morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 08:25:20 +09:00
Code Issues Packages Projects Releases Wiki Activity

core: rename BindJournalSockets= to BindLogSockets=

Browse Source 
Addresses https://github.com/systemd/systemd/pull/32487#issuecomment-2328465309
This commit is contained in:
Mike Yuan
2024-09-04 15:06:39 +02:00
parent cc4f736ae3
commit 7a9f0125bb
15 changed files with 49 additions and 49 deletions
Download Patch File Download Diff File Expand all files Collapse all files

32
man/org.freedesktop.systemd1.xml
View File

@@ -3333,7 +3333,7 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b MountAPIVFS = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b BindJournalSockets = ...;
readonly b BindLogSockets = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s KeyringMode = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
@@ -3934,7 +3934,7 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<!--property MountAPIVFS is not documented!-->
<!--property BindJournalSockets is not documented!-->
<!--property BindLogSockets is not documented!-->
<!--property KeyringMode is not documented!-->
@@ -4646,7 +4646,7 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
<variablelist class="dbus-property" generated="True" extra-ref="MountAPIVFS"/>
<variablelist class="dbus-property" generated="True" extra-ref="BindJournalSockets"/>
<variablelist class="dbus-property" generated="True" extra-ref="BindLogSockets"/>
<variablelist class="dbus-property" generated="True" extra-ref="KeyringMode"/>
@@ -5474,7 +5474,7 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b MountAPIVFS = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b BindJournalSockets = ...;
readonly b BindLogSockets = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s KeyringMode = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
@@ -6087,7 +6087,7 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<!--property MountAPIVFS is not documented!-->
<!--property BindJournalSockets is not documented!-->
<!--property BindLogSockets is not documented!-->
<!--property KeyringMode is not documented!-->
@@ -6773,7 +6773,7 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
<variablelist class="dbus-property" generated="True" extra-ref="MountAPIVFS"/>
<variablelist class="dbus-property" generated="True" extra-ref="BindJournalSockets"/>
<variablelist class="dbus-property" generated="True" extra-ref="BindLogSockets"/>
<variablelist class="dbus-property" generated="True" extra-ref="KeyringMode"/>
@@ -7465,7 +7465,7 @@ node /org/freedesktop/systemd1/unit/home_2emount {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b MountAPIVFS = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b BindJournalSockets = ...;
readonly b BindLogSockets = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s KeyringMode = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
@@ -8004,7 +8004,7 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<!--property MountAPIVFS is not documented!-->
<!--property BindJournalSockets is not documented!-->
<!--property BindLogSockets is not documented!-->
<!--property KeyringMode is not documented!-->
@@ -8602,7 +8602,7 @@ node /org/freedesktop/systemd1/unit/home_2emount {
<variablelist class="dbus-property" generated="True" extra-ref="MountAPIVFS"/>
<variablelist class="dbus-property" generated="True" extra-ref="BindJournalSockets"/>
<variablelist class="dbus-property" generated="True" extra-ref="BindLogSockets"/>
<variablelist class="dbus-property" generated="True" extra-ref="KeyringMode"/>
@@ -9417,7 +9417,7 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b MountAPIVFS = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly b BindJournalSockets = ...;
readonly b BindLogSockets = ...;
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
readonly s KeyringMode = '...';
@org.freedesktop.DBus.Property.EmitsChangedSignal("const")
@@ -9942,7 +9942,7 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<!--property MountAPIVFS is not documented!-->
<!--property BindJournalSockets is not documented!-->
<!--property BindLogSockets is not documented!-->
<!--property KeyringMode is not documented!-->
@@ -10526,7 +10526,7 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
<variablelist class="dbus-property" generated="True" extra-ref="MountAPIVFS"/>
<variablelist class="dbus-property" generated="True" extra-ref="BindJournalSockets"/>
<variablelist class="dbus-property" generated="True" extra-ref="BindLogSockets"/>
<variablelist class="dbus-property" generated="True" extra-ref="KeyringMode"/>
@@ -12175,7 +12175,7 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>LiveMountResult</varname>,
<varname>PrivateTmpEx</varname>,
<varname>ImportCredentialEx</varname>, and
<varname>BindJournalSockets</varname> were added in version 257.</para>
<varname>BindLogSockets</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Socket Unit Objects</title>
@@ -12214,7 +12214,7 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>PassFileDescriptorsToExec</varname> were added in version 256.</para>
<para><varname>PrivateTmpEx</varname>,
<varname>ImportCredentialEx</varname>, and
<varname>BindJournalSockets</varname> were added in version 257.</para>
<varname>BindLogSockets</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Mount Unit Objects</title>
@@ -12250,7 +12250,7 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>MemoryZSwapWriteback</varname> were added in version 256.</para>
<para><varname>PrivateTmpEx</varname>,
<varname>ImportCredentialEx</varname>, and
<varname>BindJournalSockets</varname> were added in version 257.</para>
<varname>BindLogSockets</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Swap Unit Objects</title>
@@ -12286,7 +12286,7 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
<varname>MemoryZSwapWriteback</varname> were added in version 256.</para>
<para><varname>PrivateTmpEx</varname>,
<varname>ImportCredentialEx</varname>, and
<varname>BindJournalSockets</varname> were added in version 257.</para>
<varname>BindLogSockets</varname> were added in version 257.</para>
</refsect2>
<refsect2>
<title>Slice Unit Objects</title>

