From: Yu Watanabe Date: Tue, 1 May 2018 01:36:39 +0000 (+0900) Subject: load-fragment: allow to specify RestrictNamespaces= multiple times X-Git-Tag: v239~210^2~3 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=aa9d574de9f4817e5c948018f14e02ccca5c0e42;p=thirdparty%2Fsystemd.git load-fragment: allow to specify RestrictNamespaces= multiple times If multiple RestrictNamespaces= settings are set, then merge the settings. This also drops supporting "~yes" and "~no". --- diff --git a/src/core/execute.c b/src/core/execute.c index a910eb89a30..87909c07e94 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -3562,7 +3562,8 @@ void exec_context_init(ExecContext *c) { for (i = 0; i < _EXEC_DIRECTORY_TYPE_MAX; i++) c->directories[i].mode = 0755; c->capability_bounding_set = CAP_ALL; - c->restrict_namespaces = NAMESPACE_FLAGS_ALL; + assert_cc(NAMESPACE_FLAGS_INITIAL != NAMESPACE_FLAGS_ALL); + c->restrict_namespaces = NAMESPACE_FLAGS_INITIAL; c->log_level_max = -1; } diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c index dc9914b2769..dd8d1874fd2 100644 --- a/src/core/load-fragment.c +++ b/src/core/load-fragment.c @@ -3123,11 +3123,22 @@ int config_parse_restrict_namespaces( void *userdata) { ExecContext *c = data; + unsigned long flags; bool invert = false; int r; if (isempty(rvalue)) { /* Reset to the default. */ + c->restrict_namespaces = NAMESPACE_FLAGS_INITIAL; + return 0; + } + + /* Boolean parameter ignores the previous settings */ + r = parse_boolean(rvalue); + if (r > 0) { + c->restrict_namespaces = 0; + return 0; + } else if (r == 0) { c->restrict_namespaces = NAMESPACE_FLAGS_ALL; return 0; } @@ -3137,23 +3148,19 @@ int config_parse_restrict_namespaces( rvalue++; } - r = parse_boolean(rvalue); - if (r > 0) - c->restrict_namespaces = 0; - else if (r == 0) - c->restrict_namespaces = NAMESPACE_FLAGS_ALL; - else { - /* Not a boolean argument, in this case it's a list of namespace types. */ - - r = namespace_flags_from_string(rvalue, &c->restrict_namespaces); - if (r < 0) { - log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse namespace type string, ignoring: %s", rvalue); - return 0; - } + /* Not a boolean argument, in this case it's a list of namespace types. */ + r = namespace_flags_from_string(rvalue, &flags); + if (r < 0) { + log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse namespace type string, ignoring: %s", rvalue); + return 0; } - if (invert) - c->restrict_namespaces = (~c->restrict_namespaces) & NAMESPACE_FLAGS_ALL; + if (c->restrict_namespaces == NAMESPACE_FLAGS_INITIAL) + /* Initial assignment. Just set the value. */ + c->restrict_namespaces = invert ? (~flags) & NAMESPACE_FLAGS_ALL : flags; + else + /* Merge the value with the previous one. */ + SET_FLAG(c->restrict_namespaces, flags, !invert); return 0; } diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c index 1a375ac88bd..253ac80b875 100644 --- a/src/shared/bus-unit-util.c +++ b/src/shared/bus-unit-util.c @@ -1003,12 +1003,7 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con if (streq(field, "RestrictNamespaces")) { bool invert = false; - unsigned long flags = 0; - - if (eq[0] == '~') { - invert = true; - eq++; - } + unsigned long flags; r = parse_boolean(eq); if (r > 0) @@ -1016,6 +1011,11 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con else if (r == 0) flags = NAMESPACE_FLAGS_ALL; else { + if (eq[0] == '~') { + invert = true; + eq++; + } + r = namespace_flags_from_string(eq, &flags); if (r < 0) return log_error_errno(r, "Failed to parse %s value %s.", field, eq); diff --git a/src/shared/nsflags.h b/src/shared/nsflags.h index d3ed5c38575..2133a6c1be9 100644 --- a/src/shared/nsflags.h +++ b/src/shared/nsflags.h @@ -24,6 +24,8 @@ CLONE_NEWUSER| \ CLONE_NEWUTS)) +#define NAMESPACE_FLAGS_INITIAL ((unsigned long) -1) + int namespace_flags_from_string(const char *name, unsigned long *ret); int namespace_flags_to_string(unsigned long flags, char **ret);