1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-04 22:21:55 +03:00
Commit Graph

38203 Commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek
899072c0cd
Merge pull request #11196 from yuwata/udevd-tiny-cleanups
udev: tiny cleanups
2019-01-12 16:00:52 +01:00
Frantisek Sumsal
d7283fc157 test: limit environments for systemd-hwdb-update under ASan 2019-01-12 11:44:39 +01:00
Frantisek Sumsal
5b2172ee50 test: bump QEMU_SMP to 4 when running under ASan/UBSan 2019-01-12 11:38:21 +01:00
Frantisek Sumsal
670bec2b07 test: bump QEMU memory to 1536M when running under ASan/UBSan 2019-01-12 11:38:21 +01:00
Yu Watanabe
e0b7a5d151 udevd: refuse devices which do not have ACTION property 2019-01-12 09:32:20 +09:00
Yu Watanabe
33ad742a84 udevd: drop unnecessary brackets 2019-01-12 09:32:20 +09:00
Yu Watanabe
c0ff3d6cbc udevd: make worker also log ACTION property 2019-01-12 09:32:20 +09:00
Yu Watanabe
25d4f5b071 udevd: reject devices which do not have SEQNUM 2019-01-12 09:32:20 +09:00
Yu Watanabe
956833b417 udevd: provide worker_hash_ops and drop manager_workers_free() 2019-01-12 09:32:20 +09:00
Yu Watanabe
d40534643b udevd: use structured initializer at one more place 2019-01-12 09:32:20 +09:00
Yu Watanabe
1f3f6bd007 udevd: use worker_free() on failure in worker_new()
Otherwise, worker_monitor may not unrefed correctly.
2019-01-12 09:32:20 +09:00
Yu Watanabe
ee0b9e721a sd-device-monitor: fix ordering of setting buffer size
By b1c097af8d (#10239), the receive buffer
size for uevents was set by SO_RCVBUF at first, and fallback to
use SO_RCVBUFFORCE. So, as SO_RCVBUF limits to the buffer size
net.core.rmem_max, which is usually much smaller than 128MB udevd requests,
uevents buffer size was not sufficient.

This fixes the ordering of the request: SO_RCVBUFFORCE first, and
fallback to SO_RCVBUF. Then, udevd's uevent buffer size can be set to
128MB.

This also revert 903893237a.

Fixes #11314 and #10754.
2019-01-11 21:52:23 +01:00
Yu Watanabe
28daa1d10d
Merge pull request #11400 from ffontaine/master
Fix build with older kernels
2019-01-12 05:51:37 +09:00
Fabrice Fontaine
5269db454f lockfile-util.c: fix build without F_OFD_SETLK
systemd fails to build on kernel without F_OFD_SETLK since
9714c020fc

So put include missing_fcntl.h

Fixes:
 - http://autobuild.buildroot.org/results/699c078aa078240c6741da4dbd0871450ceeca92

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2019-01-11 17:37:36 +01:00
Fabrice Fontaine
e2d94d0c16 missing_syscall.h: include errno.h
This include is needed for errno and ENOSYS

Fixes:
 - http://autobuild.buildroot.org/results/699c078aa078240c6741da4dbd0871450ceeca92

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2019-01-11 17:37:36 +01:00
Fabrice Fontaine
6a9eb11b8a missing_if_link.h: add IFLA_BOND_MODE
systemd fails to build on kernel without IFLA_BOND_MODE (< 3.13) since
9714c020fc

So put back IFLA_BOND_MODE definition

Fixes:
 - http://autobuild.buildroot.org/results/699c078aa078240c6741da4dbd0871450ceeca92

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2019-01-11 17:37:36 +01:00
Fabrice Fontaine
3ee57870d6 basic/tmpfile-util.c: fix build without O_TMPFILE
systemd fails to build on kernel without O_TMPFILE (< 3.11) since
dea72eda9c

To fix this error, include missing_fcntl.h

Fixes:
 - http://autobuild.buildroot.org/results/699c078aa078240c6741da4dbd0871450ceeca92

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2019-01-11 17:37:36 +01:00
Fabrice Fontaine
a22692d718 capability: fix build without PR_CAP_AMBIENT
systemd fails to build on kernel without PR_CAP_AMBIENT (< 4.3) since
2a03bb3e65

To fix this error, include missing_prctl.h in all files using
PR_CAP_AMBIENT

Fixes:
 - http://autobuild.buildroot.org/results/699c078aa078240c6741da4dbd0871450ceeca92

Signed-off-by: Fabrice Fontaine <fontaine.fabrice@gmail.com>
2019-01-11 17:37:20 +01:00
Frantisek Sumsal
3071b3ff6e test: introduce QEMU_MEM
Some tests (mainly under ASan/UBSan) require more than 512M of memory,
so let's make it configurable (but still default to 512M).
2019-01-11 16:23:53 +01:00
Frantisek Sumsal
e47df8232a test: drop service masking in TEST-01-BASIC
This test should ensure all systemd starts correctly, so masking them is
counter-productive in this case.
2019-01-11 13:45:08 +01:00
Zbigniew Jędrzejewski-Szmek
0192cbdb2c Revert "nss: prevent PROTECT_ERRNO from squashing changes to *errnop"
This reverts commit b26c904113.

