1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-24 21:34:08 +03:00
Commit Graph

505 Commits

Author SHA1 Message Date
Topi Miettinen
006d1864fb execute: always log a warning when setting SELinux context fails
Update also manual page to explain how the transition can still fail.
2021-11-12 17:17:21 +01:00
ml
84b10e536c man: remove unintentionally repetitive words 2021-11-11 14:36:50 +01:00
Daan De Meyer
51462135fb exec: Add TTYRows and TTYColumns properties to set TTY dimensions 2021-11-05 21:32:14 +00:00
Luca Boccassi
211a3d87fb core: add [State|Runtime|Cache|Logs]Directory symlink as second parameter
When combined with a tmpfs on /run or /var/lib, allows to create
arbitrary and ephemeral symlinks for StateDirectory or RuntimeDirectory.
This is especially useful when sharing these directories between
different services, to make the same state/runtime directory 'backend'
appear as different names to each service, so that they can be added/removed
to a sharing agreement transparently, without code changes.

An example (simplified, but real) use case:

foo.service:
StateDirectory=foo

bar.service:
StateDirectory=bar

foo.service.d/shared.conf:
StateDirectory=
StateDirectory=shared:foo

bar.service.d/shared.conf:
StateDirectory=
StateDirectory=shared:bar

foo and bar use respectively /var/lib/foo and /var/lib/bar. Then
the orchestration layer decides to stop this sharing, the drop-in
can be removed. The services won't need any update and will keep
working and being able to store state, transparently.

To keep backward compatibility, new DBUS messages are added.
2021-10-28 10:47:46 +01:00
Iago López Galeiras
d6d6f55d8e man: document EXIT_BPF status 2021-10-06 10:52:14 +02:00
Iago López Galeiras
a6826f6b8e man: add RestrictFileSystems= documentation 2021-10-06 10:52:14 +02:00
alexlzhu
8c35c10d20 core: Add ExecSearchPath parameter to specify the directory relative to which binaries executed by Exec*= should be found
Currently there does not exist a way to specify a path relative to which
all binaries executed by Exec should be found. The only way is to
specify the absolute path.

This change implements the functionality to specify a path relative to which
binaries executed by Exec*= can be found.

Closes #6308
2021-09-28 14:52:27 +01:00
Zbigniew Jędrzejewski-Szmek
a14e028e86 man: cross-reference DeviceAllow= and PrivateDevices=
They are somewhat similar, but not easy to discover, esp. considering that
they are described in different pages.

For PrivateDevices=, split out the first paragraph that gives the high-level
overview. (The giant second paragraph could also use some heavy editing to break
it up into more digestible chunks, alas.)
2021-09-27 09:19:02 +02:00
Luca Boccassi
9c8b6eaa46 man: further document extension-release 2021-08-17 13:15:13 +01:00
Zbigniew Jędrzejewski-Szmek
d6029680df man: use title of docs/ pages when referring to them
There is some inconsistency, partially caused by the awkward naming
of the docs/ pages. But let's be consistent and use the "official" title.
If we ever change plural↔singular, we should use the same form everywhere.
2021-07-27 09:43:29 +02:00
Zbigniew Jędrzejewski-Szmek
be0d27ee0c man: fix assorted issues reported by the manpage-l10n project
Fixes #20297.
2021-07-27 09:43:29 +02:00
Lennart Poettering
8a6a781b58 man: document the new (Load|Set)CredentialEncrypted= settings 2021-07-08 09:31:43 +02:00
Yu Watanabe
3d62af7d23 tree-wide: fix "the the" and "a a" 2021-06-30 23:32:43 +09:00
dgcampea
e8f4bf33d8 man: fix incorrect description regarding DynamicUser= and StateDirectory= 2021-06-27 14:08:05 +01:00
Yu Watanabe
5181630f26 core: do not set nosuid mount option when SELinux is enabled
The mount option has special meaning when SELinux is enabled. To make
NoNewPrivileges=yes not break SELinux enabled systems, let's not set the
mount flag on such systems.
2021-06-25 15:37:35 +09:00
Yu Watanabe
6720e356c1 Revert "Revert "Mount all fs nosuid when NoNewPrivileges=yes""
This reverts commit 1753d30215.

Let's re-enable that feature now. As reported when the original commit
was merged, this causes some trouble on SELinux enabled systems. So,
in the subsequent commit, the feature will be disabled when SELinux is enabled.
But, anyway, this commit just re-enable that feature unconditionally.
2021-06-25 15:16:34 +09:00
Topi Miettinen
1753d30215 Revert "Mount all fs nosuid when NoNewPrivileges=yes"
This reverts commit d8e3c31bd8.

