Previously, if activation failed, link did not enter the failed state,
but still Link.activated flag not set. Hence, nothing processed even if
the interface is manually brought up later.
Partially fixes #23649.
For the system manager, /run/systemd/private is publicly accessible, because
/run/systemd is 0755, and /run/systemd/private is 0777. For the user manager,
/run/user/<uid> is 0700, and /run/user/<uid>/systemd/private is 0777. This
does not directly cause any security issue because we check the sender in
bus_check_peercred (ucred.uid != 0 && ucred.uid != geteuid()).
But it makes sense to limit access to the socket to avoid wasting time in PID1.
Somebody could send messages there that we'd reject anyway. It also makes
things more explicit.
This can be easily used to show that the issue described in
ceedbf8185 is still reproduced:
$ strace -e execveat build/test-execve /bin/grep Name /proc/self/status
execveat(3, "", ["/bin/grep", "Name", "/proc/self/status"], NULL, AT_EMPTY_PATH) = 0
Name: 3
libblkid gained new tags - FSSIZE, FSLASTBLOCK and FSBLOCKSIZE.
These tags are filesystem related properties probed from superblock.
All of them are enabled by BLKID_SUBLKS_FSINFO flag.
Set the flag to allow these tags to be cached in udev db.
While Type=file works because it seems to be the default, the line gets
ignored as printed on the stderr output.
Use the correct value "regular-file" for the target type.
A read-only /usr may ship a sysext image by default and the user wants
to opt out. Currently it's not clear how to do this.
Document that a /dev/null symlink in /etc/extensions/ works to "mask" a
sysext image in a folder with lower precedence.
While overlaying files with a sysext can be useful, it may lead to
unexpected problems depending on when a process got started and which
version of the file it gets.
Call out that overlaying files is possible but don't recommend to make
use of it.
Previous implementation of disabling rapid commit was broken, and
dropped by 308d01f3c4.
Let's re-introduce the option in the correct way, as some servers seem
to return a borked message when the solicit message contains the rapid
commit option.
Closes #24065.
That's not necessary. Moreover, if the socket units are stopped in
`setUpModule()`, then there exists a short timespan that we cannot call
`udevadm control`, as the control socket may not be opened yet.
If we run whole tests, then the first test is
NetworkctlTests.test_altname, and it calls `udevadm control` in `setUp()`.
Hence, the test may fail.
Fixes https://github.com/systemd/systemd-centos-ci/pull/512#issuecomment-1191591008.
I had trouble finding the right paragraphs, so I guess others might have
too. Hence let's add a tiny bit more structure by separating these two
parts out.
Do not go back to disk on each selinux access, but instead cache the
label off the inode we are actually reading. That way unit file contents
and unit file label we use for access checks are always in sync.
Based on discussions here:
https://github.com/systemd/systemd/pull/10023#issuecomment-1179835586
Replaces:
https://github.com/systemd/systemd/pull/23910
This changes behaviour a bit, because we'll reach and cache the label at
the moment of loading the unit (i.e. usually on boot and reload), but
not after relabelling. Thus, users must refresh the cache explicitly via
a "systemctl daemon-reload" if they relabelled things.
This makes the SELinux story a bit more debuggable, as it adds an
AccessSELinuxContext bus property to units that will report the label we are
using for a unit (or the empty string if not known).
This also drops using the "source" path of a unit as label source. If
there's value in it, then generators should manually copy the selinux
label from the source files onto the generated unit files, so that the
rule that "access labels are read when we read the definition files" is
upheld. But I am not convinced this is really a necessary, good idea.
Estimated battery discharge rate per hour is stored in:
/var/lib/systemd/sleep/battery_discharge_percentage_rate_per_hour
This value is used to determine the initial suspend interval. In case
this file is not available or value is invalid, HibernateDelaySec
interval is used.
After wakeup from initial suspend, this value is again estimated and
written to file if value is in range of 1-199.
Logs for reference : HibernateDelaySec=15min
- Updated in /etc/systemd/sleep.conf
Jul 14 19:17:58 localhost systemd-sleep[567]: Current battery charge percentage: 100%
Jul 14 19:17:58 localhost systemd-sleep[567]: Failed to read discharge rate from /var/lib/systemd/sleep/battery_discharge_percentage_rate_per_hour: No such file or directory
Jul 14 19:17:58 localhost systemd-sleep[567]: Set timerfd wake alarm for 15min
Jul 14 19:33:00 localhost systemd-sleep[567]: Current battery charge percentage after wakeup: 90%
Jul 14 19:33:00 localhost systemd-sleep[567]: Attempting to estimate battery discharge rate after wakeup from 15min sleep
Jul 14 19:33:00 localhost systemd-sleep[567]: product_id does not exist: No such file or directory
Jul 14 19:33:00 localhost systemd-sleep[567]: Estimated discharge rate 39 successfully updated to /var/lib/systemd/sleep/battery_discharge_percentage_rate_per_hour
Jul 14 19:33:00 localhost systemd-sleep[567]: Current battery charge percentage: 90%
Jul 14 19:33:00 localhost systemd-sleep[567]: product_id does not exist: No such file or directory
Jul 14 19:33:00 localhost systemd-sleep[567]: Set timerfd wake alarm for 1h 48min 27s
Jul 14 21:21:30 localhost systemd-sleep[567]: Current battery charge percentage after wakeup: 90%
Jul 14 21:21:30 localhost systemd-sleep[567]: Battery was not discharged during suspension
If battery current charge percentage is below 5% hibernate directly.
Else initial suspend interval is set for HibernateDelaySec. On wakeup
estimate battery discharge rate per hour and if battery charge
percentage is not below 5% system is suspended else hibernated.
- Extra memory because ASAN needs it
- The environment variables to make the sanitizers more useful
- LD_PRELOAD because the ASAN DSO needs to be the first in the list
- The sanitizer library packages
- Disable syscall filters because they interfere with ASAN
- Disable systemd-hwdb-update because it's super slow when systemd-hwdb
is built with sanitizers
- Take the value for meson's b_sanitize option from the SANITIZERS
environment variable
It is not clear what "unprivileged user namespaces are available" means.
It could mean either that they are only usable, that is, enabled in the kernel,
or they have been enabled for the specific service. Referring to the
`PrivateUsers=` options makes it clear that the latter is meant.