IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
This downgrades errors from setting file attributes via tmpfiles to
warnings and makes them non-fatal.
Also, as a special case, if a file system does not support file
attributes at all, then the message is downgraded to debug, so that it
is not seen at all.
With this change reiserfs should not see any messages at all anymore
(since it apparently does not implement file attributes at all), but XFS
will still get a warning but no failure. The warning is something the
XFS kernel folks should fix though, by adjusting their file attributes
behaviour to be identical to ext234's.
Fixes#560.
Making the array static allows gcc -O2 to generate smaller code:
"size systemd" before:
text data bss dec hex filename
1377286 128608 2632 1508526 1704ae systemd
After:
text data bss dec hex filename
1374326 128572 2664 1505562 16f91a systemd
(IN_SET still results in worse generated code than using
"x == FOO || x == BAR || ...". I don't think we'll be able to match
that with the C preprocessor.)
This change limits the use of IN_SET to sets with constant elements. All
present callers use constants. The compiler would report an "initializer
element is not constant" error otherwise.
Putting the set elements in an array variable and using ELEMENTSOF makes
it clearer what's going on.
Incidentally, it also makes gcc -O2 generate slightly smaller code:
"size systemd", before:
text data bss dec hex filename
1378318 128608 2632 1509558 1708b6 systemd
After:
text data bss dec hex filename
1377286 128608 2632 1508526 1704ae systemd
We do not print all non-OK job completion status messages to the console
in red, because not all of them are plain errors. We do however log the
same messages as LOG_ERR.
Differentiate the log levels by deducing them from the job result in a
way that more or less matches the color of the console message.
This is similar to "core: always try harder to get unit status
message format string", but for job completion status messages.
It makes generic status messages applicable for printing to the console.
And it rewrites the functions in a more table-based style.
unit_get_status_message_format() is used only with one of JOB_START,
JOB_STOP, JOB_RELOAD, all of which have fallback message strings
defined, so the function may never return NULL.
WRITE_STRING_FILE_ATOMIC is only valid if WRITE_STRING_FILE_CREATE is also
given. IOW, an atomic file write operation is only possible when creating a
file is also being asked for.
This is a regression from the recent write_string_file() rework.
WRITE_STRING_FILE_ATOMIC is only valid if WRITE_STRING_FILE_CREATE is also
given. IOW, an atomic file write operation is only possible when creating a
file is also being asked for.
This is a regression from the recent write_string_file() rework.
The starting/stopping messages are printed to the console only if the
corresponding format string is defined in the unit's vtable. To avoid
excessive messages on the console, the unit types whose start/stop
jobs are instantaneous had the format strings intentionally undefined.
When logging the same event to the journal, a fallback to generic
Starting/Stopping/Reloading messages is used.
The problem of excessive console messages with instantaneous jobs
is already resolved in a nicer way ("core: fix confusing logging of
instantaneous jobs"), so there's no longer a need to have two ways of
getting the format strings. Let's fold them into one function with
the fallback to generic message strings.
Return 1 from *_reload() methods to signify "we did something", just
like in *_start(). This causes "Reloading foo..." messages to be logged.
"Reloaded foo." messages are already logged.
For instantaneous jobs (e.g. starting of targets, sockets, slices, or
Type=simple services) the log shows the job completion
before starting:
systemd[1]: Created slice -.slice.
systemd[1]: Starting -.slice.
systemd[1]: Created slice System Slice.
systemd[1]: Starting System Slice.
systemd[1]: Listening on Journal Audit Socket.
systemd[1]: Starting Journal Audit Socket.
systemd[1]: Reached target Timers.
systemd[1]: Starting Timers.
...
The reason is that the job completes before the ->start() method returns
and only then does unit_start() print the "Starting ..." message.
The same thing happens when stopping units.
Rather than fixing the order of the messages, let's just not emit the
Starting/Stopping message at all when the job completes instantaneously.
The job completion message is sufficient in this case.
If Linux efi stub is used, embedded cmdline in efi stub is
not shown. As a result, it is required to rewrite all the
line, if is only required to modify it. This behavior only
happen using Linux efi stub.
This patch allows boot loader to show embedded cmdline when
'e' key is pressed to edit boot loader options.
If a session is in closing state (and already got rid of its VT), then
never re-select it for that VT. There is no reason why we should grant
something to a session that is already going away *AND* already got rid
of exactly that.
Our seat->positions[] array keeps track of the 'preferred' session on a
VT. The only situation this is used, is to select the session to activate
when a VT is activated. In the normal case, there's only one session per
VT so the selection is trivial.
Older greeters, however, implement take-overs when they start sessions on
the same VT that the greeter ran on. We recently limited such take-overs
to VTs where a greeter is running on, to force people to never share VTs
in new code that is written.
For legacy reasons, we need to be compatible to old greeters, though.
Hence, we allow those greeters to implement take-over. In such take-overs,
however, we should really make sure that the new sessions gets preferred
over the old one under all circumstances. Hence, make sure we override
the previous preferred session with a new session.
The lovely libvirtd goes into crazy mode if it receives broadcasts that
it didn't subscribe to. With bus-proxyd, this might happen in 2 cases:
1) The kernel passes us an unmatched signal due to a false-positive
bloom-match.
2) We generate NameOwnerChanged/NameAcquired/NameLost locally even
though the peer didn't subscribe to it.
dbus-daemon is reliable in what signals it passes on. So make sure we
follow that style. Never ever send a signal to a local peer if it doesn't
match an installed filter of that peer.
This adds test-bus-proxy which should be used to test correct behavior of
systemd-bus-proxyd. The first test that was added is to verify we actually
receive NameAcquired signals for ourselves on bus-connect.
If the caller does not specify arg1 for NameOwnerChanged matches, we
really must take the ID from arg2 or arg3, if provided. They are
guaranteed to be identical to arg1 if either is supplied, but there is no
strict requiredment that arg1 is supplied. Hence, make sure to always
take the more restrictive match. Otherwise, we install rather wide
matches without anyone requiring them.
Make sure we don't install NameOwnerChanged matches if the caller passed
a destination='' match (except if it is the broadcast address). Per spec,
all NameOwnerChanged signals are broadcasts.
Only the NameLost/NameAcquired signals are unicasts, but those are never
received through sd-bus. Instead, the bus-proxy synthesizes them and it
already installs proper matches for them.
Reuse the Iterator object from hashmap.h and expose a similar API.
This allows us to do
{
Iterator i;
unsigned n;
BITMAP_FOREACH(n, b, i) {
Iterator j;
unsigned m;
BITMAP_FOREACH(m, b, j) {
...
