[systemd-commits] 6 commits - Makefile.am TODO src/bus-proxyd src/core src/libsystemd
Lennart Poettering
lennart at kemper.freedesktop.org
Fri Nov 14 11:07:36 PST 2014
Makefile.am | 8 +-----
TODO | 2 +
src/bus-proxyd/bus-policy.c | 2 -
src/bus-proxyd/bus-proxyd.c | 41 -----------------------------------
src/core/kmod-setup.c | 24 ++++++++++++++++++--
src/core/main.c | 6 +----
src/libsystemd/sd-bus/bus-internal.c | 20 +++++++++++++++++
src/libsystemd/sd-bus/bus-internal.h | 1
8 files changed, 50 insertions(+), 54 deletions(-)
New commits:
commit e341912313db96f400ee5d5450aae7c67ebd44dd
Author: Lennart Poettering <lennart at poettering.net>
Date: Fri Nov 14 20:06:20 2014 +0100
bus-proxy: avoid redundant name validity checks
Our API calls check the validity of bus names anyway, hence we don't
have to do this before calling them...
diff --git a/src/bus-proxyd/bus-proxyd.c b/src/bus-proxyd/bus-proxyd.c
index 7037301..9c4f2a6 100644
--- a/src/bus-proxyd/bus-proxyd.c
+++ b/src/bus-proxyd/bus-proxyd.c
@@ -412,8 +412,6 @@ static int get_creds_by_name(sd_bus *bus, const char *name, uint64_t mask, sd_bu
assert(name);
assert(_creds);
- assert_return(service_name_is_valid(name), -EINVAL);
-
r = sd_bus_get_name_creds(bus, name, mask, &c);
if (r == -ESRCH || r == -ENXIO)
return sd_bus_error_setf(error, SD_BUS_ERROR_NAME_HAS_NO_OWNER, "Name %s is currently not owned by anyone.", name);
@@ -769,9 +767,6 @@ static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m, Policy *polic
if (r < 0)
return synthetic_reply_method_errno(m, r, NULL);
- if (!service_name_is_valid(arg0))
- return synthetic_reply_method_errno(m, -EINVAL, NULL);
-
r = sd_bus_get_name_creds(a, arg0, 0, NULL);
if (r == -ESRCH || r == -ENXIO) {
sd_bus_error_setf(&error, SD_BUS_ERROR_NAME_HAS_NO_OWNER, "Could not get owners of name '%s': no such name.", arg0);
@@ -830,9 +825,6 @@ static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m, Policy *polic
if (r < 0)
return synthetic_reply_method_errno(m, r, NULL);
- if (!service_name_is_valid(name))
- return synthetic_reply_method_errno(m, -EINVAL, NULL);
-
if (streq(name, "org.freedesktop.DBus"))
return synthetic_reply_method_return(m, "b", true);
@@ -849,9 +841,6 @@ static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m, Policy *polic
if (r < 0)
return synthetic_reply_method_errno(m, r, NULL);
- if (!service_name_is_valid(name))
- return synthetic_reply_method_errno(m, -EINVAL, NULL);
-
r = sd_bus_release_name(a, name);
if (r < 0) {
if (r == -ESRCH)
@@ -885,8 +874,6 @@ static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m, Policy *polic
if (policy && !policy_check_own(policy, ucred, name))
return synthetic_reply_method_errno(m, -EPERM, NULL);
- if (!service_name_is_valid(name))
- return synthetic_reply_method_errno(m, -EINVAL, NULL);
if ((flags & ~(BUS_NAME_ALLOW_REPLACEMENT|BUS_NAME_REPLACE_EXISTING|BUS_NAME_DO_NOT_QUEUE)) != 0)
return synthetic_reply_method_errno(m, -EINVAL, NULL);
@@ -927,8 +914,6 @@ static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m, Policy *polic
if (r < 0)
return synthetic_reply_method_errno(m, r, NULL);
- if (!service_name_is_valid(name))
- return synthetic_reply_method_errno(m, -EINVAL, NULL);
if (flags != 0)
return synthetic_reply_method_errno(m, -EINVAL, NULL);
commit f5d8989ce5fc4e6eb338ec7b1b2c6d6a74c44c63
Author: Lennart Poettering <lennart at poettering.net>
Date: Fri Nov 14 20:06:01 2014 +0100
bus-proxy: properly check for bus name prefixes when enforcing policy
diff --git a/src/bus-proxyd/bus-policy.c b/src/bus-proxyd/bus-policy.c
index 625f5dd..cb0726a 100644
--- a/src/bus-proxyd/bus-policy.c
+++ b/src/bus-proxyd/bus-policy.c
@@ -651,7 +651,7 @@ static int check_policy_item(PolicyItem *i, const struct policy_check_filter *fi
case POLICY_ITEM_OWN_PREFIX:
assert(filter->name);
- if (streq(i->name, "*") || startswith(i->name, filter->name))
+ if (streq(i->name, "*") || service_name_startswith(i->name, filter->name))
return is_permissive(i);
break;
diff --git a/src/libsystemd/sd-bus/bus-internal.c b/src/libsystemd/sd-bus/bus-internal.c
index 0bea8ca..91b288c 100644
--- a/src/libsystemd/sd-bus/bus-internal.c
+++ b/src/libsystemd/sd-bus/bus-internal.c
@@ -166,6 +166,26 @@ bool service_name_is_valid(const char *p) {
return true;
}
+char* service_name_startswith(const char *a, const char *b) {
+ const char *p;
+
+ if (!service_name_is_valid(a) ||
+ !service_name_is_valid(b))
+ return NULL;
+
+ p = startswith(a, b);
+ if (!p)
+ return NULL;
+
+ if (*p == 0)
+ return (char*) p;
+
+ if (*p == '.')
