1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-23 17:34:00 +03:00
Commit Graph

27374 Commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek
1258f08898 parse_hwdb: add import fallback for python2 2016-11-02 22:48:43 -04:00
Zbigniew Jędrzejewski-Szmek
3e2161153c test-compression: allow the file to compress to be specified
I'm seeing strange decompression errors with lz4, which
might be content-dependent. Extend test-compression to allow
testing specific content.

(Edit: PEBKAC: lzcat and lz4cat are not the same beast.
Nevertheless, the test might still be useful in the future.)
2016-10-31 13:23:16 -04:00
Jakub Wilk
b17649ee5e man: fix typos (#4527) 2016-10-31 08:08:08 -04:00
George Hilliard
52028838a1 Implement VeraCrypt volume handling in crypttab (#4501)
This introduces a new option, `tcrypt-veracrypt`, that sets the
corresponding VeraCrypt flag in the flags passed to cryptsetup.
2016-10-30 10:25:31 -04:00
Zbigniew Jędrzejewski-Szmek
0470289b6e tests: clarify test_path_startswith return value (#4508)
A pendant for #4481.
2016-10-30 10:21:29 -04:00
Zbigniew Jędrzejewski-Szmek
87b6ba21b5 Merge pull request #4520 from lucaswerkmeister/systemd-escape-man
systemd-escape manpage improvements
2016-10-29 21:11:05 -04:00
Lucas Werkmeister
8bb36a1122 man: make systemd-escape examples more consistent
The first example wasn't phrased with "To ..." as the other three are,
and the last example was lacking the colon.
2016-10-30 02:44:07 +02:00
Lucas Werkmeister
918737f365 man: add missing period 2016-10-30 02:43:17 +02:00
Lucas Werkmeister
c7a7f78bb0 man: improve systemd-escape --path description
The option does more than the documentation gave it credit for.
2016-10-30 02:42:22 +02:00
Daniel Mack
e50e60b474 .gitignore: ignore precompiled GCC headers (#4516)
Not sure since when this is the default behavior, but my local tree is full
of such files. Let's ignore them for clarity.
2016-10-28 13:03:01 -04:00
Djalal Harouni
fa1f250d6f Merge pull request #4495 from topimiettinen/block-shmat-exec
seccomp: also block shmat(..., SHM_EXEC) for MemoryDenyWriteExecute
2016-10-28 15:41:07 +02:00
Martin Pitt
1740c5a807 Merge pull request #4458 from keszybz/man-nonewprivileges
Document NoNewPrivileges default value
2016-10-28 15:35:29 +02:00
Michal Sekletar
4f985bd802 udev: allow substitutions for SECLABEL key (#4505) 2016-10-28 12:09:14 +02:00
Lucas Werkmeister
e100155dcc systemctl: warn when cat shows changed unit files (#4493)
Suggested by @keszybz in #4488.
2016-10-27 09:28:10 -04:00
Zbigniew Jędrzejewski-Szmek
ed06fa6203 Merge pull request #4485 from endocode/djalal/portable-branch-v1
core: improve mount namespace and working directory setup
2016-10-27 09:17:14 -04:00
Evgeny Vereshchagin
492466c1b5 Merge pull request #4442 from keszybz/detect-virt-userns
detect-virt: add --private-users switch to check if a userns is active; add Condition=private-users
2016-10-27 13:16:16 +03:00
Djalal Harouni
59e856c7d3 core: make unit argument const for apply seccomp functions 2016-10-27 09:40:22 +02:00
Djalal Harouni
50b3dfb9d6 core: lets apply working directory just after mount namespaces
This makes applying groups after applying the working directory, this
may allow some flexibility but at same it is not a big deal since we
don't execute or do anything between applying working directory and
droping groups.
2016-10-27 09:40:21 +02:00
Djalal Harouni
2b3c1b9e9d core: get the working directory value inside apply_working_directory()
Improve apply_working_directory() and lets get the current working directory
inside of it.
2016-10-27 09:40:21 +02:00
Djalal Harouni
e7f1e7c6e2 core: move apply working directory code into its own apply_working_directory() 2016-10-27 09:40:21 +02:00
Djalal Harouni
93c6bb51b6 core: move the code that setups namespaces on its own function 2016-10-27 09:40:21 +02:00
Thomas H. P. Andersen
342d3ac165 hwdb: fix error check of wrong variable (#4499)
We updated 'fn' but checked 'v' instead.

