1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-24 21:34:08 +03:00
Commit Graph

531 Commits

Author SHA1 Message Date
Jan Janssen
6a1d8f1161 man: Miscellaneous fixes
Fixes: #24056
2022-07-19 10:41:13 +01:00
Lennart Poettering
8de7de462b pid1: import creds from SMBIOS too, not just qemu's fw_cfg
This imports credentials also via SMBIOS' "OEM vendor string" section,
similar to the existing import logic from fw_cfg.

Functionality-wise this is very similar to the existing fw_cfg logic,
both of which are easily settable on the qemu command line.

Pros and cons of each:

SMBIOS OEM vendor strings:
   - pro: fast, because memory mapped
   - pro: somewhat VMM independent, at least in theory
   - pro: qemu upstream sees this as the future
   - pro: no additional kernel module needed
   - con: strings only, thus binary data is base64 encoded

fw_cfg:
   - pro: has been supported for longer in qemu
   - pro: supports binary data
   - con: slow, because IO port based
   - con: only qemu
   - con: requires qemu_fw_cfg.ko kernel module
   - con: qemu upstream sees this as legacy
2022-07-15 08:31:34 +09:00
Lennart Poettering
8c88895772 man: explain why various resource limits don't make sense and should not be used. 2022-07-14 23:53:51 +02:00
nl6720
0e68582323 tree-wide: link to docs.kernel.org for kernel documentation
https://www.kernel.org/ links to https://docs.kernel.org/ for the documentation.
See https://git.kernel.org/pub/scm/docs/kernel/website.git/commit/?id=ebc1c372850f249dd143c6d942e66c88ec610520

These URLs are shorter and nicer looking.
2022-07-04 19:56:53 +02:00
Zbigniew Jędrzejewski-Szmek
2f8211c64a tree-wide: use html links for kernel docs
Instead of using "*.txt" as reference name, use the actual destination title.
2022-07-02 12:13:00 +02:00
Yu Watanabe
b48ed70c79 Revert NFTSet feature
This reverts PR #22587 and its follow-up commit. More specifically,
2299b1cae3 (partially),
e176f855278d5098d3fecc5aa24ba702147d42e0,
ceb46a31a01b3d3d1d6095d857e29ea214a2776b, and
51bb9076ab8c050bebb64db5035852385accda35.

The PR was merged without final approval, and has several issues:
- OSS fuzz reported issues in the conf parser,
- It calls synchrnous netlink call, it should not be especially in PID1,
- The importance of NFTSet for CGroup and DynamicUser may be
  questionable, at least, there was no justification PID1 should support
  it.
- For networkd, it should be implemented with Request object,
- There is no test for the feature.

Fixes #23711.
Fixes #23717.
Fixes #23719.
Fixes #23720.
Fixes #23721.
Fixes #23759.
2022-06-22 22:23:58 +09:00
adrian5
b105d41304 man: Add some punctuation; remove double spaces. 2022-06-15 03:22:15 +09:00
Topi Miettinen
46c3b1ff88 core: firewall integration with DynamicUserNFTSet=
New directive `DynamicUserNFTSet=` provides a method for integrating
configuration of dynamic users into firewall rules with NFT sets.

Example:
```
table inet filter {
        set u {
                typeof meta skuid
        }

        chain service_output {
                meta skuid != @u drop
                accept
        }
}
```

```
/etc/systemd/system/dunft.service
[Service]
DynamicUser=yes
DynamicUserNFTSet=inet:filter:u
ExecStart=/bin/sleep 1000

[Install]
WantedBy=multi-user.target
```

```
$ sudo nft list set inet filter u
table inet filter {
        set u {
                typeof meta skuid
                elements = { 64864 }
        }
}
$ ps -n --format user,group,pid,command -p `pgrep sleep`
    USER    GROUP     PID COMMAND
   64864    64864   55158 /bin/sleep 1000
```
2022-06-08 16:12:25 +00:00
Jakob Lell
14736ab6ff Amend documentation for LimitNPROC= 2022-05-05 18:04:54 +02:00
Lennart Poettering
4791083bce man: correct a major missed opportunity
I don't know why this didn't occur to me earlier, but of course, it
*has* to be this data.

