projects
/
project
/
procd.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
service: initialize supplementary group ids
[project/procd.git]
/
service
/
instance.c
diff --git
a/service/instance.c
b/service/instance.c
index
bb766ea
..
917b003
100644
(file)
--- a/
service/instance.c
+++ b/
service/instance.c
@@
-17,6
+17,7
@@
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <sys/stat.h>
+#include <grp.h>
#include <net/if.h>
#include <unistd.h>
#include <stdint.h>
#include <net/if.h>
#include <unistd.h>
#include <stdint.h>
@@
-141,8
+142,6
@@
static const struct rlimit_name rlimit_names[] = {
{ NULL, 0 }
};
{ NULL, 0 }
};
-static char trace[] = "/sbin/utrace";
-
static void closefd(int fd)
{
if (fd > STDERR_FILENO)
static void closefd(int fd)
{
if (fd > STDERR_FILENO)
@@
-243,8
+242,7
@@
instance_removepid(struct service_instance *in) {
if (!in->pidfile)
return 0;
if (unlink(in->pidfile)) {
if (!in->pidfile)
return 0;
if (unlink(in->pidfile)) {
- ERROR("Failed to removed pidfile: %s: %d - %s\n",
- in->pidfile, errno, strerror(errno));
+ ERROR("Failed to removed pidfile: %s: %m\n", in->pidfile);
return 1;
}
return 0;
return 1;
}
return 0;
@@
-260,19
+258,16
@@
instance_writepid(struct service_instance *in)
}
_pidfile = fopen(in->pidfile, "w");
if (_pidfile == NULL) {
}
_pidfile = fopen(in->pidfile, "w");
if (_pidfile == NULL) {
- ERROR("failed to open pidfile for writing: %s: %d (%s)",
- in->pidfile, errno, strerror(errno));
+ ERROR("failed to open pidfile for writing: %s: %m", in->pidfile);
return 1;
}
if (fprintf(_pidfile, "%d\n", in->proc.pid) < 0) {
return 1;
}
if (fprintf(_pidfile, "%d\n", in->proc.pid) < 0) {
- ERROR("failed to write pidfile: %s: %d (%s)",
- in->pidfile, errno, strerror(errno));
+ ERROR("failed to write pidfile: %s: %m", in->pidfile);
fclose(_pidfile);
return 2;
}
if (fclose(_pidfile)) {
fclose(_pidfile);
return 2;
}
if (fclose(_pidfile)) {
- ERROR("failed to close pidfile: %s: %d (%s)",
- in->pidfile, errno, strerror(errno));
+ ERROR("failed to close pidfile: %s: %m", in->pidfile);
return 3;
}
return 3;
}
@@
-285,7
+280,6
@@
instance_run(struct service_instance *in, int _stdout, int _stderr)
struct blobmsg_list_node *var;
struct blob_attr *cur;
char **argv;
struct blobmsg_list_node *var;
struct blob_attr *cur;
char **argv;
- char *ld_preload;
int argc = 1; /* NULL terminated */
int rem, _stdin;
bool seccomp = !in->trace && !in->has_jail && in->seccomp;
int argc = 1; /* NULL terminated */
int rem, _stdin;
bool seccomp = !in->trace && !in->has_jail && in->seccomp;
@@
-303,23
+297,27
@@
instance_run(struct service_instance *in, int _stdout, int _stderr)
if (seccomp)
setenv("SECCOMP_FILE", in->seccomp, 1);
if (seccomp)
setenv("SECCOMP_FILE", in->seccomp, 1);
- if ((seccomp || setlbf) && asprintf(&ld_preload, "LD_PRELOAD=%s%s%s",
- seccomp ? "/lib/libpreload-seccomp.so" : "",
- seccomp && setlbf ? ":" : "",
- setlbf ? "/lib/libsetlbf.so" : "") > 0)
- putenv(ld_preload);
