src/specifier.c \
src/unit-name.c \
src/fdset.c \
- src/namespace.c
+ src/namespace.c \
+ src/tcpwrap.c
EXTRA_DIST += \
${COMMON_SOURCES:.c=.h} \
systemd_LDADD = \
$(DBUS_LIBS) \
$(UDEV_LIBS) \
- $(CGROUP_LIBS)
+ $(CGROUP_LIBS) \
+ $(LIBWRAP_LIBS)
test_engine_SOURCES = \
$(COMMON_SOURCES) \
systemd_logger_SOURCES = \
$(BASIC_SOURCES) \
src/logger.c \
- src/sd-daemon.c
+ src/sd-daemon.c \
+ src/tcpwrap.c
+
+systemd_logger_LDADD = \
+ $(LIBWRAP_LIBS)
systemd_initctl_SOURCES = \
$(BASIC_SOURCES) \
AC_SUBST(CGROUP_CFLAGS)
AC_SUBST(CGROUP_LIBS)
+AC_ARG_ENABLE([tcpwrap],
+ AS_HELP_STRING([--disable-tcpwrap],[Disable optional TCP wrappers support]),
+ [case "${enableval}" in
+ yes) tcpwrap=yes ;;
+ no) tcpwrap=no ;;
+ *) AC_MSG_ERROR(bad value ${enableval} for --disable-tcpwrap) ;;
+ esac],
+ [tcpwrap=auto])
+
+if test "x${tcpwrap}" != xno ; then
+ ACX_LIBWRAP
+ if test "x${LIBWRAP_LIBS}" = x ; then
+ if test "x$tcpwrap" = xyes ; then
+ AC_MSG_ERROR([*** TCP wrappers support not found])
+ fi
+ else
+ tcpwrap=yes
+ fi
+else
+ LIBWRAP_LIBS=
+fi
+
+AC_SUBST(LIBWRAP_LIBS)
+
have_gtk=no
AC_ARG_ENABLE(gtk, AS_HELP_STRING([--disable-gtk], [disable GTK tools]))
if test "x$enable_gtk" != "xno"; then
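Review bot: When `--enable-tcpwrap`/`--disable-tcpwrap` is not given and ACX_LIBWRAP finds no library, `tcpwrap` keeps the value `auto`, so the summary line `tcpwrap: ${tcpwrap}` reports `auto` for a build that has no access-control support compiled in. Only the found case sets `tcpwrap=yes`; the not-found branch does nothing once the `xyes` test fails. Adding `tcpwrap=no` after the inner `fi` of the `test "x${LIBWRAP_LIBS}" = x` branch makes the summary state the real outcome. The `AC_MSG_ERROR(bad value ${enableval} for --disable-tcpwrap)` argument would also be safer quoted in `[...]`.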
Syslog service: ${SPECIAL_SYSLOG_SERVICE}
D-Bus service: ${SPECIAL_DBUS_SERVICE}
Gtk: ${have_gtk}
+ tcpwrap: ${tcpwrap}
prefix: ${prefix}
root dir: ${with_rootdir}
udev rules dir: ${with_udevrulesdir}
--- /dev/null
+AC_DEFUN([ACX_LIBWRAP], [
+LIBWRAP_LIBS=
+saved_LIBS="$LIBS"
+LIBS="$LIBS -lwrap"
+AC_MSG_CHECKING([for tcpwrap library and headers])
+AC_LINK_IFELSE(
+AC_LANG_PROGRAM(
+[#include <tcpd.h>
+#include <syslog.h>
+int allow_severity = LOG_INFO;
+int deny_severity = LOG_WARNING;],
+[struct request_info *req;
+return hosts_access (req);]),
+[AC_DEFINE(HAVE_LIBWRAP, [], [Have tcpwrap?])
+LIBWRAP_LIBS="-lwrap"
+AC_MSG_RESULT(yes)],
+[AC_MSG_RESULT(no)])
+LIBS="$saved_LIBS"
+])
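Review bot: The link probe defines `allow_severity` and `deny_severity` itself, while the new src/tcpwrap.c in this commit defines neither. If a libwrap build expects the program to supply those symbols, configure would answer yes and the real link would fail later, or the severities would be whatever the library defaults to. Either drop the two definitions from the probe so it tests what the code actually links, or define them in tcpwrap.c under `#ifdef HAVE_LIBWRAP`, e.g. `int allow_severity = LOG_INFO;` and `int deny_severity = LOG_WARNING;`. The `AC_LANG_PROGRAM(...)` argument to `AC_LINK_IFELSE` should also be wrapped in `[...]`.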
" <property name=\"DirectoryMode\" type=\"u\" access=\"read\"/>\n" \
" <property name=\"SocketMode\" type=\"u\" access=\"read\"/>\n" \
" <property name=\"Accept\" type=\"b\" access=\"read\"/>\n" \
+ " <property name=\"TCPWrapName\" type=\"s\" access=\"read\"/>\n" \
" </interface>\n" \
#define INTROSPECTION \
{ "org.freedesktop.systemd1.Socket", "DirectoryMode", bus_property_append_mode, "u", &u->socket.directory_mode },
{ "org.freedesktop.systemd1.Socket", "SocketMode", bus_property_append_mode, "u", &u->socket.socket_mode },
{ "org.freedesktop.systemd1.Socket", "Accept", bus_property_append_bool, "b", &u->socket.accept },
+ { "org.freedesktop.systemd1.Socket", "TCPWrapName", bus_property_append_string, "s", u->socket.tcpwrap_name },
{ NULL, NULL, NULL, NULL, NULL }
};
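Review bot: The new `TCPWrapName` row passes `u->socket.tcpwrap_name` by value, and that pointer is NULL whenever the option is unset: socket_done resets it to NULL and socket_dump guards on it in this same commit. Whether `bus_property_append_string` accepts NULL data is not visible here, so please confirm it substitutes an empty string rather than asserting or dereferencing. If it does, a short comment on the row such as `/* NULL when TCPWrapName= is unset; exported as "" */` would record the assumption.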
{ "SocketMode", config_parse_mode, &u->socket.socket_mode, "Socket" },
{ "KillMode", config_parse_kill_mode, &u->socket.kill_mode, "Socket" },
{ "Accept", config_parse_bool, &u->socket.accept, "Socket" },
+ { "TCPWrapName", config_parse_string, &u->socket.tcpwrap_name, "Socket" },
EXEC_CONTEXT_CONFIG_ITEMS(u->socket.exec_context, "Socket"),
{ "What", config_parse_string, &u->mount.parameters_fragment.what, "Mount" },
#include "log.h"
#include "list.h"
#include "sd-daemon.h"
+#include "tcpwrap.h"
#define STREAM_BUFFER 2048
#define STREAMS_MAX 256
return 0;
}
+ if (!socket_tcpwrap(fd, "systemd-logger")) {
+ close_nointr_nofail(fd);
+ return 0;
+ }
+
if (!(stream = new0(Stream, 1))) {
close_nointr_nofail(fd);
return -ENOMEM;
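Review bot: The literal `"systemd-logger"` in the new `socket_tcpwrap()` call is the daemon name an administrator has to match in hosts.allow/hosts.deny, and nothing at the call site says so. A refusal also returns 0, the same value as the success path, which is easy to misread as a missing error code. A comment above the check would cover both, for example `/* Daemon name for hosts.allow/hosts.deny is "systemd-logger"; a refused peer is dropped silently, not an error */`. The enclosing function starts and ends outside this hunk.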
#include "strv.h"
#include "unit-name.h"
#include "dbus-socket.h"
+#include "tcpwrap.h"
static const UnitActiveState state_translation_table[_SOCKET_STATE_MAX] = {
[SOCKET_DEAD] = UNIT_INACTIVE,
free(s->bind_to_device);
s->bind_to_device = NULL;
+ free(s->tcpwrap_name);
+ s->tcpwrap_name = NULL;
+
unit_unwatch_timer(u, &s->timer_watch);
}
"%sBindToDevice: %s\n",
prefix, s->bind_to_device);
+ if (s->tcpwrap_name)
+ fprintf(f,
+ "%sTCPWrapName: %s\n",
+ prefix, s->tcpwrap_name);
+
if (s->accept)
fprintf(f,
"%sAccepted: %u\n",
break;
}
+
+ if (s->tcpwrap_name)
+ if (!socket_tcpwrap(cfd, s->tcpwrap_name)) {
+ close_nointr_nofail(cfd);
+ return;
+ }
}
socket_enter_running(s, cfd);
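Review bot: The added `socket_tcpwrap(cfd, s->tcpwrap_name)` call runs libwrap's `hosts_access()` synchronously in the accept path. Rules that name hosts, or user@host patterns, can make libwrap perform DNS or ident lookups, so a slow resolver would presumably stall this dispatch for the whole manager. That constraint should be documented where the check is made, e.g. `/* hosts_access() may block on name lookups; prefer address-based rules for units using TCPWrapName= */`. The nested `if (s->tcpwrap_name) if (!socket_tcpwrap(...)) { ... }` should also get braces on the outer `if`. The enclosing function begins outside the hunk.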
mode_t directory_mode;
mode_t socket_mode;
+ char *tcpwrap_name;
+
bool accept;
unsigned n_accepted;
--- /dev/null
+/*-*- Mode: C; c-basic-offset: 8 -*-*/
+
+/***
+ This file is part of systemd.
+
+ Copyright 2010 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <sys/socket.h>
+#include <sys/un.h>
+
+#ifdef HAVE_LIBWRAP
+#include <tcpd.h>
+#endif
+
+#include "tcpwrap.h"
+#include "log.h"
+
+bool socket_tcpwrap(int fd, const char *name) {
+#ifdef HAVE_LIBWRAP
+ struct request_info req;
+ union {
+ struct sockaddr sa;
+ struct sockaddr_in in;
+ struct sockaddr_in6 in6;
+ struct sockaddr_un un;
+ struct sockaddr_storage storage;
+ } sa_union;
+ socklen_t l = sizeof(sa_union);
+
+ if (getsockname(fd, &sa_union.sa, &l) < 0)
+ return true;
+
+ if (sa_union.sa.sa_family != AF_INET &&
+ sa_union.sa.sa_family != AF_INET6)
+ return true;
+
+ request_init(&req,
+ RQ_DAEMON, name,
+ RQ_FILE, fd,
+ NULL);
+
+ fromhost(&req);
+
+ if (!hosts_access(&req)) {
+ log_warning("Connection refused by tcpwrap.");
+ return false;
+ }
+
+ log_debug("Connection accepted by tcpwrap.");
+#endif
+ return true;
+}
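Review bot: `socket_tcpwrap()` fails open: when `getsockname()` fails it returns true without logging, so an error in the access-control path admits the connection and leaves no trace. Unless that is a deliberate policy, refuse and log instead, `if (getsockname(fd, &sa_union.sa, &l) < 0) { log_warning("getsockname() failed, refusing connection: %m"); return false; }`. The refusal message would also be more useful for triage if it named the service, e.g. `log_warning("Connection refused by tcpwrap (daemon name %s).", name);`. `name` is passed to `request_init()` unchecked, so a NULL caller argument should be rejected or asserted first.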
--- /dev/null
+/*-*- Mode: C; c-basic-offset: 8 -*-*/
+
+#ifndef foolibwraphfoo
+#define foolibwraphfoo
+
+/***
+ This file is part of systemd.
+
+ Copyright 2010 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ General Public License for more details.
+
+ You should have received a copy of the GNU General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <stdbool.h>
+
+bool socket_tcpwrap(int fd, const char *name);
+
+#endif
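Review bot: The prototype `bool socket_tcpwrap(int fd, const char *name);` has no contract comment, and its return value is not obvious from the name: per tcpwrap.c it returns true both when libwrap allows the peer and when no check was made at all (non-IP socket, `getsockname()` failure, or a build without HAVE_LIBWRAP). A doc comment stating that true means "allowed or not checked", that false means the caller must close the fd, and that `name` is the daemon token matched against hosts.allow/hosts.deny would prevent callers from treating true as a positive authorization. The include guard `foolibwraphfoo` also does not match the file name tcpwrap.h; `footcpwraphfoo` would follow the pattern.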