1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-06 13:17:44 +03:00
Commit Graph

49643 Commits

Author SHA1 Message Date
Lennart Poettering
50fc7d7036
Merge pull request #18653 from yuwata/in-addr-prefix-nth
in-addr-util: fix in_addr_prefix_nth() and use the function to get ip address range in firewall-util
2021-02-17 18:52:24 +01:00
Lennart Poettering
1ed4e584f3 resolved: address DVE-2018-0001
This is an updated version of #8608 with more restrictive logic. To
quite the original bug:

    Some captive portals, lie and do not respond with the captive portal
    IP address, if the query is with EDNS0 enabled and D0 bit set to
    zero. Thus retry "secure" domain name look ups with less secure
    methods, upon NXDOMAIN.

https://github.com/dns-violations/dns-violations/blob/master/2018/DVE-2018-0001.md

Yes, this fix sucks hard, but I guess this is what we need to do to make
sure resolved works IRL.

Heavily based on the original patch from Dimitri John Ledkov, and I
copied the commentary verbatim.

Replaces: #8608
2021-02-17 18:06:13 +01:00
Frantisek Sumsal
98f6d5769f ci: enable DNS over TLS using OpenSSL in the build test
Prompted by:
    * https://github.com/systemd/systemd/pull/18641#issuecomment-780371055
    * https://github.com/systemd/systemd/issues/18639
2021-02-17 16:41:23 +01:00
Zbigniew Jędrzejewski-Szmek
faacac453d
Merge pull request #18632 from yuwata/network-nexthop-add-family
network: introduce Family= setting in [NextHop] section
2021-02-17 15:02:50 +01:00
Yu Watanabe
9997507421 firewall-util: replace nft_in6addr_to_range() with in_addr_prefix_range() 2021-02-17 22:57:37 +09:00
Yu Watanabe
1534c5791a in-addr-util: introduce in_addr_prefix_range()
This will replace nft_in6addr_to_range() in later commit.
2021-02-17 22:57:37 +09:00
Yu Watanabe
9164338b2e in-addr-util: make in_addr_prefix_nth() always return valid prefix
Previously, e.g. in_addr_prefix_nth(2400::1, prefixlen=32, nth=1)
does not return 2400:1:: but does 2400:1::1.
2021-02-17 22:57:37 +09:00
Yu Watanabe
7b6b05cff9 in-addr-util: make in_addr_prefix_nth() refuse prefixlen larger than maximum size 2021-02-17 22:57:37 +09:00
Yu Watanabe
518b6da5d3 in-addr-util: make in_addr_prefix_nth() returns 0 on success 2021-02-17 22:57:37 +09:00
Yu Watanabe
40785f53ba network: refuse IPv4 multipath route for IPv6 route 2021-02-17 22:08:15 +09:00
Yu Watanabe
35d39c94a9 network: Route::gw_family may be AF_UNSPEC 2021-02-17 21:11:13 +09:00
Vito Caputo
f82027042a logs-show: move show_journal_by_unit _BOOT_ID match
In scrutinizing the journal overhead of `systemctl status $service`
it became apparent that the matching engine was performing the unit
matches on every journal in my system, even ones containing nothing
relevant to the current boot.

This seemed strange and likely suboptimal to me, since there's likely
far more unit data to rifle through than boot IDs in any given
journal.  The _BOOT_ID match seemed like it should be serving as an
early exit match on irrelevant journals, but that wasn't what seemed
to be happening.

As a quick experiment to see if I could get the _BOOT_ID match to be
something along the lines of a higher priority when matching, and try
early exit on these unrelated journals, I moved add_match_this_boot()
to after the unit match adds, inserting a conjunction between them.

The end result seems to be a very substantial performance gain in my
simple uncached tests, and I still get the expected journal output
from the `systemctl status $service` command:

----------------------------------------------------------------------

Unmodified systemctl times:

 root@localhost:/# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/# time systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
    Loaded: loaded (/lib/systemd/system/dbus.service; static; vendor preset: enabled)
    Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
      Docs: man:dbus-daemon(1)
  Main PID: 572 (dbus-daemon)
    Memory: 2.8M
       CPU: 110ms
    CGroup: /system.slice/dbus.service
            └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.695s
 user    0m0.005s
 sys     0m0.043s
 root@localhost:/# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/# time systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
    Loaded: loaded (/lib/systemd/system/dbus.service; static; vendor preset: enabled)
    Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
      Docs: man:dbus-daemon(1)
  Main PID: 572 (dbus-daemon)
    Memory: 2.8M
       CPU: 110ms
    CGroup: /system.slice/dbus.service
            └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.696s
 user    0m0.003s
 sys     0m0.046s
 root@localhost:/# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/# time systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
    Loaded: loaded (/lib/systemd/system/dbus.service; static; vendor preset: enabled)
    Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
      Docs: man:dbus-daemon(1)
  Main PID: 572 (dbus-daemon)
    Memory: 2.8M
       CPU: 110ms
    CGroup: /system.slice/dbus.service
            └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.694s
 user    0m0.006s
 sys     0m0.041s

