/src/systemd/src/nspawn/nspawn-settings.c
Line | Count | Source (jump to first uncovered line) |
1 | | /* SPDX-License-Identifier: LGPL-2.1+ */ |
2 | | |
3 | | #include "alloc-util.h" |
4 | | #include "cap-list.h" |
5 | | #include "conf-parser.h" |
6 | | #include "cpu-set-util.h" |
7 | | #include "hostname-util.h" |
8 | | #include "nspawn-network.h" |
9 | | #include "nspawn-settings.h" |
10 | | #include "parse-util.h" |
11 | | #include "process-util.h" |
12 | | #include "rlimit-util.h" |
13 | | #include "socket-util.h" |
14 | | #include "string-table.h" |
15 | | #include "string-util.h" |
16 | | #include "strv.h" |
17 | | #include "user-util.h" |
18 | | #include "util.h" |
19 | | |
20 | 9.52k | Settings *settings_new(void) { |
21 | 9.52k | Settings *s; |
22 | 9.52k | |
23 | 9.52k | s = new(Settings, 1); |
24 | 9.52k | if (!s) |
25 | 0 | return NULL; |
26 | 9.52k | |
27 | 9.52k | *s = (Settings) { |
28 | 9.52k | .start_mode = _START_MODE_INVALID, |
29 | 9.52k | .personality = PERSONALITY_INVALID, |
30 | 9.52k | |
31 | 9.52k | .resolv_conf = _RESOLV_CONF_MODE_INVALID, |
32 | 9.52k | .link_journal = _LINK_JOURNAL_INVALID, |
33 | 9.52k | .timezone = _TIMEZONE_MODE_INVALID, |
34 | 9.52k | |
35 | 9.52k | .userns_mode = _USER_NAMESPACE_MODE_INVALID, |
36 | 9.52k | .userns_chown = -1, |
37 | 9.52k | .uid_shift = UID_INVALID, |
38 | 9.52k | .uid_range = UID_INVALID, |
39 | 9.52k | |
40 | 9.52k | .no_new_privileges = -1, |
41 | 9.52k | |
42 | 9.52k | .read_only = -1, |
43 | 9.52k | .volatile_mode = _VOLATILE_MODE_INVALID, |
44 | 9.52k | |
45 | 9.52k | .private_network = -1, |
46 | 9.52k | .network_veth = -1, |
47 | 9.52k | |
48 | 9.52k | .full_capabilities = CAPABILITY_QUINTET_NULL, |
49 | 9.52k | |
50 | 9.52k | .uid = UID_INVALID, |
51 | 9.52k | .gid = GID_INVALID, |
52 | 9.52k | |
53 | 9.52k | .console_mode = _CONSOLE_MODE_INVALID, |
54 | 9.52k | .console_width = (unsigned) -1, |
55 | 9.52k | .console_height = (unsigned) -1, |
56 | 9.52k | |
57 | 9.52k | .clone_ns_flags = (unsigned long) -1, |
58 | 9.52k | .use_cgns = -1, |
59 | 9.52k | }; |
60 | 9.52k | |
61 | 9.52k | return s; |
62 | 9.52k | } |
63 | | |
64 | 6.76k | int settings_load(FILE *f, const char *path, Settings **ret) { |
65 | 6.76k | _cleanup_(settings_freep) Settings *s = NULL; |
66 | 6.76k | int r; |
67 | 6.76k | |
68 | 6.76k | assert(path); |
69 | 6.76k | assert(ret); |
70 | 6.76k | |
71 | 6.76k | s = settings_new(); |
72 | 6.76k | if (!s) |
73 | 0 | return -ENOMEM; |
74 | 6.76k | |
75 | 6.76k | r = config_parse(NULL, path, f, |
76 | 6.76k | "Exec\0" |
77 | 6.76k | "Network\0" |
78 | 6.76k | "Files\0", |
79 | 6.76k | config_item_perf_lookup, nspawn_gperf_lookup, |
80 | 6.76k | CONFIG_PARSE_WARN, |
81 | 6.76k | s); |
82 | 6.76k | if (r < 0) |
83 | 663 | return r; |
84 | 6.10k | |
85 | 6.10k | /* Make sure that if userns_mode is set, userns_chown is set to something appropriate, and vice versa. Either |
86 | 6.10k | * both fields shall be initialized or neither. */ |
87 | 6.10k | if (s->userns_mode == USER_NAMESPACE_PICK) |
88 | 8 | s->userns_chown = true; |
89 | 6.10k | else if (s->userns_mode != _USER_NAMESPACE_MODE_INVALID && s->userns_chown < 0) |
90 | 107 | s->userns_chown = false; |
91 | 6.10k | |
92 | 6.10k | if (s->userns_chown >= 0 && s->userns_mode == _USER_NAMESPACE_MODE_INVALID) |
93 | 1 | s->userns_mode = USER_NAMESPACE_NO; |
94 | 6.10k | |
95 | 6.10k | *ret = TAKE_PTR(s); |
96 | 6.10k | return 0; |
97 | 6.10k | } |
98 | | |
99 | 28.5k | static void free_oci_hooks(OciHook *h, size_t n) { |
100 | 28.5k | size_t i; |
101 | 28.5k | |
102 | 28.5k | assert(h || n == 0); |
103 | 28.5k | |
104 | 28.5k | for (i = 0; i < n; i++) { |
105 | 0 | free(h[i].path); |