2
man/systemd.exec.xml
View File

@@ -367,7 +367,7 @@
</varlistentry>
<varlistentry>
<term><varname>BindJournalSockets=</varname></term>
<term><varname>BindLogSockets=</varname></term>
<listitem><para>Takes a boolean argument. If true, sockets from <citerefentry>
<refentrytitle>systemd-journald.socket</refentrytitle><manvolnum>8</manvolnum></citerefentry>

8
src/core/dbus-execute.c
View File

@@ -55,7 +55,7 @@ static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_protect_system, protect_system,
static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_personality, personality, unsigned long);
static BUS_DEFINE_PROPERTY_GET(property_get_ioprio, "i", ExecContext, exec_context_get_effective_ioprio);
static BUS_DEFINE_PROPERTY_GET(property_get_mount_apivfs, "b", ExecContext, exec_context_get_effective_mount_apivfs);
static BUS_DEFINE_PROPERTY_GET(property_get_bind_journal_sockets, "b", ExecContext, exec_context_get_effective_bind_journal_sockets);
static BUS_DEFINE_PROPERTY_GET(property_get_bind_log_sockets, "b", ExecContext, exec_context_get_effective_bind_log_sockets);
static BUS_DEFINE_PROPERTY_GET2(property_get_ioprio_class, "i", ExecContext, exec_context_get_effective_ioprio, ioprio_prio_class);
static BUS_DEFINE_PROPERTY_GET2(property_get_ioprio_priority, "i", ExecContext, exec_context_get_effective_ioprio, ioprio_prio_data);
static BUS_DEFINE_PROPERTY_GET_GLOBAL(property_get_empty_string, "s", NULL);
@@ -1194,7 +1194,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY("BindReadOnlyPaths", "a(ssbt)", property_get_bind_paths, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("TemporaryFileSystem", "a(ss)", property_get_temporary_filesystems, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("MountAPIVFS", "b", property_get_mount_apivfs, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("BindJournalSockets", "b", property_get_bind_journal_sockets, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("BindLogSockets", "b", property_get_bind_log_sockets, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("KeyringMode", "s", property_get_exec_keyring_mode, offsetof(ExecContext, keyring_mode), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ProtectProc", "s", property_get_protect_proc, offsetof(ExecContext, protect_proc), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ProcSubset", "s", property_get_proc_subset, offsetof(ExecContext, proc_subset), SD_BUS_VTABLE_PROPERTY_CONST),
@@ -1866,8 +1866,8 @@ int bus_exec_context_set_transient_property(
if (streq(name, "MountAPIVFS"))
return bus_set_transient_tristate(u, name, &c->mount_apivfs, message, flags, error);
if (streq(name, "BindJournalSockets"))
return bus_set_transient_tristate(u, name, &c->bind_journal_sockets, message, flags, error);
if (streq(name, "BindLogSockets"))
return bus_set_transient_tristate(u, name, &c->bind_log_sockets, message, flags, error);
if (streq(name, "PrivateNetwork"))
return bus_set_transient_bool(u, name, &c->private_network, message, flags, error);

