From 60ef4baeedc34b5c7ab0e2f211684f9b96d63f82 Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Thu, 23 Nov 2023 19:08:22 +0000
Subject: [PATCH 1/3] core: pass bpf_outer_map_fd to sd-executor only if
 RestrictFileSystems was set
Passing it unconditionally causes SELinux denials to be raised, so restrict it to where it is needed
Follow-up for beb4ae87558cae
---
 src/core/execute-serialize.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/src/core/execute-serialize.c b/src/core/execute-serialize.c
index 342883994a..60c121a0d1 100644
--- a/src/core/execute-serialize.c
+++ b/src/core/execute-serialize.c
@@ -1244,7 +1244,7 @@ static bool exec_parameters_is_idle_pipe_set(const ExecParameters *p) {
                 p->idle_pipe[3] >= 0;
 }
 
-static int exec_parameters_serialize(const ExecParameters *p, FILE *f, FDSet *fds) {
+static int exec_parameters_serialize(const ExecParameters *p, const ExecContext *c, FILE *f, FDSet *fds) {
         int r;
 
         assert(f);
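Review bot: The new `c` parameter has no documented contract at the signature: `f` is asserted right below, but `c` is not, and the second hunk of this patch tests `c &&` before using it, so `c` is evidently allowed to be NULL. That is worth stating where the parameter is introduced, since a NULL context changes what gets serialized. I would add above the function: `/* 'c' may be NULL; without a context the RestrictFileSystems= state is unknown and the BPF outer map fd is not serialized. */`. The body of exec_parameters_serialize continues outside this hunk.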
@@ -1375,7 +1375,7 @@ static int exec_parameters_serialize(const ExecParameters *p, FILE *f, FDSet *fd
                         return r;
         }
 
-        if (p->bpf_outer_map_fd >= 0) {
+        if (c && exec_context_restrict_filesystems_set(c) && p->bpf_outer_map_fd >= 0) {
                 r = serialize_fd(f, fds, "exec-parameters-bpf-outer-map-fd", p->bpf_outer_map_fd);
                 if (r < 0)
                         return r;
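Review bot: With `c == NULL` the new condition on the changed `if` line silently drops the BPF outer map fd from the serialized state, even when the fd is valid and the unit may in fact have RestrictFileSystems= configured, and nothing here logs or fails in that case. The only caller visible in this patch (`exec_serialize_invocation`) always passes `ctx`, so if the context is genuinely mandatory the safer shape is to make its absence a programming error rather than a quiet downgrade: `assert(c);` near the top of the function and `if (exec_context_restrict_filesystems_set(c) && p->bpf_outer_map_fd >= 0) {` here. Whether the deserializing side copes with the key being absent (presumably leaving `bpf_outer_map_fd` at its negative default) is not visible in this patch and should be confirmed. A short why-comment would also help future readers, e.g. `/* Only hand the BPF map fd to sd-executor when RestrictFileSystems= is in use: passing it unconditionally triggers SELinux denials. */`. The enclosing function starts and ends outside this hunk.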
@@ -3860,7 +3860,7 @@ int exec_serialize_invocation(
         if (r < 0)
                 return log_debug_errno(r, "Failed to serialize command: %m");
 
-        r = exec_parameters_serialize(p, f, fds);
+        r = exec_parameters_serialize(p, ctx, f, fds);
         if (r < 0)
                 return log_debug_errno(r, "Failed to serialize parameters: %m");
 
-- 
2.43.0