1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-08 11:27:32 +03:00
Commit Graph

18945 Commits

Author SHA1 Message Date
Lennart Poettering
66518acd40 journald: allow zero length datagrams again
This undoes a small part of 13790add4b
which was erroneously added, given that zero length datagrams are OK,
and hence zero length reads on a SOCK_DGRAM be no means mean EOF.
2015-01-13 20:17:06 +01:00
Lennart Poettering
0dfaa00607 nspawn: add "-n" shortcut for "--network-veth"
Now that networkd's IP masquerading support means that running
containers with "--network-veth" will provide network access out of the
box for the container, let's add a shortcut "-n" for it, to make it
easily accessible.
2015-01-13 20:17:06 +01:00
Jan Engelhardt
bd763d350c doc: add cross-references between systemd.{link, netdev, network} 2015-01-13 18:27:33 +01:00
Tom Gundersen
2f6379a9ac doc: network - add comment about default prefix size
Should hopefully make it clear that this is not some magic value, just the default we picked.

Suggested by Jan Engelhardt.
2015-01-13 18:23:59 +01:00
Daniel Mack
07bde8c0ff fw-util: fix errno typo for !HAVE_LIBIPTC 2015-01-13 15:50:36 +01:00
Patrik Flykt
ec767e6836 TODO: DHCPv6 Information Request has been implemented 2015-01-13 15:09:09 +02:00
Lennart Poettering
c14db9b32a update TODO 2015-01-13 13:55:15 +01:00
Lennart Poettering
b4d8ef7c99 machined: refuse certain operation on non-container machines, since they cannot work elsewhere 2015-01-13 13:55:15 +01:00
Lennart Poettering
6da023a048 import: make sure we don't mangle file ownerships with the local passwd database when untarring 2015-01-13 13:55:15 +01:00
Lennart Poettering
6d0b55c272 nspawn: add new option "--port=" for exposing container ports on the local host
This exposes an IP port on the container as local port using DNAT.
2015-01-13 13:55:15 +01:00
Lennart Poettering
5a8bcb674f networkd: add minimal IP forwarding and masquerading support to .network files
This adds two new settings to networkd's .network files:
IPForwarding=yes and IPMasquerade=yes. The former controls the
"forwarding" sysctl setting of the interface, thus controlling whether
IP forwarding shall be enabled on the specific interface. The latter
controls whether a firewall rule shall be installed that exposes traffic
coming from the interface as coming from the local host to all other
interfaces.

This also enables both options by default for container network
interfaces, thus making "systemd-nspawn --network-veth" have network
connectivity out of the box.
2015-01-13 13:55:15 +01:00
Lennart Poettering
76917807eb shared: add minimal firewall manipulation helpers for establishing NAT rules, using libiptc 2015-01-13 13:55:15 +01:00
Martin Pitt
6cb7fa17b3 core: Fix EACCES check for OOM adjustments
Commit 3bd5c3 added a check for EACCES, but missed the minus sign.
2015-01-13 07:06:31 +01:00
Zbigniew Jędrzejewski-Szmek
038cf33420 Remove some fixed items from TODO 2015-01-12 19:15:02 -05:00
Ronny Chevalier
ee14023fd5 zsh-completion: add missing completions for systemd-tmpfiles 2015-01-12 22:19:34 +01:00
Ronny Chevalier
a80cea6861 zsh-completion: add missing completions for systemd-run 2015-01-12 22:13:33 +01:00
Ronny Chevalier
26bd71f06c zsh-completion: add missing completions for systemd-analyze 2015-01-12 22:13:18 +01:00
Ronny Chevalier
c285cb5c55 zsh-completion: add missing -M completion for timedatectl 2015-01-12 21:31:45 +01:00
Ronny Chevalier
720e0be0f0 zsh-completion: add missing completions for coredumpctl 2015-01-12 21:26:27 +01:00
David Herrmann
40d6f6a35e TODO: update 2015-01-12 18:25:11 +01:00
Tom Gundersen
9a4b012e43 udev: link_config - modernize a bit and fix leakes
Not all of the link_config struct was getting freed.
2015-01-12 18:19:16 +01:00
Tom Gundersen
9c39eb5c88 network-intenal: user _cleanup_ macro in parse_ifname 2015-01-12 18:19:16 +01:00
Zbigniew Jędrzejewski-Szmek
76c37ab6d2 core/mount: remove "fail" again
deb6120920 'man: there's actually no "fail" fstab option, but only
"nofail" removed it from our documentation, which I missed.
fstab(5) only mentions "auto", "noauto", and "nofail". Stick to
those three.
2015-01-12 12:16:38 -05:00
Daniel Mack
a9c8343e83 sd-bus: sync kdbus.h (API break)
Just a simple variable rename, and a dropped flag that sd-bus didn't make
use of.
2015-01-12 18:15:45 +01:00
Daniel Mack
0c47569ac9 core/mount: use isempty() to check for empty strings
strempty() will return an empty string in case the input parameter is
a NULL pointer. The correct test to check for an empty string is
isempty(), so use that instead.