}
}
}
without getting confused. Requested by David.
In gvariant, all fixed-size objects need to be sized a multiple of their
alignment. If a structure has only fixed-size members, it is required to
be fixed size itself. If you imagine a structure like (ty), you have an
8-byte member followed by an 1-byte member. Hence, the overall inner-size
is 9. The alignment of the object is 8, though. Therefore, the specs
mandates final padding after fixed-size structures, to make sure it's
sized a multiple of its alignment (=> 16).
On the gvariant decoder side, we already account for this in
bus_gvariant_get_size(), as we apply overall padding to the size of the
structure. Therefore, our decoder correctly skips such final padding when
parsing fixed-size structure.
On the gvariant encoder side, however, we don't account for this final
padding. This patch fixes the structure and dict-entry encoders to
properly place such padding at the end of non-uniform fixed-size
structures.
The problem can be easily seen by running:
$ busctl --user monitor
and
$ busctl call --user org.freedesktop.systemd1 / org.foobar foobar "(ty)" 777 8
The monitor will fail to parse the message and print an error. With this
patch applied, everything works fine again.
This patch also adds a bunch of test-cases to force non-uniform
structures with non-pre-aligned positions.
Thanks to Jan Alexander Steffens <jan.steffens@gmail.com> for spotting
this and narrowing it down to non-uniform gvariant structures. Fixes#597.
So right now our object-tree is limited to 2 levels at most
('/' and '/foo/...../bar'). We never link any intermediate levels, even
though that was clearly the plan. Fix the bus_node_allocate() helper to
actually link all intermediate nodes, too, not just the root node.
This fixes a simple inverse ptr-diff bug.
The downside of this fix is that we clearly never tested (nor used) the
object tree in any way. The only reason that the introspection works is
that our enumerators shortcut the object tree.
Lets see whether that code actually works..
Thanks to: Nathaniel McCallum <nathaniel@themccallums.org>
..for reporting this. See #524 for an actual example code.
It is highly confusing if a getter function returns 0, but the value is
set to NULL. This, right now, triggers assertions as code relies on the
returned values to be non-NULL.
Like with sd-bus-creds and friends, return 0 only if a value is actually
available.
Discussed with Tom, and actually fixes real bugs as in #512.
If /etc/machine-id is missing (eg., gold images), we should not fail
installing sd-boot. This is a perfectly fine use-case and we should simply
skip installing the default loader config in that case.
sd-dhcp-lease: fix handling of multiple routers
We only support one router, but in case more than one is given, we now ignore subsequent ones, rather than fall over.
We used to have one global socket, use one per transaction instead. This
has the side-effect of giving us a random UDP port per transaction, and
hence increasing the entropy and making cache poisoining significantly
harder to achieve.
We still reuse the same port number for packets belonging to the same
transaction (resent packets).
This improves the resilience against cache poisoning by being stricter
about only accepting responses that match precisely the requst they
are in reply to.
It should be noted that we still only use one port (which is picked
at random), rather than one port for each transaction. Port
randomization would improve things further, but is not required by
the RFC.
This patch adds support to configure IFF_VNET_HDR flag
for a tap device. It allows whether sending and receiving
large pass larger (GSO) packets. This greatly increases the
achievable throughput.
Make all LLMNR related packet inspections conditional to p->protocol.
Use switch-case statements while at it, which will make future additions
more readable.
The C and T bits in the DNS packet header definitions are specific to LLMNR.
In regular DNS, they are called AA and RD instead. Reflect that by calling
the macros accordingly, and alias LLMNR specific macros.
While at it, define RA, AD and CD getters as well.
This adds support for option 43 (Vendor Specific Information) to
libsystemd-network DHCP code. The option carries an opaque object of n
octets, interpreted by vendor-specific code on the clients and
servers.
[@zonque: adopted to new unhexmem() API]
We were ignoring failures from unhexchar, which meant that invalid
hex characters were being turned into garbage rather than the string
rejected.
Fix this by making unhexmem return an error code, also change the API
slightly, to return the size of the returned memory, reflecting the
fact that the memory is a binary blob,and not a string.
For convenience, still append a trailing NULL byte to the returned
memory (not included in the returned size), allowing callers to
treat it as a string without doing a second copy.
currently if a dhcp server sends more than one router, sd-dhcp-lease
does not copy the ip because it assumes it will only ever be 4 bytes. a
dhcp server could send more than one ip in the router list, so we should
copy the first one and ignore the rest of the bytes.
A while back we opened up all of logind's bus calls to unprivileged
users, via PK. However, the dbus1 policy wasn't updated accordingly.
With this change, the dbus1 policy is opened up for all bus calls that
should be available to unprivileged clients.
(also rearranges some calls in the vtable, to make more sense, and be in
line with the order in the bus policy file)
Fixes#471.
Spell out the proper name. Use 'pos' over 'position', and also update the
logind state file to do the same. Note that this breaks live updates.
However, we only save 'POSITION' on non-seat0, so this shouldn't bother
anyone for real. If you run multi-seat setups, you better restart a
machine on updates, anyway.
Make sure a greeter can forcefully spawn a session on a VT that is
in-use. A recent patch prevented this (this used to be possible for all
session types) as it is highly fragile. However, as it turns out,
greeters seem to rely on that feature. Therefore, make sure we allow it
explicitly for greeters.
Given a container "foo", that maps user id $UID to container user, using
user namespaces, this NSS module extenstion will now map the $UID to a
name "vu-foo-$TUID" for the translated UID $UID.
Similar, userns groups are mapped to "vg-foo-$TGID" for translated GIDs
of $GID.
This simple change should make userns users more discoverable. Also,
given that many tools like "adduser" check NSS before allocating a UID,
should lower the chance of UID range conflicts between tools.
If GetManagedObjects is called on /foo/bar, then it should also include
the object /foo/bar, if it exists. Right now, we only include objects
underneath /foo/bar/.
This follows the behavior of existing dbus implementations.
Obsoletes #527 and fixes#525. Reported by: Nathaniel McCallum
According to os-release(5), VERSION_ID is not mandatory and BUILD_ID only
needs to be unique underneath VERSION_ID. Therefore, assuming a missing
VERSION_ID field means 'empty', we can rely on BUILD_ID to be unique.
Use BUILD_ID if VERSION_ID is not present. This way, rolling-release
distros can still provide a proper os-release entry without crafting
random VERSION_ID strings.
This fixes#186.
There is no guarantee that the os-release section contains each key only
once, nor any guarantee that all keys are present. Make sure we properly
free memory in both cases.