106 | 0 | strv_free(h[i].args); |
107 | 0 | strv_free(h[i].env); |
108 | 0 | } |
109 | 28.5k | |
110 | 28.5k | free(h); |
111 | 28.5k | } |
112 | | |
113 | 9.52k | void device_node_array_free(DeviceNode *node, size_t n) { |
114 | 9.52k | size_t i; |
115 | 9.52k | |
116 | 9.52k | for (i = 0; i < n; i++) |
117 | 0 | free(node[i].path); |
118 | 9.52k | |
119 | 9.52k | free(node); |
120 | 9.52k | } |
121 | | |
122 | 9.52k | Settings* settings_free(Settings *s) { |
123 | 9.52k | if (!s) |
124 | 0 | return NULL; |
125 | 9.52k | |
126 | 9.52k | strv_free(s->parameters); |
127 | 9.52k | strv_free(s->environment); |
128 | 9.52k | free(s->user); |
129 | 9.52k | free(s->pivot_root_new); |
130 | 9.52k | free(s->pivot_root_old); |
131 | 9.52k | free(s->working_directory); |
132 | 9.52k | strv_free(s->syscall_whitelist); |
133 | 9.52k | strv_free(s->syscall_blacklist); |
134 | 9.52k | rlimit_free_all(s->rlimit); |
135 | 9.52k | free(s->hostname); |
136 | 9.52k | cpu_set_reset(&s->cpu_set); |
137 | 9.52k | |
138 | 9.52k | strv_free(s->network_interfaces); |
139 | 9.52k | strv_free(s->network_macvlan); |
140 | 9.52k | strv_free(s->network_ipvlan); |
141 | 9.52k | strv_free(s->network_veth_extra); |
142 | 9.52k | free(s->network_bridge); |
143 | 9.52k | free(s->network_zone); |
144 | 9.52k | expose_port_free_all(s->expose_ports); |
145 | 9.52k | |
146 | 9.52k | custom_mount_free_all(s->custom_mounts, s->n_custom_mounts); |
147 | 9.52k | |
148 | 9.52k | free(s->bundle); |
149 | 9.52k | free(s->root); |
150 | 9.52k | |
151 | 9.52k | free_oci_hooks(s->oci_hooks_prestart, s->n_oci_hooks_prestart); |
152 | 9.52k | free_oci_hooks(s->oci_hooks_poststart, s->n_oci_hooks_poststart); |
153 | 9.52k | free_oci_hooks(s->oci_hooks_poststop, s->n_oci_hooks_poststop); |
154 | 9.52k | |
155 | 9.52k | free(s->slice); |
156 | 9.52k | sd_bus_message_unref(s->properties); |
157 | 9.52k | |
158 | 9.52k | free(s->supplementary_gids); |
159 | 9.52k | device_node_array_free(s->extra_nodes, s->n_extra_nodes); |
160 | 9.52k | free(s->network_namespace_path); |
161 | 9.52k | |
162 | 9.52k | strv_free(s->sysctl); |
163 | 9.52k | |
164 | | #if HAVE_SECCOMP |
165 | | seccomp_release(s->seccomp); |
166 | | #endif |
167 | | |
168 | 9.52k | return mfree(s); |
169 | 9.52k | } |
170 | | |
171 | 0 | bool settings_private_network(Settings *s) { |
172 | 0 | assert(s); |
173 | 0 |
|
174 | 0 | return |
175 | 0 | s->private_network > 0 || |
176 | 0 | s->network_veth > 0 || |
177 | 0 | s->network_bridge || |
178 | 0 | s->network_zone || |
179 | 0 | s->network_interfaces || |
180 | 0 | s->network_macvlan || |
181 | 0 | s->network_ipvlan || |
182 | 0 | s->network_veth_extra; |
183 | 0 | } |
184 | | |
185 | 0 | bool settings_network_veth(Settings *s) { |
186 | 0 | assert(s); |
187 | 0 |
|
188 | 0 | return |
189 | 0 | s->network_veth > 0 || |
190 | 0 | s->network_bridge || |
191 | 0 | s->network_zone; |
192 | 0 | } |
193 | | |
194 | 43 | int settings_allocate_properties(Settings *s) { |
195 | 43 | _cleanup_(sd_bus_unrefp) sd_bus *bus = NULL; |
196 | 43 | int r; |
197 | 43 | |
198 | 43 | assert(s); |
199 | 43 | |
200 | 43 | if (s->properties) |
201 | 0 | return 0; |
202 | 43 | |
203 | 43 | r = sd_bus_default_system(&bus); |
204 | 43 | if (r < 0) |
205 | 43 | return r; |
206 | 0 | |
207 | 0 | r = sd_bus_message_new(bus, &s->properties, SD_BUS_MESSAGE_METHOD_CALL); |
208 | 0 | if (r < 0) |
209 | 0 | return r; |
210 | 0 | |
211 | 0 | return 0; |
212 | 0 | } |
213 | | |
214 | | DEFINE_CONFIG_PARSE_ENUM(config_parse_volatile_mode, volatile_mode, VolatileMode, "Failed to parse volatile mode"); |
215 | | |
216 | | int config_parse_expose_port( |
217 | | const char *unit, |
218 | | const char *filename, |
219 | | unsigned line, |
