1
0
mirror of https://github.com/systemd/systemd.git synced 2025-01-12 13:18:14 +03:00
Commit Graph

50246 Commits

Author SHA1 Message Date
Luca Boccassi
ae43f2341c
Merge pull request #18918 from yuwata/man-no-new-priv-18914
man: update documents about NoNewPrivileges=
2021-03-08 20:57:32 +00:00
Lennart Poettering
794a579f29 dissect-image: don#t mix two forms of stack allocation in one expression
It's not necessarily safe to do this, hence don't.
2021-03-08 17:31:47 +01:00
Lennart Poettering
7533a33b0c dissect-image: remove unnecessary parens 2021-03-08 17:31:35 +01:00
Lennart Poettering
79d5f00ad1
Merge pull request #18925 from keszybz/hwdb-news-syscalls-update
Update of hwdb & news & syscalls for v248
2021-03-08 17:01:40 +01:00
Lennart Poettering
b9dec21409
Merge pull request #18921 from yuwata/seccomp-syscallfilter-18916
seccomp: fix issue in system call filter with errno
2021-03-08 17:01:23 +01:00
Lennart Poettering
00248fc4f7
Merge pull request #18924 from keszybz/homed-inotify-crash
Homed inotify crash
2021-03-08 15:12:30 +01:00
Frantisek Sumsal
c335b7c3f8 test: fix the last subtest of TEST-50-DISSECT under sanitizers
Follow-up to 9f6235e1b4.
2021-03-08 14:38:49 +01:00
Zbigniew Jędrzejewski-Szmek
a3fbf67180 hwdb: update for v248
Seems to be additions and corrections as usual.
Includes an update of the chromiumos autosuspend rules.
2021-03-08 14:27:48 +01:00
Zbigniew Jędrzejewski-Szmek
33e68cce51 NEWS: add items since -rc2 2021-03-08 14:27:48 +01:00
Yu Watanabe
0538d2a811 core/execute: sort conditions to make them match documentation 2021-03-08 21:42:06 +09:00
Yu Watanabe
266d0bb9e0 man: update document about NoNewPrivileges=
Fixes #18914.
2021-03-08 21:42:06 +09:00
Yu Watanabe
a62f651b32 test: add one more test for system call filter with errno 2021-03-08 21:28:42 +09:00
Yu Watanabe
68acc1afbe seccomp: do not ignore deny-listed syscalls with errno when list is allow-list
Previously, if the hashmap is allow-list and a new deny-listed syscall
is added, seccomp_parse_syscall_filter() simply drop the new syscall
from hashmap even if error number is specified.

This makes 'allow-list' hashmap store two types of entries:
- allow-listed syscalls, which are stored with negative value (-1).
- deny-listed syscalls, which are stored with specified errno.

Fixes #18916.
2021-03-08 21:28:42 +09:00
Yu Watanabe
9e29ee4072 seccomp: use FLAGS_SET() macro 2021-03-08 21:28:42 +09:00
Yu Watanabe
084a46d7c5 core,seccomp: refuse to specify errno for allow-listed syscalls 2021-03-08 21:28:38 +09:00
Yu Watanabe
696a13bab7 core: drop meaningless parse_syscall_and_errno() calls
parse_syscall_and_errno() does not check the validity of syscall name or
syscall group name, but it just split into syscall name and errno.
So, it is not necessary to call it for SystemCallLog=.
2021-03-08 21:26:13 +09:00
Yu Watanabe
1862b310c5 seccomp: fix comment and change variable name 2021-03-08 21:25:54 +09:00
Yu Watanabe
335171ca84 test: parse_syscall_and_errno() accepts zero errno 2021-03-08 21:22:24 +09:00
Yu Watanabe
17884f979a test: move test_parse_syscall_and_errno() to test-seccomp.c 2021-03-08 21:22:24 +09:00
Zbigniew Jędrzejewski-Szmek
1d73ffeae1 missing-syscalls: do not generate trailing empty line
The generated .h file was already like this, but what the generator generated
did not match. So we only need to update the generator.
2021-03-08 12:39:50 +01:00
Zbigniew Jędrzejewski-Szmek
36fd31f525 syscalls: update tables
bfin_spinlock and cache_sync are dropped from the table, but didn't have
numbers assigned.

mount_setattr was added in v5.11-rc4-35-g2a1867219c.
2021-03-08 12:31:46 +01:00
Zbigniew Jędrzejewski-Szmek
f76e564437 homed: unref the sd_event object after the sources
Shouldn't make any difference, but let's first flush any pending messages, then
unref the reference-counted stuff, and only at the end do the direct free calls.
2021-03-08 12:00:22 +01:00
Zbigniew Jędrzejewski-Szmek
cf5366387b homed: disable event sources before unreffing them
C.f. 9793530228.

