packages/systemd
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
systemd/backport-core-allow-list-char-rtc-with-ProtectClock-yes-only-.patch
wangyuhang a4f95d3244 sync patch from systemd community 
(cherry picked from commit 88369f234ec01b60fb047caf87b90ef10a92b0db)
2023-10-10 10:04:24 +08:00

91 lines
4.7 KiB
Diff
Raw Blame History

From f6bba0b47e9038373627b7d2bfedac0b3e4f076e Mon Sep 17 00:00:00 2001
From: Luca Boccassi <bluca@debian.org>
Date: Thu, 20 Oct 2022 00:37:08 +0100
Subject: [PATCH] core: allow-list char-rtc with ProtectClock=yes only if
needed
Allow-listing a device implicitly blocks everything else, so this
has the opposite of the intended effect when PrivateDevices= is
not used.
Allow-list char-rtc only if there is a device policy set.
Fixes https://github.com/systemd/systemd/issues/18142
(cherry picked from commit 63857bf4f7a5dd48a2b971d9bae2c06cc829b630)
Conflict:delete modifications related to the ExecLoadCredential structure
Reference:https://github.com/systemd/systemd-stable/commit/f6bba0b47e9038373627b7d2bfedac0b3e4f076e
---
src/core/unit.c | 64 +++++++++++++++++++++++++------------------------
1 file changed, 33 insertions(+), 31 deletions(-)
diff --git a/src/core/unit.c b/src/core/unit.c
index ffac4ac719..fe509d400d 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -4134,36 +4134,39 @@ int unit_patch_contexts(Unit *u) {
cc->device_policy == CGROUP_DEVICE_POLICY_AUTO)
cc->device_policy = CGROUP_DEVICE_POLICY_CLOSED;
- if ((ec->root_image || !LIST_IS_EMPTY(ec->mount_images)) &&
- (cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow)) {
+ /* Only add these if needed, as they imply that everything else is blocked. */
+ if (cc->device_policy != CGROUP_DEVICE_POLICY_AUTO || cc->device_allow) {
+ if (ec->root_image || !LIST_IS_EMPTY(ec->mount_images)) {
- const char *p;
+ const char *p;
+
+ /* When RootImage= or MountImages= is specified, the following devices are touched. */
+ FOREACH_STRING(p, "/dev/loop-control", "/dev/mapper/control") {
+ r = cgroup_add_device_allow(cc, p, "rw");
+ if (r < 0)
+ return r;
+ }
+ FOREACH_STRING(p, "block-loop", "block-blkext", "block-device-mapper") {
+ r = cgroup_add_device_allow(cc, p, "rwm");
+ if (r < 0)
+ return r;
+ }
- /* When RootImage= or MountImages= is specified, the following devices are touched. */
- FOREACH_STRING(p, "/dev/loop-control", "/dev/mapper/control") {
- r = cgroup_add_device_allow(cc, p, "rw");
- if (r < 0)
- return r;
- }
- FOREACH_STRING(p, "block-loop", "block-blkext", "block-device-mapper") {
- r = cgroup_add_device_allow(cc, p, "rwm");
- if (r < 0)
- return r;
+ /* Make sure "block-loop" can be resolved, i.e. make sure "loop" shows up in /proc/devices.
+ * Same for mapper and verity. */
+ FOREACH_STRING(p, "modprobe@loop.service", "modprobe@dm_mod.service", "modprobe@dm_verity.service") {
+ r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, p, true, UNIT_DEPENDENCY_FILE);
+ if (r < 0)
+ return r;
+ }
}
- /* Make sure "block-loop" can be resolved, i.e. make sure "loop" shows up in /proc/devices.
- * Same for mapper and verity. */
- FOREACH_STRING(p, "modprobe@loop.service", "modprobe@dm_mod.service", "modprobe@dm_verity.service") {
- r = unit_add_two_dependencies_by_name(u, UNIT_AFTER, UNIT_WANTS, p, true, UNIT_DEPENDENCY_FILE);
+ if (ec->protect_clock) {
+ r = cgroup_add_device_allow(cc, "char-rtc", "r");
if (r < 0)
return r;
}
- }
- if (ec->protect_clock) {
- r = cgroup_add_device_allow(cc, "char-rtc", "r");
- if (r < 0)
- return r;
}
}
return 0;
--
2.33.0
Reference in New Issue View Git Blame Copy Permalink