diff options
| author | Franck Bui <fbui@suse.com> | 2018-09-14 09:24:08 +0200 |
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2018-09-14 13:00:38 +0200 |
| commit | 10ce2e0681ac16e7bb3619b7bb1a72a6f98a2f2c (patch) | |
| tree | e0529075bed75d0a03106d47e8de93d1a8a95b85 | |
| parent | Merge pull request #9920 from yuwata/udev-cleanup-4 (diff) | |
| download | systemd-10ce2e0681ac16e7bb3619b7bb1a72a6f98a2f2c.tar.xz systemd-10ce2e0681ac16e7bb3619b7bb1a72a6f98a2f2c.zip | |
socket-util: attempt SO_RCVBUFFORCE/SO_SNDBUFFORCE only if SO_RCVBUF/SO_SNDBUF fails
Both SO_SNDBUFFORCE and SO_RCVBUFFORCE requires capability 'net_admin'.
If this capability is not granted to the service the first attempt to increase
the recv/snd buffers (via sd_notify()) with SO_RCVBUFFORCE/SO_SNDBUFFORCE will
fail, even if the requested size is lower than the limit enforced by the
kernel.
If apparmor is used, the DENIED logs for net_admin will show up. These log
entries are seen as red warning light, because they could indicate that a
program has been hacked and tries to compromise the system.
It would be nicer if they can be avoided without giving services (relying on
sd_notify) net_admin capability or dropping DENIED logs for all such services
via their apparmor profile.
I'm not sure if sd_notify really needs to forcibly increase the buffer sizes,
but at least if the requested size is below the kernel limit, the capability
(hence the log entries) should be avoided.
Hence let's first ask politely for increasing the buffers and only if it fails
then ignore the kernel limit if we have sufficient privileges.
| -rw-r--r-- | src/basic/socket-util.c | 8 |
1 files changed, 4 insertions, 4 deletions
diff --git a/src/basic/socket-util.c b/src/basic/socket-util.c index 986bc6e67f..4e8b2baf82 100644 --- a/src/basic/socket-util.c +++ b/src/basic/socket-util.c @@ -835,8 +835,8 @@ int fd_inc_sndbuf(int fd, size_t n) { /* If we have the privileges we will ignore the kernel limit. */ value = (int) n; - if (setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, &value, sizeof(value)) < 0) - if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &value, sizeof(value)) < 0) + if (setsockopt(fd, SOL_SOCKET, SO_SNDBUF, &value, sizeof(value)) < 0) + if (setsockopt(fd, SOL_SOCKET, SO_SNDBUFFORCE, &value, sizeof(value)) < 0) return -errno; return 1; @@ -853,8 +853,8 @@ int fd_inc_rcvbuf(int fd, size_t n) { /* If we have the privileges we will ignore the kernel limit. */ value = (int) n; - if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &value, sizeof(value)) < 0) - if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, sizeof(value)) < 0) + if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, sizeof(value)) < 0) + if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &value, sizeof(value)) < 0) return -errno; return 1; } |