rpms/systemd
3
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Temporarily drop call to varlink method to avoid SELinux denial

Browse source 
There were a bunch of other commits incl. bugfixes that mean that it'd
make sense to update to the latest snapshot, but I chose not to do that to
avoid introducing new issues. We'll get -rc2 soon enough anyway.
This commit is contained in:
Zbigniew Jędrzejewski-Szmek 2024-05-11 13:28:34 +02:00
commit a2d3bbf3d2
2 changed files with 431 additions and 0 deletions
Download patch file Download diff file Expand all files Collapse all files

426
0001-Revert-machined-add-varlink-interface-for-registerin.patch Normal file
View file

@ -0,0 +1,426 @@
From a915f0937e7cf8cc7968a4cfb4a8880480a657a6 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= <zbyszek@in.waw.pl>
Date: Sat, 11 May 2024 13:27:12 +0200
Subject: [PATCH] Revert "machined: add varlink interface for registering
machines"
This reverts commit 5b44c81ff868a4d1b78a74e4770f7a8b2f1d0f91.
---
man/systemd-machined.service.xml | 6 +-
src/machine/machine-varlink.c | 171 ------------------------
src/machine/machine-varlink.h | 6 -
src/machine/machined-varlink.c | 62 +--------
src/machine/machined.c | 5 +-
src/machine/machined.h | 3 +-
src/machine/meson.build | 1 -
src/shared/meson.build | 1 -
src/shared/varlink-io.systemd.Machine.c | 22 ---
src/shared/varlink-io.systemd.Machine.h | 6 -
10 files changed, 8 insertions(+), 275 deletions(-)
delete mode 100644 src/machine/machine-varlink.c
delete mode 100644 src/machine/machine-varlink.h
delete mode 100644 src/shared/varlink-io.systemd.Machine.c
delete mode 100644 src/shared/varlink-io.systemd.Machine.h
diff --git a/man/systemd-machined.service.xml b/man/systemd-machined.service.xml
index b2899ff0fd..f3d7755973 100644
--- a/man/systemd-machined.service.xml
+++ b/man/systemd-machined.service.xml
@@ -100,12 +100,10 @@
<para>The daemon provides both a C library interface
(which is shared with <citerefentry><refentrytitle>systemd-logind.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>)
- as well as a D-Bus interface and a Varlink interface.
+ as well as a D-Bus interface.
The library interface may be used to introspect and watch the state of virtual machines/containers.
The bus interface provides the same but in addition may also be used to register or terminate
- machines. The Varlink interface may be used to register machines with optional extensions, e.g. with an
- SSH key / address; it can be queried with
- <command>varlinkctl introspect /run/systemd/machine/io.systemd.Machine io.systemd.Machine</command>.
+ machines.
For more information please consult
<citerefentry><refentrytitle>sd-login</refentrytitle><manvolnum>3</manvolnum></citerefentry>
and
diff --git a/src/machine/machine-varlink.c b/src/machine/machine-varlink.c
deleted file mode 100644
index 377b3d3f0e..0000000000
--- a/src/machine/machine-varlink.c
+++ /dev/null
@@ -1,171 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-
-#include <limits.h>
-
-#include "sd-id128.h"
-
-#include "hostname-util.h"
-#include "json.h"
-#include "machine-varlink.h"
-#include "machine.h"
-#include "path-util.h"
-#include "pidref.h"
-#include "process-util.h"
-#include "socket-util.h"
-#include "string-util.h"
-#include "varlink.h"
-
-static JSON_DISPATCH_ENUM_DEFINE(dispatch_machine_class, MachineClass, machine_class_from_string);
-
-static int machine_name(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata) {
- char **m = ASSERT_PTR(userdata);
- const char *hostname;
- int r;
-
- assert(variant);
-
- if (!json_variant_is_string(variant))
- return json_log(variant, flags, SYNTHETIC_ERRNO(EINVAL), "JSON field '%s' is not a string.", strna(name));
-
- hostname = json_variant_string(variant);
- if (!hostname_is_valid(hostname, /* flags= */ 0))
- return json_log(variant, flags, SYNTHETIC_ERRNO(EINVAL), "Invalid machine name");
-
