1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-22 13:33:56 +03:00
Commit Graph

24210 Commits

Author SHA1 Message Date
Lennart Poettering
e84750c905 editors: specify fill column
Let's be a bit more precise with the editor configuration and specify a higher fill column of 119. This isn't as emacs'
default of 70, but also not particularly high on today's screens.

While we are at it, also set a couple of other emacs C coding style variables.
2016-01-11 19:39:59 +01:00
Lennart Poettering
0c7bff0acc resolved: properly look for NSEC/NSEC3 RRs when getting a positive wildcard response
This implements RFC 5155, Section 8.8 and RFC 4035, Section 5.3.4:

When we receive a response with an RRset generated from a wildcard we
need to look for one NSEC/NSEC3 RR that proves that there's no explicit RR
around before we accept the wildcard RRset as response.

This patch does a couple of things: the validation calls will now
identify wildcard signatures for us, and let us know the RRSIG used (so
that the RRSIG's signer field let's us know what the wildcard was that
generate the entry). Moreover, when iterating trough the RRsets of a
response we now employ three phases instead of just two.

a) in the first phase we only look for DNSKEYs RRs
b) in the second phase we only look for NSEC RRs
c) in the third phase we look for all kinds of RRs

Phase a) is necessary, since DNSKEYs "unlock" more signatures for us,
hence we shouldn't assume a key is missing until all DNSKEY RRs have
been processed.

Phase b) is necessary since NSECs need to be validated before we can
validate wildcard RRs due to the logic explained above.

Phase c) validates everything else. This phase also handles RRsets that
cannot be fully validated and removes them or lets the transaction fail.
2016-01-11 19:39:59 +01:00
Lennart Poettering
cdbffec026 resolved: split up nsec3_hashed_domain() into two calls
There's now nsec3_hashed_domain_format() and nsec3_hashed_domain_make().
The former takes a hash value and formats it as domain, the latter takes
a domain name, hashes it and then invokes nsec3_hashed_domain_format().

This way we can reuse more code, as the formatting logic can be unified
between this call and another place.
2016-01-11 19:39:59 +01:00
Lennart Poettering
3f5ecaad3c resolved: drop flags unused parameter from nsec3_is_good 2016-01-11 19:39:59 +01:00
Lennart Poettering
c9c7206541 resolved: when validating, first strip revoked trust anchor keys from validated keys list
When validating a transaction we initially collect DNSKEY, DS, SOA RRs
in the "validated_keys" list, that we need for the proofs. This includes
DNSKEY and DS data from our trust anchor database. Quite possibly we
learn that some of these DNSKEY/DS RRs have been revoked between the
time we request and collect those additional RRs and we begin the
validation step. In this case we need to make sure that the respective
DS/DNSKEY RRs are removed again from our list. This patch adds that, and
strips known revoked trust anchor RRs from the validated list before we
begin the actual validation proof, and each time we add more DNSKEY
material to it while we are doing the proof.
2016-01-11 19:39:59 +01:00
Lennart Poettering
d12315a4c8 shared: simplify dns_name_hash_func() end of name detection 2016-01-11 19:39:59 +01:00
Lennart Poettering
509eddd202 resolved: make sure domain name hash function deals nicely with NUL embedded in labels 2016-01-11 19:39:59 +01:00
Lennart Poettering
b577e3d589 basic: introduce generic ascii_strlower_n() call and make use of it everywhere 2016-01-11 19:39:59 +01:00
Lennart Poettering
d424da2ae0 resolved: rework trust anchor revoke checking
Instead of first iterating through all DNSKEYs in the DnsAnswer in
dns_transaction_check_revoked_trust_anchors(), and
then doing that a second time in dns_trust_anchor_check_revoked(), do so
only once in the former, and pass the dnskey we found directly to the
latter.
2016-01-11 19:39:59 +01:00
Lennart Poettering
0f87f3e8e7 resolved: look for revoked trust anchors before validating a message
There's not reason to wait for checking for revoked trust anchors until
after validation, after all revoked DNSKEYs only need to be self-signed,
but not have a full trust chain.