Not that it matters much, as we're short-living, anyway. But correct code
is always nicer to read..
Right now, systemd-resolve-host fails if resolved is not running.
However, resolved supports bus-activation (at least on kdbus) just fine.
Enable this so we can use resolve-host at all times.
This was disabled right from the beginning, without any comment why.
All other *_get_description() functions use 'const char**', so make sure
sd_bus_slot_get_description() does the same.
This changes API, but ABI stays stable. I think this is fine, but I
wouldn't mind bumping SONAME.
Reported in #528.
It is no different to return 0 over 1 in the property
callback. It is confusing to return 1 which made me think
1 has a special purpose. This way code is consistent with
the rest of the tree.
Right now, if you're already in a session and call CreateSession, we
return information about the current session of yours. This is highy
confusing and a nasty hack. Avoid that, and instead return a commonly
known error, so the caller can detect that.
This has the side-effect, that we no longer override XDG_VTNR and XDG_SEAT
in pam_systemd, if you're already in a session. But this sounds like the
right thing to do, anyway.
Old gdm and lightdm start the user-session during login before they
destroy the greeter-session. Therefore, the user-session will take over
the VT from the greeter. We recently prevented this by never allowing
multiple sessions on the same VT. Fix this now, by explicitly allowing
this if the owning session is a GREETER.
Note that gdm no longer behaves like this. Instead, due to wayland, they
always use a different VT for each session. All other login-managers are
highly encouraged to destroy the greeter-session _before_ starting the
user-session. We now work around this, but this will probably not last
forever (and will already have nasty side-effects on the greeter-session).
The latest consolidation cleanup of write_string_file() revealed some users
of that helper which should have used write_string_file_no_create() in the
past but didn't. Basically, all existing users that write to files in /sys
and /proc should not expect to write to a file which is not yet existant.
Merge write_string_file(), write_string_file_no_create() and
write_string_file_atomic() into write_string_file() and provide a flags mask
that allows combinations of atomic writing, newline appending and automatic
file creation. Change all users accordingly.
- Make sure that the IPv6PrivacyExtensions=yes results in
prefer-temporary, not prefer-public.
- Introduce special enum value "kernel" to leave setting unset, similar
how we have it for the IP forwarding settings.
- Bring the enum values in sync with the the strings we parse for them,
to the level this makes sense (specifically, rename "disabled" to
"no", and "prefer-temporary" to "yes").
- Make sure we really set the value to to "no" by default, the way it is
already documented in the man page.
- Fix whitespace error.
- Make sure link_ipv6_privacy_extensions() actually returns the correct
enum type, rather than implicitly casting it to "bool".
- properly size formatting buffer for ipv6 sysctl value
- Don't complain if /proc/sys isn't writable
- Document that the enum follows the kernel's own values (0 = off, 1 =
prefer-public, 2 = prefer-temporary)
- Drop redundant negating of error code passed to log_syntax()
- Manpage fixes
This fixes a number of issues from PR #417
Right now, we never install destination matches on kdbus as the kernel did
not support MATCH rules on those. With the introduction of
KDBUS_ITEM_DST_ID we can now match on destination IDs, so add explicit
support for those.
This requires a recent kdbus module to work. However, there seems to be no
user-space that uses "Destination=''" matches, yet, so old kdbus modules
still work fine (we couldn't find any real user).
This is needed to match on unicast signals in bus-proxy. A followup will
add support for this.
There is logic to determine the UID shift from the file-system, rather
than having it be explicitly passed in.
However, this needs to happen in the child process that sets up the
mounts, as what's important is the UID of the mounted root, rather than
the mount-point.
Setting up the UID map needs to happen in the parent becuase the inner
child needs to have been started, and the outer child is no longer able
to access the uid_map file, since it lost access to it when setting up
the mounts for the inner child.
So we need to communicate the uid shift back out, along with the PID of
the inner child process.
Failing to communicate this means that the invalid UID shift, which is
the value used to specify "this needs to be determined from the file
system" is left invalid, so setting up the user namespace's UID shift
fails.
1) never bother with setting the flag for loopback devices
2) if we fail to write the flag due to EROFS (which is likely to happen
in containers where /proc/sys is read-only) or any other error, check
if the flag already has the right value. If so, don't complain.
Closes#469
Just like we conditionalize loading kdbus.ko, we should conditionalize
mounting kdbusfs. Otherwise, we might run with kdbus if it is builtin,
even though the user didn't want this.
This patch add support for ipv6 privacy extensions.
The variable /proc/sys/net/ipv6/conf/<if>/use_tempaddr
can be changed via the boolean
IPv6PrivacyExtensions=[yes/no/prefer-temporary]
When true enables privacy extensions, but prefer public addresses over
temporary addresses.
prefer-temporary prefers temporary adresses over public addresses.
Defaults to false.
[Match]
Name=enp0s25
[Network]
IPv6PrivacyExtensions=prefer-temporary
sdboot was renamed to systemd-boot
Fixes: e7dd673d1e ("gummiboot/sd-boot/systemd-boot: rename galore")
Signed-off-by: Miguel Bernal Marin <miguel.bernal.marin@linux.intel.com>
On dbus1, we receive systemd1.Agent signals via the private socket, hence
it's trusted. However, on kdbus we receive it on the system bus. We must
make sure it's sent by UID=0, otherwise unprivileged users can fake it.
Furthermore, never forward broadcasts we sent ourself. This might happen
on kdbus, as we forward the message on the same bus we received it on,
thus ending up in an endless loop.
Running `busctl monitor` currently buffers data for several seconds /
kilobytes before writing stdout. This is highly confusing if you dump in a
file, ^C busctl and then end up with a file with data of the last few
_seconds_ missing.
Fix this by explicitly flushing after each signal.
sd_bus_flush_close_unref() is a call that simply combines sd_bus_flush()
(which writes all unwritten messages out) + sd_bus_close() (which
terminates the connection, releasing all unread messages) +
sd_bus_unref() (which frees the connection).
The combination of this call is used pretty frequently in systemd tools
right before exiting, and should also be relevant for most external
clients, and is hence useful to cover in a call of its own.
Previously the combination of the three calls was already done in the
_cleanup_bus_close_unref_ macro, but this was only available internally.
Also see #327
systemd-journald races with systemd-tmpfiles-setup, and hence both are
started at about the same time. On a bare-bones system (e.g. with
empty /var, or even non-existent /var), systemd-tmpfiles will create
/var/log. But it can happen too late, that is systemd-journald already
attempted to mkdir /var/log/journal, ignoring the error. Thus failing
to create /var/log/journal. One option, without modifiying the
dependency graph is to create /var/log/journal directory with parents,
when persistent storage has been requested.
