Now that we dlopen() so many deps, it might happen by accident that we
end up dlopen()ening stuff when we entered a container, which we should
really avoid, to not mix host and container libraries.
Let's add a global variable we can set when we want to block dlopen() to
ever succeed. This is then checked primarily in
dlopen_many_sym_or_warn(), where we'll generate EPERM plus a log
message.
There are a couple of other places we invoke dlopen(), without going
through dlopen_many_sym_or_warn(). This adds the same check there.
The function socket_address_listen() is declared at shared/socket-label.c,
however its prototype was in basic/socket-util.h. This moves the
prototype to shared/socket-label.h.
Also, enum SocketAddressBindIPv6Only is not used anymore in basic/*.[ch].
Let's move the definition and its string table to shared/socket-label.[ch].
Follow-up for b25a930f0e.
This checks whether a file descriptor is valid and opened in a mode that
allows writing (O_WRONLY or O_RDWR). This is useful when we want to
verify that inherited FDs can actually be used for output operations
before dup'ing them.
The helper explicitly handles O_PATH file descriptors, which cannot be
used for I/O operations and thus are never writable.
$ sudo build/systemd-run --uid=asdf whoami
$ journalctl -e
(whoami)[1007784]: run-p1007782-i5200512.service: Failed to determine user credentials: No such process
(whoami)[1007784]: run-p1007782-i5200512.service: Failed at step USER spawning /usr/sbin/whoami: No such process
systemd[1]: run-p1007782-i5200512.service: Main process exited, code=exited, status=217/USER
systemd[1]: run-p1007782-i5200512.service: Failed with result 'exit-code'.
Now:
(whoami)[1013204]: run-p1013202-i5205932.service: Failed to determine credentials for user 'asdf': Unknown user
(whoami)[1013204]: run-p1013202-i5205932.service: Failed at step USER spawning /usr/sbin/whoami: Invalid argument
systemd[1]: run-p1013202-i5205932.service: Main process exited, code=exited, status=217/USER
systemd[1]: run-p1013202-i5205932.service: Failed with result 'exit-code'.
We cannot just use %m, because strerror returns a confusing error message
for ESRCH or ENOEXEC. udev code was doing a good job, but the error handling
was very verbose. Let's encapsulate the customized error messages in a
helper.
No functional change, except that the error messages have a slightly different
form now. The old messages were a bit better, but we don't have as much
flexibility in the new scheme. "Failed to resolve user 'foo': Unknown user"
should be good enough.
Nowadays, we append an extra NUL for each data if possible for safety.
We already do the same for example at write_to_kmsg(), log_do_context(),
write_to_journal(), log_struct_iovec_internal(), and so on.
This does not change any behavior, as the iov_len field is unchanged.
Now the controller part is always ignored, hence let's skip check for
the controller part of the spec. This also make it acceppt unnormalized
path. Previously paths were checked by path_is_normalized(), but now
checked by path_is_safe(). Also, now this mapps an empty path to NULL.
We have dropped cgroup v1 support in v258. When running on cgroup v2,
cg_get_path_and_check() with SYSTEMD_CGROUP_CONTROLLER as controller is
equivalent with checking if we are running on cgroup v2 and then
cg_get_path(). As we can assume we are running on cgroup v2, then the
check is not necessary anymore, thus we can replace
cg_get_path_and_check() with cg_get_path().
We have dropped cgroup v1 support in v258. Let's drop legacy code.
Then, we can drop 'controller' argument from cg_pid_get_path() and
cg_pidref_get_path().
musl neither support GLOB_ALTDIRFUNC nor GLOB_BRACE.
Let's make safe_glob() work even when GLOB_ALTDIRFUNC is not supported.
Currently, GLOB_BRACE is simply ignored when it is not supported.
We try to read again from the beginning, hence let's seek back.
Apparently efivarfs doesn't strictly require this, but it's really weird
that it doesn't.
writev() returns the full size, not just the payload size, hence always
add sizeof(attr) where necessary.
Let's also change a couple of "4" into sizeof(attr) all over the place,
to make clear what they are about.
Fixes: #39695
Follow-up for: 9db9d6806e