220 | | const char *section, |
221 | | unsigned section_line, |
222 | | const char *lvalue, |
223 | | int ltype, |
224 | | const char *rvalue, |
225 | | void *data, |
226 | 3.11k | void *userdata) { |
227 | 3.11k | |
228 | 3.11k | Settings *s = data; |
229 | 3.11k | int r; |
230 | 3.11k | |
231 | 3.11k | assert(filename); |
232 | 3.11k | assert(lvalue); |
233 | 3.11k | assert(rvalue); |
234 | 3.11k | |
235 | 3.11k | r = expose_port_parse(&s->expose_ports, rvalue); |
236 | 3.11k | if (r == -EEXIST) { |
237 | 443 | log_syntax(unit, LOG_ERR, filename, line, r, "Duplicate port specification, ignoring: %s", rvalue); |
238 | 443 | return 0; |
239 | 443 | } |
240 | 2.66k | if (r < 0) { |
241 | 2.31k | log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse host port %s: %m", rvalue); |
242 | 2.31k | return 0; |
243 | 2.31k | } |
244 | 353 | |
245 | 353 | return 0; |
246 | 353 | } |
247 | | |
248 | | int config_parse_capability( |
249 | | const char *unit, |
250 | | const char *filename, |
251 | | unsigned line, |
252 | | const char *section, |
253 | | unsigned section_line, |
254 | | const char *lvalue, |
255 | | int ltype, |
256 | | const char *rvalue, |
257 | | void *data, |
258 | 1.30k | void *userdata) { |
259 | 1.30k | |
260 | 1.30k | uint64_t u = 0, *result = data; |
261 | 1.30k | int r; |
262 | 1.30k | |
263 | 1.30k | assert(filename); |
264 | 1.30k | assert(lvalue); |
265 | 1.30k | assert(rvalue); |
266 | 1.30k | |
267 | 6.90k | for (;;) { |
268 | 6.90k | _cleanup_free_ char *word = NULL; |
269 | 6.90k | |
270 | 6.90k | r = extract_first_word(&rvalue, &word, NULL, 0); |
271 | 6.90k | if (r < 0) { |
272 | 388 | log_syntax(unit, LOG_ERR, filename, line, r, "Failed to extract capability string, ignoring: %s", rvalue); |
273 | 388 | return 0; |
274 | 388 | } |
275 | 6.51k | if (r == 0) |
276 | 917 | break; |
277 | 5.60k | |
278 | 5.60k | r = capability_from_name(word); |
279 | 5.60k | if (r < 0) { |
280 | 3.86k | log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse capability, ignoring: %s", word); |
281 | 3.86k | continue; |
282 | 3.86k | } |
283 | 1.73k | |
284 | 1.73k | u |= UINT64_C(1) << r; |
285 | 1.73k | } |
286 | 1.30k | |
287 | 1.30k | if (u == 0) |
288 | 447 | return 0; |
289 | 470 | |
290 | 470 | *result |= u; |
291 | 470 | return 0; |
292 | 470 | } |
293 | | |
294 | | int config_parse_id128( |
295 | | const char *unit, |
296 | | const char *filename, |
297 | | unsigned line, |
298 | | const char *section, |
299 | | unsigned section_line, |
300 | | const char *lvalue, |
301 | | int ltype, |
302 | | const char *rvalue, |
303 | | void *data, |
304 | 2.84k | void *userdata) { |
305 | 2.84k | |
306 | 2.84k | sd_id128_t t, *result = data; |
307 | 2.84k | int r; |
308 | 2.84k | |
309 | 2.84k | assert(filename); |
310 | 2.84k | assert(lvalue); |
311 | 2.84k | assert(rvalue); |
312 | 2.84k | |
313 | 2.84k | r = sd_id128_from_string(rvalue, &t); |
314 | 2.84k | if (r < 0) { |
315 | 2.65k | log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse 128bit ID/UUID, ignoring: %s", rvalue); |
316 | 2.65k | return 0; |
317 | 2.65k | } |
318 | 196 | |
319 | 196 | *result = t; |
320 | 196 | return 0; |
321 | 196 | } |
322 | | |
323 | | int config_parse_pivot_root( |
324 | | const char *unit, |
325 | | const char *filename, |
326 | | unsigned line, |
327 | | const char *section, |
328 | | unsigned section_line, |
329 | | const char *lvalue, |
330 | | int ltype, |
331 | | const char *rvalue, |
332 | | void *data, |
333 | 1.19k | void *userdata) { |
334 | 1.19k | |
335 | 1.19k | Settings *settings = data; |
336 | 1.19k | int r; |
337 | 1.19k | |
338 | 1.19k | assert(filename); |
339 | 1.19k | assert(lvalue); |
340 | 1.19k | assert(rvalue); |