Qemu provides a separate pci-bridge exclusively for multi-seat setups.
The normal pci-pci bridge ("-device pci-bridge") has 1b36:0001. The new
pci-bridge-seat was specifically added to simplify guest-side
multiseat configuration. It is identical to the normal pci-pci bridge,
except that it has a different id (1b36:000a) so we can match it and
configure multiseating automatically.
Make sure we always treat this as separate seat if we detect this, just
like other "Pluggable" devices.
(David: write commit-message)
According to README we only need 3.7, and while it may also make sense
to bump that requirement when appropriate, it's trivial to fall back
when renameat2 is not available.
When we get notifications from the kernel, we always turn them into
synthetic dbus1 messages. This means, we do *not* consume the kdbus
message, and as such have to free the offset.
Right now, the translation-helpers told the caller that they consumed the
message, which is wrong. Fix this by explicitly releasing all kernel
messages that are translated.
Due to our _cleanup_ usage for the udev manager, it will be destroyed
after the "exit:" label has finished. Therefore, it is the last
destruction done in main(). This has two side-effects:
- mac_selinux is destroyed before the udev manager is, possible causing
use-after-free if the manager-cleanup accesses selinux data
- log_close() is called *before* the manager is destroyed, possibly
re-opening the log if you use --debug (and thus not re-applying the
--debug option)
Avoid this by moving the manager-handling into a new function called
run(). This function will be left before we enter the "exit:" label in
main(), hence, the manager object will be destroyed early.
Unlike dbus-daemon, the bus-proxy does not know the receiver of a
broadcast (as the kernel has exclusive access on the bus connections).
Hence, and "destination=" matches in dbus1 policies cannot be applied.
But kdbus does not place any restrictions on *SENDING* broadcasts, anyway.
The kernel never returns EPERM to KDBUS_CMD_SEND if KDBUS_MSG_SIGNAL is
set. Instead, receiver policies are checked. Hence, stop checking sender
policies for signals in bus-proxy and leave it up to the kernel.
This fixes some network-manager bus-proxy issues where NM uses weird
dst-based matches against interface-based matches. As we cannot perform
dst-based matches, our bus-proxy cannot properly implement this policy.
Right now, if you start a session via 'su' or 'sudo' from within a
session, we make sure to re-use the existing session instead of creating a
new one. We detect this by reading the session of the requesting PID.
However, with gnome-terminal running as a busname-unit, and as such
running outside the session of the user, this will no longer work.
Therefore, this patch makes sure to return the existing session of a VT if
you start a new one.
This has the side-effect, that you will re-use a session which your PID is
not part of. This works fine, but will break assumptions if the parent
session dies (and as such close your session even though you think you're
part of it). However, this should be perfectly fine. If you run multiple
logins on the same session, you should really know what you're doing. The
current way of silently accepting it but choosing the last registered
session is just weird.
bind() fails if it is called before setting SO_REUSEPORT and another
process is already binded to the same addess.
A new reuse_port option has been introduced to socket_address_listen()
to set the option as part of socket initialization.
Fix weird coding-style:
- proper white-space
- no if (func() >= 0) bail-outs
- fix braces
- avoid 'r' for anything but errno
- init _cleanup_ variables unconditionally, even if not needed
Though currently unused by us, netlink attribute types support embedding flags to indicate
if the type is encoded in network byte-order and if it is a nested attribute. Read out
these flags when parsing the message.
We will now swap the byteorder in case it is non-native when reading out integers (though
this is not needed by any of the types we currently support). We do not enforce the NESTED
flag, as the kernel gets this wrong in many cases.
It is needed in one branch of the fork, but calculated in another
branch.
Failing to do this means using --private-users without specifying a uid
shift always fails because it tries to shift the uid to UID_INVALID.
When we do a MS_BIND mount, it inherits the flags of its parent mount.
When we do a remount, it sets the flags to exactly what is specified.
If we are in a user namespace then these mount points have their flags
locked, so you can't reduce the protection.
As a consequence, the default setup of mount_all doesn't work with user
namespaces. However if we ensure we add the mount flags of the parent
mount when remounting, then we aren't removing mount options, so we
aren't trying to unlock an option that we aren't allowed to.
Push the extraction of the envp + argv as close as possible to their use, to avoid code
duplication. As a sideeffect fix logging when delaing execution.
If a link is attempted t obe enslaved by a netdev that has already failed, we
must fail immediately and not save the callback for later, as it will then
never get triggered.
This only happens when something has gone wrong, so is not easy to hit. However,
if a bridge (say) is configured on a system without bridge support we will hit
this.
Fixes issue #299.
Until commit 1f2ecb0 ("bootchart: kill a bunch of global variables")
variable "head" was declared global and this action was performed by svg_header.
Now that "head" is local and passed to each function called by svg_do(...)
move the code at the beginning of svg_do(...) to restore the correct behaviour.
Instead of representing containers as several arrays, make a new
netlink_container struct and keep one array of these structs. We
also introduce netlink_attribute structs that in the future will
hold meta-information about each atribute.
Commit c0f32805 ("logind: use sd_event timer source for inhibitor
logic") reworked the main loop logic of logind so that it uses a
real timeout callback handler to execute delayed functions.
What the old code did, however, was to call those functions on
every iteration in the main loop, not only when the timeout
expired.
Restore that behavior by bringing back manager_dispatch_delayed(),
and call it from manager_run(). The internal event source callback
manager_inhibit_timeout_handler() was turned into a wrapper of
manager_dispatch_delayed() now.
Commit aedd401 introduced new unit file state, UNIT_FILE_INDIRECT. Unit file is
said to have indirect state if it contains [Install] section which has only
Also= directive. Thus, if enable of such unit file is requested then some other
unit file gets enabled.
Whether or not unit file is in indirect state can be determined by calling
unit_file_can_install. Function unit_file_get_list populates list of unit files
present in given lookup location. So far it did call unit_file_can_install in a
way that would prevent finding out about unit files in indirect state. Such unit
file would be incorrectly marked as static.
Fixes following assertion in test-install,
Assertion 'p->state == s' failed at src/test/test-install.c:59, function main(). Aborting.
[1] 26868 abort (core dumped) ./test-install
Maybe there is some left-over value stored in r from previous function
call. Let's make sure we always return consistent error code when we reach end of
the function body.
Fixes following crash of test-install,
Assertion 'r == 0' failed at src/test/test-install.c:52, function main(). Aborting.
