1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-01 00:51:24 +03:00
Commit Graph

30604 Commits

Author SHA1 Message Date
Lennart Poettering
e65270ad12 Merge pull request #6992 from keszybz/fix-test-copy
test-copy: fix operation when test-copy is too small
2017-10-04 20:00:14 +02:00
Zbigniew Jędrzejewski-Szmek
57056020c5 hwdb: switch meson to use ids_parser.py (#6964)
Also drop the now-unused perl implementation (that doesn't do sorting),
so it's incompatible anyway.
2017-10-04 19:32:59 +02:00
Zbigniew Jędrzejewski-Szmek
5991ce44dc udevadm,basic: replace nulstr_contains with STR_IN_SET (#6965)
STR_IN_SET is a newer approach which is easier to write and read, and which
seems to result in space savings too:

before:
4949848 build/src/shared/libsystemd-shared-234.so
 350704 build/systemctl
4967184 build/systemd
 826216 build/udevadm

after:
4949848 build/src/shared/libsystemd-shared-234.so
 350704 build/systemctl
4966888 build/systemd
 826168 build/udevadm
2017-10-04 19:32:12 +02:00
Yu Watanabe
689ca202e7 nss-systemd: if cannot open bus, then try to read user info directly (#6971)
If sd_bus_open_system() fail, then try to read information about
dynamic users from /run/systemd/dynamic-uid.
This makes services can successfully call getpwuid() or their friends
even if dbus.service is not started yet.

Fixes #6967.
2017-10-04 19:29:36 +02:00
Lennart Poettering
4aa1d31c89 Merge pull request #6974 from keszybz/clean-up-defines
Clean up define definitions
2017-10-04 19:25:30 +02:00
Lennart Poettering
5ad90fe376 Merge pull request #6985 from yuwata/empty
load-fragment: do not create empty array
2017-10-04 17:54:35 +02:00
Alan Jenkins
6f876815c6 logind: use pid_is_valid() where appropriate
These two sites _do_ match the definition of pid_is_valid(); they don't
provide any special handling for the invalid PID value 0.  (They're used
by dbus methods, so the PID value 0 is handled with reference to the dbus
client creds, outside of these functions).
2017-10-04 15:40:20 +01:00
Alan Jenkins
72b3f82e17 systemctl: use pid_is_valid() where appropriate
This was the one valid site in commit
ee043777be.

The second part of this hunk, avoiding using `%m`
when we didn't actually have `errno` set, seems
like a nice enough cleanup to be worthwhile on
it's own.

Also use PID_FMT to improve the error message we print
(pid_t is signed).
2017-10-04 15:40:11 +01:00
Yu Watanabe
4c70109600 tree-wide: use IN_SET macro (#6977) 2017-10-04 16:01:32 +02:00
Zbigniew Jędrzejewski-Szmek
98d9319960 test-sizeof: add pid_t and gid_t
C.f. #6975.
2017-10-04 15:22:07 +02:00
Zbigniew Jędrzejewski-Szmek
6fbdf424b4 test-copy: fix operation when test-copy is too small
Fixes #6981.
2017-10-04 15:17:09 +02:00
Djalal Harouni
6d0aa4db7b Merge pull request #6986 from OpenDZ/tixxdz/seccomp-more-default-syscalls-v1
seccomp: add sched_yield syscall to the @default syscall set
2017-10-04 15:01:21 +02:00
Yu Watanabe
6b5bb2f9d0 man: fix that the same option is listed twice (#6991) 2017-10-04 14:43:00 +02:00
Lennart Poettering
0a9b166b43 units: prohibit all IP traffic on all our long-running services (#6921)
Let's lock things down further.
2017-10-04 14:16:28 +02:00
Zbigniew Jędrzejewski-Szmek
a9149d876b meson: generate ENABLE_* names automatically
After previous changes, the naming of configuration options and internal
defines is consistent.
2017-10-04 12:09:51 +02:00
Zbigniew Jędrzejewski-Szmek
1ec57f3394 build-sys: s/ENABLE_RESOLVED/ENABLE_RESOLVE/
The configuration option was called -Dresolve, but the internal define
was …RESOLVED. This options governs more than just resolved itself, so
let's settle on the version without "d".
2017-10-04 12:09:51 +02:00
Zbigniew Jędrzejewski-Szmek
08cf5b8dc3 build-sys: s/HAVE_MYHOSTNAME/ENABLE_MYHOSTNAME/
Same justification as for HAVE_UTMP. HAVE_MYHOSTNAME was used before mysthostname
was merged into systemd.
2017-10-04 12:09:51 +02:00
Zbigniew Jędrzejewski-Szmek
f9fa32f09c build-sys: s/HAVE_SMACK/ENABLE_SMACK/
Same justification as for HAVE_UTMP.
2017-10-04 12:09:50 +02:00
Zbigniew Jędrzejewski-Szmek
392fd235fd build-sys: s/HAVE_IMA/ENABLE_IMA/
Same justification as for HAVE_UTMP.
2017-10-04 12:09:50 +02:00
Zbigniew Jędrzejewski-Szmek
3211da4bcb build-sys: s/HAVE_UTMP/ENABLE_UTMP/
"Have" should be about the external environment and dependencies. Anything
which is a pure yes/no choice should be "enable".
2017-10-04 12:09:50 +02:00
Zbigniew Jędrzejewski-Szmek
70160ce891 build-sys: require all defines under #if to be present
This should help to catch any errors with typos and HAVE/ENABLE mismatches.
2017-10-04 12:09:50 +02:00
Zbigniew Jędrzejewski-Szmek
8e3e2f5f22 test-nss: fix names of two defines
That's another bug fixed (sys/auxv.h was the first).
2017-10-04 12:09:50 +02:00
Zbigniew Jędrzejewski-Szmek
349cc4a507 build-sys: use #if Y instead of #ifdef Y everywhere
The advantage is that is the name is mispellt, cpp will warn us.