341 | 1.19k | |
342 | 1.19k | r = pivot_root_parse(&settings->pivot_root_new, &settings->pivot_root_old, rvalue); |
343 | 1.19k | if (r < 0) { |
344 | 607 | log_syntax(unit, LOG_ERR, filename, line, r, "Invalid pivot root mount specification %s: %m", rvalue); |
345 | 607 | return 0; |
346 | 607 | } |
347 | 583 | |
348 | 583 | return 0; |
349 | 583 | } |
350 | | |
351 | | int config_parse_bind( |
352 | | const char *unit, |
353 | | const char *filename, |
354 | | unsigned line, |
355 | | const char *section, |
356 | | unsigned section_line, |
357 | | const char *lvalue, |
358 | | int ltype, |
359 | | const char *rvalue, |
360 | | void *data, |
361 | 57.8k | void *userdata) { |
362 | 57.8k | |
363 | 57.8k | Settings *settings = data; |
364 | 57.8k | int r; |
365 | 57.8k | |
366 | 57.8k | assert(filename); |
367 | 57.8k | assert(lvalue); |
368 | 57.8k | assert(rvalue); |
369 | 57.8k | |
370 | 57.8k | r = bind_mount_parse(&settings->custom_mounts, &settings->n_custom_mounts, rvalue, ltype); |
371 | 57.8k | if (r < 0) { |
372 | 3.26k | log_syntax(unit, LOG_ERR, filename, line, r, "Invalid bind mount specification %s: %m", rvalue); |
373 | 3.26k | return 0; |
374 | 3.26k | } |
375 | 54.5k | |
376 | 54.5k | return 0; |
377 | 54.5k | } |
378 | | |
379 | | int config_parse_tmpfs( |
380 | | const char *unit, |
381 | | const char *filename, |
382 | | unsigned line, |
383 | | const char *section, |
384 | | unsigned section_line, |
385 | | const char *lvalue, |
386 | | int ltype, |
387 | | const char *rvalue, |
388 | | void *data, |
389 | 4.18k | void *userdata) { |
390 | 4.18k | |
391 | 4.18k | Settings *settings = data; |
392 | 4.18k | int r; |
393 | 4.18k | |
394 | 4.18k | assert(filename); |
395 | 4.18k | assert(lvalue); |
396 | 4.18k | assert(rvalue); |
397 | 4.18k | |
398 | 4.18k | r = tmpfs_mount_parse(&settings->custom_mounts, &settings->n_custom_mounts, rvalue); |
399 | 4.18k | if (r < 0) { |
400 | 2.30k | log_syntax(unit, LOG_ERR, filename, line, r, "Invalid temporary file system specification %s: %m", rvalue); |
401 | 2.30k | return 0; |
402 | 2.30k | } |
403 | 1.88k | |
404 | 1.88k | return 0; |
405 | 1.88k | } |
406 | | |
407 | | int config_parse_inaccessible( |
408 | | const char *unit, |
409 | | const char *filename, |
410 | | unsigned line, |
411 | | const char *section, |
412 | | unsigned section_line, |
413 | | const char *lvalue, |
414 | | int ltype, |
415 | | const char *rvalue, |
416 | | void *data, |
417 | 0 | void *userdata) { |
418 | 0 |
|
419 | 0 | Settings *settings = data; |
420 | 0 | int r; |
421 | 0 |
|
422 | 0 | assert(filename); |
423 | 0 | assert(lvalue); |
424 | 0 | assert(rvalue); |
425 | 0 |
|
426 | 0 | r = inaccessible_mount_parse(&settings->custom_mounts, &settings->n_custom_mounts, rvalue); |
427 | 0 | if (r < 0) { |
428 | 0 | log_syntax(unit, LOG_ERR, filename, line, r, "Invalid inaccessible file system specification %s: %m", rvalue); |
429 | 0 | return 0; |
430 | 0 | } |
431 | 0 |
|
432 | 0 | return 0; |
433 | 0 | } |
434 | | |
435 | | int config_parse_overlay( |
436 | | const char *unit, |
437 | | const char *filename, |
438 | | unsigned line, |
439 | | const char *section, |
440 | | unsigned section_line, |
441 | | const char *lvalue, |
442 | | int ltype, |
443 | | const char *rvalue, |
444 | | void *data, |
445 | 3.61k | void *userdata) { |
446 | 3.61k | |
447 | 3.61k | Settings *settings = data; |
448 | 3.61k | int r; |
449 | 3.61k | |
450 | 3.61k | assert(filename); |
451 | 3.61k | assert(lvalue); |
452 | 3.61k | assert(rvalue); |
453 | 3.61k | |
454 | 3.61k | r = overlay_mount_parse(&settings->custom_mounts, &settings->n_custom_mounts, rvalue, ltype); |
455 | 3.61k | if (r < 0) |
