summaryrefslogtreecommitdiffstats
path: root/src/sysctl
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/sysctl/meson.build9
-rw-r--r--src/sysctl/sysctl.c490
2 files changed, 499 insertions, 0 deletions
diff --git a/src/sysctl/meson.build b/src/sysctl/meson.build
new file mode 100644
index 0000000..1fb85c2
--- /dev/null
+++ b/src/sysctl/meson.build
@@ -0,0 +1,9 @@
+# SPDX-License-Identifier: LGPL-2.1-or-later
+
+executables += [
+ libexec_template + {
+ 'name' : 'systemd-sysctl',
+ 'public' : true,
+ 'sources' : files('sysctl.c'),
+ },
+]
diff --git a/src/sysctl/sysctl.c b/src/sysctl/sysctl.c
new file mode 100644
index 0000000..aac965f
--- /dev/null
+++ b/src/sysctl/sysctl.c
@@ -0,0 +1,490 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <errno.h>
+#include <getopt.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <sys/types.h>
+
+#include "build.h"
+#include "conf-files.h"
+#include "constants.h"
+#include "creds-util.h"
+#include "errno-util.h"
+#include "fd-util.h"
+#include "fileio.h"
+#include "glob-util.h"
+#include "hashmap.h"
+#include "log.h"
+#include "main-func.h"
+#include "pager.h"
+#include "path-util.h"
+#include "pretty-print.h"
+#include "string-util.h"
+#include "strv.h"
+#include "sysctl-util.h"
+
+static char **arg_prefixes = NULL;
+static CatFlags arg_cat_flags = CAT_CONFIG_OFF;
+static bool arg_strict = false;
+static PagerFlags arg_pager_flags = 0;
+
+STATIC_DESTRUCTOR_REGISTER(arg_prefixes, strv_freep);
+
+typedef struct Option {
+ char *key;
+ char *value;
+ bool ignore_failure;
+} Option;
+
+static Option *option_free(Option *o) {
+ if (!o)
+ return NULL;
+
+ free(o->key);
+ free(o->value);
+
+ return mfree(o);
+}
+
+DEFINE_TRIVIAL_CLEANUP_FUNC(Option*, option_free);
+DEFINE_HASH_OPS_WITH_VALUE_DESTRUCTOR(option_hash_ops, char, string_hash_func, string_compare_func, Option, option_free);
+
+static bool test_prefix(const char *p) {
+ if (strv_isempty(arg_prefixes))
+ return true;
+
+ return path_startswith_strv(p, arg_prefixes);
+}
+
+static Option *option_new(
+ const char *key,
+ const char *value,
+ bool ignore_failure) {
+
+ _cleanup_(option_freep) Option *o = NULL;
+
+ assert(key);
+
+ o = new(Option, 1);
+ if (!o)
+ return NULL;
+
+ *o = (Option) {
+ .key = strdup(key),
+ .value = value ? strdup(value) : NULL,
+ .ignore_failure = ignore_failure,
+ };
+
+ if (!o->key)
+ return NULL;
+ if (value && !o->value)
+ return NULL;
+
+ return TAKE_PTR(o);
+}
+
+static int sysctl_write_or_warn(const char *key, const char *value, bool ignore_failure, bool ignore_enoent) {
+ int r;
+
+ r = sysctl_write(key, value);
+ if (r < 0) {
+ /* Proceed without failing if ignore_failure is true.
+ * If the sysctl is not available in the kernel or we are running with reduced privileges and
+ * cannot write it, then log about the issue, and proceed without failing. Unless strict mode
+ * (arg_strict = true) is enabled, in which case we should fail. (EROFS is treated as a
+ * permission problem here, since that's how container managers usually protected their
+ * sysctls.)