We'd crash when trying to access an already-deallocated object:

Thread no. 1 (7 frames)
 #2 log_assert_failed_realm at ../src/basic/log.c:844
 #3 event_inotify_data_drop at ../src/libsystemd/sd-event/sd-event.c:3035
 #4 source_dispatch at ../src/libsystemd/sd-event/sd-event.c:3250
 #5 sd_event_dispatch at ../src/libsystemd/sd-event/sd-event.c:3631
 #6 sd_event_run at ../src/libsystemd/sd-event/sd-event.c:3689
 #7 sd_event_loop at ../src/libsystemd/sd-event/sd-event.c:3711
 #8 run at ../src/home/homed.c:47

The source in question is an inotify source, and the messages are:

systemd-homed[1340]: /home/ moved or renamed, recreating watch and rescanning.
systemd-homed[1340]: Assertion '*_head == _item' failed at src/libsystemd/sd-event/sd-event.c:3035, function event_inotify_data_drop(). Aborting.

on_home_inotify() got called, then manager_watch_home(), which unrefs the
existing inotify_event_source. I assume that the source gets dispatched again
because it was still in the pending queue.

I can't reproduce the issue (timing?), but this should
fix #17824, https://bugzilla.redhat.com/show_bug.cgi?id=1899264.
2021-03-08 11:59:09 +01:00
Zbigniew Jędrzejewski-Szmek
23d24b76f3 homed: wrap some very long lines 2021-03-08 11:53:22 +01:00
Perry Yuan
9e04eb0d5f hwdb: 60-keyboard:: Update Dell Privacy Micmute Hotkey Map
Dell new Privacy feature provide new hardware level privacy
protect for users
This patch remaps scancode 0x120001 to key code F20 micmute
The old matching string cannot cover some other Dell products
which have the privacy feature,expand the string to all the system
that can load the privacy driver,privacy driver already detect the
system if it can support this feature. So here we can safely just
map the micmute key to scancode 0x120001

Signed-off-by: Perry Yuan <perry_yuan@dell.com>
2021-03-08 10:10:32 +01:00
Zbigniew Jędrzejewski-Szmek
f4929468eb
Merge pull request #18908 from mrc0mmand/fix-packit
ci: correctly drop patches with non four digit indexes
2021-03-07 21:31:31 +01:00
Luca Boccassi
e08c40417e
Merge pull request #18911 from keszybz/coverity-inspired-fixes
Coverity inspired fixes
2021-03-07 15:12:08 +00:00
Zbigniew Jędrzejewski-Szmek
a96a2591a1
Merge pull request #18907 from mrc0mmand/test-dissect-sanitizers
test: fix TEST-50-DISSECT under sanitizers
2021-03-07 12:46:15 +01:00
Zbigniew Jędrzejewski-Szmek
b903f16c2d TEST-15-DROPINS: improve check
https://github.com/systemd/systemd/pull/18579#discussion_r588983813
2021-03-07 12:27:55 +01:00
Zbigniew Jędrzejewski-Szmek
6bc352af1f basic/namespae-util: avoid one allocation 2021-03-07 12:22:28 +01:00
Zbigniew Jędrzejewski-Szmek
9e8a392a9a basic/os-util: adjust indentation 2021-03-07 12:15:42 +01:00
Zbigniew Jędrzejewski-Szmek
60d9c4f3b9 journal-remote: check return value from MHD_add_response_header
Sadly, the API does not allow us to distinguish oom from invalid settings.
If the call fails, let's assume oom happened.

Coverity CID#1444714.
2021-03-07 12:08:06 +01:00
Zbigniew Jędrzejewski-Szmek
e3790c1480 core: fix netns/ipcns socket confusion
Fixup for a70581ffb5. Coverity CID#1448383.
2021-03-07 11:56:13 +01:00
Frantisek Sumsal
faf00fd7e1 ci: revert back to --werror instead of -Dc_args=-Werror
-Dc_args=/-Dcpp_args= don't play well with the RPM hardening macros
using $CFLAGS/$CPPFLAGS, since they're mutually exclusive.
2021-03-07 11:07:50 +01:00
Anita Zhang
05e8862806
Merge pull request #18910 from yuwata/socket-util-initialize-variable
socket-util: initialize variable with cleanup attribute
2021-03-06 22:37:01 -08:00
Yu Watanabe
f96f5d54b8 socket-util: initialize variable with cleanup attribute
Follow-up for 83e03c4fc2.

