1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-23 17:34:00 +03:00
Commit Graph

44862 Commits

Author SHA1 Message Date
Lennart Poettering
491ce16103 sd-bus: introduce new SD_BUS_VTABLE_ABSOLUTE_OFFSET vtable flag
When set, the offset specified for the vtable entry is passed to the
handler as-is, and is not added to the userdata pointer. This is useful
in case methods/properties are mixed on the same vtable, that expect to
operate relative to some object in memory and that expect pointers to
absolute memory, or that just want a number passed.
2020-05-13 16:57:44 +02:00
Lennart Poettering
61c12865f5 resolved: port to stat_inode_unmodified() 2020-05-13 16:57:44 +02:00
Lennart Poettering
fee5c52ac2 stat-util: add stat_inode_unmodified() helper that checks if an inode was modified 2020-05-13 16:57:44 +02:00
Дамјан Георгиевски
5a0173147b
docs: add some backticks and more formatting to PASSWORD_AGENTS.md (#15803)
docs: add some backticks and more formatting to PASSWORD_AGENTS.md
2020-05-13 14:52:09 +02:00
Zbigniew Jędrzejewski-Szmek
053fbf54fc
Merge pull request #15795 from gdamjan/master
docs: import password agents documentation
2020-05-13 08:32:57 +02:00
Lennart Poettering
266dd55505 systemctl: fix indentation of 'Active:' field in status output
Somehow two spaces got lost in d9e45bc3ab here, which made the status
output all unaligned. Let's put them back in.
2020-05-13 08:32:40 +02:00
Jeremy Cline
8284f81bf7 Tidy up the Fedora mkosi Package list
libzstd is a new dependency for systemd that's not in a stable release
yet, so it's not pulled in by the RPM package dependency. Manually
include it in the package section so the image mkosi produces works. It
can be removed when the RPM depends on it.

Additionally, a number of packages in the list appear to be pulled in
because they're dependencies in the systemd rpm, so remove them.
Finally, mkosi v5 adds the proper fs utilities for bootable images type
so drop that dependency as well.
2020-05-13 08:23:51 +02:00
Дамјан Георгиевски
8623836502 fix WikiWord not-links 2020-05-13 04:56:50 +02:00
Topi Miettinen
7d85383edb tree-wide: add size limits for tmpfs mounts
Limit size of various tmpfs mounts to 10% of RAM, except volatile root and /var
to 25%. Another exception is made for /dev (also /devs for PrivateDevices) and
/sys/fs/cgroup since no (or very few) regular files are expected to be used.

In addition, since directories, symbolic links, device specials and xattrs are
not counted towards the size= limit, number of inodes is also limited
correspondingly: 4MB size translates to 1k of inodes (assuming 4k each), 10% of
RAM (using 16GB of RAM as baseline) translates to 400k and 25% to 1M inodes.

Because nr_inodes option can't use ratios like size option, there's an
unfortunate side effect that with small memory systems the limit may be on the
too large side. Also, on an extremely small device with only 256MB of RAM, 10%
of RAM for /run may not be enough for re-exec of PID1 because 16MB of free
space is required.
2020-05-13 00:37:18 +02:00
Lennart Poettering
7cc8fb3ef0 update TODO 2020-05-12 23:56:26 +02:00
Lennart Poettering
08d50deaf8 core: don't bind varlink socket if running in test mode
Fixes: #15748
2020-05-12 22:10:49 +02:00
Дамјан Георгиевски
67a40f217c docs: import password agents documentation
imported from:
https://cgit.freedesktop.org/wiki/www/plain/Software/systemd/PasswordAgents.mdwn
2020-05-12 20:31:44 +02:00
Lennart Poettering
6c8428bb8b pam_systemd_home: also store acquirement fd per user
We might pin a home through authentication and a different one through a
session, all from the same PAM context, like sudo does. Hence also store
the referencing fd keyed by the user name.
2020-05-12 17:38:32 +02:00
Lennart Poettering
dbe7fff476 pam_systemd/pam_systemd_home: rework how we cache user records
Since acquiring user records involves plenty of IPC we try to cache user
records in the PAM context between our various hooks. Previously we'd
just cache whatever we acquired, and use it from the on, forever until
the context is destroyed.

