1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00
Commit Graph

46275 Commits

Author SHA1 Message Date
Lennart Poettering
24da96a1bd units: turn on ProtectProc= wherever suitable 2020-08-24 20:11:14 +02:00
Lennart Poettering
ed125c936c analyze-security: check for ProtectProc=/ProcSubset= 2020-08-24 20:11:10 +02:00
Lennart Poettering
4e39995371 core: introduce ProtectProc= and ProcSubset= to expose hidepid= and subset= procfs mount options
Kernel 5.8 gained a hidepid= implementation that is truly per procfs,
which allows us to mount a distinct once into every unit, with
individual hidepid= settings. Let's expose this via two new settings:
ProtectProc= (wrapping hidpid=) and ProcSubset= (wrapping subset=).

Replaces: #11670
2020-08-24 20:11:02 +02:00
Lennart Poettering
df6b900a1b namespace: assert() first, use second 2020-08-24 20:10:58 +02:00
Lennart Poettering
52b3d6523f namespace: move protect_{home|system} into NamespaceInfo
it's not entirely clear what shall be passed via parameter and what via
struct, but these two definitely fit well with the other protect_xyz
fields, hence let's move them over.

We probably should move a lot more more fields into the structure
actuall (most? all even?).
2020-08-24 20:10:30 +02:00
Lennart Poettering
68dd195c1b man: drop reference to long gone .busname unit type
Seems we missed one occurence.
2020-08-24 20:08:52 +02:00
Jan Chren
be3f62faf5 man: fix a fix of a typo in systemd.service example
The fix from cb263973ac was made the other way around,
i.e. `SIGKILL` was changed to `SIGUSR1`, but the sentence is about a "termination signal", i.e. `SIGKILL`, not `SIGUSR1`.
2020-08-24 17:04:01 +02:00
Zbigniew Jędrzejewski-Szmek
e8767f0a1c
Merge pull request #16815 from weblate/weblate-systemd-master
Translations update from Weblate
2020-08-24 16:21:12 +02:00
Clemens Gruber
f594b5feab network: can: Fix CAN initialization
When introducing CAN-FD support, the .can_fd_mode was not initalized
with -1 and due to cm.mask containing the CAN_CTRLMODE_FD bit, it was
not ignored when FDMode was not configured but instead disabled.
The same thing happened when listen-only mode support was introduced.

On chips that do not support these features, this lead to an error:
can0: Failed to configure CAN link: Operation not supported

Fix it by intializing all the CAN related tristate variables
(.can_listen_only, .can_fd_mode and .can_non_iso) to -1.
2020-08-24 09:33:25 +02:00
Zbigniew Jędrzejewski-Szmek
69bb9f999c
Merge pull request #16817 from keszybz/update-bus-api-docs
Update bus api docs
2020-08-24 09:31:31 +02:00
Oğuz Ersen
3b0b5c379c Translated using Weblate (Turkish)
Currently translated at 100.0% (133 of 133 strings)

Co-authored-by: Oğuz Ersen <oguzersen@protonmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/master/tr/
Translation: systemd/master
2020-08-24 09:29:20 +02:00
Adolfo Jayme Barrientos
61acb108e7 Translated using Weblate (Spanish)
Currently translated at 100.0% (113 of 113 strings)

Co-authored-by: Adolfo Jayme Barrientos <fitoschido@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/master/es/
Translation: systemd/master
2020-08-24 09:29:19 +02:00
Weblate
78ed7aafa4 Update translation files
Updated by "Update PO files to match POT (msgmerge)" hook in Weblate.

Co-authored-by: Weblate <noreply@weblate.org>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/master/
Translation: systemd/master
2020-08-24 09:29:19 +02:00
Zbigniew Jędrzejewski-Szmek
3c682b17ce docs: add man/update-dbus-docs step to release instructions 2020-08-22 12:39:37 +02:00
Zbigniew Jędrzejewski-Szmek
35f4e010da man: add RootImageOptions and associated bits to dbus api docs
Relevant commits:
b3d133148e,
18d7370587.
2020-08-22 12:39:01 +02:00
Zbigniew Jędrzejewski-Szmek
9653108f11 man: update autogenerated dbus api lists
We forgot to do this before the release :(
Relavant commits are:
4e11ddfdd3,
0bb007f7a2,
a3d19f5d99,
bf76080180,
4793c31083.

