tmp, PrivateTmp);
DEFINE_CONFIG_PARSE_ENUM(config_parse_private_users, private_users, PrivateUsers);
+DEFINE_CONFIG_PARSE_ENUM(config_parse_protect_control_groups, protect_control_groups, ProtectControlGroups);
DEFINE_CONFIG_PARSE_ENUM(config_parse_exec_utmp_mode, exec_utmp_mode, ExecUtmpMode);
DEFINE_CONFIG_PARSE_ENUM(config_parse_job_mode, job_mode, JobMode);
DEFINE_CONFIG_PARSE_ENUM(config_parse_notify_access, notify_access, NotifyAccess);
CONFIG_PARSER_PROTOTYPE(config_parse_temporary_filesystems);
CONFIG_PARSER_PROTOTYPE(config_parse_private_tmp);
CONFIG_PARSER_PROTOTYPE(config_parse_private_users);
+CONFIG_PARSER_PROTOTYPE(config_parse_protect_control_groups);
CONFIG_PARSER_PROTOTYPE(config_parse_cpu_quota);
CONFIG_PARSER_PROTOTYPE(config_parse_allowed_cpuset);
CONFIG_PARSER_PROTOTYPE(config_parse_protect_home);
{ "/root", MOUNT_INACCESSIBLE, true },
};
+/* ProtectControlGroups=yes table */
+static const MountEntry protect_control_groups_yes_table[] = {
+ { "/sys/fs/cgroup", MOUNT_READ_ONLY, false },
+};
+
/* ProtectSystem=yes table */
static const MountEntry protect_system_yes_table[] = {
{ "/usr", MOUNT_READ_ONLY, false },
return 0;
}
+static int append_protect_control_groups(MountList *ml, ProtectControlGroups protect_control_groups, bool ignore_protect) {
+ assert(ml);
+
+ switch (protect_control_groups) {
+
+ case PROTECT_CONTROL_GROUPS_NO:
+ return 0;
+
+ case PROTECT_CONTROL_GROUPS_YES:
+ return append_static_mounts(ml, protect_control_groups_yes_table, ELEMENTSOF(protect_control_groups_yes_table), ignore_protect);
+
+ default:
+ assert_not_reached();
+ }
+}
+
static int append_protect_home(MountList *ml, ProtectHome protect_home, bool ignore_protect) {
assert(ml);
*/
return p->mount_apivfs ||
- p->protect_control_groups ||
+ p->protect_control_groups != PROTECT_CONTROL_GROUPS_NO ||
p->protect_kernel_tunables ||
p->protect_proc != PROTECT_PROC_DEFAULT ||
p->proc_subset != PROC_SUBSET_ALL;
return r;
}
- if (p->protect_control_groups) {
- MountEntry *me = mount_list_extend(&ml);
- if (!me)
- return log_oom_debug();
-
- *me = (MountEntry) {
- .path_const = "/sys/fs/cgroup",
- .mode = MOUNT_READ_ONLY,
- };
- }
+ r = append_protect_control_groups(&ml, p->protect_control_groups, false);
+ if (r < 0)
+ return r;
r = append_protect_home(&ml, p->protect_home, p->ignore_protect_paths);
if (r < 0)
DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(protect_system, ProtectSystem, PROTECT_SYSTEM_YES);
+static const char *const protect_control_groups_table[_PROTECT_CONTROL_GROUPS_MAX] = {
+ [PROTECT_CONTROL_GROUPS_NO] = "no",
+ [PROTECT_CONTROL_GROUPS_YES] = "yes",
+};
+
+DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(protect_control_groups, ProtectControlGroups, PROTECT_CONTROL_GROUPS_YES);
+
static const char* const namespace_type_table[] = {
[NAMESPACE_MOUNT] = "mnt",
[NAMESPACE_CGROUP] = "cgroup",
_PRIVATE_USERS_INVALID = -EINVAL,
} PrivateUsers;
+typedef enum ProtectControlGroups {
+ PROTECT_CONTROL_GROUPS_NO,
+ PROTECT_CONTROL_GROUPS_YES,
+ _PROTECT_CONTROL_GROUPS_MAX,
+ _PROTECT_CONTROL_GROUPS_INVALID = -EINVAL,
+} ProtectControlGroups;
+
struct BindMount {
char *source;
char *destination;
bool ignore_protect_paths;
- bool protect_control_groups;
bool protect_kernel_tunables;
bool protect_kernel_modules;
bool protect_kernel_logs;
bool bind_log_sockets;
bool mount_nosuid;
+ ProtectControlGroups protect_control_groups;
ProtectHome protect_home;
ProtectSystem protect_system;
ProtectProc protect_proc;
const char* private_users_to_string(PrivateUsers i) _const_;
PrivateUsers private_users_from_string(const char *s) _pure_;
+const char* protect_control_groups_to_string(ProtectControlGroups i) _const_;
+ProtectControlGroups protect_control_groups_from_string(const char *s) _pure_;
+
void bind_mount_free_many(BindMount *b, size_t n);
int bind_mount_add(BindMount **b, size_t *n, const BindMount *item);
projects / thirdparty / systemd.git / commitdiff
