projects / platform / upstream / systemd.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: 46a5859) | patch
core/load-fragment: refuse units with errors in certain directives
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Thu, 6 Jul 2017 17:28:19 +0000 (13:28 -0400)
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Tue, 11 Jul 2017 17:38:02 +0000 (13:38 -0400)
commitbb28e68477a3a39796e4999a6cbc6ac6345a9159
tree686b6db538c7104cf5bb8bbbeb7814c1eafb07c9tree | snapshot
parent46a58596731684ba511b04ee9e8f7a9af490fbc2commit | diff
core/load-fragment: refuse units with errors in certain directives

If an error is encountered in any of the Exec* lines, WorkingDirectory,
SELinuxContext, ApparmorProfile, SmackProcessLabel, Service (in .socket
units), User, or Group, refuse to load the unit. If the config stanza
has support, ignore the failure if '-' is present.

For those configuration directives, even if we started the unit, it's
pretty likely that it'll do something unexpected (like write files
in a wrong place, or with a wrong context, or run with wrong permissions,
etc). It seems better to refuse to start the unit and have the admin
clean up the configuration without giving the service a chance to mess
up stuff.

Note that all "security" options that restrict what the unit can do
(Capabilities, AmbientCapabilities, Restrict*, SystemCallFilter, Limit*,
PrivateDevices, Protect*, etc) are _not_ treated like this. Such options are
only supplementary, and are not always available depending on the architecture
and compilation options, so unit authors have to make sure that the service
runs correctly without them anyway.

Fixes #6237, #6277.
src/core/load-fragment.c diff | blob | history
src/test/test-unit-file.c diff | blob | history
Domain: System / System Framework;