+ if (setlbf)
+ setenv("LD_PRELOAD", "/lib/libsetlbf.so", 1);
blobmsg_list_for_each(&in->limits, var)
instance_limits(blobmsg_name(var->data), blobmsg_data(var->data));
blobmsg_list_for_each(&in->limits, var)
instance_limits(blobmsg_name(var->data), blobmsg_data(var->data));
- if (in->trace)
+ if (in->trace
|| seccomp
)
argc += 1;
argv = alloca(sizeof(char *) * (argc + in->jail.argc));
argc = 0;
argc += 1;
argv = alloca(sizeof(char *) * (argc + in->jail.argc));
argc = 0;
+#ifdef SECCOMP_SUPPORT
if (in->trace)
if (in->trace)
- argv[argc++] = trace;
+ argv[argc++] = "/sbin/utrace";
+ else if (seccomp)
+ argv[argc++] = "/sbin/seccomp-trace";
+#else
+ if (in->trace || seccomp)
+ ULOG_WARN("Seccomp support for %s::%s not available\n", in->srv->name, in->name);
+#endif
if (in->has_jail)
argc = jail_run(in, argv);
if (in->has_jail)
argc = jail_run(in, argv);
@@
-350,12
+348,16
@@
instance_run(struct service_instance *in, int _stdout, int _stderr)
closefd(_stderr);
}
closefd(_stderr);
}
+ if (in->user && in->gid && initgroups(in->user, in->gid)) {
+ ERROR("failed to initgroups() for user %s: %m\n", in->user);
+ exit(127);
+ }
if (in->gid && setgid(in->gid)) {
if (in->gid && setgid(in->gid)) {
- ERROR("failed to set group id %d: %
d (%s)\n", in->gid, errno, strerror(errno)
);
+ ERROR("failed to set group id %d: %
m\n", in->gid
);
exit(127);
}
if (in->uid && setuid(in->uid)) {
exit(127);
}
if (in->uid && setuid(in->uid)) {
- ERROR("failed to set user id %d: %
d (%s)\n", in->uid, errno, strerror(errno)
);
+ ERROR("failed to set user id %d: %
m\n", in->uid
);
exit(127);
}
exit(127);
}
@@
-405,14
+407,14
@@
instance_start(struct service_instance *in)
instance_free_stdio(in);
if (in->_stdout.fd.fd > -2) {
if (pipe(opipe)) {
instance_free_stdio(in);
if (in->_stdout.fd.fd > -2) {
if (pipe(opipe)) {
- ULOG_WARN("pipe() failed: %
d (%s)\n", errno, strerror(errno)
);
+ ULOG_WARN("pipe() failed: %
m\n"
);
opipe[0] = opipe[1] = -1;
}
}
if (in->_stderr.fd.fd > -2) {
if (pipe(epipe)) {
opipe[0] = opipe[1] = -1;
}
}
if (in->_stderr.fd.fd > -2) {
if (pipe(epipe)) {
- ULOG_WARN("pipe() failed: %
d (%s)\n", errno, strerror(errno)
);
+ ULOG_WARN("pipe() failed: %
m\n"
);
epipe[0] = epipe[1] = -1;
}
}
epipe[0] = epipe[1] = -1;
}
}
@@
-590,6
+592,11
@@
instance_restart(struct service_instance *in)
uloop_timeout_set(&in->timeout, in->term_timeout * 1000);
}
uloop_timeout_set(&in->timeout, in->term_timeout * 1000);
}
+static bool string_changed(const char *a, const char *b)
+{
+ return !((!a && !b) || (a && b && !strcmp(a, b)));
+}
+
static bool
instance_config_changed(struct service_instance *in, struct service_instance *in_new)
{
static bool
instance_config_changed(struct service_instance *in, struct service_instance *in_new)
{
@@
-611,20
+618,23
@@
instance_config_changed(struct service_instance *in, struct service_instance *in
if (in->nice != in_new->nice)
return true;
if (in->nice != in_new->nice)
return true;
