author | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-06-14 15:06:27 +0900 |
---|---|---|
committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2022-06-22 22:23:58 +0900 |
commit | b48ed70c79c6482e1f39b77d16e62043ff5042a5 (patch) | |
tree | 58245c4075beb60a8558020b647dc67134beb68e /src/core/dbus-execute.c | |
parent | 127b26f3d8b589907ed75a34d34ab330995778f9 (diff) | |
Revert NFTSet feature
This reverts PR #22587 and its follow-up commit. More specifically,
2299b1cae32c1fb8911da0ce26efced68032f4f8 (partially),
e176f855278d5098d3fecc5aa24ba702147d42e0,
ceb46a31a01b3d3d1d6095d857e29ea214a2776b, and
51bb9076ab8c050bebb64db5035852385accda35.
The PR was merged without final approval, and has several issues:
- OSS fuzz reported issues in the conf parser,
- It makes a synchronous netlink call, which it should not, especially in PID1,
- The importance of NFTSet for CGroup and DynamicUser may be
questionable, at least, there was no justification PID1 should support
it.
- For networkd, it should be implemented with Request object,
- There is no test for the feature.
Fixes #23711.
Fixes #23717.
Fixes #23719.
Fixes #23720.
Fixes #23721.
Fixes #23759.
Diffstat (limited to 'src/core/dbus-execute.c')
-rw-r--r-- | src/core/dbus-execute.c | 85 |
1 files changed, 0 insertions, 85 deletions
diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c
index 0b28d4f603..1a9e5da635 100644
--- a/src/core/dbus-execute.c
+++ b/src/core/dbus-execute.c
@@ -22,7 +22,6 @@
 #include "execute.h"
 #include "fd-util.h"
 #include "fileio.h"
-#include "firewall-util.h"
 #include "hexdecoct.h"
 #include "io-util.h"
 #include "ioprio-util.h"
@@ -1143,37 +1142,6 @@ static int bus_property_get_exec_dir_symlink(
 return sd_bus_message_close_container(reply);
 }
-static int property_get_dynamic_user_nft_set(
- sd_bus *bus,
- const char *path,
- const char *interface,
- const char *property,
- sd_bus_message *reply,
- void *userdata,
- sd_bus_error *error) {
-
- ExecContext *c = userdata;
- int r;
-
- assert(bus);
- assert(reply);
- assert(c);
-
- r = sd_bus_message_open_container(reply, 'a', "(iss)");
- if (r < 0)
- return r;
-
- for (size_t i = 0; i < c->n_dynamic_user_nft_set_contexts; i++) {
- NFTSetContext *s = &c->dynamic_user_nft_set_context[i];
-
- r = sd_bus_message_append(reply, "(iss)", s->nfproto, s->table, s->set);
- if (r < 0)
- return r;
- }
-
- return sd_bus_message_close_container(reply);
-}
-
 const sd_bus_vtable bus_exec_vtable[] = {
 SD_BUS_VTABLE_START(0),
 SD_BUS_PROPERTY("Environment", "as", NULL, offsetof(ExecContext, environment), SD_BUS_VTABLE_PROPERTY_CONST),
@@ -1268,7 +1236,6 @@ const sd_bus_vtable bus_exec_vtable[] = {
 SD_BUS_PROPERTY("User", "s", NULL, offsetof(ExecContext, user), SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("Group", "s", NULL, offsetof(ExecContext, group), SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("DynamicUser", "b", bus_property_get_bool, offsetof(ExecContext, dynamic_user), SD_BUS_VTABLE_PROPERTY_CONST),
- SD_BUS_PROPERTY("DynamicUserNFTSet", "a(iss)", property_get_dynamic_user_nft_set, 0, SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("RemoveIPC", "b", bus_property_get_bool, offsetof(ExecContext, remove_ipc), SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("SetCredential", "a(say)", property_get_set_credential, 0, SD_BUS_VTABLE_PROPERTY_CONST),
 SD_BUS_PROPERTY("SetCredentialEncrypted", "a(say)", property_get_set_credential, 0, SD_BUS_VTABLE_PROPERTY_CONST),
@@ -3540,58 +3507,6 @@ int bus_exec_context_set_transient_property(
 return 1;
- } else if (streq(name, "DynamicUserNFTSet")) {
- int nfproto;
- const char *table, *set;
- bool empty = true;
-
- r = sd_bus_message_enter_container(message, 'a', "(iss)");
- if (r < 0)
- return r;
-
- while ((r = sd_bus_message_read(message, "(iss)", &nfproto, &table, &set)) > 0) {
- const char *nfproto_name;
-
- nfproto_name = nfproto_to_string(nfproto);
- if (!nfproto_name)
- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid protocol %d.", nfproto);
-
- if (nft_identifier_bad(table))
- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid NFT table name %s.", table);
-
- if (nft_identifier_bad(set))
- return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "Invalid NFT set name %s.", set);
-
- if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
- r = nft_set_context_add(&c->dynamic_user_nft_set_context, &c->n_dynamic_user_nft_set_contexts, nfproto, table, set);
- if (r < 0)
- return r;
-
- unit_write_settingf(
- u, flags|UNIT_ESCAPE_SPECIFIERS, name,
- "%s=%s:%s:%s",
- name,
- nfproto_name,
- table,
- set);
- }
-
- empty = false;
- }
- if (r < 0)
- return r;
-
- r = sd_bus_message_exit_container(message);
- if (r < 0)
- return r;
-
- if (empty) {
- c->dynamic_user_nft_set_context = nft_set_context_free_many(c->dynamic_user_nft_set_context, &c->n_dynamic_user_nft_set_contexts);
- unit_write_settingf(u, flags, name, "%s=", name);
- }
-
- return 1;
-
 } else if ((suffix = startswith(name, "Limit"))) {
 const char *soft = NULL;
 int ri;