456 | 3.61k | log_syntax(unit, LOG_ERR, filename, line, r, "Invalid overlay file system specification %s, ignoring: %m", rvalue); |
457 | 3.61k | |
458 | 3.61k | return 0; |
459 | 3.61k | } |
460 | | |
461 | | int config_parse_veth_extra( |
462 | | const char *unit, |
463 | | const char *filename, |
464 | | unsigned line, |
465 | | const char *section, |
466 | | unsigned section_line, |
467 | | const char *lvalue, |
468 | | int ltype, |
469 | | const char *rvalue, |
470 | | void *data, |
471 | 36.0k | void *userdata) { |
472 | 36.0k | |
473 | 36.0k | Settings *settings = data; |
474 | 36.0k | int r; |
475 | 36.0k | |
476 | 36.0k | assert(filename); |
477 | 36.0k | assert(lvalue); |
478 | 36.0k | assert(rvalue); |
479 | 36.0k | |
480 | 36.0k | r = veth_extra_parse(&settings->network_veth_extra, rvalue); |
481 | 36.0k | if (r < 0) { |
482 | 2.50k | log_syntax(unit, LOG_ERR, filename, line, r, "Invalid extra virtual Ethernet link specification %s: %m", rvalue); |
483 | 2.50k | return 0; |
484 | 2.50k | } |
485 | 33.5k | |
486 | 33.5k | return 0; |
487 | 33.5k | } |
488 | | |
489 | | int config_parse_network_zone( |
490 | | const char *unit, |
491 | | const char *filename, |
492 | | unsigned line, |
493 | | const char *section, |
494 | | unsigned section_line, |
495 | | const char *lvalue, |
496 | | int ltype, |
497 | | const char *rvalue, |
498 | | void *data, |
499 | 1.49k | void *userdata) { |
500 | 1.49k | |
501 | 1.49k | Settings *settings = data; |
502 | 1.49k | _cleanup_free_ char *j = NULL; |
503 | 1.49k | |
504 | 1.49k | assert(filename); |
505 | 1.49k | assert(lvalue); |
506 | 1.49k | assert(rvalue); |
507 | 1.49k | |
508 | 1.49k | j = strappend("vz-", rvalue); |
509 | 1.49k | if (!ifname_valid(j)) { |
510 | 1.11k | log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid network zone name, ignoring: %s", rvalue); |
511 | 1.11k | return 0; |
512 | 1.11k | } |
513 | 382 | |
514 | 382 | free_and_replace(settings->network_zone, j); |
515 | 382 | |
516 | 382 | return 0; |
517 | 382 | } |
518 | | |
519 | | int config_parse_boot( |
520 | | const char *unit, |
521 | | const char *filename, |
522 | | unsigned line, |
523 | | const char *section, |
524 | | unsigned section_line, |
525 | | const char *lvalue, |
526 | | int ltype, |
527 | | const char *rvalue, |
528 | | void *data, |
529 | 3.21k | void *userdata) { |
530 | 3.21k | |
531 | 3.21k | Settings *settings = data; |
532 | 3.21k | int r; |
533 | 3.21k | |
534 | 3.21k | assert(filename); |
535 | 3.21k | assert(lvalue); |
536 | 3.21k | assert(rvalue); |
537 | 3.21k | |
538 | 3.21k | r = parse_boolean(rvalue); |
539 | 3.21k | if (r < 0) { |
540 | 453 | log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse Boot= parameter %s, ignoring: %m", rvalue); |
541 | 453 | return 0; |
542 | 453 | } |
543 | 2.76k | |
544 | 2.76k | if (r > 0) { |
545 | 1.35k | if (settings->start_mode == START_PID2) |
546 | 313 | goto conflict; |
547 | 1.04k | |
548 | 1.04k | settings->start_mode = START_BOOT; |
549 | 1.40k | } else { |
550 | 1.40k | if (settings->start_mode == START_BOOT) |
551 | 437 | goto conflict; |
552 | 970 | |
553 | 970 | if (settings->start_mode < 0) |
554 | 66 | settings->start_mode = START_PID1; |
555 | 970 | } |
556 | 2.76k | |
557 | 2.76k | return 0; |
558 | 750 | |
559 | 750 | conflict: |
560 | 750 | log_syntax(unit, LOG_ERR, filename, line, r, "Conflicting Boot= or ProcessTwo= setting found. Ignoring."); |
561 | 750 | return 0; |
562 | 2.76k | } |
563 | | |
564 | | int config_parse_pid2( |
565 | | const char *unit, |
566 | | const char *filename, |
567 | | unsigned line, |
568 | | const char *section, |
569 | | unsigned section_line, |
570 | | const char *lvalue, |
571 | | int ltype, |
