author | networkException <git@nwex.de> | 2024-01-04 18:45:25 +0100 |
committer | Yu Watanabe <watanabe.yu+github@gmail.com> | 2024-01-06 00:27:14 +0100 |
commit | dcfac3a3f9d9a32bdb5679cd6dab4bb86a6cd6fe (patch) | |
tree | 81c7237d7e0419219ee16308a9f48a8dd395255e /src/test/test-parse-helpers.c | |
parent | Merge pull request #30791 from poettering/nspawn-restrict-run-host (diff) | |
download | systemd-dcfac3a3f9d9a32bdb5679cd6dab4bb86a6cd6fe.tar.xz systemd-dcfac3a3f9d9a32bdb5679cd6dab4bb86a6cd6fe.zip |
parse-helpers: allow port 0 for socket bind items
This patch adds a new parameter to parse_ip_port_range, giving callers
the option to allow ranges to have their min be 0 instead of 1.
This is then used by parse_ip_ports_token, in turn used by
parse_socket_bind_item to allow port 0 when restricting bind system
calls with SocketBindDeny / SocketBindAllow.
With this, users running server software written using the golang
standard library will be able to effectively sandbox their software,
albeit with a small loss in security protections by allowing the
process to bind on a random port in the
/proc/sys/net/ipv4/ip_local_port_range.
Diffstat (limited to '')
-rw-r--r-- | src/test/test-parse-helpers.c | 5 |
1 files changed, 3 insertions, 2 deletions
diff --git a/src/test/test-parse-helpers.c b/src/test/test-parse-helpers.c
index 052e2514f4..4943871379 100644
--- a/src/test/test-parse-helpers.c
+++ b/src/test/test-parse-helpers.c
@@ -37,6 +37,7 @@ static void test_invalid_item(const char *str) {
 
 TEST(valid_items) {
 test_valid_item("any", AF_UNSPEC, 0, 0, 0);
+ test_valid_item("0-65535", AF_UNSPEC, 0, 0, 0);
 test_valid_item("ipv4", AF_INET, 0, 0, 0);
 test_valid_item("ipv6", AF_INET6, 0, 0, 0);
 test_valid_item("ipv4:any", AF_INET, 0, 0, 0);
@@ -45,6 +46,7 @@ TEST(valid_items) {
 test_valid_item("udp", AF_UNSPEC, IPPROTO_UDP, 0, 0);
 test_valid_item("tcp:any", AF_UNSPEC, IPPROTO_TCP, 0, 0);
 test_valid_item("udp:any", AF_UNSPEC, IPPROTO_UDP, 0, 0);
+ test_valid_item("0", AF_UNSPEC, 0, 1, 0);
 test_valid_item("6666", AF_UNSPEC, 0, 1, 6666);
 test_valid_item("6666-6667", AF_UNSPEC, 0, 2, 6666);
 test_valid_item("65535", AF_UNSPEC, 0, 1, 65535);
@@ -61,6 +63,7 @@ TEST(valid_items) {
 test_valid_item("ipv6:tcp:6666", AF_INET6, IPPROTO_TCP, 1, 6666);
 test_valid_item("ipv6:udp:6666-6667", AF_INET6, IPPROTO_UDP, 2, 6666);
 test_valid_item("ipv6:tcp:any", AF_INET6, IPPROTO_TCP, 0, 0);
+ test_valid_item("ipv6:tcp:0", AF_INET6, IPPROTO_TCP, 1, 0);
 }
 
 TEST(invalid_items) {
@@ -77,9 +80,7 @@ TEST(invalid_items) {
 test_invalid_item("ipv6::");
 test_invalid_item("ipv6:ipv6");
 test_invalid_item("ipv6:icmp");
- test_invalid_item("ipv6:tcp:0");
 test_invalid_item("65536");
- test_invalid_item("0-65535");
 test_invalid_item("ipv6:tcp:6666-6665");
 test_invalid_item("ipv6:tcp:6666-100000");
 test_invalid_item("ipv6::6666");
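Review bot: The new port-0 cases carry no comment saying why 0 is now a valid port, so a later reader of TEST(valid_items) may take `test_valid_item("0", AF_UNSPEC, 0, 1, 0);` for a typo and "fix" it back; the rationale lives only in the commit message. I would put `/* port 0 is deliberately accepted: a SocketBind{Allow,Deny} item can then cover binds to an ephemeral port */` above that line in the second hunk (the "0-65535" and "ipv6:tcp:0" cases in the first and third hunks are covered by the same comment). With "ipv6:tcp:0" and "0-65535" dropped from TEST(invalid_items), no remaining negative case exercises the lower end of a port range; a reversed range that starts at the new minimum, `test_invalid_item("ipv6:tcp:1-0");`, would pin that relaxing the minimum did not loosen the min <= max check. Both TEST() bodies begin and end outside the hunks.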