Diffstat (limited to 'src/nspawn')
-rw-r--r-- | src/nspawn/nspawn-gperf.gperf | 6 | ||||
-rw-r--r-- | src/nspawn/nspawn-settings.c | 28 | ||||
-rw-r--r-- | src/nspawn/nspawn-settings.h | 8 | ||||
-rw-r--r-- | src/nspawn/nspawn.c | 49 |
4 files changed, 58 insertions, 33 deletions
diff --git a/src/nspawn/nspawn-gperf.gperf b/src/nspawn/nspawn-gperf.gperf
index 4af00c8d95..d25bef7468 100644
--- a/src/nspawn/nspawn-gperf.gperf
+++ b/src/nspawn/nspawn-gperf.gperf
@@ -20,7 +20,7 @@ struct ConfigPerfItem;
 %includes
 %%
 Exec.Boot, config_parse_boot, 0, 0
-Exec.Ephemeral, config_parse_bool, 0, offsetof(Settings, ephemeral)
+Exec.Ephemeral, config_parse_tristate, 0, offsetof(Settings, ephemeral)
 Exec.ProcessTwo, config_parse_pid2, 0, 0
 Exec.Parameters, config_parse_strv, 0, offsetof(Settings, parameters)
 Exec.Environment, config_parse_strv, 0, offsetof(Settings, environment)
@@ -34,7 +34,7 @@ Exec.MachineID, config_parse_id128, 0, of
 Exec.WorkingDirectory, config_parse_path, 0, offsetof(Settings, working_directory)
 Exec.PivotRoot, config_parse_pivot_root, 0, 0
 Exec.PrivateUsers, config_parse_private_users, 0, 0
-Exec.NotifyReady, config_parse_bool, 0, offsetof(Settings, notify_ready)
+Exec.NotifyReady, config_parse_tristate, 0, offsetof(Settings, notify_ready)
 Exec.SystemCallFilter, config_parse_syscall_filter, 0, 0,
 Exec.LimitCPU, config_parse_rlimit, RLIMIT_CPU, offsetof(Settings, rlimit)
 Exec.LimitFSIZE, config_parse_rlimit, RLIMIT_FSIZE, offsetof(Settings, rlimit)
@@ -59,7 +59,7 @@ Exec.CPUAffinity, config_parse_cpu_affinity, 0, 0
 Exec.ResolvConf, config_parse_resolv_conf, 0, offsetof(Settings, resolv_conf)
 Exec.LinkJournal, config_parse_link_journal, 0, 0
 Exec.Timezone, config_parse_timezone, 0, offsetof(Settings, timezone)
-Exec.SuppressSync, config_parse_bool, 0, offsetof(Settings, suppress_sync)
+Exec.SuppressSync, config_parse_tristate, 0, offsetof(Settings, suppress_sync)
 Files.ReadOnly, config_parse_tristate, 0, offsetof(Settings, read_only)
 Files.Volatile, config_parse_volatile_mode, 0, offsetof(Settings, volatile_mode)
 Files.Bind, config_parse_bind, 0, 0
diff --git a/src/nspawn/nspawn-settings.c b/src/nspawn/nspawn-settings.c
index edc0f663bb..1f58bf3ed4 100644
--- a/src/nspawn/nspawn-settings.c
+++ b/src/nspawn/nspawn-settings.c
@@ -27,6 +27,7 @@ Settings *settings_new(void) { *s = (Settings) { .start_mode = _START_MODE_INVALID, + .ephemeral = -1, .personality = PERSONALITY_INVALID, .resolv_conf = _RESOLV_CONF_MODE_INVALID, @@ -57,6 +58,9 @@ Settings *settings_new(void) { .clone_ns_flags = ULONG_MAX, .use_cgns = -1, + + .notify_ready = -1, + .suppress_sync = -1, }; return s; @@ -170,6 +174,8 @@ Settings* settings_free(Settings *s) { bool settings_private_network(Settings *s) { assert(s); + /* Determines whether we shall open up our own private network */ + return s->private_network > 0 || s->network_veth > 0 || @@ -190,6 +196,25 @@ bool settings_network_veth(Settings *s) { s->network_zone; } +bool settings_network_configured(Settings *s) { + assert(s); + + /* Determines whether any network configuration setting was used. (i.e. in contrast to + * settings_private_network() above this might also indicate if private networking was explicitly + * turned off.) */ + + return + s->private_network >= 0 || + s->network_veth >= 0 || + s->network_bridge || + s->network_zone || + s->network_interfaces || + s->network_macvlan || + s->network_ipvlan || + s->network_veth_extra || + s->network_namespace_path; +} + int settings_allocate_properties(Settings *s) { _cleanup_(sd_bus_unrefp) sd_bus *bus = NULL; int r; @@ -285,9 +310,6 @@ int config_parse_capability( } } - if (u == 0) - return 0; - *result |= u; return 0; } diff --git a/src/nspawn/nspawn-settings.h b/src/nspawn/nspawn-settings.h index 1b3ace5f8f..59397ca54b 100644 --- a/src/nspawn/nspawn-settings.h +++ b/src/nspawn/nspawn-settings.h @@ -162,7 +162,7 @@ typedef struct OciHook { typedef struct Settings { /* [Exec] */ StartMode start_mode; - bool ephemeral; + int ephemeral; char **parameters; char **environment; char *user; 
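Review bot: settings_network_configured() enumerates a list of Settings fields that mirrors the one in settings_private_network() directly above it, with `>= 0` instead of `> 0` on the two tristates, so from now on the two lists have to be kept in step by hand whenever a network setting is added to Settings. Nothing in the new function says so; its comment only explains the contrast in meaning. Suggest extending it with one line, `* Keep the field list in sync with settings_private_network(). */`, so the next person adding a network option updates both.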
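Review bot: The new `int ephemeral;` field in nspawn-settings.h (and likewise `notify_ready` and `suppress_sync` in the two following hunks of that header) now carries a tristate contract — settings_new() initialises it to -1 and merge_settings() only applies it when `>= 0` — but the header does not say so, and a reader seeing `int` where `bool` used to be cannot tell that a negative value means "not specified in the file". Suggest `int ephemeral; /* tristate, -1 = not set in the .nspawn file */` on each of the three fields, which also matches `read_only`, already parsed with config_parse_tristate per the gperf table.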
@@ -177,7 +177,7 @@ typedef struct Settings { char *pivot_root_old; UserNamespaceMode userns_mode; uid_t uid_shift, uid_range; - bool notify_ready; + int notify_ready; char **syscall_allow_list; char **syscall_deny_list; struct rlimit *rlimit[_RLIMIT_MAX]; @@ -190,7 +190,7 @@ typedef struct Settings { LinkJournal link_journal; bool link_journal_try; TimezoneMode timezone; - bool suppress_sync; + int suppress_sync; /* [Files] */ int read_only; @@ -242,6 +242,8 @@ Settings* settings_free(Settings *s); bool settings_network_veth(Settings *s); bool settings_private_network(Settings *s); +bool settings_network_configured(Settings *s); + int settings_allocate_properties(Settings *s); DEFINE_TRIVIAL_CLEANUP_FUNC(Settings*, settings_free); diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 1f327b0952..66daeb4f64 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -4284,7 +4284,8 @@ static int merge_settings(Settings *settings, const char *path) { strv_free_and_replace(arg_parameters, settings->parameters); } - if ((arg_settings_mask & SETTING_EPHEMERAL) == 0) + if ((arg_settings_mask & SETTING_EPHEMERAL) == 0 && + settings->ephemeral >= 0) arg_ephemeral = settings->ephemeral; if ((arg_settings_mask & SETTING_DIRECTORY) == 0 && @@ -4336,7 +4337,8 @@ static int merge_settings(Settings *settings, const char *path) { plus = settings->capability; minus = settings->drop_capability; - if ((arg_settings_mask & SETTING_NETWORK) == 0) { + if ((arg_settings_mask & SETTING_NETWORK) == 0 && + settings_network_configured(settings)) { if (settings_private_network(settings)) plus |= UINT64_C(1) << CAP_NET_ADMIN; else 
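Review bot: The CAP_NET_ADMIN plus/minus adjustment is now gated on `settings_network_configured(settings)` alone, whereas the network settings themselves (hunk @@ -4407 of the same file) are additionally gated on `arg_settings_trusted`, so an untrusted file that mentions any network setting still feeds this capability computation while its network settings are ignored. That is only sound if `plus` and `minus` are subject to their own trust check further down in merge_settings(), which lies outside this hunk; if that is the case, a comment here would make the dependency visible, e.g. `/* plus/minus are still subject to the arg_settings_trusted check below */`. merge_settings() starts and ends outside the hunk, and the `else` branch on its last line continues past it.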
@@ -4407,15 +4409,7 @@ static int merge_settings(Settings *settings, const char *path) { } if ((arg_settings_mask & SETTING_NETWORK) == 0 && - (settings->private_network >= 0 || - settings->network_veth >= 0 || - settings->network_bridge || - settings->network_zone || - settings->network_interfaces || - settings->network_macvlan || - settings->network_ipvlan || - settings->network_veth_extra || - settings->network_namespace_path)) { + settings_network_configured(settings)) { if (!arg_settings_trusted) log_warning("Ignoring network settings, file %s is not trusted.", path); 
@@ -4459,27 +4453,33 @@ static int merge_settings(Settings *settings, const char *path) { } } - if ((arg_settings_mask & SETTING_BIND_USER) == 0) + if ((arg_settings_mask & SETTING_BIND_USER) == 0 && + !strv_isempty(settings->bind_user)) strv_free_and_replace(arg_bind_user, settings->bind_user); - if ((arg_settings_mask & SETTING_NOTIFY_READY) == 0) + if ((arg_settings_mask & SETTING_NOTIFY_READY) == 0 && + settings->notify_ready >= 0) arg_notify_ready = settings->notify_ready; if ((arg_settings_mask & SETTING_SYSCALL_FILTER) == 0) { - if (!arg_settings_trusted && !strv_isempty(settings->syscall_allow_list)) - log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", path); - else { - strv_free_and_replace(arg_syscall_allow_list, settings->syscall_allow_list); - strv_free_and_replace(arg_syscall_deny_list, settings->syscall_deny_list); + if (!strv_isempty(settings->syscall_allow_list) || !strv_isempty(settings->syscall_deny_list)) { + if (!arg_settings_trusted && !strv_isempty(settings->syscall_allow_list)) + log_warning("Ignoring SystemCallFilter= settings, file %s is not trusted.", path); + else { + strv_free_and_replace(arg_syscall_allow_list, settings->syscall_allow_list); + strv_free_and_replace(arg_syscall_deny_list, settings->syscall_deny_list); + } } #if HAVE_SECCOMP - if (!arg_settings_trusted && settings->seccomp) - log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path); - else { - seccomp_release(arg_seccomp); - arg_seccomp = TAKE_PTR(settings->seccomp); + if (settings->seccomp) { + if (!arg_settings_trusted) + log_warning("Ignoring SECCOMP filter, file %s is not trusted.", path); + else { + seccomp_release(arg_seccomp); + arg_seccomp = TAKE_PTR(settings->seccomp); + } } #endif } 
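Review bot: In the restructured SystemCallFilter= block the trust check still keys only on the allow list: an untrusted file with an empty `syscall_allow_list` but a non-empty `syscall_deny_list` gets its deny list installed without any warning, while the same file with an allow list has both lists dropped. That asymmetry is presumably deliberate, a deny list being able only to tighten the filter, but it is not obvious from the nested conditions and deserves a comment on the inner `if`, e.g. `/* Untrusted files may only tighten the filter: honour a deny list, never an allow list. */`. The same reasoning applies to the `#if HAVE_SECCOMP` branch, where a supplied filter from an untrusted file is ignored outright. merge_settings() starts and ends outside the hunk.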
@@ -4585,7 +4585,8 @@ static int merge_settings(Settings *settings, const char *path) { arg_console_mode = settings->console_mode; } - if ((arg_settings_mask & SETTING_SUPPRESS_SYNC) == 0) + if ((arg_settings_mask & SETTING_SUPPRESS_SYNC) == 0 && + settings->suppress_sync >= 0) arg_suppress_sync = settings->suppress_sync; /* The following properties can only be set through the OCI settings logic, not from the command line, hence we |