Suitable for backporting.
2020-08-22 12:36:43 +02:00
Zbigniew Jędrzejewski-Szmek
d3fcecf3c9 man: import lxml formatting changes
lxml insists on this, see 4fb222c4b2.
2020-08-22 12:28:49 +02:00
Ronan Pigott
f3d97c0587 docs: fix gpt-auto-generator manpage link 2020-08-22 12:26:27 +02:00
Zbigniew Jędrzejewski-Szmek
eea63c03b9
Merge pull request #16808 from yuwata/test-network-reconfigure-routing-policy-rules
add a test case for [RoutingPolicyRule] and fix minor issue in man page
2020-08-21 14:20:52 +02:00
Zbigniew Jędrzejewski-Szmek
e2f116a54c
Merge pull request #16789 from keszybz/weblate
Import the .pot file into version control for weblate
2020-08-21 14:18:31 +02:00
Lennart Poettering
9aab8d7a98
Merge pull request #16804 from keszybz/conditionals-and-spelling-fixes
Conditionals and spelling fixes
2020-08-21 13:36:30 +02:00
Steve Dodd
44aaddad06 Request seccomp logging if SYSTEMD_LOG_SECCOMP environment variable is set. 2020-08-21 11:24:53 +02:00
Zbigniew Jędrzejewski-Szmek
3fb01017ee
Merge pull request #16686 from bluca/mount_images_opts
core: add mount options support for MountImages
2020-08-21 10:11:08 +02:00
Aurelien Jarno
f9252236c8 seccomp: add support for riscv64
This patch adds seccomp support to the riscv64 architecture. seccomp
support is available in the riscv64 kernel since version 5.5, and it
has just been added to the libseccomp library.

riscv64 uses generic syscalls like aarch64, so I used that architecture
as a reference to find which code has to be modified.

With this patch, the testsuite passes successfully, including the
test-seccomp test. The system boots and works fine with kernel 5.4 (i.e.
without seccomp support) and kernel 5.5 (i.e. with seccomp support). I
have also verified that the "SystemCallFilter=~socket" option prevents a
service to use the ping utility when running on kernel 5.5.
2020-08-21 10:10:29 +02:00
Yu Watanabe
d91b9bbce8 man: fix invalid tag place 2020-08-21 15:30:05 +09:00
Yu Watanabe
9dffe6fc27 test-network: add a test case for reconfiguring routing policy rules
C.f. #16784.
2020-08-21 15:27:38 +09:00
Zbigniew Jędrzejewski-Szmek
990307c3da
Merge pull request #16803 from poettering/analyze-condition-rework
support missing conditions/asserts everywhere
2020-08-20 18:18:13 +02:00
Lennart Poettering
cbed1dc8af mount-util: tweak how we find inaccessible device nodes
On new kernels (>= 5.8) unprivileged users may create the 0:0 character
device node. Which is great, as we can use that as inaccessible device
nodes if we run unprivileged. Hence, change how we find the right
inaccessible device inodes: when the user asks for a block device node,
but we have none, try the char device node first. If that doesn't exist,
fall back to the socket node as before.

This means that:

