core: add SocketBind{Allow|Deny} fragment parser
authorJulia Kartseva <hex@fb.com>
Tue, 20 Apr 2021 07:09:51 +0000 (00:09 -0700)
committerJulia Kartseva <hex@fb.com>
Mon, 26 Apr 2021 23:21:59 +0000 (16:21 -0700)
src/core/load-fragment-gperf.gperf.m4
src/core/load-fragment.c
src/core/load-fragment.h

index 4bd1207e2c55ba5d7039e0cf2b4f7fcddec05f97..c531380401ed74ce646bbd703168be6ad1505fe0 100644 (file)
@@ -235,7 +235,9 @@ $1.ManagedOOMMemoryPressure,             config_parse_managed_oom_mode,
 $1.ManagedOOMMemoryPressureLimit,        config_parse_managed_oom_mem_pressure_limit, 0,                                  offsetof($1, cgroup_context.moom_mem_pressure_limit)
 $1.ManagedOOMPreference,                 config_parse_managed_oom_preference,         0,                                  offsetof($1, cgroup_context.moom_preference)
 $1.NetClass,                             config_parse_warn_compat,                    DISABLED_LEGACY,                    0
-$1.BPFProgram,                           config_parse_bpf_foreign_program,            0,                                  offsetof($1, cgroup_context)'
+$1.BPFProgram,                           config_parse_bpf_foreign_program,            0,                                  offsetof($1, cgroup_context)
+$1.SocketBindAllow,                      config_parse_cgroup_socket_bind,             0,                                  offsetof($1, cgroup_context.socket_bind_allow)
+$1.SocketBindDeny,                       config_parse_cgroup_socket_bind,             0,                                  offsetof($1, cgroup_context.socket_bind_deny)'
 )m4_dnl
 Unit.Description,                        config_parse_unit_string_printf,             0,                                  offsetof(Unit, description)
 Unit.Documentation,                      config_parse_documentation,                  0,                                  offsetof(Unit, documentation)
index 9be495e1efefbbc6733d71b91d7b7e71965b9d6f..4f506e51e8737e8c8ab6dcee7332eebe07982d87 100644 (file)
@@ -55,6 +55,7 @@
 #endif
 #include "securebits-util.h"
 #include "signal-util.h"
+#include "socket-bind.h"
 #include "socket-netlink.h"
 #include "stat-util.h"
 #include "string-util.h"
@@ -5657,6 +5658,73 @@ int config_parse_bpf_foreign_program(
         return 0;
 }
 
+int config_parse_cgroup_socket_bind(
+                const char *unit,
+                const char *filename,
+                unsigned line,
+                const char *section,
+                unsigned section_line,
+                const char *lvalue,
+                int ltype,
+                const char *rvalue,
+                void *data,
+                void *userdata) {
+        _cleanup_free_ CGroupSocketBindItem *item = NULL;
+        const char *address_family = NULL, *user_port;
+        uint16_t nr_ports = 0, port_min = 0;
+        CGroupSocketBindItem **head = data;
+        _cleanup_free_ char *word = NULL;
+        int af = AF_UNSPEC, r;
+
+        if (isempty(rvalue)) {
+                cgroup_context_remove_socket_bind(head);
+                return 0;
+        }
+
+        r = extract_first_word(&rvalue, &word, ":", 0);
+        if (r == -ENOMEM)
+                return log_oom();
+
+        if (rvalue)
+                address_family = word;
+
+        if (address_family) {
+                if (streq(address_family, "IPv4"))
+                        af = AF_INET;
+                else if (streq(address_family, "IPv6"))
+                        af = AF_INET6;
+                else
+                        return log_warning_errno(SYNTHETIC_ERRNO(EINVAL),
+                                        "Only IPv4 or IPv6 protocols are supported, ignoring");
+        }
+
+        user_port = rvalue ?: word;
+        if (!streq(user_port, "any")) {
+                uint16_t port_max;
+
+                r = parse_ip_port_range(user_port, &port_min, &port_max);
+                if (r == -ENOMEM)
+                        return log_oom();
+                if (r < 0)
+                        return log_warning_errno(r, "Invalid port or port range, ignoring: %m");
+
+                nr_ports = 1 + port_max - port_min;
+        }
+
+        item = new(CGroupSocketBindItem, 1);
+        if (!item)
+                return log_oom();
+        *item = (CGroupSocketBindItem) {
+                .address_family = af,
+                .nr_ports = nr_ports,
+                .port_min = port_min,
+        };
+
+        LIST_PREPEND(socket_bind_items, *head, TAKE_PTR(item));
+
+        return 0;
+}
+
 static int merge_by_names(Unit **u, Set *names, const char *id) {
         char *k;
         int r;
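Review bot: The result of extract_first_word() is only checked for -ENOMEM, so a value made of separators alone (`:`) returns 0 with both word and rvalue NULL, and `user_port = rvalue ?: word` then passes NULL to streq(); a parse failure (r < 0, e.g. a trailing backslash) is likewise unreported and falls through with word unset. Add an `if (r <= 0)` branch right after the OOM check that logs and ignores the assignment. On the same function, the three warnings say "ignoring" yet return the negative errno, and they use log_warning_errno() instead of log_syntax(), so the unit, filename and line parameters this callback receives never reach the message; the convention for config_parse_* callbacks is log_syntax(unit, LOG_WARNING, filename, line, …) followed by `return 0`, since as far as I recall conf-parser propagates a negative parser return as a failure of the whole file rather than of the one line. The rewrite below covers the extract_first_word check and the address-family warning; the two port-range warnings change the same way.
```c
        r = extract_first_word(&rvalue, &word, ":", 0);
        if (r == -ENOMEM)
                return log_oom();
        if (r <= 0) {
                log_syntax(unit, LOG_WARNING, filename, line, r < 0 ? r : SYNTHETIC_ERRNO(EINVAL),
                           "Failed to parse %s= value, ignoring.", lvalue);
                return 0;
        }
        /* … unchanged: address family detection … */
                else {
                        log_syntax(unit, LOG_WARNING, filename, line, 0,
                                   "Only IPv4 or IPv6 protocols are supported, ignoring: %s", address_family);
                        return 0;
                }
        /* … unchanged: port range parsing and item allocation; its two warnings become log_syntax() + return 0 … */
```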
index e99c9a405598859a930877c7da8fded95f78c5ba..d722041f962363981cd2fd397e71f05d17b4b03f 100644 (file)
@@ -141,6 +141,7 @@ CONFIG_PARSER_PROTOTYPE(config_parse_mount_images);
 CONFIG_PARSER_PROTOTYPE(config_parse_socket_timestamping);
 CONFIG_PARSER_PROTOTYPE(config_parse_extension_images);
 CONFIG_PARSER_PROTOTYPE(config_parse_bpf_foreign_program);
+CONFIG_PARSER_PROTOTYPE(config_parse_cgroup_socket_bind);
 
 /* gperf prototypes */
 const struct ConfigPerfItem* load_fragment_gperf_lookup(const char *key, GPERF_LEN_TYPE length);