From 71d0448c4431cd0845bc1f2b50caa44808adf964 Mon Sep 17 00:00:00 2001 From: wchang kim Date: Thu, 10 Nov 2016 07:10:39 +0900 Subject: [PATCH] Description : Fixing the mistakes of rebase. Change-Id: I1309509e17ce5a8f80e962344c6fd79c33725ecc Signed-off-by: Woochang Kim --- src/basic/cgroup-util.h | 2 + src/basic/time-util.c | 12 ------ src/core/mount-setup.c | 7 +-- src/core/service.c | 19 +++------ src/core/smack-setup.c | 94 +++-------------------------------------- src/core/socket.c | 27 ------------ src/login/logind-user.c | 2 +- units/systemd-logind.service.in | 1 - 8 files changed, 19 insertions(+), 145 deletions(-) diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h index 14ebde5..11f1d07 100644 --- a/src/basic/cgroup-util.h +++ b/src/basic/cgroup-util.h @@ -158,6 +158,8 @@ int cg_get_path_and_check(const char *controller, const char *path, const char * int cg_pid_get_path(const char *controller, pid_t pid, char **path); +int cg_check_cgroup_exist(const char *p); + int cg_trim(const char *controller, const char *path, bool delete_root); int cg_rmdir(const char *controller, const char *path); diff --git a/src/basic/time-util.c b/src/basic/time-util.c index 81a5314..24e681b 100644 --- a/src/basic/time-util.c +++ b/src/basic/time-util.c @@ -518,18 +518,6 @@ int timestamp_deserialize(const char *value, usec_t *timestamp) { return r; } -int timestamp_deserialize(const char *value, usec_t *timestamp) { - int r; - - assert(value); - - r = safe_atou64(value, timestamp); - if (r < 0) - return log_debug_errno(r, "Failed to parse timestamp value \"%s\": %m", value); - - return r; -} - int parse_timestamp(const char *t, usec_t *usec) { static const struct { const char *name; diff --git a/src/core/mount-setup.c b/src/core/mount-setup.c index a388923..e88b1df 100644 --- a/src/core/mount-setup.c +++ b/src/core/mount-setup.c 
@@ -91,9 +91,9 @@ static const MountPoint mount_table[] = { { "devpts", "/dev/pts", "devpts", "mode=620,gid=" STRINGIFY(TTY_GID), MS_NOSUID|MS_NOEXEC, NULL, MNT_IN_CONTAINER }, #ifdef HAVE_SMACK - { "tmpfs", "/run", "tmpfs", "mode=755,smackfstransmute=System::Run", MS_NOSUID|MS_NODEV|MS_STRICTATIME, + { "tmpfs", "/run", "tmpfs", "mode=755,smackfstransmute=System::Run", MS_NOSUID|MS_NODEV|MS_STRICTATIME, mac_smack_use, MNT_FATAL }, - { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, + { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755,smackfsroot=*", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, mac_smack_use, MNT_IN_CONTAINER }, #else { "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME, @@ -102,6 +102,7 @@ static const MountPoint mount_table[] = { cg_is_unified_wanted, MNT_FATAL|MNT_IN_CONTAINER }, { "tmpfs", "/sys/fs/cgroup", "tmpfs", "mode=755", MS_NOSUID|MS_NOEXEC|MS_NODEV|MS_STRICTATIME, cg_is_legacy_wanted, MNT_FATAL|MNT_IN_CONTAINER }, +#endif { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd,xattr", MS_NOSUID|MS_NOEXEC|MS_NODEV, cg_is_legacy_wanted, MNT_IN_CONTAINER }, { "cgroup", "/sys/fs/cgroup/systemd", "cgroup", "none,name=systemd", MS_NOSUID|MS_NOEXEC|MS_NODEV, @@ -323,7 +324,7 @@ int mount_cgroup_controllers(char ***join_controllers) { } else if (errno != EEXIST) return log_error_errno(errno, "Failed to create symlink %s: %m", t); - r = mac_smack_apply(t, "*"); + r = mac_smack_apply(t, SMACK_ATTR_ACCESS, "*"); if (r < 0) log_error_errno(r, "Failed to set SMACK label '%s': %m", t); diff --git a/src/core/service.c b/src/core/service.c index 27c94f3..bf10cc1 100644 --- a/src/core/service.c +++ b/src/core/service.c @@ -1176,7 +1176,6 @@ static int service_spawn( assert(c); assert(_pid); - /* TODO workaround code */ if (UNIT(s)->cgroup_realized) { _cleanup_free_ char *path = NULL; 
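Review bot: With the `#endif` added after the legacy `/sys/fs/cgroup` tmpfs entry in mount_table[], a HAVE_SMACK build compiles out every generic `/run` and `/sys/fs/cgroup` entry in the `#else` branch, so both mounts depend on `mac_smack_use` alone. If the binary is built with SMACK but the kernel has it disabled, nothing visible in these hunks mounts `/run` any more, and the SMACK variant of the cgroup tmpfs carries neither `MNT_FATAL` nor the `cg_is_legacy_wanted` condition. Assuming the mount loop skips paths that are already mounted (not visible here), the SMACK entries could sit in their own `#ifdef HAVE_SMACK` … `#endif` pair ahead of the unconditional ones, i.e. turn the existing `#else` into `#endif` and drop the added one. The table continues outside the hunks, so this needs confirming against the full file.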
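Review bot: Dropping `/* TODO workaround code */` leaves the `if (UNIT(s)->cgroup_realized)` block at the top of service_spawn() with no explanation of what it is for. If the workaround is meant to stay, a comment saying what it works around and when it can be removed would serve better than deleting the marker, e.g. `/* Workaround: <reason>; remove once <condition> */`. The block's body lies outside the hunk, so its exact behaviour cannot be judged from here.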
@@ -1189,7 +1188,11 @@ static int service_spawn( } } - unit_realize_cgroup(UNIT(s)); + (void) unit_realize_cgroup(UNIT(s)); + if (s->reset_cpu_usage) { + (void) unit_reset_cpu_usage(UNIT(s)); + s->reset_cpu_usage = false; + } r = unit_setup_exec_runtime(UNIT(s)); if (r < 0) @@ -2162,9 +2165,6 @@ static int service_serialize(Unit *u, FILE *f, FDSet *fds) { if (s->watchdog_override_enable) unit_serialize_item_format(u, f, "watchdog-override-usec", USEC_FMT, s->watchdog_override_usec); - if (s->watchdog_override_enable) - unit_serialize_item_format(u, f, "watchdog-override-usec", USEC_FMT, s->watchdog_override_usec); - return 0; } @@ -3099,15 +3099,6 @@ static void service_notify_message(Unit *u, pid_t pid, char **tags, FDSet *fds) service_reset_watchdog_timeout(s, watchdog_override_usec); } - e = strv_find_startswith(tags, "WATCHDOG_USEC="); - if (e) { - usec_t watchdog_override_usec; - if (safe_atou64(e, &watchdog_override_usec) < 0) - log_unit_warning(u->id, "Failed to parse WATCHDOG_USEC=%s", e); - else - service_reset_watchdog_timeout(s, watchdog_override_usec); - } - /* Notify clients about changed status or main pid */ if (notify_dbus) unit_add_to_dbus_queue(u); diff --git a/src/core/smack-setup.c b/src/core/smack-setup.c index 596dfb1..6022f54 100644 --- a/src/core/smack-setup.c +++ b/src/core/smack-setup.c @@ -280,11 +280,11 @@ static int write_netlabel_rules(const char* srcdir) { return -errno; /* negative error */ } - /* write rules to load2 or change-rule from every file in the directory */ + /* write rules to dst from every file in the directory */ dir = opendir(srcdir); if (!dir) { if (errno != ENOENT) - log_warning_errno(errno, "Failed to opendir '%s': %m", srcdir); + log_warning_errno(errno, "Failed to opendir %s: %m", srcdir); return errno; /* positive on purpose */ } 
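Review bot: Both `(void) unit_realize_cgroup(UNIT(s));` and `(void) unit_reset_cpu_usage(UNIT(s));` discard their results without a log line, so a service can be spawned after cgroup setup failed and nothing records it. That matters for containment: resource limits and process tracking that depend on the unit's cgroup would presumably not apply to that instance. If continuing is intended, keep it best-effort but log it, e.g. `r = unit_realize_cgroup(UNIT(s));` followed by `if (r < 0) log_warning_errno(r, "Failed to realize cgroup, continuing: %m");`. service_spawn() starts and ends outside the hunk.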
@@ -295,14 +295,11 @@ static int write_netlabel_rules(const char* srcdir) { int fd; _cleanup_fclose_ FILE *policy = NULL; - if (!dirent_is_file(entry)) - continue; - fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC); if (fd < 0) { if (r == 0) r = -errno; - log_warning_errno(errno, "Failed to open '%s': %m", entry->d_name); + log_warning_errno(errno, "Failed to open %s: %m", entry->d_name); continue; } 
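Review bot: Removing `if (!dirent_is_file(entry)) continue;` means the `openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC)` in this loop is now attempted on every directory entry that FOREACH_DIRENT yields, not only on regular files. A subdirectory ends in a logged read error, and a FIFO in the rules directory would make the open block, which in this early setup path could stall boot. Since the file contents are written into smackfs as policy, I would keep the filter: restore `if (!dirent_is_file(entry))` / `continue;` ahead of the `openat()`. The loop body continues in the next hunk.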
@@ -311,98 +308,21 @@ static int write_netlabel_rules(const char* srcdir) { if (r == 0) r = -errno; safe_close(fd); - log_error_errno(errno, "Failed to open '%s': %m", entry->d_name); + log_error_errno(errno, "Failed to open %s: %m", entry->d_name); continue; } /* load2 write rules in the kernel require a line buffered stream */ FOREACH_LINE(buf, policy, - log_error(errno, "Failed to read line from '%s': %m", + log_error_errno(errno, "Failed to read line from %s: %m", entry->d_name)) { - - _cleanup_free_ char *sbj = NULL, *obj = NULL, *acc1 = NULL, *acc2 = NULL; - - if (isempty(truncate_nl(buf))) - continue; - - /* if 3 args -> load rule : subject object access1 */ - /* if 4 args -> change rule : subject object access1 access2 */ - if (sscanf(buf, "%ms %ms %ms %ms", &sbj, &obj, &acc1, &acc2) < 3) { - log_error_errno(errno, "Failed to parse rule '%s' in '%s', ignoring.", buf, entry->d_name); - continue; - } - - if (write(isempty(acc2) ? load2_fd : change_fd, buf, strlen(buf)) < 0) { + if (!fputs(buf, dst)) { if (r == 0) r = -EINVAL; log_error_errno(errno, "Failed to write line to /sys/fs/smackfs/netlabel"); break; } - } - } - - return r; -} - -static int write_cipso2_rules(const char* srcdir) { - _cleanup_close_ int cipso2_fd = -1; - _cleanup_closedir_ DIR *dir = NULL; - struct dirent *entry; - char buf[NAME_MAX]; - int dfd = -1; - int r = 0; - - cipso2_fd = open("/sys/fs/smackfs/cipso2", O_RDWR|O_CLOEXEC|O_NONBLOCK|O_NOCTTY); - if (cipso2_fd < 0) { - if (errno != ENOENT) - log_warning_errno(errno, "Failed to open '/sys/fs/smackfs/cipso2': %m"); - return -errno; /* negative error */ - } - - /* write rules to cipso2 from every file in the directory */ - dir = opendir(srcdir); - if (!dir) { - if (errno != ENOENT) - log_warning_errno(errno, "Failed to opendir '%s': %m", srcdir); - return errno; /* positive on purpose */ - } - - dfd = dirfd(dir); - assert(dfd >= 0); - - FOREACH_DIRENT(entry, dir, return 0) { - int fd; - _cleanup_fclose_ FILE *policy = NULL; - - if 
(!dirent_is_file(entry)) - continue; - - fd = openat(dfd, entry->d_name, O_RDONLY|O_CLOEXEC); - if (fd < 0) { - if (r == 0) - r = -errno; - log_error_errno(errno, "Failed to open '%s': %m", entry->d_name); - continue; - } - - policy = fdopen(fd, "re"); - if (!policy) { - if (r == 0) - r = -errno; - safe_close(fd); - log_error_errno(errno, "Failed to open '%s': %m", entry->d_name); - continue; - } - - /* cipso2 write rules in the kernel require a line buffered stream */ - FOREACH_LINE(buf, policy, - log_error_errno(errno, "Failed to read line from '%s': %m", - entry->d_name)) { - - if (isempty(truncate_nl(buf))) - continue; - - if (write(cipso2_fd, buf, strlen(buf)) < 0) { + if (fflush(dst)) { if (r == 0) r = -errno; log_error_errno(errno, "Failed to flush writes to /sys/fs/smackfs/netlabel: %m"); diff --git a/src/core/socket.c b/src/core/socket.c index f6b93c6..5824e8d 100644 --- a/src/core/socket.c +++ b/src/core/socket.c @@ -1116,33 +1116,6 @@ static int usbffs_address_create(const char *path) { return r; } -static int ffs_address_create( - const char *path, - int *_fd) { - - _cleanup_close_ int fd = -1; - struct stat st; - - assert(path); - assert(_fd); - - fd = open(path, O_RDWR|O_CLOEXEC|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW); - if (fd < 0) - return -errno; - - if (fstat(fd, &st) < 0) - return -errno; - - /* Check whether this is a regular file (ffs endpoint)*/ - if (!S_ISREG(st.st_mode)) - return -EEXIST; - - *_fd = fd; - fd = -1; - - return 0; -} - static int mq_address_create( const char *path, mode_t mq_mode, diff --git a/src/login/logind-user.c b/src/login/logind-user.c index 348e396..d7af761 100644 --- a/src/login/logind-user.c +++ b/src/login/logind-user.c 
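Review bot: `if (!fputs(buf, dst))` does not detect a failed write: fputs() returns a non-negative value on success and EOF on failure, so the branch is taken only for a return of exactly 0 and never on error. A rule line that fails to reach `/sys/fs/smackfs/netlabel` is then at best reported by the following `fflush(dst)`, and the `r = -EINVAL` path is effectively dead code on libcs that return a positive value on success. Use `if (fputs(buf, dst) == EOF) {` and add `: %m` to the "Failed to write line" message, which passes errno but never prints it. The hunk starts inside the FOREACH_DIRENT loop and the function ends outside it.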
@@ -351,7 +351,7 @@ static int user_mkdir_runtime_path(User *u) { goto fail; } - r = mount("tmpfs", u->runtime_path, "tmpfs", MS_NODEV|MS_NOSUID, t); + r = mount("tmpfs", u->runtime_path, "tmpfs", MS_NODEV|MS_NOSUID|MS_NOEXEC, t); if (r < 0) { if (errno != EPERM) { r = log_error_errno(errno, "Failed to mount per-user tmpfs directory %s: %m", u->runtime_path); diff --git a/units/systemd-logind.service.in b/units/systemd-logind.service.in index e6cfeda..3ec499f 100644 --- a/units/systemd-logind.service.in +++ b/units/systemd-logind.service.in @@ -27,7 +27,6 @@ CapabilityBoundingSet=CAP_SYS_ADMIN CAP_MAC_ADMIN CAP_AUDIT_CONTROL CAP_CHOWN CA WatchdogSec=3min MemoryDenyWriteExecute=yes SystemCallFilter=~@clock @cpu-emulation @debug @keyring @module @obsolete @raw-io -WatchdogSec=1min SmackProcessLabel=System::Privileged # Increase the default a bit in order to allow many simultaneous -- 2.7.4
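Review bot: The added `MS_NOEXEC` is a behaviour change rather than a rebase fix, and neither the commit message nor the code says why the per-user runtime tmpfs must be non-executable. It also applies only when `mount()` succeeds; the `errno != EPERM` test right after it suggests an EPERM fallback (outside the hunk) that keeps using the directory without these flags, so the guarantee would not be uniform. A short comment above the call, e.g. `/* noexec: the per-user runtime directory holds sockets and state, not programs */`, plus a line in the commit description, would make the intent reviewable. user_mkdir_runtime_path() continues outside the hunk.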