$ git grep -Ee "conf.set\('(HAVE|ENABLE)_" -l|xargs sed -r -i "s/conf.set\('(HAVE|ENABLE)_/conf.set10('\1_/"
$ git grep -Ee '#ifn?def (HAVE|ENABLE)' -l|xargs sed -r -i 's/#ifdef (HAVE|ENABLE)/#if \1/; s/#ifndef (HAVE|ENABLE)/#if ! \1/;'
$ git grep -Ee 'if.*defined\(HAVE' -l|xargs sed -i -r 's/defined\((HAVE_[A-Z0-9_]*)\)/\1/g'
$ git grep -Ee 'if.*defined\(ENABLE' -l|xargs sed -i -r 's/defined\((ENABLE_[A-Z0-9_]*)\)/\1/g'
+ manual changes to meson.build

squash! build-sys: use #if Y instead of #ifdef Y everywhere

v2:
- fix incorrect setting of HAVE_LIBIDN2
2017-10-04 12:09:29 +02:00
Djalal Harouni
8f44de08e9 seccomp: add sched_yield syscall to the @default syscall set 2017-10-04 10:41:42 +01:00
Zbigniew Jędrzejewski-Szmek
ac6e8be66e core: use strv_isempty to check if supplementary_groups is empty
With the previous commit, we know that it will be NULL if empty, but
it's safe to always use strv_isempty() in case the code changes
in the future.
2017-10-04 11:33:30 +02:00
Yu Watanabe
9f2d41a65f load-fragment: do not create empty array
Originally added in 4589f5bb0a.
C.f. 8249bb728d and #6746.
2017-10-04 11:23:42 +02:00
Yu Watanabe
07883f198d man: empty string resets the list of NTP servers (#6984) 2017-10-04 11:09:32 +02:00
Alan Jenkins
07b38ba51e Revert "tree-wide: use pid_is_valid() at more places"
This reverts commit ee043777be.

It broke almost everywhere it touched.  The places that
handn't been converted, were mostly followed by special
handling for the invalid PID `0`.  That explains why they
tested for `pid < 0` instead of `pid <= 0`.

I think that one was the first commit I reviewed, heh.
2017-10-03 12:43:24 +01:00
Zbigniew Jędrzejewski-Szmek
af8786b16a meson: check for sys/auxv.h
This check was present in configure.ac, but was never added under meson.
The code under HAVE_SYS_AUX_H has been dead ever since :(.
2017-10-03 13:19:51 +02:00
Zbigniew Jędrzejewski-Szmek
4b9545f19e build-sys: change all HAVE_DECL_ macros to HAVE_
This is a legacy of autotools, where one detection routine used a different
prefix then the others.

$ git grep -e HAVE_DECL_ -l|xargs sed -i s/HAVE_DECL_/HAVE_/g
2017-10-03 10:32:34 +02:00
Zbigniew Jędrzejewski-Szmek
8bdaf088ca Merge pull request #6946 from poettering/synthesize-dns
Some DNS RR synthesizing fixes
2017-10-03 10:26:53 +02:00
Djalal Harouni
09d3020b0a seccomp: remove '@credentials' syscall set (#6958)
This removes the '@credentials' syscall set that was added in commit
v234-468-gcd0ddf6f75.

