1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-12 09:17:44 +03:00
Commit Graph

58220 Commits

Author SHA1 Message Date
Jan Janssen
f747ca3ec3 boot: Drop use of LibOpenRoot 2022-06-09 12:50:13 +02:00
Jan Janssen
7ebce8145e boot: Drop use of LibGetSystemConfigurationTable 2022-06-09 12:50:13 +02:00
Jan Janssen
23742af522 boot: Drop use of MetaiMatch
A future commit will add support for unicode collation protocol that
allows case folding and comparing strings with locale awareness. But it
only operates on whole strings, so fnmatch cannot use those without a
heavy cost. Instead we just case fold the patterns instead (the IDs we
try to match are already lower case).
2022-06-09 12:50:13 +02:00
Jan Janssen
0e8ecba96e boot: Add efi_fnmatch
Unlike MetaiMatch from the UEFI spec/EDK2 this implementation is
intended to be compatible with POSIX fnmatch.
2022-06-09 12:50:08 +02:00
Zbigniew Jędrzejewski-Szmek
2299b1cae3 Resolve conflicts between #23616 and the recent NFT additions 2022-06-09 10:06:30 +02:00
Yu Watanabe
377157e6bd
Merge pull request #23616 from keszybz/in-addr-to-string-formatting
Add macros that allocate a fixed buffer for in_addr_to_string(), in_addr_prefix+to_string()
2022-06-09 15:21:57 +09:00
Jeremy Soller
295e0291bf hwdb: Add HP Dev One
This enables the microphone mute and programmable hotkey for the HP Dev
One.
2022-06-09 13:48:19 +09:00
Daan De Meyer
a22f518676 meson: Add nspawn-locale meson option
https://github.com/systemd/systemd/pull/23192 caused breakage in
Arch Linux's build tooling. Let's give users an opt-out aside from
reverting the patch. It's hardly any maintenance work on our side
and gives users an easy way to revert the locale change if needed.

Of course, by default we still pick C.UTF-8 if the option is not
specified.
2022-06-09 13:08:27 +09:00
Yu Watanabe
adf59bffe5
Merge pull request #23675 from enr0n/udev-available-cleanup
Use udev_available() where appropriate
2022-06-09 12:12:01 +09:00
Nick Rosbrook
c76b8751b3 nspawn: use udev_available() 2022-06-08 18:32:37 -04:00
Nick Rosbrook
bfe2e67f25 libsystemd-network: use udev_available() 2022-06-08 18:32:37 -04:00
Evgeny Vereshchagin
4f62dc3e92 cifuzz: build fuzzers on i386 as well
It's a follow-up to https://github.com/systemd/systemd/pull/23550.
2022-06-08 21:32:38 +00:00
H A
3c3d28088f po: Added translation using Weblate (Estonian)
Co-authored-by: H A <contact+fedora@hen.ee>
2022-06-08 21:30:53 +00:00
Topi Miettinen
46c3b1ff88 core: firewall integration with DynamicUserNFTSet=
New directive `DynamicUserNFTSet=` provides a method for integrating
configuration of dynamic users into firewall rules with NFT sets.

Example:
```
table inet filter {
        set u {
                typeof meta skuid
        }

        chain service_output {
                meta skuid != @u drop
                accept
        }
}
```

```
/etc/systemd/system/dunft.service
[Service]
DynamicUser=yes
DynamicUserNFTSet=inet:filter:u
ExecStart=/bin/sleep 1000

[Install]
WantedBy=multi-user.target
```

```
$ sudo nft list set inet filter u
table inet filter {
        set u {
                typeof meta skuid
                elements = { 64864 }
        }
}
$ ps -n --format user,group,pid,command -p `pgrep sleep`
    USER    GROUP     PID COMMAND
   64864    64864   55158 /bin/sleep 1000
```
2022-06-08 16:12:25 +00:00
Topi Miettinen
c0548df0a2 core: firewall integration with ControlGroupNFTSet=
New directive `ControlGroupNFTSet=` provides a method for integrating services
into firewall rules with NFT sets.

