diff options
author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2021-01-19 08:41:15 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2021-01-19 08:41:15 +0100 |
commit | f1fb046a985521f7d4a662f02546686ff20b7e5d (patch) | |
tree | 2c61e56270f7067757ebf0c961f1bb0926024e94 | |
parent | Merge pull request #18303 from yuwata/verity-cleanup (diff) | |
parent | analyze: resolve executable path if it is relative (diff) | |
download | systemd-f1fb046a985521f7d4a662f02546686ff20b7e5d.tar.xz systemd-f1fb046a985521f7d4a662f02546686ff20b7e5d.zip |
Merge pull request #18300 from yuwata/analyze-verify-18252
analyze: resolve executable path if it is relative
-rw-r--r-- | src/analyze/analyze-verify.c | 7 | ||||
-rw-r--r-- | src/basic/path-util.c | 57 |
2 files changed, 33 insertions, 31 deletions
diff --git a/src/analyze/analyze-verify.c b/src/analyze/analyze-verify.c index a9c89173bf..bf28624d41 100644 --- a/src/analyze/analyze-verify.c +++ b/src/analyze/analyze-verify.c @@ -115,14 +115,17 @@ static int verify_socket(Unit *u) { } int verify_executable(Unit *u, const ExecCommand *exec) { + int r; + if (!exec) return 0; if (exec->flags & EXEC_COMMAND_IGNORE_FAILURE) return 0; - if (access(exec->path, X_OK) < 0) - return log_unit_error_errno(u, errno, "Command %s is not executable: %m", exec->path); + r = find_executable_full(exec->path, false, NULL, NULL); + if (r < 0) + return log_unit_error_errno(u, r, "Command %s is not executable: %m", exec->path); return 0; } diff --git a/src/basic/path-util.c b/src/basic/path-util.c index dae8b7341a..1644c15fb3 100644 --- a/src/basic/path-util.c +++ b/src/basic/path-util.c @@ -586,10 +586,11 @@ char* path_join_internal(const char *first, ...) { } static int check_x_access(const char *path, int *ret_fd) { - if (ret_fd) { - _cleanup_close_ int fd = -1; - int r; + _cleanup_close_ int fd = -1; + const char *with_dash; + int r; + if (ret_fd) { /* We need to use O_PATH because there may be executables for which we have only exec * permissions, but not read (usually suid executables). */ fd = open(path, O_PATH|O_CLOEXEC); @@ -599,14 +600,24 @@ static int check_x_access(const char *path, int *ret_fd) { r = access_fd(fd, X_OK); if (r < 0) return r; - - *ret_fd = TAKE_FD(fd); } else { /* Let's optimize things a bit by not opening the file if we don't need the fd. */ if (access(path, X_OK) < 0) return -errno; } + with_dash = strjoina(path, "/"); + + /* If this passes, it must be a directory. */ + if (access(with_dash, X_OK) >= 0) + return -EISDIR; + + if (errno != ENOTDIR) + return -errno; + + if (ret_fd) + *ret_fd = TAKE_FD(fd); + return 0; } @@ -663,32 +674,20 @@ int find_executable_full(const char *name, bool use_path_envvar, char **ret_file return -ENOMEM; r = check_x_access(j, ret_fd ? &fd : NULL); - if (r >= 0) { - _cleanup_free_ char *with_dash; - - with_dash = strjoin(j, "/"); - if (!with_dash) - return -ENOMEM; - - /* If this passes, it must be a directory, and so should be skipped. */ - if (access(with_dash, X_OK) >= 0) - continue; - - /* We can't just `continue` inverting this case, since we need to update last_error. */ - if (errno == ENOTDIR) { - /* Found it! */ - if (ret_filename) - *ret_filename = path_simplify(TAKE_PTR(j), false); - if (ret_fd) - *ret_fd = TAKE_FD(fd); - - return 0; - } + if (r < 0) { + /* PATH entries which we don't have access to are ignored, as per tradition. */ + if (r != -EACCES) + last_error = r; + continue; } - /* PATH entries which we don't have access to are ignored, as per tradition. */ - if (errno != EACCES) - last_error = -errno; + /* Found it! */ + if (ret_filename) + *ret_filename = path_simplify(TAKE_PTR(j), false); + if (ret_fd) + *ret_fd = TAKE_FD(fd); + + return 0; } return last_error; |