(This replaces some German prose about Berlin, that i guess only very
few people will get. With the new blob I think we have a much broader
chance of delivering smiles.)
2022-05-02 17:58:51 +02:00
Lennart Poettering
fe672fe539 doc: add new markdown docs for credentials 2022-04-28 18:12:00 +02:00
Lennart Poettering
72267a55a1 man: document the new credentials features 2022-04-28 18:12:00 +02:00
Lennart Poettering
d43ea6c8ff man: make clear that encrypted credentials are also authenticated
We use authenticated encryption, and that deserves mention. This in
particular relevant as the fact they are authenticated makes the
credentials useful as initrd parameterization items.
2022-04-21 23:23:14 +02:00
Nishal Kulkarni
2e3591a4fd man: Mention systemd-oomd now follows OOMPolicy 2022-03-22 18:04:52 +05:30
Zbigniew Jędrzejewski-Szmek
f60b0813ea man/systemd.exec: tweak markup a bit 2022-03-18 10:22:20 +01:00
Luca Boccassi
1219bd4306 Add tests and documentation for all remaining sandboxing in user manager 2022-03-18 10:09:56 +01:00
Luca Boccassi
24759d8f08 core: support ExtensionDirectories in user manager
Unprivileged overlayfs is supported since Linux 5.11. The only
change needed to get ExtensionDirectories to work is to avoid
hard-coding the staging directory to the system manager runtime
directory, everything else just works (TM).
2022-03-10 20:38:10 +00:00
Luca Boccassi
95c81c55b2 core: split $MONITOR_METADATA and return it only if a single unit triggers OnFailure/OnSuccess
Remove the list logic, and simply skip passing metadata if more than one
unit triggered an OnFailure/OnSuccess handler.
Instead of a single env var to loop over, provide each separate item
as its own variable.

Fixes https://github.com/systemd/systemd/issues/22370
2022-03-10 14:43:14 +00:00
Luca Boccassi
ea63a260d4 core: support MountAPIVFS and RootDirectory in user manager
The only piece missing was to somehow make /proc appear in the
new user+mount namespace. It is not possible to mount a new
/proc instance, not even with hidepid=invisible,subset=pid, in
a user namespace unless a PID namespace is created too (and also
at the same time as the other namespaces, it is not possible to
mount a new /proc in a child process that creates a PID namespace
forked from a parent that created a user+mount namespace, it has
to happen at the same time).

Use the host's /proc with a bind-mount as a fallback for this
case. User session services would already run with it, so
nothing is lost.
2022-03-10 10:21:03 +00:00
Zbigniew Jędrzejewski-Szmek
fe003f02dd man: various issues reported in #22432
Fixes #22432.
2022-02-23 08:56:03 +01:00
Yonathan Randolph
4bbcde8498 man: clarify Environmentfile format
Remove incorrect claim that C escapes (such as \t and \n) are recognized and that control characters are disallowed. Specify the allowed characters and escapes with single quotes, with double quotes, and without quotes.
2022-01-23 14:37:07 +09:00
Luca Boccassi
a07b992606 core: add ExtensionDirectories= setting
Add a new setting that follows the same principle and implementation
as ExtensionImages, but using directories as sources.
It will be used to implement support for extending portable images
with directories, since portable services can already use a directory
as root.
2022-01-21 22:53:12 +09:00
Albert Brox
3989bdc1ad core: teach LoadCredential= to load from a directory 2022-01-08 13:17:51 +00:00
Peter Morrow
03e1b6664c man: document $MONITOR_METADATA usage
Decsribe when $MONITOR_METADATA will be set and how it's contents are
defined.
2021-12-13 14:44:06 +00:00
Yu Watanabe
a6f44d610c tree-wide: fix typo 2021-11-30 12:30:07 +00:00
Lennart Poettering
8880b2bab8 man: don't mention IOSchedulingClass=none anymore in the docs
Let's not mention a redundant setting of "none". Let's instead only
mention "best-effort", which is the same. Also mention the default
settings properly.

