IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The concept of synthetic errnos is about logging, which
is irrelevant irt bus error and we don't do any special
treatment in sd-bus for them, meaning the value propagated
would be spurious.
This tries to get rid of most manual sigprocmask() changes, in favour
of:
1. The SD_EVENT_SIGNAL_PROCMASK flag to sd_event_add_signal()
2. The sd_event_set_signal_exit() call for handling SIGTERM/SIGINT
3. Move masking of SIGWINCH into ptyfwd, out of nspawn/vmspawn/run
And while we are at it get rid of a bunch of event source fields whose
lifetime is bound to the sd_event object they belong to anyway, and make
use of the "floating" event source feature of sd-event instead.
Force means force, we skip checks with PID1 for existing units, but
then bail out with EEXIST if the files are actually there. Overwrite
everything instead.
It is already implied by DynamicUser=yes if not set, but dropping it
allows users to instead define TemporaryFileSystem=/tmp/ /var/tmp/
in their portable services, which has fewer side effects.
It was a redundant wrapper around freecon.
test-selinux needs to be adjusted because it now needs to be linked to
libselinux, instead of pulling it in via libshared.
The portable profiles assume /etc/resolv.conf exists, which isn't
always the case. Let's mark the mounts as optional so we don't fail
to start the unit if /etc/resolv.conf doesn't exist.
Resolve at attach/detach/inspect time, so that the image is pinned and requires
re-attaching on update, given files are extracted from it so just passing
img.v/ to RootImage= is not enough to get a portable image updated
When listing images they are inspected one by one, so in case of a
portable with extensions they always resulted as not found.
Allow a partial match when listing, so that we can find the appropriate
unit that an image belongs to, and list the correct state as attached.
Currently app_1.0.raw is refused if it contains extension-release.d/extension-release.app,
which stops one from using versioned images without using the force flag to disable
the check. Relax it so that only the actual name, and not the version, is compared, like
it already happens in other places.
Useful information to have in the logs.
Mar 14 16:45:27 H systemd-portabled[510]: Successfully attached ephemeral '/usr/share/minimal_0.raw' and its extension(s) '/usr/share/app0.raw' using profile 'default'
let's make userspace verity signature checking optional. This adds a
dissection flag to enable the logic and patches through all our users to
enable it by default, thus effectively not changing anything from the
status quo ante. However, know we have a knob to turn this off in
certain scenarios.
Since we use varargs for sd_message_append() we need to make sure the
parameters we pass are actually 64bit wide, if "t" is used. Hence cast
appropriately if necessary.
I went through the whole tree, and in most cases we got it right, but
there are some cases we missed so far.
Inspired by: #31420
This new mode copies resources provided by the client, so that they
remain available for inspect/detach even if the original images are
deleted, but symlinks the profile as that is owned by the OS, so that
updates are automatically applied.
Currently portabled is completely silent (when not using debug level). But
when the system state is changed (ie: a portable is attached or detached)
there are no traces left in the journal. Log at info level when either of
those operations succeed, as they are effectively changing the state of
the system.
Create new MESSAGE_IDs for these logs, and also append PORTABLE_ROOT=
(and PORTABLE_EXTENSION= if any), like the units themselves are
configured to do via LogExtraFields=, so that the same metadata can
be found in the attach/detach messages and in logs from the units
themselves.
This simplifies bus_verify_polkit_async() and related calls quite a bit:
1. This removes any support for authentication-by-Linux-capability. This
is ultimately a kdbus leftover: with classic AF_UNIX transports we
cannot authenticate by capabilities securely (because we cannot
acquire it from the peer without races), hence we never actually did.
Since the necessary kernel work didn't materialize in the last 10y,
and is unlikely to be added, let's just kill this context. We cannot
quite remove the caps stuff from sd-bus for API compat, but for our
polkit logic let's kill it.
2. The "good_uid" and "interactive" params are only necessary in very
few cases, hence let's move them to a new call
bus_verify_polkit_async_full() and make bus_verify_polkit_async() a
wrapper around it without those two parameters.
This also fixes a bunch of wrong uses of the "interactive" bool. The
bool makes no sense today as the ALLOW_INTERACTIVE_AUTHORIZATION field
in the D-Bus message header replaces it fully. We only need it to
implement method calls we introduced prior to that header field becoming
available in D-Bus. And it should only be used on such old method calls,
and otherwise always be set to false.
This does not change behaviour in any way. Just simplifies stuff.
Fixes: #21586
Sometimes it makes sense to hard kill a client if we die. Let's hence
add a third FORK_DEATHSIG flag for this purpose: FORK_DEATHSIG_SIGKILL.
To make things less confusing this also renames FORK_DEATHSIG to
FORK_DEATHSIG_SIGTERM to make clear it sends SIGTERM. We already had
FORK_DEATHSIG_SIGINT, hence this makes things nicely symmetric.
A bunch of users are switched over for FORK_DEATHSIG_SIGKILL where we
know it's safe to abort things abruptly. This should make some kernel
cases more robust, since we cannot get confused by signal masks or such.
While we are at it, also fix a bunch of bugs where we didn't take
FORK_DEATHSIG_SIGINT into account in safe_fork()
We use it for more than just pipe() arrays. For example also for
socketpair(). Hence let's give it a generic name.
Also add EBADF_TRIPLET to mirror this for things like
stdin/stdout/stderr arrays, which we use a bunch of times.
This is preparation for #28891, which adds a bunch more helpers around
"struct iovec", at which point this really deserves its own .c/.h file.
The idea is that we sooner or later can consider "struct iovec" as an
entirely generic mechanism to reference some binary blob, and is the
go-to type for this purpose whenever we need one.
This adds support for the new fsmount() logic of the kernel: we'll first
create an unattached fsmount fd, and then in a second step attach this
to some real file system inode – as opposed to attaching file system
directly. The benefit of this is that we can pass the open fsmount fds
over some sockets if need be, to isolate the mounting code from the
attaching code.
path_simplify_full()/path_simplify() are changed to allow a NULL path, for
which a NULL is returned. Generally, callers have already asserted before that
the argument is nonnull. This way path_simplify_full()/path_simplify() and
path_simplify_alloc() behave consistently.
In sd-device.c, logging in device_set_syspath() is intentionally dropped: other
branches don't log.
In mount-tool.c, logging in parse_argv() is changed to log the user-specified
value, not the simplified string. In an error message, we should show the
actual argument we got, not some transformed version.
c18f4eb9e96836a made it possible to use --force with various verbs, by
going through the newer D-Bus methods. Except it didn't, as it regressed
during PR review refactorings, and nobody noticed because there were no
tests for it. Fix it, and add tests.
Follow-up for c18f4eb9e96836a6a8285ec42fd8a34c8909f6d9
