From 2234032c47f0abaf59e93b2a42ee926f9233f05c Mon Sep 17 00:00:00 2001
From: Mike Yuan
Date: Sun, 25 Aug 2024 23:42:07 +0200
Subject: [PATCH] core: move check for combination of PAMName= + KillMode= to unit_verify_contexts()

While at it, allow "mixed" for all unit types too, i.e. also apply ebc2259da1d1579347b86fc2ebca9f96334b6f22 to socket/mount/swap units.
---
 src/core/mount.c | 3 ---
 src/core/service.c | 3 ---
 src/core/socket.c | 3 ---
 src/core/swap.c | 3 ---
 src/core/unit.c | 10 ++++++++--
 src/core/unit.h | 12 ++++++------
 6 files changed, 14 insertions(+), 20 deletions(-)

diff --git a/src/core/mount.c b/src/core/mount.c
index 3f53b2be7bc..28701df231b 100644
--- a/src/core/mount.c
+++ b/src/core/mount.c
@@ -574,9 +574,6 @@ static int mount_verify(Mount *m) {
 if (p && !p->what && !UNIT(m)->perpetual)
 return log_unit_error_errno(UNIT(m), SYNTHETIC_ERRNO(ENOEXEC), "What= setting is missing. Refusing.");

- if (m->exec_context.pam_name && m->kill_context.kill_mode != KILL_CONTROL_GROUP)
- return log_unit_error_errno(UNIT(m), SYNTHETIC_ERRNO(ENOEXEC), "Unit has PAM enabled. Kill mode must be set to control-group'. Refusing.");
-
 return 0;
 }

diff --git a/src/core/service.c b/src/core/service.c
index ca6040a0557..eda355ad9ed 100644
--- a/src/core/service.c
+++ b/src/core/service.c
@@ -683,9 +683,6 @@ static int service_verify(Service *s) {
 if (s->type == SERVICE_DBUS && !s->bus_name)
 return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Service is of type D-Bus but no D-Bus service name has been specified. Refusing.");

- if (s->exec_context.pam_name && !IN_SET(s->kill_context.kill_mode, KILL_CONTROL_GROUP, KILL_MIXED))
- return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Service has PAM enabled. Kill mode must be set to 'control-group' or 'mixed'. Refusing.");
-
 if (s->usb_function_descriptors && !s->usb_function_strings)
 log_unit_warning(UNIT(s), "Service has USBFunctionDescriptors= setting, but no USBFunctionStrings=. Ignoring.");

diff --git a/src/core/socket.c b/src/core/socket.c
index 88c92876a14..333079277b3 100644
--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -419,9 +419,6 @@ static int socket_verify(Socket *s) {
 if (s->accept && UNIT_ISSET(s->service))
 return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Explicit service configuration for accepting socket units not supported. Refusing.");

- if (s->exec_context.pam_name && s->kill_context.kill_mode != KILL_CONTROL_GROUP)
- return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing.");
-
 if (!strv_isempty(s->symlinks) && !socket_find_symlink_target(s))
 return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Unit has symlinks set but none or more than one node in the file system. Refusing.");

diff --git a/src/core/swap.c b/src/core/swap.c
index 3b76ae33a3c..ff6c4255ab7 100644
--- a/src/core/swap.c
+++ b/src/core/swap.c
@@ -256,9 +256,6 @@ static int swap_verify(Swap *s) {
 if (!unit_has_name(UNIT(s), e))
 return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Value of What= and unit name do not match, not loading.");

- if (s->exec_context.pam_name && s->kill_context.kill_mode != KILL_CONTROL_GROUP)
- return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing to load.");
-
 return 0;
 }

diff --git a/src/core/unit.c b/src/core/unit.c
index 5d8b940608c..b52ee90936f 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4216,9 +4216,10 @@ static int user_from_unit_name(Unit *u, char **ret) {
 return 0;
 }

-static int unit_verify_contexts(const Unit *u, const ExecContext *ec) {
+static int unit_verify_contexts(const Unit *u) {
 assert(u);

+ const ExecContext *ec = unit_get_exec_context(u);
 if (!ec)
 return 0;

@@ -4232,6 +4233,11 @@ static int unit_verify_contexts(const Unit *u, const ExecContext *ec) {
 exec_needs_mount_namespace(ec, /* params = */ NULL, /* runtime = */ NULL))
 return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "WorkingDirectory= may not be below /proc/, /sys/ or /dev/ when using mount namespacing. Refusing.");

+ const KillContext *kc = unit_get_kill_context(u);
+
+ if (ec->pam_name && kc && !IN_SET(kc->kill_mode, KILL_CONTROL_GROUP, KILL_MIXED))
+ return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "Unit has PAM enabled. Kill mode must be set to 'control-group' or 'mixed'. Refusing.");
+
 return 0;
 }

@@ -4362,7 +4368,7 @@ int unit_patch_contexts(Unit *u) {
 }
 }

- return unit_verify_contexts(u, ec);
+ return unit_verify_contexts(u);
 }

 ExecContext *unit_get_exec_context(const Unit *u) {
diff --git a/src/core/unit.h b/src/core/unit.h
index cabf7cc4219..04a4189de38 100644
--- a/src/core/unit.h
+++ b/src/core/unit.h
@@ -926,15 +926,15 @@ void unit_ref_unset(UnitRef *ref);

 int unit_patch_contexts(Unit *u);

-ExecContext *unit_get_exec_context(const Unit *u) _pure_;
-KillContext *unit_get_kill_context(const Unit *u) _pure_;
-CGroupContext *unit_get_cgroup_context(const Unit *u) _pure_;
+ExecContext* unit_get_exec_context(const Unit *u) _pure_;
+KillContext* unit_get_kill_context(const Unit *u) _pure_;
+CGroupContext* unit_get_cgroup_context(const Unit *u) _pure_;

-ExecRuntime *unit_get_exec_runtime(const Unit *u) _pure_;
-CGroupRuntime *unit_get_cgroup_runtime(const Unit *u) _pure_;
+ExecRuntime* unit_get_exec_runtime(const Unit *u) _pure_;
+CGroupRuntime* unit_get_cgroup_runtime(const Unit *u) _pure_;

 int unit_setup_exec_runtime(Unit *u);
-CGroupRuntime *unit_setup_cgroup_runtime(Unit *u);
+CGroupRuntime* unit_setup_cgroup_runtime(Unit *u);

 const char* unit_escape_setting(const char *s, UnitWriteFlags flags, char **buf);
 char* unit_concat_strv(char **l, UnitWriteFlags flags);
--
2.47.3
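Review bot: In the check added to unit_verify_contexts() (unit.c, `@@ -4232,6 +4233,11 @@`, function body starts outside the hunk), the `kc &&` term makes the PAMName=/KillMode= validation fail open: a unit with `pam_name` set but no kill context is accepted without any check. The four removed per-type checks each read a kill context directly, which suggests every unit type with an exec context also has one; if that holds, `assert(kc);` after the lookup would state the invariant instead of skipping silently. Since the check now runs only via unit_patch_contexts(), confirm that the mount, socket and swap load paths all call it, as those call sites are outside this diff and the old checks in mount_verify(), socket_verify() and swap_verify() are gone. A comment above the new check saying why PAM restricts the kill mode would also help, e.g. `/* With PAM enabled the whole control group must be killed on stop, hence only control-group and mixed are accepted. */` (rationale inferred from the check itself, please confirm). The diffstat shows no test change, so a load test for a socket, mount or swap unit with PAMName= and KillMode=mixed, plus one rejected mode, would pin the widened rule.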