1. in the best case we'll return a node if the right device node type
2. otherwise we hopefully at least can return a device node if one asked
   for even if the type doesn't match (i.e. we return char instead of
   the requested block device node)
3. in the worst case (old kernels…) we'll return a socket node
2020-08-20 18:15:29 +02:00
Zbigniew Jędrzejewski-Szmek
2aed63f427 tree-wide: fix spelling of "fallback"
Similarly to "setup" vs. "set up", "fallback" is a noun, and "fall back"
is the verb. (This is pretty clear when we construct a sentence in the
present continous: "we are falling back" not "we are fallbacking").
2020-08-20 17:45:32 +02:00
Zbigniew Jędrzejewski-Szmek
bb5a34fb3e man: add conditionals to more man pages
Fixes #16701.
2020-08-20 17:42:13 +02:00
Zbigniew Jędrzejewski-Szmek
b3259a6e5f meson: add ENABLE_ANALYZE conditional 2020-08-20 17:42:13 +02:00
Zbigniew Jędrzejewski-Szmek
4338ab8163 meson: fix build/man/{man,html} to support page redirects
Commands like build/man/man journald.conf.d would show the installed
man page (or an error if the page cannot be found in the global search
path), and not the one in the build directory. If the man page is
a redirect, or the .html is a symlink, resolve it, build the target,
and show that.
2020-08-20 17:42:13 +02:00
Zbigniew Jędrzejewski-Szmek
7eac7b4c62 test-string-util: add a test for strjoin()
Strangely, we didn't have one so far. I mostly wanted to verify
that NULL can be used in any spot at behaves the same as "".
2020-08-20 17:42:13 +02:00
Zbigniew Jędrzejewski-Szmek
c32c4352b4 test-acl-util: output more debug info
For some reason this failed in koji build on s390x:
--- command ---
16:12:46 PATH='/builddir/build/BUILD/systemd-stable-246.1/s390x-redhat-linux-gnu:/usr/bin:/bin:/usr/sbin:/sbin:/usr/local/sbin' SYSTEMD_LANGUAGE_FALLBACK_MAP='/builddir/build/BUILD/systemd-stable-246.1/src/locale/language-fallback-map' SYSTEMD_KBD_MODEL_MAP='/builddir/build/BUILD/systemd-stable-246.1/src/locale/kbd-model-map' /builddir/build/BUILD/systemd-stable-246.1/s390x-redhat-linux-gnu/test-acl-util
--- stdout ---
-rw-r-----. 1 mockbuild mock 0 Aug  7 16:12 /tmp/test-empty.7RzmEc
other::---
--- stderr ---
Assertion 'r >= 0' failed at src/test/test-acl-util.c:42, function test_add_acls_for_user(). Aborting.
2020-08-20 17:42:13 +02:00
Lennart Poettering
5b14956385
Merge pull request #16543 from poettering/nspawn-run-host
nspawn: /run/host/ tweaks
2020-08-20 16:20:05 +02:00
Luca Boccassi
427353f668 core: add mount options support for MountImages
Follow the same model established for RootImage and RootImageOptions,
and allow to either append a single list of options or tuples of
partition_number:options.
2020-08-20 14:45:40 +01:00
Luca Boccassi
9ece644435 core: change RootImageOptions to use names instead of partition numbers
Follow the designations from the Discoverable Partitions Specification
2020-08-20 13:58:02 +01:00
Luca Boccassi
bc8d56d305 core: use strv_split_colon_pairs when parsing RootImageOptions 2020-08-20 13:24:32 +01:00
Luca Boccassi
c20acbb2bd core: cleanup unused variables
Leftovers from previous implementation of MountImages feature, unused now
2020-08-20 13:24:32 +01:00
Lennart Poettering
c1093c34d7 sd-bus: fix error handling on readv()
let's make sure we collect the right error code from errno, otherwise
we'll see EPERM (i.e. error 1) for all errors readv() returns (since it
returns -1 on error), including EAGAIN.

This is definitely backport material.

A fix-up for 3691bcf3c5.

Fixes: #16699
2020-08-20 14:14:36 +02:00
Lennart Poettering
476cfe626d core: remove support for ConditionNull=
The concept is flawed, and mostly useless. Let's finally remove it.

It has been deprecated since 90a2ec10f2 (6
years ago) and we started to warn since
55dadc5c57 (1.5 years ago).

Let's get rid of it altogether.
2020-08-20 14:01:25 +02:00
Lennart Poettering
4f55a5b0bf core: add missing conditions/asserts to unit file parsing 2020-08-20 13:56:14 +02:00
Lennart Poettering
625a164069 analyze: rework condition testing
Let's drop the private table and just use the generic concepts we have
in place already that make the same information available.

Fixes: #16781
2020-08-20 13:47:45 +02:00
Luca Boccassi
7489ccc350 coding style: document how to break a function declaration 2020-08-20 13:19:28 +02:00
Lennart Poettering
037857507a man: fix xml tags 2020-08-20 13:19:01 +02:00
Lennart Poettering
7b24e6e3fa
Merge pull request #16221 from bluca/show_microsec
systemctl: add --timestamp to change timestamp print format
2020-08-20 13:15:04 +02:00
Lennart Poettering
5d1e68b494 user-runtime-dir: deal gracefully with missing logind properties
Fixes: #16685
2020-08-20 13:12:02 +02:00
Zbigniew Jędrzejewski-Szmek
ec673ad4ab
Merge pull request #16559 from benzea/benzea/memory-recursiveprot
mount-setup: Enable memory_recursiveprot for cgroup2
2020-08-20 13:05:07 +02:00
Zbigniew Jędrzejewski-Szmek
0cd9ccb654
Merge pull request #16677 from poettering/statx-mntid
make use of new kernel 5.8 statx() mount id/mountpoint APIs
2020-08-20 10:58:14 +02:00
Zbigniew Jędrzejewski-Szmek
a4df0c004a
Merge pull request #16782 from keszybz/seccomp-use-cleanup
Use less iffedeffery around syscall names and _cleanup_ in one more place
2020-08-20 10:27:55 +02:00