----------------------------------------------------------------------

Modified systemctl including this commit:

 root@localhost:/home/vc/gh/systemd/build# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/home/vc/gh/systemd/build# time ./systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
      Loaded: loaded (/lib/systemd/system/dbus.service; static)
      Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
 TriggeredBy: ● dbus.socket
        Docs: man:dbus-daemon(1)
    Main PID: 572 (dbus-daemon)
      Memory: 2.8M
         CPU: 110ms
      CGroup: /system.slice/dbus.service
              └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.168s
 user    0m0.003s
 sys     0m0.016s
 root@localhost:/home/vc/gh/systemd/build# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/home/vc/gh/systemd/build# time ./systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
      Loaded: loaded (/lib/systemd/system/dbus.service; static)
      Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
 TriggeredBy: ● dbus.socket
        Docs: man:dbus-daemon(1)
    Main PID: 572 (dbus-daemon)
      Memory: 2.8M
         CPU: 110ms
      CGroup: /system.slice/dbus.service
              └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.167s
 user    0m0.005s
 sys     0m0.013s
 root@localhost:/home/vc/gh/systemd/build# echo 2 > /proc/sys/vm/drop_caches
 root@localhost:/home/vc/gh/systemd/build# time ./systemctl --no-pager status dbus
 ● dbus.service - D-Bus System Message Bus
      Loaded: loaded (/lib/systemd/system/dbus.service; static)
      Active: active (running) since Sun 2020-10-25 17:03:05 PDT; 1 day 6h ago
 TriggeredBy: ● dbus.socket
        Docs: man:dbus-daemon(1)
    Main PID: 572 (dbus-daemon)
      Memory: 2.8M
         CPU: 110ms
      CGroup: /system.slice/dbus.service
              └─572 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation

 Oct 25 17:03:05 localhost systemd[1]: Started D-Bus System Message Bus.
 Oct 25 17:06:26 localhost dbus[572]: [system] Activating via systemd: service name='org.freedesktop.machine1' unit='dbus-org.freedesktop.machine1.service'
 Oct 25 17:06:26 localhost dbus[572]: [system] Successfully activated service 'org.freedesktop.machine1'

 real    0m0.170s
 user    0m0.005s
 sys     0m0.014s
2021-02-17 09:50:36 +01:00
Lennart Poettering
4a6eb82445 resolved: include NSID support to DNS stub
This adds minimal support for RFC5001 NSID to the stub resolver. This
useful to identify systemd-resolved when talking to the stub resolver,
and distuingishing the packets resolved answers itself (where NSID is
now set) from those which it proxies 1:1 upstream (where NSID will not
be set, or set to whatever the upstream server has it set to).

The NSID chosen consist of two parts:

1. The first part is derived from /etc/machine-id and identifies the
   resolved instance in a stable way.

2. The second part is the fixed string ".resolved.systemd.io".

This thus maybe used for a veriety of checks:

a. Am I talking to a resolved stub?
b. Am I talking to the same stub as last time?
c. Am I talking to the local resolved?

Given that the first part leaks the identity of the system in away two
protections are in place:

I) The NSID is only included on the main stub, not the extra stub. The
   main stub has with a TTL of 1 and other protections a lot of safety
   in place that the datagrams never leave the local system, thus the
   identifying info is only accessible to the local system — but
   /etc/machine-id is accessible to local software anyway.

II) The NSID is hashed from /etc/machine-id in a non-invertable way, so
    that the machine ID itself isn't leaked, but only an identifier
    derived from it.