A poorly documented fact is that SELinux unfortunately uses nosuid mount flag
to specify that also a fundamental feature of SELinux, domain transitions, must
not be allowed either. While this could be mitigated case by case by changing
the SELinux policy to use `nosuid_transition`, such mitigations would probably
have to be added everywhere if systemd used automatic nosuid mount flags when
`NoNewPrivileges=yes` would be implied. This isn't very desirable from SELinux
policy point of view since also untrusted mounts in service's mount namespaces
could start triggering domain transitions.

Alternatively there could be directives to override this behavior globally or
for each service (for example, new directives `SUIDPaths=`/`NoSUIDPaths=` or
more generic mount flag applicators), but since there's little value of the
commit by itself (setting NNP already disables most setuid functionality), it's
simpler to revert the commit. Such new directives could be used to implement
the original goal.
2021-06-15 00:33:22 +09:00
Topi Miettinen
d8e3c31bd8 Mount all fs nosuid when NoNewPrivileges=yes
When `NoNewPrivileges=yes`, the service shouldn't have a need for any
setuid/setgid programs, so in case there will be a new mount namespace anyway,
mount the file systems with MS_NOSUID.
2021-05-26 17:42:39 +02:00
Lennart Poettering
7dbc38db50 man: explicit say for priority/weight values whether more is more or less
Fixes: #17523
2021-05-26 12:42:13 +01:00
Ryan Hendrickson
c2503e359a core: apply LogLevelMax to messages about units
This commit applies the filtering imposed by LogLevelMax on a unit's
processes to messages logged by PID1 about the unit as well.

The target use case for this feature is a service that runs on a timer
many times an hour, where the system administrator decides that writing
a generic success message to the journal every few minutes or seconds
adds no diagnostic value and isn't worth the clutter or disk I/O.
2021-05-03 17:48:41 +02:00
Yu Watanabe
4e6c50a5d4 core: add RestrictAddressFamilies=none to deny all address families
Closes #15753.
2021-04-19 11:47:08 +01:00
Lennart Poettering
8a29862e32 core: allow omitting second part of LoadCredentials= argument
This allows "LoadCredentials=foo" to be used as shortcut for
"LoadCredentials=foo:foo", i.e. it's a very short way to inherit a
credential under its original name from the service manager into a
service.
2021-03-26 12:20:29 +01:00
Luca Boccassi
301e7cd047 man: specify that ProtectProc= does not work with root/cap_sys_ptrace
When using hidepid=invisible on procfs, the kernel will check if the
gid of the process trying to access /proc is the same as the gid of
the process that mounted the /proc instance, or if it has the ptrace
capability:

https://github.com/torvalds/linux/blob/v5.10/fs/proc/base.c#L723
https://github.com/torvalds/linux/blob/v5.10/fs/proc/root.c#L155

Given we set up the /proc instance as root for system services,
The same restriction applies to CAP_SYS_PTRACE, if a process runs with
it then hidepid=invisible has no effect.

ProtectProc effectively can only be used with User= or DynamicUser=yes,
without CAP_SYS_PTRACE.
Update the documentation to explicitly state these limitations.

Fixes #18997
2021-03-15 16:53:16 +00:00
Zbigniew Jędrzejewski-Szmek
ba3dc45126 man: fix html links to two external man pages 2021-03-12 10:58:16 +01:00
Lennart Poettering
170c659338 man: shorten list of partition types a bit
Tables with only one column aren't really tables, they are lists. And if
each cell only consists of a single word, they are probably better
written in a single line. Hence, shorten the man page a bit, and list
boot loader spec partition types in a simple sentence.

Also, drop "root-secondary" from the list. When dissecting images we'll
upgrade "root-secondary" to "root" if we mount it, and do so only if
"root" doesn't exist. Hence never mention "root-secondary" as we never
will mount a partition under that id.
2021-03-11 12:04:13 +01:00
Yu Watanabe
266d0bb9e0 man: update document about NoNewPrivileges=
Fixes #18914.
2021-03-08 21:42:06 +09:00
Xℹ Ruoyao
a70581ffb5
New directives PrivateIPC and IPCNamespacePath 2021-03-04 00:04:36 +08:00
Zbigniew Jędrzejewski-Szmek
e531091ba0 man: describe quoting and specifiers in Environment=
Fixes #10604.
2021-03-01 13:40:52 +01:00
Luca Boccassi
93f597013a Add ExtensionImages directive to form overlays
Add support for overlaying images for services on top of their
root fs, using a read-only overlay.
2021-02-23 15:34:46 +00:00
Lennart Poettering
c6e33c293e man: correct documentaiton of StandardInput='s defaults in regards to "data"
Fixes: #18710
2021-02-22 17:52:20 +01:00
Дамјан Георгиевски
95aa3937da man: Rename duplicate Credentials section name
A "Credentials" section name in systemd.exec man page was used
both for User/Group and for actual credentials support in systemd.