This way, we can be sure that all trust anchor lookups we do during
validation already honour that some keys might have been revoked.
2016-01-11 19:39:59 +01:00
Lennart Poettering
0f23174c5c resolved: use dns_answer_size() where appropriate to handle NULL DnsAnswer 2016-01-11 19:39:58 +01:00
Lennart Poettering
f3cf586d56 resolved: remove one level of indentation in dns_transaction_validate_dnssec()
Invert an "if" check, so that we can use "continue" rather than another
code block indentation.
2016-01-11 19:39:58 +01:00
Lennart Poettering
35b011ed7c resolved: be less strict where the OPT pseudo-RR is placed
This increases compatibility with crappy Belkin routers.
2016-01-11 19:39:58 +01:00
Lennart Poettering
7e35195fe3 resolved: rename suffix_rr → zone_rr
The domain name for this NSEC3 RR was originally stored in a variable
called "suffix", which was then renamed to "zone" in
d1511b3338. Hence also rename the
RR variable accordingly.
2016-01-11 19:39:58 +01:00
Lennart Poettering
3a33c81bfe resolved: fix NSEC3 iterations limit to what RFC5155 suggests 2016-01-11 19:39:58 +01:00
Lennart Poettering
81c5eb5b3d Merge pull request #2262 from pohly/smack-network
smack: Handling network
2016-01-11 17:30:15 +01:00
Lennart Poettering
00fd1ac59f Merge pull request #2301 from martinpitt/kmod-static-condition
kmod-static-nodes: don't run if module list is empty
2016-01-11 17:26:30 +01:00
Daniel Mack
8565742559 Merge pull request #2302 from arthur-c/master
doc typo, src: systemd/src/journal-remote/journal-gatewayd.c
2016-01-11 16:56:22 +01:00
Lennart Poettering
d505ba8ec1 Merge pull request #2294 from zonque/in_set
macro.h: improve IN_SET helper macro
2016-01-11 16:45:26 +01:00
Arthur Clement
f81bae7599 doc typo, src: systemd/src/journal-remote/journal-gatewayd.c 2016-01-11 16:38:35 +01:00
Martin Pitt
6233c794b2 kmod-static-nodes: don't run if module list is empty
With this kmod commit, modules.devname will be empty by default instead of
containing just a comment:

  https://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/commit/?id=4c30a11d5f

Refine the startup condition of kmod-static-nodes.service to not run needlessly
if the list is empty.
2016-01-11 16:26:17 +01:00
Tom Gundersen
cfa0537cc3 Merge pull request #2293 from zonque/issue-2292
sd-netlink: fix assert
2016-01-11 13:17:15 +01:00
Daniel Mack
5d354397ef Merge pull request #2296 from dankor/master
Updated Ukrainian translation
2016-01-11 13:13:25 +01:00
Daniel Korostil
7c1336b0d9 Updated Ukrainian translation 2016-01-11 13:55:48 +02:00
Daniel Mack
d5b26d50fc macro.h: provide a switch-case statement generator for IN_SET
Rather than walking a list of valid values one-by-one, generate a
switch-case statement for the IN_SET() macro. This allows the compiler to
further optimize its code output, possibly by generating jump tables.
This effectively decreases the binary size slightly.

The implementation is based on macro overloading depending on the number of
arguments. h/t to the following post:

  https://stackoverflow.com/questions/11761703/overloading-macro-on-number-of-arguments
2016-01-11 12:02:36 +01:00
Casey Schaufler
ae176752f9 smack: Handling network
- Set Smack ambient to match run label
- Set Smack netlabel host rules

Set Smack ambient to match run label
------------------------------------
Set the Smack networking ambient label to match the
run label of systemd. System services may expect to
communicate with external services over IP. Setting
the ambient label assigns that label to IP packets
that do not include CIPSO headers. This allows systemd
and the services it spawns access to unlabeled IP
packets, and hence external services.

A system may choose to restrict network access to
particular services later in the startup process.
This is easily done by resetting the ambient label
elsewhere.

Set Smack netlabel host rules
-----------------------------
If SMACK_RUN_LABEL is defined set all other hosts to be
single label hosts at the specified label. Set the loopback
address to be a CIPSO host.

If any netlabel host rules are defined in /etc/smack/netlabel.d
install them into the smackfs netlabel interface.

[Patrick Ohly: copied from https://review.tizen.org/git/?p=platform/upstream/systemd.git;a=commit;h=db4f6c9a074644aa2bf]
[Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"]
[Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"]
[Patrick Ohly: adapted to upstream code review feedback: error logging, string constants]
2016-01-11 11:12:06 +01:00
Daniel Mack
201f0c916d tree-wide: unify argument lists of IN_SET()
The new implementation will not allow passing the same values more than
once, so clean up first.
2016-01-10 18:10:08 +01:00
Daniel Mack
f78bc916a6 sd-netlink: fix assert
nl->fd can be 0.
2016-01-10 15:36:03 +01:00
Daniel Mack
cf6c8c46fc Merge pull request #2287 from dandedrick/journal-gatewayd-timeout-fix
journal-gatewayd: timeout journal wait to allow thread cleanup
2016-01-08 09:25:21 +01:00
Daniel Mack
e056af1807 Merge pull request #2285 from evverx/fix-test-resolve
tests: test-resolve: wait until all queries are completed
2016-01-07 17:40:42 +01:00
Lennart Poettering
e67f68cc26 Merge pull request #2284 from teg/resolved-cname-2
resolved: query_process_cname - make fully recursive
2016-01-07 16:13:14 +01:00
Evgeny Vereshchagin
1e87f1f2a8 tests: test-resolve: wait until all queries are completed
This is a follow-up for 4a134c4903