Most of these syscalls are so simple that we do not want to filter them.
They work on the current calling process, doing only read operations,
they do not have a deep kernel path.

The problem may only be in 'capget' syscall since it can query arbitrary
processes, and used to discover processes, however sending signal 0 to
arbitrary processes can be used to discover if a process exists or not.
It is unfortunate that Linux allows to query processes of different
users. Lets put it now in '@process' syscall set, and later we may add
it to a new '@basic-process' set that allows most basic process
operations.
2017-10-03 07:20:05 +02:00
Yu Watanabe
8502cadd4c Merge pull request #6940 from poettering/magic-dirs
make sure StateDirectory= and friends play nicely with DynamicUser= and RootImage=/RootDirectory=
2017-10-03 13:28:48 +09:00
Zbigniew Jędrzejewski-Szmek
ebfa2c158e Merge pull request #6943 from poettering/dissect-ro
Automatically recognize that "squashfs" and "iso9660" area always read-only
2017-10-02 20:39:08 +02:00
Lennart Poettering
195c2c7fac update TODO 2017-10-02 17:41:44 +02:00
Lennart Poettering
c621849539 core: fix special directories for user services
The system paths were listed where the user paths should have been
listed. Correct that.
2017-10-02 17:41:44 +02:00
Lennart Poettering
2a5beb669f path-util: some updates to path_make_relative()
Don't miscount number of "../" to generate, if we "." is included in an
input path.

Also, refuse if we encounter "../" since we can't possibly follow that
up properly, without file system access.

Some other modernizations.
2017-10-02 17:41:44 +02:00
Lennart Poettering
091e9efed3 core: fix StateDirectory= (and friends) safety checks when decoding transient unit properties
Let's make sure relative directories such as "foo/bar" are accepted, by
using the same validation checks as in unit file parsing.
2017-10-02 17:41:44 +02:00
Lennart Poettering
8adb3d63e6 test: add test for DynamicUser= + StateDirectory=
Also, tests for DynamicUser= should really run for system mode, as we
allocate from a system resource.

(This also increases the test timeout to 2min. If one of our tests
really hangs then waiting for 2min longer doesn't hurt either. The old
2s is really short, given that we run in potentially slow VM
environments for this test. This becomes noticable when the slow "find"
command this adds is triggered)
2017-10-02 17:41:44 +02:00
Lennart Poettering
e53c42ca0a core: pass the correct error to the caller 2017-10-02 17:41:44 +02:00
Lennart Poettering
da50b85af7 core: when looking for a UID to use for a dynamic UID start with the current owner of the StateDirectory= and friends
Let's optimize dynamic UID allocation a bit: if a StateDirectory= (or
suchlike) is configured, we start our allocation loop from that UID and
use it if it currently isn't used otherwise. This is beneficial as it
saves us from having to expensively recursively chown() these
directories in the typical case (which StateDirectory= does when it
notices that the owner of the directory doesn't match the UID picked).

With this in place we now have the a three-phase logic for allocating a
dynamic UID:

a) first, we try to use the owning UID of StateDirectory=,
   CacheDirectory=, LogDirectory= if that exists and is currently
   otherwise unused.

b) if that didn't work out, we hash the UID from the service name

c) if that didn't yield an unused UID either, randomly pick new ones
   until we find a free one.
2017-10-02 17:41:44 +02:00
Lennart Poettering
4a62836033 man: document the new logic 2017-10-02 17:41:44 +02:00
Lennart Poettering
6c47cd7d3b execute: make StateDirectory= and friends compatible with DynamicUser=1 and RootDirectory=/RootImage=
Let's clean up the interaction of StateDirectory= (and friends) to
DynamicUser=1: instead of creating these directories directly below
/var/lib, place them in /var/lib/private instead if DynamicUser=1 is
set, making that directory 0700 and owned by root:root. This way, if a
dynamic UID is later reused, access to the old run's state directory is
prohibited for that user. Then, use file system namespacing inside the
service to make /var/lib/private a readable tmpfs, hiding all state
directories that are not listed in StateDirectory=, and making access to
the actual state directory possible. Mount all directories listed in
StateDirectory= to the same places inside the service (which means
they'll now be mounted into the tmpfs instance). Finally, add a symlink
from the state directory name in /var/lib/ to the one in
/var/lib/private, so that both the host and the service can access the
path under the same location.