[1] 11703 abort (core dumped) ./test-install
Currently, SELinux unit access check is not performed if a given unit
file has not been registered in a hash table. This is because function
manager_get_unit() only tries to pick up a Unit object from a Unit
hash table. Instead, we use function manager_load_unit() searching
Unit file pathes for the given Unit file.
The kernel bonding layer allows passing an array of ARP IP targets as
bond-configuration. Due to the weird implementation of arrays in netlink
(which we haven't figure out a generic way to support, yet), we usually
hard-code the supported array-sizes. However, this should not be exported
from sd-netlink.
Instead, make sure the caller just uses it's current hack of enumerating
the types, and the sd-netlink core will have it's own list of supported
array-sizes (to be removed in future extensions, btw!). If either does not
match, we will just return a normal error.
Note that we provide 2 constants for ARP_IP_TARGETS_MAX now. However, both
have very different reasons:
- the constant in netdev-bond.c is used to warn the user that the given
number of targets might not be supported by the kernel (even though the
kernel might increase that number at _any_ time)
- the constant in sd-netlink is solely used due to us missing a proper
array implementation. Once that's supported in the type-system, it can
be removed without notice
Last but not least, this patch turns the log_error() into a log_warning().
Given that the previous condition was off-by-one, anyway, it never hit at
the right time. Thus, it was probably of no real use.
Explicitly export the root type-system to the type-system callers. This
avoids treating NULL as root, which for one really looks backwards (NULL
is usually a leaf, not root), and secondly prevents us from properly
debugging calling into non-nested types.
Also rename the root to "type_system_root". Once we support more than
rtnl, well will have to revisit that, anyway.
Empty type-systems are just fine. Avoid the nasty hack in
union-type-systems that treat empty type-systems as invalid. Instead check
for the actual types-array and make sure it's non-NULL (which is even true
for empty type-systems, due to "empty_types" array).
In sd-netlink-message, we always guarantee that the currently selected
type-system is non-NULL. Otherwise, we would be unable to parse any types
in the current container level. Hence, this assertion must be true:
message->container_type_system[m->n_containers] != NULL
During message_new() we currently do not verify that this assertion is
true. Instead, we blindly access nl_type->type_system and use it (which
might be NULL for basic types and unions). Fix this, by explicitly
checking that the root-level type is nested.
Note that this is *not* a strict requirement of netlink, but it's a strict
requirement for all message types we currently support. Furthermore, all
the callers of message_new() already verify that only supported types are
passed, therefore, this is a pure cosmetic check. However, it might be
needed on the future, so make sure we don't trap into this once we change
the type-system.
The NETLINK_TYPE_META pseudo-type is actually equivalent to an empty
nested type. Drop it and define an empty type-system instead.
This also has the nice side-effect that m->container_type_system[0] is
never NULL (which has really nasty side-effects if you try to read
attributes).
Right now we store the maximum type-ID of a type-system. This prevents us
from creating empty type-systems. Store the "count" instead, which should
be treated as max+1.
Note that type_system_union_protocol_get_type_system() currently has a
nasty hack to treat empty type-systems as invalid. This might need some
modification later on as well.
size_t is usually 64bit and int 32bit on a 64bit machine. This probably
does not matter for netlink message sizes, but nevertheless, avoid
hard-coding it anywhere.
Same as NLType, move NLTypeSystem into netlink-types.c and hide it from
the outside. Provide an accessor function for the 'max' field that is used
to allocate suitable array sizes.
Note that this will probably be removed later on, anyway. Once we support
bigger type-systems, it just seems impractical to allocate such big arrays
for each container entry. An RBTree would probably do just fine.
If we extend NLType to support arrays and further extended types, we
really want to avoid hard-coding the type-layout outside of
netlink-types.c. We already avoid accessing nl_type->type_system outside
of netlink-types.c, extend this to also avoid accessing any other fields.
Provide accessor functions for nl_type->type and nl_type->size and then
move NLType away from the type-system header.
With this in place, follow-up patches can safely turn "type_system" and
"type_system_union" into a real "union { }", and then add another type for
arrays.
Make sure we never access type->type_system or type->type_system_union
directly. This is an implementation detail of the type-system and we
should always use the accessors. Right now, they only exist for 2-level
accesses (type-system to type-system). This patch introduces the 1-level
accessors (type to type-system) and makes use of it.
This patch makes sure the proper assertions are in place, so we never
accidentally access sub-type-systems for non-nested/union types.
Note that this places hard-asserts on the accessors. This should be fine,
as we expect callers to only access sub type-systems if they *know*
they're dealing with nested types.
The NLA_ names are used to name real datatypes we extract out of netlink
messages. The kernel has an internal enum with the same names
(NLA_foobar), which is *NOT* binary compatible to our types. Furthermore,
we support a different set of types than the kernel (as we try to treat
some kernel peculiarities as our own types to simplify the API).
Rename NLA_ to NETLINK_TYPE_ to make clear that this is our own set of
types.
Commit v218-247-g11c6f69 broke the output of the utility. "%1$" PRIu64
"x" expands to "%1$lux", essentially "%lux", which shows the problem.
u and x cannot be combined, u wins as the type character, and x gets
emitted verbatim to stdout.
References: https://bugzilla.redhat.com/show_bug.cgi?id=1227503
Similar to SmackProcessLabel=, if this configuration is set, systemd
executes processes with given SMACK label. If unit has
SmackProcessLabel=, this config is overwritten.
But, do NOT be confused with SMACK64EXEC of execute file. This default
execute process label(and also label which is set by
SmackProcessLabel=) is set fork-ed process SMACK subject label and
used to access the execute file.
If the execution file has also SMACK64EXEC, finally executed process
has SMACK64EXEC subject.
While if the execution file has no SMACK64EXEC, the executed process
has label of this config(or label which is set by
SmackProcessLabel=). Because if execution file has no SMACK64EXEC then
excuted process inherits label from caller process(in this case, the
caller is systemd).
Smack is also able to have modification rules of existing rules. In
this case, the rule has additional argument to modify previous
rule. /sys/fs/smackfs/load2 node can only take three arguments:
subject object access. So if modification rules are written to
/sys/fs/smackfs/load2, EINVAL error is happen. Those modification
rules have to be written to /sys/fs/smackfs/change-rule.
To distinguish access with operation of cipso2, split write_rules()
for each operation. And, in write access rules, parse the rule and if
the rule has four argument then write into
/sys/fs/smackfs/change-rule.
https://lwn.net/Articles/532340/
fwrite() or fputs() are fancy functions to write byte stream such like
regular file. But special files on linux such like proc, sysfs are not
stream of bytes. Those special files on linux have to be written with
specific size.