Example:

```
table inet filter {
...
        set timesyncd {
                type cgroupsv2
        }

        chain ntp_output {
                socket cgroupv2 != @timesyncd counter drop
                accept
        }
...
}
```

/etc/systemd/system/systemd-timesyncd.service.d/override.conf
```
[Service]
ControlGroupNFTSet=inet:filter:timesyncd
```

```
$ sudo nft list set inet filter timesyncd
table inet filter {
        set timesyncd {
                type cgroupsv2
                elements = { "system.slice/systemd-timesyncd.service" }
        }
}
```
2022-06-08 16:12:25 +00:00
Topi Miettinen
ab51fd9dbd network: firewall integration with NFT sets
New directives `NFTSet=`, `IPv4NFTSet=` and `IPv6NFTSet=` provide a method for
integrating configuration of dynamic networks into firewall rules with NFT
sets.

/etc/systemd/network/eth.network
```
[DHCPv4]
...
NFTSet=netdev:filter:eth_ipv4_address
```

```
table netdev filter {
        set eth_ipv4_address {
                type ipv4_addr
                flags interval
        }
        chain eth_ingress {
                type filter hook ingress device "eth0" priority filter; policy drop;
                ip saddr != @eth_ipv4_address drop
                accept
        }
}
```
```
sudo nft list set netdev filter eth_ipv4_address
table netdev filter {
        set eth_ipv4_address {
                type ipv4_addr
                flags interval
                elements = { 10.0.0.0/24 }
        }
}
```
2022-06-08 16:12:25 +00:00
Luca Boccassi
e8f1b50f27
Merge pull request #23641 from keszybz/janitorials
Janitorial cleanups
2022-06-08 17:08:13 +01:00
Daan De Meyer
647475c7df basic: Propagate SIGBUS signal info when re-raising signals
raise() won't propagate the siginfo information of the signal that's
re-raised. rt_sigqueueinfo() allows us to provide the original siginfo
struct which makes sure it is propagated to the next signal handler
(or to the coredump).
2022-06-07 19:10:34 +01:00
Zbigniew Jędrzejewski-Szmek
0d7e34e3e6 basic/socket-util: align tables 2022-06-07 15:18:46 +02:00
Zbigniew Jędrzejewski-Szmek
76973becae activate: reduce scope of iterator variables 2022-06-07 15:18:46 +02:00
Zbigniew Jędrzejewski-Szmek
09f4d843ee core: wrap some long comments 2022-06-07 15:18:46 +02:00
Zbigniew Jędrzejewski-Szmek
066a6f0768 shared/condition: reduce scope of variables 2022-06-07 15:18:38 +02:00
Zbigniew Jędrzejewski-Szmek
da60e5b5c7 bootctl: inline iterator variable 2022-06-07 15:17:06 +02:00
Daan De Meyer
db6f9b02a7
Merge pull request #23645 from DaanDeMeyer/journalctl-static-destructor
journalctl: Use STATIC_DESTRUCTOR_REGISTER()
2022-06-07 12:28:37 +01:00
Frantisek Sumsal
27ce9f688c
Merge pull request #23643 from mrc0mmand/asan-tweaks
test: fix (not only) TEST-70 under sanitizers
2022-06-07 11:19:11 +00:00
Mike Gilbert
e91119c3a4 meson: adjust rootlibdir default for multiarch
On Debian, libdir is commonly something like 'lib/x86_64-linux-gnu'.

The result of get_option('libdir') is normalized to a prefix-relative
path by meson, so we can just append it to rootprefixdir.

Fixes https://github.com/systemd/systemd/issues/23648.
2022-06-07 12:26:38 +02:00
Michael Biebl
5fb225615b meson: install libsystemd-shared into rootpkglibdir
Introduce rootpkglibdir for installing libsystemd-{shared,core}.so.
The benefit over using rootlibexecdir is that this path can be
multiarch aware, i.e. this path can be architecture qualified.

This is something we'd like to make use of in Debian/Ubuntu to make
libsystemd-shared co-installable, e.g. for i386 the path would be
/usr/lib/i386-linux-gnu/systemd/libsystemd-shared-*.so and for amd64
/usr/lib/x86_64-linux-gnu/systemd/libsystemd-shared-*.so.
This will allow for example to install and run systemd-boot/i386 on an
amd64 host. It also simplifies/enables cross-building/bootstrapping.

