From 6045e95e3633af28e9b76bff260abe10741b33c8 Mon Sep 17 00:00:00 2001
From: Laurent Bercot <ska-skaware@skarnet.org>
Date: Mon, 21 Sep 2015 16:01:47 +0000
Subject:  Change s6rc-oneshot-runner to use s6-rc-oneshot-run, as well as
 s6-rc's s6-sudo invocation.  It's less efficient (s6-rc-oneshot-run loads and
 parses the database every time) but it's more secure, because only programs
 in the database can be executed with s6-sudod privileges.

---
 src/s6-rc/s6-rc-compile.c |  5 ++++-
 src/s6-rc/s6-rc.c         | 15 ++++++++-------
 2 files changed, 12 insertions(+), 8 deletions(-)

(limited to 'src')

diff --git a/src/s6-rc/s6-rc-compile.c b/src/s6-rc/s6-rc-compile.c
index f76bd57..b1b4808 100644
--- a/src/s6-rc/s6-rc-compile.c
+++ b/src/s6-rc/s6-rc-compile.c
@@ -41,7 +41,10 @@ EXECLINE_EXTBINPREFIX "fdmove 1 3\n" \
 S6_EXTBINPREFIX "s6-ipcserver-socketbinder -- s\n" \
 S6_EXTBINPREFIX "s6-ipcserverd -1 --\n" \
 S6_EXTBINPREFIX "s6-ipcserver-access -v0 -E -l0 -i data/rules --\n" \
-S6_EXTBINPREFIX "s6-sudod -t 2000 --\n"
+EXECLINE_EXTBINPREFIX "getcwd WD\n" \
+EXECLINE_EXTBINPREFIX "import -u WD\n" \
+S6_EXTBINPREFIX "s6-sudod -t 2000 --\n" \
+S6RC_LIBEXECPREFIX "s6-rc-oneshot-run -l ${WD}/../.. --\n"
 
 static unsigned int verbosity = 1 ;
 static stralloc keep = STRALLOC_ZERO ;
diff --git a/src/s6-rc/s6-rc.c b/src/s6-rc/s6-rc.c
index ca504e2..0229466 100644
--- a/src/s6-rc/s6-rc.c
+++ b/src/s6-rc/s6-rc.c
@@ -86,17 +86,17 @@ static unsigned int compute_timeout (unsigned int i, int h)
 
 static pid_t start_oneshot (unsigned int i, int h)
 {
-  unsigned int argc = db->services[i].x.oneshot.argc[h] ;
-  char const *const *argv = db->argvs + db->services[i].x.oneshot.argv[h] ;
   unsigned int m = 0 ;
-  char const *newargv[9 + argc + !!dryrun[0] * 6] ;
-  char fmt[UINT32_FMT] ;
+  char const *newargv[11 + !!dryrun[0] * 6] ;
+  char tfmt[UINT32_FMT] ;
   char vfmt[UINT_FMT] ;
+  char ifmt[UINT_FMT] ;
   char socketfn[livelen + S6RC_ONESHOT_RUNNER_LEN + 12] ;
   byte_copy(socketfn, livelen, live) ;
   byte_copy(socketfn + livelen, 12 + S6RC_ONESHOT_RUNNER_LEN, "/scandir/" S6RC_ONESHOT_RUNNER "/s") ;
-  fmt[uint32_fmt(fmt, compute_timeout(i, h))] = 0 ;
+  tfmt[uint32_fmt(tfmt, compute_timeout(i, h))] = 0 ;
   vfmt[uint_fmt(vfmt, verbosity)] = 0 ;
+  ifmt[uint_fmt(ifmt, i)] = 0 ;
   if (dryrun[0])
   {
     newargv[m++] = S6RC_BINPREFIX "s6-rc-dryrun" ;
@@ -111,10 +111,11 @@ static pid_t start_oneshot (unsigned int i, int h)
   newargv[m++] = "-t" ;
   newargv[m++] = "2000" ;
   newargv[m++] = "-T" ;
-  newargv[m++] = fmt ;
+  newargv[m++] = tfmt ;
   newargv[m++] = "--" ;
   newargv[m++] = socketfn ;
-  while (argc--) newargv[m++] = *argv++ ;
+  newargv[m++] = h ? "up" : "down" ;
+  newargv[m++] = ifmt ;
   newargv[m++] = 0 ;
   return child_spawn0(newargv[0], newargv, (char const *const *)environ) ;
 }
-- 
cgit v1.2.3