572 | | const char *rvalue, |
573 | | void *data, |
574 | 1.18k | void *userdata) { |
575 | 1.18k | |
576 | 1.18k | Settings *settings = data; |
577 | 1.18k | int r; |
578 | 1.18k | |
579 | 1.18k | assert(filename); |
580 | 1.18k | assert(lvalue); |
581 | 1.18k | assert(rvalue); |
582 | 1.18k | |
583 | 1.18k | r = parse_boolean(rvalue); |
584 | 1.18k | if (r < 0) { |
585 | 203 | log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse ProcessTwo= parameter %s, ignoring: %m", rvalue); |
586 | 203 | return 0; |
587 | 203 | } |
588 | 980 | |
589 | 980 | if (r > 0) { |
590 | 433 | if (settings->start_mode == START_BOOT) |
591 | 212 | goto conflict; |
592 | 221 | |
593 | 221 | settings->start_mode = START_PID2; |
594 | 547 | } else { |
595 | 547 | if (settings->start_mode == START_PID2) |
596 | 194 | goto conflict; |
597 | 353 | |
598 | 353 | if (settings->start_mode < 0) |
599 | 7 | settings->start_mode = START_PID1; |
600 | 353 | } |
601 | 980 | |
602 | 980 | return 0; |
603 | 406 | |
604 | 406 | conflict: |
605 | 406 | log_syntax(unit, LOG_ERR, filename, line, r, "Conflicting Boot= or ProcessTwo= setting found. Ignoring."); |
606 | 406 | return 0; |
607 | 980 | } |
608 | | |
609 | | int config_parse_private_users( |
610 | | const char *unit, |
611 | | const char *filename, |
612 | | unsigned line, |
613 | | const char *section, |
614 | | unsigned section_line, |
615 | | const char *lvalue, |
616 | | int ltype, |
617 | | const char *rvalue, |
618 | | void *data, |
619 | 3.61k | void *userdata) { |
620 | 3.61k | |
621 | 3.61k | Settings *settings = data; |
622 | 3.61k | int r; |
623 | 3.61k | |
624 | 3.61k | assert(filename); |
625 | 3.61k | assert(lvalue); |
626 | 3.61k | assert(rvalue); |
627 | 3.61k | |
628 | 3.61k | r = parse_boolean(rvalue); |
629 | 3.61k | if (r == 0) { |
630 | 317 | /* no: User namespacing off */ |
631 | 317 | settings->userns_mode = USER_NAMESPACE_NO; |
632 | 317 | settings->uid_shift = UID_INVALID; |
633 | 317 | settings->uid_range = UINT32_C(0x10000); |
634 | 3.29k | } else if (r > 0) { |
635 | 194 | /* yes: User namespacing on, UID range is read from root dir */ |
636 | 194 | settings->userns_mode = USER_NAMESPACE_FIXED; |
637 | 194 | settings->uid_shift = UID_INVALID; |
638 | 194 | settings->uid_range = UINT32_C(0x10000); |
639 | 3.10k | } else if (streq(rvalue, "pick")) { |
640 | 194 | /* pick: User namespacing on, UID range is picked randomly */ |
641 | 194 | settings->userns_mode = USER_NAMESPACE_PICK; |
642 | 194 | settings->uid_shift = UID_INVALID; |
643 | 194 | settings->uid_range = UINT32_C(0x10000); |
644 | 2.90k | } else { |
645 | 2.90k | const char *range, *shift; |
646 | 2.90k | uid_t sh, rn; |
647 | 2.90k | |
648 | 2.90k | /* anything else: User namespacing on, UID range is explicitly configured */ |
649 | 2.90k | |
650 | 2.90k | range = strchr(rvalue, ':'); |
651 | 2.90k | if (range) { |
652 | 1.21k | shift = strndupa(rvalue, range - rvalue); |
653 | 1.21k | range++; |
654 | 1.21k | |
655 | 1.21k | r = safe_atou32(range, &rn); |
656 | 1.21k | if (r < 0 || rn <= 0) { |
657 | 806 | log_syntax(unit, LOG_ERR, filename, line, r, "UID/GID range invalid, ignoring: %s", range); |
658 | 806 | return 0; |
659 | 806 | } |
660 | 1.69k | } else { |
661 | 1.69k | shift = rvalue; |
662 | 1.69k | rn = UINT32_C(0x10000); |
663 | 1.69k | } |
664 | 2.90k | |
665 | 2.90k | r = parse_uid(shift, &sh); |
666 | 2.10k | if (r < 0) { |
667 | 1.57k | log_syntax(unit, LOG_ERR, filename, line, r, "UID/GID shift invalid, ignoring: %s", range); |
668 | 1.57k | return 0; |
669 | 1.57k | } |
670 | 528 | |
671 | 528 | settings->userns_mode = USER_NAMESPACE_FIXED; |
672 | 528 | settings->uid_shift = sh; |
673 | 528 | settings->uid_range = rn; |