For more infos about Multi-Arch see https://wiki.debian.org/Multiarch.

See also https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990547
2022-06-07 10:04:43 +02:00
Topi Miettinen
3cf63830ac networkd: NetLabel integration
New directive `NetLabel=` provides a method for integrating dynamic network
configuration into Linux NetLabel subsystem rules, used by Linux security
modules (LSMs) for network access control. The option expects a whitespace
separated list of NetLabel labels. The labels must conform to lexical
restrictions of LSM labels. When an interface is configured with IP addresses,
the addresses and subnetwork masks will be appended to the NetLabel Fallback
Peer Labeling rules. They will be removed when the interface is
deconfigured. Failures to manage the labels will be ignored.

Example:
```
[DHCP]
NetLabel=system_u:object_r:localnet_peer_t:s0
```

With the above rules for interface `eth0`, when the interface is configured with
an IPv4 address of 10.0.0.0/8, `systemd-networkd` performs the equivalent of
`netlabelctl` operation

```
$ sudo netlabelctl unlbl add interface eth0 address:10.0.0.0/8 label:system_u:object_r:localnet_peer_t:s0
```

Result:
```
$ sudo netlabelctl -p unlbl list
...
 interface: eth0
   address: 10.0.0.0/8
    label: "system_u:object_r:localnet_peer_t:s0"
...
```
2022-06-06 18:24:10 +00:00
Maccraft123
cc9e3a55d3 hwdb: Add accel orientation quirk for the Aya Neo Next 2022-06-06 16:35:17 +02:00
Shreenidhi Shedi
41abd7f6df execute: fix resource leak
CID#1431998
2022-06-06 16:34:37 +02:00
Daan De Meyer
2e64b27aeb journalctl: Use STATIC_DESTRUCTOR_REGISTER() 2022-06-06 16:04:53 +02:00
Daan De Meyer
e30c1d01b6 shared: Rename pcre2-dlopen.h/c to pcre2-util.h/c
We already store the dlopen() stuff for other libraries in util headers
as well so let's do the same for pcre2. We also move the definition of
some trivial cleanup functions from journalctl.c to pcre2-util.h
2022-06-06 16:01:20 +02:00
Frantisek Sumsal
47d81bc613 test: fix TEST-70 under sanitizers
Addresses:
  * https://github.com/systemd/systemd/issues/23578#issuecomment-1144089821
  * https://github.com/systemd/systemd-centos-ci/pull/496#issuecomment-1144640305
2022-06-06 14:48:27 +02:00
Frantisek Sumsal
3ea18a2e36 test: set $ASAN_RT_PATH along with $LD_PRELOAD to the ASan runtime DSO
Since we unset $LD_PRELOAD in the testsuite-* units (due to another
issue), let's store the path to the ASan DSO in another env variable, so
we can easily access it in the testsuite scripts when needed.
2022-06-06 14:45:11 +02:00
Zbigniew Jędrzejewski-Szmek
369151c9c7
Merge pull request #23621 from evverx/clang-release
ci: build systemd with clang with -Dmode=release --optimization=2
2022-06-06 12:17:48 +02:00
Zbigniew Jędrzejewski-Szmek
89eb3d7c95 various: use CONST_MAX for array allocation
IIUC, with MAX() we get a VLA and the size is "decided" at runtime,
even though the result is always the same, but with CONST_MAX() we
get a normal stack variable.
2022-06-06 09:52:52 +02:00
Zbigniew Jędrzejewski-Szmek
a5b28b7721 CODING_STYLE: say that inet_ntop() is a no no 2022-06-06 09:52:52 +02:00
Zbigniew Jędrzejewski-Szmek
071e522eec tree-wide: convert inet_ntop() calls to anonymous-buffer macros 2022-06-06 09:52:52 +02:00
Zbigniew Jędrzejewski-Szmek
c71384a9ee basic/in-addr-util: add IN_ADDR_PREFIX_TO_STRING 2022-06-06 09:52:52 +02:00
Zbigniew Jędrzejewski-Szmek
61af181344 basic/in-addr-util: drop check for prefix length in formatting function
The general rule should be to be strict when parsing data, but lenient
when printing it. Or in other words, we should verify data in verification
functions, but not when printing things. It doesn't make sense to refuse
to print a value that we are using internally.

