summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2019-10-28 14:57:00 +0100
committerGitHub <noreply@github.com>2019-10-28 14:57:00 +0100
commita5f6f346d3db9061fa73527e9dba3fa6b1d80b69 (patch)
tree924f5d0a1832be95944d64183fd51e5d31d2aabc
parentfec837e96e902c041adae552aa3101b8a8132869 (diff)
parentadc09af234047126b5ed65869d575c99dec3f9cc (diff)
downloadsystemd-a5f6f346d3db9061fa73527e9dba3fa6b1d80b69.tar.gz
Merge pull request #13423 from pwithnall/12035-session-time-limits
Add `RuntimeMaxSec=` support to scope units (time-limited login sessions)
-rw-r--r--docs/TRANSIENT-SETTINGS.md1
-rw-r--r--man/pam_systemd.xml7
-rw-r--r--man/systemd.scope.xml25
-rw-r--r--src/core/dbus-scope.c13
-rw-r--r--src/core/load-fragment-gperf.gperf.m41
-rw-r--r--src/core/scope.c41
-rw-r--r--src/core/scope.h1
-rw-r--r--src/login/pam_systemd.c32
-rw-r--r--src/shared/bus-unit-util.c20
-rwxr-xr-xtest/TEST-03-JOBS/test-jobs.sh10
-rw-r--r--test/fuzz/fuzz-unit-file/directives.scope2
11 files changed, 135 insertions, 18 deletions
diff --git a/docs/TRANSIENT-SETTINGS.md b/docs/TRANSIENT-SETTINGS.md
index 08d317ca41..05d6d4c068 100644
--- a/docs/TRANSIENT-SETTINGS.md
+++ b/docs/TRANSIENT-SETTINGS.md
@@ -370,6 +370,7 @@ Scope units are fully supported as transient units (in fact they only exist as
such).
```
+✓ RuntimeMaxSec=
✓ TimeoutStopSec=
```
diff --git a/man/pam_systemd.xml b/man/pam_systemd.xml
index fd8e4fb773..d5be98e4c0 100644
--- a/man/pam_systemd.xml
+++ b/man/pam_systemd.xml
@@ -263,6 +263,12 @@
<listitem><para>Sets unit <varname>IOWeight=</varname>.</para></listitem>
</varlistentry>
+
+ <varlistentry>
+ <term><varname>systemd.runtime_max_sec</varname></term>
+
+ <listitem><para>Sets unit <varname>RuntimeMaxSec=</varname>.</para></listitem>
+ </varlistentry>
</variablelist>
<para>Example data as can be provided from an another PAM module:
@@ -271,6 +277,7 @@ pam_set_data(handle, "systemd.memory_max", (void *)"200M", cleanup);
pam_set_data(handle, "systemd.tasks_max", (void *)"50", cleanup);
pam_set_data(handle, "systemd.cpu_weight", (void *)"100", cleanup);
pam_set_data(handle, "systemd.io_weight", (void *)"340", cleanup);
+pam_set_data(handle, "systemd.runtime_max_sec", (void *)"3600", cleanup);
</programlisting>
</para>
diff --git a/man/systemd.scope.xml b/man/systemd.scope.xml
index 503a480dd0..daf3554db2 100644
--- a/man/systemd.scope.xml
+++ b/man/systemd.scope.xml
@@ -78,6 +78,31 @@
</refsect1>
<refsect1>
+ <title>Options</title>
+
+ <para>Scope files may include a <literal>[Scope]</literal>
+ section, which carries information about the scope and the
+ units it contains. A number of options that may be used in
+ this section are shared with other unit types. These options are
+ documented in
+ <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ and
+ <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ The options specific to the <literal>[Scope]</literal> section
+ of scope units are the following:</para>
+
+ <variablelist class='unit-directives'>
+ <varlistentry>
+ <term><varname>RuntimeMaxSec=</varname></term>
+
+ <listitem><para>Configures a maximum time for the scope to run. If this is used and the scope has been
+ active for longer than the specified time it is terminated and put into a failure state. Pass
+ <literal>infinity</literal> (the default) to configure no runtime limit.</para></listitem>
+ </varlistentry>
+ </variablelist>
+ </refsect1>
+
+ <refsect1>
<title>See Also</title>
<para>
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
diff --git a/src/core/dbus-scope.c b/src/core/dbus-scope.c
index 8eb915e508..84d91dcfa3 100644