4
src/core/exec-invoke.c
View File

@@ -3226,7 +3226,7 @@ static int apply_mount_namespace(
.private_tmp = needs_sandboxing ? context->private_tmp : false,
.mount_apivfs = needs_sandboxing && exec_context_get_effective_mount_apivfs(context),
.bind_journal_sockets = needs_sandboxing && exec_context_get_effective_bind_journal_sockets(context),
.bind_log_sockets = needs_sandboxing && exec_context_get_effective_bind_log_sockets(context),
/* If NNP is on, we can turn on MS_NOSUID, since it won't have any effect anymore. */
.mount_nosuid = needs_sandboxing && context->no_new_privileges && !mac_selinux_use(),
@@ -3848,7 +3848,7 @@ static bool exec_context_need_unprivileged_private_users(
context->ipc_namespace_path ||
context->private_mounts > 0 ||
context->mount_apivfs > 0 ||
context->bind_journal_sockets > 0 ||
context->bind_log_sockets > 0 ||
context->n_bind_mounts > 0 ||
context->n_temporary_filesystems > 0 ||
context->root_directory ||

6
src/core/execute-serialize.c
View File

@@ -1854,7 +1854,7 @@ static int exec_context_serialize(const ExecContext *c, FILE *f) {
if (r < 0)
return r;
r = serialize_item_tristate(f, "exec-context-bind-journal-sockets", c->bind_journal_sockets);
r = serialize_item_tristate(f, "exec-context-bind-log-sockets", c->bind_log_sockets);
if (r < 0)
return r;
@@ -2730,8 +2730,8 @@ static int exec_context_deserialize(ExecContext *c, FILE *f) {
r = safe_atoi(val, &c->mount_apivfs);
if (r < 0)
return r;
} else if ((val = startswith(l, "exec-context-bind-journal-sockets="))) {
r = safe_atoi(val, &c->bind_journal_sockets);
} else if ((val = startswith(l, "exec-context-bind-log-sockets="))) {
r = safe_atoi(val, &c->bind_log_sockets);
if (r < 0)
return r;
} else if ((val = startswith(l, "exec-context-memory-ksm="))) {

16
src/core/execute.c
View File

@@ -284,7 +284,7 @@ bool exec_needs_mount_namespace(
context->directories[EXEC_DIRECTORY_LOGS].n_items > 0))
return true;
if (exec_context_get_effective_bind_journal_sockets(context))
if (exec_context_get_effective_bind_log_sockets(context))
return true;
return false;
@@ -539,7 +539,7 @@ void exec_context_init(ExecContext *c) {
.tty_cols = UINT_MAX,
.private_mounts = -1,
.mount_apivfs = -1,
.bind_journal_sockets = -1,
.bind_log_sockets = -1,
.memory_ksm = -1,
.set_login_environment = -1,
};
@@ -980,7 +980,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
"%sProtectHome: %s\n"
"%sProtectSystem: %s\n"
"%sMountAPIVFS: %s\n"
"%sBindJournalSockets: %s\n"
"%sBindLogSockets: %s\n"
"%sIgnoreSIGPIPE: %s\n"
"%sMemoryDenyWriteExecute: %s\n"
"%sRestrictRealtime: %s\n"
@@ -1006,7 +1006,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
prefix, protect_home_to_string(c->protect_home),
prefix, protect_system_to_string(c->protect_system),
prefix, yes_no(exec_context_get_effective_mount_apivfs(c)),
prefix, yes_no(exec_context_get_effective_bind_journal_sockets(c)),
prefix, yes_no(exec_context_get_effective_bind_log_sockets(c)),
prefix, yes_no(c->ignore_sigpipe),
prefix, yes_no(c->memory_deny_write_execute),
prefix, yes_no(c->restrict_realtime),
@@ -1489,16 +1489,16 @@ bool exec_context_get_effective_mount_apivfs(const ExecContext *c) {
return false;
}
bool exec_context_get_effective_bind_journal_sockets(const ExecContext *c) {
bool exec_context_get_effective_bind_log_sockets(const ExecContext *c) {
assert(c);
/* If log namespace is specified, "/run/systemd/journal.namespace/" would be bind mounted to
* "/run/systemd/journal/", which effectively means BindJournalSockets=yes */
* "/run/systemd/journal/", which effectively means BindLogSockets=yes */
if (c->log_namespace)
return true;
if (c->bind_journal_sockets >= 0)
return c->bind_journal_sockets > 0;
if (c->bind_log_sockets >= 0)
return c->bind_log_sockets > 0;
if (exec_context_get_effective_mount_apivfs(c))
return true;