+ * In all other cases log an error and make the tool fail. */
+ if (ignore_failure || (!arg_strict && (r == -EROFS || ERRNO_IS_PRIVILEGE(r))))
+ log_debug_errno(r, "Couldn't write '%s' to '%s', ignoring: %m", value, key);
+ else if (ignore_enoent && r == -ENOENT)
+ log_warning_errno(r, "Couldn't write '%s' to '%s', ignoring: %m", value, key);
+ else
+ return log_error_errno(r, "Couldn't write '%s' to '%s': %m", value, key);
+ }
+
+ return 0;
+}
+
+static int apply_glob_option_with_prefix(OrderedHashmap *sysctl_options, Option *option, const char *prefix) {
+ _cleanup_strv_free_ char **paths = NULL;
+ _cleanup_free_ char *pattern = NULL;
+ int r;
+
+ assert(sysctl_options);
+ assert(option);
+
+ if (prefix) {
+ _cleanup_free_ char *key = NULL;
+
+ r = path_glob_can_match(option->key, prefix, &key);
+ if (r < 0)
+ return log_error_errno(r, "Failed to check if the glob '%s' matches prefix '%s': %m",
+ option->key, prefix);
+ if (r == 0) {
+ log_debug("The glob '%s' does not match prefix '%s'.", option->key, prefix);
+ return 0;
+ }
+
+ log_debug("The glob '%s' is prefixed with '%s': '%s'", option->key, prefix, key);
+
+ if (!string_is_glob(key)) {
+ /* The prefixed pattern is not glob anymore. Let's skip to call glob(). */
+ if (ordered_hashmap_contains(sysctl_options, key)) {
+ log_debug("Not setting %s (explicit setting exists).", key);
+ return 0;
+ }
+
+ return sysctl_write_or_warn(key, option->value,
+ /* ignore_failure = */ option->ignore_failure,
+ /* ignore_enoent = */ true);
+ }
+
+ pattern = path_join("/proc/sys", key);
+ } else
+ pattern = path_join("/proc/sys", option->key);
+ if (!pattern)
+ return log_oom();
+
+ r = glob_extend(&paths, pattern, GLOB_NOCHECK);
+ if (r < 0) {
+ if (r == -ENOENT) {
+ log_debug("No match for glob: %s", option->key);
+ return 0;
+ }
+ if (option->ignore_failure || ERRNO_IS_PRIVILEGE(r)) {
+ log_debug_errno(r, "Failed to resolve glob '%s', ignoring: %m", option->key);
+ return 0;
+ } else
+ return log_error_errno(r, "Couldn't resolve glob '%s': %m", option->key);
+ }
+
+ STRV_FOREACH(s, paths) {
+ const char *key;
+
+ assert_se(key = path_startswith(*s, "/proc/sys"));
+
+ if (ordered_hashmap_contains(sysctl_options, key)) {
+ log_debug("Not setting %s (explicit setting exists).", key);
+ continue;
+ }
+
+ RET_GATHER(r,
+ sysctl_write_or_warn(key, option->value,
+ /* ignore_failure = */ option->ignore_failure,
+ /* ignore_enoent = */ !arg_strict));
+ }
+
+ return r;
+}
+
+static int apply_glob_option(OrderedHashmap *sysctl_options, Option *option) {
+ int r = 0;
+
+ if (strv_isempty(arg_prefixes))
+ return apply_glob_option_with_prefix(sysctl_options, option, NULL);
+
+ STRV_FOREACH(i, arg_prefixes)
+ RET_GATHER(r, apply_glob_option_with_prefix(sysctl_options, option, *i));
+ return r;
+}
+
+static int apply_all(OrderedHashmap *sysctl_options) {
+ Option *option;
+ int r = 0;
+
+ ORDERED_HASHMAP_FOREACH(option, sysctl_options) {
+ int k;
+
+ /* Ignore "negative match" options, they are there only to exclude stuff from globs. */
+ if (!option->value)
+ continue;
+
+ if (string_is_glob(option->key))
+ k = apply_glob_option(sysctl_options, option);