+ return (char*) p + 1;
+
+ return NULL;
+}
+
bool member_name_is_valid(const char *p) {
const char *q;
diff --git a/src/libsystemd/sd-bus/bus-internal.h b/src/libsystemd/sd-bus/bus-internal.h
index 0738148..f6b0211 100644
--- a/src/libsystemd/sd-bus/bus-internal.h
+++ b/src/libsystemd/sd-bus/bus-internal.h
@@ -340,6 +340,7 @@ struct sd_bus {
bool interface_name_is_valid(const char *p) _pure_;
bool service_name_is_valid(const char *p) _pure_;
+char* service_name_startswith(const char *a, const char *b);
bool member_name_is_valid(const char *p) _pure_;
bool object_path_is_valid(const char *p) _pure_;
char *object_path_startswith(const char *a, const char *b) _pure_;
commit 49d4b1eecfefded66fd48a992633958da30035d7
Author: Lennart Poettering <lennart at poettering.net>
Date: Fri Nov 14 18:47:54 2014 +0100
bus-proxy: drop broken access check in driver
The access check call was broken (as it tried to read a service name
from the UpdateActivationEnvironment() method call which doesn't carry
any). Also, it's unnecessary to make any access checks here, as we just
forward the call to PID 1 which should do the access checks necessary.
diff --git a/src/bus-proxyd/bus-proxyd.c b/src/bus-proxyd/bus-proxyd.c
index cbbafcf..7037301 100644
--- a/src/bus-proxyd/bus-proxyd.c
+++ b/src/bus-proxyd/bus-proxyd.c
@@ -444,29 +444,6 @@ static int get_creds_by_message(sd_bus *bus, sd_bus_message *m, uint64_t mask, s
return get_creds_by_name(bus, name, mask, _creds, error);
}
-static int peer_is_privileged(sd_bus *bus, sd_bus_message *m) {
- _cleanup_bus_creds_unref_ sd_bus_creds *creds = NULL;
- uid_t uid;
- int r;
-
- r = get_creds_by_message(bus, m, SD_BUS_CREDS_UID, &creds, NULL);
- if (r < 0)
- return r;
-
- r = sd_bus_creds_get_uid(creds, &uid);
- if (r < 0)
- return r;
-
- r = sd_bus_creds_has_effective_cap(creds, CAP_SYS_ADMIN);
- if (r > 0)
- return true;
-
- if (uid == getuid())
- return true;
-
- return false;
-}
-
static int process_policy(sd_bus *a, sd_bus *b, sd_bus_message *m, Policy *policy, const struct ucred *ucred) {
int r;
char **name;
@@ -981,9 +958,6 @@ static int process_driver(sd_bus *a, sd_bus *b, sd_bus_message *m, Policy *polic
_cleanup_bus_message_unref_ sd_bus_message *msg = NULL;
_cleanup_strv_free_ char **args = NULL;
- if (!peer_is_privileged(a, m))
- return synthetic_reply_method_errno(m, -EPERM, NULL);
-
r = sd_bus_message_enter_container(m, SD_BUS_TYPE_ARRAY, "{ss}");
if (r < 0)
return synthetic_reply_method_errno(m, r, NULL);
commit 5f68e74b6a795c5e3e1a6b3be3db85dfcd6b68c2
Author: Lennart Poettering <lennart at poettering.net>
Date: Fri Nov 14 18:02:30 2014 +0100
kmod-setup: improve for "kdbus" word on the kernel cmdline
We really shouldn't check for words with "strstr()"...