This is problematic however, since some programs (notably sudo) use the
same PAM context for multiple different operations. Specifically, sudo
first authenticates the originating user before creating a session for
the destination user, all with the same PAM context. Thankfully, there
was a safety check for this case in place that re-validated that the
cached user record actually matched our current idea of the user to
operate on, but this just meant the hook would fail entirely.

Let's rework this: let's key the cache by the user name, so that we do
not confused by the changing of the user name during the context's
lifecycle and always, strictly use the cached user record of the user we
operate on.

Essentially this just means we now include the user name in the PAM data
field.

Secondly, this gets rid of the extra PAM data field that indicates
whether a user record is from homed or something else. To simplify
things we instead just cache the user record twice: once for consumption
by pam_systemd_home (which only wants homed records) and once shared by
pam_systemd and pam_systemd_home (and whoever else wants it). The cache
entries simply have different field names.
2020-05-12 17:38:32 +02:00
Lennart Poettering
0289b4ec69
Merge pull request #15785 from poettering/pam-sudo-fixes-part1
some simple PAM fixes split out of #15742
2020-05-12 15:54:42 +02:00
Zbigniew Jędrzejewski-Szmek
cd8fdc2c73
Merge pull request #15789 from poettering/homed-bus-api
man: document homed bus API
2020-05-12 11:42:40 +02:00
Lennart Poettering
3d9237d666 update TODO 2020-05-12 11:10:34 +02:00
Lennart Poettering
45c5fa253a pam_systemd: also print debug lines when ending a session 2020-05-12 11:10:30 +02:00
Lennart Poettering
3400bc866d pam_systemd: drop unused uid argument from export_legacy_dbus_address() 2020-05-12 11:10:27 +02:00
Lennart Poettering
da4340fd43 pam_systemd_home: use correct macro for converting ptr to fd 2020-05-12 11:10:10 +02:00
Lennart Poettering
2dffb32309 man: document homed D-Bus API 2020-05-12 11:07:01 +02:00
Lennart Poettering
55842c7326 homed: fix parameter names on D-Bus methods
These arguments contain UserRecord structures serialized to JSON,
however only the "secret" part of it, not a whole user record. We do
this since the secret part is conceptually part of the user record and
in some contexts we need a user record in full with both secret and
non-secret part, and in others just the secret and in other just the
non-secret part, but we want to keep this in memory in the same logic.

Hence, let's rename the arguments where we expect a user record
consisting only of the secret part to "secret".
2020-05-12 11:06:46 +02:00
Lennart Poettering
671fee1873 man: run man/update-dbus-docs again 2020-05-12 11:06:28 +02:00
Lennart Poettering
9e45fb09bf netlink: port to recvmsg_safe()
This also makes sure the control buffer is properly aligned. This
matters, as otherwise the control buffer might not be aligned and the
cmsg buffer counting might be off. The incorrect alignment is becoming
visible by using recvmsg_safe() as we suddenly notice the MSG_CTRUNC bit
set because of this.

That said, apparently this isn't enough to make this work on all
kernels. Since I couldn't figure this out, we now add 1K to the buffer
to be sure. We do this once already, also for a pktinfo structure
(though an IPv4/IPv6) one. I am puzzled by this, but this shouldn't
matter much. it works locally just fine, except for those ubuntu CI
kernels...

