mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-23 17:34:00 +03:00
Commit Graph

24183 Commits

Author SHA1 Message Date
Casey Schaufler
ae176752f9 smack: Handling network
- Set Smack ambient to match run label
- Set Smack netlabel host rules

Set Smack ambient to match run label
------------------------------------
Set the Smack networking ambient label to match the
run label of systemd. System services may expect to
communicate with external services over IP. Setting
the ambient label assigns that label to IP packets
that do not include CIPSO headers. This allows systemd
and the services it spawns access to unlabeled IP
packets, and hence external services.

A system may choose to restrict network access to
particular services later in the startup process.
This is easily done by resetting the ambient label
elsewhere.

Set Smack netlabel host rules
-----------------------------
If SMACK_RUN_LABEL is defined set all other hosts to be
single label hosts at the specified label. Set the loopback
address to be a CIPSO host.

If any netlabel host rules are defined in /etc/smack/netlabel.d
install them into the smackfs netlabel interface.

[Patrick Ohly: copied from https://review.tizen.org/git/?p=platform/upstream/systemd.git;a=commit;h=db4f6c9a074644aa2bf]
[Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"]
[Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"]
[Patrick Ohly: adapted to upstream code review feedback: error logging, string constants]
2016-01-11 11:12:06 +01:00
Daniel Mack
cf6c8c46fc Merge pull request #2287 from dandedrick/journal-gatewayd-timeout-fix
journal-gatewayd: timeout journal wait to allow thread cleanup
2016-01-08 09:25:21 +01:00
Daniel Mack
e056af1807 Merge pull request #2285 from evverx/fix-test-resolve
tests: test-resolve: wait until all queries are completed
2016-01-07 17:40:42 +01:00
Lennart Poettering
e67f68cc26 Merge pull request #2284 from teg/resolved-cname-2
resolved: query_process_cname - make fully recursive
2016-01-07 16:13:14 +01:00
Evgeny Vereshchagin
1e87f1f2a8 tests: test-resolve: wait until all queries are completed
This is a follow-up for 4a134c4903

Fixes:

$ ./test-resolve
209.132.183.105:80
209.132.183.105:80
canonical name: n/a
193.99.144.85:0
[2a02:2e0:3fe:1001:7777:772e:2:85]:0
canonical name: www.heise.de
Host: web.heise.de -- Serv: http

$ ./test-resolve
193.99.144.85:0
[2a02:2e0:3fe:1001:7777:772e:2:85]:0
canonical name: www.heise.de
Host: web.heise.de -- Serv: http

$ ./test-resolve
...
2016-01-07 14:12:03 +00:00
Tom Gundersen
4b4310db94 Merge pull request #2276 from poettering/dnssec12
Twelfth DNSSEC PR
2016-01-07 15:05:58 +01:00
Tom Gundersen
7588460aaf resolved: query_process_cname - make fully recursive
This ensures we properly resolve the CNAME chain as far as we can, rather
than only CNAME chains of length one.
2016-01-07 14:43:24 +01:00
Daniel Mack
a2e9fd6233 Merge pull request #2283 from evverx/update-valgrind-tests
build-sys: valgrind-tests: exclude python scripts too
2016-01-07 12:02:38 +01:00
Evgeny Vereshchagin
70fd79177f build-sys: valgrind-tests: exclude python scripts too 2016-01-07 10:01:45 +00:00
Lennart Poettering
28bf03b526 update DNSSEC TODO 2016-01-06 18:39:08 +01:00
Lennart Poettering
8a516214c4 resolved: introduce support for per-interface negative trust anchors 2016-01-06 18:36:32 +01:00
Daniel Mack
d2b8497d3c nspawn: fix two typos in error messages
On errors, mention the functions that really failed.
2016-01-06 14:57:29 +01:00
Daniel Mack
e7c1446ee1 Merge pull request #2137 from fbuihuu/fstab-gen-fix-device-timeout
Fstab gen fix device timeout
2016-01-06 13:53:29 +01:00
Daniel Mack
e433ebd2ff Merge pull request #2261 from evverx/fix-test-rlimit-util
tests: don't change hard limit in test-rlimit-util
2016-01-06 13:36:15 +01:00
Daniel Mack
0b460d9681 Merge pull request #2243 from evverx/add-regression-test-for-journald-restart
tests: add regression test for `systemctl restart systemd-journald`
2016-01-06 12:56:56 +01:00
Daniel Mack
d108cffc22 Merge pull request #2273 from evverx/fix-possible-lost-in-test-bus-cleanup
tests: use sd_bus_flush_close_unref instead of sd_bus_unref in test-bus-cleanup
2016-01-06 12:10:22 +01:00
Daniel Mack
b784a402a2 Merge pull request #2278 from systemd-mailing-devs/1452047873-6043-1-git-send-email-hui.wang@canonical.com
keymap: remap microphone mute keycode for Lenovo Thinkcentre M800z
2016-01-06 12:09:43 +01:00
Hui Wang
0319812234 keymap: remap microphone mute keycode for Lenovo Thinkcentre M800z
This Lenovo machine uses codec Line2 to implement a microphone mute
button, it depends on the unsolicited interrupt to generate key event,
the scan code for this button is assigned to 0x00 in the linux kernel
driver, and the keycode is KEY_MICMUTE(248), we need to remap this
keycode to KEY_F20 to make this hotkey work in X11.