Rename the first instance to "User/Group Identity"
2021-02-18 15:40:47 +01:00
Yu Watanabe
dc4e2940e8 core: set $SYSTEMD_EXEC_PID= environment variable for executed commands
It may be useful to detect a command is directly executed by systemd
manager, or indirectly as a child of another process.
2021-02-01 01:13:44 +09:00
Lennart Poettering
82446c66cc
Merge pull request #18399 from keszybz/man-proofreading
Various man page cleanups
2021-01-29 20:04:07 +01:00
Zbigniew Jędrzejewski-Szmek
1d3a473b4a man: use ellipses for ranges in range descriptions
… and in few other places ;)
2021-01-29 17:02:23 +01:00
Topi Miettinen
ddc155b2fd New directives NoExecPaths= ExecPaths=
Implement directives `NoExecPaths=` and `ExecPaths=` to control `MS_NOEXEC`
mount flag for the file system tree. This can be used to implement file system
W^X policies, and for example with allow-listing mode (NoExecPaths=/) a
compromised service would not be able to execute a shell, if that was not
explicitly allowed.

Example:
[Service]
NoExecPaths=/
ExecPaths=/usr/bin/daemon /usr/lib64 /usr/lib

Closes: #17942.
2021-01-29 12:40:52 +00:00
Zbigniew Jędrzejewski-Szmek
75909cc7e4 man: various typos and other small issues
Fixes #18397.
2021-01-29 08:42:39 +01:00
Lennart Poettering
09872a6e1a man: document how get logging to work in a RootDirectory=/RootImage= environment
Fixes: #18051
2021-01-20 22:39:33 +01:00
Yu Watanabe
4c6dd238b8
Merge pull request #18267 from lucaswerkmeister/truncate
Two StandardOutput=truncate:file improvements
2021-01-19 08:47:39 +09:00
Lucas Werkmeister
e372584067 man: document effects of concurrent truncation
Co-authored-by: Lennart Poettering <lennart@poettering.net>
2021-01-18 21:59:19 +01:00
Luca Boccassi
5e8deb94c6 core: add DBUS method to bind mount new nodes without service restart
Allow to setup new bind mounts for a service at runtime (via either
DBUS or a new 'systemctl bind' verb) with a new helper that forks into
the unit's mount namespace.
Add a new integration test to cover this.

Useful for zero-downtime addition to services that are running inside
mount namespaces, especially when using RootImage/RootDirectory.

If a service runs with a read-only root, a tmpfs is added on /run
to ensure we can create the airlock directory for incoming mounts
under /run/host/incoming.
2021-01-18 17:24:05 +00:00
Luca Boccassi
94293d65cd MountAPIVFS: always mount a tmpfs on /run
We need a writable /run for most operations, but in case a read-only
RootImage (or similar) is used, by default there's no additional
tmpfs mount on /run. Change this behaviour and document it.
2021-01-18 17:24:05 +00:00
Lucas Werkmeister
d15b1a6c22 man: document that truncate:file happens per command line 2021-01-15 20:22:29 +01:00
Lucas Werkmeister
8d7dab1fda Add truncate: to StandardOutput= etc.
This adds the ability to specify truncate:PATH for StandardOutput= and
StandardError=, similar to the existing append:PATH. The code is mostly
copied from the related append: code. Fixes #8983.
2021-01-15 09:54:50 +01:00
Zbigniew Jędrzejewski-Szmek
32854f7044 systemctl: deprecate blanket import-environment
Importing the full environment is convenient, but it doesn't work too well in
practice, because we get a metric ton of shell-specific crap that should never
end up in the global environment block:

$ systemctl --user show-environment
...
SHELL=/bin/zsh
AUTOJUMP_ERROR_PATH=/home/zbyszek/.local/share/autojump/errors.log
AUTOJUMP_SOURCED=1
CONDA_SHLVL=0
CVS_RSH=ssh
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
DESKTOP_SESSION=gnome
DISPLAY=:0
FPATH=/usr/share/Modules/init/zsh-functions:/usr/local/share/zsh/site-functions:/usr/share/zsh/site-functions:/usr/share/zsh/5.8/functions
GDMSESSION=gnome
GDM_LANG=en_US.UTF-8
GNOME_SETUP_DISPLAY=:1
GUESTFISH_INIT=$'\\e[1;34m'
GUESTFISH_OUTPUT=$'\\e[0m'
GUESTFISH_PS1=$'\\[\\e[1;32m\\]><fs>\\[\\e[0;31m\\] '
GUESTFISH_RESTORE=$'\\e[0m'
HISTCONTROL=ignoredups
HISTSIZE=1000
LOADEDMODULES=
OLDPWD=/home/zbyszek
PWD=/home/zbyszek
QTDIR=/usr/lib64/qt-3.3
QTINC=/usr/lib64/qt-3.3/include
QTLIB=/usr/lib64/qt-3.3/lib
QT_IM_MODULE=ibus
SDL_VIDEO_MINIMIZE_ON_FOCUS_LOSS=0
SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/2612,unix/unix:/tmp/.ICE-unix/2612
SHLVL=0
STEAM_FRAME_FORCE_CLOSE=1
TERM=xterm-256color
USERNAME=zbyszek
WISECONFIGDIR=/usr/share/wise2/
...

