[systemd-commits] 3 commits - src/core src/nspawn
Lennart Poettering
lennart at kemper.freedesktop.org
Thu May 21 11:49:32 PDT 2015
src/core/device.c | 3 +++
src/core/transaction.c | 7 ++++++-
src/nspawn/nspawn.c | 19 ++++++++++---------
3 files changed, 19 insertions(+), 10 deletions(-)
New commits:
commit 5ba7a26847846322740c02b9b469f42ea4c3f105
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu May 21 20:48:39 2015 +0200
nspawn: prohibit access to the kernel log buffer by default
Unless CAP_SYSLOG is explicitly passed, block all access to kmsg
diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c
index 73f292e..5009363 100644
--- a/src/nspawn/nspawn.c
+++ b/src/nspawn/nspawn.c
@@ -2932,15 +2932,16 @@ static int setup_seccomp(void) {
uint64_t capability;
int syscall_num;
} blacklist[] = {
- { CAP_SYS_RAWIO, SCMP_SYS(iopl)},
- { CAP_SYS_RAWIO, SCMP_SYS(ioperm)},
- { CAP_SYS_BOOT, SCMP_SYS(kexec_load)},
- { CAP_SYS_ADMIN, SCMP_SYS(swapon)},
- { CAP_SYS_ADMIN, SCMP_SYS(swapoff)},
- { CAP_SYS_ADMIN, SCMP_SYS(open_by_handle_at)},
- { CAP_SYS_MODULE, SCMP_SYS(init_module)},
- { CAP_SYS_MODULE, SCMP_SYS(finit_module)},
- { CAP_SYS_MODULE, SCMP_SYS(delete_module)},
+ { CAP_SYS_RAWIO, SCMP_SYS(iopl) },
+ { CAP_SYS_RAWIO, SCMP_SYS(ioperm) },
+ { CAP_SYS_BOOT, SCMP_SYS(kexec_load) },
+ { CAP_SYS_ADMIN, SCMP_SYS(swapon) },
+ { CAP_SYS_ADMIN, SCMP_SYS(swapoff) },
+ { CAP_SYS_ADMIN, SCMP_SYS(open_by_handle_at) },
+ { CAP_SYS_MODULE, SCMP_SYS(init_module) },
+ { CAP_SYS_MODULE, SCMP_SYS(finit_module) },
+ { CAP_SYS_MODULE, SCMP_SYS(delete_module) },
+ { CAP_SYSLOG, SCMP_SYS(syslog) },
};
scmp_filter_ctx seccomp;
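Review bot: The new `{ CAP_SYSLOG, SCMP_SYS(syslog) }` entry gates only the syslog(2) system call; reads of the ring buffer through /dev/kmsg or /proc/kmsg go via open(2)/read(2) and are untouched by this filter, so the "block all access" wording in the commit message holds only if nspawn's /dev and /proc setup, which is outside this hunk, does not expose those nodes. A short comment on the entry would keep that scope visible to the next maintainer: `/* syslog(2) only: this does not cover reads of /dev/kmsg or /proc/kmsg */`. The re-spacing of the nine existing rows makes the diff noisier than the one-line addition warrants and could have been a separate whitespace commit. The remainder of setup_seccomp, where this table is turned into seccomp rules, lies beyond the end of the hunk.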
commit 4c6d20dece1da97c31cd88ddebc007bf33204b82
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu May 21 20:43:21 2015 +0200
device: never act on mount events for devices if device support is not available
diff --git a/src/core/device.c b/src/core/device.c
index c784cab..e7efcf0 100644
--- a/src/core/device.c
+++ b/src/core/device.c
@@ -771,6 +771,9 @@ int device_found_node(Manager *m, const char *node, bool add, DeviceFound found,
assert(m);
assert(node);
+ if (!device_supported())
+ return 0;
+
/* This is called whenever we find a device referenced in
* /proc/swaps or /proc/self/mounts. Such a device might be
* mounted/enabled at a time where udev has not finished
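Review bot: The new `if (!device_supported()) return 0;` guard sits ahead of the comment that explains what this function is called for and carries no explanation of its own, so a reader meets a silent early return before learning what is being skipped. I would add a line above it, e.g. `/* Without device support there are no device units to update for nodes found in /proc/swaps or /proc/self/mounts. */`, or place the guard below the existing comment block. Returning 0 rather than an error appears intended, presumably because callers only need to know the node was not acted on; worth confirming against the callers, which are not in this hunk. device_found_node continues past the end of the hunk.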
commit 48894cd07cdbd125688ade4a5772eaebe5969e74
Author: Lennart Poettering <lennart at poettering.net>
Date: Thu May 21 20:39:23 2015 +0200
core: properly handle jobs that are suppressed to JOB_NOPs when propagating restarts
diff --git a/src/core/transaction.c b/src/core/transaction.c
index 33fa675..090103f 100644
--- a/src/core/transaction.c
+++ b/src/core/transaction.c
@@ -1032,8 +1032,13 @@ int transaction_add_job_and_dependencies(
for (j = 0; j < ELEMENTSOF(propagate_deps); j++)
SET_FOREACH(dep, ret->unit->dependencies[propagate_deps[j]], i) {
+ JobType nt;
- r = transaction_add_job_and_dependencies(tr, job_type_collapse(ptype, dep), dep, ret, true, override, false, false, ignore_order, e);
+ nt = job_type_collapse(ptype, dep);
+ if (nt == JOB_NOP)
+ continue;
+
+ r = transaction_add_job_and_dependencies(tr, nt, dep, ret, true, override, false, false, ignore_order, e);
if (r < 0) {
if (r != -EBADR)
goto fail;
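Review bot: The JOB_NOP skip at `if (nt == JOB_NOP) continue;` has no comment saying why a collapsed type can be JOB_NOP or why it must not be propagated, which is the whole point of the commit. Suggest `/* job_type_collapse() may yield JOB_NOP for this dependency; there is nothing to enqueue, so skip it rather than adding a no-op job. */` above the check. Declaring `nt` at the point of use, `JobType nt = job_type_collapse(ptype, dep);`, would also remove the separate declaration line, if the file's style permits mixed declarations. transaction_add_job_and_dependencies begins and ends outside the hunk.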