diff --git a/src/analyze/analyze-security.c b/src/analyze/analyze-security.c index 69eab91bdb..62ec53d135 100644 --- a/src/analyze/analyze-security.c +++ b/src/analyze/analyze-security.c @@ -1207,7 +1207,7 @@ static const struct security_assessor security_assessor_table[] = { .weight = 25, .range = 1, .assess = assess_capability_bounding_set, - .parameter = (UINT64_C(1) << CAP_BLOCK_SUSPEND), + .parameter = (UINT64_C(1) << 1), }, { .id = "CapabilityBoundingSet=~CAP_WAKE_ALARM", diff --git a/src/basic/arphrd-util.c b/src/basic/arphrd-util.c index 3ea2c9d09a..493aead57b 100644 --- a/src/basic/arphrd-util.c +++ b/src/basic/arphrd-util.c @@ -37,8 +37,8 @@ size_t arphrd_to_hw_addr_len(uint16_t arphrd) { case ARPHRD_IPGRE: return sizeof(struct in_addr); case ARPHRD_TUNNEL6: - case ARPHRD_IP6GRE: - return sizeof(struct in6_addr); +// case ARPHRD_IP6GRE: +// return sizeof(struct in6_addr); default: return 0; } diff --git a/src/basic/filesystems-gperf.gperf b/src/basic/filesystems-gperf.gperf index e8c5357f91..30ec5d52a3 100644 --- a/src/basic/filesystems-gperf.gperf +++ b/src/basic/filesystems-gperf.gperf @@ -33,7 +33,6 @@ binder, {BINDERFS_SUPER_MAGIC} binfmt_misc, {BINFMTFS_MAGIC} bpf, {BPF_FS_MAGIC} btrfs, {BTRFS_SUPER_MAGIC} -btrfs_test_fs, {BTRFS_TEST_MAGIC} # cpuset's magic got reassigned to cgroupfs cpuset, {CGROUP_SUPER_MAGIC} ceph, {CEPH_SUPER_MAGIC} @@ -52,7 +51,6 @@ devpts, {DEVPTS_SUPER_MAGIC} devtmpfs, {TMPFS_MAGIC} dmabuf, {DMA_BUF_MAGIC} ecryptfs, {ECRYPTFS_SUPER_MAGIC} -efivarfs, {EFIVARFS_MAGIC} efs, {EFS_SUPER_MAGIC} erofs, {EROFS_SUPER_MAGIC_V1} # ext2 + ext3 + ext4 use the same magic @@ -60,7 +58,6 @@ ext2, {EXT2_SUPER_MAGIC} ext3, {EXT3_SUPER_MAGIC} ext4, {EXT4_SUPER_MAGIC} exfat, {EXFAT_SUPER_MAGIC} -f2fs, {F2FS_SUPER_MAGIC} # fuseblk is so closely related to fuse that it shares the same magic fuseblk, {FUSE_SUPER_MAGIC} fuse, {FUSE_SUPER_MAGIC} 
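Review bot: The literal in `.parameter = (UINT64_C(1) << 1)` does not select the same bit as the removed `CAP_BLOCK_SUSPEND`: in linux/capability.h bit 1 is CAP_DAC_OVERRIDE and CAP_BLOCK_SUSPEND is 36. This assessor entry would therefore score the unit on a different capability, and the security report would mislead whoever relies on it. If the build headers lack the macro, keep the symbolic name and give it a guarded fallback, `#ifndef CAP_BLOCK_SUSPEND` / `#define CAP_BLOCK_SUSPEND 36` / `#endif`, instead of hard-coding a shift count. The table entry starts above the hunk, so the `.id` it belongs to is not visible here.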
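Review bot: Commenting out both the `case ARPHRD_IP6GRE:` label and the `return sizeof(struct in6_addr);` below it leaves `case ARPHRD_TUNNEL6:` falling through to `default: return 0;`. TUNNEL6 devices now report a hardware address length of 0 instead of the size of an IPv6 address. Only the unavailable label should go: keep `return sizeof(struct in6_addr);` directly under `case ARPHRD_TUNNEL6:` and wrap the IP6GRE label in `#ifdef ARPHRD_IP6GRE`. The switch begins outside the hunk.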
@@ -68,7 +65,6 @@ fusectl, {FUSE_CTL_SUPER_MAGIC} # gfs is an old version of gfs2 and reuses the magic gfs, {GFS2_MAGIC} gfs2, {GFS2_MAGIC} -hostfs, {HOSTFS_SUPER_MAGIC} hpfs, {HPFS_SUPER_MAGIC} hugetlbfs, {HUGETLBFS_MAGIC} iso9660, {ISOFS_SUPER_MAGIC} @@ -107,7 +103,6 @@ secretmem, {SECRETMEM_MAGIC} securityfs, {SECURITYFS_MAGIC} selinuxfs, {SELINUX_MAGIC} shiftfs, {SHIFTFS_MAGIC} -smackfs, {SMACK_MAGIC} # smb3 is an alias for cifs smb3, {CIFS_SUPER_MAGIC} # smbfs was removed from the kernel in 2010, the magic remains diff --git a/src/basic/process-util.c b/src/basic/process-util.c index fb0b38fa49..9709aa58f2 100644 --- a/src/basic/process-util.c +++ b/src/basic/process-util.c 
@@ -284,37 +284,6 @@ static int update_argv(const char name[], size_t l) { strncpy(nn, name, nn_size); - /* Now, let's tell the kernel about this new memory */ - if (prctl(PR_SET_MM, PR_SET_MM_ARG_START, (unsigned long) nn, 0, 0) < 0) { - if (ERRNO_IS_PRIVILEGE(errno)) - return log_debug_errno(errno, "PR_SET_MM_ARG_START failed: %m"); - - /* HACK: prctl() API is kind of dumb on this point. The existing end address may already be - * below the desired start address, in which case the kernel may have kicked this back due - * to a range-check failure (see linux/kernel/sys.c:validate_prctl_map() to see this in - * action). The proper solution would be to have a prctl() API that could set both start+end - * simultaneously, or at least let us query the existing address to anticipate this condition - * and respond accordingly. For now, we can only guess at the cause of this failure and try - * a workaround--which will briefly expand the arg space to something potentially huge before - * resizing it to what we want. */ - log_debug_errno(errno, "PR_SET_MM_ARG_START failed, attempting PR_SET_MM_ARG_END hack: %m"); - - if (prctl(PR_SET_MM, PR_SET_MM_ARG_END, (unsigned long) nn + l + 1, 0, 0) < 0) { - r = log_debug_errno(errno, "PR_SET_MM_ARG_END hack failed, proceeding without: %m"); - (void) munmap(nn, nn_size); - return r; - } - - if (prctl(PR_SET_MM, PR_SET_MM_ARG_START, (unsigned long) nn, 0, 0) < 0) - return log_debug_errno(errno, "PR_SET_MM_ARG_START still failed, proceeding without: %m"); - } else { - /* And update the end pointer to the new end, too. If this fails, we don't really know what - * to do, it's pretty unlikely that we can rollback, hence we'll just accept the failure, - * and continue. */ - if (prctl(PR_SET_MM, PR_SET_MM_ARG_END, (unsigned long) nn + l + 1, 0, 0) < 0) - log_debug_errno(errno, "PR_SET_MM_ARG_END failed, proceeding without: %m"); - } - if (mm) (void) munmap(mm, mm_size); 
@@ -324,8 +293,8 @@ static int update_argv(const char name[], size_t l) { strncpy(mm, name, mm_size); /* Update the end pointer, continuing regardless of any failure. */ - if (prctl(PR_SET_MM, PR_SET_MM_ARG_END, (unsigned long) mm + l + 1, 0, 0) < 0) - log_debug_errno(errno, "PR_SET_MM_ARG_END failed, proceeding without: %m"); + //if (prctl(PR_SET_MM, PR_SET_MM_ARG_END, (unsigned long) mm + l + 1, 0, 0) < 0) + // log_debug_errno(errno, "PR_SET_MM_ARG_END failed, proceeding without: %m"); } can_do = true; diff --git a/src/core/execute.c b/src/core/execute.c index b5b7de6d2a..531da40ae7 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -5002,11 +5002,11 @@ static int exec_child( } } - if (context_has_no_new_privileges(context)) - if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { - *exit_status = EXIT_NO_NEW_PRIVILEGES; - return log_unit_error_errno(unit, errno, "Failed to disable new privileges: %m"); - } + //if (context_has_no_new_privileges(context)) + //if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { + // *exit_status = EXIT_NO_NEW_PRIVILEGES; + // return log_unit_error_errno(unit, errno, "Failed to disable new privileges: %m"); + //} #if HAVE_SECCOMP r = apply_address_families(unit, context); diff --git a/src/core/main.c b/src/core/main.c index 14a4f81452..20be43827a 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -2193,10 +2193,10 @@ static int initialize_runtime( } if (arg_system && arg_no_new_privs) { - if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { - *ret_error_message = "Failed to disable new privileges"; - return log_emergency_errno(errno, "Failed to disable new privileges: %m"); - } + //if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) { + // *ret_error_message = "Failed to disable new privileges"; + // return log_emergency_errno(errno, "Failed to disable new privileges: %m"); + //} } if (arg_syscall_archs) { diff --git a/src/core/socket.c b/src/core/socket.c index 2a8aa54f7f..9742768f7f 100644 --- a/src/core/socket.c 
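Review bot: `update_argv()` still reaches `can_do = true` although the `PR_SET_MM_ARG_END` call here is commented out and the `@@ -284` hunk deletes the whole `PR_SET_MM_ARG_START`/`PR_SET_MM_ARG_END` block. The function therefore reports success while the kernel's record of the argument area is never updated. In the grow path the new mapping `nn` is still created and filled with `strncpy()` but never registered, so that work has no visible effect. If PR_SET_MM cannot be used on the target, return early before any mapping is made and delete the dead lines rather than keeping them as `//` comments. The function body starts and ends outside both hunks.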
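Review bot: With `prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0)` commented out in `exec_child()`, a unit whose context asks for no-new-privileges is started without the flag and without any error. A hardening setting the administrator configured is silently dropped, and setuid or file-capability binaries run by the service can still gain privileges. The same silent removal is made in `initialize_runtime()` in src/core/main.c, which is left with an empty `if (arg_system && arg_no_new_privs) { }`, and in `inner_child()` in src/nspawn/nspawn.c. If the target really lacks the prctl, fail closed when the option is requested, e.g. keep the condition and `return log_unit_error_errno(unit, SYNTHETIC_ERRNO(EOPNOTSUPP), "NoNewPrivileges= is not supported by this build.");`. All three functions extend beyond their hunks.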
+++ b/src/core/socket.c @@ -8,7 +8,7 @@ #include #include #include -#include +//include #include "alloc-util.h" #include "bpf-firewall.h" @@ -997,9 +997,9 @@ static void socket_apply_socket_options(Socket *s, SocketPort *p, int fd) { if (s->no_delay) { if (s->socket_protocol == IPPROTO_SCTP) { - r = setsockopt_int(fd, SOL_SCTP, SCTP_NODELAY, true); - if (r < 0) - log_unit_warning_errno(UNIT(s), r, "SCTP_NODELAY failed: %m"); + //r = setsockopt_int(fd, SOL_SCTP, SCTP_NODELAY, true); + //if (r < 0) + // log_unit_warning_errno(UNIT(s), r, "SCTP_NODELAY failed: %m"); } else { r = setsockopt_int(fd, SOL_TCP, TCP_NODELAY, true); if (r < 0) diff --git a/src/libsystemd/sd-netlink/netlink-message-nfnl.c b/src/libsystemd/sd-netlink/netlink-message-nfnl.c index 582f623efe..e6807023e0 100644 --- a/src/libsystemd/sd-netlink/netlink-message-nfnl.c +++ b/src/libsystemd/sd-netlink/netlink-message-nfnl.c @@ -15,10 +15,10 @@ static bool nfproto_is_valid(int nfproto) { return IN_SET(nfproto, NFPROTO_UNSPEC, - NFPROTO_INET, + //NFPROTO_INET, NFPROTO_IPV4, NFPROTO_ARP, - NFPROTO_NETDEV, + //NFPROTO_NETDEV, NFPROTO_BRIDGE, NFPROTO_IPV6, NFPROTO_DECNET); diff --git a/src/libsystemd/sd-netlink/netlink-types-rtnl.c b/src/libsystemd/sd-netlink/netlink-types-rtnl.c index 919512d110..bc2855859b 100644 --- a/src/libsystemd/sd-netlink/netlink-types-rtnl.c +++ b/src/libsystemd/sd-netlink/netlink-types-rtnl.c @@ -971,10 +971,10 @@ static const NLAPolicy rtnl_neigh_policies[] = { [NDA_LLADDR] = BUILD_POLICY(ETHER_ADDR), [NDA_CACHEINFO] = BUILD_POLICY_WITH_SIZE(BINARY, sizeof(struct nda_cacheinfo)), [NDA_PROBES] = BUILD_POLICY(U32), - [NDA_VLAN] = BUILD_POLICY(U16), - [NDA_PORT] = BUILD_POLICY(U16), - [NDA_VNI] = BUILD_POLICY(U32), - [NDA_IFINDEX] = BUILD_POLICY(U32), + //[NDA_VLAN] = BUILD_POLICY(U16), + //[NDA_PORT] = BUILD_POLICY(U16), + //[NDA_VNI] = BUILD_POLICY(U32), + //[NDA_IFINDEX] = BUILD_POLICY(U32), }; DEFINE_POLICY_SET(rtnl_neigh); 
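Review bot: The `if (s->socket_protocol == IPPROTO_SCTP)` branch is now empty, so `s->no_delay` on an SCTP socket is accepted and then ignored with no log line. Replace the commented-out block with an explicit message such as `log_unit_warning(UNIT(s), "SCTP_NODELAY is not supported by this build, ignoring.");` so the operator can see that the option had no effect. The `@@ -8` hunk also leaves a stray `//include` comment where the header was dropped; delete that line instead. The function continues outside the hunk.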
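Review bot: `nfproto_is_valid()` now rejects `NFPROTO_INET` and `NFPROTO_NETDEV`, which turns two valid netfilter families into invalid input for every caller of this check. The callers are outside the hunk, so which messages begin to fail cannot be seen here. If the target headers lack these enumerators, say so in a comment above the `IN_SET(...)`, for example `/* NFPROTO_INET and NFPROTO_NETDEV are not defined by the target's kernel headers */`. The two `//` entries should then be removed rather than kept inside the argument list.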
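Review bot: Dropping the `NDA_VLAN`, `NDA_PORT`, `NDA_VNI` and `NDA_IFINDEX` entries from `rtnl_neigh_policies[]` leaves those attribute types without a policy. Neighbor messages that carry them will presumably be refused by the policy lookup instead of being parsed as before. If the removal is intended, add a comment above the array stating the reason and which neighbor attributes are no longer supported, and delete the `//` lines. The array starts outside the hunk.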
diff --git a/src/nspawn/nspawn-patch-uid.c b/src/nspawn/nspawn-patch-uid.c index 1535d19bbb..8f5c640b3b 100644 --- a/src/nspawn/nspawn-patch-uid.c +++ b/src/nspawn/nspawn-patch-uid.c @@ -271,13 +271,13 @@ static int is_fs_fully_userns_compatible(const struct statfs *sfs) { F_TYPE_EQUAL(sfs->f_type, CGROUP2_SUPER_MAGIC) || F_TYPE_EQUAL(sfs->f_type, DEBUGFS_MAGIC) || F_TYPE_EQUAL(sfs->f_type, DEVPTS_SUPER_MAGIC) || - F_TYPE_EQUAL(sfs->f_type, EFIVARFS_MAGIC) || + //F_TYPE_EQUAL(sfs->f_type, EFIVARFS_MAGIC) || F_TYPE_EQUAL(sfs->f_type, HUGETLBFS_MAGIC) || F_TYPE_EQUAL(sfs->f_type, MQUEUE_MAGIC) || F_TYPE_EQUAL(sfs->f_type, PROC_SUPER_MAGIC) || F_TYPE_EQUAL(sfs->f_type, PSTOREFS_MAGIC) || F_TYPE_EQUAL(sfs->f_type, SELINUX_MAGIC) || - F_TYPE_EQUAL(sfs->f_type, SMACK_MAGIC) || + //F_TYPE_EQUAL(sfs->f_type, SMACK_MAGIC) || F_TYPE_EQUAL(sfs->f_type, SECURITYFS_MAGIC) || F_TYPE_EQUAL(sfs->f_type, BPF_FS_MAGIC) || F_TYPE_EQUAL(sfs->f_type, TRACEFS_MAGIC) || diff --git a/src/nspawn/nspawn-stub-pid1.c b/src/nspawn/nspawn-stub-pid1.c index 85c439815c..0cbdb56799 100644 --- a/src/nspawn/nspawn-stub-pid1.c +++ b/src/nspawn/nspawn-stub-pid1.c @@ -21,11 +21,11 @@ static int reset_environ(const char *new_environment, size_t length) { start = (unsigned long) new_environment; end = start + length; - if (prctl(PR_SET_MM, PR_SET_MM_ENV_START, start, 0, 0) < 0) - return -errno; + //if (prctl(PR_SET_MM, PR_SET_MM_ENV_START, start, 0, 0) < 0) + // return -errno; - if (prctl(PR_SET_MM, PR_SET_MM_ENV_END, end, 0, 0) < 0) - return -errno; + //if (prctl(PR_SET_MM, PR_SET_MM_ENV_END, end, 0, 0) < 0) + // return -errno; return 0; } diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 01a67b5553..4fb853c0bd 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c 
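Review bot: Removing `EFIVARFS_MAGIC` and `SMACK_MAGIC` from `is_fs_fully_userns_compatible()` changes its answer for efivarfs and smackfs from true to false, and the filesystems-gperf.gperf hunks drop the same two names from the lookup table. The caller is outside the hunk, but going by the function name these mounts would now be handled like ordinary filesystems during UID patching instead of being left alone. Both values are fixed kernel constants, so guarded fallbacks keep the list intact on old headers: `#ifndef EFIVARFS_MAGIC` / `#define EFIVARFS_MAGIC 0xde5e81e4` / `#endif`, and likewise `SMACK_MAGIC 0x43415d53`.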
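Review bot: `reset_environ()` now computes `start` and `end` and returns 0 without using them, so callers are told the environment area was reset when nothing was done. Either return an error such as `return -EOPNOTSUPP;` so the caller can decide how to proceed, or reduce the body to a documented no-op and drop the dead locals and the `//` lines. The declarations of `start` and `end` are above the hunk.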
@@ -3446,9 +3446,9 @@ static int inner_child( if (r < 0) return log_error_errno(r, "Dropping capabilities failed: %m"); - if (arg_no_new_privileges) - if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) - return log_error_errno(errno, "Failed to disable new privileges: %m"); + //if (arg_no_new_privileges) + // if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) < 0) + // return log_error_errno(errno, "Failed to disable new privileges: %m"); /* LXC sets container=lxc, so follow the scheme here */ envp[n_env++] = strjoina("container=", arg_container_service_name); diff --git a/src/shared/blockdev-util.c b/src/shared/blockdev-util.c index 72fad160ed..2921ac3a52 100644 --- a/src/shared/blockdev-util.c +++ b/src/shared/blockdev-util.c @@ -632,7 +632,7 @@ int block_device_resize_partition( }; struct blkpg_ioctl_arg ba = { - .op = BLKPG_RESIZE_PARTITION, + .op = 1, .data = &bp, .datalen = sizeof(bp), };
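Review bot: `.op = 1` is not the value of the removed `BLKPG_RESIZE_PARTITION`: linux/blkpg.h defines `BLKPG_ADD_PARTITION` as 1, `BLKPG_DEL_PARTITION` as 2 and `BLKPG_RESIZE_PARTITION` as 3. As written, `block_device_resize_partition()` would issue an add-partition request instead of a resize. Keep the symbolic name and supply a fallback where the header lacks it, `#ifndef BLKPG_RESIZE_PARTITION` / `#define BLKPG_RESIZE_PARTITION 3` / `#endif`. The ioctl call that consumes `ba` is outside the hunk.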