1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-07 01:27:11 +03:00
Commit Graph

61 Commits

Author SHA1 Message Date
Kay Sievers
1b09f548c7 turn kdbus support into a runtime option
./configure --enable/disable-kdbus can be used to set the default
behavior regarding kdbus.

If no kdbus kernel support is available, dbus-dameon will be used.

With --enable-kdbus, the kernel command line option "kdbus=0" can
be used to disable kdbus.

With --disable-kdbus, the kernel command line option "kdbus=1" is
required to enable kdbus support.
2015-06-17 18:01:49 +02:00
Martin Pitt
e26d6ce517 path-util: Change path_is_mount_point() symlink arg from bool to flags
This makes path_is_mount_point() consistent with fd_is_mount_point() wrt.
flags.
2015-05-29 17:42:44 +02:00
Lennart Poettering
03cfe0d514 nspawn: finish user namespace support 2015-05-21 16:32:01 +02:00
David Herrmann
64f75d7a28 core: fix mount setup to work with non-existing mount points
We must not fail on ENOENT. We properly create the mount-point in
mount-setup, so there's really no reason to skip the mount. Make sure we
just skip the mount on unexpected failures or if it's already mounted.
2015-04-07 14:03:44 +02:00
Daniel Mack
b604cb9bf6 core: mount-setup: handle non-existing mountpoints gracefully
Commit e792e890f ("path-util: don't eat up ENOENT in
path_is_mount_point()") changed path_is_mount_point() so it doesn't hide
-ENOENT from its caller. This causes all boots to fail early in case
any of the mount points does not exist (for instance, when kdbus isn't
loaded, /sys/fs/kdbus is missing).

Fix this by returning 0 from mount_one() if path_is_mount_point()
returned -ENOENT.
2015-04-07 00:50:10 +02:00
Thomas Hindoe Paaboel Andersen
2eec67acbb remove unused includes
This patch removes includes that are not used. The removals were found with
include-what-you-use which checks if any of the symbols from a header is
in use.
2015-02-23 23:53:42 +01:00
Cristian Rodríguez
cb708b1c6d mount-setup: Do not bother with /proc/bus/usb
Current systemd requires kernel >= 3.7 per the README file
but CONFIG_USB_DEVICEFS disappeared from the kernel in
upstream commit fb28d58b72aa9215b26f1d5478462af394a4d253
(kernel 3.5-rc1)
2015-01-23 19:10:28 +01:00
Lennart Poettering
b4d5b78374 mount-setup: /selinux, /cgroup, /dev/cgroup are sooo old, don't bother with them anymore 2015-01-23 13:47:41 +01:00
Cristian Rodríguez
ecdacd4b2f remove unneeded libgen.h includes 2015-01-17 12:26:20 +01:00
Lennart Poettering
b12afc8c5c nspawn: mount most of the cgroup tree read-only in nspawn containers except for the container's own subtree in the name=systemd hierarchy
More specifically mount all other hierarchies in their entirety and the
name=systemd above the container's subtree read-only.
2015-01-05 01:40:51 +01:00
Michal Schmidt
4a62c710b6 treewide: another round of simplifications
Using the same scripts as in f647962d64 "treewide: yet more log_*_errno
+ return simplifications".
2014-11-28 19:57:32 +01:00
Michal Schmidt
56f64d9576 treewide: use log_*_errno whenever %m is in the format string
If the format string contains %m, clearly errno must have a meaningful
value, so we might as well use log_*_errno to have ERRNO= logged.

Using:
find . -name '*.[ch]' | xargs sed -r -i -e \
's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/'

Plus some whitespace, linewrap, and indent adjustments.
2014-11-28 19:49:27 +01:00
Lennart Poettering
68d4c45263 core: reindent mount/kmod tables 2014-11-26 15:43:20 +01:00
Daniel Mack
2e75e2a8f5 mount-setup: remove mount_setup_late()
Turns out we can just do kmod_setup() earlier, before we do mount_setup(),
so there's no need for mount_setup_late() anymore. Instead, put kdbusfs in
mount_table[].
2014-11-14 15:18:56 +01:00
Daniel Mack
63cc4c3138 sd-bus: sync with kdbus upstream (ABI break)
kdbus has seen a larger update than expected lately, most notably with
kdbusfs, a file system to expose the kdbus control files:

 * Each time a file system of this type is mounted, a new kdbus
   domain is created.