4
src/core/execute.h
View File

@@ -313,7 +313,7 @@ struct ExecContext {
int private_mounts;
int mount_apivfs;
int bind_journal_sockets;
int bind_log_sockets;
int memory_ksm;
PrivateTmp private_tmp;
bool private_network;
@@ -520,7 +520,7 @@ bool exec_context_maintains_privileges(const ExecContext *c);
int exec_context_get_effective_ioprio(const ExecContext *c);
bool exec_context_get_effective_mount_apivfs(const ExecContext *c);
bool exec_context_get_effective_bind_journal_sockets(const ExecContext *c);
bool exec_context_get_effective_bind_log_sockets(const ExecContext *c);
void exec_context_free_log_extra_fields(ExecContext *c);

2
src/core/load-fragment-gperf.gperf.in
View File

@@ -137,7 +137,7 @@
{{type}}.ProtectHome, config_parse_protect_home, 0, offsetof({{type}}, exec_context.protect_home)
{{type}}.MountFlags, config_parse_exec_mount_propagation_flag, 0, offsetof({{type}}, exec_context.mount_propagation_flag)
{{type}}.MountAPIVFS, config_parse_tristate, 0, offsetof({{type}}, exec_context.mount_apivfs)
{{type}}.BindJournalSockets, config_parse_tristate, 0, offsetof({{type}}, exec_context.bind_journal_sockets)
{{type}}.BindLogSockets, config_parse_tristate, 0, offsetof({{type}}, exec_context.bind_log_sockets)
{{type}}.Personality, config_parse_personality, 0, offsetof({{type}}, exec_context.personality)
{{type}}.RuntimeDirectoryPreserve, config_parse_exec_preserve_mode, 0, offsetof({{type}}, exec_context.runtime_directory_preserve_mode)
{{type}}.RuntimeDirectoryMode, config_parse_mode, 0, offsetof({{type}}, exec_context.directories[EXEC_DIRECTORY_RUNTIME].mode)

8
src/core/namespace.c
View File

@@ -120,7 +120,7 @@ typedef struct MountList {
size_t n_mounts;
} MountList;
static const BindMount bind_journal_sockets_table[] = {
static const BindMount bind_log_sockets_table[] = {
{ (char*) "/run/systemd/journal/socket", (char*) "/run/systemd/journal/socket", .read_only = true, .nosuid = true, .noexec = true, .nodev = true, .ignore_enoent = true },
{ (char*) "/run/systemd/journal/stdout", (char*) "/run/systemd/journal/stdout", .read_only = true, .nosuid = true, .noexec = true, .nodev = true, .ignore_enoent = true },
{ (char*) "/run/systemd/journal/dev-log", (char*) "/run/systemd/journal/dev-log", .read_only = true, .nosuid = true, .noexec = true, .nodev = true, .ignore_enoent = true },
@@ -1150,7 +1150,7 @@ static int mount_private_dev(const MountEntry *m, const NamespaceParameters *p)
/* We assume /run/systemd/journal/ is available if not changing root, which isn't entirely accurate
* but shouldn't matter, as either way the user would get ENOENT when accessing /dev/log */
if ((!p->root_image && !p->root_directory) || p->bind_journal_sockets) {
if ((!p->root_image && !p->root_directory) || p->bind_log_sockets) {
const char *devlog = strjoina(temporary_mount, "/dev/log");
if (symlink("/run/systemd/journal/dev-log", devlog) < 0)
log_debug_errno(errno,
@@ -2601,8 +2601,8 @@ int setup_namespace(const NamespaceParameters *p, char **error_path) {
.source_malloc = TAKE_PTR(q),
};
} else if (p->bind_journal_sockets) {
r = append_bind_mounts(&ml, bind_journal_sockets_table, ELEMENTSOF(bind_journal_sockets_table));
} else if (p->bind_log_sockets) {
r = append_bind_mounts(&ml, bind_log_sockets_table, ELEMENTSOF(bind_log_sockets_table));
if (r < 0)
return r;
}

