From 2b4cfbf91fdbe7c336fd374e78ae1dca5b342131 Mon Sep 17 00:00:00 2001 From: Mike Yuan Date: Sat, 29 Mar 2025 20:53:36 +0100 Subject: [PATCH] core/execute: drop unused function param and cg unified check for cgns While at it, remove TODO about assuming availability of cgns. We generally want to keep that optional still. --- src/core/exec-invoke.c | 17 ++++++++--------- src/core/execute.c | 30 ++++++++++++------------------ src/core/execute.h | 9 +++++---- 3 files changed, 25 insertions(+), 31 deletions(-) diff --git a/src/core/exec-invoke.c b/src/core/exec-invoke.c index 044a1da437f..c926a808e0e 100644 --- a/src/core/exec-invoke.c +++ b/src/core/exec-invoke.c @@ -3441,7 +3441,7 @@ static int apply_mount_namespace( /* We need to make the pressure path writable even if /sys/fs/cgroups is made read-only, as the * service will need to write to it in order to start the notifications. */ - if (exec_is_cgroup_mount_read_only(context, params) && memory_pressure_path && !streq(memory_pressure_path, "/dev/null")) { + if (exec_is_cgroup_mount_read_only(context) && memory_pressure_path && !streq(memory_pressure_path, "/dev/null")) { read_write_paths_cleanup = strv_copy(context->read_write_paths); if (!read_write_paths_cleanup) return -ENOMEM; @@ -3586,7 +3586,7 @@ static int apply_mount_namespace( * sandbox inside the mount namespace. */ .ignore_protect_paths = !needs_sandboxing && !context->dynamic_user && root_dir, - .protect_control_groups = needs_sandboxing ? exec_get_protect_control_groups(context, params) : PROTECT_CONTROL_GROUPS_NO, + .protect_control_groups = needs_sandboxing ? exec_get_protect_control_groups(context) : PROTECT_CONTROL_GROUPS_NO, .protect_kernel_tunables = needs_sandboxing && context->protect_kernel_tunables, .protect_kernel_modules = needs_sandboxing && context->protect_kernel_modules, .protect_kernel_logs = needs_sandboxing && context->protect_kernel_logs, @@ -4205,9 +4205,8 @@ static void log_command_line( LOG_EXEC_INVOCATION_ID(params)); } -static bool exec_context_needs_cap_sys_admin(const ExecContext *context, const ExecParameters *params) { +static bool exec_context_needs_cap_sys_admin(const ExecContext *context) { assert(context); - assert(params); return context->private_users != PRIVATE_USERS_NO || context->private_tmp != PRIVATE_TMP_NO || @@ -4229,7 +4228,7 @@ static bool exec_context_needs_cap_sys_admin(const ExecContext *context, const E context->protect_kernel_tunables || context->protect_kernel_modules || context->protect_kernel_logs || - exec_needs_cgroup_mount(context, params) || + exec_needs_cgroup_mount(context) || context->protect_clock || context->protect_hostname != PROTECT_HOSTNAME_NO || !strv_isempty(context->read_write_paths) || @@ -4270,7 +4269,7 @@ static bool exec_namespace_is_delegated( /* If we need unprivileged private users, we've already unshared a user namespace by the time we call * setup_delegated_namespaces() for the first time so let's make sure we do all other namespace * unsharing in the first call to setup_delegated_namespaces() by returning false here. */ - if (!have_cap_sys_admin && exec_context_needs_cap_sys_admin(context, params)) + if (!have_cap_sys_admin && exec_context_needs_cap_sys_admin(context)) return false; if (context->delegate_namespaces == NAMESPACE_FLAGS_INITIAL) @@ -4355,7 +4354,7 @@ static int setup_delegated_namespaces( log_exec_warning(context, params, "PrivateIPC=yes is configured, but the kernel does not support IPC namespaces, ignoring."); } - if (needs_sandboxing && exec_needs_cgroup_namespace(context, params) && + if (needs_sandboxing && exec_needs_cgroup_namespace(context) && exec_namespace_is_delegated(context, params, have_cap_sys_admin, CLONE_NEWCGROUP) == delegate) { if (unshare(CLONE_NEWCGROUP) < 0) { *reterr_exit_status = EXIT_NAMESPACE; @@ -5197,7 +5196,7 @@ int exec_invoke( * to the cgroup namespace to environment variables and mounts. If chown/chmod fails, we should not pass memory * pressure path environment variable or read-write mount to the unit. This is why we check if * memory_pressure_path != NULL in the conditional below. */ - if (memory_pressure_path && needs_sandboxing && exec_needs_cgroup_namespace(context, params)) { + if (memory_pressure_path && needs_sandboxing && exec_needs_cgroup_namespace(context)) { memory_pressure_path = mfree(memory_pressure_path); r = cg_get_path("memory", "", "memory.pressure", &memory_pressure_path); if (r < 0) { @@ -5364,7 +5363,7 @@ int exec_invoke( } } - if (needs_sandboxing && !have_cap_sys_admin && exec_context_needs_cap_sys_admin(context, params)) { + if (needs_sandboxing && !have_cap_sys_admin && exec_context_needs_cap_sys_admin(context)) { /* If we're unprivileged, set up the user namespace first to enable use of the other namespaces. * Users with CAP_SYS_ADMIN can set up user namespaces last because they will be able to * set up all of the other namespaces (i.e. network, mount, UTS) without