1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-23 17:34:00 +03:00
Commit Graph

53523 Commits

Author SHA1 Message Date
Lennart Poettering
da3ab57cbc update TODO 2021-10-07 15:43:24 +02:00
Lennart Poettering
4c737f4ef1
Merge pull request #20948 from poettering/cgls-xattr
cgls: show cgroup id and xattr info in output
2021-10-07 15:25:03 +02:00
Lennart Poettering
d83a8ed002 bash-completion: add the two new switches to systemd-cgls
(completion hookup for zsh doesn't appear to exist, hence not adding
there.)
2021-10-07 11:51:10 +02:00
Lennart Poettering
bd3bfc8856 man: document the two new switches for systemd-cgls 2021-10-07 11:50:52 +02:00
Lennart Poettering
87843de48b cgls: enable cgroupid/xattr output by default (but make it configurable) 2021-10-07 11:50:47 +02:00
Lennart Poettering
5a5a5d2914 cgroups-show: optionally show cgroup xattrs + cgroup id in cgroup tree output 2021-10-07 11:50:42 +02:00
Lennart Poettering
aa13d38417 cgroups-show: use path_join() when concatenating cgroup paths 2021-10-07 11:50:02 +02:00
Lennart Poettering
40d4320dea cgroups-show: validate specified hostname before including it in fs path
let's make sure the specified hostname is really valid before we build
an fs path from it. Just as a safety future, so that people can't trick
us with hostnames including "/../" or so.
2021-10-07 11:49:57 +02:00
Lennart Poettering
a5edf95ec2 cgroup-util: add reusable union type for cgroupfs file_handle structs
That way we can easily call name_to_handle_at() on cgroupfs2 elsewhere.
2021-10-07 11:49:44 +02:00
Lennart Poettering
c53e07e249 xattr-util: merge various getxattr()/listxattr() helpers into getxattr_at_malloc() + listxattr_at_malloc()
Unfortunately fgetxattr() and flistxattr() don't work via O_PATH fds.
Let's thus add fallbacks to go via /proc/self/fd/ in these cases.

Also, let's merge all the various flavours we have here into singular
implementations that can do everything we need:

1. malloc() loop handling
2. by fd, by path, or combination (i.e. a proper openat() like API)
3. work on O_PATH
2021-10-07 11:49:22 +02:00
Luca Boccassi
c9d1c37c93 test: make OpenSSL checks optional in TEST-50-DISSECT
If the packages are built without libssl simply skip the signature
checks.

Oct 06 21:21:32 H systemd[1]: systemd 249.1249.gcc4df1f787.0 running in system mode (+PAM +AUDIT +SELINUX +APPARMOR +IMA +SMACK +SECCOMP +GCRYPT +GNUTLS -OPENSSL
...
Oct 06 21:22:21 H systemd[459]: Activation of signed Verity volume worked neither via the kernel nor in userspace, can't activate.