Example dig run:

```
$ dig +nsid localhost @127.0.0.53

; <<>> DiG 9.11.23-RedHat-9.11.23-1.fc33 <<>> +nsid localhost @127.0.0.53
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46917
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
; NSID: 35 33 64 34 61 34 66 63 32 31 32 65 34 31 61 30 39 66 30 39 65 33 32 34 63 64 64 38 30 36 32 33 2e 72 65 73 6f 6c 76 65 64 2e 73 79 73 74 65 6d 64 2e 69 6f ("53d4a4fc212e41a09f09e324cdd80623.resolved.systemd.io")
;; QUESTION SECTION:
;localhost.			IN	A

;; ANSWER SECTION:
localhost.		0	IN	A	127.0.0.1

;; Query time: 0 msec
;; SERVER: 127.0.0.53#53(127.0.0.53)
;; WHEN: Do Nov 12 20:57:16 CET 2020
;; MSG SIZE  rcvd: 110
```
2021-02-17 09:42:07 +01:00
Hans de Goede
9628ba7c6b hwdb: Add accel orientation quirk for the Trekstor Surftab Wintron 10.1 ST10432-3 tablet
Add a quirk to fix the accelerometer orientation on the
Trekstor Surftab Wintron 10.1 ST10432-3 tablet.
2021-02-17 08:47:15 +01:00
Zbigniew Jędrzejewski-Szmek
4c1ff29052
Merge pull request #18641 from benjarobin/fix-enum-invalid-val
Various follow-up: Fix build and EINVAL for _INVALID enum value
2021-02-17 08:46:09 +01:00
Yu Watanabe
6cd8f9b5f2 test-network: add tests for Family= in [NextHop] 2021-02-17 15:55:37 +09:00
Yu Watanabe
26ff450550 man: update explanations of settings in [NextHop] section 2021-02-17 15:55:37 +09:00
Yu Watanabe
acfd8491fb network: nexthop: refuse 0 id
We usually do not accept values which will be handled as unspecified.
Instead, this makes config_parse_nexthop_id() accept an empty string.
2021-02-17 15:55:37 +09:00
Yu Watanabe
f1923efccb network: nexthop: introduce Family= setting in [NextHop] section
This is an alias of `Gateway=0.0.0.0` or `Gateway=::`.
2021-02-17 15:55:37 +09:00
Yu Watanabe
e9c4253d47 network: allow to configure nexthop with null address
Closes #18446.
2021-02-17 15:55:37 +09:00
Yu Watanabe
0008b5aee2 network: nexthop: unset gateway when an empty string is assigned 2021-02-17 15:55:37 +09:00
Giedrius Statkevičius
68337e55f6 condition: add CPUFeature
Taking a stab at implementing #14479.

Add {Condition,Assert}CPUFeature to `systemd-analyze` & friends. Implement it
by executing the CPUID instruction. Add tables for common x86/i386
features.

Tested via unit tests + checked that commands such as:

```bash
systemd-analyze condition 'AssertCPUFeature = rdrand'
```

Succeed as expected and that commands such as

```bash
systemd-analyze condition 'AssertCPUFeature = foobar'
```

Fail as expected. Finally, I have amended the `systemd.unit` manual page
with the new condition and the list of all currently supported flags.
2021-02-17 15:31:29 +09:00
Benjamin Robin
0e2d092d43 resolve: Fix build for cleanup function (SSL_free + BIO_free)
Follow-up of #18616
2021-02-16 23:57:29 +01:00
Lennart Poettering
b1b4e9204c
Merge pull request #18007 from fw-strlen/ipv6_masq_and_dnat
Support ipv6 for masquerade and dnat in nspawn and networkd
2021-02-16 23:41:35 +01:00
Benjamin Robin
62875895fa shared: use -EINVAL for _NETDEV_BRIDGE_STATE_INVALID
Follow-up of #11484
2021-02-16 23:40:30 +01:00
Benjamin Robin
3de56f4712 portable: use -EINVAL for _PORTABLE_CHANGE_TYPE_INVALID
Follow-up of #11484
2021-02-16 23:40:30 +01:00
Benjamin Robin
0979e4adb5 libsystemd-network: use -EINVAL for _DUID_TYPE_INVALID
Follow-up of #11484
2021-02-16 23:40:30 +01:00
Benjamin Robin
7a563bb2bd basic: use -EINVAL for _DUID_TYPE_INVALID
Follow-up of #11484 and of #18481
2021-02-16 23:39:58 +01:00
Benjamin Robin
bbb697fe02 shared: Fix _DNS_CACHE_MODE_INVALID value: use -EINVAL
Follow-up of #11484
2021-02-16 23:38:16 +01:00
Benjamin Robin
c1b48a7f5b shared: use -EINVAL for _UNIT_FILE_CHANGE_TYPE_INVALID
Follow-up of #11484
2021-02-16 23:35:25 +01:00
Benjamin Robin
9de42a6a5f shared: use -EINVAL for _EXEC_COMMAND_FLAGS_INVALID
Follow-up of #11484
2021-02-16 23:34:58 +01:00
Benjamin Robin
925484aacb basic: use -EINVAL for _MANAGED_OOM_PREFERENCE_INVALID
Follow-up of #11484
2021-02-16 23:33:01 +01:00
Vito Caputo
bb1296b55a journal-file: fix archiving offline journals
The existing set_offline() short-circuit erroneously included
when f->archive was true and header->state was STATE_OFFLINE.