+ if (string_changed(in->user, in_new->user))
+ return true;
+
if (in->uid != in_new->uid)
return true;
if (in->gid != in_new->gid)
return true;
if (in->uid != in_new->uid)
return true;
if (in->gid != in_new->gid)
return true;
- if (in->pidfile && in_new->pidfile)
- if (strcmp(in->pidfile, in_new->pidfile))
- return true;
-
- if (in->pidfile && !in_new->pidfile)
+ if (string_changed(in->pidfile, in_new->pidfile))
return true;
return true;
- if (!in->pidfile && in_new->pidfile)
+ if (in->respawn_retry != in_new->respawn_retry)
+ return true;
+ if (in->respawn_threshold != in_new->respawn_threshold)
+ return true;
+ if (in->respawn_timeout != in_new->respawn_timeout)
return true;
if (!blobmsg_list_equal(&in->limits, &in_new->limits))
return true;
if (!blobmsg_list_equal(&in->limits, &in_new->limits))
@@
-860,8
+870,10
@@
instance_config_parse(struct service_instance *in)
}
if (tb[INSTANCE_ATTR_USER]) {
}
if (tb[INSTANCE_ATTR_USER]) {
- struct passwd *p = getpwnam(blobmsg_get_string(tb[INSTANCE_ATTR_USER]));
+ const char *user = blobmsg_get_string(tb[INSTANCE_ATTR_USER]);
+ struct passwd *p = getpwnam(user);
if (p) {
if (p) {
+ in->user = strdup(user);
in->uid = p->pw_uid;
in->gid = p->pw_gid;
}
in->uid = p->pw_uid;
in->gid = p->pw_gid;
}
@@
-873,15
+885,8
@@
instance_config_parse(struct service_instance *in)
if (tb[INSTANCE_ATTR_NO_NEW_PRIVS])
in->no_new_privs = blobmsg_get_bool(tb[INSTANCE_ATTR_NO_NEW_PRIVS]);
if (tb[INSTANCE_ATTR_NO_NEW_PRIVS])
in->no_new_privs = blobmsg_get_bool(tb[INSTANCE_ATTR_NO_NEW_PRIVS]);
- if (!in->trace && tb[INSTANCE_ATTR_SECCOMP]) {
- char *seccomp = blobmsg_get_string(tb[INSTANCE_ATTR_SECCOMP]);
- struct stat s;
-
- if (stat(seccomp, &s))
- ERROR("%s: not starting seccomp as %s is missing\n", in->name, seccomp);
- else
- in->seccomp = seccomp;
- }
+ if (!in->trace && tb[INSTANCE_ATTR_SECCOMP])
+ in->seccomp = blobmsg_get_string(tb[INSTANCE_ATTR_SECCOMP]);
if (tb[INSTANCE_ATTR_PIDFILE]) {
char *pidfile = blobmsg_get_string(tb[INSTANCE_ATTR_PIDFILE]);
if (tb[INSTANCE_ATTR_PIDFILE]) {
char *pidfile = blobmsg_get_string(tb[INSTANCE_ATTR_PIDFILE]);
@@
-947,7
+952,11
@@
instance_config_move(struct service_instance *in, struct service_instance *in_sr
in->trigger = in_src->trigger;
in->command = in_src->command;
in->pidfile = in_src->pidfile;
in->trigger = in_src->trigger;
in->command = in_src->command;
in->pidfile = in_src->pidfile;
+ in->respawn_retry = in_src->respawn_retry;
+ in->respawn_threshold = in_src->respawn_threshold;
+ in->respawn_timeout = in_src->respawn_timeout;
in->name = in_src->name;
in->name = in_src->name;
+ in->trace = in_src->trace;
in->node.avl.key = in_src->node.avl.key;
free(in->config);
in->node.avl.key = in_src->node.avl.key;
free(in->config);
@@
-983,6
+992,7
@@
instance_free(struct service_instance *in)
watch_del(in);
instance_config_cleanup(in);
free(in->config);
watch_del(in);
instance_config_cleanup(in);
free(in->config);
+ free(in->user);
free(in);
}
free(in);
}