machined: reject invalid class types when registering machines

Follow-up for fbe550738d03b178bb004a1390e74115e904118a

diff --git a/src/machine/machine-varlink.c b/src/machine/machine-varlink.c
index 118d8178f40fb3e2e08dd2575b5fe59fe7ced6ae..73edd781b58b56a0ebb14660b2aca302b55a806f 100644 (file)
--- a/src/machine/machine-varlink.c
+++ b/src/machine/machine-varlink.c
@@ -155,6 +155,9 @@ int vl_method_register(sd_varlink *link, sd_json_variant *parameters, sd_varlink
         if (r != 0)
                 return r;
 
+        if (!IN_SET(machine->class, MACHINE_CONTAINER, MACHINE_VM))
+                return sd_varlink_error_invalid_parameter_name(link, "class");
+
         if (manager->runtime_scope != RUNTIME_SCOPE_USER) {
                 r = varlink_verify_polkit_async(
                                 link,

diff --git a/src/machine/machined-dbus.c b/src/machine/machined-dbus.c
index ab7ca94fd01bd0b0d637b8060d0ab43136a8f1e7..87f0c15ee13d0e86d09fa1183e81ad7ce7ba1e1c 100644 (file)
--- a/src/machine/machined-dbus.c
+++ b/src/machine/machined-dbus.c
@@ -433,7 +433,7 @@ static int method_create_or_register_machine(
                 c = _MACHINE_CLASS_INVALID;
         else {
                 c = machine_class_from_string(class);
-                if (c < 0)
+                if (c < 0 || !IN_SET(c, MACHINE_CONTAINER, MACHINE_VM))
                         return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid machine class parameter");
         }
 
@@ -608,7 +608,7 @@ static int method_create_or_register_machine_ex(
                 c = _MACHINE_CLASS_INVALID;
         else {
                 c = machine_class_from_string(class);
-                if (c < 0)
+                if (c < 0 || !IN_SET(c, MACHINE_CONTAINER, MACHINE_VM))
                         return sd_bus_error_set(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid machine class parameter");
         }
 

diff --git a/test/units/TEST-13-NSPAWN.unpriv.sh b/test/units/TEST-13-NSPAWN.unpriv.sh
index 25867de7071155ab9b6564b767ef15b5e73c117d..75a9c1aac070bcda69b43177827b71ab71f70482 100755 (executable)
--- a/test/units/TEST-13-NSPAWN.unpriv.sh
+++ b/test/units/TEST-13-NSPAWN.unpriv.sh
@@ -120,6 +120,46 @@ run0 -u testuser  \
         /run/systemd/machine/io.systemd.Machine \
         io.systemd.Machine.Open \
         '{"name":"shouldnotwork3", "mode": "shell", "user":"root","path":"/usr/bin/bash","args":["bash","-c","''touch /shouldnotwork; sleep 20''"]}')
+(! varlinkctl \
+    call \
+    /run/systemd/machine/io.systemd.Machine \
+    io.systemd.Machine.Register \
+    "{\"name\":\"shouldnotwork4\", \"class\":\"host\", \"leader\": $sleep_pid}")
+(! machinectl list | grep shouldnotwork4)
+(! run0 -u testuser  \
+    varlinkctl \
+        call \
+        /run/systemd/machine/io.systemd.Machine \
+        io.systemd.Machine.Register \
+        "{\"name\":\"shouldnotwork5\", \"class\":\"host\", \"leader\": $sleep_pid}")
+(! machinectl list | grep shouldnotwork5)
+(! busctl call \
+    org.freedesktop.machine1 \
+    /org/freedesktop/machine1 \
+    org.freedesktop.machine1.Manager \
+    RegisterMachine \
+    'sayssus' \
+    shouldnotwork6 \
+    0 \
+    "" \
+    host \
+    0 \
+    "")
+(! machinectl list | grep shouldnotwork6)
+(! run0 -u testuser \
+    busctl call \
+        org.freedesktop.machine1 \
+        /org/freedesktop/machine1 \
+        org.freedesktop.machine1.Manager \
+        RegisterMachine \
+        'sayssus' \
+        shouldnotwork7 \
+        0 \
+        "" \
+        host \
+        0 \
+        "")
+(! machinectl list | grep shouldnotwork7)
 systemctl --user --machine testuser@ stop sleep.service
 test ! -f /shouldnotwork