BugLink: https://bugs.launchpad.net/bugs/1531362
Signed-off-by: Hui Wang <hui.wang@canonical.com>
2016-01-06 04:02:32 +01:00
Lennart Poettering
bec690501e resolved: when dumping the NTA database, sort output
Now that we populate the trust database by default with a larger number
of entries, we better make sure to output a more readable version.
2016-01-06 01:04:23 +01:00
Lennart Poettering
30c778094b resolved: populate negative trust anchor by default
Let's increase compatibility with many private domains by default, and
ship a default NTA list of well-known private domains, where it is
unlikely they will be deployed as official TLD anytime soon.
2016-01-06 01:04:23 +01:00
Lennart Poettering
b3331c3970 resolved: log all OOM errors 2016-01-06 00:59:32 +01:00
Lennart Poettering
86e9cbcaed resolved: reuse dns_trust_anchor_knows_domain() at another location 2016-01-06 00:58:26 +01:00
Lennart Poettering
e497292aba resolved: count unsupported dnssec algorithm as indeterminate RRset
After all, when we don't support the algorithm we cannot determine
validity.
2016-01-06 00:57:24 +01:00
Lennart Poettering
d33b6cf343 resolved: try to detect fritz.box-style private DNS zones, and downgrade to non-DNSSEC mode for them
This adds logic to detect cases like the Fritz!Box routers which serve
a private DNS domain "fritz.box" under the TLD "box" that does not
exist in the root servers. If this is detected DNSSEC validation is
turned off for this private domain, thus improving compatibility with
such private DNS zones.

This should be fairly secure as we first rely on the proof that .box
does not exist before this logic is applied. Nevertheless the logic is
only enabled for DNSSEC=allow-downgrade mode.

This logic does not work for routers that set up a full DNS zone directly
under a non-existing TLD, as in that case we cannot prove
that the domain is truly non-existing according to the root servers.
2016-01-05 22:13:56 +01:00
Lennart Poettering
105f6c4bdc resolved: when dumping trust anchor contents, clarify when it is empty 2016-01-05 20:27:29 +01:00
Lennart Poettering
3eb6aa009d resolved: fix DNSSEC transaction dependency recursion check
We followed the wrong connection. This only worked sometimes at all, because we
also return the wrong error code.
2016-01-05 20:27:18 +01:00
Lennart Poettering
d1d1d4b807 update DNSSEC TODO 2016-01-05 20:10:31 +01:00
Lennart Poettering
ad6c047561 resolved,networkd: add a per-interface DNSSEC setting
This adds a DNSSEC= setting to .network files, and makes resolved honour
them.
2016-01-05 20:10:31 +01:00
Lennart Poettering
125ae29d1b resolved: log about per-interface setting parse errors 2016-01-05 20:00:59 +01:00
Lennart Poettering
00f0a16ab4 resolved: properly release all DnsServers that belong to a link 2016-01-05 20:00:59 +01:00
Lennart Poettering
1ed8c0fbb4 resolved: rename "downgrade-ok" mode to "allow-downgrade"
After discussing this with Tom, we figured out "allow-downgrade" sounds
nicer.
2016-01-05 20:00:53 +01:00
Lennart Poettering
f41b446a76 man: document that DNS= and Domains= is implemented by resolved 2016-01-05 17:41:41 +01:00
Lennart Poettering
b83d91c029 resolved: make MulticastDNS support configurable in resolved.conf
The option is already there, but wasn't exported in the configuration
file so far. Fix that.
2016-01-05 17:41:41 +01:00
Lennart Poettering
aaa297d4e5 networkd,resolved: add a per-interface mdns configuration option 2016-01-05 17:41:41 +01:00
Lennart Poettering
af49ca27ff resolved,networkd: unify ResolveSupport enum
networkd previously knew an enum "ResolveSupport" for configuring
per-interface LLMNR support, resolved had a similar enum just called
"Support", with the same value and similar parsers.

Unify this, call the enum ResolveSupport, and port both daemons to it.
2016-01-05 17:30:51 +01:00
Lennart Poettering
b18b866215 basic: add string table macros for "extended boolean" enums
In a couple of cases we maintain configuration settings that know an on
and off state, like a boolean, plus some additional states. We generally
parse them as booleans first, and if that fails check for specific
additional values.

