OBS-URL: https://build.opensuse.org/package/show/Base:System/systemd?expand=0&rev=788
This commit is contained in:
parent
901c6030e7
commit
714f5b5a68
@ -5,7 +5,7 @@
|
||||
|
||||
Index: systemd-210/src/login/logind-action.c
|
||||
===================================================================
|
||||
--- systemd-210/src/login/logind-action.c
|
||||
--- systemd-210.orig/src/login/logind-action.c
|
||||
+++ systemd-210/src/login/logind-action.c
|
||||
@@ -101,6 +101,11 @@ int manager_handle_action(
|
||||
|
||||
@ -21,7 +21,7 @@ Index: systemd-210/src/login/logind-action.c
|
||||
return 0;
|
||||
Index: systemd-210/src/login/logind-dbus.c
|
||||
===================================================================
|
||||
--- systemd-210/src/login/logind-dbus.c
|
||||
--- systemd-210.orig/src/login/logind-dbus.c
|
||||
+++ systemd-210/src/login/logind-dbus.c
|
||||
@@ -1469,9 +1469,11 @@ static int method_do_shutdown_or_sleep(
|
||||
sd_bus_error *error) {
|
||||
@ -43,7 +43,7 @@ Index: systemd-210/src/login/logind-dbus.c
|
||||
- if (multiple_sessions) {
|
||||
+ fd = open ("/run/systemd/acpi-shutdown", O_NOFOLLOW|O_PATH|O_CLOEXEC);
|
||||
+ if (fd >= 0) {
|
||||
+ shutdown_through_acpi = ((fstat(fd,&buf) == 0) && (time(NULL) - buf.st_mtime <= 65));
|
||||
+ shutdown_through_acpi = ((fstat(fd,&buf) == 0) && (time(NULL) - buf.st_mtime <= 65) && !sleep_verb);
|
||||
+ close(fd);
|
||||
+ unlink ("/run/systemd/acpi-shutdown");
|
||||
+ }
|
||||
|
135
0001-infinit-timeout-for-kmod-loaded-modules.patch
Normal file
135
0001-infinit-timeout-for-kmod-loaded-modules.patch
Normal file
@ -0,0 +1,135 @@
|
||||
---
|
||||
src/udev/udev-event.c | 42 ++++++++++++++++++++++++++++++++++++++++++
|
||||
src/udev/udev.h | 1 +
|
||||
src/udev/udevd.c | 23 +++++++++++++++++++++--
|
||||
3 files changed, 64 insertions(+), 2 deletions(-)
|
||||
|
||||
--- src/udev/udev-event.c
|
||||
+++ src/udev/udev-event.c 2014-09-24 14:32:53.115639820 +0000
|
||||
@@ -959,6 +959,46 @@ void udev_event_execute_rules(struct ude
|
||||
}
|
||||
}
|
||||
|
||||
+#ifdef HAVE_KMOD
|
||||
+static inline void udev_check_and_set_kmod(enum udev_builtin_cmd builtin_cmd, struct udev_event *event) {
|
||||
+ char filename[UTIL_PATH_SIZE];
|
||||
+ switch (builtin_cmd) {
|
||||
+ case UDEV_BUILTIN_KMOD:
|
||||
+ snprintf(filename, sizeof(filename), "/run/udev/kmod/%u", (unsigned)getpid());
|
||||
+ touch(filename);
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+static inline void udev_check_and_unset_kmod(enum udev_builtin_cmd builtin_cmd, struct udev_event *event) {
|
||||
+ char filename[UTIL_PATH_SIZE];
|
||||
+ switch (builtin_cmd) {
|
||||
+ case UDEV_BUILTIN_KMOD:
|
||||
+ snprintf(filename, sizeof(filename), "/run/udev/kmod/%u", (unsigned)getpid());
|
||||
+ unlink(filename);
|
||||
+ default:
|
||||
+ break;
|
||||
+ }
|
||||
+}
|
||||
+
|
||||
+bool udev_check_for_kmod(pid_t pid) {
|
||||
+ char filename[UTIL_PATH_SIZE];
|
||||
+ struct stat st;
|
||||
+ snprintf(filename, sizeof(filename), "/run/udev/kmod/%u", (unsigned)pid);
|
||||
+ if (stat(filename, &st) == 0) {
|
||||
+ return true;
|
||||
+ }
|
||||
+ return false;
|
||||
+}
|
||||
+#else
|
||||
+# define udev_set_kmod (a,b)
|
||||
+# define udev_unset_kmod(a,b)
|
||||
+bool udev_check_for_kmod(pid_t pid) {
|
||||
+ return false;
|
||||
+}
|
||||
+#endif
|
||||
+
|
||||
void udev_event_execute_run(struct udev_event *event, usec_t timeout_usec, usec_t timeout_warn_usec, const sigset_t *sigmask) {
|
||||
struct udev_list_entry *list_entry;
|
||||
|
||||
@@ -970,7 +1010,9 @@ void udev_event_execute_run(struct udev_
|
||||
char command[UTIL_PATH_SIZE];
|
||||
|
||||
udev_event_apply_format(event, cmd, command, sizeof(command));
|
||||
+ udev_check_and_set_kmod(builtin_cmd, event);
|
||||
udev_builtin_run(event->dev, builtin_cmd, command, false);
|
||||
+ udev_check_and_unset_kmod(builtin_cmd, event);
|
||||
} else {
|
||||
char program[UTIL_PATH_SIZE];
|
||||
char **envp;
|
||||
--- src/udev/udevd.c
|
||||
+++ src/udev/udevd.c 2014-09-24 15:02:30.895592379 +0000
|
||||
@@ -76,6 +76,7 @@ static int children_max;
|
||||
static int exec_delay;
|
||||
static usec_t event_timeout_usec = 180 * USEC_PER_SEC;
|
||||
static usec_t event_timeout_warn_usec = 180 * USEC_PER_SEC / 3;
|
||||
+static bool event_killkmod = false;
|
||||
static sigset_t sigmask_orig;
|
||||
static UDEV_LIST(event_list);
|
||||
static UDEV_LIST(worker_list);
|
||||
@@ -1017,6 +1018,12 @@ static void kernel_cmdline_options(struc
|
||||
}
|
||||
event_timeout_usec *= USEC_PER_SEC;
|
||||
event_timeout_warn_usec = (event_timeout_usec / 3) ? : 1;
|
||||
+ } else if (startswith(opt, "udev.killkmod=")) {
|
||||
+ r = parse_boolean(opt + 14);
|
||||
+ if (r < 0)
|
||||
+ log_warning("Invalid udev.killkmod Ignoring: %s", opt + 14);
|
||||
+ else
|
||||
+ event_killkmod = r;
|
||||
}
|
||||
|
||||
free(s);
|
||||
@@ -1065,7 +1072,7 @@ int main(int argc, char *argv[]) {
|
||||
}
|
||||
|
||||
for (;;) {
|
||||
- int option, r;
|
||||
+ int option;
|
||||
|
||||
option = getopt_long(argc, argv, "c:de:DtN:hV", options, NULL);
|
||||
if (option == -1)
|
||||
@@ -1356,6 +1363,12 @@ int main(int argc, char *argv[]) {
|
||||
udev_list_node_init(&event_list);
|
||||
udev_list_node_init(&worker_list);
|
||||
|
||||
+ r = mkdir_p("/run/udev/kmod", 0755);
|
||||
+ if (r < 0 && errno != EEXIST) {
|
||||
+ log_error("could not create /run/udev/kmod: %m");
|
||||
+ goto exit;
|
||||
+ }
|
||||
+
|
||||
for (;;) {
|
||||
static usec_t last_usec;
|
||||
struct epoll_event ev[8];
|
||||
@@ -1440,7 +1453,13 @@ int main(int argc, char *argv[]) {
|
||||
|
||||
if (worker->state != WORKER_RUNNING)
|
||||
continue;
|
||||
-
|
||||
+#ifdef HAVE_KMOD
|
||||
+ if (udev_check_for_kmod(worker->pid)) {
|
||||
+ log_debug("worker [%u] %s is using kmod", worker->pid, worker->event->devpath);
|
||||
+ if (!event_killkmod)
|
||||
+ continue;
|
||||
+ }
|
||||
+#endif
|
||||
ts = now(CLOCK_MONOTONIC);
|
||||
|
||||
if ((ts - worker->event_start_usec) > event_timeout_warn_usec) {
|
||||
--- src/udev/udev.h
|
||||
+++ src/udev/udev.h 2014-09-24 14:33:33.824008084 +0000
|
||||
@@ -88,6 +88,7 @@ int udev_event_spawn(struct udev_event *
|
||||
char *result, size_t ressize);
|
||||
void udev_event_execute_rules(struct udev_event *event, usec_t timeout_usec, usec_t timeout_warn_usec,
|
||||
struct udev_rules *rules, const sigset_t *sigset);
|
||||
+bool udev_check_for_kmod(pid_t pid);
|
||||
void udev_event_execute_run(struct udev_event *event, usec_t timeout_usec, usec_t timeout_warn_usec, const sigset_t *sigset);
|
||||
int udev_build_argv(struct udev *udev, char *cmd, int *argc, char *argv[]);
|
||||
|
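Review bot: The `#else` fallbacks `# define udev_set_kmod (a,b)` and `# define udev_unset_kmod(a,b)` do not match the names called from udev_event_execute_run, `udev_check_and_set_kmod(builtin_cmd, event);` and `udev_check_and_unset_kmod(builtin_cmd, event);`, so a build without HAVE_KMOD fails on undeclared functions, and the space before `(a,b)` in the first one makes it an object-like macro anyway; they should read `# define udev_check_and_set_kmod(a,b)` and `# define udev_check_and_unset_kmod(a,b)`. The marker `/run/udev/kmod/<pid>` is created before udev_builtin_run and unlinked only on the normal return path, so a worker that dies inside the builtin leaves it behind, and because udev_check_for_kmod only stat()s the path, a later worker that reuses the pid is never killed on timeout unless udev.killkmod= is set; the worker-reaping code in udevd.c (outside these hunks) should unlink the marker as well. In udevd.c the check `if (r < 0 && errno != EEXIST)` after mkdir_p mixes the return code with errno — if mkdir_p reports failures as a negative errno, the comparison should be `r != -EEXIST`; worth confirming against its definition. The unmarked fall-through from `case UDEV_BUILTIN_KMOD:` into `default:` is harmless but deserves a `/* fallthrough */` comment, and the `event` parameter of both helpers is unused. The enclosing main() and kernel_cmdline_options() bodies continue outside the hunks.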
@ -0,0 +1,82 @@
|
||||
Based on 2ec3ff668ff03410e94cfef8e3ee9384a8222211 Mon Sep 17 00:00:00 2001
|
||||
From: David Herrmann <dh.herrmann@gmail.com>
|
||||
Date: Fri, 19 Sep 2014 13:26:39 +0200
|
||||
Subject: [PATCH] login: pause devices before acknowledging VT switches
|
||||
|
||||
If a session controller does not need synchronous VT switches, we allow
|
||||
them to pass VT control to logind, which acknowledges all VT switches
|
||||
unconditionally. This works fine with all sessions using the dbus API,
|
||||
but causes out-of-sync device use if we switch to legacy sessions that
|
||||
are notified via VT signals. Those are processed before logind notices
|
||||
the session-switch via sysfs. Therefore, leaving the old session still
|
||||
active for a short amount of time.
|
||||
|
||||
This, in fact, may cause the legacy session to prepare graphics devices
|
||||
before the old session was deactivated, and thus, maybe causing the old
|
||||
session to interfer with graphics device usage.
|
||||
|
||||
Fix this by releasing devices immediately before acknowledging VT
|
||||
switches. This way, sessions without VT handlers are required to support
|
||||
async session switching (which they do in that case, anyway).
|
||||
---
|
||||
src/login/logind-session.c | 21 +++++++++++++++++++++
|
||||
src/login/logind-session.h | 1 +
|
||||
src/login/logind.c | 4 ++--
|
||||
3 files changed, 24 insertions(+), 2 deletions(-)
|
||||
|
||||
--- src/login/logind-session.c
|
||||
+++ src/login/logind-session.c 2014-09-24 07:40:45.786639180 +0000
|
||||
@@ -1040,6 +1040,27 @@ void session_restore_vt(Session *s) {
|
||||
s->vtfd = -1;
|
||||
}
|
||||
|
||||
+void session_leave_vt(Session *s) {
|
||||
+ assert(s);
|
||||
+
|
||||
+ /* This is called whenever we get a VT-switch signal from the kernel.
|
||||
+ * We acknowledge all of them unconditionally. Note that session are
|
||||
+ * free to overwrite those handlers and we only register them for
|
||||
+ * sessions with controllers. Legacy sessions are not affected.
|
||||
+ * However, if we switch from a non-legacy to a legacy session, we must
|
||||
+ * make sure to pause all device before acknowledging the switch. We
|
||||
+ * process the real switch only after we are notified via sysfs, so the
|
||||
+ * legacy session might have already started using the devices. If we
|
||||
+ * don't pause the devices before the switch, we might confuse the
|
||||
+ * session we switch to. */
|
||||
+
|
||||
+ if (s->vtfd < 0)
|
||||
+ return;
|
||||
+
|
||||
+ session_device_pause_all(s);
|
||||
+ ioctl(s->vtfd, VT_RELDISP, 1);
|
||||
+}
|
||||
+
|
||||
bool session_is_controller(Session *s, const char *sender) {
|
||||
assert(s);
|
||||
|
||||
--- src/login/logind-session.h
|
||||
+++ src/login/logind-session.h 2014-09-24 07:41:50.290236363 +0000
|
||||
@@ -173,6 +173,7 @@ KillWho kill_who_from_string(const char
|
||||
|
||||
int session_mute_vt(Session *s);
|
||||
void session_restore_vt(Session *s);
|
||||
+void session_leave_vt(Session *s);
|
||||
|
||||
bool session_is_controller(Session *s, const char *sender);
|
||||
int session_set_controller(Session *s, const char *sender, bool force);
|
||||
--- src/login/logind.c
|
||||
+++ src/login/logind.c 2014-09-24 00:00:00.000000000 +0000
|
||||
@@ -743,11 +743,11 @@ static int manager_vt_switch(sd_event_so
|
||||
}
|
||||
|
||||
if (active->vtfd >= 0) {
|
||||
- ioctl(active->vtfd, VT_RELDISP, 1);
|
||||
+ session_leave_vt(active);
|
||||
} else {
|
||||
LIST_FOREACH(sessions_by_seat, iter, m->seat0->sessions) {
|
||||
if (iter->vtnr == active->vtnr && iter->vtfd >= 0) {
|
||||
- ioctl(iter->vtfd, VT_RELDISP, 1);
|
||||
+ session_leave_vt(iter);
|
||||
break;
|
||||
}
|
||||
}
|
@ -0,0 +1,21 @@
|
||||
Based on c00524c9cc7fb498c7244350e25823b8352f078c Mon Sep 17 00:00:00 2001
|
||||
From: Tom Gundersen <teg@jklm.no>
|
||||
Date: Fri, 19 Sep 2014 23:02:00 +0200
|
||||
Subject: [PATCH] nspawn: don't try to create veth link with too long ifname
|
||||
|
||||
Reported by: James Lott <james@lottspot.com>
|
||||
---
|
||||
src/nspawn/nspawn.c | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- src/nspawn/nspawn.c
|
||||
+++ src/nspawn/nspawn.c 2014-09-23 15:33:06.766236272 +0000
|
||||
@@ -1383,7 +1383,7 @@ static int setup_veth(pid_t pid, char if
|
||||
|
||||
/* Use two different interface name prefixes depending whether
|
||||
* we are in bridge mode or not. */
|
||||
- snprintf(iface_name, IFNAMSIZ, "%s-%s",
|
||||
+ snprintf(iface_name, IFNAMSIZ - 1, "%s-%s",
|
||||
arg_network_bridge ? "vb" : "ve", arg_machine);
|
||||
|
||||
r = sd_rtnl_open(&rtnl, 0);
|
414
0001-socket-introduce-SELinuxContextFromNet-option.patch
Normal file
414
0001-socket-introduce-SELinuxContextFromNet-option.patch
Normal file
@ -0,0 +1,414 @@
|
||||
Based on 16115b0a7b7cdf08fb38084d857d572d8a9088dc Mon Sep 17 00:00:00 2001
|
||||
From: Michal Sekletar <msekleta@redhat.com>
|
||||
Date: Thu, 24 Jul 2014 10:40:28 +0200
|
||||
Subject: [PATCH] socket: introduce SELinuxContextFromNet option
|
||||
|
||||
This makes possible to spawn service instances triggered by socket with
|
||||
MLS/MCS SELinux labels which are created based on information provided by
|
||||
connected peer.
|
||||
|
||||
Implementation of label_get_child_mls_label derived from xinetd.
|
||||
|
||||
Reviewed-by: Paul Moore <pmoore@redhat.com>
|
||||
---
|
||||
man/systemd.socket.xml | 26 +++++++
|
||||
src/core/execute.c | 30 +++++++--
|
||||
src/core/execute.h | 1
|
||||
src/core/load-fragment-gperf.gperf.m4 | 3
|
||||
src/core/mount.c | 1
|
||||
src/core/service.c | 4 -
|
||||
src/core/service.h | 3
|
||||
src/core/socket.c | 16 +++-
|
||||
src/core/socket.h | 2
|
||||
src/core/swap.c | 1
|
||||
src/shared/label.c | 113 ++++++++++++++++++++++++++++++++++
|
||||
src/shared/label.h | 2
|
||||
12 files changed, 191 insertions(+), 11 deletions(-)
|
||||
|
||||
--- man/systemd.socket.xml
|
||||
+++ man/systemd.socket.xml 2014-09-23 15:36:49.000000000 +0000
|
||||
@@ -570,6 +570,32 @@
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
+ <term><varname>SELinuxContextFromNet=</varname></term>
|
||||
+ <listitem><para>Takes a boolean
|
||||
+ argument. When true systemd will attempt
|
||||
+ to figure out the SELinux label used
|
||||
+ for the instantiated service from the
|
||||
+ information handed by the peer over the
|
||||
+ network. Note that only the security
|
||||
+ level is used from the information
|
||||
+ provided by the peer. Other parts of
|
||||
+ the resulting SELinux context originate
|
||||
+ from either the target binary that is
|
||||
+ effectively triggered by socket unit
|
||||
+ are taken from the value of the
|
||||
+ <varname>SELinuxContext=</varname>
|
||||
+ option.This configuration option only
|
||||
+ affects sockets with
|
||||
+ <varname>Accept=</varname> mode set to
|
||||
+ <literal>true</literal>. Also note that
|
||||
+ this option is useful only when
|
||||
+ MLS/MCS SELinux policy is
|
||||
+ deployed. Defaults to
|
||||
+ <literal>false</literal>.
|
||||
+ </para></listitem>
|
||||
+ </varlistentry>
|
||||
+
|
||||
+ <varlistentry>
|
||||
<term><varname>PipeSize=</varname></term>
|
||||
<listitem><para>Takes an size in
|
||||
bytes. Controls the pipe buffer size
|
||||
--- src/core/execute.c
|
||||
+++ src/core/execute.c 2014-09-24 09:22:08.882735864 +0000
|
||||
@@ -82,6 +82,7 @@
|
||||
#include "selinux-util.h"
|
||||
#include "errno-list.h"
|
||||
#include "apparmor-util.h"
|
||||
+#include "label.h"
|
||||
|
||||
#ifdef HAVE_SECCOMP
|
||||
#include "seccomp-util.h"
|
||||
@@ -1123,6 +1124,7 @@ int exec_spawn(ExecCommand *command,
|
||||
bool apply_chroot,
|
||||
bool apply_tty_stdin,
|
||||
bool confirm_spawn,
|
||||
+ bool selinux_context_net,
|
||||
CGroupControllerMask cgroup_supported,
|
||||
const char *cgroup_path,
|
||||
const char *unit_id,
|
||||
@@ -1594,11 +1596,29 @@ int exec_spawn(ExecCommand *command,
|
||||
#endif
|
||||
|
||||
#ifdef HAVE_SELINUX
|
||||
- if (context->selinux_context && use_selinux()) {
|
||||
- err = setexeccon(context->selinux_context);
|
||||
- if (err < 0 && !context->selinux_context_ignore) {
|
||||
- r = EXIT_SELINUX_CONTEXT;
|
||||
- goto fail_child;
|
||||
+ if (use_selinux()) {
|
||||
+ if (context->selinux_context) {
|
||||
+ err = setexeccon(context->selinux_context);
|
||||
+ if (err < 0 && !context->selinux_context_ignore) {
|
||||
+ r = EXIT_SELINUX_CONTEXT;
|
||||
+ goto fail_child;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ if (selinux_context_net && socket_fd >= 0) {
|
||||
+ _cleanup_free_ char *label = NULL;
|
||||
+
|
||||
+ err = label_get_child_mls_label(socket_fd, command->path, &label);
|
||||
+ if (err < 0) {
|
||||
+ r = EXIT_SELINUX_CONTEXT;
|
||||
+ goto fail_child;
|
||||
+ }
|
||||
+
|
||||
+ err = setexeccon(label);
|
||||
+ if (err < 0) {
|
||||
+ r = EXIT_SELINUX_CONTEXT;
|
||||
+ goto fail_child;
|
||||
+ }
|
||||
}
|
||||
}
|
||||
#endif
|
||||
--- src/core/execute.h
|
||||
+++ src/core/execute.h 2014-09-23 15:46:26.000000000 +0000
|
||||
@@ -195,6 +195,7 @@ int exec_spawn(ExecCommand *command,
|
||||
bool apply_chroot,
|
||||
bool apply_tty_stdin,
|
||||
bool confirm_spawn,
|
||||
+ bool selinux_context_net,
|
||||
CGroupControllerMask cgroup_mask,
|
||||
const char *cgroup_path,
|
||||
const char *unit_id,
|
||||
--- src/core/load-fragment-gperf.gperf.m4
|
||||
+++ src/core/load-fragment-gperf.gperf.m4 2014-09-23 00:00:00.000000000 +0000
|
||||
@@ -242,6 +242,9 @@ Socket.SmackLabelIPOut, config_
|
||||
`Socket.SmackLabel, config_parse_warn_compat, 0, 0
|
||||
Socket.SmackLabelIPIn, config_parse_warn_compat, 0, 0
|
||||
Socket.SmackLabelIPOut, config_parse_warn_compat, 0, 0')
|
||||
+m4_ifdef(`HAVE_SELINUX',
|
||||
+`Socket.SELinuxContextFromNet, config_parse_bool, 0, offsetof(Socket, selinux_context_from_net)',
|
||||
+`Socket.SELinuxContextFromNet, config_parse_warn_compat, 0, 0')
|
||||
EXEC_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
|
||||
CGROUP_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
|
||||
KILL_CONTEXT_CONFIG_ITEMS(Socket)m4_dnl
|
||||
--- src/core/mount.c
|
||||
+++ src/core/mount.c 2014-09-24 09:16:26.234235379 +0000
|
||||
@@ -785,6 +785,7 @@ static int mount_spawn(Mount *m, ExecCom
|
||||
true,
|
||||
true,
|
||||
UNIT(m)->manager->confirm_spawn,
|
||||
+ false,
|
||||
UNIT(m)->manager->cgroup_supported,
|
||||
UNIT(m)->cgroup_path,
|
||||
UNIT(m)->id,
|
||||
--- src/core/service.c
|
||||
+++ src/core/service.c 2014-09-23 15:49:24.000000000 +0000
|
||||
@@ -1856,6 +1856,7 @@ static int service_spawn(
|
||||
apply_chroot,
|
||||
apply_tty_stdin,
|
||||
UNIT(s)->manager->confirm_spawn,
|
||||
+ s->socket_fd_selinux_context_net,
|
||||
UNIT(s)->manager->cgroup_supported,
|
||||
path,
|
||||
UNIT(s)->id,
|
||||
@@ -3787,7 +3788,7 @@ static void service_bus_name_owner_chang
|
||||
}
|
||||
}
|
||||
|
||||
-int service_set_socket_fd(Service *s, int fd, Socket *sock) {
|
||||
+int service_set_socket_fd(Service *s, int fd, Socket *sock, bool selinux_context_net) {
|
||||
_cleanup_free_ char *peer = NULL;
|
||||
int r;
|
||||
|
||||
@@ -3825,6 +3826,7 @@ int service_set_socket_fd(Service *s, in
|
||||
}
|
||||
|
||||
s->socket_fd = fd;
|
||||
+ s->socket_fd_selinux_context_net = selinux_context_net;
|
||||
|
||||
unit_ref_set(&s->accept_socket, UNIT(sock));
|
||||
|
||||
--- src/core/service.h
|
||||
+++ src/core/service.h 2014-09-23 15:51:13.000000000 +0000
|
||||
@@ -159,6 +159,7 @@ struct Service {
|
||||
pid_t main_pid, control_pid;
|
||||
int socket_fd;
|
||||
|
||||
+ bool socket_fd_selinux_context_net;
|
||||
bool permissions_start_only;
|
||||
bool root_directory_start_only;
|
||||
bool remain_after_exit;
|
||||
@@ -204,7 +205,7 @@ extern const UnitVTable service_vtable;
|
||||
|
||||
struct Socket;
|
||||
|
||||
-int service_set_socket_fd(Service *s, int fd, struct Socket *socket);
|
||||
+int service_set_socket_fd(Service *s, int fd, struct Socket *socket, bool selinux_context_net);
|
||||
|
||||
const char* service_state_to_string(ServiceState i) _const_;
|
||||
ServiceState service_state_from_string(const char *s) _pure_;
|
||||
--- src/core/socket.c
|
||||
+++ src/core/socket.c 2014-09-24 09:13:29.698735735 +0000
|
||||
@@ -453,7 +453,8 @@ static void socket_dump(Unit *u, FILE *f
|
||||
"%sBroadcast: %s\n"
|
||||
"%sPassCredentials: %s\n"
|
||||
"%sPassSecurity: %s\n"
|
||||
- "%sTCPCongestion: %s\n",
|
||||
+ "%sTCPCongestion: %s\n"
|
||||
+ "%sSELinuxContextFromNet: %s\n",
|
||||
prefix, socket_state_to_string(s->state),
|
||||
prefix, socket_result_to_string(s->result),
|
||||
prefix, socket_address_bind_ipv6_only_to_string(s->bind_ipv6_only),
|
||||
@@ -466,7 +467,8 @@ static void socket_dump(Unit *u, FILE *f
|
||||
prefix, yes_no(s->broadcast),
|
||||
prefix, yes_no(s->pass_cred),
|
||||
prefix, yes_no(s->pass_sec),
|
||||
- prefix, strna(s->tcp_congestion));
|
||||
+ prefix, strna(s->tcp_congestion),
|
||||
+ prefix, yes_no(s->selinux_context_from_net));
|
||||
|
||||
if (s->control_pid > 0)
|
||||
fprintf(f,
|
||||
@@ -1000,7 +1002,12 @@ static int socket_open_fds(Socket *s) {
|
||||
|
||||
if (p->type == SOCKET_SOCKET) {
|
||||
|
||||
- if (!know_label) {
|
||||
+ if (!know_label && s->selinux_context_from_net) {
|
||||
+ r = label_get_our_label(&label);
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
+ know_label = true;
|
||||
+ } else if (!know_label) {
|
||||
|
||||
if ((r = socket_instantiate_service(s)) < 0)
|
||||
return r;
|
||||
@@ -1247,6 +1254,7 @@ static int socket_spawn(Socket *s, ExecC
|
||||
true,
|
||||
true,
|
||||
UNIT(s)->manager->confirm_spawn,
|
||||
+ s->selinux_context_from_net,
|
||||
UNIT(s)->manager->cgroup_supported,
|
||||
UNIT(s)->cgroup_path,
|
||||
UNIT(s)->id,
|
||||
@@ -1568,7 +1576,7 @@ static void socket_enter_running(Socket
|
||||
|
||||
unit_choose_id(UNIT(service), name);
|
||||
|
||||
- r = service_set_socket_fd(service, cfd, s);
|
||||
+ r = service_set_socket_fd(service, cfd, s, s->selinux_context_from_net);
|
||||
if (r < 0)
|
||||
goto fail;
|
||||
|
||||
--- src/core/socket.h
|
||||
+++ src/core/socket.h 2014-09-23 15:55:17.000000000 +0000
|
||||
@@ -154,6 +154,8 @@ struct Socket {
|
||||
char *smack;
|
||||
char *smack_ip_in;
|
||||
char *smack_ip_out;
|
||||
+
|
||||
+ bool selinux_context_from_net;
|
||||
};
|
||||
|
||||
/* Called from the service code when collecting fds */
|
||||
--- src/core/swap.c
|
||||
+++ src/core/swap.c 2014-09-24 09:17:18.438735618 +0000
|
||||
@@ -642,6 +642,7 @@ static int swap_spawn(Swap *s, ExecComma
|
||||
true,
|
||||
true,
|
||||
UNIT(s)->manager->confirm_spawn,
|
||||
+ false,
|
||||
UNIT(s)->manager->cgroup_supported,
|
||||
UNIT(s)->cgroup_path,
|
||||
UNIT(s)->id,
|
||||
--- src/shared/label.c
|
||||
+++ src/shared/label.c 2014-09-23 00:00:00.000000000 +0000
|
||||
@@ -31,6 +31,7 @@
|
||||
#ifdef HAVE_SELINUX
|
||||
#include <selinux/selinux.h>
|
||||
#include <selinux/label.h>
|
||||
+#include <selinux/context.h>
|
||||
#endif
|
||||
|
||||
#include "label.h"
|
||||
@@ -41,6 +42,12 @@
|
||||
#include "smack-util.h"
|
||||
|
||||
#ifdef HAVE_SELINUX
|
||||
+DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
|
||||
+DEFINE_TRIVIAL_CLEANUP_FUNC(context_t, context_free);
|
||||
+
|
||||
+#define _cleanup_security_context_free_ _cleanup_(freeconp)
|
||||
+#define _cleanup_context_free_ _cleanup_(context_freep)
|
||||
+
|
||||
static struct selabel_handle *label_hnd = NULL;
|
||||
#endif
|
||||
|
||||
@@ -243,6 +250,112 @@ fail:
|
||||
return r;
|
||||
}
|
||||
|
||||
+int label_get_our_label(char **label) {
|
||||
+ int r = -EOPNOTSUPP;
|
||||
+ char *l = NULL;
|
||||
+
|
||||
+#ifdef HAVE_SELINUX
|
||||
+ r = getcon(&l);
|
||||
+ if (r < 0)
|
||||
+ return r;
|
||||
+
|
||||
+ *label = l;
|
||||
+#endif
|
||||
+
|
||||
+ return r;
|
||||
+}
|
||||
+
|
||||
+int label_get_child_mls_label(int socket_fd, const char *exe, char **label) {
|
||||
+ int r = -EOPNOTSUPP;
|
||||
+
|
||||
+#ifdef HAVE_SELINUX
|
||||
+
|
||||
+ _cleanup_security_context_free_ security_context_t mycon = NULL, peercon = NULL, fcon = NULL, ret = NULL;
|
||||
+ _cleanup_context_free_ context_t pcon = NULL, bcon = NULL;
|
||||
+ security_class_t sclass;
|
||||
+
|
||||
+ const char *range = NULL;
|
||||
+
|
||||
+ assert(socket_fd >= 0);
|
||||
+ assert(exe);
|
||||
+ assert(label);
|
||||
+
|
||||
+ r = getcon(&mycon);
|
||||
+ if (r < 0) {
|
||||
+ r = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ r = getpeercon(socket_fd, &peercon);
|
||||
+ if (r < 0) {
|
||||
+ r = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ r = getexeccon(&fcon);
|
||||
+ if (r < 0) {
|
||||
+ r = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ if (!fcon) {
|
||||
+ /* If there is no context set for next exec let's use context
|
||||
+ of target executable */
|
||||
+ r = getfilecon(exe, &fcon);
|
||||
+ if (r < 0) {
|
||||
+ r = -errno;
|
||||
+ goto out;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
+ bcon = context_new(mycon);
|
||||
+ if (!bcon) {
|
||||
+ r = -ENOMEM;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ pcon = context_new(peercon);
|
||||
+ if (!pcon) {
|
||||
+ r = -ENOMEM;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ range = context_range_get(pcon);
|
||||
+ if (!range) {
|
||||
+ r = -errno;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ r = context_range_set(bcon, range);
|
||||
+ if (r) {
|
||||
+ r = -errno;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ freecon(mycon);
|
||||
+ mycon = context_str(bcon);
|
||||
+ if (!mycon) {
|
||||
+ r = -errno;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ sclass = string_to_security_class("process");
|
||||
+ r = security_compute_create(mycon, fcon, sclass, &ret);
|
||||
+ if (r < 0) {
|
||||
+ r = -EINVAL;
|
||||
+ goto out;
|
||||
+ }
|
||||
+
|
||||
+ *label = ret;
|
||||
+ r = 0;
|
||||
+
|
||||
+out:
|
||||
+ if (r < 0 && security_getenforce() == 1)
|
||||
+ return r;
|
||||
+#endif
|
||||
+ return r;
|
||||
+}
|
||||
+
|
||||
int label_context_set(const char *path, mode_t mode) {
|
||||
int r = 0;
|
||||
|
||||
--- src/shared/label.h
|
||||
+++ src/shared/label.h 2014-09-23 00:00:00.000000000 +0000
|
||||
@@ -40,6 +40,8 @@ void label_context_clear(void);
|
||||
void label_free(const char *label);
|
||||
|
||||
int label_get_create_label_from_exe(const char *exe, char **label);
|
||||
+int label_get_our_label(char **label);
|
||||
+int label_get_child_mls_label(int socket_fd, const char *exec, char **label);
|
||||
|
||||
int label_mkdir(const char *path, mode_t mode);
|
||||
|
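Review bot: In label_get_child_mls_label the result is handed out with `*label = ret;` while `ret` is still declared `_cleanup_security_context_free_`, so scope exit frees the string the caller receives — exec_spawn then passes a freed buffer to setexeccon and its own `_cleanup_free_` frees it a second time; either add `ret = NULL;` after the assignment or compute straight into the out-parameter, `r = security_compute_create(mycon, fcon, sclass, (security_context_t *) label);`. The same ownership problem appears at `mycon = context_str(bcon);`: context_str() returns storage owned by the context_t and released by context_free(), yet `mycon` is freed with freecon() at scope exit, so the string is freed twice; `mycon = strdup(context_str(bcon));` with `r = -ENOMEM;` on failure keeps the two owners apart. After `out:` both paths `return r;`, so the `security_getenforce() == 1` test has no effect; if the intent was to let a failed label derivation through in permissive mode, the second return should yield 0 and leave `*label` untouched, otherwise the check should go. The error mapping also collapses getcon/getpeercon/getexeccon failures to `-EINVAL`, which hides the real errno behind the generic EXIT_SELINUX_CONTEXT status; preserving `-errno` would make a refused spawn diagnosable from the logs.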
25
0002-util-avoid-non-portable-__WORDSIZE.patch
Normal file
25
0002-util-avoid-non-portable-__WORDSIZE.patch
Normal file
@ -0,0 +1,25 @@
|
||||
Based on 8507eb20b64010b26f23822cbf442bb0bf96511c Mon Sep 17 00:00:00 2001
|
||||
From: Emil Renner Berthing <systemd@esmil.dk>
|
||||
Date: Fri, 19 Sep 2014 20:26:53 +0200
|
||||
Subject: [PATCH] util: avoid non-portable __WORDSIZE
|
||||
|
||||
Lets not unnecessarily rely on __WORDSIZE, which is not clearly specified
|
||||
by any spec. Use explicit size comparisons if we're not interested in the
|
||||
WORDSIZE, anyway.
|
||||
|
||||
(David: adjust commit message to explain why we do this)
|
||||
---
|
||||
src/shared/util.h | 2 +-
|
||||
1 file changed, 1 insertion(+), 1 deletion(-)
|
||||
|
||||
--- src/shared/util.h
|
||||
+++ src/shared/util.h 2014-09-24 06:58:11.378235669 +0000
|
||||
@@ -166,7 +166,7 @@ int safe_atolli(const char *s, long long
|
||||
|
||||
int safe_atod(const char *s, double *ret_d);
|
||||
|
||||
-#if __WORDSIZE == 32
|
||||
+#if LONG_MAX == INT_MAX
|
||||
static inline int safe_atolu(const char *s, unsigned long *ret_u) {
|
||||
assert_cc(sizeof(unsigned long) == sizeof(unsigned));
|
||||
return safe_atou(s, (unsigned*) ret_u);
|
@ -1,3 +1,18 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 24 08:36:42 UTC 2014 - werner@suse.de
|
||||
|
||||
- Update patch 0001-bnc888612-logind-polkit-acpi.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 24 07:47:54 UTC 2014 - werner@suse.de
|
||||
|
||||
- Add upstream patches
|
||||
0001-login-pause-devices-before-acknowledging-VT-switches.patch
|
||||
May help that history of the shell is saved
|
||||
0001-nspawn-don-t-try-to-create-veth-link-with-too-long-i.patch
|
||||
0001-socket-introduce-SELinuxContextFromNet-option.patch (bsc#897801)
|
||||
0002-util-avoid-non-portable-__WORDSIZE.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Sep 19 13:08:14 UTC 2014 - werner@suse.de
|
||||
|
||||
|
@ -888,6 +888,14 @@ Patch428: 0005-shared-label.h-add-missing-stdio.h-include.patch
|
||||
Patch429: 0006-shared-sparse-endian.h-add-missing-byteswap.h-includ.patch
|
||||
# PATCH-FIX-SUSE AUDIT-0: Power button press at gdm login should not prompt for credentials (bnc#888612)
|
||||
Patch430: 0001-bnc888612-logind-polkit-acpi.patch
|
||||
# PATCH-FIX-UPSTREAM added at 2014/09/24 -- May help that history of the shell is saved
|
||||
Patch431: 0001-login-pause-devices-before-acknowledging-VT-switches.patch
|
||||
# PATCH-FIX-UPSTREAM added at 2014/09/24
|
||||
Patch432: 0001-nspawn-don-t-try-to-create-veth-link-with-too-long-i.patch
|
||||
# PATCH-FIX-UPSTREAM added at 2014/09/24 (bsc#897801)
|
||||
Patch433: 0001-socket-introduce-SELinuxContextFromNet-option.patch
|
||||
# PATCH-FIX-UPSTREAM added at 2014/09/24
|
||||
Patch434: 0002-util-avoid-non-portable-__WORDSIZE.patch
|
||||
|
||||
# UDEV PATCHES
|
||||
# ============
|
||||
@ -1658,6 +1666,10 @@ cp %{SOURCE7} m4/
|
||||
%patch428 -p0
|
||||
%patch429 -p0
|
||||
%patch430 -p1
|
||||
%patch431 -p0
|
||||
%patch432 -p0
|
||||
%patch433 -p0
|
||||
%patch434 -p0
|
||||
|
||||
# udev patches
|
||||
%patch1001 -p1
|
||||
|
@ -1,3 +1,24 @@
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 24 15:05:49 UTC 2014 - werner@suse.de
|
||||
|
||||
- Add patch 0001-infinit-timeout-for-kmod-loaded-modules.patch to
|
||||
be able to avoid killing a running kmod/modprobe (bnc#889297)
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 24 08:36:42 UTC 2014 - werner@suse.de
|
||||
|
||||
- Update patch 0001-bnc888612-logind-polkit-acpi.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 24 07:47:54 UTC 2014 - werner@suse.de
|
||||
|
||||
- Add upstream patches
|
||||
0001-login-pause-devices-before-acknowledging-VT-switches.patch
|
||||
May help that history of the shell is saved
|
||||
0001-nspawn-don-t-try-to-create-veth-link-with-too-long-i.patch
|
||||
0001-socket-introduce-SELinuxContextFromNet-option.patch (bsc#897801)
|
||||
0002-util-avoid-non-portable-__WORDSIZE.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Fri Sep 19 13:08:14 UTC 2014 - werner@suse.de
|
||||
|
||||
|
12
systemd.spec
12
systemd.spec
@ -883,6 +883,14 @@ Patch428: 0005-shared-label.h-add-missing-stdio.h-include.patch
|
||||
Patch429: 0006-shared-sparse-endian.h-add-missing-byteswap.h-includ.patch
|
||||
# PATCH-FIX-SUSE AUDIT-0: Power button press at gdm login should not prompt for credentials (bnc#888612)
|
||||
Patch430: 0001-bnc888612-logind-polkit-acpi.patch
|
||||
# PATCH-FIX-UPSTREAM added at 2014/09/24 -- May help that history of the shell is saved
|
||||
Patch431: 0001-login-pause-devices-before-acknowledging-VT-switches.patch
|
||||
# PATCH-FIX-UPSTREAM added at 2014/09/24
|
||||
Patch432: 0001-nspawn-don-t-try-to-create-veth-link-with-too-long-i.patch
|
||||
# PATCH-FIX-UPSTREAM added at 2014/09/24 (bsc#897801)
|
||||
Patch433: 0001-socket-introduce-SELinuxContextFromNet-option.patch
|
||||
# PATCH-FIX-UPSTREAM added at 2014/09/24
|
||||
Patch434: 0002-util-avoid-non-portable-__WORDSIZE.patch
|
||||
|
||||
# UDEV PATCHES
|
||||
# ============
|
||||
@ -1653,6 +1661,10 @@ cp %{SOURCE7} m4/
|
||||
%patch428 -p0
|
||||
%patch429 -p0
|
||||
%patch430 -p1
|
||||
%patch431 -p0
|
||||
%patch432 -p0
|
||||
%patch433 -p0
|
||||
%patch434 -p0
|
||||
|
||||
# udev patches
|
||||
%patch1001 -p1
|
||||
|