Fixes:

$ ./test-resolve
209.132.183.105:80
209.132.183.105:80
canonical name: n/a
193.99.144.85:0
[2a02:2e0:3fe:1001:7777:772e:2:85]:0
canonical name: www.heise.de
Host: web.heise.de -- Serv: http

$ ./test-resolve
193.99.144.85:0
[2a02:2e0:3fe:1001:7777:772e:2:85]:0
canonical name: www.heise.de
Host: web.heise.de -- Serv: http

$ ./test-resolve
...
2016-01-07 14:12:03 +00:00
Tom Gundersen
4b4310db94 Merge pull request #2276 from poettering/dnssec12
Twelfth DNSSEC PR
2016-01-07 15:05:58 +01:00
Tom Gundersen
7588460aaf resolved: query_process_cname - make fully recursive
This ensures we properly resolve the CNAME chain as far as we can, rather
than only CNAME chains of length one.
2016-01-07 14:43:24 +01:00
Daniel Mack
a2e9fd6233 Merge pull request #2283 from evverx/update-valgrind-tests
build-sys: valgrind-tests: exclude python scripts too
2016-01-07 12:02:38 +01:00
Evgeny Vereshchagin
70fd79177f build-sys: valgrind-tests: exclude python scripts too 2016-01-07 10:01:45 +00:00
Lennart Poettering
28bf03b526 update DNSSEC TODO 2016-01-06 18:39:08 +01:00
Lennart Poettering
8a516214c4 resolved: introduce support for per-interface negative trust anchors 2016-01-06 18:36:32 +01:00
Daniel Mack
d2b8497d3c nspawn: fix two typos in error messages
On errors, mention the functions that really failed.
2016-01-06 14:57:29 +01:00
Daniel Mack
e7c1446ee1 Merge pull request #2137 from fbuihuu/fstab-gen-fix-device-timeout
Fstab gen fix device timeout
2016-01-06 13:53:29 +01:00
Daniel Mack
e433ebd2ff Merge pull request #2261 from evverx/fix-test-rlimit-util
tests: don't change hard limit in test-rlimit-util
2016-01-06 13:36:15 +01:00
Daniel Mack
0b460d9681 Merge pull request #2243 from evverx/add-regression-test-for-journald-restart
tests: add regression test for `systemctl restart systemd-journald`
2016-01-06 12:56:56 +01:00
Daniel Mack
d108cffc22 Merge pull request #2273 from evverx/fix-possible-lost-in-test-bus-cleanup
tests: use sd_bus_flush_close_unref instead of sd_bus_unref in test-bus-cleanup
2016-01-06 12:10:22 +01:00
Daniel Mack
b784a402a2 Merge pull request #2278 from systemd-mailing-devs/1452047873-6043-1-git-send-email-hui.wang@canonical.com
keymap: remap microphone mute keycode for Lenovo Thinkcentre M800z
2016-01-06 12:09:43 +01:00
Hui Wang
0319812234 keymap: remap microphone mute keycode for Lenovo Thinkcentre M800z
This Lenovo machine use codec Line2 to implement a microphone mute
button, it depends on the unsolicited interrupt to generate key event,
the scan code for this button is assigned to 0x00 in the linux kernel
driver, and the keycode is KEY_MICMUTE(248), we need to remap this
keycode to KEY_F20 to make this hotkey work in X11.

BugLink: https://bugs.launchpad.net/bugs/1531362
Signed-off-by: Hui Wang <hui.wang@canonical.com>
2016-01-06 04:02:32 +01:00
Lennart Poettering
bec690501e resolved: when dumping the NTA database, sort output
Now that we populate the trust database by default with a larger number
of entires, we better make sure to output a more readable version.
2016-01-06 01:04:23 +01:00
Lennart Poettering
30c778094b resolved: populate negative trust anchor by default
Let's increase compatibility with many private domains by default, and
ship a default NTA list of wel-known private domains, where it is
unlikely they will be deployed as official TLD anytime soon.
2016-01-06 01:04:23 +01:00
Lennart Poettering
b3331c3970 resolved: log all OOM errors 2016-01-06 00:59:32 +01:00
Lennart Poettering
86e9cbcaed resolved: reuse dns_trust_anchor_knows_domain() at another location 2016-01-06 00:58:26 +01:00
Lennart Poettering
e497292aba resolved: count unsupported dnssec algorithm as indeterminate RRset
After all, when we don't support the algorithm we cannot determine
validity.
2016-01-06 00:57:24 +01:00