author | Lennart Poettering <lennart@poettering.net> | 2021-06-16 00:24:54 +0200 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-06-16 00:24:54 +0200 |
commit | ad64e3e8d649949a33be6daae6e9821e694b37c2 (patch) | |
tree | 68de3ae762b0c33013e767021801dce8c096207c | |
parent | e7848266dae240abe64aba1b1086ba8025ae50ad (diff) | |
parent | a5f19be8b1e3c2bff9b84f0484a84aa716ab2524 (diff) | |
download | systemd-249-rc1.tar.gz |
Merge pull request #19942 from wat-ze-hex/socket-bind-ip-proto-2021-06-10v249-rc1
dbus: extend SocketBind{Allow|Deny}= with ip proto
-rw-r--r-- | man/org.freedesktop.systemd1.xml | 24 | ||||
-rw-r--r-- | src/core/cgroup.h | 3 | ||||
-rw-r--r-- | src/core/dbus-cgroup.c | 18 | ||||
-rw-r--r-- | src/core/load-fragment.c | 2 | ||||
-rw-r--r-- | src/shared/bus-unit-util.c | 9 | ||||
-rw-r--r-- | src/systemctl/systemctl-show.c | 6 |
6 files changed, 35 insertions, 27 deletions
diff --git a/man/org.freedesktop.systemd1.xml b/man/org.freedesktop.systemd1.xml
index 1edaf157b9..8249e31d07 100644
--- a/man/org.freedesktop.systemd1.xml
+++ b/man/org.freedesktop.systemd1.xml
@@ -2527,9 +2527,9 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
 readonly a(ss) BPFProgram = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
- readonly a(iqq) SocketBindAllow = [...];
+ readonly a(iiqq) SocketBindAllow = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
- readonly a(iqq) SocketBindDeny = [...];
+ readonly a(iiqq) SocketBindDeny = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly as Environment = ['...', ...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
@@ -4331,9 +4331,9 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
 readonly a(ss) BPFProgram = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
- readonly a(iqq) SocketBindAllow = [...];
+ readonly a(iiqq) SocketBindAllow = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
- readonly a(iqq) SocketBindDeny = [...];
+ readonly a(iiqq) SocketBindDeny = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly as Environment = ['...', ...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
@@ -6054,9 +6054,9 @@ node /org/freedesktop/systemd1/unit/home_2emount {
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
 readonly a(ss) BPFProgram = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
- readonly a(iqq) SocketBindAllow = [...];
+ readonly a(iiqq) SocketBindAllow = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
- readonly a(iqq) SocketBindDeny = [...];
+ readonly a(iiqq) SocketBindDeny = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly as Environment = ['...', ...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
@@ -7744,9 +7744,9 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
 readonly a(ss) BPFProgram = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
- readonly a(iqq) SocketBindAllow = [...];
+ readonly a(iiqq) SocketBindAllow = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
- readonly a(iqq) SocketBindDeny = [...];
+ readonly a(iiqq) SocketBindDeny = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly as Environment = ['...', ...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
@@ -9259,9 +9259,9 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
 readonly a(ss) BPFProgram = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
- readonly a(iqq) SocketBindAllow = [...];
+ readonly a(iiqq) SocketBindAllow = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
- readonly a(iqq) SocketBindDeny = [...];
+ readonly a(iiqq) SocketBindDeny = [...];
 };
 interface org.freedesktop.DBus.Peer { ... };
 interface org.freedesktop.DBus.Introspectable { ... };
@@ -9722,9 +9722,9 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
 readonly a(ss) BPFProgram = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
- readonly a(iqq) SocketBindAllow = [...];
+ readonly a(iiqq) SocketBindAllow = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("false")
- readonly a(iqq) SocketBindDeny = [...];
+ readonly a(iiqq) SocketBindDeny = [...];
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
 readonly s KillMode = '...';
 @org.freedesktop.DBus.Property.EmitsChangedSignal("const")
diff --git a/src/core/cgroup.h b/src/core/cgroup.h
index e6790eb0e8..526f056d1e 100644
--- a/src/core/cgroup.h
+++ b/src/core/cgroup.h
@@ -104,7 +104,8 @@ struct CGroupBPFForeignProgram {
 struct CGroupSocketBindItem {
 LIST_FIELDS(CGroupSocketBindItem, socket_bind_items);
- int address_family;
+ int32_t address_family;
+ int32_t ip_protocol;
 uint16_t nr_ports;
 uint16_t port_min;
 };
diff --git a/src/core/dbus-cgroup.c b/src/core/dbus-cgroup.c
index d7f03d0cfd..9f20d547cb 100644
--- a/src/core/dbus-cgroup.c
+++ b/src/core/dbus-cgroup.c
@@ -389,12 +389,12 @@ static int property_get_socket_bind(
 assert(items);
- r = sd_bus_message_open_container(reply, 'a', "(iqq)");
+ r = sd_bus_message_open_container(reply, 'a', "(iiqq)");
 if (r < 0)
 return r;
 LIST_FOREACH(socket_bind_items, i, *items) {
- r = sd_bus_message_append(reply, "(iqq)", i->address_family, i->nr_ports, i->port_min);
+ r = sd_bus_message_append(reply, "(iiqq)", i->address_family, i->ip_protocol, i->nr_ports, i->port_min);
 if (r < 0)
 return r;
 }
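Review bot: Changing the wire signature of SocketBindAllow/SocketBindDeny from `a(iqq)` to `a(iiqq)` in property_get_socket_bind is an incompatible D-Bus API change: a client built against the old signature (an older systemctl, or third-party code that reads these properties) fails in sd_bus_message_enter_container with a type mismatch instead of degrading gracefully, and the same break is in the bus_cgroup_vtable and bus_cgroup_set_property hunks below, where SetUnitProperties calls from older clients are rejected too. If the old signature already shipped in a release (I believe these properties were in v248, worth confirming), the conventional approach is to keep the `a(iqq)` properties as they are and expose the protocol under new property names, or at least to call the break out in NEWS and the man page. At minimum the two vtable entries deserve a comment, e.g. `/* Signature changed from a(iqq): the second 'i' is the IP protocol, currently required to be 0. */`. property_get_socket_bind starts before the hunk.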
@@ -454,8 +454,8 @@ const sd_bus_vtable bus_cgroup_vtable[] = {
 SD_BUS_PROPERTY("ManagedOOMMemoryPressureLimit", "u", NULL, offsetof(CGroupContext, moom_mem_pressure_limit), 0),
 SD_BUS_PROPERTY("ManagedOOMPreference", "s", property_get_managed_oom_preference, offsetof(CGroupContext, moom_preference), 0),
 SD_BUS_PROPERTY("BPFProgram", "a(ss)", property_get_bpf_foreign_program, 0, 0),
- SD_BUS_PROPERTY("SocketBindAllow", "a(iqq)", property_get_socket_bind, offsetof(CGroupContext, socket_bind_allow), 0),
- SD_BUS_PROPERTY("SocketBindDeny", "a(iqq)", property_get_socket_bind, offsetof(CGroupContext, socket_bind_deny), 0),
+ SD_BUS_PROPERTY("SocketBindAllow", "a(iiqq)", property_get_socket_bind, offsetof(CGroupContext, socket_bind_allow), 0),
+ SD_BUS_PROPERTY("SocketBindDeny", "a(iiqq)", property_get_socket_bind, offsetof(CGroupContext, socket_bind_deny), 0),
 SD_BUS_VTABLE_END
 };
@@ -1882,19 +1882,22 @@ int bus_cgroup_set_property(
 CGroupSocketBindItem **list;
 uint16_t nr_ports, port_min;
 size_t n = 0;
- int family;
+ int32_t family, ip_protocol;
 list = streq(name, "SocketBindAllow") ? &c->socket_bind_allow : &c->socket_bind_deny;
- r = sd_bus_message_enter_container(message, 'a', "(iqq)");
+ r = sd_bus_message_enter_container(message, 'a', "(iiqq)");
 if (r < 0)
 return r;
- while ((r = sd_bus_message_read(message, "(iqq)", &family, &nr_ports, &port_min)) > 0) {
+ while ((r = sd_bus_message_read(message, "(iiqq)", &family, &ip_protocol, &nr_ports, &port_min)) > 0) {
 if (!IN_SET(family, AF_UNSPEC, AF_INET, AF_INET6))
 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "%s= expects INET or INET6 family, if specified.", name);
+ if (ip_protocol != 0)
+ return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "%s= expects ip protocol equals to 0, for the time being.", name);
+
 if (port_min + (uint32_t) nr_ports > (1 << 16))
 return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "%s= expects maximum port value lesser than 65536.", name);
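Review bot: The rejection message added in bus_cgroup_set_property, `"%s= expects ip protocol equals to 0, for the time being."`, is ungrammatical for a user-facing error; I would write `"%s= expects IP protocol 0 (other protocols are not supported yet)."`, which also tells the caller what the constraint means rather than that it is temporary. It is also worth a comment above the check saying why only 0 is accepted, e.g. `/* Only "any protocol" is implemented so far; reject anything else up front so the value never reaches the BPF program. */`, since the struct field is now carried through unchanged. Like the existing family and port checks, the new check bails out on the offending element only, so elements read earlier from the same array have presumably already been prepended to the list (the prepend is outside this hunk) and a rejected SetUnitProperties call can leave a partially applied list; that is pre-existing behaviour, but the new check widens the surface. bus_cgroup_set_property starts and ends outside the hunk.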
@@ -1910,6 +1913,7 @@ int bus_cgroup_set_property(
 *item = (CGroupSocketBindItem) {
 .address_family = family,
+ .ip_protocol = ip_protocol,
 .nr_ports = nr_ports,
 .port_min = port_min
 };
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index 46b6549d16..b18f3b34d1 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -5687,6 +5687,8 @@ int config_parse_cgroup_socket_bind(
 return log_oom();
 *item = (CGroupSocketBindItem) {
 .address_family = af,
+ /* No ip protocol specified for now. */
+ .ip_protocol = 0,
 .nr_ports = nr_ports,
 .port_min = port_min,
 };
diff --git a/src/shared/bus-unit-util.c b/src/shared/bus-unit-util.c
index 54d04aae50..4c9fb305e4 100644
--- a/src/shared/bus-unit-util.c
+++ b/src/shared/bus-unit-util.c
@@ -866,11 +866,12 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons
 if (STR_IN_SET(field, "SocketBindAllow", "SocketBindDeny")) {
 if (isempty(eq))
- r = sd_bus_message_append(m, "(sv)", field, "a(iqq)", 0);
+ r = sd_bus_message_append(m, "(sv)", field, "a(iiqq)", 0);
 else {
+ /* No ip protocol specified for now. */
+ int32_t family = AF_UNSPEC, ip_protocol = 0;
 const char *address_family, *user_port;
 _cleanup_free_ char *word = NULL;
- int family = AF_UNSPEC;
 r = extract_first_word(&eq, &word, ":", 0);
 if (r == -ENOMEM)
@@ -888,7 +889,7 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons
 user_port = eq ? eq : word;
 if (streq(user_port, "any")) {
- r = sd_bus_message_append(m, "(sv)", field, "a(iqq)", 1, family, 0, 0);
+ r = sd_bus_message_append(m, "(sv)", field, "a(iiqq)", 1, family, ip_protocol, 0, 0);
 if (r < 0)
 return bus_log_create_error(r);
 } else {
@@ -901,7 +902,7 @@ static int bus_append_cgroup_property(sd_bus_message *m, const char *field, cons
 return log_error_errno(r, "Invalid port or port range: %s", user_port);
 r = sd_bus_message_append(
- m, "(sv)", field, "a(iqq)", 1, family, port_max - port_min + 1, port_min);
+ m, "(sv)", field, "a(iiqq)", 1, family, ip_protocol, port_max - port_min + 1, port_min);
 }
 }
 if (r < 0)
diff --git a/src/systemctl/systemctl-show.c b/src/systemctl/systemctl-show.c
index d4d5a2b427..178270b4b0 100644
--- a/src/systemctl/systemctl-show.c
+++ b/src/systemctl/systemctl-show.c
@@ -1712,12 +1712,12 @@ static int print_property(const char *name, const char *expected_value, sd_bus_m
 return 1;
 } else if (STR_IN_SET(name, "SocketBindAllow", "SocketBindDeny")) {
 uint16_t nr_ports, port_min;
- int af;
+ int32_t af, ip_protocol;
- r = sd_bus_message_enter_container(m, SD_BUS_TYPE_ARRAY, "(iqq)");
+ r = sd_bus_message_enter_container(m, SD_BUS_TYPE_ARRAY, "(iiqq)");
 if (r < 0)
 return bus_log_parse_error(r);
- while ((r = sd_bus_message_read(m, "(iqq)", &af, &ip_protocol, &nr_ports, &port_min)) > 0) {
+ while ((r = sd_bus_message_read(m, "(iiqq)", &af, &ip_protocol, &nr_ports, &port_min)) > 0) {
 const char *family, *colon;
 family = strempty(af_to_ipv4_ipv6(af));
|
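Review bot: `ip_protocol` is decoded in print_property but never used: the visible loop formats only `af` and the port range, and the diffstat for this file (3 insertions, 3 deletions) shows no other change, so `systemctl show` silently drops the protocol it just read. Today the output is unaffected because the manager rejects anything but 0, but a non-zero value sent by a future manager would be invisible to the operator inspecting a unit's bind policy, which is exactly where a reader wants to see it; either render it (for example append `/<proto>` to the printed entry when `ip_protocol != 0`) or leave a comment such as `/* ip_protocol is read to match the a(iiqq) signature but not displayed yet; the manager only accepts 0 for now. */`. The loop and print_property continue past the hunk.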