- r = free_and_strdup(m, hostname);
- if (r < 0)
- return json_log_oom(variant, flags);
-
- return 0;
-}
-
-static int machine_leader(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata) {
- PidRef *leader = ASSERT_PTR(userdata);
- _cleanup_(pidref_done) PidRef temp = PIDREF_NULL;
- uint64_t k;
- int r;
-
- if (!json_variant_is_unsigned(variant))
- return json_log(variant, flags, SYNTHETIC_ERRNO(EINVAL), "JSON field '%s' is not an integer.", strna(name));
-
- k = json_variant_unsigned(variant);
- if (k > PID_T_MAX || !pid_is_valid(k))
- return json_log(variant, flags, SYNTHETIC_ERRNO(EINVAL), "JSON field '%s' is not a valid PID.", strna(name));
-
- if (k == 1)
- return json_log(variant, flags, SYNTHETIC_ERRNO(EINVAL), "JSON field '%s' is not a valid leader PID.", strna(name));
-
- r = pidref_set_pid(&temp, k);
- if (r < 0)
- return json_log(variant, flags, r, "Failed to pin process " PID_FMT ": %m", leader->pid);
-
- pidref_done(leader);
-
- *leader = TAKE_PIDREF(temp);
-
- return 0;
-}
-
-static int machine_ifindices(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata) {
- Machine *m = ASSERT_PTR(userdata);
- _cleanup_free_ int *netif = NULL;
- size_t n_netif, k = 0;
-
- assert(variant);
-
- if (!json_variant_is_array(variant))
- return json_log(variant, flags, SYNTHETIC_ERRNO(EINVAL), "JSON field '%s' is not an array.", strna(name));
-
- n_netif = json_variant_elements(variant);
-
- netif = new(int, n_netif);
- if (!netif)
- return json_log_oom(variant, flags);
-
- JsonVariant *i;
- JSON_VARIANT_ARRAY_FOREACH(i, variant) {
- uint64_t b;
-
- if (!json_variant_is_unsigned(i))
- return json_log(variant, flags, SYNTHETIC_ERRNO(EINVAL), "Element %zu of JSON field '%s' is not an unsigned integer.", k, strna(name));
-
- b = json_variant_unsigned(i);
- if (b > INT_MAX || b <= 0)
- return json_log(variant, flags, SYNTHETIC_ERRNO(EINVAL), "Invalid network interface index %"PRIu64, b);
-
- netif[k++] = (int) b;
- }
- assert(k == n_netif);
-
- free_and_replace(m->netif, netif);
- m->n_netif = n_netif;
-
- return 0;
-}
-
-static int machine_cid(const char *name, JsonVariant *variant, JsonDispatchFlags flags, void *userdata) {
- unsigned cid, *c = ASSERT_PTR(userdata);
-
- assert(variant);
-
- if (!json_variant_is_unsigned(variant))
- return json_log(variant, flags, SYNTHETIC_ERRNO(EINVAL), "JSON field '%s' is not a string.", strna(name));
-
- cid = json_variant_unsigned(variant);
- if (!VSOCK_CID_IS_REGULAR(cid))
- return json_log(variant, flags, SYNTHETIC_ERRNO(EINVAL), "JSON field '%s' is not a regular VSOCK CID.", strna(name));
-
- *c = cid;
-
- return 0;
-}
-
-int vl_method_register(Varlink *link, JsonVariant *parameters, VarlinkMethodFlags flags, void *userdata) {
- Manager *manager = ASSERT_PTR(userdata);
- _cleanup_(machine_freep) Machine *machine = NULL;
- int r;
-
- static const JsonDispatch dispatch_table[] = {
- { "name", JSON_VARIANT_STRING, machine_name, offsetof(Machine, name), JSON_MANDATORY },
- { "id", JSON_VARIANT_STRING, json_dispatch_id128, offsetof(Machine, id), 0 },
- { "service", JSON_VARIANT_STRING, json_dispatch_string, offsetof(Machine, service), 0 },
- { "class", JSON_VARIANT_STRING, dispatch_machine_class, offsetof(Machine, class), JSON_MANDATORY },
- { "leader", JSON_VARIANT_UNSIGNED, machine_leader, offsetof(Machine, leader), 0 },
- { "rootDirectory", JSON_VARIANT_STRING, json_dispatch_absolute_path, offsetof(Machine, root_directory), 0 },
- { "ifIndices", JSON_VARIANT_ARRAY, machine_ifindices, 0, 0 },
- { "vsockCid", JSON_VARIANT_UNSIGNED, machine_cid, offsetof(Machine, vsock_cid), 0 },
- { "sshAddress", JSON_VARIANT_STRING, json_dispatch_string, offsetof(Machine, ssh_address), JSON_SAFE },
- { "sshPrivateKeyPath", JSON_VARIANT_STRING, json_dispatch_absolute_path, offsetof(Machine, ssh_private_key_path), 0 },
- {}
- };
-
- r = machine_new(_MACHINE_CLASS_INVALID, NULL, &machine);
- if (r < 0)
- return r;
-
