core: make RootDirectory= and ProtectKernelModules= work #4594
Conversation
@tixxdz , thanks! I found two small issues (see comments). I'll run systemd under valgrind and under AddressSanitizer tomorrow.
if (!path) | ||
return -ENOMEM; | ||
|
||
if (!path_is_absolute(path)) |
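Review bot: the strdup'd `path` leaks when `if (!path_is_absolute(path))` rejects it, because the copy is taken before the check and nothing frees it on that exit. Either move `path = strdup(*i);` below the absolute check, or declare it `_cleanup_free_ char *path = NULL;` and clear it (`path = NULL;`) only after `set_bind_mount(p, path, mode, ignore);` has taken ownership, as the thread suggests.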
There is a memleak here. I think should be something like:
_cleanup_free_ char *path = NULL;
...
path = strdup(*i);
...
set_bind_mount(p, path, mode, ignore);
path = NULL;
Hey @evverx could you please check again, since I reworked the whole logic and those paths are cleaned https://github.com/systemd/systemd/pull/4594/files#diff-f315b72505d5f0a92ec2f4d068d4f916R913 here and in different places where we chase symlinks, drop duplicate paths etc...
Oh, I see. So
https://github.com/systemd/systemd/pull/4594/files#diff-f315b72505d5f0a92ec2f4d068d4f916L746
r = append_mounts(&m, read_write_paths, READWRITE);
if (r < 0)
return r;
should be
r = append_mounts(&m, read_write_paths, READWRITE);
if (r < 0)
goto finish;
Right?
It seems that strdup should be done below the !path_is_absolute check. This would avoid the memleak.
@@ -196,7 +200,7 @@ static int append_target_mounts(BindMount **p, const char *root_directory, const | |||
* declaration we do not support "-" at the beginning. | |||
*/ | |||
const TargetMount *m = &mounts[i]; | |||
const char *path = prefix_roota(root_directory, m->path); | |||
char *path = prefix_root(root_directory, m->path); | |||
|
|||
if (!path_is_absolute(path)) |
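Review bot: `char *path = prefix_root(root_directory, m->path);` now allocates (prefix_roota() built the string on the stack), yet the result goes straight into `path_is_absolute(path)` with no NULL check, so an allocation failure dereferences NULL; add `if (!path) return -ENOMEM;` right after it. Because the string is heap memory from here on, it also has to be freed on the `!path_is_absolute` exit and wherever the appended mount is later discarded, otherwise every rejected or dropped entry leaks.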
There is a memleak. Similar to my previous comment
Hmm ? I'm a bit lost here, could you please confirm ? thanks ;-)
force-pushed from e9615f4 to ca5acd1
@@ -756,64 +776,67 @@ int setup_namespace( | |||
return r; | |||
|
|||
if (tmp_dir) { | |||
m->path = prefix_roota(root_directory, "/tmp"); | |||
m->path = prefix_root(root_directory, "/tmp"); |
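Review bot: `m->path = prefix_root(root_directory, "/tmp");` is not checked for NULL, unlike the `if (!path) return -ENOMEM;` added to append_target_mounts(), so an allocation failure leaves an entry with a NULL path in the list. Handle it as `if (!m->path) { r = -ENOMEM; goto finish; }` so the mounts already appended are released on the same `finish` path the thread proposes for append_mounts() errors, instead of returning and leaking them.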
Shouldn't we check the result of the prefix_root?
Also, I'd prefer to not mix two commits in this PR. I think we should fix the memory issue first. @tixxdz , what do you think?
force-pushed from ca5acd1 to 10e08b9
force-pushed from 10e08b9 to cd92950
@tixxdz , thanks! I'll run BTW TestPathsStat passed:
Looks good in general, but there's still a few iffy places.
const char *path = prefix_roota(root_directory, m->path); | ||
char *path = prefix_root(root_directory, m->path); | ||
|
||
if (!path) |
It'd be more idiomatic to move the initalization out of the declaration block:
char *path;
path = prefix_root(...);
if (!path)
...
@@ -309,6 +331,7 @@ static void drop_duplicates(BindMount *m, unsigned *n) { | |||
* above. */ | |||
if (previous && path_equal(f->path, previous->path)) { | |||
log_debug("%s is duplicate.", f->path); | |||
free(f->path); |
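Review bot: `free(f->path);` leaves the freed pointer sitting in the entry that is being skipped; if the array is walked again (another drop_duplicates() pass, or a cleanup that frees every `path`) that pointer is freed a second time, which is the `double free or corruption` class of failure reported further down this thread. Write it as `f->path = mfree(f->path);` so a dropped entry is unmistakably NULL and free(NULL) stays a no-op.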
Hm, even though this free is correct, it looks dangerous. Maybe f->path = mfree(f->path) would be safer.
yes the mountcnt catches this but better safe than sorry, updated.
continue; | ||
if (r < 0) | ||
return log_debug_errno(r, "Failed to chase symlinks for %s: %m", f->path); | ||
} if (r < 0) |
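Review bot: `return log_debug_errno(r, "Failed to chase symlinks for %s: %m", f->path);` leaves the loop from the middle, so the heap `path` strings already in the array, both the entries processed so far and the ones not yet reached, are never freed and the mount count no longer matches what was allocated; on a hard failure free every entry (or jump to one common cleanup) before returning, which is what the follow-up fix quoted later in this thread ends up doing. Also put `if (r < 0)` on its own line after the closing brace rather than `} if (r < 0)`.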
Newline here.
else { | ||
log_debug("Chased %s → %s", f->path, f->chased); | ||
f->path = f->chased; | ||
log_debug("Chased %s → %s", f->path, chased); |
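Review bot: storing the chased result in `f->path` has to release the previous string exactly once and take over `chased` without copying it again; use `_cleanup_free_ char *chased = NULL;` together with `free_and_replace(f->path, chased);`, which frees the old value, moves the pointer and NULLs `chased` so the cleanup attribute has nothing left to free. `free_and_strdup()` would duplicate the string a second time and still leave `chased` to be freed by hand, which is the error-prone manual freeing this hunk is trying to get rid of.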
This manual string freeing looks error-prone. Maybe use _cleanup_free_ for chased, and free_and_replace here.
I think you mean free_and_strdup, thanks!
No, free_and_replace. No need to duplicate the string again.
@@ -724,96 +753,96 @@ int setup_namespace( | |||
|
|||
BindMount *m, *mounts = NULL; | |||
bool make_slave = false; | |||
unsigned n; | |||
unsigned mountcnt; |
n_mounts?
force-pushed from cd92950 to ec066d2
@keszybz updated, thanks!
@martinpitt this one failed at the xenial-i386 test where previous versions of it succeeded, and this #4596 with the same commit + another one succeeded; should I re-push, or is it maybe a valid bug? It failed at this one https://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/debian/tests/boot-and-services#n62 ? thanks!
Instead of having two fields inside BindMount struct where one is stack based and the other one is heap, use one field to store the full path and update it when we chase symlinks. This way we avoid dealing with both at the same time.
This makes RootDirectory= work with ProtectHome= and ProtectKernelModules=yes
Fixes: systemd#4567
force-pushed from ec066d2 to f0a4feb
@tixxdz , the lightdm test is indeed a bit flaky; if that happens, I usually just retry it. But it's re-running now anyway due to new commits.
@martinpitt I see ok, thank you for the info. I forced pushed the same patch again.
I added two small changes on top, please re-review.
@keszybz ah free_and_replace() sets chased to null, didn't notice that. Lgtm thank you!
@tixxdz , sorry for the delay. I'm testing. Stay tuned :-)
Hm, another test:
=== RUN TestVolumeSysfs
--- FAIL: TestVolumeSysfs (12.67s)
...
[309106.757998] rkt-inspect[12]: *** Error in `(inspect)': double free or corruption (fasttop): 0x000055bbdd76c550 ***
[FAILED] Failed to start Application=rkt-inspect Image=coreos.com/rkt-inspect.
...
…s() fails This certainly fixes a bug that was introduced by PR systemd#4594 that intended to fix systemd#4567. The fix was not complete. This patch makes sure that we count freed paths when chase_all_symlinks() fails and we do not return directly. Also go ahead and remove assert() checks against mount counts being zero. This does not make sense since we are explicitly decrementing and freeing mount paths which makes it easy to hit the assert. If users did provide misconfigured paths then just log a debug message, ignore and continue. Note that if mount count is zero at the beginning, then we never hit this code path. Fixes systemd#4567
This certainly fixes a bug that was introduced by PR systemd#4594 that intended to fix systemd#4567. The fix was not complete. This patch makes sure that we count and free all paths that fail inside chase_all_symlinks(). Fixes systemd#4567
rkt currently tries to switch on `ProtectKernelTunables` for supported systemd versions (ie. >=232), but it does not work together with `RootDirectory` due to systemd/systemd#4594 which is targeted at v233. This commit bumps the version check accordingly.
…() (#4619) This certainly fixes a bug that was introduced by PR systemd/systemd#4594 that intended to fix systemd/systemd#4567. The fix was not complete. This patch makes sure that we count and free all paths that fail inside chase_all_symlinks(). Fixes systemd/systemd#4567 (cherry picked from commit 1d54cd5)
Instead of having two fields inside BindMount struct where one is stack
based and the other one is heap, use one field to store the full path
and update it when we chase symlinks. This way we avoid dealing with
both at the same time.
This makes RootDirectory= work with ProtectHome=, ProtectControlGroups= and
ProtectKernelModules=yes
Fixes: #4567