core: move check for combination of PAMName= + KillMode= to unit_verify_contexts()

While at it, allow "mixed" for all unit types too, i.e. also apply ebc2259da1 to socket/mount/swap units.
2026-04-14 00:14:32 +09:00 · 2024-08-25 23:42:07 +02:00
parent bca5505839
commit 2234032c47
6 changed files with 14 additions and 20 deletions
--- a/src/core/mount.c
+++ b/src/core/mount.c
@@ -574,9 +574,6 @@ static int mount_verify(Mount *m) {
        if (p && !p->what && !UNIT(m)->perpetual)
                return log_unit_error_errno(UNIT(m), SYNTHETIC_ERRNO(ENOEXEC), "What= setting is missing. Refusing.");

-        if (m->exec_context.pam_name && m->kill_context.kill_mode != KILL_CONTROL_GROUP)
-                return log_unit_error_errno(UNIT(m), SYNTHETIC_ERRNO(ENOEXEC), "Unit has PAM enabled. Kill mode must be set to control-group'. Refusing.");
-
        return 0;
 }

--- a/src/core/service.c
+++ b/src/core/service.c
@@ -683,9 +683,6 @@ static int service_verify(Service *s) {
        if (s->type == SERVICE_DBUS && !s->bus_name)
                return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Service is of type D-Bus but no D-Bus service name has been specified. Refusing.");

-        if (s->exec_context.pam_name && !IN_SET(s->kill_context.kill_mode, KILL_CONTROL_GROUP, KILL_MIXED))
-                return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Service has PAM enabled. Kill mode must be set to 'control-group' or 'mixed'. Refusing.");
-
        if (s->usb_function_descriptors && !s->usb_function_strings)
                log_unit_warning(UNIT(s), "Service has USBFunctionDescriptors= setting, but no USBFunctionStrings=. Ignoring.");

--- a/src/core/socket.c
+++ b/src/core/socket.c
@@ -419,9 +419,6 @@ static int socket_verify(Socket *s) {
        if (s->accept && UNIT_ISSET(s->service))
                return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Explicit service configuration for accepting socket units not supported. Refusing.");

-        if (s->exec_context.pam_name && s->kill_context.kill_mode != KILL_CONTROL_GROUP)
-                return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing.");
-
        if (!strv_isempty(s->symlinks) && !socket_find_symlink_target(s))
                return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Unit has symlinks set but none or more than one node in the file system. Refusing.");

--- a/src/core/swap.c
+++ b/src/core/swap.c
@@ -256,9 +256,6 @@ static int swap_verify(Swap *s) {
        if (!unit_has_name(UNIT(s), e))
                return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Value of What= and unit name do not match, not loading.");

-        if (s->exec_context.pam_name && s->kill_context.kill_mode != KILL_CONTROL_GROUP)
-                return log_unit_error_errno(UNIT(s), SYNTHETIC_ERRNO(ENOEXEC), "Unit has PAM enabled. Kill mode must be set to 'control-group'. Refusing to load.");
-
        return 0;
 }

--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4216,9 +4216,10 @@ static int user_from_unit_name(Unit *u, char **ret) {
        return 0;
 }

-static int unit_verify_contexts(const Unit *u, const ExecContext *ec) {
+static int unit_verify_contexts(const Unit *u) {
        assert(u);

+        const ExecContext *ec = unit_get_exec_context(u);
        if (!ec)
                return 0;

@@ -4232,6 +4233,11 @@ static int unit_verify_contexts(const Unit *u, const ExecContext *ec) {
            exec_needs_mount_namespace(ec, /* params = */ NULL, /* runtime = */ NULL))
                return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "WorkingDirectory= may not be below /proc/, /sys/ or /dev/ when using mount namespacing. Refusing.");

+        const KillContext *kc = unit_get_kill_context(u);
+
+        if (ec->pam_name && kc && !IN_SET(kc->kill_mode, KILL_CONTROL_GROUP, KILL_MIXED))
+                return log_unit_error_errno(u, SYNTHETIC_ERRNO(ENOEXEC), "Unit has PAM enabled. Kill mode must be set to 'control-group' or 'mixed'. Refusing.");
+
        return 0;
 }

@@ -4362,7 +4368,7 @@ int unit_patch_contexts(Unit *u) {
                }
        }

-        return unit_verify_contexts(u, ec);
+        return unit_verify_contexts(u);
 }

 ExecContext *unit_get_exec_context(const Unit *u) {
--- a/src/core/unit.h
+++ b/src/core/unit.h
@@ -926,15 +926,15 @@ void unit_ref_unset(UnitRef *ref);

 int unit_patch_contexts(Unit *u);

-ExecContext *unit_get_exec_context(const Unit *u) _pure_;
-KillContext *unit_get_kill_context(const Unit *u) _pure_;
-CGroupContext *unit_get_cgroup_context(const Unit *u) _pure_;
+ExecContext* unit_get_exec_context(const Unit *u) _pure_;
+KillContext* unit_get_kill_context(const Unit *u) _pure_;
+CGroupContext* unit_get_cgroup_context(const Unit *u) _pure_;

-ExecRuntime *unit_get_exec_runtime(const Unit *u) _pure_;
-CGroupRuntime *unit_get_cgroup_runtime(const Unit *u) _pure_;
+ExecRuntime* unit_get_exec_runtime(const Unit *u) _pure_;
+CGroupRuntime* unit_get_cgroup_runtime(const Unit *u) _pure_;

 int unit_setup_exec_runtime(Unit *u);
-CGroupRuntime *unit_setup_cgroup_runtime(Unit *u);
+CGroupRuntime* unit_setup_cgroup_runtime(Unit *u);

 const char* unit_escape_setting(const char *s, UnitWriteFlags flags, char **buf);
 char* unit_concat_strv(char **l, UnitWriteFlags flags);