I don't see anythign wrong, but Ubuntu autopkgtest CI started failing fairly
consistently since this was merged. Let's see if reverting fixes things.
2019-01-10 21:23:14 +01:00
Sam Morris
8e44f5710b docs: note that udev doesn't deal with binary attribute values (#11383)
Related to #5329.
2019-01-10 18:05:34 +01:00
Michael Biebl
4e4bbc439e meson: stop setting -fPIE globally
Setting -fPIE globally can lead to miscompilations on certain
architectures.
This is caused by both -fPIE and -fPIC options being added to various
compilation commands. Only -fPIC is being recorded in the LTO options
section of the object. The gcc-8 LTO plugin merges -fPIC + -fPIE to
nothing. So, the compilations done by the plugin are not
position-independent and fail to link with -pie.

The simplest solution is to stop setting -fPIE globally and instead
using meson's b_pie=true option. This requires meson 0.49 or later.

Since we don't set this option in meson.build but leave it up to the
distro maintainer to set this option, do not bump the meson version
requirement.

Fixes: #10548
2019-01-10 16:00:10 +01:00
Franck Bui
c0f34168d4 Revert "logind: become the controlling terminal process before restoring VT"
This reverts commit ad96887a12.

Commit adb8688 alone should be enough to fix issue #9754.

Fixes #11269
2019-01-10 15:59:13 +01:00
Zbigniew Jędrzejewski-Szmek
c7e93c4d15 pam_systemd: reword message about not creating a session
The message is changed from
  Cannot create session: Already running in a session...
to
  Not creating session: Already running in a session...

This is more neutral and avoids suggesting a problem.

"Will not create session: ..." was suggested, but it sounds like the action
would have yet to be performed. I think Using present continuous is better.

Fixes #10822 (for good now, I hope).
2019-01-10 15:56:02 +01:00
Sam Morris
b26c904113 nss: prevent PROTECT_ERRNO from squashing changes to *errnop
glibc passes in &errno for errnop, which means PROTECT_ERRNO ends up
squashing our intentional changes to *errnop.

Fixes #11321.
2019-01-10 11:08:42 +01:00
Zbigniew Jędrzejewski-Szmek
a1b939dfc7
Merge pull request #11376 from yuwata/11365-v2
udev: initialize sockets before fork()
2019-01-10 09:08:57 +01:00
Yu Watanabe
5497239f95
Merge pull request #11350 from yuwata/logind-inhibitwhat-cleanups
login: cleanups for enum InhibitWhat
2019-01-10 14:26:21 +09:00
Yu Watanabe
8f44e0f419
Merge pull request #11361 from yuwata/follow-up-11352
core/socket: two follow-ups for #11352
2019-01-10 14:25:58 +09:00
Yu Watanabe
943179fe2a
Merge pull request #11366 from keszybz/a-few-unrelated-cleanups
A few unrelated cleanups
2019-01-10 14:25:25 +09:00
Zbigniew Jędrzejewski-Szmek
65641b3cdc logind: do not pass negative number to strerror 2019-01-10 14:22:28 +09:00
Zbigniew Jędrzejewski-Szmek
b5af8c8cdf udev: open control and netlink sockets before daemonization
c4b69e990f effectively moved the initalization of socket.
Before that commit:
run → listen_fds → udev_ctrl_new → udev_ctrl_new_from_fd → socket()
After:
run → main_loop → manager_new → udev_ctrl_new_from_fd → socket()

The problem is that main_loop was called after daemonization. Move manager_new
out of main_loop and before daemonization.

Fixes #11314 (hopefully ;)).

v2: Yu Watanabe
sd_event is initialized in main_loop().
2019-01-10 14:09:15 +09:00
Zbigniew Jędrzejewski-Szmek
44dcf454b6 udevd: drop redundant call to sd_event_get_exit_code
sd_event_loop returns the same thing anyway.
2019-01-10 14:09:01 +09:00
Zbigniew Jędrzejewski-Szmek
a685c049c0
Merge pull request #11374 from keszybz/journal-fixes
Journal/journal-remote/coredump fixes
2019-01-10 01:12:22 +01:00
Daniel Axtens
6accfd3139 Move link_check_ready() to later in the file
We're about to need it to be later in the file for the next commit.
Moving it now means that when we change it in the next commit, it's
not intermingled with the move.