Fixes CID#1448460.
2021-03-07 10:32:36 +09:00
Frantisek Sumsal
8615b1f292 ci: correctly drop patches with non four digit indexes 2021-03-06 22:53:09 +01:00
Frantisek Sumsal
9f6235e1b4 test: fix TEST-50-DISSECT under sanitizers
This test would normally get stuck when trying to mount the verity image
due to:

systemd-udevd[299]: dm-0: '/usr/sbin/dmsetup udevflags 6293812'(err) '==371==ASan runtime does not come first in initial library list; you should either link runtime to your application or manually preload it with LD_PRELOAD.'
systemd-udevd[299]: dm-0: Process '/usr/sbin/dmsetup udevflags 6293812' failed with exit code 1
...
systemd-udevd[299]: dm-0: '/usr/sbin/dmsetup udevcomplete 6293812'(err) '==372==ASan runtime does not come first in initial library list; you should either link runtime to your application or manually preload it with LD_PRELOAD.'
systemd-udevd[299]: dm-0: Process '/usr/sbin/dmsetup udevcomplete 6293812' failed with exit code 1.
systemd-udevd[299]: dm-0: Command "/usr/sbin/dmsetup udevcomplete 6293812" returned 1 (error), ignoring.

so let's add a simple udev rule which sets $LD_PRELOAD for the block
subsystem.

Also, install the ASan library along with necessary dependencies into
the verity minimal image, to get rid of the annoying (yet harmless)
errors about missing library from $LD_LIBRARY.
2021-03-06 22:44:00 +01:00
Frantisek Sumsal
648fd18924 test: tidy up the ASan-related stuff 2021-03-06 22:43:58 +01:00
Yu Watanabe
edf1b5ec92
Merge pull request #18892 from poettering/cname-tweaks
resolved: properly handle stub replies for chains of multiple CNAMEs
2021-03-07 03:03:27 +09:00
Yu Watanabe
f91861e49f dissect: fix memleak
Fixes #18903.
2021-03-07 03:02:47 +09:00
Carlo Wood
57f69536a8
Manual page fixes (#18906) 2021-03-07 02:54:33 +09:00
Lennart Poettering
47f9f84ca9
Merge pull request #18891 from keszybz/size_t-cast-removal
size_t cast removal
2021-03-06 14:32:46 +01:00
Lennart Poettering
5d7da51ee1 resolved: when synthesizing stub replies from multiple upstream packet, let's avoid RR duplicates
If we synthesize a stub reply from multiple upstream packet (i.e. a
series of CNAME/DNAME redirects), it might happen that we add the same
RR to a different reply section at a different CNAME/DNAME redirect
chain element. Let's clean this up once we are about to send the reply
message to the client: let's remove sections from "lower-priority"
sections when they are already listed in a "higher-priority" section.
2021-03-06 14:04:21 +01:00
Lennart Poettering
b97fc57178 resolved: fully follow CNAMEs in the DNS stub after all
In 2f4d8e577c I argued that following
CNAMEs in the stub is not necessary anymore. However, I think it' better
to revert to the status quo ante and follow it after all, given it is
easy for us and makes sure our D-Bus/varlink replies are more similar to
our DNS stub replies that way, and we save clients potential roundtrips.

Hence, whenever we hit a CNAME/DNAME redirect, let's restart the query
like we do for the D-Bus/Varlink case, and collect replies as we go.
2021-03-06 14:04:21 +01:00
Lennart Poettering
39005e1870 resolved: split out helper that checks whether we shall reply with EDNS0 DO
Just some refactoring, no actual code changes.
2021-03-06 14:04:21 +01:00
Lennart Poettering
4838dc4f2b resolved: handle multiple CNAME redirects in a single reply from upstream
www.netflix.com responds with a chain of CNAMEs in the same packet.
Let's handle that properly (so far we only followed CNAMEs a single step
when in the same packet)

Fixes: #18819
2021-03-06 14:04:10 +01:00
Lennart Poettering
d29958261a resolved: tighten checks in dns_resource_record_get_cname_target()
Let's refuse to consider CNAME/DNAME replies matching for RR types where
that is not really conceptually allow (i.e. on CNAME/DNAME lookups
themselves).

(And add a similar check to dns_resource_key_match_cname_or_dname() too,
which implements a smilar match)
2021-03-06 13:33:50 +01:00
Lennart Poettering
e0ae456a55 dns-query: export CNAME_MAX, so that we can use it in other files, too
Let's rename it a bit, to be more explanatory while exporting it.

(And let's bump the CNAME limit to 16 — 8 just sounded so little)
2021-03-06 13:33:50 +01:00
Yu Watanabe
2541462f1b
Merge pull request #18890 from keszybz/fuzz-bus-match
Add fuzzers for bus match parsing code
2021-03-06 20:35:38 +09:00