--- a/src/core/dbus-scope.c
+++ b/src/core/dbus-scope.c
@@ -47,6 +47,7 @@ const sd_bus_vtable bus_scope_vtable[] = {
SD_BUS_PROPERTY("Controller", "s", NULL, offsetof(Scope, controller), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
SD_BUS_PROPERTY("TimeoutStopUSec", "t", bus_property_get_usec, offsetof(Scope, timeout_stop_usec), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("Result", "s", property_get_result, offsetof(Scope, result), SD_BUS_VTABLE_PROPERTY_EMITS_CHANGE),
+ SD_BUS_PROPERTY("RuntimeMaxUSec", "t", bus_property_get_usec, offsetof(Scope, runtime_max_usec), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_SIGNAL("RequestStop", NULL, 0),
SD_BUS_METHOD("Abandon", NULL, NULL, bus_scope_method_abandon, SD_BUS_VTABLE_UNPRIVILEGED),
SD_BUS_VTABLE_END
@@ -59,6 +60,7 @@ static int bus_scope_set_transient_property(
UnitWriteFlags flags,
sd_bus_error *error) {
+ Unit *u = UNIT(s);
int r;
assert(s);
@@ -68,7 +70,10 @@ static int bus_scope_set_transient_property(
flags |= UNIT_PRIVATE;
if (streq(name, "TimeoutStopUSec"))
- return bus_set_transient_usec(UNIT(s), name, &s->timeout_stop_usec, message, flags, error);
+ return bus_set_transient_usec(u, name, &s->timeout_stop_usec, message, flags, error);
+
+ if (streq(name, "RuntimeMaxUSec"))
+ return bus_set_transient_usec(u, name, &s->runtime_max_usec, message, flags, error);
if (streq(name, "PIDs")) {
_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
@@ -101,12 +106,12 @@ static int bus_scope_set_transient_property(
} else
pid = (uid_t) upid;
- r = unit_pid_attachable(UNIT(s), pid, error);
+ r = unit_pid_attachable(u, pid, error);
if (r < 0)
return r;
if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
- r = unit_watch_pid(UNIT(s), pid, false);
+ r = unit_watch_pid(u, pid, false);
if (r < 0 && r != -EEXIST)
return r;
}
@@ -128,7 +133,7 @@ static int bus_scope_set_transient_property(
/* We can't support direct connections with this, as direct connections know no service or unique name
* concept, but the Controller field stores exactly that. */
- if (sd_bus_message_get_bus(message) != UNIT(s)->manager->api_bus)
+ if (sd_bus_message_get_bus(message) != u->manager->api_bus)
return sd_bus_error_setf(error, SD_BUS_ERROR_NOT_SUPPORTED, "Sorry, Controller= logic only supported via the bus.");
r = sd_bus_message_read(message, "s", &controller);
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index d057c0d18b..66e1a17183 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -471,6 +471,7 @@ CGROUP_CONTEXT_CONFIG_ITEMS(Slice)m4_dnl
m4_dnl
CGROUP_CONTEXT_CONFIG_ITEMS(Scope)m4_dnl
KILL_CONTEXT_CONFIG_ITEMS(Scope)m4_dnl
+Scope.RuntimeMaxSec, config_parse_sec, 0, offsetof(Scope, runtime_max_usec)
Scope.TimeoutStopSec, config_parse_sec, 0, offsetof(Scope, timeout_stop_usec)
m4_dnl The [Install] section is ignored here.
Install.Alias, NULL, 0, 0
diff --git a/src/core/scope.c b/src/core/scope.c
index 094c8979a8..e8cfedb0d4 100644
--- a/src/core/scope.c
+++ b/src/core/scope.c
@@ -34,6 +34,7 @@ static void scope_init(Unit *u) {
assert(u);
assert(u->load_state == UNIT_STUB);
+ s->runtime_max_usec = USEC_INFINITY;
s->timeout_stop_usec = u->manager->default_timeout_stop_usec;
u->ignore_on_isolate = true;
}
@@ -203,6 +204,23 @@ static int scope_load(Unit *u) {
return scope_verify(s);
}
+static usec_t scope_coldplug_timeout(Scope *s) {
+ assert(s);
+
+ switch (s->deserialized_state) {
+
+ case SCOPE_RUNNING:
+ return usec_add(UNIT(s)->active_enter_timestamp.monotonic, s->runtime_max_usec);
+
+ case SCOPE_STOP_SIGKILL:
+ case SCOPE_STOP_SIGTERM:
+ return usec_add(UNIT(s)->state_change_timestamp.monotonic, s->timeout_stop_usec);