No functional change intended.

Signed-off-by: Daniel Axtens <dja@axtens.net>
2019-01-10 11:01:57 +11:00
Zbigniew Jędrzejewski-Szmek
ef4d6abe7c journal-remote: set a limit on the number of fields in a message
Existing use of E2BIG is replaced with ENOBUFS (entry too long), and E2BIG is
reused for the new error condition (too many fields).

This matches the change done for systemd-journald, hence forming the second
part of the fix for CVE-2018-16865
(https://bugzilla.redhat.com/show_bug.cgi?id=1653861).
2019-01-09 23:44:17 +01:00
Zbigniew Jędrzejewski-Szmek
7fdb237f54 journal-remote: verify entry length from header
Calling mhd_respond(), which ulimately calls MHD_queue_response() is
ineffective at point, becuase MHD_queue_response() immediately returns
MHD_NO signifying an error, because the connection is in state
MHD_CONNECTION_CONTINUE_SENT.

As Christian Grothoff kindly explained:
> You are likely calling MHD_queue_repsonse() too late: once you are
> receiving upload_data, HTTP forces you to process it all. At this time,
> MHD has already sent "100 continue" and cannot take it back (hence you
> get MHD_NO!).
>
> In your request handler, the first time when you are called for a
> connection (and when hence *upload_data_size == 0 and upload_data ==
> NULL) you must check the content-length header and react (with
> MHD_queue_response) based on this (to prevent MHD from automatically
> generating 100 continue).

If we ever encounter this kind of error, print a warning and immediately
abort the connection. (The alternative would be to keep reading the data,
but ignore it, and return an error after we get to the end of data.
That is possible, but of course puts additional load on both the
sender and reciever, and doesn't seem important enough just to return
a good error message.)

Note that sending of the error does not work (the connection is always aborted
when MHD_queue_response is used with MHD_RESPMEM_MUST_FREE, as in this case)
with libµhttpd 0.59, but works with 0.61:
https://src.fedoraproject.org/rpms/libmicrohttpd/pull-request/1
2019-01-09 23:44:17 +01:00
Zbigniew Jędrzejewski-Szmek
d101fb24eb µhttpd: use a cleanup function to call MHD_destroy_response 2019-01-09 23:44:17 +01:00
Zbigniew Jędrzejewski-Szmek
6670c9de19 journald: lower the maximum entry size limit to ½ for non-sealed fds
We immediately read the whole contents into memory, making thigs much more
expensive. Sealed fds should be used instead since they are more efficient
on our side.
2019-01-09 23:41:53 +01:00
Zbigniew Jędrzejewski-Szmek
964ef920ea journald: when processing a native message, bail more quickly on overbig messages
We'd first parse all or most of the message, and only then consider if it
is not too large. Also, when encountering a single field over the limit,
we'd still process the preceding part of the message. Let's be stricter,
and check size limits early, and let's refuse the whole message if it fails
any of the size limits.
2019-01-09 23:41:53 +01:00
Zbigniew Jędrzejewski-Szmek
052c57f132 journald: set a limit on the number of fields (1k)
We allocate a iovec entry for each field, so with many short entries,
our memory usage and processing time can be large, even with a relatively
small message size. Let's refuse overly long entries.

CVE-2018-16865
https://bugzilla.redhat.com/show_bug.cgi?id=1653861

What from I can see, the problem is not from an alloca, despite what the CVE
description says, but from the attack multiplication that comes from creating
many very small iovecs: (void* + size_t) for each three bytes of input message.
2019-01-09 23:41:53 +01:00
Zbigniew Jędrzejewski-Szmek
f0136e0922 coredump: fix message when we fail to save a journald coredump
If creation of the message failed, we'd write a bogus entry:
systemd-coredump[1400]: Cannot store coredump of 416 (systemd-journal): No space left on device
systemd-coredump[1400]: MESSAGE=Process 416 (systemd-journal) of user 0 dumped core.
systemd-coredump[1400]: Coredump diverted to
2019-01-09 23:41:53 +01:00
Zbigniew Jędrzejewski-Szmek
2d5d2e0cc5 basic/process-util: limit command line lengths to _SC_ARG_MAX
This affects systemd-journald and systemd-coredump.