 * The layout inside each mount point is the same as before, except
   that domains are not hierarchically nested anymore.

 * Domains are therefore also unnamed now.

 * Unmounting a kdbusfs will automatically also detroy the
   associated domain.

 * Hence, the action of creating a kdbus domain is now as
   privileged as mounting a filesystem.

 * This way, we can get around creating dev nodes for everything,
   which is last but not least something that is not limited by
   20-bit minor numbers.

The kdbus specific bits in nspawn have all been dropped now, as nspawn
can rely on the container OS to set up its own kdbus domain, simply by
mounting a new instance.

A new set of mounts has been added to mount things *after* the kernel
modules have been loaded. For now, only kdbus is in this set, which is
invoked with mount_setup_late().
2014-11-13 20:41:52 +01:00
Lennart Poettering
6baa7db008 mac: also rename use_{smack,selinux,apparmor}() calls so that they share the new mac_{smack,selinux,apparmor}_xyz() convention 2014-10-23 17:34:30 +02:00
Emil Renner Berthing
0fff82e5f8 mount-setup: skip relabelling when SELinux and SMACK not supported
This is also the only place where FTW_ACTIONRETVAL is used, so
this makes systemd compile without SELinux or SMACK support
when the standard library doesn't support this extension.
2014-10-10 13:00:47 +02:00
Michal Schmidt
d5099efc47 hashmap: introduce hash_ops to make struct Hashmap smaller
It is redundant to store 'hash' and 'compare' function pointers in
struct Hashmap separately. The functions always comprise a pair.
Store a single pointer to struct hash_ops instead.

systemd keeps hundreds of hashmaps, so this saves a little bit of
memory.
2014-09-15 16:08:50 +02:00
Lennart Poettering
7c96ab1d24 mount-setup: fix counting of early mounts without SMACK
http://lists.freedesktop.org/archives/systemd-devel/2014-August/021772.html
2014-08-13 20:01:21 +02:00
Tom Hirst
908f8b9cbb core: Don't require cgroups xattr support
Failure to mount cgroups with xattr should not be fatal
2014-06-26 01:41:05 -04:00
Ronan Le Martret
d1d8e5d49f core: You can not put the cached result of use_smack fct, as we are not sure the "/sys" is mounted. So we should mount "sys" before "/proc"
https://bugs.freedesktop.org/show_bug.cgi?id=77646
2014-06-23 18:59:28 +02:00
Kay Sievers
d2edfae0f9 build-sys: use glibc's xattr support instead of requiring libattr 2014-05-28 17:36:40 +08:00
Kay Sievers
99a17ada9c core: require cgroups filesystem to be available
We should no longer pretend that we can run in any sensible way
without the kernel supporting us with cgroups functionality.
2014-05-05 18:52:36 +02:00
Lennart Poettering
c4bfd1691f core: don't try to relabel mounts before we loaded the policy 2014-03-24 21:04:02 +01:00
Lennart Poettering
679142ce4a core: remount /sys/fs/cgroup/ read-only after we mounted all controllers
Given that glibc searches for /dev/shm by just looking for any tmpfs we
should be more careful with providing tmpfs instances arbitrary code
might end up writing to.
2014-03-18 04:48:26 +01:00
Lennart Poettering
a641dcd9bf cgroup: it's not OK to invoke alloca() in loops 2014-03-18 04:48:26 +01:00
Lennart Poettering
7f112f50fe exec: introduce PrivateDevices= switch to provide services with a private /dev
Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that
sets up a private /dev with only the API pseudo-devices like /dev/null,
/dev/zero, /dev/random, but not any physical devices in them.
2014-01-20 21:28:37 +01:00
Daniel Buch
f5f6d0e255 tree-wide usage of %m specifier instead of strerror(errno)
Also for log_error() except where a specific error is specified

e.g. errno ? strerror(errno) : "Some user specified message"
2013-11-26 21:07:46 +10:00
Auke Kok
8552b17660 Smack: Test if smack is enabled before mounting
Since on most systems with xattr systemd will compile with Smack
support enabled, we still attempt to mount various fs's with
Smack-only options.

