static BUS_DEFINE_SET_TRANSIENT_PARSE(protect_proc, ProtectProc, protect_proc_from_string);
static BUS_DEFINE_SET_TRANSIENT_PARSE(proc_subset, ProcSubset, proc_subset_from_string);
static BUS_DEFINE_SET_TRANSIENT_PARSE(private_bpf, PrivateBPF, private_bpf_from_string);
-static BUS_DEFINE_SET_TRANSIENT_PARSE(memory_thp, MemoryTHP, memory_thp_from_string);
static BUS_DEFINE_SET_TRANSIENT_PARSE_PTR(bpf_delegate_commands, uint64_t, bpf_delegate_commands_from_string);
static BUS_DEFINE_SET_TRANSIENT_PARSE_PTR(bpf_delegate_maps, uint64_t, bpf_delegate_maps_from_string);
static BUS_DEFINE_SET_TRANSIENT_PARSE_PTR(bpf_delegate_programs, uint64_t, bpf_delegate_programs_from_string);
static BUS_DEFINE_SET_TRANSIENT_PARSE_PTR(bpf_delegate_attachments, uint64_t, bpf_delegate_attachments_from_string);
+static BUS_DEFINE_SET_TRANSIENT_PARSE(memory_thp, MemoryTHP, memory_thp_from_string);
BUS_DEFINE_SET_TRANSIENT_PARSE(exec_preserve_mode, ExecPreserveMode, exec_preserve_mode_from_string);
static BUS_DEFINE_SET_TRANSIENT_PARSE_PTR(personality, unsigned long, parse_personality);
static BUS_DEFINE_SET_TRANSIENT_TO_STRING_ALLOC(secure_bits, "i", int32_t, int, "%" PRIi32, secure_bits_to_string_alloc_with_check);
"%sProtectHostname: %s%s%s\n"
"%sProtectProc: %s\n"
"%sProcSubset: %s\n"
- "%sPrivateBPF: %s\n"
- "%sMemoryTHP: %s\n",
+ "%sMemoryTHP: %s\n"
+ "%sPrivateBPF: %s\n",
prefix, c->umask,
prefix, empty_to_root(c->working_directory),
prefix, empty_to_root(c->root_directory),
prefix, protect_hostname_to_string(c->protect_hostname), c->private_hostname ? ":" : "", strempty(c->private_hostname),
prefix, protect_proc_to_string(c->protect_proc),
prefix, proc_subset_to_string(c->proc_subset),
- prefix, private_bpf_to_string(c->private_bpf),
- prefix, memory_thp_to_string(c->memory_thp));
+ prefix, memory_thp_to_string(c->memory_thp),
+ prefix, private_bpf_to_string(c->private_bpf));
if (c->private_bpf == PRIVATE_BPF_YES) {
_cleanup_free_ char
};
DEFINE_STRING_TABLE_LOOKUP(exec_keyring_mode, ExecKeyringMode);
+
+static const char* const memory_thp_table[_MEMORY_THP_MAX] = {
+ [MEMORY_THP_INHERIT] = "inherit",
+ [MEMORY_THP_DISABLE] = "disable",
+ [MEMORY_THP_MADVISE] = "madvise",
+ [MEMORY_THP_SYSTEM] = "system",
+};
+
+DEFINE_STRING_TABLE_LOOKUP(memory_thp, MemoryTHP);
_EXEC_KEYRING_MODE_INVALID = -EINVAL,
} ExecKeyringMode;
+typedef enum MemoryTHP {
+ /*
+ * Inherit default from process that starts systemd, i.e. do not make
+ * any PR_SET_THP_DISABLE call.
+ */
+ MEMORY_THP_INHERIT,
+ MEMORY_THP_DISABLE, /* Disable THPs completely for the process */
+ MEMORY_THP_MADVISE, /* Disable THPs for the process except when madvised */
+ /*
+ * Use system default THP setting. this can be used when the process that
+ * starts systemd has already disabled THPs via PR_SET_THP_DISABLE, and we
+ * want to restore the system default THP setting at process invocation time.
+ */
+ MEMORY_THP_SYSTEM,
+ _MEMORY_THP_MAX,
+ _MEMORY_THP_INVALID = -EINVAL,
+} MemoryTHP;
+
/* Contains start and exit information about an executed command. */
typedef struct ExecStatus {
dual_timestamp start_timestamp;
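Review bot: The added `typedef enum MemoryTHP {` follows `} ExecKeyringMode;` with no blank line in between, although a blank line is added after `} MemoryTHP;`; add one before the typedef so the two enums are separated like their neighbours. The comment above `MEMORY_THP_SYSTEM` has a sentence that starts in lower case, and since the block is being moved anyway it could read `* Use system default THP setting. This can be used when the process that`. It would also help to say above the enum that every value below `_MEMORY_THP_MAX` needs an entry in `memory_thp_table`, because that array is sized by this constant and a missing designated initializer leaves a NULL slot. The `ExecStatus` struct that follows continues outside the hunk.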
DECLARE_STRING_TABLE_LOOKUP_FROM_STRING(exec_clean_mask, ExecCleanMask);
-DECLARE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
-
DECLARE_STRING_TABLE_LOOKUP(exec_input, ExecInput);
+DECLARE_STRING_TABLE_LOOKUP(exec_output, ExecOutput);
DECLARE_STRING_TABLE_LOOKUP(exec_utmp_mode, ExecUtmpMode);
DECLARE_STRING_TABLE_LOOKUP(exec_keyring_mode, ExecKeyringMode);
DECLARE_STRING_TABLE_LOOKUP(exec_directory_type_symlink, ExecDirectoryType);
-
DECLARE_STRING_TABLE_LOOKUP(exec_directory_type_mode, ExecDirectoryType);
DECLARE_STRING_TABLE_LOOKUP(exec_resource_type, ExecDirectoryType);
+DECLARE_STRING_TABLE_LOOKUP(memory_thp, MemoryTHP);
+
bool exec_needs_mount_namespace(const ExecContext *context, const ExecParameters *params, const ExecRuntime *runtime);
bool exec_needs_network_namespace(const ExecContext *context);
bool exec_needs_ipc_namespace(const ExecContext *context);
DEFINE_STRING_TABLE_LOOKUP(bpf_delegate_prog_type, uint64_t);
DEFINE_STRING_TABLE_LOOKUP(bpf_delegate_attach_type, uint64_t);
-static const char* const memory_thp_table[_MEMORY_THP_MAX] = {
- [MEMORY_THP_INHERIT] = "inherit",
- [MEMORY_THP_DISABLE] = "disable",
- [MEMORY_THP_MADVISE] = "madvise",
- [MEMORY_THP_SYSTEM] = "system",
-};
-
-DEFINE_STRING_TABLE_LOOKUP(memory_thp, MemoryTHP);
-
char* bpf_delegate_to_string(uint64_t u, const char * (*parser)(uint64_t) _const_ ) {
assert(parser);
_PRIVATE_PIDS_INVALID = -EINVAL,
} PrivatePIDs;
-typedef enum MemoryTHP {
- /*
- * Inherit default from process that starts systemd, i.e. do not make
- * any PR_SET_THP_DISABLE call.
- */
- MEMORY_THP_INHERIT,
- MEMORY_THP_DISABLE, /* Disable THPs completely for the process */
- MEMORY_THP_MADVISE, /* Disable THPs for the process except when madvised */
- /*
- * Use system default THP setting. this can be used when the process that
- * starts systemd has already disabled THPs via PR_SET_THP_DISABLE, and we
- * want to restore the system default THP setting at process invocation time.
- */
- MEMORY_THP_SYSTEM,
- _MEMORY_THP_MAX,
- _MEMORY_THP_INVALID = -EINVAL,
-} MemoryTHP;
-
typedef struct BindMount {
char *source;
char *destination;
DECLARE_STRING_TABLE_LOOKUP(private_bpf, PrivateBPF);
-DECLARE_STRING_TABLE_LOOKUP(memory_thp, MemoryTHP);
-
DECLARE_STRING_TABLE_LOOKUP(bpf_delegate_cmd, uint64_t);
DECLARE_STRING_TABLE_LOOKUP(bpf_delegate_map_type, uint64_t);
SD_JSON_BUILD_PAIR_CALLBACK("IOSchedulingClass", ioprio_class_build_json, c),
SD_JSON_BUILD_PAIR_INTEGER("IOSchedulingPriority", ioprio_prio_data(exec_context_get_effective_ioprio(c))),
+ JSON_BUILD_PAIR_TRISTATE_NON_NULL("MemoryKSM", c->memory_ksm),
+ SD_JSON_BUILD_PAIR_STRING("MemoryTHP", memory_thp_to_string(c->memory_thp)),
+
/* Sandboxing */
SD_JSON_BUILD_PAIR_STRING("ProtectSystem", protect_system_to_string(c->protect_system)),
SD_JSON_BUILD_PAIR_STRING("ProtectHome", protect_home_to_string(c->protect_home)),
JSON_BUILD_PAIR_STRING_NON_EMPTY("NetworkNamespacePath", c->network_namespace_path),
JSON_BUILD_PAIR_YES_NO("PrivateIPC", c->private_ipc),
JSON_BUILD_PAIR_STRING_NON_EMPTY("IPCNamespacePath", c->ipc_namespace_path),
- JSON_BUILD_PAIR_TRISTATE_NON_NULL("MemoryKSM", c->memory_ksm),
SD_JSON_BUILD_PAIR_STRING("PrivatePIDs", private_pids_to_string(c->private_pids)),
SD_JSON_BUILD_PAIR_STRING("PrivateUsers", private_users_to_string(c->private_users)),
JSON_BUILD_PAIR_STRING_NON_EMPTY("UserNamespacePath", c->user_namespace_path),
SD_JSON_BUILD_PAIR_BOOLEAN("RemoveIPC", c->remove_ipc),
JSON_BUILD_PAIR_TRISTATE_NON_NULL("PrivateMounts", c->private_mounts),
JSON_BUILD_PAIR_STRING_NON_EMPTY("MountFlags", mount_propagation_flag_to_string(c->mount_propagation_flag)),
- SD_JSON_BUILD_PAIR_STRING("MemoryTHP", memory_thp_to_string(c->memory_thp)),
/* System Call Filtering */
JSON_BUILD_PAIR_CALLBACK_NON_NULL("SystemCallFilter", syscall_filter_build_json, c),
{ "CPUSchedulingResetOnFork", bus_append_parse_boolean },
{ "LockPersonality", bus_append_parse_boolean },
{ "MemoryKSM", bus_append_parse_boolean },
+ { "MemoryTHP", bus_append_string },
{ "RestrictSUIDSGID", bus_append_parse_boolean },
{ "RootEphemeral", bus_append_parse_boolean },
{ "SetLoginEnvironment", bus_append_parse_boolean },
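Review bot: The added `{ "MemoryTHP", bus_append_string },` entry lands in the middle of a run of `bus_append_parse_boolean` entries, which breaks the grouping by handler that the visible rows suggest. If the table has a `bus_append_string` run (not visible in this hunk), the entry would fit better there. If adjacency to `MemoryKSM` is the intent, a short comment such as `/* enum value sent as a string; validated on the receiving side */` would explain the exception. The validation claim is inferred from the `memory_thp_from_string` setter defined elsewhere in this commit, so confirm it before adding the comment.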
{ "LogRateLimitBurst", bus_append_safe_atou },
{ "TTYRows", bus_append_safe_atou },
{ "TTYColumns", bus_append_safe_atou },
- { "MemoryTHP", bus_append_string },
{ "MountFlags", bus_append_mount_propagation_flag_from_string },
{ "Environment", bus_append_strv_cunescape },
{ "UnsetEnvironment", bus_append_strv_cunescape },
SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man"PROJECT_VERSION_STR"systemd.exec.html#IOSchedulingPriority="),
SD_VARLINK_DEFINE_FIELD(IOSchedulingPriority, SD_VARLINK_INT, 0),
+ SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man"PROJECT_VERSION_STR"systemd.exec.html#MemoryKSM="),
+ SD_VARLINK_DEFINE_FIELD(MemoryKSM, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
+ SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man"PROJECT_VERSION_STR"systemd.exec.html#MemoryTHP="),
+ SD_VARLINK_DEFINE_FIELD(MemoryTHP, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
+
/* Sandboxing
* https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#Sandboxing */
SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man"PROJECT_VERSION_STR"systemd.exec.html#ProtectSystem="),
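Review bot: `MemoryTHP` is declared `SD_VARLINK_NULLABLE` here, but the builder elsewhere in this commit emits it unconditionally with `SD_JSON_BUILD_PAIR_STRING("MemoryTHP", memory_thp_to_string(c->memory_thp))`. By contrast, `MemoryKSM` pairs its nullable declaration with `JSON_BUILD_PAIR_TRISTATE_NON_NULL`, and an always-emitted string field such as `PrivatePIDs` is declared with flags `0`. If the value is always present, `SD_VARLINK_DEFINE_FIELD(MemoryTHP, SD_VARLINK_STRING, 0),` would state the contract precisely for clients that validate replies against the IDL. If an out-of-range `c->memory_thp` can reach the builder, a one-line comment saying when the field is null would be enough. The declaration is carried over unchanged from the removed lines, so the mismatch appears to predate this move.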
SD_VARLINK_DEFINE_FIELD(PrivateIPC, SD_VARLINK_STRING, 0),
SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man"PROJECT_VERSION_STR"systemd.exec.html#IPCNamespacePath="),
SD_VARLINK_DEFINE_FIELD(IPCNamespacePath, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
- SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man"PROJECT_VERSION_STR"systemd.exec.html#MemoryKSM="),
- SD_VARLINK_DEFINE_FIELD(MemoryKSM, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man"PROJECT_VERSION_STR"systemd.exec.html#PrivatePIDs="),
SD_VARLINK_DEFINE_FIELD(PrivatePIDs, SD_VARLINK_STRING, 0),
SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man"PROJECT_VERSION_STR"systemd.exec.html#PrivateUsers="),
SD_VARLINK_DEFINE_FIELD(PrivateMounts, SD_VARLINK_BOOL, SD_VARLINK_NULLABLE),
SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man"PROJECT_VERSION_STR"systemd.exec.html#MountFlags="),
SD_VARLINK_DEFINE_FIELD(MountFlags, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
- SD_VARLINK_FIELD_COMMENT("https://www.freedesktop.org/software/systemd/man"PROJECT_VERSION_STR"systemd.exec.html#MemoryTHP="),
- SD_VARLINK_DEFINE_FIELD(MemoryTHP, SD_VARLINK_STRING, SD_VARLINK_NULLABLE),
/* System Call Filtering
* https://www.freedesktop.org/software/systemd/man/latest/systemd.exec.html#System%20Call%20Filtering */