While we are at it, make some other changes too, to simplify and
modernize the function.
2020-05-12 10:47:06 +02:00
Joel Shapiro
d423294394 Fix misuse of PAM_PROMPT_ECHO_OFF in systemd-homed
Previously pam_systemd_home.so was relying on `PAM_PROMPT_ECHO_OFF` to
display error messages to the user and also display the next prompt.
`PAM_PROMPT_ECHO_OFF` was never meant as a way to convey information to
the user, and following the example set in pam_unix.so you can see that
it's meant to _only_ display the prompt. Details about why the
authentication failed should be done in a `PAM_ERROR_MSG` before
displaying a short prompt as per usual using `PAM_PROMPT_ECHO_OFF`.
2020-05-12 00:27:08 +02:00
Zbigniew Jędrzejewski-Szmek
9b107000ab
Merge pull request #15762 from keszybz/gcc-10-build
Fix build with -O3 with gcc 10
2020-05-11 19:43:40 +02:00
Andrew Doran
e7d5fe17db DHCP client: make SendOption work for DHCPv6 too. 2020-05-11 16:31:08 +02:00
Lennart Poettering
2d5996c175
Merge pull request #15460 from elmarco/network-dhcp-resolve1
network: fallback on resolve1 DNS for DHCP
2020-05-11 16:16:06 +02:00
Zbigniew Jędrzejewski-Szmek
94c0c5b7ea shared/ethtool-util: hush gcc warnings about array bounds
[127/1355] Compiling C object 'src/shared/5afaae1@@systemd-shared-245@sta/ethtool-util.c.o'
../src/shared/ethtool-util.c: In function ‘ethtool_get_permanent_macaddr’:
../src/shared/ethtool-util.c:260:60: warning: array subscript 5 is outside the bounds of an interior zero-length array ‘__u8[0]’ {aka ‘unsigned char[]’} [-Wzero-length-bounds]
  260 |                 ret->ether_addr_octet[i] = epaddr.addr.data[i];
      |                                            ~~~~~~~~~~~~~~~~^~~
In file included from ../src/shared/ethtool-util.c:5:
../src/shared/linux/ethtool.h:704:7: note: while referencing ‘data’
  704 |  __u8 data[0];
      |       ^~~~
../src/shared/ethtool-util.c: In function ‘ethtool_set_features’:
../src/shared/ethtool-util.c:488:31: warning: array subscript 0 is outside the bounds of an interior zero-length array ‘__u32[0]’ {aka ‘unsigned int[]’} [-Wzero-length-bounds]
  488 |         len = buffer.info.data[0];
      |               ~~~~~~~~~~~~~~~~^~~
In file included from ../src/shared/ethtool-util.c:5:
../src/shared/linux/ethtool.h:631:8: note: while referencing ‘data’
  631 |  __u32 data[0];
      |        ^~~~

The kernel should not define the length of the array, but it does. We can't fix
that, so let's use a cast to avoid the warning.

For https://github.com/systemd/systemd/issues/6119#issuecomment-626073743.

v2:
- use #pragma instead of a cast. It seems the cast only works in some cases, and
  gcc is "smart" enough to see beyond the cast. Unfortunately clang does not support
  this warning, so we need to do a config check whether to try to suppress.
2020-05-11 13:57:11 +02:00
Zbigniew Jędrzejewski-Szmek
6b726e602e
Merge pull request #15768 from poettering/grnd-insecure
random-util: make use of GRND_INSECURE if we have it
2020-05-11 12:49:00 +02:00
Zbigniew Jędrzejewski-Szmek
f1f7b08805
Merge pull request #15769 from poettering/man-tmpfiles-boot-override
man: document how "!" and conflicting lines play together in tmpfiles.d
2020-05-11 12:46:36 +02:00
Lennart Poettering
1e0d5eebf1 man: clarify that exit status name mappings are unaffected by SuccessExitStatus=
Fixes: #15757