Before mounting any of these Smack-related filesystems with
Smack specific mount options, check if Smack is functionally
active on the running kernel.

If Smack is really enabled in the kernel, all these Smack mounts
are now *fatal*, as they should be.

We no longer mount smackfs if systemd was compiled without
Smack support. This makes it easier to make smackfs mount
failures a critical error when Smack is enabled.

We no longer mount these filesystems with their Smack specific
options inside containers. There these filesystems will be
mounted with there non-mount smack options for now.
2013-10-09 15:06:17 -07:00
Auke Kok
d407c94020 Mount /run, /dev/shm usable to tasks when using SMACK.
Once systemd itself is running in a security domain for SMACK,
it will fail to start countless tasks due to missing privileges
for mounted and created directory structures. For /run and shm
specifically, we grant all tasks access.

These 2 mounts are allowed to fail, which will happen if the
system is not running a SMACK enabled kernel or security=none is
passed to the kernel.
2013-10-07 10:23:20 -07:00
Harald Hoyer
956eaf2b8d remove /run/initramfs/root-fsck logic
dracut uses systemd in the initramfs and does not write these files
anymore.

The state of the root fsck is serialized.
2013-07-17 11:33:07 +02:00
Zbigniew Jędrzejewski-Szmek
a6b26d9011 Small cleanup 2013-04-24 00:25:04 -04:00
Zbigniew Jędrzejewski-Szmek
ef42202ac8 Add set_consume which always takes ownership
Freeing in error path is the common pattern with set_put().
2013-04-24 00:25:04 -04:00
Zbigniew Jędrzejewski-Szmek
c79bb9e4e2 Standarize on one spelling of symlink error message
It's polite to print the name of the link that wasn't created,
and it makes little sense to print the target.
2013-04-24 00:25:04 -04:00
Zbigniew Jędrzejewski-Szmek
0ee679580e systemd: fall back to mounting /sys/fs/cgroup sans xattr
xattrs on cgroup fs were added back in v3.6-rc3-3-g03b1cde. But we
support kernels >= 2.6.39, and we should also support kernels compiled
w/o xattr support, even if systemd is compiled with xattr support.
Fall back to mounting without xattr support.

Tested-by: Colin Walters <walters@verbum.org>
2013-04-24 00:25:04 -04:00
Zbigniew Jędrzejewski-Szmek
a383724e42 systemd,nspawn: use extended attributes to store metadata
All attributes are stored as text, since root_directory is already
text, and it seems easier to have all of them in text format.

Attributes are written in the trusted. namespace, because the kernel
currently does not allow user. attributes on cgroups. This is a PITA,
and CAP_SYS_ADMIN is required to *read* the attributes. Alas.

A second pipe is opened for the child to signal the parent that the
cgroup hierarchy has been set up.
2013-04-21 21:43:43 -04:00
Lennart Poettering
2fa4092c28 util: make time formatting a bit smarter
Instead of outputting "5h 55s 50ms 3us" we'll now output "5h
55.050003s". Also, while outputting the accuracy is configurable.

Basically we now try use "dot notation" for all time values > 1min. For
>= 1s we use 's' as unit, otherwise for >= 1ms we use 'ms' as unit, and
finally 'us'.