+
+ default:
+ return USEC_INFINITY;
+ }
+}
+
static int scope_coldplug(Unit *u) {
Scope *s = SCOPE(u);
int r;
@@ -213,11 +231,9 @@ static int scope_coldplug(Unit *u) {
if (s->deserialized_state == s->state)
return 0;
- if (IN_SET(s->deserialized_state, SCOPE_STOP_SIGKILL, SCOPE_STOP_SIGTERM)) {
- r = scope_arm_timer(s, usec_add(u->state_change_timestamp.monotonic, s->timeout_stop_usec));
- if (r < 0)
- return r;
- }
+ r = scope_arm_timer(s, scope_coldplug_timeout(s));
+ if (r < 0)
+ return r;
if (!IN_SET(s->deserialized_state, SCOPE_DEAD, SCOPE_FAILED))
(void) unit_enqueue_rewatch_pids(u);
@@ -230,15 +246,18 @@ static int scope_coldplug(Unit *u) {
static void scope_dump(Unit *u, FILE *f, const char *prefix) {
Scope *s = SCOPE(u);
+ char buf_runtime[FORMAT_TIMESPAN_MAX];
assert(s);
assert(f);
fprintf(f,
"%sScope State: %s\n"
- "%sResult: %s\n",
+ "%sResult: %s\n"
+ "%sRuntimeMaxSec: %s\n",
prefix, scope_state_to_string(s->state),
- prefix, scope_result_to_string(s->result));
+ prefix, scope_result_to_string(s->result),
+ prefix, format_timespan(buf_runtime, sizeof(buf_runtime), s->runtime_max_usec, USEC_PER_SEC));
cgroup_context_dump(UNIT(s), f, prefix);
kill_context_dump(&s->kill_context, f, prefix);
@@ -351,6 +370,9 @@ static int scope_start(Unit *u) {
scope_set_state(s, SCOPE_RUNNING);
+ /* Set the maximum runtime timeout. */
+ scope_arm_timer(s, usec_add(UNIT(s)->active_enter_timestamp.monotonic, s->runtime_max_usec));
+
/* Start watching the PIDs currently in the scope */
(void) unit_enqueue_rewatch_pids(u);
return 1;
@@ -485,6 +507,11 @@ static int scope_dispatch_timer(sd_event_source *source, usec_t usec, void *user
switch (s->state) {
+ case SCOPE_RUNNING:
+ log_unit_warning(UNIT(s), "Scope reached runtime time limit. Stopping.");
+ scope_enter_signal(s, SCOPE_STOP_SIGTERM, SCOPE_FAILURE_TIMEOUT);
+ break;
+
case SCOPE_STOP_SIGTERM:
if (s->kill_context.send_sigkill) {
log_unit_warning(UNIT(s), "Stopping timed out. Killing.");
diff --git a/src/core/scope.h b/src/core/scope.h
index c38afb5e5d..ae2bb80e55 100644
--- a/src/core/scope.h
+++ b/src/core/scope.h
@@ -24,6 +24,7 @@ struct Scope {
ScopeState state, deserialized_state;
ScopeResult result;
+ usec_t runtime_max_usec;
usec_t timeout_stop_usec;
char *controller;
diff --git a/src/login/pam_systemd.c b/src/login/pam_systemd.c
index 766d651c3f..1e38186e77 100644
--- a/src/login/pam_systemd.c
+++ b/src/login/pam_systemd.c
@@ -279,6 +279,27 @@ static int append_session_memory_max(pam_handle_t *handle, sd_bus_message *m, co
return 0;
}
+static int append_session_runtime_max_sec(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
+ usec_t val;
+ int r;
+
+ /* No need to parse "infinity" here, it will be set by default later in scope_init() */
+ if (isempty(limit) || streq(limit, "infinity"))
+ return 0;
+
+ r = parse_sec(limit, &val);
+ if (r >= 0) {
+ r = sd_bus_message_append(m, "(sv)", "RuntimeMaxUSec", "t", (uint64_t) val);
+ if (r < 0) {
+ pam_syslog(handle, LOG_ERR, "Failed to append to bus message: %s", strerror_safe(r));
+ return r;
+ }
+ } else
+ pam_syslog(handle, LOG_WARNING, "Failed to parse systemd.runtime_max_sec: %s, ignoring.", limit);
+
+ return 0;
+}
+
static int append_session_tasks_max(pam_handle_t *handle, sd_bus_message *m, const char *limit) {
uint64_t val;
int r;
@@ -412,7 +433,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
*seat = NULL,
*type = NULL, *class = NULL,
*class_pam = NULL, *type_pam = NULL, *cvtnr = NULL, *desktop = NULL, *desktop_pam = NULL,
- *memory_max = NULL, *tasks_max = NULL, *cpu_weight = NULL, *io_weight = NULL;