By this reason, in some of many case, fputs() was failed to write
buffer to smack load2 node.
The write operation for the smack nodes should be performed with
write().
This may be used from multi-threaded programs (say through nss-resolve),
so we must protect the global list.
This is still only relevant for debug builds, so we do not try to handle
cases where the locking fail, but simply assert.
In such a case let's suppress the warning (downgrade to LOG_DEBUG),
under the assumption that the user has no config file to update in its
place, but a symlink that points to something like resolved's
automatically managed resolve.conf file.
While we are at it, also stop complaining if we cannot write /etc/resolv.conf
due to a read-only disk, given that there's little we could do about it.
We allow to specify a callback but then ignore the result. Looks like a trivial typo.
From 7b3fd6313c4b07b6f822a9f979d0c22350a401d9#diff-f010fa21ba7b659b519c122743e55604
Correctly support cases when the EDITOR environment variable and friends
also contain arguments. For example, to run emacs in terminal only, one
can say:
EDITOR="emacs -nw" systemctl edit myservice
When pulling by image digest the identifiers that
were produced by parsing image digest were later
overwritten by code parsing image tag.
This resulted in invalid identifiers being used
when contacting the remote endpoint, resulting in 404.
Reported here:
http://lists.freedesktop.org/archives/systemd-devel/2015-June/033039.html
The test-barrier binary uses real-time alarms and timeouts to test for
races in the thread-barrier implementation. Hence, if your system is under
high load and your scheduler decides to not run test-barrier for
>BASE_TIME, then the tests are likely to fail.
Two options:
1) Increase BASE_TIME. This will make the test take significantly longer
for no real good. Furthermore, it is still not guaranteed that the
task is scheduled.
2) Don't rely on real-time timers, but use explicit synchronization. This
would basically test one barrier implementation with another.. kinda
ironic.. but maybe something worth looking into.
3) Disable test-barrier by default.
This patch chooses option 3) and makes sure test-barrier only runs if you
pass any argument.
Side note:
test-barrier is written in a way that if it fails under load, but
does not on idle systems, then it is very _unlikely_ that the
barrier implementation is the culprit. Hence, it makes little
sense to run it under load, anyway. It will not improve the test
coverage of barrier.c, but rather the coverage of the test itself.
Let's work around crappy clocks in test-journal-interleaving.c too. This
does the same as 98d2a53417 but for
test-journal-interlaving.c rather than test-journal-stream.c.
- Make string parameter const
- Don't log some OOM errors, but not others
- Don't eat up errors generated by acl_from_text()
- Make sure check for success of every single strv_push() call
This ensures that we write strictly monotonic timestamps into the
journal files, to ensure that we can properly interleave everything
correctly.
See #175 for details.
This is consistent with how an empty string works in an ExecStart=
statement. We should not differentiate between an empty string and
whitespace only (since they look the same.)
Update the test case with whitespace only to reflect that the list is
reset.
Tested that `test-unit-file` passes and other test cases are not
affected. Installed the patched systemd binaries on a machine, booted
it, looked for out of the usual behavior but did not find any.
Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop
of unquote_first_word.
Loop through the arguments only once (the FOREACH_WORD_QUOTED
implementation did it twice, once to count them and another time to
process and store them.)
Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve
unrecognized escape sequences such as regexps matches such as "\w",
"\d", etc. (Valid escape sequences such as "\s" or "\b" still need an
extra backslash if literals are desired for regexps.)
Differences in behavior:
- Handle ; (command separator) in special, so that only ; on its own is
valid for that purpose, an quoted semicolon ";" or ';' will now behave
as a literal semicolon. This is probably what was initially intended.
- Handle \; (to introduce a literal semicolon) in special, so that only \;
is turned into a semicolon but not \\; or "\\;" or "\;" which are kept
as a literal \; in the output. This is probably what was initially
intended.
Known issues:
- Using an empty string (for example, ExecStartPre=<empty>) will empty
the list and remove the existing commands, but using whitespace only
(for example, ExecStartPre=<spaces>) will not. This is a pre-existing
issue and will be dealt with in a follow up commit.
Tested:
- Unit tests passing. Also `make distcheck` still works as expected.
- Installed it on a local machine and booted with it, checked console
output, systemctl and journalctl output, did not notice any issues
running the patched systemd binaries.
Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
These tests will be useful to check the cases regarding quoted and
escaped semicolon when we switch to using unquote_first_word.
Additionally, convert some of the tests that have semicolons so that the
argument after the semicolon looks like a path (starts with /) so that
we can see the change of behavior when making config_parse_exec more
strict about what it accepts as a command separator.
It will try to unquot_first_word, but if it runs into escaping problems
it will retry it adding UNQUOTE_CUNESCAPE_RELAX to the flags. If it
succeeds on the second try, it will log a warning about it. If it fails
both times, it will log an error.
Add test cases to confirm it behaves as expected.
The new flag UNQUOTE_UNESCAPE_RELAX preserves unrecognized escape
sequences verbatim in unquote_first_word, either when it's a trailing
backslash (similar to UNQUOTE_RELAX, but in this case keep the extra
backslash in the output) or in the middle of a sequence string.
Add unit test cases to ensure the new flag works as expected and to
prevent regressions from being introduced.
Tested with a follow up commit converting config_parse_exec() to start
using unquote_first_word, in which case this flags makes it possible to
preserve unrecognized escape sequences.
Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794
In kdbus we still have to support org.freedesktop.DBus matches even though
there is no real bus driver. The reason is that bus-control.c turns
NameOwnerChanged matches into proper kdbus matches. If we drop DRIVER
matches early, we will never match on name-changes for kdbus.
Two ways to fix this:
1) Install DRIVER matches on kdbus (which is the simple way our and which
is what this patch does).
2) Properly fix the scope-detection to let NameOwnerChanged matches
through (or better: block anything with Member!=NameOwnerChanged).
Not all watchdog drivers implement WDIOC_SETOPTIONS. Drivers which do
not implement it have their device always enabled. So it's fine to
report an error if WDIOS_DISABLECARD is passed and the ioctl is not
implemented, however failing when WDIOS_ENABLECARD is passed and the
ioctl is not implemented is not good: if the device was already
enabled then WDIOS_ENABLECARD was a no-op and wasn't needed in the
first place. So we can just ignore the error and continue.
Previously, this had a race condition during a user's first login.
