Commit b9240ff5 authored by Dimitri John Ledkov's avatar Dimitri John Ledkov Committed by Simon McVittie

Import Debian changes 237-3ubuntu6

systemd (237-3ubuntu6) bionic; urgency=medium

  * Adjust the new dropin test, for v237 systemd.
  * Refresh the keyring patch, to the one merged.
parent b3308cbf
systemd (237-3ubuntu6) bionic; urgency=medium
* Adjust the new dropin test, for v237 systemd.
* Refresh the keyring patch, to the one merged.
-- Dimitri John Ledkov <xnox@ubuntu.com> Tue, 27 Mar 2018 13:40:09 +0100
systemd (237-3ubuntu5) bionic; urgency=medium
* Drop old keyring/invocation_id patch, which made keyring setup be skipped in containers.
......
......@@ -19,17 +19,19 @@ which now works in LXD containers as well as on the host.
Fixes: https://github.com/systemd/systemd/issues/7655
---
src/core/execute.c | 95 ++++++++++++++++++++++++++----------------------------
1 file changed, 46 insertions(+), 49 deletions(-)
src/core/execute.c | 117 +++++++++++++++++++++++++++--------------------------
1 file changed, 59 insertions(+), 58 deletions(-)
diff --git a/src/core/execute.c b/src/core/execute.c
index 0b5aa53..75fd8c9 100644
index 0b5aa53..2919bc1 100644
--- a/src/core/execute.c
+++ b/src/core/execute.c
@@ -2444,6 +2444,8 @@ static int setup_keyring(
@@ -2443,7 +2443,9 @@ static int setup_keyring(
uid_t uid, gid_t gid) {
key_serial_t keyring;
int r;
- int r;
+ int r = 0;
+ uid_t saved_uid;
+ gid_t saved_gid;
......@@ -54,47 +56,84 @@ index 0b5aa53..75fd8c9 100644
+
+ if (uid_is_valid(uid) && uid != saved_uid) {
+ if (setreuid(uid, -1) < 0) {
+ (void) setregid(saved_gid, -1);
+ return log_unit_error_errno(u, errno, "Failed to change UID for user keyring: %m");
+ r = log_unit_error_errno(u, errno, "Failed to change UID for user keyring: %m");
+ goto out;
+ }
+ }
+
keyring = keyctl(KEYCTL_JOIN_SESSION_KEYRING, 0, 0, 0, 0);
if (keyring == -1) {
if (errno == ENOSYS)
@@ -2476,49 +2498,8 @@ static int setup_keyring(
return 0;
@@ -2471,12 +2493,36 @@ static int setup_keyring(
else if (errno == EDQUOT)
log_unit_debug_errno(u, errno, "Out of kernel keyrings to allocate, ignoring.");
else
- return log_unit_error_errno(u, errno, "Setting up kernel keyring failed: %m");
+ r = log_unit_error_errno(u, errno, "Setting up kernel keyring failed: %m");
- return 0;
+ goto out;
}
- /* Populate they keyring with the invocation ID by default. */
- if (!sd_id128_is_null(u->invocation_id)) {
- key_serial_t key;
-
- key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
- if (key == -1)
- log_unit_debug_errno(u, errno, "Failed to add invocation ID to keyring, ignoring: %m");
- else {
- if (keyctl(KEYCTL_SETPERM, key,
- KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
- KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
+ /* When requested link the user keyring into the session keyring. */
+ if (context->keyring_mode == EXEC_KEYRING_SHARED) {
+
+ if (keyctl(KEYCTL_LINK,
+ KEY_SPEC_USER_KEYRING,
+ KEY_SPEC_SESSION_KEYRING, 0, 0) < 0) {
+ r = log_unit_error_errno(u, errno, "Failed to link user keyring into session keyring: %m");
+ goto out;
+ }
+ }
+
+ /* Restore uid/gid back */
+ if (uid_is_valid(uid) && uid != saved_uid) {
+ if (setreuid(saved_uid, -1) < 0) {
+ r = log_unit_error_errno(u, errno, "Failed to change UID back for user keyring: %m");
+ goto out;
+ }
+ }
+
+ if (gid_is_valid(gid) && gid != saved_gid) {
+ if (setregid(saved_gid, -1) < 0)
+ return log_unit_error_errno(u, errno, "Failed to change GID back for user keyring: %m");
+ }
+
+ /* Populate they keyring with the invocation ID by default, as original saved_uid. */
if (!sd_id128_is_null(u->invocation_id)) {
key_serial_t key;
@@ -2487,65 +2533,20 @@ static int setup_keyring(
if (keyctl(KEYCTL_SETPERM, key,
KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
- return log_unit_error_errno(u, errno, "Failed to restrict invocation ID permission: %m");
- }
- }
-
+ r = log_unit_error_errno(u, errno, "Failed to restrict invocation ID permission: %m");
}
}
- /* And now, make the keyring owned by the service's user */
- if (uid_is_valid(uid) || gid_is_valid(gid))
- if (keyctl(KEYCTL_CHOWN, keyring, uid, gid, 0) < 0)
- return log_unit_error_errno(u, errno, "Failed to change ownership of session keyring: %m");
-
/* When requested link the user keyring into the session keyring. */
if (context->keyring_mode == EXEC_KEYRING_SHARED) {
- /* When requested link the user keyring into the session keyring. */
- if (context->keyring_mode == EXEC_KEYRING_SHARED) {
- uid_t saved_uid;
- gid_t saved_gid;
-
+out:
+ /* Revert back uid & gid for the the last time, and exit */
+ /* no extra logging, as only the first already reported error matters */
+ if (getuid() != saved_uid)
+ (void) setreuid(saved_uid, -1);
- /* Acquiring a reference to the user keyring is nasty. We briefly change identity in order to get things
- * set up properly by the kernel. If we don't do that then we can't create it atomically, and that
- * sucks for parallel execution. This mimics what pam_keyinit does, too.*/
-
+ if (getgid() != saved_gid)
+ (void) setregid(saved_gid, -1);
- saved_uid = getuid();
- saved_gid = getgid();
-
......@@ -109,48 +148,34 @@ index 0b5aa53..75fd8c9 100644
- return log_unit_error_errno(u, errno, "Failed to change UID for user keyring: %m");
- }
- }
if (keyctl(KEYCTL_LINK,
KEY_SPEC_USER_KEYRING,
@@ -2531,17 +2512,33 @@ static int setup_keyring(
return log_unit_error_errno(u, r, "Failed to link user keyring into session keyring: %m");
}
+ }
-
- if (keyctl(KEYCTL_LINK,
- KEY_SPEC_USER_KEYRING,
- KEY_SPEC_SESSION_KEYRING, 0, 0) < 0) {
-
- r = -errno;
-
- (void) setreuid(saved_uid, -1);
- (void) setregid(saved_gid, -1);
-
- return log_unit_error_errno(u, r, "Failed to link user keyring into session keyring: %m");
- }
-
- if (uid_is_valid(uid) && uid != saved_uid) {
- if (setreuid(saved_uid, -1) < 0) {
- (void) setregid(saved_gid, -1);
- return log_unit_error_errno(u, errno, "Failed to change UID back for user keyring: %m");
- }
+ /* Restore uid/gid back */
+ if (uid_is_valid(uid) && uid != saved_uid) {
+ if (setreuid(saved_uid, -1) < 0) {
+ (void) setregid(saved_gid, -1);
+ return log_unit_error_errno(u, errno, "Failed to change UID back for user keyring: %m");
}
+ }
+
+ if (gid_is_valid(gid) && gid != saved_gid) {
+ if (setregid(saved_gid, -1) < 0)
+ return log_unit_error_errno(u, errno, "Failed to change GID back for user keyring: %m");
+ }
- }
-
- if (gid_is_valid(gid) && gid != saved_gid) {
- if (setregid(saved_gid, -1) < 0)
- return log_unit_error_errno(u, errno, "Failed to change GID back for user keyring: %m");
+ /* Populate they keyring with the invocation ID by default, as original saved_uid. */
+ if (!sd_id128_is_null(u->invocation_id)) {
+ key_serial_t key;
+
+ key = add_key("user", "invocation_id", &u->invocation_id, sizeof(u->invocation_id), KEY_SPEC_SESSION_KEYRING);
+ if (key == -1)
+ log_unit_debug_errno(u, errno, "Failed to add invocation ID to keyring, ignoring: %m");
+ else {
+ if (keyctl(KEYCTL_SETPERM, key,
+ KEY_POS_VIEW|KEY_POS_READ|KEY_POS_SEARCH|
+ KEY_USR_VIEW|KEY_USR_READ|KEY_USR_SEARCH, 0, 0) < 0)
+ return log_unit_error_errno(u, errno, "Failed to restrict invocation ID permission: %m");
}
}
- }
- }
-
- return 0;
+ return r;
}
static void append_socket_pair(int *array, unsigned *n, int pair[2]) {
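Review bot: In the refreshed patch the GID-restore failure branch (`if (gid_is_valid(gid) && gid != saved_gid)` right after the UID restore) still exits with a bare `return log_unit_error_errno(...)`, while every other failure in the same function now records the error in `r` and jumps to `out:`. Functionally the difference is nil here, since the preceding block has already restored the real UID and the `out:` block would only retry the same failed `setregid()`, but a function that deliberately switches identity around `keyctl()` is much easier to audit when every exit goes through the single restore path. The consistent form would be `r = log_unit_error_errno(u, errno, "Failed to change GID back for user keyring: %m"); goto out;`; because this patch mirrors what was merged upstream, that change belongs upstream first rather than as a Debian-local deviation. The new `Populate` comment also repeats the old typo `they keyring` where `the keyring` is meant. setup_keyring begins before the first hunk, and the hunk ends at the start of append_socket_pair.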
......@@ -8,7 +8,7 @@ Subject: test: masked unit with drop-ins
1 file changed, 10 insertions(+)
diff --git a/test/TEST-15-DROPIN/test-dropin.sh b/test/TEST-15-DROPIN/test-dropin.sh
index 9d8af99..ab0a58c 100755
index 9d8af99..3819cad 100755
--- a/test/TEST-15-DROPIN/test-dropin.sh
+++ b/test/TEST-15-DROPIN/test-dropin.sh
@@ -179,6 +179,16 @@ test_masked_dropins () {
......@@ -23,7 +23,7 @@ index 9d8af99..ab0a58c 100755
+[Unit]
+After=b.service
+EOF
+ check_ok a UnitFileState masked
+ [ `systemctl is-enabled a` = "masked" ]
+
# 'b1' is an alias for 'b': masking 'b' dep should not influence 'b1' dep
echo "*** test a wants b, b1, and one is masked"
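Review bot: The added assertion `[ `systemctl is-enabled a` = "masked" ]` leaves the command substitution unquoted, so if `systemctl is-enabled` prints nothing or more than one word the `[` expression becomes malformed and the test dies with a syntax error instead of a clear mismatch. Quoting the substitution and using the modern form reads better and fails cleanly: `[ "$(systemctl is-enabled a)" = "masked" ]`. The enclosing `test_masked_dropins` function starts before this hunk.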
......