core,seccomp: fix logic to parse RestrictAddressFamilies= in dbus-execute.c

If multiple RestrictAddressFamilies= settings, some of them are
whitelist and the others are blacklist, are sent to bus, then parsing
result was corrupted.
This fixes the parse logic, now it is the same as one used in
load-fragment.c

diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index a3d601b1e9d559af21c58d1240b14aef50271c04..4b1160cab4d57d55b49c980fba41bfeccd6d4110 100644 (file)
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -1490,30 +1490,38 @@ int bus_exec_context_set_transient_property(
 
                 if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
                         _cleanup_free_ char *joined = NULL;
+                        bool invert = !whitelist;
+                        char **s;
 
                         if (strv_isempty(l)) {
                                 c->address_families_whitelist = false;
                                 c->address_families = set_free(c->address_families);
-                        } else {
-                                char **s;
 
-                                c->address_families_whitelist = whitelist;
+                                unit_write_settingf(u, flags, name, "RestrictAddressFamilies=");
+                                return 1;
+                        }
 
-                                r = set_ensure_allocated(&c->address_families, NULL);
-                                if (r < 0)
-                                        return r;
+                        if (!c->address_families) {
+                                c->address_families = set_new(NULL);
+                                if (!c->address_families)
+                                        return log_oom();
 
-                                STRV_FOREACH(s, l) {
-                                        int af;
+                                c->address_families_whitelist = whitelist;
+                        }
 
-                                        af = af_from_name(*s);
-                                        if (af <= 0)
-                                                return -EINVAL;
+                        STRV_FOREACH(s, l) {
+                                int af;
+
+                                af = af_from_name(*s);
+                                if (af <= 0)
+                                        return -EINVAL;
 
+                                if (!invert == c->address_families_whitelist) {
                                         r = set_put(c->address_families, INT_TO_PTR(af));
                                         if (r < 0)
                                                 return r;
-                                }
+                                } else
+                                        (void) set_remove(c->address_families, INT_TO_PTR(af));
                         }
 
                         joined = strv_join(l, " ");