diff --git a/src/core/kmod-setup.c b/src/core/kmod-setup.c
index 23df1fd..fd0a0e0 100644
--- a/src/core/kmod-setup.c
+++ b/src/core/kmod-setup.c
@@ -50,11 +50,24 @@ static void systemd_kmod_log(
static bool cmdline_check_kdbus(void) {
_cleanup_free_ char *line = NULL;
+ const char *p;
+ int r;
- if (proc_cmdline(&line) < 0)
+ r = proc_cmdline(&line);
+ if (r < 0)
return false;
- return strstr(line, "kdbus") != NULL;
+ p = line;
+ for (;;) {
+ _cleanup_free_ char *word = NULL;
+
+ r = unquote_first_word(&p, &word, true);
+ if (r <= 0)
+ return false;
+
+ if (streq(word, "kdbus"))
+ return true;
+ }
}
#endif
commit f84f9974d827314c8ee86f65a5007ccee210422b
Author: Lennart Poettering <lennart at poettering.net>
Date: Fri Nov 14 17:58:32 2014 +0100
kmod: move #ifdef checks for kmod-setup out of main.c into kmod-setup.c
diff --git a/Makefile.am b/Makefile.am
index 701666c..1aef242 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -1121,6 +1121,8 @@ libsystemd_core_la_SOURCES = \
src/core/machine-id-setup.h \
src/core/mount-setup.c \
src/core/mount-setup.h \
+ src/core/kmod-setup.c \
+ src/core/kmod-setup.h \
src/core/loopback-setup.h \
src/core/loopback-setup.c \
src/core/namespace.c \
@@ -1136,12 +1138,6 @@ libsystemd_core_la_SOURCES = \
src/core/failure-action.c \
src/core/failure-action.h
-if HAVE_KMOD
-libsystemd_core_la_SOURCES += \
- src/core/kmod-setup.c \
- src/core/kmod-setup.h
-endif
-
nodist_libsystemd_core_la_SOURCES = \
src/core/load-fragment-gperf.c \
src/core/load-fragment-gperf-nulstr.c
diff --git a/src/core/kmod-setup.c b/src/core/kmod-setup.c
index 8136d3c..23df1fd 100644
--- a/src/core/kmod-setup.c
+++ b/src/core/kmod-setup.c
@@ -23,13 +23,17 @@
#include <unistd.h>
#include <string.h>
#include <errno.h>
+
+#ifdef HAVE_KMOD
#include <libkmod.h>
+#endif
#include "macro.h"
#include "execute.h"
#include "capability.h"
#include "kmod-setup.h"
+#ifdef HAVE_KMOD
static void systemd_kmod_log(
void *data,
int priority,
@@ -52,8 +56,10 @@ static bool cmdline_check_kdbus(void) {
return strstr(line, "kdbus") != NULL;
}
+#endif
int kmod_setup(void) {
+#ifdef HAVE_KMOD
static const struct {
const char *module;
@@ -123,5 +129,6 @@ int kmod_setup(void) {
if (ctx)
kmod_unref(ctx);
+#endif
return 0;
}
diff --git a/src/core/main.c b/src/core/main.c
index 59a2be9..64acdf7 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -75,9 +75,7 @@
#include "selinux-setup.h"
#include "ima-setup.h"
#include "smack-setup.h"
-#ifdef HAVE_KMOD
#include "kmod-setup.h"
-#endif
static enum {
ACTION_RUN,
@@ -1389,10 +1387,10 @@ int main(int argc, char *argv[]) {
/* Mount /proc, /sys and friends, so that /proc/cmdline and
* /proc/$PID/fd is available. */
if (getpid() == 1) {
-#ifdef HAVE_KMOD
+
+ /* Load the kernel modules early, so that we kdbus.ko is loaded before kdbusfs shall be mounted */
if (!skip_setup)
kmod_setup();
-#endif
r = mount_setup(loaded_policy);
if (r < 0)
commit 264b8070715d2d19344c4991ace21147d998f56d
Author: Lennart Poettering <lennart at poettering.net>
Date: Fri Nov 14 17:55:19 2014 +0100
update TODO
diff --git a/TODO b/TODO
index cb0036a..8649edb 100644
--- a/TODO
+++ b/TODO
@@ -39,6 +39,8 @@ Features:
* firstboot: make it useful to be run immediately after yum --installroot to set up a machine.
+* timesyncd + resolved: add ugly bus calls to set NTP and DNS servers per-interface, for usage by NM
+
* networkd-wait-online really should have a timeout by default
* expose orientation sensors through logind
More information about the systemd-commits
mailing list