This should give reasonably values in most cases.
2013-04-04 02:56:56 +02:00
Lennart Poettering
3cbb76ee34 mount: mount all cgroup controllers in containers, too 2013-03-22 04:43:28 +01:00
Michal Sekletar
c17ec25e4d core: reuse the same /tmp, /var/tmp and inaccessible dir
All Execs within the service, will get mounted the same
/tmp and /var/tmp directories, if service is configured with
PrivateTmp=yes. Temporary directories are cleaned up by service
itself in addition to systemd-tmpfiles. Directory which is mounted
as inaccessible is created at runtime in /run/systemd.
2013-03-15 22:56:40 -04:00
Lennart Poettering
66e411811b sd-booted: update sd_booted() check a bit
Previously we were testing whether /sys/fs/cgroup/systemd/ was a mount
point. This might be problematic however, when the cgroup trees are bind
mounted into a container from the host (which should be absolutely
valid), which might create the impression that the container was running
systemd, but only the host actually is.

Replace this by a check for the existance of the directory
/run/systemd/system/, which should work unconditionally, since /run can
never be a bind mount but *must* be a tmpfs on systemd systems, which is
flushed at boots. This means that data in /run always reflects
information about the current boot, and only of the local container,
which makes it the perfect choice for a check like this.

(As side effect this is nice to Ubuntu people who now use logind with
the systemd cgroup hierarchy, where the old sd_booted() check misdetects
systemd, even though they still run legacy Upstart.)
2013-03-15 16:49:08 +01:00
Nathaniel Chen
ffbd2c4d45 core: mount and initialize Smack
SMACK is the Simple Mandatory Access Control Kernel, a minimal
approach to Access Control implemented as a kernel LSM.

The kernel exposes the smackfs filesystem API through which access
rules can be loaded. At boot time, we want to load the access rules
as early as possible to ensure all early boot steps are checked by Smack.

This patch mounts smackfs at the new location at /sys/fs/smackfs for
kernels 3.8 and above. The /smack mountpoint is not supported.
After mounting smackfs, rules are loaded from the usual location.

For more information about Smack see:
  http://www.kernel.org/doc/Documentation/security/Smack.txt
2013-03-07 20:53:14 +01:00
Kay Sievers
c06bf41404 mount-setup: mount pstore filesystem 2013-02-27 13:08:20 +01:00
Lennart Poettering
b872e9a059 build-sys: make EFI support build-time optional 2013-02-13 23:08:25 +01:00
Lennart Poettering
9cde64ff26 efi: various cleanups 2013-02-13 00:12:58 +01:00
Lennart Poettering
34e5a31ec5 util: move is_efiboot() to efivars.c 2013-01-21 01:04:16 +01:00
Kay Sievers
6aa220e019 mount-setup: try mounting 'efivarfs' only if the system bootet with EFI 2012-11-04 17:03:48 +01:00
Lee, Chun-Yi
f271dd9762 systemd: mount the EFI variable filesystem
Add efivarfs to the mount_table in mount-setup.c, so the EFI variable
filesystem will be mounted when systemd executed.

The EFI variable filesystem will merge in v3.7 or v3.8 linux kernel.

Cc: Kay Sievers <kay@vrfy.org>
Cc: Lennart Poettering <lennart@poettering.net>
Cc: Mantas Mikulėnas <grawity@gmail.com>
Cc: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Cc: Matt Fleming <matt.fleming@intel.com>
Cc: Jeremy Kerr <jeremy.kerr@canonical.com>
Cc: Matthew Garrett <mjg@redhat.com>
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
2012-10-30 03:40:42 +01:00
Lennart Poettering
c481f78be7 mount: don't mount securityfs in a container 2012-09-18 12:13:02 +02:00
Lennart Poettering
01ed0e2307 dev-setup: make NULL as parameter for dev_setup() equivalent to "" 2012-08-21 17:23:03 +02:00
Dave Reisner
8f0e73f250 dev-setup: allow a path prefix for use in chroots
With this adjustment, we can reuse this code elsewhere, such as in
nspawn.
2012-08-21 17:19:35 +02:00