Follow-up for #20691
2021-10-07 08:41:33 +02:00
Luca Boccassi
0cf250022c
Merge pull request #20926 from yuwata/udev-net-wol-sopass
udev/net: introduce WakeOnLanPassword=
2021-10-06 23:36:05 +01:00
Frantisek Sumsal
f415cdb372 test: test udev with a _very_ long device name
Let's attempt to provide some coverage for #16161, #6867, and similar.
2021-10-07 03:17:44 +09:00
Daan De Meyer
414bd2e786 coredump: Don't log an error if D-Bus isn't running
coredumpctl could be used in a chroot where D-Bus isn't running. If
that's the case, we shouldn't consider it an error if we can't connect
to the D-Bus daemon so let's reduce the severity of the error we log
when we can't connect to D-Bus because the socket doesn't exist.
2021-10-07 02:23:11 +09:00
Yu Watanabe
d489317f59
Merge pull request #20935 from unusual-thoughts/fix-empty-argv
Fix #20933
2021-10-07 01:53:51 +09:00
Yu Watanabe
d3867133f0 udev/net: introduce WakeOnLanPassword=
Closes #20913.
2021-10-07 01:50:37 +09:00
Lennart Poettering
9a1ddc8dee
Merge pull request #18145 from kinvolk/iaguis/lsm-bpf
Add RestrictFileSystems= property using LSM BPF
2021-10-06 16:23:27 +02:00
Lennart Poettering
8b4f88d136 user-record: disable two pbkdf fields that don't apply for pkbdf2
Fixes: #20830
2021-10-06 16:21:09 +02:00
Yu Watanabe
9bd3ecdd8d ethtool-util: make ethtool_set_wol() take password 2021-10-06 21:57:14 +09:00
Yu Watanabe
20274ab86a ethtool-util: do not try to enable unsupported WoL options 2021-10-06 21:44:02 +09:00
Yu Watanabe
b4b2a49287 ethtool-util: make wol_options_to_string() not return all flag strings 2021-10-06 21:33:06 +09:00
chlorophyll-zz
1d3d81cf01 Update 60-sensor.hwdb
#20287 was wrong. 
Y Axis was only reversed on Arch Linux because of a problem with iio-sensor-proxy
This restores before the patch.
2021-10-06 13:11:41 +01:00
Yu Watanabe
8688a389ca core/service: also check path in exec commands 2021-10-06 13:06:00 +02:00
Zbigniew Jędrzejewski-Szmek
e5f093bf99 man: add discussion of read-only filesystem support in daemons
This is inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1853293.  Let's
mention that applications should be prepared for /var being read-only.
2021-10-06 09:54:17 +01:00
Iago López Galeiras
20080622de man: document systemd-analyze filesystems 2021-10-06 10:52:15 +02:00
Iago López Galeiras
b41711cd46 analyze: add filesystems command 2021-10-06 10:52:15 +02:00
Iago López Galeiras
ec31dd5a98 README: document LSM BPF requirements 2021-10-06 10:52:15 +02:00
Iago López Galeiras
8216741cf9 test: add test-bpf-lsm 2021-10-06 10:52:15 +02:00
Iago López Galeiras
d6d6f55d8e man: document EXIT_BPF status 2021-10-06 10:52:14 +02:00
Iago López Galeiras
a6826f6b8e man: add RestrictFileSystems= documentation 2021-10-06 10:52:14 +02:00
Iago López Galeiras
af11239196 mkosi: add libbpf dependency
For distros that ship libbpf >=0.2.0.
2021-10-06 10:52:14 +02:00
Iago López Galeiras
cc86a278de core: add dbus RestrictFileSystems= properties 2021-10-06 10:52:14 +02:00
Iago López Galeiras
e59ccd035c core: add RestrictFileSystems= fragment parser
It takes an allow or deny list of filesystems services should have
access to.
2021-10-06 10:52:14 +02:00
Iago Lopez Galeiras
b1994387d3 core: use LSM BPF functions to implement RestrictFileSystems=
It attaches the LSM BPF program when the system manager starts up.

It populates the hash of maps BPF map when services that have
RestrictFileSystems= set start.

It cleans up the hash of maps when the unit cgroup is pruned.

To pass the file descriptor of the BPF map we add it to the keep_fds
array.
2021-10-06 10:52:14 +02:00
Iago Lopez Galeiras
184b4f78cf core: add BPF LSM functions
This adds 6 functions to implement RestrictFileSystems=