- r = varlink_dispatch(link, parameters, dispatch_table, machine);
- if (r != 0)
- return r;
-
- if (!pidref_is_set(&machine->leader)) {
- r = varlink_get_peer_pidref(link, &machine->leader);
- if (r < 0)
- return r;
- }
-
- r = machine_link(manager, machine);
- if (r < 0)
- return r;
-
- r = cg_pidref_get_unit(&machine->leader, &machine->unit);
- if (r < 0)
- return r;
-
- r = machine_start(machine, NULL, NULL);
- if (r < 0)
- return r;
-
- /* the manager will free this machine */
- TAKE_PTR(machine);
-
- return varlink_reply(link, NULL);
-}
diff --git a/src/machine/machine-varlink.h b/src/machine/machine-varlink.h
deleted file mode 100644
index ce4ec54dc1..0000000000
--- a/src/machine/machine-varlink.h
+++ /dev/null
@@ -1,6 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-#pragma once
-
-#include "varlink.h"
-
-int vl_method_register(Varlink *link, JsonVariant *parameters, VarlinkMethodFlags flags, void *userdata);
diff --git a/src/machine/machined-varlink.c b/src/machine/machined-varlink.c
index 0d3ae627c1..6ca98e27cf 100644
--- a/src/machine/machined-varlink.c
+++ b/src/machine/machined-varlink.c
@@ -1,12 +1,10 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "format-util.h"
-#include "machine-varlink.h"
#include "machined-varlink.h"
#include "mkdir.h"
#include "user-util.h"
#include "varlink.h"
-#include "varlink-io.systemd.Machine.h"
#include "varlink-io.systemd.UserDatabase.h"
typedef struct LookupParameters {
@@ -380,13 +378,13 @@ static int vl_method_get_memberships(Varlink *link, JsonVariant *parameters, Var
return varlink_error(link, "io.systemd.UserDatabase.NoRecordFound", NULL);
}
-static int manager_varlink_init_userdb(Manager *m) {
+int manager_varlink_init(Manager *m) {
_cleanup_(varlink_server_unrefp) VarlinkServer *s = NULL;
int r;
assert(m);
- if (m->varlink_userdb_server)
+ if (m->varlink_server)
return 0;
r = varlink_server_new(&s, VARLINK_SERVER_ACCOUNT_UID|VARLINK_SERVER_INHERIT_USERDATA);
@@ -417,64 +415,12 @@ static int manager_varlink_init_userdb(Manager *m) {
if (r < 0)
return log_error_errno(r, "Failed to attach varlink connection to event loop: %m");
- m->varlink_userdb_server = TAKE_PTR(s);
- return 0;
-}
-
-static int manager_varlink_init_machine(Manager *m) {
- _cleanup_(varlink_server_unrefp) VarlinkServer *s = NULL;
- int r;
-
- assert(m);
-
- if (m->varlink_machine_server)
- return 0;
-
- r = varlink_server_new(&s, VARLINK_SERVER_ROOT_ONLY|VARLINK_SERVER_INHERIT_USERDATA);
- if (r < 0)
- return log_error_errno(r, "Failed to allocate varlink server object: %m");
-
- varlink_server_set_userdata(s, m);
-
- r = varlink_server_add_interface(s, &vl_interface_io_systemd_Machine);
- if (r < 0)
- return log_error_errno(r, "Failed to add UserDatabase interface to varlink server: %m");
-
- r = varlink_server_bind_method(s, "io.systemd.Machine.Register", vl_method_register);
- if (r < 0)
- return log_error_errno(r, "Failed to register varlink methods: %m");
-
- (void) mkdir_p("/run/systemd/machine", 0755);
-
- r = varlink_server_listen_address(s, "/run/systemd/machine/io.systemd.Machine", 0666);
- if (r < 0)
- return log_error_errno(r, "Failed to bind to varlink socket: %m");
-
- r = varlink_server_attach_event(s, m->event, SD_EVENT_PRIORITY_NORMAL);
- if (r < 0)
- return log_error_errno(r, "Failed to attach varlink connection to event loop: %m");
-
- m->varlink_machine_server = TAKE_PTR(s);
- return 0;
-}
-
-int manager_varlink_init(Manager *m) {
- int r;
-
- r = manager_varlink_init_userdb(m);
- if (r < 0)
- return r;
-
- r = manager_varlink_init_machine(m);
- if (r < 0)
- return r;
-
+ m->varlink_server = TAKE_PTR(s);
return 0;
}
void manager_varlink_done(Manager *m) {
assert(m);
- m->varlink_userdb_server = varlink_server_unref(m->varlink_userdb_server);
- m->varlink_machine_server = varlink_server_unref(m->varlink_machine_server);
+ m->varlink_server = varlink_server_unref(m->varlink_server);
}
