The passed attribute type will be used later.
This also
- rename conf parsers,
- sort gperf entries by the attr type.
No functional change, just refactoring and preparation for later commits.
This also split config_parse_route_boolean() into two:
for GatewayOnline= and boolean route metrics.
No functional change, just refactoring and preparation for later commits.
On Linux only the "w" access bit is necessary to connect to an AF_UNIX
socket, hence let's only set that and nothing else, to limit exposure.
Just paranoia.
Previously, there was no way to override the log level for test and
test-builtin commands. Let's re-parse environment after setting the log
level to debug. Then, we can control the log level through environment
variable.
Let's operate on fds rather than paths. Make some tweaks to the logic on
top:
1. Mark the resulting dir as read-only after we are done.
2. Use the new inode_type_to_string() calls to determine the inode
names.
3. If an inode already exists, try to adjust the access mode, just in
case.
4. Use FOREACH_ARRAY()
This patch adds a new parameter to parse_ip_port_range, giving callers
the option to allow ranges to have their min be 0 instead of 1.
This is then used by parse_ip_ports_token, intern used by
parse_socket_bind_item to allow port 0 when restricting bind system
calls with SocketBindDeny / SocketBindAllow.
With this, users running server software written using the golang
standard library will be able to effectively sandbox their software,
albeit with a small loss in security protections by allowing the
process to bind on a random port in the
/proc/sys/net/ipv4/ip_local_port_range.