Some component calls CreateSession (most likely by a PAM service
other than 'systemd-user' running pam_systemd), with the following
results:
- logind:
* create the user's XDG_RUNTIME_DIR
* tell pid 1 to create user-UID.slice
* tell pid 1 to start user@UID.service
Then these two processes race:
- logind:
* save information including XDG_RUNTIME_DIR to /run/systemd/users/UID
- the subprocess of pid 1 responsible for user@service:
* start a 'systemd-user' PAM session, which reads XDG_RUNTIME_DIR
and puts it in the environment
* run systemd --user, which requires XDG_RUNTIME_DIR in the
environment
If logind wins the race, which usually happens, everything is fine;
but if the subprocesses of pid 1 win the race, which can happen
under load, then systemd --user exits unsuccessfully.
To avoid this race, we have to write out /run/systemd/users/UID
even though the service has not "officially" started yet;
previously this did an early-return without saving anything.
Record its state as OPENING in this case.
Bug: https://github.com/systemd/systemd/issues/232
Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>
./configure --enable/disable-kdbus can be used to set the default
behavior regarding kdbus.
If no kdbus kernel support is available, dbus-dameon will be used.
With --enable-kdbus, the kernel command line option "kdbus=0" can
be used to disable kdbus.
With --disable-kdbus, the kernel command line option "kdbus=1" is
required to enable kdbus support.
It is unused and rightly so. Users of the hashmap API should
not care about the idx values or any other Iterator internals.
_IDX_ITERATOR_FIRST in hashmap.h is an exception. It is needed
for ITERATOR_FIRST.
Previously, we'd just count connected displays, and if there was 2 or
more we assumed a "docked" state.
With this change we now:
- Only count external displays, ignore internal ones (which we detect by
checking the connector name against a whitelist of known external plug
types)
- We ignore connectors which are explicitly disabled
- We then compare the count with >= 1 rather than >= 2 as before
This new logic has the benefit that systems that disconnect the internal
display when the lid is closed are better supported. Also, explicitly
disabled ports do not confuse the algorithm anymore.
This new algorithm has been suggested here:
http://lists.freedesktop.org/archives/intel-gfx/2015-June/068821.html
This also makes two functions static, that are not used outside of their
.c files.
Commit 72c0a2c25 ("everywhere: port everything to sigprocmask_many()
and friends") reworked code tree-wide to use the new sigprocmask_many()
helper. In this, it caused a regression in pam_setup, because it
dropped a line to initialize the 'ss' signal mask which is later used
in sigwait().
While at it, move the variable declaration to an inner scope.
XDG refers to X Desktop Group, a former name for freedesktop.org.
This group is responsible for specifications like basedirs,
.desktop files and icon naming, but as far as I know, it has never
tried to redefine basename().
I think these references were meant to say XPG (X/Open Portability
Guide), a precursor of POSIX. POSIX is better-known and less easily
confused with XDG, and is how the basename(3) man page describes
the libgen.h version of basename().
The other version of basename() is glibc-specific and is described
in basename(3) as "the GNU version"; specifically mention that
version, to disambiguate.
Matches that can only match against messages from the
org.freedesktop.DBus.Local service (or the local interfaces or path)
should never be installed server side, suppress them hence.
Similar, on kdbus matches that can only match driver messages shouldn't
be passed to the kernel.
If we call EPOLL_CTL_DEL, we *REALLY* expect the file-descriptor to be
present in that given epoll-set. We actually track such state via our
s->io.registered flag, so it better be true.
Make sure if that's not true, we treat it similar to assert_return() (ie.,
print a loud warning).
Make sure we never close fds before we drop their related event-source.
This will cause horrible disruptions if the fd-num is re-used by someone
else. Under normal conditions, this should not cause any problems as the
close() will drop the fd from the epoll-set automatically. However, this
changes if you have any child processes with a copy of that fd.
This fixes issue #163.
Background:
If you create an epoll-set via epoll_create() (lets call it 'EFD')
you can add file-descriptors to it to watch for events. Whenever
you call EPOLL_CTL_ADD on a file-descriptor you want to watch, the
kernel looks up the attached "struct file" pointer, that this FD
refers to. This combination of the FD-number and the "struct file"
pointer is used as key to link it into the epoll-set (EFD).
This means, if you duplicate your file-descriptor, you can watch
this file-descriptor, too (because the duplicate will have a
different FD-number, hence, the combination of FD-number and
"struct file" is different as before).
If you want to stop watching an FD, you use EPOLL_CTL_DEL and pass
the FD to the kernel. The kernel again looks up your
file-descriptor in your FD-table to find the linked "struct file".
This FD-number and "struct file" combination is then dropped from
the epoll-set (EFD).
Last, but not least: If you close a file-descriptor that is linked
to an epoll-set, the kernel does *NOTHING* regarding the
epoll-set. This is a vital observation! Because this means, your
epoll_wait() calls will still return the metadata you used to
watch/subscribe your file-descriptor to events.
There is one exception to this rule: If the file-descriptor that
you just close()ed was the last FD that referred to the underlying
"struct file", then _all_ epoll-set watches/subscriptions are
destroyed. Hence, if you never dup()ed your FD, then a simple
close() will also unsubscribe it from any epoll-set.
With this in mind, lets look at fork():
Assume you have an epoll-set (EFD) and a bunch of FDs
subscribed to events on that EFD. If you now call fork(),
the new process gets a copy of your file-descriptor table.
This means, the whole table is copied and the "struct
file" reference of each FD is increased by 1. It is
important to notice that the FD-numbers in the child are
exactly the same as in the parent (eg., FD #5 in the child
refers to the same "struct file" as FD #5 in the parent).
This means, if the child calls EPOLL_CTL_DEL on an FD, the
kernel will look up the linked "struct file" and drop the
FD-number and "struct file" combination from the epoll-set
(EFD). However, this will effectively drop the
subscription that was installed by the parent.
To sum up: even though the child gets a duplicate of the
EFD and all FDs, the subscriptions in the EFD are *NOT*
duplicated!
Now, with this in mind, lets look at what udevd does:
Udevd has a bunch of file-descriptors that it watches in its
sd-event main-loop. Whenever a uevent is received, the event is
dispatched on its workers. If no suitable worker is present, a new
worker is fork()ed to handle the event. Inside of this worker, we
try to free all resources we inherited. However, the fork() call
is done from a call-stack that is never rewinded. Therefore, this
call stack might own references that it drops once it is left.
Those references we cannot deduce from the fork()'ed process;
effectively causing us to leak objects in the worker (eg., the
call to sd_event_dispatch() that dispatched our uevent owns a
reference to the sd_event object it used; and drops it again once
the function is left).