Plenty of shell-specific and terminal-specific stuff that have no global
significance.

Let's start warning when this is used to push people towards importing only
specific variables.

Putative NEWS entry:
  * systemctl import-environment will now emit a warning when called without
    any arguments (i.e. to import the full environment block of the called
    program). This command will usually be invoked from a shell, which means
    that it'll inherit a bunch of variables which are specific to that shell,
    and usually to the tty the shell is connected to, and don't have any
    meaning in the global context of the system or user service manager.
    Instead, only specific variables should be imported into the manager
    environment block.

    Similarly, programs which update the manager environment block by directly
    calling the D-Bus API of the manager, should also push specific variables,
    and not the full inherited environment.
2021-01-08 20:01:40 +01:00
Zbigniew Jędrzejewski-Szmek
82651d5b6b man: improve description of environment block creation
This adds a general description of "philosphy" of keeping the environemnt
block small and hints about systemd-run -P env.

The list of generated variables is split out to a subsection. Viewing
the patch with ignoring whitespace changes is recommended.

We don't ignore invalid assignments (except in import-environment to some
extent), previous description was wrong.

For https://bugzilla.redhat.com/show_bug.cgi?id=1912046#c17.
2021-01-08 20:01:40 +01:00
Yu Watanabe
6b44ad0bf8 man: set constant tag to NUL or NULL 2020-11-12 17:10:36 +09:00
Yu Watanabe
725d9713a9 man: append parentheses for function name 2020-11-12 17:10:32 +09:00
Yu Watanabe
db9ecf0501 license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
Lennart Poettering
d3dcf4e3b9 fileio: beef up READ_FULL_FILE_CONNECT_SOCKET to allow setting sender socket name
This beefs up the READ_FULL_FILE_CONNECT_SOCKET logic of
read_full_file_full() a bit: when used a sender socket name may be
specified. If specified as NULL behaviour is as before: the client
socket name is picked by the kernel. But if specified as non-NULL the
client can pick a socket name to use when connecting. This is useful to
communicate a minimal amount of metainformation from client to server,
outside of the transport payload.

Specifically, these beefs up the service credential logic to pass an
abstract AF_UNIX socket name as client socket name when connecting via
READ_FULL_FILE_CONNECT_SOCKET, that includes the requesting unit name
and the eventual credential name. This allows servers implementing the
trivial credential socket logic to distinguish clients: via a simple
getpeername() it can be determined which unit is requesting a
credential, and which credential specifically.

Example: with this patch in place, in a unit file "waldo.service" a
configuration line like the following:

    LoadCredential=foo:/run/quux/creds.sock

will result in a connection to the AF_UNIX socket /run/quux/creds.sock,
originating from an abstract namespace AF_UNIX socket:

    @$RANDOM/unit/waldo.service/foo

(The $RANDOM is replaced by some randomized string. This is included in
the socket name order to avoid namespace squatting issues: the abstract
socket namespace is open to unprivileged users after all, and care needs
to be taken not to use guessable names)

The services listening on the /run/quux/creds.sock socket may thus
easily retrieve the name of the unit the credential is requested for
plus the credential name, via a simpler getpeername(), discarding the
random preifx and the /unit/ string.

This logic uses "/" as separator between the fields, since both unit
names and credential names appear in the file system, and thus are
designed to use "/" as outer separators. Given that it's a good safe
choice to use as separators here, too avoid any conflicts.

This is a minimal patch only: the new logic is used only for the unit
file credential logic. For other places where we use
READ_FULL_FILE_CONNECT_SOCKET it is probably a good idea to use this
scheme too, but this should be done carefully in later patches, since
the socket names become API that way, and we should determine the right
amount of info to pass over.
2020-11-03 09:48:04 +01:00
Yu Watanabe
377a9545e9 tree-wide: fix typos found by Fossies codespell report 2020-10-24 13:29:31 +02:00