674 | 528 | } |
675 | 3.61k | |
676 | 3.61k | return 0; |
677 | 3.61k | } |
678 | | |
679 | | int config_parse_syscall_filter( |
680 | | const char *unit, |
681 | | const char *filename, |
682 | | unsigned line, |
683 | | const char *section, |
684 | | unsigned section_line, |
685 | | const char *lvalue, |
686 | | int ltype, |
687 | | const char *rvalue, |
688 | | void *data, |
689 | 1.86k | void *userdata) { |
690 | 1.86k | |
691 | 1.86k | Settings *settings = data; |
692 | 1.86k | bool negative; |
693 | 1.86k | const char *items; |
694 | 1.86k | int r; |
695 | 1.86k | |
696 | 1.86k | assert(filename); |
697 | 1.86k | assert(lvalue); |
698 | 1.86k | assert(rvalue); |
699 | 1.86k | |
700 | 1.86k | negative = rvalue[0] == '~'; |
701 | 1.86k | items = negative ? rvalue + 1 : rvalue; |
702 | 1.86k | |
703 | 72.4k | for (;;) { |
704 | 72.4k | _cleanup_free_ char *word = NULL; |
705 | 72.4k | |
706 | 72.4k | r = extract_first_word(&items, &word, NULL, 0); |
707 | 72.4k | if (r == 0) |
708 | 1.67k | break; |
709 | 70.7k | if (r == -ENOMEM) |
710 | 70.7k | return log_oom(); |
711 | 70.7k | if (r < 0) { |
712 | 194 | log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse SystemCallFilter= parameter %s, ignoring: %m", rvalue); |
713 | 194 | return 0; |
714 | 194 | } |
715 | 70.6k | |
716 | 70.6k | if (negative) |
717 | 2.05k | r = strv_extend(&settings->syscall_blacklist, word); |
718 | 68.5k | else |
719 | 68.5k | r = strv_extend(&settings->syscall_whitelist, word); |
720 | 70.6k | if (r < 0) |
721 | 0 | return log_oom(); |
722 | 70.6k | } |
723 | 1.86k | |
724 | 1.86k | return 0; |
725 | 1.86k | } |
726 | | |
727 | | int config_parse_hostname( |
728 | | const char *unit, |
729 | | const char *filename, |
730 | | unsigned line, |
731 | | const char *section, |
732 | | unsigned section_line, |
733 | | const char *lvalue, |
734 | | int ltype, |
735 | | const char *rvalue, |
736 | | void *data, |
737 | 2.96k | void *userdata) { |
738 | 2.96k | |
739 | 2.96k | char **s = data; |
740 | 2.96k | |
741 | 2.96k | assert(rvalue); |
742 | 2.96k | assert(s); |
743 | 2.96k | |
744 | 2.96k | if (!hostname_is_valid(rvalue, false)) { |
745 | 2.71k | log_syntax(unit, LOG_ERR, filename, line, 0, "Invalid hostname, ignoring: %s", rvalue); |
746 | 2.71k | return 0; |
747 | 2.71k | } |
748 | 245 | |
749 | 245 | if (free_and_strdup(s, empty_to_null(rvalue)) < 0) |
750 | 0 | return log_oom(); |
751 | 245 | |
752 | 245 | return 0; |
753 | 245 | } |
754 | | |
755 | | int config_parse_oom_score_adjust( |
756 | | const char *unit, |
757 | | const char *filename, |
758 | | unsigned line, |
759 | | const char *section, |
760 | | unsigned section_line, |
761 | | const char *lvalue, |
762 | | int ltype, |
763 | | const char *rvalue, |
764 | | void *data, |
765 | 0 | void *userdata) { |
766 | 0 |
|
767 | 0 | Settings *settings = data; |
768 | 0 | int oa, r; |
769 | 0 |
|
770 | 0 | assert(rvalue); |
771 | 0 | assert(settings); |
772 | 0 |
|
773 | 0 | if (isempty(rvalue)) { |
774 | 0 | settings->oom_score_adjust_set = false; |
775 | 0 | return 0; |
776 | 0 | } |
777 | 0 | |
778 | 0 | r = parse_oom_score_adjust(rvalue, &oa); |
779 | 0 | if (r == -ERANGE) { |
780 | 0 | log_syntax(unit, LOG_ERR, filename, line, r, "OOM score adjust value out of range, ignoring: %s", rvalue); |
781 | 0 | return 0; |
782 | 0 | } |
783 | 0 | if (r < 0) { |
784 | 0 | log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse the OOM score adjust value, ignoring: %s", rvalue); |
785 | 0 | return 0; |
786 | 0 | } |
787 | 0 |
|
788 | 0 | settings->oom_score_adjust = oa; |
789 | 0 | settings->oom_score_adjust_set = true; |
790 | 0 |
|
791 | 0 | return 0; |
792 | 0 | } |
793 | | |