diff --git a/src/machine/machined.c b/src/machine/machined.c
index d7087e4672..2638ed572e 100644
--- a/src/machine/machined.c
+++ b/src/machine/machined.c
@@ -316,10 +316,7 @@ static bool check_idle(void *userdata) {
if (m->operations)
return false;
- if (varlink_server_current_connections(m->varlink_userdb_server) > 0)
- return false;
-
- if (varlink_server_current_connections(m->varlink_machine_server) > 0)
+ if (varlink_server_current_connections(m->varlink_server) > 0)
return false;
manager_gc(m, true);
diff --git a/src/machine/machined.h b/src/machine/machined.h
index 67abed0fd6..280c32bab6 100644
--- a/src/machine/machined.h
+++ b/src/machine/machined.h
@@ -40,8 +40,7 @@ struct Manager {
sd_event_source *nscd_cache_flush_event;
#endif
- VarlinkServer *varlink_userdb_server;
- VarlinkServer *varlink_machine_server;
+ VarlinkServer *varlink_server;
};
int manager_add_machine(Manager *m, const char *name, Machine **_machine);
diff --git a/src/machine/meson.build b/src/machine/meson.build
index 3150b33de5..c82a32589d 100644
--- a/src/machine/meson.build
+++ b/src/machine/meson.build
@@ -3,7 +3,6 @@
libmachine_core_sources = files(
'image-dbus.c',
'machine-dbus.c',
- 'machine-varlink.c',
'machine.c',
'machined-core.c',
'machined-dbus.c',
diff --git a/src/shared/meson.build b/src/shared/meson.build
index d01367a159..17313aefed 100644
--- a/src/shared/meson.build
+++ b/src/shared/meson.build
@@ -180,7 +180,6 @@ shared_sources = files(
'varlink-io.systemd.Credentials.c',
'varlink-io.systemd.Hostname.c',
'varlink-io.systemd.Journal.c',
- 'varlink-io.systemd.Machine.c',
'varlink-io.systemd.ManagedOOM.c',
'varlink-io.systemd.MountFileSystem.c',
'varlink-io.systemd.NamespaceResource.c',
diff --git a/src/shared/varlink-io.systemd.Machine.c b/src/shared/varlink-io.systemd.Machine.c
deleted file mode 100644
index 936f01f366..0000000000
--- a/src/shared/varlink-io.systemd.Machine.c
+++ /dev/null
@@ -1,22 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-
-#include "varlink-idl.h"
-#include "varlink-io.systemd.Machine.h"
-
-static VARLINK_DEFINE_METHOD(
- Register,
- VARLINK_DEFINE_INPUT(name, VARLINK_STRING, 0),
- VARLINK_DEFINE_INPUT(id, VARLINK_STRING, VARLINK_NULLABLE),
- VARLINK_DEFINE_INPUT(service, VARLINK_STRING, VARLINK_NULLABLE),
- VARLINK_DEFINE_INPUT(class, VARLINK_STRING, 0),
- VARLINK_DEFINE_INPUT(leader, VARLINK_INT, VARLINK_NULLABLE),
- VARLINK_DEFINE_INPUT(rootDirectory, VARLINK_STRING, VARLINK_NULLABLE),
- VARLINK_DEFINE_INPUT(ifIndices, VARLINK_INT, VARLINK_ARRAY|VARLINK_NULLABLE),
- VARLINK_DEFINE_INPUT(vsockCid, VARLINK_INT, VARLINK_NULLABLE),
- VARLINK_DEFINE_INPUT(sshAddress, VARLINK_STRING, VARLINK_NULLABLE),
- VARLINK_DEFINE_INPUT(sshPrivateKeyPath, VARLINK_STRING, VARLINK_NULLABLE));
-
-VARLINK_DEFINE_INTERFACE(
- io_systemd_Machine,
- "io.systemd.Machine",
- &vl_method_Register);
diff --git a/src/shared/varlink-io.systemd.Machine.h b/src/shared/varlink-io.systemd.Machine.h
deleted file mode 100644
index c9fc85f150..0000000000
--- a/src/shared/varlink-io.systemd.Machine.h
+++ /dev/null
@@ -1,6 +0,0 @@
-/* SPDX-License-Identifier: LGPL-2.1-or-later */
-#pragma once
-
-#include "varlink-idl.h"
-
-extern const VarlinkInterface vl_interface_io_systemd_Machine;

5
systemd.spec
View file

@ -98,6 +98,11 @@ GIT_DIR=../../src/systemd/.git git diffab -M v233..master@{2017-06-15} -- hwdb/[
# applying upstream pull requests.
%if %{without upstream}
# Drop varlink method call until selinux policy is updated,
# see https://bodhi.fedoraproject.org/updates/FEDORA-2024-d5c99f5063,
# https://bugzilla.redhat.com/show_bug.cgi?id=2279923.
# Reverts https://github.com/systemd/systemd/commit/5b44c81ff868a4d1b78a74e4770f7a8b2f1d0f91.
Patch0001: 0001-Revert-machined-add-varlink-interface-for-registerin.patch
# Those are downstream-only patches, but we don't want them in packit builds:
# https://bugzilla.redhat.com/show_bug.cgi?id=1738828