We were tripping ourselves in some of the print functions:
we want to report than an address was configured with too-long prefix, but
the log line would use "n/a" if the prefix was too long. This is not useful.

Most of the time, the removal of the check doesn't make any difference,
because we verified the prefix length on input.
2022-06-06 09:52:52 +02:00
Zbigniew Jędrzejewski-Szmek
dd6d433a4f libsystemd-network: minor simplification 2022-06-06 09:52:52 +02:00
Zbigniew Jędrzejewski-Szmek
f69ea167eb resolved: use TAKE_PTR() in one more place 2022-06-06 09:52:52 +02:00
Zbigniew Jędrzejewski-Szmek
94a779628a networkctl: assume that we can always print local networking addresses
IN6_ADDR_TO_STRING(…) always returns something, so we can simplify the code a
lot. Also, let's not do step-wise concatenation, but instead handle everything
with one str_extendf() call.
2022-06-06 09:52:52 +02:00
Zbigniew Jędrzejewski-Szmek
84dbb3fd83 basic/in-addr-util: add IN_ADDR_TO_STRING
Since we don't need the error value, and the buffer is allocated with a fixed
size, the whole logic provided by in_addr_to_string() becomes unnecessary, so
it's enough to wrap inet_ntop() directly.

inet_ntop() can only fail with ENOSPC. But we specify a buffer that is supposed
to be large enough, so this should never fail. A bunch of tests of this are added.
This allows all the wrappers like strna(), strnull(), strempty() to be dropped.

The guard of 'if (DEBUG_LOGGING)' can be dropped from around log_debug(),
because log_debug() implements the check outside of the function call. But
log_link_debug() does not, so it we need it to avoid unnecessary evaluation of
the formatting.
2022-06-06 09:52:52 +02:00
Zbigniew Jędrzejewski-Szmek
789431f9f4
Merge pull request #23626 from sshedi/retval-fixes
Retval fixes
2022-06-06 09:41:12 +02:00
Evgeny Vereshchagin
2cfb790391 Revert "Support -D_FORTIFY_SOURCE=3 by using __builtin_dynamic_object_size."
This reverts commit 0bd292567a.

It isn't guaranteed anywhere that __builtin_dynamic_object_size can
always deduce the size of every object passed to it so systemd
can end up using either malloc_usable_size or
__builtin_dynamic_object_size when pointers are passed around,
which in turn can lead to actual segfaults like the one mentioned in
https://github.com/systemd/systemd/issues/23619.

Apparently __builtin_object_size can return different results for
pointers referring to the same memory as well but somehow it hasn't
caused any issues yet. Looks like this whole
malloc_usable_size/FORTIFY_SOURCE stuff should be revisited.

Closes https://github.com/systemd/systemd/issues/23619 and
https://github.com/systemd/systemd/issues/23150.

Reopens https://github.com/systemd/systemd/issues/22801
2022-06-05 19:13:17 +00:00
Shreenidhi Shedi
5c95eb2888 manager: ignore return value of unit_watch_pid()
Also, explicitly ignore return value of service_set_main_pid() calls in
few places.

Fixes: CID#1474975
2022-06-05 22:58:01 +05:30
Shreenidhi Shedi
8d862fd39d machinectl: ignore return value of get_process_comm()
Fixes: CID#1469720
2022-06-05 22:58:01 +05:30
Shreenidhi Shedi
a30c9e7176 polkit: explicitly ignore fd_wait_for_event()'s return value
Fixes: CID#1469718
2022-06-05 22:58:01 +05:30
Evgeny Vereshchagin
36cb69fc43 ci: build systemd with clang with -Dmode=release --optimization=2
This is what's most likely used to build systemd with clang in
practice so let's test it as well.

Preparation for reverting 0bd292567a
(which replaced bogus buffer overflow found with _FORTIFY_SOURCE=3
with actual segfaults).
2022-06-05 16:26:54 +00:00