This adds a generalized set of macros for parsing such settings, and
ports one use in resolved and another in networkd over to it.
2016-01-05 17:30:43 +01:00
Lennart Poettering
38e5900fc6 sd-network: unify parsing of /run/systemd/netif/links/* string fields 2016-01-05 17:30:43 +01:00
Lennart Poettering
d57d3973a7 man: fix a few typos 2016-01-05 17:30:43 +01:00
Lennart Poettering
79a4c0160a Merge pull request #2272 from kinvolk/alban/typos
machine: fix typo: MS_MOUNT does not exist
2016-01-05 16:40:29 +01:00
Evgeny Vereshchagin
a5fd31e66f tests: use sd_bus_flush_close_unref instead of sd_bus_unref in test-bus-cleanup
Fixes:
$ make valgrind-tests TESTS=test-bus-cleanup
==6363== 9 bytes in 1 blocks are possibly lost in loss record 1 of 28
==6363==    at 0x4C2BBCF: malloc (vg_replace_malloc.c:299)
==6363==    by 0x197D12: hexmem (hexdecoct.c:79)
==6363==    by 0x183083: bus_socket_start_auth_client (bus-socket.c:639)
==6363==    by 0x1832A0: bus_socket_start_auth (bus-socket.c:678)
==6363==    by 0x183438: bus_socket_connect (bus-socket.c:705)
==6363==    by 0x14B0F2: bus_start_address (sd-bus.c:1053)
==6363==    by 0x14B592: sd_bus_start (sd-bus.c:1134)
==6363==    by 0x14B95E: sd_bus_open_system (sd-bus.c:1235)
==6363==    by 0x1127E2: test_bus_open (test-bus-cleanup.c:42)
==6363==    by 0x112AAE: main (test-bus-cleanup.c:87)
==6363==
...
$ ./libtool --mode=execute valgrind ./test-bus-cleanup
==6584== LEAK SUMMARY:
...
==6584==      possibly lost: 10,566 bytes in 27 blocks
2016-01-05 15:40:25 +00:00
Alban Crequy
ecb0573db1 machine: fix typo: MS_MOUNT does not exist 2016-01-05 16:14:42 +01:00
Tom Gundersen
16b85c51ed Merge pull request #2269 from poettering/dnssec11
Eleventh DNSSEC patch set
2016-01-05 15:47:15 +01:00
Lennart Poettering
b5a8703fdb man: add documentation for dnssec-trust-anchors.d(5) 2016-01-05 14:20:27 +01:00
Lennart Poettering
d76f90f171 resolved: also skip built-in trust anchor addition if there's a DNSKEY RR for the root domain defined
We already skip this when the trust anchor files define a DS RR for the
root domain, now also skip it if there's a DNSKEY RR.
2016-01-05 14:19:05 +01:00
Lennart Poettering
e7d179acb9 resolved: move trust anchor files to /etc/dnssec-trust-anchors.d/
These files are not specific to resolved really, and this is then more
in-line with how /etc/sysctl.d and suchlike is handled.
2016-01-05 14:18:18 +01:00
Lennart Poettering
2135de9adb Merge pull request #2205 from pohly/cgroup-smack-run-label
mount-setup.c: fix handling of symlink Smack labelling in cgroup setup
2016-01-05 12:51:14 +01:00
Patrick Ohly
ea2b93a8ee mount-setup.c: fix handling of symlink Smack labelling in cgroup setup
The code introduced in f8c1a81c51 (= systemd 227) failed for me with:
  Failed to copy smack label from net_cls to /sys/fs/cgroup/net_cls: No such file or directory

There is no need for a symlink in this case because source and target
are identical. The symlink() call is allowed to fail when the target
already exists. When that happens, copying the Smack label must be
skipped.

But the code also failed when there is a symlink, like "cpu ->
cpu,cpuacct", because mac_smack_copy() got called with
src="cpu,cpuacct" which fails to find the entry because the current
directory is not inside /sys/fs/cgroup. The absolute path to the existing
entry must be used instead.
2016-01-05 12:49:48 +01:00
Lennart Poettering
d3eae7d8c4 Merge pull request #2268 from whot/hwdb-updates
hwdb: add axis ranges and resolution for Dell Latitude E6220
2016-01-05 01:42:04 +01:00
Lennart Poettering
d3760be01b resolved: when caching negative responses, honour NSEC/NSEC3 TTLs
When storing negative responses, clamp the SOA minimum TTL (as suggested
by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove
non-existence, if there is any.

This is necessary since otherwise an attacker might put together a faked
negative response for one of our questions including a high-ttl SOA RR
for any parent zone, and we'd trust the TTL.
2016-01-05 01:35:28 +01:00
Lennart Poettering
519d39deee man: add basic documentation for resolved.conf's DNSSEC= switch 2016-01-05 00:31:32 +01:00