+ else
+ k = sysctl_write_or_warn(option->key, option->value,
+ /* ignore_failure = */ option->ignore_failure,
+ /* ignore_enoent = */ !arg_strict);
+ RET_GATHER(r, k);
+ }
+
+ return r;
+}
+
+static int parse_file(OrderedHashmap **sysctl_options, const char *path, bool ignore_enoent) {
+ _cleanup_fclose_ FILE *f = NULL;
+ _cleanup_free_ char *pp = NULL;
+ unsigned c = 0;
+ int r;
+
+ assert(path);
+
+ r = search_and_fopen(path, "re", NULL, (const char**) CONF_PATHS_STRV("sysctl.d"), &f, &pp);
+ if (r < 0) {
+ if (ignore_enoent && r == -ENOENT)
+ return 0;
+
+ return log_error_errno(r, "Failed to open file '%s', ignoring: %m", path);
+ }
+
+ log_debug("Parsing %s", pp);
+ for (;;) {
+ _cleanup_(option_freep) Option *new_option = NULL;
+ _cleanup_free_ char *l = NULL;
+ bool ignore_failure = false;
+ Option *existing;
+ char *value;
+ int k;
+
+ k = read_stripped_line(f, LONG_LINE_MAX, &l);
+ if (k == 0)
+ break;
+ if (k < 0)
+ return log_error_errno(k, "Failed to read file '%s', ignoring: %m", pp);
+
+ c++;
+
+ if (isempty(l))
+ continue;
+ if (strchr(COMMENTS, l[0]))
+ continue;
+
+ char *p = l;
+ value = strchr(p, '=');
+ if (value) {
+ if (p[0] == '-') {
+ ignore_failure = true;
+ p++;
+ }
+
+ *value = 0;
+ value++;
+ value = strstrip(value);
+
+ } else {
+ if (p[0] == '-')
+ /* We have a "negative match" option. Let's continue with value==NULL. */
+ p++;
+ else {
+ log_syntax(NULL, LOG_WARNING, pp, c, 0,
+ "Line is not an assignment, ignoring: %s", p);
+ if (r == 0)
+ r = -EINVAL;
+ continue;
+ }
+ }
+
+ p = strstrip(p);
+ p = sysctl_normalize(p);
+
+ /* We can't filter out globs at this point, we'll need to do that later. */
+ if (!string_is_glob(p) &&
+ !test_prefix(p))
+ continue;
+
+ existing = ordered_hashmap_get(*sysctl_options, p);
+ if (existing) {
+ if (streq_ptr(value, existing->value)) {
+ existing->ignore_failure = existing->ignore_failure || ignore_failure;
+ continue;
+ }
+
+ log_debug("Overwriting earlier assignment of %s at '%s:%u'.", p, pp, c);
+ option_free(ordered_hashmap_remove(*sysctl_options, p));
+ }
+
+ new_option = option_new(p, value, ignore_failure);
+ if (!new_option)
+ return log_oom();
+
+ k = ordered_hashmap_ensure_put(sysctl_options, &option_hash_ops, new_option->key, new_option);
+ if (k < 0)
+ return log_error_errno(k, "Failed to add sysctl variable %s to hashmap: %m", p);
+
+ TAKE_PTR(new_option);
+ }
+
+ return r;
+}
+
+static int read_credential_lines(OrderedHashmap **sysctl_options) {
+ _cleanup_free_ char *j = NULL;
+ const char *d;
+ int r;
+
+ r = get_credentials_dir(&d);
+ if (r == -ENXIO)
+ return 0;
+ if (r < 0)
+ return log_error_errno(r, "Failed to get credentials directory: %m");
+
+ j = path_join(d, "sysctl.extra");
+ if (!j)
+ return log_oom();
+
+ (void) parse_file(sysctl_options, j, /* ignore_enoent= */ true);
+ return 0;
+}
+
+static int cat_config(char **files) {
+ pager_open(arg_pager_flags);
+
+ return cat_files(NULL, files, arg_cat_flags);
+}
+
+static int help(void) {
+ _cleanup_free_ char *link = NULL;
+ int r;
+
+ r = terminal_urlify_man("systemd-sysctl.service", "8", &link);
+ if (r < 0)