(Note there's quite some confusion regarding "exit status" vs. "exit
code" in the docs here. We should clean this up fully one day. This
change tries to fix some occasions of the wrong use, but not all.)
2020-05-11 12:37:32 +02:00
Benjamin Dahlhoff
13c829c1bd
Added Chuwi Hibook Pro (Model: CWI526) (#15770) 2020-05-11 10:25:02 +02:00
Lennart Poettering
8270e3d8ed seccomp-util: add new syscalls from kernel 5.6 to syscall filter table 2020-05-11 06:24:02 +00:00
Benjamin Robin
fcee2755ec core: Update prototype of notify_message, tags list is read only
Indicates that the tags list cannot be modified by notify_message function.
Since the tags list is created only once for multiple call to
notify_message functions.
2020-05-10 18:58:03 +02:00
Benjamin Robin
147d8fc1a7 basic: Allow to call STRV_FOREACH_BACKWARDS() with a char * const * strv 2020-05-10 18:57:56 +02:00
Lennart Poettering
ead2a4a231 tmpfiles: clarify that "!" lines are filtered before collisions are checked
Fixes: #15675
2020-05-10 11:45:52 +02:00
Lennart Poettering
f742f9d317 man: mention the exclamation mark and minus sign literally, to make things searchable
I was looking for the explanation for the exclamation mark in the text,
and couldn't find it, searching for "!". Let's make this easier, and
indicate the character meant.
2020-05-10 11:44:53 +02:00
Lennart Poettering
82c8bda1f1 update TODO 2020-05-10 11:20:01 +02:00
Lennart Poettering
0497c4c28a random-util: make use of GRND_INSECURE when it is defined
kernel 5.6 added support for a new flag for getrandom(): GRND_INSECURE.
If we set it we can get some random data out of the kernel random pool,
even if it is not yet initializated. This is great for us to initialize
hash table seeds and such, where it is OK if they are crap initially. We
used RDRAND for these cases so far, but RDRAND is only available on
newer CPUs and some archs. Let's now use GRND_INSECURE for these cases
as well, which means we won't needlessly delay boot anymore even on
archs/CPUs that do not have RDRAND.

Of course we never set this flag when generating crypto keys or uuids.
Which makes it different from RDRAND for us (and is the reason I think
we should keep explicit RDRAND support in): RDRAND we don't trust enough
for crypto keys. But we do trust it enough for UUIDs.
2020-05-10 11:15:16 +02:00
Lennart Poettering
e2b5546452 random-util: use ERRNO_IS_NOT_SUPPORTED() macro
Some container mgr or sandbox solution might block it with an unexpected
error code, hence let's be tolerant here.
2020-05-10 11:14:17 +02:00
Lennart Poettering
57ee010ff2 random-util: actually encode our expectations on RAND_MAX 2020-05-10 11:13:49 +02:00
Lennart Poettering
f1eb0ccd9e update TODO 2020-05-10 10:19:12 +02:00
Lennart Poettering
622e1cdb31 fs-util: beef up path_is_encrypted() to deal with LVM block devices
Let's iterate through the slaves/ directory to find backing devices of
the block devices we care about.
2020-05-10 09:23:30 +02:00
Benjamin Robin
20c3acfaad tree-wide: Replace assert() by assert_se() when there is side effect 2020-05-10 09:23:12 +02:00
Lennart Poettering
b2da95cfa1 update TODO 2020-05-09 11:10:56 +02:00
Lennart Poettering
15981c26e3 update TODO 2020-05-09 10:37:32 +02:00
Zbigniew Jędrzejewski-Szmek
23450c897d core: fix compilation with gcc -O3
../src/core/path.c: In function ‘path_serialize’:
../src/core/path.c:616:24: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
  616 |                 (void) serialize_item_format(f, "path-spec", "%s %%i %%s",
      |                        ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  617 |                                              path_type_to_string(s->type) //,
      |                                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  618 |                                              //                                             s->previous_exists,
      |                                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  619 |                                              //                                             s->path
      |                                              ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  620 |                 );
      |                 ~
In function ‘path_spec_dump’,
    inlined from ‘path_dump’ at ../src/core/path.c:392:17:
../src/core/path.c:226:9: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
  226 |         fprintf(f,
      |         ^~~~~~~~~~
  227 |                 "%s%s: %s\n",
      |                 ~~~~~~~~~~~~~
  228 |                 prefix,
      |                 ~~~~~~~
  229 |                 path_type_to_string(s->type),
      |                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
  230 |                 s->path);
      |                 ~~~~~~~~

s->type should be valid here, so let's just add an assert.