a user namespace. */ diff --git a/src/core/execute.c b/src/core/execute.c index e6a45e3c13e..3bc80cd6436 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -232,24 +232,18 @@ bool exec_needs_ipc_namespace(const ExecContext *context) { return context->private_ipc || context->ipc_namespace_path; } -static bool can_apply_cgroup_namespace(const ExecContext *context, const ExecParameters *params) { - return cg_all_unified() > 0 && ns_type_supported(NAMESPACE_CGROUP); -} - static bool needs_cgroup_namespace(ProtectControlGroups i) { return IN_SET(i, PROTECT_CONTROL_GROUPS_PRIVATE, PROTECT_CONTROL_GROUPS_STRICT); } -ProtectControlGroups exec_get_protect_control_groups(const ExecContext *context, const ExecParameters *params) { +ProtectControlGroups exec_get_protect_control_groups(const ExecContext *context) { assert(context); /* If cgroup namespace is configured via ProtectControlGroups=private or strict but we can't actually - * use cgroup namespace, either from not having unified hierarchy or kernel support, we ignore the - * setting and do not unshare the namespace. ProtectControlGroups=private and strict get downgraded - * to no and yes respectively. This ensures that strict always gets a read-only mount of /sys/fs/cgroup. - * - * TODO: Remove fallback once cgroupv1 support is removed in v258. */ - if (needs_cgroup_namespace(context->protect_control_groups) && !can_apply_cgroup_namespace(context, params)) { + * use cgroup namespace, we ignore the setting and do not unshare the namespace. + * ProtectControlGroups=private and strict get downgraded to no and yes respectively. This ensures + * that strict always gets a read-only mount of /sys/fs/cgroup/. */ + if (needs_cgroup_namespace(context->protect_control_groups) && !ns_type_supported(NAMESPACE_CGROUP)) { if (context->protect_control_groups == PROTECT_CONTROL_GROUPS_PRIVATE) return PROTECT_CONTROL_GROUPS_NO; if (context->protect_control_groups == PROTECT_CONTROL_GROUPS_STRICT) @@ -258,22 +252,22 @@ ProtectControlGroups exec_get_protect_control_groups(const ExecContext *context, return context->protect_control_groups; } -bool exec_needs_cgroup_namespace(const ExecContext *context, const ExecParameters *params) { +bool exec_needs_cgroup_namespace(const ExecContext *context) { assert(context); - return needs_cgroup_namespace(exec_get_protect_control_groups(context, params)); + return needs_cgroup_namespace(exec_get_protect_control_groups(context)); } -bool exec_needs_cgroup_mount(const ExecContext *context, const ExecParameters *params) { +bool exec_needs_cgroup_mount(const ExecContext *context) { assert(context); - return exec_get_protect_control_groups(context, params) != PROTECT_CONTROL_GROUPS_NO; + return exec_get_protect_control_groups(context) != PROTECT_CONTROL_GROUPS_NO; } -bool exec_is_cgroup_mount_read_only(const ExecContext *context, const ExecParameters *params) { +bool exec_is_cgroup_mount_read_only(const ExecContext *context) { assert(context); - return IN_SET(exec_get_protect_control_groups(context, params), PROTECT_CONTROL_GROUPS_YES, PROTECT_CONTROL_GROUPS_STRICT); + return IN_SET(exec_get_protect_control_groups(context), PROTECT_CONTROL_GROUPS_YES, PROTECT_CONTROL_GROUPS_STRICT); } bool exec_needs_pid_namespace(const ExecContext *context) { @@ -331,7 +325,7 @@ bool exec_needs_mount_namespace( context->protect_kernel_tunables || context->protect_kernel_modules || context->protect_kernel_logs || - exec_needs_cgroup_mount(context, params) || + exec_needs_cgroup_mount(context) || context->protect_proc != PROTECT_PROC_DEFAULT || context->proc_subset != PROC_SUBSET_ALL || exec_needs_ipc_namespace(context) || diff --git a/src/core/execute.h b/src/core/execute.h index af2d972406f..78f04d51739 100644 --- a/src/core/execute.h +++ b/src/core/execute.h @@ -631,10 +631,11 @@ bool exec_needs_network_namespace(const ExecContext *context); bool exec_needs_ipc_namespace(const ExecContext *context); bool exec_needs_pid_namespace(const ExecContext *context); -ProtectControlGroups exec_get_protect_control_groups(const ExecContext *context, const ExecParameters *params); -bool exec_needs_cgroup_namespace(const ExecContext *context, const ExecParameters *params); -bool exec_needs_cgroup_mount(const ExecContext *context, const ExecParameters *params); -bool exec_is_cgroup_mount_read_only(const ExecContext *context, const ExecParameters *params); +ProtectControlGroups exec_get_protect_control_groups(const ExecContext *context); +bool exec_needs_cgroup_namespace(const ExecContext *context); +bool exec_needs_cgroup_mount(const ExecContext *context); +bool exec_is_cgroup_mount_read_only(const ExecContext *context); + const char* exec_get_private_notify_socket_path(const ExecContext *context, const ExecParameters *params, bool needs_sandboxing); /* These logging macros do the same logging as those in unit.h, but using ExecContext and ExecParameters -- 2.47.3