From 6744ef720b34a87ff69acb8535cf5e83db6f5e8b Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Tue, 24 Jun 2014 14:50:26 +0200
Subject: [PATCH] socket: add SocketUser= and SocketGroup= for chown()ing
sockets in the file system
This is relatively complex, as we cannot invoke NSS from PID 1, and thus
need to fork a helper process temporarily.
(cherry picked from commit 3900e5fdff688dc3c273f177d9d913b7389d5561)
Resolves: #1111761
---
man/systemd.socket.xml | 38 ++++--
src/core/dbus-socket.c | 8 +-
src/core/load-fragment-gperf.gperf.m4 | 4 +-
src/core/socket.c | 220 +++++++++++++++++++++++++++-------
src/core/socket.h | 5 +
src/shared/exit-status.c | 4 +
src/shared/exit-status.h | 3 +-
7 files changed, 224 insertions(+), 58 deletions(-)
diff --git a/man/systemd.socket.xml b/man/systemd.socket.xml
|
|
|
9fc0f6 |
index 570a6fb..d146b3b 100644
|
|
|
9fc0f6 |
--- a/man/systemd.socket.xml
|
|
|
9fc0f6 |
+++ b/man/systemd.socket.xml
|
|
|
9fc0f6 |
@@ -372,16 +372,21 @@
|
|
|
9fc0f6 |
</varlistentry>
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
<varlistentry>
|
|
|
9fc0f6 |
- <term><varname>DirectoryMode=</varname></term>
|
|
|
9fc0f6 |
- <listitem><para>If listening on a file
|
|
|
9fc0f6 |
- system socket or FIFO, the parent
|
|
|
9fc0f6 |
- directories are automatically created
|
|
|
9fc0f6 |
- if needed. This option specifies the
|
|
|
9fc0f6 |
- file system access mode used when
|
|
|
9fc0f6 |
- creating these directories. Takes an
|
|
|
9fc0f6 |
- access mode in octal
|
|
|
9fc0f6 |
- notation. Defaults to
|
|
|
9fc0f6 |
- 0755.</para></listitem>
|
|
|
9fc0f6 |
+ <term><varname>SocketUser=</varname></term>
|
|
|
9fc0f6 |
+ <term><varname>SocketGroup=</varname></term>
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ <listitem><para>Takes a UNIX
|
|
|
9fc0f6 |
+ user/group name. When specified
|
|
|
9fc0f6 |
+ all AF_UNIX sockets and FIFO nodes in
|
|
|
9fc0f6 |
+ the file system are owned by the
|
|
|
9fc0f6 |
+ specified user and group. If unset
|
|
|
9fc0f6 |
+ (the default), the nodes are owned by
|
|
|
9fc0f6 |
+ the root user/group (if run in system
|
|
|
9fc0f6 |
+ context) or the invoking user/group
|
|
|
9fc0f6 |
+ (if run in user context). If only a
|
|
|
9fc0f6 |
+ user is specified but no group, then
|
|
|
9fc0f6 |
+ the group is derived from the user's
|
|
|
9fc0f6 |
+ default group.</para></listitem>
|
|
|
9fc0f6 |
</varlistentry>
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
<varlistentry>
|
|
|
9fc0f6 |
@@ -396,6 +401,19 @@
|
|
|
9fc0f6 |
</varlistentry>
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
<varlistentry>
|
|
|
9fc0f6 |
+ <term><varname>DirectoryMode=</varname></term>
|
|
|
9fc0f6 |
+ <listitem><para>If listening on a file
|
|
|
9fc0f6 |
+ system socket or FIFO, the parent
|
|
|
9fc0f6 |
+ directories are automatically created
|
|
|
9fc0f6 |
+ if needed. This option specifies the
|
|
|
9fc0f6 |
+ file system access mode used when
|
|
|
9fc0f6 |
+ creating these directories. Takes an
|
|
|
9fc0f6 |
+ access mode in octal
|
|
|
9fc0f6 |
+ notation. Defaults to
|
|
|
9fc0f6 |
+ 0755.</para></listitem>
|
|
|
9fc0f6 |
+ </varlistentry>
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ <varlistentry>
|
|
|
9fc0f6 |
<term><varname>Accept=</varname></term>
|
|
|
9fc0f6 |
<listitem><para>Takes a boolean
|
|
|
9fc0f6 |
argument. If true, a service instance
|
|
|
9fc0f6 |
diff --git a/src/core/dbus-socket.c b/src/core/dbus-socket.c
|
|
|
9fc0f6 |
index 30c4b63..870bcdc 100644
|
|
|
9fc0f6 |
--- a/src/core/dbus-socket.c
|
|
|
9fc0f6 |
+++ b/src/core/dbus-socket.c
|
|
|
9fc0f6 |
@@ -44,8 +44,10 @@
|
|
|
9fc0f6 |
BUS_CGROUP_CONTEXT_INTERFACE \
|
|
|
9fc0f6 |
" <property name=\"ControlPID\" type=\"u\" access=\"read\"/>\n" \
|
|
|
9fc0f6 |
" <property name=\"BindToDevice\" type=\"s\" access=\"read\"/>\n" \
|
|
|
9fc0f6 |
- " <property name=\"DirectoryMode\" type=\"u\" access=\"read\"/>\n" \
|
|
|
9fc0f6 |
+ " <property name=\"SocketUser\" type=\"s\" access=\"read\"/>\n" \
|
|
|
9fc0f6 |
+ " <property name=\"SocketGroup\" type=\"s\" access=\"read\"/>\n" \
|
|
|
9fc0f6 |
" <property name=\"SocketMode\" type=\"u\" access=\"read\"/>\n" \
|
|
|
9fc0f6 |
+ " <property name=\"DirectoryMode\" type=\"u\" access=\"read\"/>\n" \
|
|
|
9fc0f6 |
" <property name=\"Accept\" type=\"b\" access=\"read\"/>\n" \
|
|
|
9fc0f6 |
" <property name=\"KeepAlive\" type=\"b\" access=\"read\"/>\n" \
|
|
|
9fc0f6 |
" <property name=\"Priority\" type=\"i\" access=\"read\"/>\n" \
|
|
|
9fc0f6 |
@@ -172,8 +174,10 @@ static const BusProperty bus_socket_properties[] = {
|
|
|
9fc0f6 |
BUS_EXEC_COMMAND_PROPERTY("ExecStopPost", offsetof(Socket, exec_command[SOCKET_EXEC_STOP_POST]), true ),
|
|
|
9fc0f6 |
{ "ControlPID", bus_property_append_pid, "u", offsetof(Socket, control_pid) },
|
|
|
9fc0f6 |
{ "BindToDevice", bus_property_append_string, "s", offsetof(Socket, bind_to_device), true },
|
|
|
9fc0f6 |
- { "DirectoryMode", bus_property_append_mode, "u", offsetof(Socket, directory_mode) },
|
|
|
9fc0f6 |
+ { "SocketUser", bus_property_append_string, "s", offsetof(Socket, user), true },
|
|
|
9fc0f6 |
+ { "SocketGroup", bus_property_append_string, "s", offsetof(Socket, group), true },
|
|
|
9fc0f6 |
{ "SocketMode", bus_property_append_mode, "u", offsetof(Socket, socket_mode) },
|
|
|
9fc0f6 |
+ { "DirectoryMode", bus_property_append_mode, "u", offsetof(Socket, directory_mode) },
|
|
|
9fc0f6 |
{ "Accept", bus_property_append_bool, "b", offsetof(Socket, accept) },
|
|
|
9fc0f6 |
{ "KeepAlive", bus_property_append_bool, "b", offsetof(Socket, keep_alive) },
|
|
|
9fc0f6 |
{ "Priority", bus_property_append_int, "i", offsetof(Socket, priority) },
|
|
|
9fc0f6 |
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
|
|
|
9fc0f6 |
index d65bcc1..0991cb9 100644
|
|
|
9fc0f6 |
--- a/src/core/load-fragment-gperf.gperf.m4
|
|
|
9fc0f6 |
+++ b/src/core/load-fragment-gperf.gperf.m4
|
|
|
9fc0f6 |
@@ -193,8 +193,10 @@ Socket.ExecStartPost, config_parse_exec, SOCKET_EXEC
|
|
|
9fc0f6 |
Socket.ExecStopPre, config_parse_exec, SOCKET_EXEC_STOP_PRE, offsetof(Socket, exec_command)
|
|
|
9fc0f6 |
Socket.ExecStopPost, config_parse_exec, SOCKET_EXEC_STOP_POST, offsetof(Socket, exec_command)
|
|
|
9fc0f6 |
Socket.TimeoutSec, config_parse_sec, 0, offsetof(Socket, timeout_usec)
|
|
|
9fc0f6 |
-Socket.DirectoryMode, config_parse_mode, 0, offsetof(Socket, directory_mode)
|
|
|
9fc0f6 |
+Socket.SocketUser, config_parse_unit_string_printf, 0, offsetof(Socket, user)
|
|
|
9fc0f6 |
+Socket.SocketGroup, config_parse_unit_string_printf, 0, offsetof(Socket, group)
|
|
|
9fc0f6 |
Socket.SocketMode, config_parse_mode, 0, offsetof(Socket, socket_mode)
|
|
|
9fc0f6 |
+Socket.DirectoryMode, config_parse_mode, 0, offsetof(Socket, directory_mode)
|
|
|
9fc0f6 |
Socket.Accept, config_parse_bool, 0, offsetof(Socket, accept)
|
|
|
9fc0f6 |
Socket.MaxConnections, config_parse_unsigned, 0, offsetof(Socket, max_connections)
|
|
|
9fc0f6 |
Socket.KeepAlive, config_parse_bool, 0, offsetof(Socket, keep_alive)
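Review bot: `Socket.SocketUser` and `Socket.SocketGroup` are parsed with `config_parse_unit_string_printf`, which, as far as this hunk shows, stores the specifier-expanded string without checking that it is a plausible user or group name. A typo or an unintended specifier expansion would then only surface when the forked chown helper fails at socket start. Consider rejecting empty or syntactically invalid names at load time (in a dedicated parser or the unit's verify step) and logging the offending unit file line, so that a misconfigured owner is caught before the socket node is created.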
|
|
|
9fc0f6 |
diff --git a/src/core/socket.c b/src/core/socket.c
|
|
|
9fc0f6 |
index e673f38..32e0d35 100644
|
|
|
9fc0f6 |
--- a/src/core/socket.c
|
|
|
9fc0f6 |
+++ b/src/core/socket.c
|
|
|
9fc0f6 |
@@ -54,6 +54,7 @@
|
|
|
9fc0f6 |
static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
|
|
|
9fc0f6 |
[SOCKET_DEAD] = UNIT_INACTIVE,
|
|
|
9fc0f6 |
[SOCKET_START_PRE] = UNIT_ACTIVATING,
|
|
|
9fc0f6 |
+ [SOCKET_START_CHOWN] = UNIT_ACTIVATING,
|
|
|
9fc0f6 |
[SOCKET_START_POST] = UNIT_ACTIVATING,
|
|
|
9fc0f6 |
[SOCKET_LISTENING] = UNIT_ACTIVE,
|
|
|
9fc0f6 |
[SOCKET_RUNNING] = UNIT_ACTIVE,
|
|
|
9fc0f6 |
@@ -147,6 +148,8 @@ static void socket_done(Unit *u) {
|
|
|
9fc0f6 |
free(s->smack);
|
|
|
9fc0f6 |
free(s->smack_ip_in);
|
|
|
9fc0f6 |
free(s->smack_ip_out);
|
|
|
9fc0f6 |
+ free(s->user);
|
|
|
9fc0f6 |
+ free(s->group);
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
unit_unwatch_timer(u, &s->timer_watch);
|
|
|
9fc0f6 |
}
|
|
|
9fc0f6 |
@@ -527,6 +530,16 @@ static void socket_dump(Unit *u, FILE *f, const char *prefix) {
|
|
|
9fc0f6 |
"%sSmackLabelIPOut: %s\n",
|
|
|
9fc0f6 |
prefix, s->smack_ip_out);
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
+ if (s->user)
|
|
|
9fc0f6 |
+ fprintf(f,
|
|
|
9fc0f6 |
+ "%sOwnerUser: %s\n",
|
|
|
9fc0f6 |
+ prefix, s->user);
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ if (s->group)
|
|
|
9fc0f6 |
+ fprintf(f,
|
|
|
9fc0f6 |
+ "%sOwnerGroup: %s\n",
|
|
|
9fc0f6 |
+ prefix, s->user);
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
LIST_FOREACH(port, p, s->ports) {
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
if (p->type == SOCKET_SOCKET) {
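Review bot: The `OwnerGroup` line added to socket_dump prints `s->user` instead of `s->group`, so the dump repeats the user name and never shows the configured group; with `SocketGroup=` set and `SocketUser=` unset it also passes a NULL pointer to `%s`. The second `fprintf` should end with `prefix, s->group);`. The labels `OwnerUser`/`OwnerGroup` also differ from the `SocketUser=`/`SocketGroup=` names this patch uses in the man page and the D-Bus properties; matching them would make dumps easier to correlate with unit files. socket_dump begins and ends outside this hunk.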
|
|
|
9fc0f6 |
@@ -1100,6 +1113,7 @@ static void socket_set_state(Socket *s, SocketState state) {
|
|
|
9fc0f6 |
s->state = state;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
if (state != SOCKET_START_PRE &&
|
|
|
9fc0f6 |
+ state != SOCKET_START_CHOWN &&
|
|
|
9fc0f6 |
state != SOCKET_START_POST &&
|
|
|
9fc0f6 |
state != SOCKET_STOP_PRE &&
|
|
|
9fc0f6 |
state != SOCKET_STOP_PRE_SIGTERM &&
|
|
|
9fc0f6 |
@@ -1116,7 +1130,8 @@ static void socket_set_state(Socket *s, SocketState state) {
|
|
|
9fc0f6 |
if (state != SOCKET_LISTENING)
|
|
|
9fc0f6 |
socket_unwatch_fds(s);
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
- if (state != SOCKET_START_POST &&
|
|
|
9fc0f6 |
+ if (state != SOCKET_START_CHOWN &&
|
|
|
9fc0f6 |
+ state != SOCKET_START_POST &&
|
|
|
9fc0f6 |
state != SOCKET_LISTENING &&
|
|
|
9fc0f6 |
state != SOCKET_RUNNING &&
|
|
|
9fc0f6 |
state != SOCKET_STOP_PRE &&
|
|
|
9fc0f6 |
@@ -1143,6 +1158,7 @@ static int socket_coldplug(Unit *u) {
|
|
|
9fc0f6 |
if (s->deserialized_state != s->state) {
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
if (s->deserialized_state == SOCKET_START_PRE ||
|
|
|
9fc0f6 |
+ s->deserialized_state == SOCKET_START_CHOWN ||
|
|
|
9fc0f6 |
s->deserialized_state == SOCKET_START_POST ||
|
|
|
9fc0f6 |
s->deserialized_state == SOCKET_STOP_PRE ||
|
|
|
9fc0f6 |
s->deserialized_state == SOCKET_STOP_PRE_SIGTERM ||
|
|
|
9fc0f6 |
@@ -1163,7 +1179,8 @@ static int socket_coldplug(Unit *u) {
|
|
|
9fc0f6 |
return r;
|
|
|
9fc0f6 |
}
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
- if (s->deserialized_state == SOCKET_START_POST ||
|
|
|
9fc0f6 |
+ if (s->deserialized_state == SOCKET_START_CHOWN ||
|
|
|
9fc0f6 |
+ s->deserialized_state == SOCKET_START_POST ||
|
|
|
9fc0f6 |
s->deserialized_state == SOCKET_LISTENING ||
|
|
|
9fc0f6 |
s->deserialized_state == SOCKET_RUNNING ||
|
|
|
9fc0f6 |
s->deserialized_state == SOCKET_STOP_PRE ||
|
|
|
9fc0f6 |
@@ -1185,7 +1202,7 @@ static int socket_coldplug(Unit *u) {
|
|
|
9fc0f6 |
static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
|
|
|
9fc0f6 |
pid_t pid;
|
|
|
9fc0f6 |
int r;
|
|
|
9fc0f6 |
- char **argv;
|
|
|
9fc0f6 |
+ _cleanup_strv_free_ char **argv = NULL;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
assert(s);
|
|
|
9fc0f6 |
assert(c);
|
|
|
9fc0f6 |
@@ -1216,11 +1233,11 @@ static int socket_spawn(Socket *s, ExecCommand *c, pid_t *_pid) {
|
|
|
9fc0f6 |
NULL,
|
|
|
9fc0f6 |
&pid;;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
- strv_free(argv);
|
|
|
9fc0f6 |
if (r < 0)
|
|
|
9fc0f6 |
goto fail;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
- if ((r = unit_watch_pid(UNIT(s), pid)) < 0)
|
|
|
9fc0f6 |
+ r = unit_watch_pid(UNIT(s), pid);
|
|
|
9fc0f6 |
+ if (r < 0)
|
|
|
9fc0f6 |
/* FIXME: we need to do something here */
|
|
|
9fc0f6 |
goto fail;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
@@ -1234,6 +1251,88 @@ fail:
|
|
|
9fc0f6 |
return r;
|
|
|
9fc0f6 |
}
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
+static int socket_chown(Socket *s, pid_t *_pid) {
|
|
|
9fc0f6 |
+ pid_t pid;
|
|
|
9fc0f6 |
+ int r;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ r = unit_watch_timer(UNIT(s), CLOCK_MONOTONIC, true, s->timeout_usec, &s->timer_watch);
|
|
|
9fc0f6 |
+ if (r < 0)
|
|
|
9fc0f6 |
+ goto fail;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ pid = fork();
|
|
|
9fc0f6 |
+ if (pid < 0)
|
|
|
9fc0f6 |
+ return -errno;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ if (pid == 0) {
|
|
|
9fc0f6 |
+ SocketPort *p;
|
|
|
9fc0f6 |
+ uid_t uid = (uid_t) -1;
|
|
|
9fc0f6 |
+ gid_t gid = (gid_t) -1;
|
|
|
9fc0f6 |
+ int ret;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ default_signals(SIGNALS_CRASH_HANDLER, SIGNALS_IGNORE, -1);
|
|
|
9fc0f6 |
+ ignore_signals(SIGPIPE, -1);
|
|
|
9fc0f6 |
+ log_forget_fds();
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ if (!isempty(s->user)) {
|
|
|
9fc0f6 |
+ const char *user = s->user;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ r = get_user_creds(&user, &uid, &gid, NULL, NULL);
|
|
|
9fc0f6 |
+ if (r < 0) {
|
|
|
9fc0f6 |
+ ret = EXIT_USER;
|
|
|
9fc0f6 |
+ goto fail_child;
|
|
|
9fc0f6 |
+ }
|
|
|
9fc0f6 |
+ }
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ if (!isempty(s->group)) {
|
|
|
9fc0f6 |
+ const char *group = s->group;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ r = get_group_creds(&group, &gid;;
|
|
|
9fc0f6 |
+ if (r < 0) {
|
|
|
9fc0f6 |
+ ret = EXIT_GROUP;
|
|
|
9fc0f6 |
+ goto fail_child;
|
|
|
9fc0f6 |
+ }
|
|
|
9fc0f6 |
+ }
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ LIST_FOREACH(port, p, s->ports) {
|
|
|
9fc0f6 |
+ const char *path = NULL;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ if (p->type == SOCKET_SOCKET)
|
|
|
9fc0f6 |
+ path = socket_address_get_path(&p->address);
|
|
|
9fc0f6 |
+ else if (p->type == SOCKET_FIFO)
|
|
|
9fc0f6 |
+ path = p->path;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ if (!path)
|
|
|
9fc0f6 |
+ continue;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ if (chown(path, uid, gid) < 0) {
|
|
|
9fc0f6 |
+ r = -errno;
|
|
|
9fc0f6 |
+ ret = EXIT_CHOWN;
|
|
|
9fc0f6 |
+ goto fail_child;
|
|
|
9fc0f6 |
+ }
|
|
|
9fc0f6 |
+ }
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ _exit(0);
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ fail_child:
|
|
|
9fc0f6 |
+ log_open();
|
|
|
9fc0f6 |
+ log_error("Failed to chown socket at step %s: %s", exit_status_to_string(ret, EXIT_STATUS_SYSTEMD), strerror(-r));
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ _exit(ret);
|
|
|
9fc0f6 |
+ }
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ r = unit_watch_pid(UNIT(s), pid);
|
|
|
9fc0f6 |
+ if (r < 0)
|
|
|
9fc0f6 |
+ goto fail;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ *_pid = pid;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ return 0;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+fail:
|
|
|
9fc0f6 |
+ unit_unwatch_timer(UNIT(s), &s->timer_watch);
|
|
|
9fc0f6 |
+ return r;
|
|
|
9fc0f6 |
+}
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
static void socket_enter_dead(Socket *s, SocketResult f) {
|
|
|
9fc0f6 |
assert(s);
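Review bot: The `pid < 0` branch after `fork()` in socket_chown does `return -errno;` directly, so the timer armed by `unit_watch_timer()` just above stays watched, whereas the other parent-side failures go through `fail:` and call `unit_unwatch_timer()`; `if (pid < 0) { r = -errno; goto fail; }` would make the paths consistent. In the child, `chown(path, uid, gid)` resolves the path again after the node was (presumably) created by the earlier bind step and follows symlinks, so if a directory leading to the socket or FIFO is writable by a less privileged user, the privileged helper could change ownership of a different file. `lchown(path, uid, gid)` or `fchownat()` with `AT_SYMLINK_NOFOLLOW` narrows this for the final path component, and the man page entry could state that the parent directory must not be writable by untrusted users. The new function also omits the `assert(s);` that socket_spawn opens with. The trailing context lines belong to socket_enter_dead, which continues outside the hunk.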
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
@@ -1256,9 +1355,11 @@ static void socket_enter_stop_post(Socket *s, SocketResult f) {
|
|
|
9fc0f6 |
socket_unwatch_control_pid(s);
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
s->control_command_id = SOCKET_EXEC_STOP_POST;
|
|
|
9fc0f6 |
+ s->control_command = s->exec_command[SOCKET_EXEC_STOP_POST];
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
- if ((s->control_command = s->exec_command[SOCKET_EXEC_STOP_POST])) {
|
|
|
9fc0f6 |
- if ((r = socket_spawn(s, s->control_command, &s->control_pid)) < 0)
|
|
|
9fc0f6 |
+ if (s->control_command) {
|
|
|
9fc0f6 |
+ r = socket_spawn(s, s->control_command, &s->control_pid);
|
|
|
9fc0f6 |
+ if (r < 0)
|
|
|
9fc0f6 |
goto fail;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
socket_set_state(s, SOCKET_STOP_POST);
|
|
|
9fc0f6 |
@@ -1326,9 +1427,11 @@ static void socket_enter_stop_pre(Socket *s, SocketResult f) {
|
|
|
9fc0f6 |
socket_unwatch_control_pid(s);
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
s->control_command_id = SOCKET_EXEC_STOP_PRE;
|
|
|
9fc0f6 |
+ s->control_command = s->exec_command[SOCKET_EXEC_STOP_PRE];
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
- if ((s->control_command = s->exec_command[SOCKET_EXEC_STOP_PRE])) {
|
|
|
9fc0f6 |
- if ((r = socket_spawn(s, s->control_command, &s->control_pid)) < 0)
|
|
|
9fc0f6 |
+ if (s->control_command) {
|
|
|
9fc0f6 |
+ r = socket_spawn(s, s->control_command, &s->control_pid);
|
|
|
9fc0f6 |
+ if (r < 0)
|
|
|
9fc0f6 |
goto fail;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
socket_set_state(s, SOCKET_STOP_PRE);
|
|
|
9fc0f6 |
@@ -1376,15 +1479,13 @@ static void socket_enter_start_post(Socket *s) {
|
|
|
9fc0f6 |
}
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
socket_unwatch_control_pid(s);
|
|
|
9fc0f6 |
-
|
|
|
9fc0f6 |
s->control_command_id = SOCKET_EXEC_START_POST;
|
|
|
9fc0f6 |
+ s->control_command = s->exec_command[SOCKET_EXEC_START_POST];
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
- if ((s->control_command = s->exec_command[SOCKET_EXEC_START_POST])) {
|
|
|
9fc0f6 |
+ if (s->control_command) {
|
|
|
9fc0f6 |
r = socket_spawn(s, s->control_command, &s->control_pid);
|
|
|
9fc0f6 |
if (r < 0) {
|
|
|
9fc0f6 |
- log_warning_unit(UNIT(s)->id,
|
|
|
9fc0f6 |
- "%s failed to run 'start-post' task: %s",
|
|
|
9fc0f6 |
- UNIT(s)->id, strerror(-r));
|
|
|
9fc0f6 |
+ log_warning_unit(UNIT(s)->id, "%s failed to run 'start-post' task: %s", UNIT(s)->id, strerror(-r));
|
|
|
9fc0f6 |
goto fail;
|
|
|
9fc0f6 |
}
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
@@ -1398,6 +1499,38 @@ fail:
|
|
|
9fc0f6 |
socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
|
|
|
9fc0f6 |
}
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
+static void socket_enter_start_chown(Socket *s) {
|
|
|
9fc0f6 |
+ int r;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ assert(s);
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ r = socket_open_fds(s);
|
|
|
9fc0f6 |
+ if (r < 0) {
|
|
|
9fc0f6 |
+ log_warning_unit(UNIT(s)->id, "%s failed to listen on sockets: %s", UNIT(s)->id, strerror(-r));
|
|
|
9fc0f6 |
+ goto fail;
|
|
|
9fc0f6 |
+ }
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ if (!isempty(s->user) || !isempty(s->group)) {
|
|
|
9fc0f6 |
+ socket_unwatch_control_pid(s);
|
|
|
9fc0f6 |
+ s->control_command_id = SOCKET_EXEC_START_CHOWN;
|
|
|
9fc0f6 |
+ s->control_command = NULL;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ r = socket_chown(s, &s->control_pid);
|
|
|
9fc0f6 |
+ if (r < 0) {
|
|
|
9fc0f6 |
+ log_warning_unit(UNIT(s)->id, "%s failed to fork 'start-chown' task: %s", UNIT(s)->id, strerror(-r));
|
|
|
9fc0f6 |
+ goto fail;
|
|
|
9fc0f6 |
+ }
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ socket_set_state(s, SOCKET_START_CHOWN);
|
|
|
9fc0f6 |
+ } else
|
|
|
9fc0f6 |
+ socket_enter_start_post(s);
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ return;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+fail:
|
|
|
9fc0f6 |
+ socket_enter_stop_pre(s, SOCKET_FAILURE_RESOURCES);
|
|
|
9fc0f6 |
+}
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
static void socket_enter_start_pre(Socket *s) {
|
|
|
9fc0f6 |
int r;
|
|
|
9fc0f6 |
assert(s);
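Review bot: socket_enter_start_chown sets `s->control_command_id = SOCKET_EXEC_START_CHOWN` while leaving `s->control_command = NULL`, so in this state a control PID exists with no ExecCommand behind it, and nothing in the function says so. A short comment above the `socket_chown()` call, for example `/* No ExecCommand here: the chown runs in a forked helper because NSS lookups must not happen in PID 1 */`, would tell readers that code handling the control process (SIGCHLD handling, serialization) has to tolerate a NULL `control_command` here. Whether those paths already do is not visible in the hunks shown. The trailing context belongs to socket_enter_start_pre, which continues outside the hunk.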
|
|
|
9fc0f6 |
@@ -1405,21 +1538,21 @@ static void socket_enter_start_pre(Socket *s) {
|
|
|
9fc0f6 |
socket_unwatch_control_pid(s);
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
s->control_command_id = SOCKET_EXEC_START_PRE;
|
|
|
9fc0f6 |
+ s->control_command = s->exec_command[SOCKET_EXEC_START_PRE];
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
- if ((s->control_command = s->exec_command[SOCKET_EXEC_START_PRE])) {
|
|
|
9fc0f6 |
- if ((r = socket_spawn(s, s->control_command, &s->control_pid)) < 0)
|
|
|
9fc0f6 |
+ if (s->control_command) {
|
|
|
9fc0f6 |
+ r = socket_spawn(s, s->control_command, &s->control_pid);
|
|
|
9fc0f6 |
+ if (r < 0)
|
|
|
9fc0f6 |
goto fail;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
socket_set_state(s, SOCKET_START_PRE);
|
|
|
9fc0f6 |
} else
|
|
|
9fc0f6 |
- socket_enter_start_post(s);
|
|
|
9fc0f6 |
+ socket_enter_start_chown(s);
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
return;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
fail:
|
|
|
9fc0f6 |
- log_warning_unit(UNIT(s)->id,
|
|
|
9fc0f6 |
- "%s failed to run 'start-pre' task: %s",
|
|
|
9fc0f6 |
- UNIT(s)->id, strerror(-r));
|
|
|
9fc0f6 |
+ log_warning_unit(UNIT(s)->id, "%s failed to run 'start-pre' task: %s", UNIT(s)->id, strerror(-r));
|
|
|
9fc0f6 |
socket_enter_dead(s, SOCKET_FAILURE_RESOURCES);
|
|
|
9fc0f6 |
}
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
@@ -1609,6 +1742,7 @@ static int socket_start(Unit *u) {
|
|
|
9fc0f6 |
return -EAGAIN;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
if (s->state == SOCKET_START_PRE ||
|
|
|
9fc0f6 |
+ s->state == SOCKET_START_CHOWN ||
|
|
|
9fc0f6 |
s->state == SOCKET_START_POST)
|
|
|
9fc0f6 |
return 0;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
@@ -1669,6 +1803,7 @@ static int socket_stop(Unit *u) {
|
|
|
9fc0f6 |
/* If there's already something running we go directly into
|
|
|
9fc0f6 |
* kill mode. */
|
|
|
9fc0f6 |
if (s->state == SOCKET_START_PRE ||
|
|
|
9fc0f6 |
+ s->state == SOCKET_START_CHOWN ||
|
|
|
9fc0f6 |
s->state == SOCKET_START_POST) {
|
|
|
9fc0f6 |
socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_SUCCESS);
|
|
|
9fc0f6 |
return -EAGAIN;
|
|
|
9fc0f6 |
@@ -2098,11 +2233,18 @@ static void socket_sigchld_event(Unit *u, pid_t pid, int code, int status) {
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
case SOCKET_START_PRE:
|
|
|
9fc0f6 |
if (f == SOCKET_SUCCESS)
|
|
|
9fc0f6 |
- socket_enter_start_post(s);
|
|
|
9fc0f6 |
+ socket_enter_start_chown(s);
|
|
|
9fc0f6 |
else
|
|
|
9fc0f6 |
socket_enter_signal(s, SOCKET_FINAL_SIGTERM, f);
|
|
|
9fc0f6 |
break;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
+ case SOCKET_START_CHOWN:
|
|
|
9fc0f6 |
+ if (f == SOCKET_SUCCESS)
|
|
|
9fc0f6 |
+ socket_enter_start_post(s);
|
|
|
9fc0f6 |
+ else
|
|
|
9fc0f6 |
+ socket_enter_stop_pre(s, f);
|
|
|
9fc0f6 |
+ break;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
case SOCKET_START_POST:
|
|
|
9fc0f6 |
if (f == SOCKET_SUCCESS)
|
|
|
9fc0f6 |
socket_enter_listening(s);
|
|
|
9fc0f6 |
@@ -2141,65 +2283,53 @@ static void socket_timer_event(Unit *u, uint64_t elapsed, Watch *w) {
|
|
|
9fc0f6 |
switch (s->state) {
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
case SOCKET_START_PRE:
|
|
|
9fc0f6 |
- log_warning_unit(u->id,
|
|
|
9fc0f6 |
- "%s starting timed out. Terminating.", u->id);
|
|
|
9fc0f6 |
+ log_warning_unit(u->id, "%s starting timed out. Terminating.", u->id);
|
|
|
9fc0f6 |
socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
|
|
|
9fc0f6 |
break;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
+ case SOCKET_START_CHOWN:
|
|
|
9fc0f6 |
case SOCKET_START_POST:
|
|
|
9fc0f6 |
- log_warning_unit(u->id,
|
|
|
9fc0f6 |
- "%s starting timed out. Stopping.", u->id);
|
|
|
9fc0f6 |
+ log_warning_unit(u->id, "%s starting timed out. Stopping.", u->id);
|
|
|
9fc0f6 |
socket_enter_stop_pre(s, SOCKET_FAILURE_TIMEOUT);
|
|
|
9fc0f6 |
break;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
case SOCKET_STOP_PRE:
|
|
|
9fc0f6 |
- log_warning_unit(u->id,
|
|
|
9fc0f6 |
- "%s stopping timed out. Terminating.", u->id);
|
|
|
9fc0f6 |
+ log_warning_unit(u->id, "%s stopping timed out. Terminating.", u->id);
|
|
|
9fc0f6 |
socket_enter_signal(s, SOCKET_STOP_PRE_SIGTERM, SOCKET_FAILURE_TIMEOUT);
|
|
|
9fc0f6 |
break;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
case SOCKET_STOP_PRE_SIGTERM:
|
|
|
9fc0f6 |
if (s->kill_context.send_sigkill) {
|
|
|
9fc0f6 |
- log_warning_unit(u->id,
|
|
|
9fc0f6 |
- "%s stopping timed out. Killing.", u->id);
|
|
|
9fc0f6 |
+ log_warning_unit(u->id, "%s stopping timed out. Killing.", u->id);
|
|
|
9fc0f6 |
socket_enter_signal(s, SOCKET_STOP_PRE_SIGKILL, SOCKET_FAILURE_TIMEOUT);
|
|
|
9fc0f6 |
} else {
|
|
|
9fc0f6 |
- log_warning_unit(u->id,
|
|
|
9fc0f6 |
- "%s stopping timed out. Skipping SIGKILL. Ignoring.",
|
|
|
9fc0f6 |
- u->id);
|
|
|
9fc0f6 |
+ log_warning_unit(u->id, "%s stopping timed out. Skipping SIGKILL. Ignoring.", u->id);
|
|
|
9fc0f6 |
socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
|
|
|
9fc0f6 |
}
|
|
|
9fc0f6 |
break;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
case SOCKET_STOP_PRE_SIGKILL:
|
|
|
9fc0f6 |
- log_warning_unit(u->id,
|
|
|
9fc0f6 |
- "%s still around after SIGKILL. Ignoring.", u->id);
|
|
|
9fc0f6 |
+ log_warning_unit(u->id, "%s still around after SIGKILL. Ignoring.", u->id);
|
|
|
9fc0f6 |
socket_enter_stop_post(s, SOCKET_FAILURE_TIMEOUT);
|
|
|
9fc0f6 |
break;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
case SOCKET_STOP_POST:
|
|
|
9fc0f6 |
- log_warning_unit(u->id,
|
|
|
9fc0f6 |
- "%s stopping timed out (2). Terminating.", u->id);
|
|
|
9fc0f6 |
+ log_warning_unit(u->id, "%s stopping timed out (2). Terminating.", u->id);
|
|
|
9fc0f6 |
socket_enter_signal(s, SOCKET_FINAL_SIGTERM, SOCKET_FAILURE_TIMEOUT);
|
|
|
9fc0f6 |
break;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
case SOCKET_FINAL_SIGTERM:
|
|
|
9fc0f6 |
if (s->kill_context.send_sigkill) {
|
|
|
9fc0f6 |
- log_warning_unit(u->id,
|
|
|
9fc0f6 |
- "%s stopping timed out (2). Killing.", u->id);
|
|
|
9fc0f6 |
+ log_warning_unit(u->id, "%s stopping timed out (2). Killing.", u->id);
|
|
|
9fc0f6 |
socket_enter_signal(s, SOCKET_FINAL_SIGKILL, SOCKET_FAILURE_TIMEOUT);
|
|
|
9fc0f6 |
} else {
|
|
|
9fc0f6 |
- log_warning_unit(u->id,
|
|
|
9fc0f6 |
- "%s stopping timed out (2). Skipping SIGKILL. Ignoring.",
|
|
|
9fc0f6 |
- u->id);
|
|
|
9fc0f6 |
+ log_warning_unit(u->id, "%s stopping timed out (2). Skipping SIGKILL. Ignoring.", u->id);
|
|
|
9fc0f6 |
socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
|
|
|
9fc0f6 |
}
|
|
|
9fc0f6 |
break;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
case SOCKET_FINAL_SIGKILL:
|
|
|
9fc0f6 |
- log_warning_unit(u->id,
|
|
|
9fc0f6 |
- "%s still around after SIGKILL (2). Entering failed mode.",
|
|
|
9fc0f6 |
- u->id);
|
|
|
9fc0f6 |
+ log_warning_unit(u->id, "%s still around after SIGKILL (2). Entering failed mode.", u->id);
|
|
|
9fc0f6 |
socket_enter_dead(s, SOCKET_FAILURE_TIMEOUT);
|
|
|
9fc0f6 |
break;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
@@ -2333,6 +2463,7 @@ static int socket_kill(Unit *u, KillWho who, int signo, DBusError *error) {
|
|
|
9fc0f6 |
static const char* const socket_state_table[_SOCKET_STATE_MAX] = {
|
|
|
9fc0f6 |
[SOCKET_DEAD] = "dead",
|
|
|
9fc0f6 |
[SOCKET_START_PRE] = "start-pre",
|
|
|
9fc0f6 |
+ [SOCKET_START_CHOWN] = "start-chown",
|
|
|
9fc0f6 |
[SOCKET_START_POST] = "start-post",
|
|
|
9fc0f6 |
[SOCKET_LISTENING] = "listening",
|
|
|
9fc0f6 |
[SOCKET_RUNNING] = "running",
|
|
|
9fc0f6 |
@@ -2349,6 +2480,7 @@ DEFINE_STRING_TABLE_LOOKUP(socket_state, SocketState);
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
static const char* const socket_exec_command_table[_SOCKET_EXEC_COMMAND_MAX] = {
|
|
|
9fc0f6 |
[SOCKET_EXEC_START_PRE] = "StartPre",
|
|
|
9fc0f6 |
+ [SOCKET_EXEC_START_CHOWN] = "StartChown",
|
|
|
9fc0f6 |
[SOCKET_EXEC_START_POST] = "StartPost",
|
|
|
9fc0f6 |
[SOCKET_EXEC_STOP_PRE] = "StopPre",
|
|
|
9fc0f6 |
[SOCKET_EXEC_STOP_POST] = "StopPost"
|
|
|
9fc0f6 |
diff --git a/src/core/socket.h b/src/core/socket.h
|
|
|
9fc0f6 |
index 3d7eadc..6a24883 100644
|
|
|
9fc0f6 |
--- a/src/core/socket.h
|
|
|
9fc0f6 |
+++ b/src/core/socket.h
|
|
|
9fc0f6 |
@@ -32,6 +32,7 @@ typedef struct Socket Socket;
|
|
|
9fc0f6 |
typedef enum SocketState {
|
|
|
9fc0f6 |
SOCKET_DEAD,
|
|
|
9fc0f6 |
SOCKET_START_PRE,
|
|
|
9fc0f6 |
+ SOCKET_START_CHOWN,
|
|
|
9fc0f6 |
SOCKET_START_POST,
|
|
|
9fc0f6 |
SOCKET_LISTENING,
|
|
|
9fc0f6 |
SOCKET_RUNNING,
|
|
|
9fc0f6 |
@@ -48,6 +49,7 @@ typedef enum SocketState {
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
typedef enum SocketExecCommand {
|
|
|
9fc0f6 |
SOCKET_EXEC_START_PRE,
|
|
|
9fc0f6 |
+ SOCKET_EXEC_START_CHOWN,
|
|
|
9fc0f6 |
SOCKET_EXEC_START_POST,
|
|
|
9fc0f6 |
SOCKET_EXEC_STOP_PRE,
|
|
|
9fc0f6 |
SOCKET_EXEC_STOP_POST,
|
|
|
9fc0f6 |
@@ -151,6 +153,9 @@ struct Socket {
|
|
|
9fc0f6 |
char *smack;
|
|
|
9fc0f6 |
char *smack_ip_in;
|
|
|
9fc0f6 |
char *smack_ip_out;
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ char *user;
|
|
|
9fc0f6 |
+ char *group;
|
|
|
9fc0f6 |
};
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
/* Called from the service code when collecting fds */
|
|
|
9fc0f6 |
diff --git a/src/shared/exit-status.c b/src/shared/exit-status.c
|
|
|
9fc0f6 |
index 45131f2..f15fdba 100644
|
|
|
9fc0f6 |
--- a/src/shared/exit-status.c
|
|
|
9fc0f6 |
+++ b/src/shared/exit-status.c
|
|
|
9fc0f6 |
@@ -130,6 +130,10 @@ const char* exit_status_to_string(ExitStatus status, ExitStatusLevel level) {
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
case EXIT_SECCOMP:
|
|
|
9fc0f6 |
return "SECCOMP";
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
+ case EXIT_CHOWN:
|
|
|
9fc0f6 |
+ return "CHOWN";
|
|
|
9fc0f6 |
+
|
|
|
9fc0f6 |
}
|
|
|
9fc0f6 |
}
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
diff --git a/src/shared/exit-status.h b/src/shared/exit-status.h
|
|
|
9fc0f6 |
index 1f035a3..52dd3d0 100644
|
|
|
9fc0f6 |
--- a/src/shared/exit-status.h
|
|
|
9fc0f6 |
+++ b/src/shared/exit-status.h
|
|
|
9fc0f6 |
@@ -67,7 +67,8 @@ typedef enum ExitStatus {
|
|
|
9fc0f6 |
EXIT_NETWORK,
|
|
|
9fc0f6 |
EXIT_NAMESPACE,
|
|
|
9fc0f6 |
EXIT_NO_NEW_PRIVILEGES,
|
|
|
9fc0f6 |
- EXIT_SECCOMP
|
|
|
9fc0f6 |
+ EXIT_SECCOMP,
|
|
|
9fc0f6 |
+ EXIT_CHOWN
|
|
|
9fc0f6 |
} ExitStatus;
|
|
|
9fc0f6 |
|
|
|
9fc0f6 |
typedef enum ExitStatusLevel {
|