794 | | int config_parse_cpu_affinity( |
795 | | const char *unit, |
796 | | const char *filename, |
797 | | unsigned line, |
798 | | const char *section, |
799 | | unsigned section_line, |
800 | | const char *lvalue, |
801 | | int ltype, |
802 | | const char *rvalue, |
803 | | void *data, |
804 | 0 | void *userdata) { |
805 | 0 |
|
806 | 0 | Settings *settings = data; |
807 | 0 |
|
808 | 0 | assert(rvalue); |
809 | 0 | assert(settings); |
810 | 0 |
|
811 | 0 | return parse_cpu_set_extend(rvalue, &settings->cpu_set, true, unit, filename, line, lvalue); |
812 | 0 | } |
813 | | |
814 | | DEFINE_CONFIG_PARSE_ENUM(config_parse_resolv_conf, resolv_conf_mode, ResolvConfMode, "Failed to parse resolv.conf mode"); |
815 | | |
816 | | static const char *const resolv_conf_mode_table[_RESOLV_CONF_MODE_MAX] = { |
817 | | [RESOLV_CONF_OFF] = "off", |
818 | | [RESOLV_CONF_COPY_HOST] = "copy-host", |
819 | | [RESOLV_CONF_COPY_STATIC] = "copy-static", |
820 | | [RESOLV_CONF_BIND_HOST] = "bind-host", |
821 | | [RESOLV_CONF_BIND_STATIC] = "bind-static", |
822 | | [RESOLV_CONF_DELETE] = "delete", |
823 | | [RESOLV_CONF_AUTO] = "auto", |
824 | | }; |
825 | | |
826 | | DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(resolv_conf_mode, ResolvConfMode, RESOLV_CONF_AUTO); |
827 | | |
828 | 2.05k | int parse_link_journal(const char *s, LinkJournal *ret_mode, bool *ret_try) { |
829 | 2.05k | assert(s); |
830 | 2.05k | assert(ret_mode); |
831 | 2.05k | assert(ret_try); |
832 | 2.05k | |
833 | 2.05k | if (streq(s, "auto")) { |
834 | 194 | *ret_mode = LINK_AUTO; |
835 | 194 | *ret_try = false; |
836 | 1.85k | } else if (streq(s, "no")) { |
837 | 348 | *ret_mode = LINK_NO; |
838 | 348 | *ret_try = false; |
839 | 1.50k | } else if (streq(s, "guest")) { |
840 | 197 | *ret_mode = LINK_GUEST; |
841 | 197 | *ret_try = false; |
842 | 1.31k | } else if (streq(s, "host")) { |
843 | 194 | *ret_mode = LINK_HOST; |
844 | 194 | *ret_try = false; |
845 | 1.11k | } else if (streq(s, "try-guest")) { |
846 | 194 | *ret_mode = LINK_GUEST; |
847 | 194 | *ret_try = true; |
848 | 923 | } else if (streq(s, "try-host")) { |
849 | 194 | *ret_mode = LINK_HOST; |
850 | 194 | *ret_try = true; |
851 | 194 | } else |
852 | 729 | return -EINVAL; |
853 | 1.32k | |
854 | 1.32k | return 0; |
855 | 1.32k | } |
856 | | |
857 | | int config_parse_link_journal( |
858 | | const char *unit, |
859 | | const char *filename, |
860 | | unsigned line, |
861 | | const char *section, |
862 | | unsigned section_line, |
863 | | const char *lvalue, |
864 | | int ltype, |
865 | | const char *rvalue, |
866 | | void *data, |
867 | 2.05k | void *userdata) { |
868 | 2.05k | |
869 | 2.05k | Settings *settings = data; |
870 | 2.05k | int r; |
871 | 2.05k | |
872 | 2.05k | assert(rvalue); |
873 | 2.05k | assert(settings); |
874 | 2.05k | |
875 | 2.05k | r = parse_link_journal(rvalue, &settings->link_journal, &settings->link_journal_try); |
876 | 2.05k | if (r < 0) { |
877 | 729 | log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse link journal mode, ignoring: %s", rvalue); |
878 | 729 | return 0; |
879 | 729 | } |
880 | 1.32k | |
881 | 1.32k | return 0; |
882 | 1.32k | } |
883 | | |
884 | | DEFINE_CONFIG_PARSE_ENUM(config_parse_timezone, timezone_mode, TimezoneMode, "Failed to parse timezone mode"); |
885 | | |
886 | | static const char *const timezone_mode_table[_TIMEZONE_MODE_MAX] = { |
887 | | [TIMEZONE_OFF] = "off", |
888 | | [TIMEZONE_COPY] = "copy", |
889 | | [TIMEZONE_BIND] = "bind", |
890 | | [TIMEZONE_SYMLINK] = "symlink", |
891 | | [TIMEZONE_DELETE] = "delete", |
892 | | [TIMEZONE_AUTO] = "auto", |
893 | | }; |
894 | | |
895 | | DEFINE_STRING_TABLE_LOOKUP_WITH_BOOLEAN(timezone_mode, TimezoneMode, TIMEZONE_AUTO); |