core: make RootDirectory= and ProtectKernelModules= work #4594
Conversation
| if (!path) | ||
| return -ENOMEM; | ||
|
|
||
| if (!path_is_absolute(path)) |
There was a problem hiding this comment.
There is a memleak here. I think should be something like:
_cleanup_free_ char *path = NULL;
...
path = strdup(*i);
...
set_bind_mount(p, path, mode, ignore);
path = NULL;There was a problem hiding this comment.
Hey @evverx could you please check again, since I reworked the whole logic and those paths are cleaned https://github.com/systemd/systemd/pull/4594/files#diff-f315b72505d5f0a92ec2f4d068d4f916R913 here and in different places where we chase symlinks, drop duplicate paths etc...
There was a problem hiding this comment.
Oh, I see. So
https://github.com/systemd/systemd/pull/4594/files#diff-f315b72505d5f0a92ec2f4d068d4f916L746
r = append_mounts(&m, read_write_paths, READWRITE);
if (r < 0)
return r;should be
r = append_mounts(&m, read_write_paths, READWRITE);
if (r < 0)
goto finish;Right?
There was a problem hiding this comment.
It seems that strdup should be done below the !path_is_absolute check. This would avoid the memleak.
| @@ -196,7 +200,7 @@ static int append_target_mounts(BindMount **p, const char *root_directory, const | |||
| * declaration we do not support "-" at the beginning. | |||
| */ | |||
| const TargetMount *m = &mounts[i]; | |||
| const char *path = prefix_roota(root_directory, m->path); | |||
| char *path = prefix_root(root_directory, m->path); | |||
|
|
|||
| if (!path_is_absolute(path)) | |||
There was a problem hiding this comment.
There is a memleak. Similar to my previous comment
There was a problem hiding this comment.
Hmm ? I'm a bit lost here, could you please confirm ? thanks ;-)
tixxdz
force-pushed
the
djalal/fix-rootdir-apply-mntns
branch
from
e9615f4
to
ca5acd1
Compare
tixxdz
changed the title
| @@ -756,64 +776,67 @@ int setup_namespace( | |||
| return r; | |||
|
|
|||
| if (tmp_dir) { | |||
| m->path = prefix_roota(root_directory, "/tmp"); | |||
| m->path = prefix_root(root_directory, "/tmp"); | |||
There was a problem hiding this comment.
Shouldn't we check the result of the prefix_root?
|
Also, I'd prefer to not mix two commits in this PR. I think we should fix the memory issue first. @tixxdz , what do you think? |
tixxdz
force-pushed
the
djalal/fix-rootdir-apply-mntns
branch
from
ca5acd1
to
10e08b9
Compare
tixxdz
force-pushed
the
djalal/fix-rootdir-apply-mntns
branch
from
10e08b9
to
cd92950
Compare
|
@tixxdz , thanks! I'll run BTW TestPathsStat passed: |
| if (!path) | ||
| return -ENOMEM; | ||
|
|
||
| if (!path_is_absolute(path)) |
There was a problem hiding this comment.
It seems that strdup should be done below the !path_is_absolute check. This would avoid the memleak.
| const char *path = prefix_roota(root_directory, m->path); | ||
| char *path = prefix_root(root_directory, m->path); | ||
|
|
||
| if (!path) |
There was a problem hiding this comment.
It'd be more idiomatic to move the initalization out of the declaration block:
char *path;
path = prefix_root(...);
if (!path)
...
| @@ -309,6 +331,7 @@ static void drop_duplicates(BindMount *m, unsigned *n) { | |||
| * above. */ | |||
| if (previous && path_equal(f->path, previous->path)) { | |||
| log_debug("%s is duplicate.", f->path); | |||
| free(f->path); | |||
There was a problem hiding this comment.
Hm, even though this free is correct, it looks dangerous. Maybe f->path = mfree(f->path) would be safer.
There was a problem hiding this comment.
yes the mountcnt catches this but better safe than sorry, updated.
| continue; | ||
| if (r < 0) | ||
| return log_debug_errno(r, "Failed to chase symlinks for %s: %m", f->path); | ||
| } if (r < 0) |
| else { | ||
| log_debug("Chased %s → %s", f->path, f->chased); | ||
| f->path = f->chased; | ||
| log_debug("Chased %s → %s", f->path, chased); |
There was a problem hiding this comment.
This manual string freeing looks error-prone. Maybe use _cleanup_free_ for chased, and free_and_replace here.
There was a problem hiding this comment.
I think you mean free_and_strdup, thanks!
There was a problem hiding this comment.
