From: Zbigniew Jędrzejewski-Szmek
Date: Tue, 22 Sep 2020 12:08:05 +0000 (+0200)
Subject: core: remember when we set ExecContext.mount_apivfs
X-Git-Tag: v247-rc1~136^2~2
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=5e98086d1629f5c5b73645ba2568de4b09b7d958;p=thirdparty%2Fsystemd.git
core: remember when we set ExecContext.mount_apivfs
No functional change intended so far.
---
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index 753b91d511a..488af98cd32 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -53,6 +53,7 @@ static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_protect_home, protect_home, Pro
 static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_protect_system, protect_system, ProtectSystem);
 static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_personality, personality, unsigned long);
 static BUS_DEFINE_PROPERTY_GET(property_get_ioprio, "i", ExecContext, exec_context_get_effective_ioprio);
+static BUS_DEFINE_PROPERTY_GET(property_get_mount_apivfs, "b", ExecContext, exec_context_get_effective_mount_apivfs);
 static BUS_DEFINE_PROPERTY_GET2(property_get_ioprio_class, "i", ExecContext, exec_context_get_effective_ioprio, IOPRIO_PRIO_CLASS);
 static BUS_DEFINE_PROPERTY_GET2(property_get_ioprio_priority, "i", ExecContext, exec_context_get_effective_ioprio, IOPRIO_PRIO_DATA);
 static BUS_DEFINE_PROPERTY_GET_GLOBAL(property_get_empty_string, "s", NULL);
@@ -1143,7 +1144,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
 SD_BUS_PROPERTY("BindPaths", "a(ssbt)", property_get_bind_paths, 0, SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("BindReadOnlyPaths", "a(ssbt)", property_get_bind_paths, 0, SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("TemporaryFileSystem", "a(ss)", property_get_temporary_filesystems, 0, SD_BUS_VTABLE_PROPERTY_CONST),
- SD_BUS_PROPERTY("MountAPIVFS", "b", bus_property_get_bool, offsetof(ExecContext, mount_apivfs), SD_BUS_VTABLE_PROPERTY_CONST),
+ SD_BUS_PROPERTY("MountAPIVFS", "b", property_get_mount_apivfs, 0, SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("KeyringMode", "s", property_get_exec_keyring_mode, offsetof(ExecContext, keyring_mode), SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("ProtectProc", "s", property_get_protect_proc, offsetof(ExecContext, protect_proc), SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("ProcSubset", "s", property_get_proc_subset, offsetof(ExecContext, proc_subset), SD_BUS_VTABLE_PROPERTY_CONST),
@@ -1805,9 +1806,6 @@ int bus_exec_context_set_transient_property(
 if (streq(name, "ProtectControlGroups"))
 return bus_set_transient_bool(u, name, &c->protect_control_groups, message, flags, error);
- if (streq(name, "MountAPIVFS"))
- return bus_set_transient_bool(u, name, &c->mount_apivfs, message, flags, error);
-
 if (streq(name, "CPUSchedulingResetOnFork"))
 return bus_set_transient_bool(u, name, &c->cpu_sched_reset_on_fork, message, flags, error);
@@ -2635,6 +2633,20 @@ int bus_exec_context_set_transient_property(
 return 1;
+ } else if (streq(name, "MountAPIVFS")) {
+ bool b;
+
+ r = bus_set_transient_bool(u, name, &b, message, flags, error);
+ if (r < 0)
+ return r;
+
+ if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
+ c->mount_apivfs = b;
+ c->mount_apivfs_set = true;
+ }
+
+ return 1;
+
 } else if (streq(name, "WorkingDirectory")) {
 const char *s;
 bool missing_ok;
diff --git a/src/core/execute.c b/src/core/execute.c
index 44f30cb6343..fd28f22c4ff 100644
--- a/src/core/execute.c
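Review bot: In the new "MountAPIVFS" branch of the set-transient chain, `bool b;` is declared uninitialised and is read only under `!UNIT_WRITE_FLAGS_NOOP(flags)`; that is presumably the same condition under which bus_set_transient_bool() stores through its out-pointer, but the coupling is invisible here, so either initialise it (`bool b = false;`) or state the dependency in a comment. The branch also deserves a one-line comment explaining why it left the plain bus_set_transient_bool() shortcut removed in the earlier hunk: `/* Not a plain bus_set_transient_bool(): an explicit MountAPIVFS= must also be recorded in mount_apivfs_set. */`. Note that the D-Bus "MountAPIVFS" property in the first hunk now reports the effective value rather than the raw field, so a client can no longer tell "unset" from "explicitly off"; fine if intended, but worth a word in the commit message. bus_exec_context_set_transient_property() starts and ends outside these hunks.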
+++ b/src/core/execute.c
@@ -2027,7 +2027,7 @@ static bool exec_needs_mount_namespace(
 return true;
 if (context->root_directory) {
- if (context->mount_apivfs)
+ if (exec_context_get_effective_mount_apivfs(context))
 return true;
 for (ExecDirectoryType t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
@@ -3147,7 +3147,7 @@ static int apply_mount_namespace(
 .protect_kernel_modules = context->protect_kernel_modules,
 .protect_kernel_logs = context->protect_kernel_logs,
 .protect_hostname = context->protect_hostname,
- .mount_apivfs = context->mount_apivfs,
+ .mount_apivfs = exec_context_get_effective_mount_apivfs(context),
 .private_mounts = context->private_mounts,
 .protect_home = context->protect_home,
 .protect_system = context->protect_system,
@@ -5185,7 +5185,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
 prefix, yes_no(c->private_users),
 prefix, protect_home_to_string(c->protect_home),
 prefix, protect_system_to_string(c->protect_system),
- prefix, yes_no(c->mount_apivfs),
+ prefix, yes_no(exec_context_get_effective_mount_apivfs(c)),
 prefix, yes_no(c->ignore_sigpipe),
 prefix, yes_no(c->memory_deny_write_execute),
 prefix, yes_no(c->restrict_realtime),
@@ -5650,6 +5650,15 @@ int exec_context_get_effective_ioprio(const ExecContext *c) {
 return p;
 }
+bool exec_context_get_effective_mount_apivfs(const ExecContext *c) {
+ assert(c);
+
+ if (c->mount_apivfs_set)
+ return c->mount_apivfs;
+
+ return false;
+}
+
 void exec_context_free_log_extra_fields(ExecContext *c) {
 assert(c);
diff --git a/src/core/execute.h b/src/core/execute.h
index 02a2c8d1e71..c21154bda26 100644
--- a/src/core/execute.h
+++ b/src/core/execute.h
@@ -174,6 +174,7 @@ struct ExecContext {
 bool nice_set:1;
 bool ioprio_set:1;
 bool cpu_sched_set:1;
+ bool mount_apivfs_set:1;
 /* This is not exposed to the user but available internally. We need it to make sure that whenever we
 * spawn /usr/bin/mount it is run in the same process group as us so that the autofs logic detects
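Review bot: exec_context_get_effective_mount_apivfs() is now the single point that decides whether /proc, /sys and /dev get mounted into a RootDirectory= sandbox, yet it carries no comment saying that the raw `c->mount_apivfs` field is only meaningful when `mount_apivfs_set` is true and that the trailing `return false;` is the implicit default callers must not bypass. Suggest a header comment: `/* Effective MountAPIVFS= value: the explicit setting if one was configured, otherwise the default (currently off). Read this, never c->mount_apivfs directly. */`. The exec_context_dump() change a few hunks up means the dump output now prints the effective value, so "unset" and "explicitly no" become indistinguishable there; consider printing the raw field next to it when debugging sandbox configuration matters.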
@@ -409,6 +410,7 @@ bool exec_context_may_touch_console(const ExecContext *c);
 bool exec_context_maintains_privileges(const ExecContext *c);
 int exec_context_get_effective_ioprio(const ExecContext *c);
+bool exec_context_get_effective_mount_apivfs(const ExecContext *c);
 void exec_context_free_log_extra_fields(ExecContext *c);
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 480da2c0dd1..df401191758 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -1349,6 +1349,44 @@ int config_parse_exec_cpu_sched_policy(const char *unit,
 return 0;
 }
+int config_parse_exec_mount_apivfs(const char *unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ ExecContext *c = data;
+ int k;
+
+ assert(filename);
+ assert(lvalue);
+ assert(rvalue);
+ assert(data);
+
+ if (isempty(rvalue)) {
+ c->mount_apivfs_set = false;
+ c->mount_apivfs = false;
+ return 0;
+ }
+
+ k = parse_boolean(rvalue);
+ if (k < 0) {
+ log_syntax(unit, LOG_WARNING, filename, line, k,
+ "Failed to parse boolean value, ignoring: %s",
+ rvalue);
+ return 0;
+ }
+
+ c->mount_apivfs_set = true;
+ c->mount_apivfs = k;
+ return 0;
+}
+
 int config_parse_numa_mask(const char *unit,
 const char *filename,
 unsigned line,
diff --git a/src/core/load-fragment.h b/src/core/load-fragment.h
index 3504227cae7..d67852a74d0 100644
--- a/src/core/load-fragment.h
+++ b/src/core/load-fragment.h
@@ -43,6 +43,7 @@ CONFIG_PARSER_PROTOTYPE(config_parse_exec_io_priority);
 CONFIG_PARSER_PROTOTYPE(config_parse_exec_cpu_sched_policy);
 CONFIG_PARSER_PROTOTYPE(config_parse_exec_cpu_sched_prio);
 CONFIG_PARSER_PROTOTYPE(config_parse_exec_cpu_affinity);
+CONFIG_PARSER_PROTOTYPE(config_parse_exec_mount_apivfs);
 CONFIG_PARSER_PROTOTYPE(config_parse_exec_secure_bits);
 CONFIG_PARSER_PROTOTYPE(config_parse_root_image_options);
 CONFIG_PARSER_PROTOTYPE(config_parse_exec_root_hash);
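Review bot: config_parse_exec_mount_apivfs() has no comment explaining why MountAPIVFS= gets a dedicated parser instead of the generic boolean one; the only visible difference is that it also records `mount_apivfs_set`, which is exactly the intent a later cleanup is likely to lose. Suggest a header comment: `/* Boolean parser that additionally remembers whether MountAPIVFS= was given explicitly (mount_apivfs_set), so exec_context_get_effective_mount_apivfs() can apply a default when it was not. */`. The empty-rvalue branch correctly clears both fields so a bare `MountAPIVFS=` returns the unit to "unset"; say so there too, since `c->mount_apivfs = false;` otherwise looks redundant. The prototype added in load-fragment.h in the last hunk needs no separate note.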