From 698c5a17

Spotted with PVS
2016-10-26 21:22:26 -04:00
Zbigniew Jędrzejewski-Szmek
a5eebcff37 Merge pull request #4448 from msoltyspl/vcfix
Fix some formatting details in the merge.
2016-10-26 20:55:18 -04:00
Zbigniew Jędrzejewski-Szmek
4bb30aeaf8 units: disable /dev/hugepages in private user namespaces
The mount fails, even though CAP_SYS_ADMIN is granted.
2016-10-26 20:12:52 -04:00
Zbigniew Jędrzejewski-Szmek
0809d7740c condition: simplify condition_test_virtualization
Rewrite the function to be slightly simpler. In particular, if a specific
match is found (like ConditionVirtualization=yes), simply return an answer
immediately, instead of relying that "yes" will not be matched by any of
the virtualization names below.

No functional change.
2016-10-26 20:12:52 -04:00
Zbigniew Jędrzejewski-Szmek
d09f968657 test-tables: test ConditionVirtualization 2016-10-26 20:12:52 -04:00
Zbigniew Jędrzejewski-Szmek
239a5707e1 shared/condition: add ConditionVirtualization=[!]private-users
This can be useful to silence warnings about units which fail in userns
container.
2016-10-26 20:12:52 -04:00
Zbigniew Jędrzejewski-Szmek
299a34c11a detect-virt: add --private-users switch to check if a userns is active
Various things don't work when we're running in a user namespace, but it's
pretty hard to reliably detect if that is true.

A function is added which looks at /proc/self/uid_map and returns false
if the default "0 0 UINT32_MAX" is found, and true if it finds anything else.
This misses the case where an 1:1 mapping with the full range was used, but
I don't know how to distinguish this case.

'systemd-detect-virt --private-users' is very similar to
'systemd-detect-virt --chroot', but we check for a user namespace instead.
2016-10-26 20:12:51 -04:00
Thomas H. P. Andersen
6328c51a5d gitignore: add test-seccomp (#4498) 2016-10-26 19:40:25 -04:00
Susant Sahani
5325382440 networkd : verify dns ip address when parsing configuration (#4492)
Invalid IP addresses would be passed through as-is:
$ networkctl status wlp3s0:
● 2: wlp3s0
       Link File: /usr/lib/systemd/network/99-default.link
    Network File: /etc/systemd/network/wlp3s0.network
            Type: wlan
           State: routable (configured)
            Path: pci-0000:03:00.0
          Driver: iwlwifi
          Vendor: Intel Corporation
           Model: Centrino Advanced-N 6205 [Taylor Peak] (Centrino Advanced-N 6205 AGN)
      HW Address: XXXXXXXXXX (Intel Corporate)
         Address: 192.168.2.103
                  XXXXXXXXXXX
         Gateway: 192.168.2.1 (Arcadyan Technology Corporation)
             DNS: 127.0.0.5553

Instead verify that DNS= has a valid list of addresses when parsing configuration.

Fixes #4462.
2016-10-26 19:31:04 -04:00
Michal Soltys
808b95ef82 vconsole: manual update (#4021)
To more correctly reflect current behaviour as well as to provide
a few more details.
2016-10-26 19:21:02 -04:00
Topi Miettinen
d2ffa389b8 seccomp: also block shmat(..., SHM_EXEC) for MemoryDenyWriteExecute
shmat(..., SHM_EXEC) can be used to create writable and executable
memory, so let's block it when MemoryDenyWriteExecute is set.
2016-10-26 18:59:14 +03:00
Michal Soltys
5297577f27 vconsole: setup_remaining_vcs() - more sanity checks
Check if values filled up by KD_FONT_OP_GET ioctl make sense -
dummy driver for example doesn't implement required functionality
at all.
2016-10-26 11:34:43 +02:00
Lucas Werkmeister
d4a48671bc man: document that systemctl cat shows file content (#4488)
... and that that content might be outdated.
2016-10-25 20:40:21 -04:00
Evgeny Vereshchagin
2b7466a22b build-sys/autogen: don't use bashisms (#4489)
Fixes:
$ ls -l /bin/sh
lrwxrwxrwx 1 root root 4 Feb 17  2016 /bin/sh -> dash

$ ./autogen.sh c
./autogen.sh: 22: ./autogen.sh: [[: not found
...
checking whether make supports nested variables... (cached) yes
checking build system type... Invalid configuration `c': machine `c' not
recognized
configure: error: /bin/bash build-aux/config.sub c failed

this is a follow-up for a5e739a570
2016-10-25 19:39:48 -04:00
Martin Pitt
803467c46d Merge pull request #4476 from poettering/systemctl-free
two minor systemctl memleak fixes
2016-10-25 20:59:24 +02:00
Dongsu Park
6086d2daf3 test: skip exec tests when inaccessible dir is unavailable
In case of running test-execute on systems with systemd < v232, several
tests like privatedevices or protectkernelmodules fail because
/run/systemd/inaccessible/ doesn't exist. In these cases, we should skip
tests to avoid unnecessary errors.