(Also, while we are at it, don#t document the numeric alias, that's
totally redundant and harder to use, so no need to push people towards
it.)
2021-11-24 16:14:51 +01:00
Topi Miettinen
006d1864fb execute: always log a warning when setting SELinux context fails
Update also manual page to explain how the transition can still fail.
2021-11-12 17:17:21 +01:00
ml
84b10e536c man: remove unintentionally repetitive words 2021-11-11 14:36:50 +01:00
Daan De Meyer
51462135fb exec: Add TTYRows and TTYColumns properties to set TTY dimensions 2021-11-05 21:32:14 +00:00
Luca Boccassi
211a3d87fb core: add [State|Runtime|Cache|Logs]Directory symlink as second parameter
When combined with a tmpfs on /run or /var/lib, allows to create
arbitrary and ephemeral symlinks for StateDirectory or RuntimeDirectory.
This is especially useful when sharing these directories between
different services, to make the same state/runtime directory 'backend'
appear as different names to each service, so that they can be added/removed
to a sharing agreement transparently, without code changes.

An example (simplified, but real) use case:

foo.service:
StateDirectory=foo

bar.service:
StateDirectory=bar

foo.service.d/shared.conf:
StateDirectory=
StateDirectory=shared:foo

bar.service.d/shared.conf:
StateDirectory=
StateDirectory=shared:bar

foo and bar use respectively /var/lib/foo and /var/lib/bar. Then
the orchestration layer decides to stop this sharing, the drop-in
can be removed. The services won't need any update and will keep
working and being able to store state, transparently.

To keep backward compatibility, new DBUS messages are added.
2021-10-28 10:47:46 +01:00
Iago López Galeiras
d6d6f55d8e man: document EXIT_BPF status 2021-10-06 10:52:14 +02:00
Iago López Galeiras
a6826f6b8e man: add RestrictFileSystems= documentation 2021-10-06 10:52:14 +02:00
alexlzhu
8c35c10d20 core: Add ExecSearchPath parameter to specify the directory relative to which binaries executed by Exec*= should be found
Currently there does not exist a way to specify a path relative to which
all binaries executed by Exec should be found. The only way is to
specify the absolute path.

This change implements the functionality to specify a path relative to which
binaries executed by Exec*= can be found.

Closes #6308
2021-09-28 14:52:27 +01:00
Zbigniew Jędrzejewski-Szmek
a14e028e86 man: cross-reference DeviceAllow= and PrivateDevices=
They are somewhat similar, but not easy to discover, esp. considering that
they are described in different pages.

For PrivateDevices=, split out the first paragraph that gives the high-level
overview. (The giant second paragraph could also use some heavy editing to break
it up into more digestible chunks, alas.)
2021-09-27 09:19:02 +02:00
Luca Boccassi
9c8b6eaa46 man: further document extension-release 2021-08-17 13:15:13 +01:00
Zbigniew Jędrzejewski-Szmek
d6029680df man: use title of docs/ pages when referring to them
There is some inconsistency, partially caused by the awkward naming
of the docs/ pages. But let's be consistent and use the "official" title.
If we ever change plural↔singular, we should use the same form everywhere.
2021-07-27 09:43:29 +02:00
Zbigniew Jędrzejewski-Szmek
be0d27ee0c man: fix assorted issues reported by the manpage-l10n project
Fixes #20297.
2021-07-27 09:43:29 +02:00
Lennart Poettering
8a6a781b58 man: document the new (Load|Set)CredentialEncrypted= settings 2021-07-08 09:31:43 +02:00
Yu Watanabe
3d62af7d23 tree-wide: fix "the the" and "a a" 2021-06-30 23:32:43 +09:00
dgcampea
e8f4bf33d8 man: fix incorrect description regarding DynamicUser= and StateDirectory= 2021-06-27 14:08:05 +01:00
Yu Watanabe
5181630f26 core: do not set nosuid mount option when SELinux is enabled
The mount option has special meaning when SELinux is enabled. To make
NoNewPrivileges=yes not break SELinux enabled systems, let's not set the
mount flag on such systems.
2021-06-25 15:37:35 +09:00
Yu Watanabe
6720e356c1 Revert "Revert "Mount all fs nosuid when NoNewPrivileges=yes""
This reverts commit 1753d30215.

