IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
It's a sycall group of our own definition, and the output is erroneous
to claim otherwise. Let's hide it.
This adds syscall_set_add() which is nicely symmetric to the existing
syscall_set_remove().
Follow-up for: 6d6a08547c03f96dc798cda1ef4a8d3013d292d5
(cherry picked from commit 950c0ed38935198a67a57c645e499555eaf006eb)
-1 was used everywhere, but -EBADF or -EBADFD started being used in various
places. Let's make things consistent in the new style.
Note that there are two candidates:
EBADF 9 Bad file descriptor
EBADFD 77 File descriptor in bad state
Since we're initializating the fd, we're just assigning a value that means
"no fd yet", so it's just a bad file descriptor, and the first errno fits
better. If instead we had a valid file descriptor that became invalid because
of some operation or state change, the other errno would fit better.
In some places, initialization is dropped if unnecessary.
The name "def.h" originates from before the rule of "no needless abbreviations"
was established. Let's rename the file to clarify that it contains a collection
of various semi-related constants.
Similarly to DumpByFileDescriptor vs Dump,
DumpUnitsMatchingPatternsByFileDescriptor is used in preference. Dissimilarly,
a fallback to DumpUnitsMatchingPatterns is not done on error, because there is
no need for backwards compatibility.
The code is still more verbose than I'd like, but there are four different code
paths with slightly different rules in each case, so it's hard to make this all
very brief. Since we have a separate file dedicated to making those calls, the
verbose-but-easy-to-follow implementation should be OK.
Closes#24989.
I only did a quick test that all both variants works locally and over ssh.
The new function DumpPatterns() can be used to limit (drastically) the size of
the data returned by PID1. Hence the optimization of serializing data into a
file descriptor should be less relevant than having the possibility to limit
the data when communicating with the service manager remotely.
NB: when passing patterns, the dump command omits the version of the manager as
well as the features and the timestamps.
This reverts dd51e725df9aec2847482131ef601e0215b371a0 and fixes bugs
introduced by 1624114d74f55ad9791b7624b08d89d2339a68b3.
Previously,
- On online scan, the syscall filter was a string Hashmap, but it
might contain syscall name with errno or error action. Hence, we need
to drop the errno or error action in the string.
- On offline scan, the syscall filter was a Hashmap of syscall ID, so
hashmap_contains() with syscall name did not work. We need to convert
syscall IDs to syscall names.
- If hashmap_contains() in syscall_names_in_filter() is true, then
the syscall is allowed when the list is an allow-list, and vice versa.
Hence, the condition in syscall_names_in_filter() was errnously
inverted by dd51e725df9aec2847482131ef601e0215b371a0.
This makes syscalls are always stored with its name, instead of ID,
and also correct the condition.
Fixes#23663.
It looks like garbled output… I didn't use shell-escape, because the other
characters that are special for the shell that are used in versions should
not be escaped.
The interface, output, and exit status convention are all taken directly from
rpmdev-vercmp and dpkg --compare-versions. The implementation is different
though. See test-string-util for a list of known cases where we compare
strings incompatibly.
The idea is that this string comparison function will be declared as "the"
method to use for boot entry ordering in the specification and similar
uses. Thus it's nice to allow users to compare strings.
No functional change is intended. The verbs where it wasn't immediately
clear if the success exit status is 0 or >= 0 are changed to explicitly
return 0. (I think it's better to be explicit than to rely on some call
stack always returning 0 on success.)
Some other functions are cleaned up to be more idiomatic.
Many sandboxing options add implicit DeviceAllow rules, which might be confusing
for users running systemd-analyze security and not expecting it.
Print the list.
Fixes https://github.com/systemd/systemd/issues/23185
1449b0f8a96b27 fixed seccomp arch check for the offline case,
but broke it for the normal case, as when coming from D-Bus the
list of seccomp architectures is already converted to string.
Fixes https://github.com/systemd/systemd/issues/23224
Previously, systemd-analyze verify would return 0 even if warnings
were raised during analysis of the specified units or their
dependencies. With 3cc3dc7, verify was changed to return 1 when
warnings were raised.
This commit changes the default mode to _RECURSIVE_ERRORS_INVALID
so that verify returns zero again by default when warnings are
raised.
As suggested in
8b3ad3983f (r837345892)
The define is generalized and moved to path-lookup.h, where it seems to fit
better. This allows a recursive include to be removed and in general makes
things simpler.
Some calls to lookup_path_init() were not followed by any log emission.
E.g.:
$ SYSTEMD_LOG_LEVEL=debug systemctl --root=/missing enable unit; echo $?
1
Let's add a helper function and use it in various places.
$ SYSTEMD_LOG_LEVEL=debug build/systemctl --root=/missing enable unit; echo $?
Failed to initialize unit search paths for root directory /missing: No such file or directory
1
$ SYSTEMCTL_SKIP_SYSV=1 build/systemctl --root=/missing enable unit; echo $?
Failed to initialize unit search paths for root directory /missing: No such file or directory
Failed to enable: No such file or directory.
1
The repeated error in the second case is not very nice, but this is a niche
case and I don't think it's worth the trouble to trying to avoid it.
The approach to use '''…'''.split() instead of a list of strings was initially
used when converting from automake because it allowed identical blocks of lines
to be used for both, making the conversion easier.
But over the years we have been using normal lists more and more, especially
when there were just a few filenames listed. This converts the rest.
No functional change.
Some of the functions so far were named do_xyz(), others dump_xyz() and
even others test_xyz(). let's instead name them exactly like the verb
exposed in the command line, just prefixed with verb_
This renames the old analyze-verify.[ch] pair →
analyze-verify-util.[ch], because it's used by the test logic as well,
and by keeping it separate from the verify verb logic we don't have to
import the arg_xyz variables.