For https://github.com/systemd/systemd/issues/6119#issuecomment-626073743.
2020-05-09 09:10:25 +02:00
наб
2f665f2437 networkctl: use uint64_t for link speed throughout
format-table used size_t/uint64_t interchangeably for TABLE_BPS,
and ethtool-util used SIZE_MAX to indicate SPEED_UNKNOWN,
which worked only on ABIs with 64-bit pointers.

For example, the tg3 driver returns SPEED_UNKNOWN with no link (cf.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/drivers/net/ethernet/broadcom/tg3.c?id=3eb2efbea193789397c36f52b17d8692ac79bf68#n12190)
which on x32 (and other 32-bit ABIs, presumably) caused
"networkctl status" to mark it with "Speed: 4Gbps":

nabijaczleweli@szarotka:~$ networkctl --version
systemd 245 (245.5-2)
nabijaczleweli@szarotka:~$ file $(which networkctl)
/bin/networkctl: ELF 32-bit LSB shared object, x86-64, version 1 (SYSV),
dynamically linked, interpreter /libx32/ld-linux-x32.so.2,
BuildID[sha1]=36d684cb1fc8fb5060050d32b969e5aa172fa607, for GNU/Linux
3.4.0, stripped
nabijaczleweli@szarotka:~$ networkctl status onboard1
● 4: onboard1
                Driver: tg3
                 Model: NetXtreme BCM5755 Gigabit Ethernet PCI Express
                 Speed: 4Gbps

Whereas on 64-bit-pointer ABIs (here: amd64):

nabijaczleweli@szarotka:~$ networkctl --version
systemd 245 (245.5-2)
nabijaczleweli@szarotka:~$ file $(which networkctl)
/bin/networkctl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
BuildID[sha1]=7a3e406e54968d7774ad467fc3f6a9d35ff7aea2, for GNU/Linux
3.2.0, stripped
nabijaczleweli@szarotka:~$ networkctl status onboard1
● 4: onboard1
                Driver: tg3
                 Model: NetXtreme BCM5755 Gigabit Ethernet PCI Express
                 Speed: n/a

With this patch, networkctl returns, for x32:

nabijaczleweli@szarotka:~$ networkctl --version
systemd 245 (245.5-2.1~networkctl-4g-v2)
nabijaczleweli@szarotka:~$ file $(which networkctl)
/bin/networkctl: ELF 32-bit LSB shared object, x86-64, version 1 (SYSV),
dynamically linked, interpreter /libx32/ld-linux-x32.so.2,
BuildID[sha1]=36d684cb1fc8fb5060050d32b969e5aa172fa607, for GNU/Linux
3.4.0, stripped
nabijaczleweli@szarotka:~$ networkctl status onboard1
● 4: onboard1
                Driver: tg3
                 Model: NetXtreme BCM5755 Gigabit Ethernet PCI Express
                 Speed: n/a

And for amd64:

nabijaczleweli@szarotka:~$ file $(which networkctl)
/bin/networkctl: ELF 64-bit LSB shared object, x86-64, version 1 (SYSV),
dynamically linked, interpreter /lib64/ld-linux-x86-64.so.2,
BuildID[sha1]=7a3e406e54968d7774ad467fc3f6a9d35ff7aea2, for GNU/Linux
3.2.0, stripped
nabijaczleweli@szarotka:~$ networkctl status onboard1
● 4: onboard1
                Driver: tg3
                 Model: NetXtreme BCM5755 Gigabit Ethernet PCI Express
                 Speed: n/a
2020-05-09 08:49:31 +02:00
Frantisek Sumsal
a114ab6373 cifuzz: fuzz the master branch on push
Apart from running CIFuzz for each relevant PR, let's run it
unconditionally for each push to master to detect possible issues
(caused by ignored PRs, etc.).

Followup to 94f660a8fe.
2020-05-08 21:30:19 +03:00