From: Yu Watanabe Date: Tue, 19 Dec 2017 02:05:43 +0000 (+0900) Subject: core,seccomp: fix logic to parse RestrictAddressFamilies= in dbus-execute.c X-Git-Tag: v237~183^2~20 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9ee896d5dd98ee9fba7c0ee40784a1266661cd5f;p=thirdparty%2Fsystemd.git core,seccomp: fix logic to parse RestrictAddressFamilies= in dbus-execute.c If multiple RestrictAddressFamilies= settings, some of them are whitelist and the others are blacklist, are sent to bus, then parsing result was corrupted. This fixes the parse logic, now it is the same as one used in load-fragment.c
---
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index a3d601b1e9d..4b1160cab4d 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -1490,30 +1490,38 @@ int bus_exec_context_set_transient_property(
 if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
 _cleanup_free_ char *joined = NULL;
+ bool invert = !whitelist;
+ char **s;
 if (strv_isempty(l)) {
 c->address_families_whitelist = false;
 c->address_families = set_free(c->address_families);
- } else {
- char **s;
- c->address_families_whitelist = whitelist;
+ unit_write_settingf(u, flags, name, "RestrictAddressFamilies=");
+ return 1;
+ }
- r = set_ensure_allocated(&c->address_families, NULL);
- if (r < 0)
- return r;
+ if (!c->address_families) {
+ c->address_families = set_new(NULL);
+ if (!c->address_families)
+ return log_oom();
- STRV_FOREACH(s, l) {
- int af;
+ c->address_families_whitelist = whitelist;
+ }
- af = af_from_name(*s);
- if (af <= 0)
- return -EINVAL;
+ STRV_FOREACH(s, l) {
+ int af;
+
+ af = af_from_name(*s);
+ if (af <= 0)
+ return -EINVAL;
+ if (!invert == c->address_families_whitelist) {
 r = set_put(c->address_families, INT_TO_PTR(af));
 if (r < 0)
 return r;
- }
+ } else
+ (void) set_remove(c->address_families, INT_TO_PTR(af));
 }
 joined = strv_join(l, " ");
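Review bot: In the new `STRV_FOREACH(s, l)` loop the `af <= 0` check runs while `c->address_families` is already being modified, so a list with a bad family name after some valid ones returns `-EINVAL` with the set half-updated: entries already added, or, in the `set_remove()` branch, already dropped from an existing blacklist. When the set was just created, `address_families_whitelist` has also been assigned by then. Since this setting drives the seccomp address-family filter, validate the whole list before touching the context, with a separate pass such as `STRV_FOREACH(s, l) if (af_from_name(*s) <= 0) return -EINVAL;`, and keep the second loop for mutation only. Because the check sits inside `if (!UNIT_WRITE_FLAGS_NOOP(flags))`, a check-only call also appears to accept invalid names unless they are rejected earlier in the function, which the hunk does not show; placing the validation pass ahead of that `if` (with its own `char **s`) would cover both cases. The body of bus_exec_context_set_transient_property() starts and ends outside the hunk.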