2
src/core/namespace.h
View File

@@ -154,7 +154,7 @@ struct NamespaceParameters {
bool private_ipc;
bool mount_apivfs;
bool bind_journal_sockets;
bool bind_log_sockets;
bool mount_nosuid;
ProtectHome protect_home;

2
src/portable/profile/default/service.conf
View File

@@ -2,7 +2,7 @@
[Service]
MountAPIVFS=yes
BindJournalSockets=yes
BindLogSockets=yes
BindReadOnlyPaths=/etc/machine-id
BindReadOnlyPaths=-/etc/resolv.conf
BindReadOnlyPaths=/run/dbus/system_bus_socket

2
src/portable/profile/nonetwork/service.conf
View File

@@ -2,7 +2,7 @@
[Service]
MountAPIVFS=yes
BindJournalSockets=yes
BindLogSockets=yes
BindReadOnlyPaths=/etc/machine-id
BindReadOnlyPaths=/run/dbus/system_bus_socket
DynamicUser=yes

2
src/portable/profile/strict/service.conf
View File

@@ -2,7 +2,7 @@
[Service]
MountAPIVFS=yes
BindJournalSockets=yes
BindLogSockets=yes
BindReadOnlyPaths=/etc/machine-id
DynamicUser=yes
RemoveIPC=yes

2
src/shared/bus-unit-util.c
View File

@@ -1076,7 +1076,7 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
"ProtectClock",
"ProtectControlGroups",
"MountAPIVFS",
"BindJournalSockets",
"BindLogSockets",
"CPUSchedulingResetOnFork",
"LockPersonality",
"ProtectHostname",

6
test/units/TEST-50-DISSECT.dissect.sh
View File

@@ -74,9 +74,9 @@ fi
systemd-dissect --umount "$IMAGE_DIR/mount"
systemd-dissect --umount "$IMAGE_DIR/mount2"
# Test BindJournalSockets=
# Test BindLogSockets=
systemd-run --wait -p RootImage="$MINIMAL_IMAGE.raw" mountpoint /run/systemd/journal/socket
(! systemd-run --wait -p RootImage="$MINIMAL_IMAGE.raw" -p BindJournalSockets=no ls /run/systemd/journal/socket)
(! systemd-run --wait -p RootImage="$MINIMAL_IMAGE.raw" -p BindLogSockets=no ls /run/systemd/journal/socket)
(! systemd-run --wait -p RootImage="$MINIMAL_IMAGE.raw" -p MountAPIVFS=no ls /run/systemd/journal/socket)
systemd-run -P -p RootImage="$MINIMAL_IMAGE.raw" cat /usr/lib/os-release | grep -q -F "MARKER=1"
@@ -86,7 +86,7 @@ systemd-run -P \
-p RootImage="$MINIMAL_IMAGE.raw" \
-p RootHash="$MINIMAL_IMAGE.foohash" \
-p RootVerity="$MINIMAL_IMAGE.fooverity" \
-p BindJournalSockets=yes \
-p BindLogSockets=yes \
cat /usr/lib/os-release | grep -q -F "MARKER=1"
# Let's use the long option name just here as a test
systemd-run -P \