From c29761cd1628960ee2b11a469763479ac5ef1dfa Mon Sep 17 00:00:00 2001
From: José Bollo
Date: Thu, 12 Dec 2019 18:10:48 +0100
Subject: Improve integration of cynagora
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Allow to be more flexible when starting with or without systemd. At end this change will allows to start within systemd with socket activation or not and by sending notification without need of option.

Make setting of the sockets more accurate. The admin and agent socket are now accessible only to clients of the expected group, cynagora by default.

Bug-AGL: SPEC-3230
Bug-AGL: SPEC-2968
Change-Id: I3e5c7c00dfa0494628c18ffc016cfc8599a5bf9b
Signed-off-by: José Bollo
---
 CMakeLists.txt | 3 +++
 src/CMakeLists.txt | 2 +-
 src/cyn-server.c | 8 ++++++
 src/main-cynagorad.c | 57 ++++++++++++++++++----------------------
 src/meson.build | 2 +-
 src/socket.c | 4 +--
 systemd/CMakeLists.txt | 3 ++-
 systemd/cynagora-admin.socket.in | 4 ++-
 systemd/cynagora-agent.socket.in | 4 ++-
 systemd/cynagora-check.socket.in | 2 ++
 systemd/cynagora.service | 26 ------------------
 systemd/cynagora.service.in | 22 ++++++++++++++++
 12 files changed, 72 insertions(+), 65 deletions(-)
 delete mode 100644 systemd/cynagora.service
 create mode 100644 systemd/cynagora.service.in

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 26942d6..3a508bb 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -44,6 +44,9 @@ set(CYNAGORA_SOVERSION ${PROJECT_VERSION_MAJOR})
 option(WITH_SYSTEMD "should include systemd compatibility" ON)
 option(WITH_CYNARA_COMPAT "produce artifacts for compatibility with cynara" OFF)
 
+set(USER cynagora CACHE STRING "user of the daemon")
+set(GROUP cynagora CACHE STRING "group of the daemon")
+
 set(DEFAULT_DB_DIR "${CMAKE_INSTALL_FULL_LOCALSTATEDIR}/lib/cynagora"
 CACHE PATH "directory path of the database")
 set(DEFAULT_SOCKET_DIR "${CMAKE_INSTALL_FULL_RUNSTATEDIR}/cynagora"
diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt
index f9034de..6de796d 100644
--- a/src/CMakeLists.txt
+++ b/src/CMakeLists.txt
@@ -96,7 +96,7 @@ target_compile_definitions(cynagorad PRIVATE
 DEFAULT_INIT_FILE="${DEFAULT_INIT_FILE}"
 )
 if(WITH_SYSTEMD)
- target_compile_definitions(cynagorad PRIVATE WITH_SYSTEMD_ACTIVATION)
+ target_compile_definitions(cynagorad PRIVATE WITH_SYSTEMD)
 target_link_libraries(cynagorad ${libsystemd_LDFLAGS} ${libsystemd_LINK_LIBRARIES})
 target_include_directories(cynagorad PRIVATE ${libsystemd_INCLUDE_DIRS})
 target_compile_options(cynagorad PRIVATE ${libsystemd_CFLAGS})
diff --git a/src/cyn-server.c b/src/cyn-server.c
index abf37d7..fbef41b 100644
--- a/src/cyn-server.c
+++ b/src/cyn-server.c
@@ -35,6 +35,7 @@
 #include
 #include
 #include
+#include
 
 #include "data.h"
 #include "prot.h"
@@ -1008,6 +1009,7 @@ cyn_server_create(
 const char *check_socket_spec,
 const char *agent_socket_spec
 ) {
+ mode_t um;
 cyn_server_t *srv;
 int rc;
 
@@ -1030,7 +1032,9 @@ cyn_server_create(
 
 /* create the admin server socket */
 admin_socket_spec = cyn_get_socket_admin(admin_socket_spec);
+ um = umask(017);
 srv->admin.fd = socket_open(admin_socket_spec, 1);
+ umask(um);
 if (srv->admin.fd < 0) {
 rc = -errno;
 fprintf(stderr, "can't create admin server socket %s: %m\n", admin_socket_spec);
@@ -1049,7 +1053,9 @@ cyn_server_create(
 
 /* create the check server socket */
 check_socket_spec = cyn_get_socket_check(check_socket_spec);
+ um = umask(011);
 srv->check.fd = socket_open(check_socket_spec, 1);
+ umask(um);
 if (srv->check.fd < 0) {
 rc = -errno;
 fprintf(stderr, "can't create check server socket %s: %m\n", check_socket_spec);
@@ -1068,7 +1074,9 @@ cyn_server_create(
 
 /* create the agent server socket */
 agent_socket_spec = cyn_get_socket_agent(agent_socket_spec);
+ um = umask(017);
 srv->agent.fd = socket_open(agent_socket_spec, 1);
+ umask(um);
 if (srv->agent.fd < 0) {
 rc = -errno;
 fprintf(stderr, "can't create agent server socket %s: %m\n", agent_socket_spec);
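Review bot: The umask(017)/umask(011) windows around socket_open() fix the mode of the socket node at bind() time (0760 for admin and agent, 0766 for check, assuming socket_open() leaves the kernel default of 0777 & ~umask in place) but say nothing about its group, so the group-only access the commit message promises for admin and agent only holds if cyn_server_create() runs after the daemon has already switched to the --group gid; if the sockets are created while still running as the starting user, the node belongs to that user's primary group and the intended clients get nothing. umask is also process-wide, so any other file the process creates during the window gets the temporary mask; the window is short and the mask is restored before the error check, which is right. A comment at the admin site would record the intent for the next reader: `/* bind() creates the node with 0777 & ~umask: 017 -> 0760 (owner + group only), 011 -> 0766 (any client may connect) */`. The same pattern is repeated at the check and agent sockets, and cyn_server_create() starts before and continues past these hunks.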
diff --git a/src/main-cynagorad.c b/src/main-cynagorad.c
index 0af145c..836e7c8 100644
--- a/src/main-cynagorad.c
+++ b/src/main-cynagorad.c
@@ -38,7 +38,7 @@
 #include
 #include
 
-#if defined(WITH_SYSTEMD_ACTIVATION)
+#if defined(WITH_SYSTEMD)
 #include
 #endif
 
@@ -82,11 +82,7 @@
 
 static
 const char
-shortopts[] = "d:g:hi:lmMOoS:u:v"
-#if defined(WITH_SYSTEMD_ACTIVATION)
- "s"
-#endif
-;
+shortopts[] = "d:g:hi:lmMOoS:u:v";
 
 static
 const struct option
@@ -101,9 +97,6 @@ longopts[] = {
 { "own-db-dir", 0, NULL, _OWNDBDIR_ },
 { "own-socket-dir", 0, NULL, _OWNSOCKDIR_ },
 { "socketdir", 1, NULL, _SOCKETDIR_ },
-#if defined(WITH_SYSTEMD_ACTIVATION)
- { "systemd", 0, NULL, _SYSTEMD_ },
-#endif
 { "user", 1, NULL, _USER_ },
 { "version", 0, NULL, _VERSION_ },
 { NULL, 0, NULL, 0 }
@@ -116,9 +109,6 @@ helptxt[] =
 "usage: cynagorad [options]...\n"
 "\n"
 "otpions:\n"
-#if defined(WITH_SYSTEMD_ACTIVATION)
- " -s, --systemd socket activation by systemd\n"
-#endif
 " -u, --user xxx set the user\n"
 " -g, --group xxx set the group\n"
 " -i, --init xxx initialize if needed the database with file xxx\n"
@@ -161,7 +151,6 @@ int main(int ac, char **av)
 int help = 0;
 int version = 0;
 int error = 0;
- int systemd = 0;
 int uid = -1;
 int gid = -1;
 const char *init = NULL;
@@ -215,11 +204,6 @@ int main(int ac, char **av)
 case _SOCKETDIR_:
 socketdir = optarg;
 break;
-#if defined(WITH_SYSTEMD_ACTIVATION)
- case _SYSTEMD_:
- systemd = 1;
- break;
-#endif
 case _USER_:
 user = optarg;
 break;
@@ -243,11 +227,6 @@ int main(int ac, char **av)
 }
 if (error)
 return 1;
- if (systemd && (socketdir || makesockdir)) {
- fprintf(stderr, "can't set options --systemd and --%s together\n", socketdir ? "socketdir" : "make-socket-dir");
- return 1;
- }
 
 /* set the defaults */
 dbdir = dbdir ?: DEFAULT_DB_DIR;
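Review bot: With the `-s, --systemd` line removed from helptxt, nothing in the usage text tells an operator that socket activation is now detected automatically or that `--socketdir` only matters for sockets systemd did not hand over; the line dropped from the options text could be replaced by a note such as `"    (socket activation by systemd is detected automatically)\n"`. The exclusivity check removed at the end of the option parsing also means `--make-socket-dir`/`--own-socket-dir` presumably still create and chown the socket directory even when all three sockets are activated (that code lies outside this hunk, so this is inferred); whether that is wanted deserves a sentence in the commit message or a comment. main() continues past this hunk.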
@@ -261,15 +240,30 @@ int main(int ac, char **av)
 
 /* compute socket specs */
 spec_socket_admin = spec_socket_check = spec_socket_agent = 0;
- if (systemd) {
- spec_socket_admin = strdup("sd:admin");
- spec_socket_check = strdup("sd:check");
- spec_socket_agent = strdup("sd:agent");
- } else {
+#if defined(WITH_SYSTEMD)
+ {
+ char **names = 0;
+ rc = sd_listen_fds_with_names(0, &names);
+ if (rc >= 0 && names) {
+ for (rc = 0 ; names[rc] ; rc++) {
+ if (!strcmp(names[rc], "admin"))
+ spec_socket_admin = strdup("sd:admin");
+ else if (!strcmp(names[rc], "check"))
+ spec_socket_check = strdup("sd:check");
+ else if (!strcmp(names[rc], "agent"))
+ spec_socket_agent = strdup("sd:agent");
+ free(names[rc]);
+ }
+ free(names);
+ }
+ }
+#endif
+ if (!spec_socket_admin)
 rc = asprintf(&spec_socket_admin, "%s:%s/%s", cyn_default_socket_scheme, socketdir, cyn_default_admin_socket_base);
+ if (!spec_socket_check)
 rc = asprintf(&spec_socket_check, "%s:%s/%s", cyn_default_socket_scheme, socketdir, cyn_default_check_socket_base);
+ if (!spec_socket_agent)
 rc = asprintf(&spec_socket_agent, "%s:%s/%s", cyn_default_socket_scheme, socketdir, cyn_default_agent_socket_base);
- }
 if (!spec_socket_admin || !spec_socket_check || !spec_socket_agent) {
 fprintf(stderr, "can't make socket paths\n");
 return 1;
@@ -361,9 +355,8 @@ int main(int ac, char **av)
 }
 
 /* ready ! */
-#if defined(WITH_SYSTEMD_ACTIVATION)
- if (systemd)
- sd_notify(0, "READY=1");
+#if defined(WITH_SYSTEMD)
+ sd_notify(0, "READY=1");
 #endif
 
 /* serve */
diff --git a/src/meson.build b/src/meson.build
index bb0f4d7..c9778e8 100644
--- a/src/meson.build
+++ b/src/meson.build
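Review bot: A negative return from sd_listen_fds_with_names() is silently treated as "not socket activated": the condition `rc >= 0 && names` skips the block and rc is then overwritten by the asprintf() calls, so a LISTEN_PID mismatch or an allocation failure makes the daemon quietly create filesystem sockets under socketdir while systemd still holds the activated ones. Log it before falling back, e.g. `if (rc < 0) fprintf(stderr, "sd_listen_fds_with_names failed: %s\n", strerror(-rc));`. In the same loop a descriptor whose name is none of admin/check/agent stays open and unused in the process; a warning naming it would make a misconfigured unit visible instead of silent. Reusing rc as the loop index and as the asprintf() result also deserves a short comment, since the asprintf() results are never examined and only the pointers are checked afterwards. main() starts before and continues past this hunk.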
@@ -79,7 +79,7 @@ executable('cynagorad', srvsrcs,
 '-DDEFAULT_DB_DIR="' + dbdir + '"',
 '-DDEFAULT_SOCKET_DIR="' + socketdir + '"',
 '-DDEFAULT_INIT_FILE="' + init_file + '"',
- get_option('with-cynara-compat') ? '-DWITH_SYSTEMD_ACTIVATION' : '-DWITHOUT_SYSTEMD_ACTIVATION'
+ get_option('with-systemd') ? '-DWITH_SYSTEMD' : '-DWITHOUT_SYSTEMD'
 ],
 dependencies: [ sysd, cap ],
 link_with: corelib,
diff --git a/src/socket.c b/src/socket.c
index fde9648..6f8a060 100644
--- a/src/socket.c
+++ b/src/socket.c
@@ -32,7 +32,7 @@
 #include
 #include
 
-#if defined(WITH_SYSTEMD_ACTIVATION)
+#if defined(WITH_SYSTEMD)
 #include
 #endif
 
@@ -212,7 +212,7 @@ static int open_tcp(const char *spec, int server)
 */
 static int open_systemd(const char *spec)
 {
-#if defined(WITH_SYSTEMD_ACTIVATION)
+#if defined(WITH_SYSTEMD)
 char **names;
 int fd = -1;
 int c = sd_listen_fds_with_names(0, &names);
diff --git a/systemd/CMakeLists.txt b/systemd/CMakeLists.txt
index c68f7f5..bb9d059 100644
--- a/systemd/CMakeLists.txt
+++ b/systemd/CMakeLists.txt
@@ -19,12 +19,13 @@ set(SYSTEMD_UNIT_DIR "${CMAKE_INSTALL_FULL_LIBDIR}/systemd/system" CACHE PATH "Path to systemd system unit files")
 
+CONFIGURE_FILE(cynagora.service.in cynagora.service @ONLY)
 CONFIGURE_FILE(cynagora-admin.socket.in cynagora-admin.socket @ONLY)
 CONFIGURE_FILE(cynagora-check.socket.in cynagora-check.socket @ONLY)
 CONFIGURE_FILE(cynagora-agent.socket.in cynagora-agent.socket @ONLY)
 
 INSTALL(FILES
- ${CMAKE_CURRENT_SOURCE_DIR}/cynagora.service
+ ${CMAKE_CURRENT_BINARY_DIR}/cynagora.service
 ${CMAKE_CURRENT_SOURCE_DIR}/cynagora.target
 ${CMAKE_CURRENT_BINARY_DIR}/cynagora-admin.socket
 ${CMAKE_CURRENT_BINARY_DIR}/cynagora-check.socket
diff --git a/systemd/cynagora-admin.socket.in b/systemd/cynagora-admin.socket.in
index 622c023..b2f5874 100644
--- a/systemd/cynagora-admin.socket.in
+++ b/systemd/cynagora-admin.socket.in
@@ -1,7 +1,9 @@
 [Socket]
 FileDescriptorName=admin
 ListenStream=@DEFAULT_SOCKET_DIR@/cynagora.admin
-SocketMode=0600
+SocketUser=@USER@
+SocketGroup=@GROUP@
+SocketMode=0660
 SmackLabelIPIn=@
 SmackLabelIPOut=@
 
diff --git a/systemd/cynagora-agent.socket.in b/systemd/cynagora-agent.socket.in
index a5e66b8..3671113 100644
--- a/systemd/cynagora-agent.socket.in
+++ b/systemd/cynagora-agent.socket.in
@@ -1,7 +1,9 @@
 [Socket]
 FileDescriptorName=agent
 ListenStream=@DEFAULT_SOCKET_DIR@/cynagora.agent
-SocketMode=0600
+SocketUser=@USER@
+SocketGroup=@GROUP@
+SocketMode=0660
 SmackLabelIPIn=@
 SmackLabelIPOut=@
 
diff --git a/systemd/cynagora-check.socket.in b/systemd/cynagora-check.socket.in
index fcd6ed1..0eeae57 100644
--- a/systemd/cynagora-check.socket.in
+++ b/systemd/cynagora-check.socket.in
@@ -1,6 +1,8 @@
 [Socket]
 FileDescriptorName=check
 ListenStream=@DEFAULT_SOCKET_DIR@/cynagora.check
+SocketUser=@USER@
+SocketGroup=@GROUP@
 SocketMode=0666
 SmackLabelIPIn=*
 SmackLabelIPOut=@
diff --git a/systemd/cynagora.service b/systemd/cynagora.service
deleted file mode 100644
index 97a0f36..0000000
--- a/systemd/cynagora.service
+++ /dev/null
@@ -1,26 +0,0 @@
-[Unit]
-Description=Cynagora service
-Requires=afm-system-setup.service
-After=afm-system-setup.service
-
-[Service]
-ExecStart=/usr/bin/cynagorad --systemd --user cynagora --group cynagora --make-db-dir --own-db-dir
-
-Type=notify
-
-KillMode=process
-TimeoutStopSec=3
-Restart=always
-
-Sockets=cynagora-admin.socket
-Sockets=cynagora-check.socket
-Sockets=cynagora-agent.socket
-SmackProcessLabel=System
-
-#UMask=0000
-#User=cynagora
-#Group=cynagora
-#NoNewPrivileges=true
-
-[Install]
-WantedBy=multi-user.target
diff --git a/systemd/cynagora.service.in b/systemd/cynagora.service.in
new file mode 100644
index 0000000..9035d00
--- /dev/null
+++ b/systemd/cynagora.service.in
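Review bot: SocketUser=@USER@ and SocketGroup=@GROUP@ make systemd chown the socket node when the socket unit starts, so that account must already exist at that moment; the service unit orders itself after afm-system-setup.service, but these socket templates have no [Unit] section and socket units are started on their own, so if that setup service is what provisions the @USER@ account (not visible here) the sockets can fail to start on first boot. Adding `[Unit]` with `After=afm-system-setup.service` to the admin, agent and check templates would pin that ordering. With SocketMode=0660, connect() needs write permission, so every member of @GROUP@ gains full admin and agent access; the group membership is therefore the administrative boundary and a one-line comment in the unit saying so would help whoever tunes @GROUP@. The same applies to the agent and check hunks below.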
@@ -0,0 +1,22 @@
+[Unit]
+Description=Cynagora service
+Requires=afm-system-setup.service
+After=afm-system-setup.service
+
+[Service]
+ExecStart=/usr/bin/cynagorad --user @USER@ --group @GROUP@ --make-db-dir --own-db-dir
+
+Type=notify
+
+KillMode=process
+TimeoutStopSec=3
+Restart=always
+
+Sockets=cynagora-admin.socket
+Sockets=cynagora-check.socket
+Sockets=cynagora-agent.socket
+
+#NoNewPrivileges=true
+
+[Install]
+WantedBy=multi-user.target
-- 
cgit 1.2.3-korg
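Review bot: The deleted unit carried `SmackProcessLabel=System` and the new template does not, so on a Smack-enforcing system the daemon now runs under whatever label systemd assigns by default rather than System; neither the commit message nor the template explains the drop, so either the line should come back or a comment in [Service] should say why it is no longer needed. `#NoNewPrivileges=true` stays commented without a reason while ExecStart starts as root and relies on `--user @USER@ --group @GROUP@` for the privilege drop; a one-line comment such as `# NoNewPrivileges left off: cynagorad changes uid/gid itself (--user/--group)` would stop the next reader from re-enabling it blindly, assuming that is indeed the reason. The commented `#UMask=`, `#User=` and `#Group=` lines from the old unit are gone, which is harmless since they were inert.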