This commit makes the short-circuit f->archive aware, so it will
only catch scenarios where there's not an offlining in progress
and the header state matches the target state of either archived
or offline.

Fixes https://github.com/systemd/systemd/issues/17770
2021-02-16 23:09:41 +01:00
Lennart Poettering
356b7a58f3
Merge pull request #18601 from keszybz/env-assign-cleanup
Envvar assignment cleanup
2021-02-16 22:36:48 +01:00
Yu Watanabe
3b4e3ebb51 netlink: introduce sd_netlink_message_has_flag() 2021-02-16 22:36:24 +01:00
Lennart Poettering
0a5393ad68
Merge pull request #18631 from yuwata/sd-netlink-fix-assertions
sd-netlink: update assertions and drop unused functions
2021-02-16 22:36:06 +01:00
Zbigniew Jędrzejewski-Szmek
9a9ca40803 systemd: don't try to run as user manager when called without any arguments
It's better for users if programs don't do "significant" things too easily, and
should be especially conservative when called without any arguments whatsoever.
So far systemd would would try to launch itself as a user manager and fail on
some cgroup permission stuff. systemd --user is run execlusively from user@.service
and there we call it with --user. Calls to the binary without any arguments as
non-pid1 are almost always a mistake.

https://github.com/systemd/systemd/issues/18419#issuecomment-779422571
2021-02-16 22:35:49 +01:00
Lennart Poettering
696e5a8a73 man: make clear that sd-journal notifications always come with extra latency
Replaces: #17699
2021-02-16 22:16:17 +01:00
Lennart Poettering
386059e119 network: make use of SD_ENUM_FORCE_S64() for all public enums 2021-02-16 20:36:52 +01:00
Lennart Poettering
9823703ae6 sd-common: add new macro for forcing 64bit size for public enums
That's the only way we can retain type-safe enums while being able to
guarantee for stable enum sizes.
2021-02-16 20:36:30 +01:00
Lennart Poettering
d385d54638 test-tables: make sure we can test tables of either int or int64_t base type
To support both types, we unfortunately need to go down the macro rabbit
hole a bit more. But it works.
2021-02-16 20:35:07 +01:00
Lennart Poettering
a9a43d8aa2
Merge pull request #18636 from poettering/resolved-different-server
resolved: tweaks for switching to different DNS servers
2021-02-16 20:27:09 +01:00
Lennart Poettering
23220d8a00
Merge pull request #18620 from bluca/mount_images_fixes
MountImages and core tmpfs fixes
2021-02-16 20:26:06 +01:00
Lennart Poettering
0addd9ba9c
Merge pull request #18616 from keszybz/argv-fuzzer-quick-fix
fuzz-systemctl-parse-argv: avoid "leak" of bus object
2021-02-16 20:25:37 +01:00
Joshua Watt
7820a56ccb logind: Restore chvt as non-root user without polkit
4acf0cfd2f ("logind: check PolicyKit before allowing VT switch") broke
the ability to write user sessions that run graphical sessions (e.g.
weston/X11). This was partially amended in 19bb87fbfa ("login: allow
non-console sessions to change vt") by changing the default PolicyKit
policy so that non-root users with a session are again allowed to switch
the VT. This makes the policy when PolKit is not enabled (as on many
embedded systems) closer the default PolKit policy and allows launching
graphical sessions as a non-root user.

Closes #17473

Signed-off-by: Joshua Watt <JPEWhacker@gmail.com>
2021-02-16 20:24:53 +01:00
Luca Boccassi
b8f762f2fe stat-util: fix dir_is_empty_at without path
Use the right FD, and do a fd_reopen instead of a dup, since the
latter will still share the internal pointer which then gets
moved by FOREACH_DIRENT, affecting the caller's FD.
2021-02-16 20:24:27 +01:00
Lennart Poettering
42b23010b9
Merge pull request #18624 from poettering/resolved-feature-level-tweak
resolved: three tweaks to server feature level tracking
2021-02-16 20:24:05 +01:00
Yu Watanabe
955b11ffd3
Merge pull request #18629 from yuwata/sd-netlink-nexthop-types
sd-netlink: add nexthop related types
2021-02-17 04:06:15 +09:00
Lennart Poettering
9147b591a1 resolved: unify code for trying a different DNS server
Let's unify some code, and add a common implementation of a function
that checks whether we have tried all DNS servers yet, and retries the
transaction if we don't. We already use this same code twice. Let's use
it at some other places too now — basically all cases where we switch to
a new server — with the one case of packet loss, where we too switch
servers, but don#t care how many times we already tried to switch.
2021-02-16 18:54:33 +01:00
Lennart Poettering
7ef863a76a resolved: improve log message when retrying a transaction with a different server 2021-02-16 18:53:33 +01:00