Here's an example: let's say a service runs with StateDirectory=foo.
When DynamicUser=0 is set, it will get the following setup, and no
difference between what the unit and what the host sees:

        /var/lib/foo (created as directory)

Now, if DynamicUser=1 is set, we'll instead get this on the host:

        /var/lib/private (created as directory with mode 0700, root:root)
        /var/lib/private/foo (created as directory)
        /var/lib/foo → private/foo (created as symlink)

And from inside the unit:

        /var/lib/private (a tmpfs mount with mode 0755, root:root)
        /var/lib/private/foo (bind mounted from the host)
        /var/lib/foo → private/foo (the same symlink as above)

This takes inspiration from how container trees are protected below
/var/lib/machines: they generally reuse UIDs/GIDs of the host, but
because /var/lib/machines itself is set to 0700 host users cannot access
files in the container tree even if the UIDs/GIDs are reused. However,
for this commit we add one further trick: inside and outside of the unit
/var/lib/private is a different thing: outside it is a plain,
inaccessible directory, and inside it is a world-readable tmpfs mount
with only the whitelisted subdirs below it, bind mounte din.  This
means, from the outside the dir acts as an access barrier, but from the
inside it does not. And the symlink created in /var/lib/foo itself
points across the barrier in both cases, so that root and the unit's
user always have access to these dirs without knowing the details of
this mounting magic.

This logic resolves a major shortcoming of DynamicUser=1 units:
previously they couldn't safely store persistant data. With this change
they can have their own private state, log and data directories, which
they can write to, but which are protected from UID recycling.

With this change, if RootDirectory= or RootImage= are used it is ensured
that the specified state/log/cache directories are always mounted in
from the host. This change of semantics I think is much preferable since
this means the root directory/image logic can be used easily for
read-only resource bundling (as all writable data resides outside of the
image). Note that this is a change of behaviour, but given that we
haven't released any systemd version with StateDirectory= and friends
implemented this should be a safe change to make (in particular as
previously it wasn't clear what would actually happen when used in
combination). Moreover, by making this change we can later add a "+"
modifier to these setings too working similar to the same modifier in
ReadOnlyPaths= and friends, making specified paths relative to the
container itself.
2017-10-02 17:41:44 +02:00
Lennart Poettering
a227a4be48 namespace: if we can create the destination of bind and PrivateTmp= mounts
When putting together the namespace, always create the file or directory
we are supposed to bind mount on, the same way we do it for most other
stuff, for example mount units or systemd-nspawn's --bind= option.

This has the big benefit that we can use namespace bind mounts on dirs
in /tmp or /var/tmp even in conjunction with PrivateTmp=.
2017-10-02 17:41:43 +02:00
Lennart Poettering
e908468b5b namespace: properly handle bind mounts from the host
Before this patch we had an ordering problem: if we have no namespacing
enabled except for two bind mounts that intend to swap /a and /b via
bind mounts, then we'd execute the bind mount binding /b to /a, followed
by thebind mount from /a to /b, thus having the effect that /b is now
visible in both /a and /b, which was not intended.

With this change, as soon as any bind mount is configured we'll put
together the service mount namespace in a temporary directory instead of
operating directly in the root. This solves the problem in a
straightforward fashion: the source of bind mounts will always refer to
the host, and thus be unaffected from the bind mounts we already
created.
2017-10-02 17:41:43 +02:00
Lennart Poettering
645767d6b5 namespace: create /dev, /proc, /sys when needed
We already create /dev implicitly if PrivateTmp=yes is on, if it is
missing. Do so too for the other two API VFS, as well as for /dev if
PrivateTmp=yes is off but MountAPIVFS=yes is on (i.e. when /dev is bind
mounted from the host).
2017-10-02 17:41:43 +02:00
Lennart Poettering
72fd17682d core: usually our enum's _INVALID and _MAX special values are named after the full type
In most cases we followed the rule that the special _INVALID and _MAX
values we use in our enums use the full type name as prefix (in contrast
to regular values that we often make shorter), do so for
ExecDirectoryType as well.

No functional changes, just a little bit of renaming to make this code
more like the rest.
2017-10-02 17:41:43 +02:00
Lennart Poettering
a1164ae380 core: chown() StateDirectory= and friends recursively when starting a service
This is particularly useful when used in conjunction with DynamicUser=1,
where the UID might change for every invocation, but is useful in other
cases too, for example, when these directories are shared between
systems where the UID assignments differ slightly.
2017-10-02 17:41:43 +02:00
Lennart Poettering
64fbdc0f91 nspawn: properly report all kinds of changed UID/GID when patching things for userns
We forgot to propagate one chmod().
2017-10-02 17:41:43 +02:00
Lennart Poettering
fd68e0f58c Merge pull request #6960 from keszybz/hwdb-update
Hwdb update and sorting
2017-10-02 17:12:58 +02:00