* lsm_bpf_supported() checks if LSM BPF is supported. It checks that
  cgroupv2 is used, that BPF LSM is enabled, and tries to load the BPF
  LSM program which makes sure BTF and hash of maps are supported, and
  BPF LSM programs can be loaded.
* lsm_bpf_setup() loads and attaches the LSM BPF program.
* lsm_bpf_unit_restrict_filesystems() populates the hash of maps BPF map with the
  cgroupID and the set of allowed or denied filesystems.
* lsm_bpf_cleanup() removes a cgroupID entry from the hash of maps.
* lsm_bpf_map_restrict_fs_fd() is a helper function to get the file
  descriptor of the BPF map.
* lsm_bpf_destroy() is a wrapper around the destroy function of the BPF
  skeleton file.
2021-10-06 10:52:14 +02:00
Iago López Galeiras
510cdbeb5b shared/bpf-dlopen: expose more libbpf functions
They're needed for the LSM BPF feature.
2021-10-06 10:52:14 +02:00
Iago López Galeiras
d13b60d8af exit-status: add EXIT_BPF
It will be used later.
2021-10-06 10:52:14 +02:00
Iago López Galeiras
535e3dd091 cgroup-util: add cg_path_get_cgroupid()
It returns the cgroupID from a cgroup path.
2021-10-06 10:52:14 +02:00
Iago López Galeiras
021d1e9612 bpf: add restrict_fs BPF program
It hooks into the file_open LSM hook and allows only when the filesystem
where the open will take place is present in a BPF map for a particular
cgroup.

The BPF map used is a hash of maps with the following structure:

    cgroupID -> (s_magic -> uint32)

The inner map is effectively a set.

The entry at key 0 in the inner map encodes whether the program behaves
as an allow list or a deny list: if its value is 0 it is a deny list,
otherwise it is an allow list.

When the cgroupID is present in the map, the program checks the inner
map for the magic number of the filesystem associated with the file
that's being opened. When the program behaves as an allow list, if that
magic number is present it allows the open to succeed, when the program
behaves as a deny list, it only allows access if the that magic number
is NOT present. When access is denied the program returns -EPERM.

The BPF program uses CO-RE (Compile-Once Run-Everywhere) to access
internal kernel structures without needing kernel headers present at
runtime.
2021-10-06 10:52:14 +02:00
Iago López Galeiras
659d19243c basic: use filesystem database 2021-10-06 10:52:14 +02:00
Iago López Galeiras
1315ce3120 basic: add filesystem database
Stores filesystem_name -> magic_number(s).
2021-10-06 10:52:10 +02:00
Iago López Galeiras
3ef4e91abe missing_magic: add several filesystems
They were failing on CI.
2021-10-06 10:48:32 +02:00
Iago Lopez Galeiras
2ac5f90d59 basic: move CIFS magic number to missing_magic.h
It fits better there.
2021-10-06 10:48:32 +02:00
Lennart Poettering
95ef0eaf0d unit-file: tighten unit file discovery checks
Only accept DT_REG/DT_LNK/DT_DIR entries, ignore all others.

Only accpet DT_REG/DT_LNK for file names that are valid unit file names.

Only accept DT_DIR for filenames that are valid unit file names which
are suffixed by .d, .wants, .requires

This doesn't really fix any bugs, but tightens what we insert into the
lookup tables.
2021-10-06 12:28:19 +09:00
Yu Watanabe
1eb3ef78b4
Merge pull request #20937 from poettering/sync-split
split up a few files in src/basic/
2021-10-06 12:27:27 +09:00
Andrew Soutar
5ef97a7122
basic/env-util: correctly parse extended vars after non-extended vars (#20941) 2021-10-06 11:55:27 +09:00
Lennart Poettering
8ac04a6547 repart: use right error variable 2021-10-05 19:41:35 +01:00
Lennart Poettering
01bebba3de basic: move chase_symlinks_and_fopen_unlocked() → chase-symlinks.[ch] 2021-10-05 19:37:30 +01:00
Henri Chain
29500cf8c4 core: fix SIGABRT on empty exec command argv
This verifies that the argv part of any exec_command parameters that
are sent through dbus is not empty at deserialization time.

There is an additional check in service.c service_verify() that again
checks if all exec_commands are correctly populated, after the service
has been loaded, whether through dbus or otherwise.

Fixes #20933.
2021-10-06 00:16:47 +09:00
Lennart Poettering
f435195925 basic: spit out chase_symlinks() from fs-util.[ch] → chase-symlinks.[ch] 2021-10-05 16:14:37 +02:00