Example entry:
$ journalctl -o export -n1 'MESSAGE=Something logged'
__CURSOR=s=976542d120c649f494471be317829ef9;i=34e;b=4871e4c474574ce4a462dfe3f1c37f06;m=c7d0c37dd2;t=57c4ac58f3b98;x=67598e942bd23dc0
__REALTIME_TIMESTAMP=1544035467475864
__MONOTONIC_TIMESTAMP=858200964562
_BOOT_ID=4871e4c474574ce4a462dfe3f1c37f06
PRIORITY=6
_UID=1000
_GID=1000
_CAP_EFFECTIVE=0
_SELINUX_CONTEXT=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
_AUDIT_SESSION=1
_AUDIT_LOGINUID=1000
_SYSTEMD_OWNER_UID=1000
_SYSTEMD_UNIT=user@1000.service
_SYSTEMD_SLICE=user-1000.slice
_SYSTEMD_USER_SLICE=-.slice
_SYSTEMD_INVOCATION_ID=1c4a469986d448719cb0f9141a10810e
_MACHINE_ID=08a5690a2eed47cf92ac0a5d2e3cf6b0
_HOSTNAME=krowka
_TRANSPORT=syslog
SYSLOG_FACILITY=17
SYSLOG_IDENTIFIER=syslog-caller
MESSAGE=Something logged
_COMM=poc
_EXE=/home/zbyszek/src/systemd-work3/poc
_SYSTEMD_CGROUP=/user.slice/user-1000.slice/user@1000.service/gnome-terminal-server.service
_SYSTEMD_USER_UNIT=gnome-terminal-server.service
SYSLOG_PID=4108
SYSLOG_TIMESTAMP=Dec  5 19:44:27
_PID=4108
_CMDLINE=./poc AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA>
_SOURCE_REALTIME_TIMESTAMP=1544035467475848

$ journalctl -o export -n1 'MESSAGE=Something logged' --output-fields=_CMDLINE|wc
      6    2053 2097410

2MB might be hard for some clients to use meaningfully, but OTOH, it is
important to log the full commandline sometimes. For example, when the program
is crashing, the exact argument list is useful.
2019-01-09 23:41:53 +01:00
Zbigniew Jędrzejewski-Szmek
084eeb865c journald: do not store the iovec entry for process commandline on stack
This fixes a crash where we would read the commandline, whose length is under
control of the sending program, and then crash when trying to create a stack
allocation for it.

CVE-2018-16864
https://bugzilla.redhat.com/show_bug.cgi?id=1653855

The message actually doesn't get written to disk, because
journal_file_append_entry() returns -E2BIG.
2019-01-09 23:41:53 +01:00
Zbigniew Jędrzejewski-Szmek
bc2762a309 journald: remove unnecessary {} 2019-01-09 23:41:53 +01:00
Zbigniew Jędrzejewski-Szmek
4f62556d71 coredump: remove duplicate MESSAGE= prefix from message
systemd-coredump[9982]: MESSAGE=Process 771 (systemd-journal) of user 0 dumped core.
systemd-coredump[9982]: Coredump diverted to /var/lib/systemd/coredump/core...

log_dispatch() calls log_dispatch_internal() which calls write_to_journal()
which appends MESSAGE= on its own.
2019-01-09 23:41:53 +01:00
Yu Watanabe
d253a45e1c core/mount: make mount_setup_existing_unit() not drop MOUNT_PROC_JUST_MOUNTED flag from units
This fixes a bug introduced by ec88d1ea05.

Fixes #11362.
2019-01-09 12:51:00 +01:00
Zbigniew Jędrzejewski-Szmek
690f02f4b8 timesyncd,resolved,machinectl: drop calls to sd_event_get_exit_code()
In all three cases, sd_event_loop() will return the exit code anyway.
If sd_event_loop() returns negative, failure is logged and results in an
immediate return. Otherwise, we don't care if sd_event_loop() returns 0
or positive, because the return value feeds into DEFINE_MAIN_FUNCTION(), which
doesn't make the distinction.
2019-01-08 23:26:07 +01:00
Zbigniew Jędrzejewski-Szmek
1b2a7d92af Fix a few comments 2019-01-08 23:11:26 +01:00
Zbigniew Jędrzejewski-Szmek
2cfb197890 sd-device: modernize code a bit
Empty line between setting the output parameter and return is removed. I like
to think about both steps as part of returning from the function, and there's
no need to separate them.

Similarly, if we need to unset a pointer after successfully passing ownership,
use TAKE_PTR and do it immediately after the ownership change, without an empty
line inbetween.
2019-01-08 22:14:06 +01:00