summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2021-01-19 08:41:15 +0100
committerGitHub <noreply@github.com>2021-01-19 08:41:15 +0100
commitf1fb046a985521f7d4a662f02546686ff20b7e5d (patch)
tree2c61e56270f7067757ebf0c961f1bb0926024e94
parentMerge pull request #18303 from yuwata/verity-cleanup (diff)
parentanalyze: resolve executable path if it is relative (diff)
downloadsystemd-f1fb046a985521f7d4a662f02546686ff20b7e5d.tar.xz
systemd-f1fb046a985521f7d4a662f02546686ff20b7e5d.zip
Merge pull request #18300 from yuwata/analyze-verify-18252
analyze: resolve executable path if it is relative
-rw-r--r--src/analyze/analyze-verify.c7
-rw-r--r--src/basic/path-util.c57
2 files changed, 33 insertions, 31 deletions
diff --git a/src/analyze/analyze-verify.c b/src/analyze/analyze-verify.c
index a9c89173bf..bf28624d41 100644
--- a/src/analyze/analyze-verify.c
+++ b/src/analyze/analyze-verify.c
@@ -115,14 +115,17 @@ static int verify_socket(Unit *u) {
}
int verify_executable(Unit *u, const ExecCommand *exec) {
+ int r;
+
if (!exec)
return 0;
if (exec->flags & EXEC_COMMAND_IGNORE_FAILURE)
return 0;
- if (access(exec->path, X_OK) < 0)
- return log_unit_error_errno(u, errno, "Command %s is not executable: %m", exec->path);
+ r = find_executable_full(exec->path, false, NULL, NULL);
+ if (r < 0)
+ return log_unit_error_errno(u, r, "Command %s is not executable: %m", exec->path);
return 0;
}
diff --git a/src/basic/path-util.c b/src/basic/path-util.c
index dae8b7341a..1644c15fb3 100644
--- a/src/basic/path-util.c
+++ b/src/basic/path-util.c
@@ -586,10 +586,11 @@ char* path_join_internal(const char *first, ...) {
}
static int check_x_access(const char *path, int *ret_fd) {
- if (ret_fd) {
- _cleanup_close_ int fd = -1;
- int r;
+ _cleanup_close_ int fd = -1;
+ const char *with_dash;
+ int r;
+ if (ret_fd) {
/* We need to use O_PATH because there may be executables for which we have only exec
* permissions, but not read (usually suid executables). */
fd = open(path, O_PATH|O_CLOEXEC);
@@ -599,14 +600,24 @@ static int check_x_access(const char *path, int *ret_fd) {
r = access_fd(fd, X_OK);
if (r < 0)
return r;
-
- *ret_fd = TAKE_FD(fd);
} else {
/* Let's optimize things a bit by not opening the file if we don't need the fd. */
if (access(path, X_OK) < 0)
return -errno;
}
+ with_dash = strjoina(path, "/");
+
+ /* If this passes, it must be a directory. */
+ if (access(with_dash, X_OK) >= 0)
+ return -EISDIR;
+
+ if (errno != ENOTDIR)
+ return -errno;
+
+ if (ret_fd)
+ *ret_fd = TAKE_FD(fd);
+
return 0;
}
@@ -663,32 +674,20 @@ int find_executable_full(const char *name, bool use_path_envvar, char **ret_file
return -ENOMEM;
r = check_x_access(j, ret_fd ? &fd : NULL);
- if (r >= 0) {
- _cleanup_free_ char *with_dash;
-
- with_dash = strjoin(j, "/");
- if (!with_dash)
- return -ENOMEM;
-
- /* If this passes, it must be a directory, and so should be skipped. */
- if (access(with_dash, X_OK) >= 0)
- continue;
-
- /* We can't just `continue` inverting this case, since we need to update last_error. */
- if (errno == ENOTDIR) {
- /* Found it! */
- if (ret_filename)
- *ret_filename = path_simplify(TAKE_PTR(j), false);
- if (ret_fd)
- *ret_fd = TAKE_FD(fd);
-
- return 0;
- }
+ if (r < 0) {
+ /* PATH entries which we don't have access to are ignored, as per tradition. */
+ if (r != -EACCES)
+ last_error = r;
+ continue;
}
- /* PATH entries which we don't have access to are ignored, as per tradition. */
- if (errno != EACCES)
- last_error = -errno;
+ /* Found it! */
+ if (ret_filename)
+ *ret_filename = path_simplify(TAKE_PTR(j), false);
+ if (ret_fd)
+ *ret_fd = TAKE_FD(fd);
+
+ return 0;
}
return last_error;