+ return log_oom();
+
+ printf("%s [OPTIONS...] [CONFIGURATION FILE...]\n\n"
+ "Applies kernel sysctl settings.\n\n"
+ " -h --help Show this help\n"
+ " --version Show package version\n"
+ " --cat-config Show configuration files\n"
+ " --tldr Show non-comment parts of configuration\n"
+ " --prefix=PATH Only apply rules with the specified prefix\n"
+ " --no-pager Do not pipe output into a pager\n"
+ "\nSee the %s for details.\n",
+ program_invocation_short_name,
+ link);
+
+ return 0;
+}
+
+static int parse_argv(int argc, char *argv[]) {
+
+ enum {
+ ARG_VERSION = 0x100,
+ ARG_CAT_CONFIG,
+ ARG_TLDR,
+ ARG_PREFIX,
+ ARG_NO_PAGER,
+ ARG_STRICT,
+ };
+
+ static const struct option options[] = {
+ { "help", no_argument, NULL, 'h' },
+ { "version", no_argument, NULL, ARG_VERSION },
+ { "cat-config", no_argument, NULL, ARG_CAT_CONFIG },
+ { "tldr", no_argument, NULL, ARG_TLDR },
+ { "prefix", required_argument, NULL, ARG_PREFIX },
+ { "no-pager", no_argument, NULL, ARG_NO_PAGER },
+ { "strict", no_argument, NULL, ARG_STRICT },
+ {}
+ };
+
+ int c;
+
+ assert(argc >= 0);
+ assert(argv);
+
+ while ((c = getopt_long(argc, argv, "h", options, NULL)) >= 0)
+
+ switch (c) {
+
+ case 'h':
+ return help();
+
+ case ARG_VERSION:
+ return version();
+
+ case ARG_CAT_CONFIG:
+ arg_cat_flags = CAT_CONFIG_ON;
+ break;
+
+ case ARG_TLDR:
+ arg_cat_flags = CAT_TLDR;
+ break;
+
+ case ARG_PREFIX: {
+ const char *s;
+ char *p;
+
+ /* We used to require people to specify absolute paths
+ * in /proc/sys in the past. This is kinda useless, but
+ * we need to keep compatibility. We now support any
+ * sysctl name available. */
+ sysctl_normalize(optarg);
+
+ s = path_startswith(optarg, "/proc/sys");
+ p = strdup(s ?: optarg);
+ if (!p)
+ return log_oom();
+
+ if (strv_consume(&arg_prefixes, p) < 0)
+ return log_oom();
+
+ break;
+ }
+
+ case ARG_NO_PAGER:
+ arg_pager_flags |= PAGER_DISABLE;
+ break;
+
+ case ARG_STRICT:
+ arg_strict = true;
+ break;
+
+ case '?':
+ return -EINVAL;
+
+ default:
+ assert_not_reached();
+ }
+
+ if (arg_cat_flags != CAT_CONFIG_OFF && argc > optind)
+ return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
+ "Positional arguments are not allowed with --cat-config/--tldr.");
+
+ return 1;
+}
+
+static int run(int argc, char *argv[]) {
+ _cleanup_ordered_hashmap_free_ OrderedHashmap *sysctl_options = NULL;
+ int r;
+
+ r = parse_argv(argc, argv);
+ if (r <= 0)
+ return r;
+
+ log_setup();
+
+ umask(0022);
+
+ if (argc > optind) {
+ r = 0;
+
+ for (int i = optind; i < argc; i++)
+ RET_GATHER(r, parse_file(&sysctl_options, argv[i], false));
+
+ } else {
+ _cleanup_strv_free_ char **files = NULL;
+
+ r = conf_files_list_strv(&files, ".conf", NULL, 0, (const char**) CONF_PATHS_STRV("sysctl.d"));
+ if (r < 0)
+ return log_error_errno(r, "Failed to enumerate sysctl.d files: %m");
+
+ if (arg_cat_flags != CAT_CONFIG_OFF)
+ return cat_config(files);
+
+ STRV_FOREACH(f, files)
+ RET_GATHER(r, parse_file(&sysctl_options, *f, true));
+
+ RET_GATHER(r, read_credential_lines(&sysctl_options));
+ }
+
+ RET_GATHER(r, apply_all(sysctl_options));
+
+ return r;
+}
+
+DEFINE_MAIN_FUNCTION(run);