See also https://github.com/systemd/systemd/pull/4243#issuecomment-253665566
2016-10-25 13:27:45 +00:00
Lennart Poettering
6fa4160def systemctl: fix two minor memory leaks in --wait handling
(Also, let's not use the binary |= operator on "bool" variables).

Fix-up for 93a0884126.
2016-10-25 12:19:13 +02:00
Lennart Poettering
4c37970d77 update NEWS file a bit more 2016-10-25 12:19:13 +02:00
Martin Pitt
f70ebf1ce3 Merge pull request #4474 from poettering/nsswitch
various nss module/resolved fixes
2016-10-25 08:13:07 +02:00
Zbigniew Jędrzejewski-Szmek
74388c2d11 man: document the default value of NoNewPrivileges=
Fixes #4329.
2016-10-24 23:45:57 -04:00
Zbigniew Jędrzejewski-Szmek
8d3eafa161 Merge pull request #4450 from poettering/seccompfixes
Various seccomp fixes and NEWS update.
2016-10-24 20:23:21 -04:00
Martin Ejdestig
f2e5f466cb man: Fix event source priority enum names in synopsis (#4478) 2016-10-25 00:30:26 +02:00
Lennart Poettering
6980e31f25 Merge pull request #4477 from poettering/enumerate-load-fix
Properly synthesize -.slice and init.scope
2016-10-24 23:48:48 +02:00
Benjamin Richter
e59ace18a5 networkd: fix mixup of bond options (#4470) 2016-10-24 21:24:47 +02:00
Lennart Poettering
828d92acbc core: drop -.slice from shipped units
Since this unit is synthesized anyway there's no point in actually shipping it
on disk. This also has the benefit that "cd /usr/lib/systemd/system ; ls *"
won't be confused by the leading dash of the file name anymore.
2016-10-24 20:49:48 +02:00
Lennart Poettering
8e4e851f1d core: move initialization of -.slice and init.scope into the unit_load() callbacks
Previously, we'd synthesize the root slice unit and the init scope unit in the
enumerator callbacks for the unit type. This is problematic if either of them
is already referenced from a unit that is loaded as result of another unit
type's enumerator logic.

Let's clean this up and simply create the two objects from the enumerator
callbacks, if they are not around yet. Do the actual filling in of the settings
from the unit_load() callbacks, to match how other units are loaded.

Fixes: #4322
2016-10-24 20:46:30 +02:00
Lennart Poettering
75555c2824 man: sync up the suggested nsswitch.conf configuration for our four NSS modules
This unifies the suggested nsswitch.conf configuration for our four NSS modules to this:

    hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname

Note that this restores "myhostname" to the suggested configuration of
nss-resolve for the time being, undoing 4484e1792b.

"myhostname" should probably be dropped eventually, but when we do this we
should do it in full, and not only drop it from the suggested nsswitch.conf
for one of the modules, but also drop it in source and stop referring to it
altogether.

Note that nss-resolve doesn't replace nss-myhostname in full: the former only
works if D-Bus/resolved is available for resolving the local hostname, the
latter works in all cases even if D-Bus or resolved are not in operation, hence
there's some value in keeping the line as it is right now. Note that neither
dns nor myhostname are considered at all with the above configuration unless
the resolve module actually returns UNAVAIL. Thus, even though handling of
local hostname resolving is implemented twice this way it is only executed once
for each lookup.
2016-10-24 19:04:43 +02:00
Lennart Poettering
344874fcd0 nss-resolve: be a bit more careful with returning NSS_STATUS_NOTFOUND
Let's tighten the cases when our module returns NSS_STATUS_NOTFOUND. Let's do
so only if we actually managed to talk to resolved. In all other cases stick to
NSS_STATUS_UNAVAIL as before, as it clearly indicates that our module or the
system is borked, and the "dns" fallback should really take place.

In particular this fixes the 2nd-level fallback from our own dlopen() based
fallback handling. In this case we really should return UNAVAIL so that the
caller can apply its own fallback still.

Fix-up for d7247512a9.

Note that our own dlopen() based fallback is pretty much redundant now if
nsswitch.conf is configured like this:

   hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname

In a future release we should probably drop our internal fallback then, in
favour of this nsswitch.conf-based one.
2016-10-24 19:04:43 +02:00
Lennart Poettering
413b05ccac resolved: properly check for the root domain
Fix-up for #4164
2016-10-24 19:04:43 +02:00