+ *memory_max = NULL, *tasks_max = NULL, *cpu_weight = NULL, *io_weight = NULL, *runtime_max_sec = NULL;
_cleanup_(sd_bus_flush_close_unrefp) sd_bus *bus = NULL;
int session_fd = -1, existing, r;
bool debug = false, remote;
@@ -545,6 +566,7 @@ _public_ PAM_EXTERN int pam_sm_open_session(
(void) pam_get_data(handle, "systemd.tasks_max", (const void **)&tasks_max);
(void) pam_get_data(handle, "systemd.cpu_weight", (const void **)&cpu_weight);
(void) pam_get_data(handle, "systemd.io_weight", (const void **)&io_weight);
+ (void) pam_get_data(handle, "systemd.runtime_max_sec", (const void **)&runtime_max_sec);
/* Talk to logind over the message bus */
@@ -563,8 +585,8 @@ _public_ PAM_EXTERN int pam_sm_open_session(
strempty(seat), vtnr, strempty(tty), strempty(display),
yes_no(remote), strempty(remote_user), strempty(remote_host));
pam_syslog(handle, LOG_DEBUG, "Session limits: "
- "memory_max=%s tasks_max=%s cpu_weight=%s io_weight=%s",
- strna(memory_max), strna(tasks_max), strna(cpu_weight), strna(io_weight));
+ "memory_max=%s tasks_max=%s cpu_weight=%s io_weight=%s runtime_max_sec=%s",
+ strna(memory_max), strna(tasks_max), strna(cpu_weight), strna(io_weight), strna(runtime_max_sec));
}
r = sd_bus_message_new_method_call(
@@ -608,6 +630,10 @@ _public_ PAM_EXTERN int pam_sm_open_session(
if (r < 0)
return PAM_SESSION_ERR;
+ r = append_session_runtime_max_sec(handle, m, runtime_max_sec);
+ if (r < 0)
+ return PAM_SESSION_ERR;
+
r = append_session_tasks_max(handle, m, tasks_max);
if (r < 0)
return PAM_SESSION_ERR;
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index cdd30e1e2d..c9f352f796 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -1381,6 +1381,18 @@ static int bus_append_path_property(sd_bus_message *m, const char *field, const
return 0;
}
+static int bus_append_scope_property(sd_bus_message *m, const char *field, const char *eq) {
+ if (streq(field, "RuntimeMaxSec"))
+
+ return bus_append_parse_sec_rename(m, field, eq);
+
+ if (streq(field, "TimeoutStopSec"))
+
+ return bus_append_parse_sec_rename(m, field, eq);
+
+ return 0;
+}
+
static int bus_append_service_property(sd_bus_message *m, const char *field, const char *eq) {
int r;
@@ -1747,10 +1759,6 @@ int bus_append_unit_property_assignment(sd_bus_message *m, UnitType t, const cha
break;
case UNIT_SCOPE:
-
- if (streq(field, "TimeoutStopSec"))
- return bus_append_parse_sec_rename(m, field, eq);
-
r = bus_append_cgroup_property(m, field, eq);
if (r != 0)
return r;
@@ -1758,6 +1766,10 @@ int bus_append_unit_property_assignment(sd_bus_message *m, UnitType t, const cha
r = bus_append_kill_property(m, field, eq);
if (r != 0)
return r;
+
+ r = bus_append_scope_property(m, field, eq);
+ if (r != 0)
+ return r;
break;
case UNIT_MOUNT:
diff --git a/test/TEST-03-JOBS/test-jobs.sh b/test/TEST-03-JOBS/test-jobs.sh
index 42190cf478..fca6cccb4f 100755
--- a/test/TEST-03-JOBS/test-jobs.sh
+++ b/test/TEST-03-JOBS/test-jobs.sh
@@ -84,4 +84,14 @@ END_SEC=$(date -u '+%s')
ELAPSED=$(($END_SEC-$START_SEC))
[[ "$ELAPSED" -ge 5 ]] && [[ "$ELAPSED" -le 7 ]] || exit 1
+# Test time-limited scopes
+START_SEC=$(date -u '+%s')
+set +e
+systemd-run --scope --property=RuntimeMaxSec=3s sleep 10
+RESULT=$?
+END_SEC=$(date -u '+%s')
+ELAPSED=$(($END_SEC-$START_SEC))
+[[ "$ELAPSED" -ge 3 ]] && [[ "$ELAPSED" -le 5 ]] || exit 1
+[[ "$RESULT" -ne 0 ]] || exit 1
+
touch /testok
diff --git a/test/fuzz/fuzz-unit-file/directives.scope b/test/fuzz/fuzz-unit-file/directives.scope
new file mode 100644
index 0000000000..d0e194c371
--- /dev/null
+++ b/test/fuzz/fuzz-unit-file/directives.scope
@@ -0,0 +1,2 @@
+scope
+RuntimeMaxSec=