[systemd-commits] 2 commits - man/systemd.exec.xml src/libsystemd
Zbigniew JÄdrzejewski-Szmek
zbyszek at kemper.freedesktop.org
Fri Oct 3 18:07:41 PDT 2014
man/systemd.exec.xml | 20 +++++++++++---------
src/libsystemd/sd-id128/sd-id128.c | 7 +++++--
2 files changed, 16 insertions(+), 11 deletions(-)
New commits:
commit e060073a8f05cfdfad621b1bb59abe944b17d5f9
Author: Zbigniew Jędrzejewski-Szmek <zbyszek at in.waw.pl>
Date: Fri Oct 3 21:06:52 2014 -0400
man: say that SecureBits= are space separated
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 6d0113f..939983f 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -776,20 +776,22 @@
<varlistentry>
<term><varname>SecureBits=</varname></term>
<listitem><para>Controls the secure
- bits set for the executed process. See
- <citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
- for details. Takes a list of strings:
+ bits set for the executed process.
+ Takes a space-separated combination of
+ options from the following list:
<option>keep-caps</option>,
<option>keep-caps-locked</option>,
<option>no-setuid-fixup</option>,
<option>no-setuid-fixup-locked</option>,
- <option>noroot</option> and/or
+ <option>noroot</option>, and
<option>noroot-locked</option>. This
option may appear more than once in
- which case the secure bits are
- ORed. If the empty string is assigned
- to this option, the bits are reset to
- 0.</para></listitem>
+ which case the secure bits are ORed.
+ If the empty string is assigned to
+ this option, the bits are reset to 0.
+ See <citerefentry
+ project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for details.</para></listitem>
</varlistentry>
<varlistentry>
@@ -806,7 +808,7 @@
attached to the executed file. Due to
that
<varname>CapabilityBoundingSet=</varname>
- is probably the much more useful
+ is probably a much more useful
setting.</para></listitem>
</varlistentry>
commit cef3566998fcae6936d781e678c309950a8a5787
Author: Zbigniew Jędrzejewski-Szmek <zbyszek at in.waw.pl>
Date: Fri Oct 3 20:57:30 2014 -0400
sd-id128: do stricter checking of random boot id
If we are bothering to check whether the kernel is not feeding us
bad data, we might as well do it properly.
CID #1237692.
diff --git a/src/libsystemd/sd-id128/sd-id128.c b/src/libsystemd/sd-id128/sd-id128.c
index a1e44e6..233ffa0 100644
--- a/src/libsystemd/sd-id128/sd-id128.c
+++ b/src/libsystemd/sd-id128/sd-id128.c
@@ -183,11 +183,14 @@ _public_ int sd_id128_get_boot(sd_id128_t *ret) {
for (j = 0, p = buf; j < 16; j++) {
int a, b;
- if (p >= buf + k)
+ if (p >= buf + k - 1)
return -EIO;
- if (*p == '-')
+ if (*p == '-') {
p++;
+ if (p >= buf + k - 1)
+ return -EIO;
+ }
a = unhexchar(p[0]);
b = unhexchar(p[1]);
More information about the systemd-commits
mailing list