(Another example is udev_monitor_ref() for each 'worker' that is
also inherited by all children; thus keeping the udev-monitor and
the uevent-fd alive in all children (which is the real cause for
bug #163))
(The extreme variant is sd_event_source_unref(), which explicitly
keeps event-sources alive, if they're currently dispatched,
knowing that the dispatcher will free the event once done. But
if the dispatcher is in the parent, the child will never ever
free that object, thus leaking it)
This is usually not an issue. However, if such an object has a
file-descriptor embedded, this FD is left open and never closed in
the child.
In manager_exit(), if we now destroy an object (i.e., close its embedded
file-descriptor) before we destroy its related sd_event_source, then
sd-event will not be able to drop the FD from the epoll-set (EFD). This
is, because the FD is no longer valid at the time we call EPOLL_CTL_DEL.
Hence, the kernel cannot figure out the linked "struct file" and thus
cannot remove the FD-number plus "struct file" combination; effectively
leaving the subscription in the epoll-set.
Since we leak the uevent-fd in the children, they retain a copy of the FD
pointing to the same "struct file". Thus, the EFD-subscription are not
automatically removed by close() (as described above). Therefore, the main
daemon will still get its metadata back on epoll_watch() whenever an event
occurs (even though it already freed the metadata). This then causes the
free-after-use bug described in #163.
This patch fixes the order in which we destruct objects and related
sd-event-sources. Some open questions remain:
* Why does source_io_unregister() not warn on EPOLL_CTL_DEL failures?
This really needs to be turned into an assert_return().
* udevd really should not leak file-descriptors into its children. Fixing
this would *not* have prevented this bug, though (since the child-setup
is still async).
It's non-trivial to fix this, though. The stack-context of the caller
cannot be rewinded, so we cannot figure out temporary refs. Maybe it's
time to exec() the udev-workers?
* Why does the kernel not copy FD-subscriptions across fork()?
Or at least drop subscriptions if you close() your FD (it uses the
FD-number as key, so it better subscribe to it)?
Or it better used
FD+"struct file_table*"+"struct file*"
as key to not allow the childen to share the subscription table..
*sigh*
Seems like we have to live with that API forever.
If the kernel do not support user namespace then one of the children
created by nspawn parent will fail at clone(CLONE_NEWUSER) with the
generic error EINVAL and without logging the error. At the same time
the parent may also try to setup the user namespace and will fail with
another error.
To improve this, check if the kernel supports user namespace as early
as possible.
This fixes:
Jun 16 16:00:20 tomegun-x2402 systemd-tmpfiles[233]: rm_rf(/var/lib/machines/.#fedora.lck): Not a directory
Jun 16 16:00:20 tomegun-x2402 systemd-tmpfiles[233]: rm_rf(/var/lib/machines/.#Fedora-Cloud-Base-20141203-21.x86_64.raw.lck): Not a directory
This ports a lot of manual code over to sigprocmask_many() and friends.
Also, we now consistly check for sigprocmask() failures with
assert_se(), since the call cannot realistically fail unless there's a
programming error.
Also encloses a few sd_event_add_signal() calls with (void) when we
ignore the return values for it knowingly.
Remove old temporary snapshots, but only at boot. Ideally we'd have
"self-destroying" btrfs snapshots that go away if the last last
reference to it does. To mimic a scheme like this at least remove the
old snapshots on fresh boots, where we know they cannot be referenced
anymore. Note that we actually remove all temporary files in
/var/lib/machines/ at boot, which should be safe since the directory has
defined semantics. In the root directory (where systemd-nspawn
--ephemeral places snapshots) we are more strict, to avoid removing
unrelated temporary files.
This also splits out nspawn/container related tmpfiles bits into a new
tmpfiles snippet to systemd-nspawn.conf
This adds a "char *extra" parameter to tempfn_xxxxxx(), tempfn_random(),
tempfn_ranomd_child(). If non-NULL this string is included in the middle
of the newly created file name. This is useful for being able to
distuingish the kind of temporary file when we see one.
This also adds tests for the three call.
For now, we don't make use of this at all, but port all users over.
We already had a safety check in place that we don't end up descending
to the original subvolume again, but we also should avoid descending in
the newly created one.
This is particularly important if we make a snapshot below its source,
like we do in "systemd-nspawn --ephemeral -D /".
Closes https://bugs.freedesktop.org/show_bug.cgi?id=90803
seccomp_load returns -EINVAL when seccomp support is not enabled in the
kernel [1]. This should be a debug log, not an error that interrupts nspawn.
If the seccomp filter can't be set and audit is enabled, the user will
get an error message anyway.
[1]: http://man7.org/linux/man-pages/man2/prctl.2.html
Fix CID 1304686: Dereference after null check (FORWARD_NULL)
However, this commit does not fix any bug in logind. It helps to keep
the elect_display_compare() function generic.
Currently, the HASHMAP iterators stop at the first NULL entry in a
hashmap. This is non-obvious and breaks users like sd-device, which
legitimately store NULL values in a hashmap.
Fix all the iterators by taking a pointer to the value storage, instead of
returning it. The iterators now return a boolean that tells whether the
end of the list was reached.
Current users of HASHMAP_FOREACH() are *NOT* changed to explicitly check
for NULL. If it turns out, there were users that inserted NULL into
hashmaps, but didn't properly check for it during iteration, then we
really want to find those and fix them.
If you use bus_map_all_properties(), you must be aware that it might
touch output variables even though it may fail. This is, because we parse
many different bus-properties and cannot tell how to clean them up, in
case we fail deep down in the parser.
Fix all callers of bus_map_all_properties() to correctly cleanup any
context structures at all times.
Rename sd_rtnl to sd_netlink to prepare for further netlink-protocol support. Anything rtnl specific still uses the sd_rtnl prefix, but the generic parts (including the bus and message objects) are now called sd_netlink.
The result of unit_get_sibling_mask returns bits for the sibling cgroups
even if they are not supported in the local system.
I caught this on a machine where my kernel was misconfigured with
CONFIG_MEMCG unset, but the rest of the cgroup infrastructure enabled.
Tested with `make check` on a host running a kernel where CONFIG_MEMCG
is not set.
In 5a8bcb674f, IPForwarding was introduced
to set forwarding flags on interfaces in .network files. networkd sets
forwarding options regardless of the previous setting, even if it was
set by e.g. sysctl. This commit creates a new option for IPForwarding,
"kernel", that preserves the sysctl settings rather than always setting
them.
See https://bugs.freedesktop.org/show_bug.cgi?id=89509 for the initial
bug report.