No, free_and_replace. No need to duplicate the string again.
| @@ -724,96 +753,96 @@ int setup_namespace( | |||
|
|
|||
| BindMount *m, *mounts = NULL; | |||
| bool make_slave = false; | |||
| unsigned n; | |||
| unsigned mountcnt; | |||
tixxdz
force-pushed
the
djalal/fix-rootdir-apply-mntns
branch
from
cd92950
to
ec066d2
Compare
|
@keszybz updated, thanks! |
|
@martinpitt this one failed at xeinal-i386 test where previous versions of it succeeded, and this #4596 with same commit + another one succeeded, should I re-push or maybe a valid bug ? failed at this one https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/debian/tests/boot-and-services#n62 ? thanks! |
Instead of having two fields inside BindMount struct where one is stack based and the other one is heap, use one field to store the full path and updated it when we chase symlinks. This way we avoid dealing with both at the same time. This makes RootDirectory= work with ProtectHome= and ProtectKernelModules=yes Fixes: systemd#4567
tixxdz
force-pushed
the
djalal/fix-rootdir-apply-mntns
branch
from
ec066d2
to
f0a4feb
Compare
|
@tixxdz , the lightdm test is indeed a bit flaky; if that happens, I usually just retry it. But it's re-running now anyway due to new commits. |
|
@martinpitt I see ok, thank you for the info. I forced pushed the same patch again. |
|
I added two small changes on top, please re-review. |
|
@keszybz ah free_and_replace() sets chased to null, didn't notice that. Lgtm thank you! |
|
@tixxdz , sorry for the delay. I'm testing. Stay tuned :-) |
|
Hm, another test: === RUN TestVolumeSysfs
--- FAIL: TestVolumeSysfs (12.67s)
...
[309106.757998] rkt-inspect[12]: *** Error in `(inspect)': double free or corruption (fasttop): 0x000055bbdd76c550 ***
[FAILED] Failed to start Application=rkt-inspect Image=coreos.com/rkt-inspect.
... |
…s() fails This certainly fixes a bug that was introduced by PR systemd#4594 that intended to fix systemd#4567. The fix was not complete. This patch makes sure that we count freed paths when chase_all_symlinks() fails and we do not return directly. Also go ahead and remove assert() checks against mount counts being zero. This does not make sense since we are explicitly decrementing and freeing mount paths which makes it easy to hit the assert. If users did provide a misconfigured paths then just log a debug message, ignore and continue. Note that if mount count is zero at the beginning, then we we never hit this code path. Fixes systemd#4567
…s() fails This certainly fixes a bug that was introduced by PR systemd#4594 that intended to fix systemd#4567. The fix was not complete. This patch makes sure that we count freed paths when chase_all_symlinks() fails and we do not return directly. Also go ahead and remove assert() checks against mount counts being zero. This does not make sense since we are explicitly decrementing and freeing mount paths which makes it easy to hit the assert. If users did provide a misconfigured paths then just log a debug message, ignore and continue. Note that if mount count is zero at the beginning, then we we never hit this code path. Fixes systemd#4567
…s() fails This certainly fixes a bug that was introduced by PR systemd#4594 that intended to fix systemd#4567. The fix was not complete. This patch makes sure that we count freed paths when chase_all_symlinks() fails and we do not return directly. Also go ahead and remove assert() checks against mount counts being zero. This does not make sense since we are explicitly decrementing and freeing mount paths which makes it easy to hit the assert. If users did provide a misconfigured paths then just log a debug message, ignore and continue. Note that if mount count is zero at the beginning, then we we never hit this code path. Fixes systemd#4567
This certainly fixes a bug that was introduced by PR systemd#4594 that intended to fix systemd#4567. The fix was not complete. This patch makes sure that we count and free all paths that fail inside chase_all_symlinks(). Fixes systemd#4567
rkt currently tries to switch on `ProtectKernelTunables` for supported systemd versions (ie. >=232), but it does not work together with `RootDirectory` due to systemd/systemd#4594 which is targeted at v233. This commit bumps the version check accordingly.
…() (#4619) This certainly fixes a bug that was introduced by PR systemd/systemd#4594 that intended to fix systemd/systemd#4567. The fix was not complete. This patch makes sure that we count and free all paths that fail inside chase_all_symlinks(). Fixes systemd/systemd#4567 (cherry picked from commit 1d54cd5)
Instead of having two fields inside BindMount struct where one is stack
based and the other one is heap, use one field to store the full path
and updated it when we chase symlinks. This way we avoid dealing with
both at the same time.
This makes RootDirectory= work with ProtectHome=, ProtectControlGroups= and
ProtectKernelModules=yes
Fixes: #4567