Let's re-enable that feature now. As reported when the original commit
was merged, this causes some trouble on SELinux enabled systems. So,
in the subsequent commit, the feature will be disabled when SELinux is enabled.
But, anyway, this commit just re-enable that feature unconditionally.
2021-06-25 15:16:34 +09:00
Topi Miettinen
1753d30215 Revert "Mount all fs nosuid when NoNewPrivileges=yes"
This reverts commit d8e3c31bd8.

A poorly documented fact is that SELinux unfortunately uses nosuid mount flag
to specify that also a fundamental feature of SELinux, domain transitions, must
not be allowed either. While this could be mitigated case by case by changing
the SELinux policy to use `nosuid_transition`, such mitigations would probably
have to be added everywhere if systemd used automatic nosuid mount flags when
`NoNewPrivileges=yes` would be implied. This isn't very desirable from SELinux
policy point of view since also untrusted mounts in service's mount namespaces
could start triggering domain transitions.

Alternatively there could be directives to override this behavior globally or
for each service (for example, new directives `SUIDPaths=`/`NoSUIDPaths=` or
more generic mount flag applicators), but since there's little value of the
commit by itself (setting NNP already disables most setuid functionality), it's
simpler to revert the commit. Such new directives could be used to implement
the original goal.
2021-06-15 00:33:22 +09:00
Topi Miettinen
d8e3c31bd8 Mount all fs nosuid when NoNewPrivileges=yes
When `NoNewPrivileges=yes`, the service shouldn't have a need for any
setuid/setgid programs, so in case there will be a new mount namespace anyway,
mount the file systems with MS_NOSUID.
2021-05-26 17:42:39 +02:00
Lennart Poettering
7dbc38db50 man: explicit say for priority/weight values whether more is more or less
Fixes: #17523
2021-05-26 12:42:13 +01:00
Ryan Hendrickson
c2503e359a core: apply LogLevelMax to messages about units
This commit applies the filtering imposed by LogLevelMax on a unit's
processes to messages logged by PID1 about the unit as well.

The target use case for this feature is a service that runs on a timer
many times an hour, where the system administrator decides that writing
a generic success message to the journal every few minutes or seconds
adds no diagnostic value and isn't worth the clutter or disk I/O.
2021-05-03 17:48:41 +02:00
Yu Watanabe
4e6c50a5d4 core: add RestrictAddressFamilies=none to deny all address families
Closes #15753.
2021-04-19 11:47:08 +01:00
Lennart Poettering
8a29862e32 core: allow omitting second part of LoadCredentials= argument
This allows "LoadCredentials=foo" to be used as shortcut for
"LoadCredentials=foo:foo", i.e. it's a very short way to inherit a
credential under its original name from the service manager into a
service.
2021-03-26 12:20:29 +01:00
Luca Boccassi
301e7cd047 man: specify that ProtectProc= does not work with root/cap_sys_ptrace
When using hidepid=invisible on procfs, the kernel will check if the
gid of the process trying to access /proc is the same as the gid of
the process that mounted the /proc instance, or if it has the ptrace
capability:

https://github.com/torvalds/linux/blob/v5.10/fs/proc/base.c#L723
https://github.com/torvalds/linux/blob/v5.10/fs/proc/root.c#L155

Given we set up the /proc instance as root for system services,
The same restriction applies to CAP_SYS_PTRACE, if a process runs with
it then hidepid=invisible has no effect.

ProtectProc effectively can only be used with User= or DynamicUser=yes,
without CAP_SYS_PTRACE.
Update the documentation to explicitly state these limitations.

Fixes #18997
2021-03-15 16:53:16 +00:00
Zbigniew Jędrzejewski-Szmek
ba3dc45126 man: fix html links to two external man pages 2021-03-12 10:58:16 +01:00