This fixes a regression from commit 17a1c59 ("core/mount: filter out
noauto,auto,nofail,fail options").
2015-01-12 14:01:45 +01:00
Carlos Garnacho
b9e616cc22 udev: Add builtin/rule to export evdev information as udev properties
This rule is only run on tablet/touchscreen devices, and extracts their size
in millimeters, as it can be found out through their struct input_absinfo.

The first usecase is exporting device size from tablets/touchscreens. This
may be useful to separate policy and application at the time of mapping
these devices to the available outputs in windowing environments that don't
offer that information as readily (eg. Wayland). This way the compositor can
stay deterministic, and the mix-and-match heuristics are performed outside.

Conceivably, size/resolution information can be changed through EVIOCSABS
anywhere else, but we're only interested in values prior to any calibration,
this rule is thus only run on "add", and no tracking of changes is performed.
This should only remain a problem if calibration were automatically applied
by an earlier udev rule (read: don't).

  v2: Folded rationale into commit log, made a builtin, set properties
      on device nodes themselves
  v3: Use inline function instead of macro for mm. size calculation,
      use DECIMAL_STR_MAX, other code style issues
  v4: Made rule more selective
  v5: Minor style issues, renamed to a more generic builtin, refined
      rule further.
2015-01-11 23:41:42 -05:00
Rafael Ferreira
b3e486b819 catalog: add pt_BR translation
https://bugs.freedesktop.org/show_bug.cgi?id=88271
2015-01-11 23:41:42 -05:00
Rafael Ferreira
5701fbbbcf po: add Brazilian Portuguese translation
https://bugs.freedesktop.org/show_bug.cgi?id=88271
2015-01-11 23:41:42 -05:00
Zbigniew Jędrzejewski-Szmek
a75f4e2a02 fstab-util: fix priority parsing and add test 2015-01-11 23:41:42 -05:00
Zbigniew Jędrzejewski-Szmek
7f76961982 shared/util: respect buffer boundary on incomplete escape sequences
cunescape_length_with_prefix() is called with the length as an
argument, so it cannot rely on the buffer being NUL terminated.
Move the length check before accessing the memory.

When an incomplete escape sequence was given at the end of the
buffer, c_l_w_p() would read past the end of the buffer. Fix this
and add a test.
2015-01-11 23:41:42 -05:00
Zbigniew Jędrzejewski-Szmek
e01ff42899 core/load-fragment: avoid allocating 0 bytes when given an invalid command
With a command line like "@/something" we would allocate an array with
0 elements. Avoid that, and add a test too.
2015-01-11 23:41:42 -05:00
Zbigniew Jędrzejewski-Szmek
4d8629de8b test-unit-file: don't access out-of-bounds memory
Fixes an error introduced by me when the test was added.
2015-01-11 23:41:42 -05:00
Zbigniew Jędrzejewski-Szmek
17a1c597c5 core/mount: filter out noauto,auto,nofail,fail options
We passed the full option string from fstab to /bin/mount. It would in
turn pass the full option string to its helper, if it needed to invoke
one. Some helpers would ignore things like "nofail", but others would
be confused. We could try to get all helpers to ignore those
"meta-options", but it seems better to simply filter them out.

In our model, /bin/mount simply has no business in knowing whether the
mount was configured as fail or nofail, auto or noauto, in the
fstab. If systemd tells invokes a command to mount something, and it
fails, it should always return an error. It seems cleaner to filter
out the option, since then there's no doubt how the command should
behave.

https://bugzilla.redhat.com/show_bug.cgi?id=1177823
2015-01-11 23:41:42 -05:00
Zbigniew Jędrzejewski-Szmek
b9f111b93f Support negated fstab options
We would ignore options like "fail" and "auto", and for any option
which takes a value the first assignment would win. Repeated and
options equivalent to the default are rarely used, but they have been
documented forever, and people might use them. Especially on the
kernel command line it is easier to append a repeated or negated
option at the end.
2015-01-11 23:41:41 -05:00
Zbigniew Jędrzejewski-Szmek
a6dba97829 cryptsetup-generator: remove duplicated function 2015-01-11 23:41:41 -05:00
Zbigniew Jędrzejewski-Szmek
c5e04d5127 fstab-util: detect out-of-range pri= assignments
We would silently ignore them. One would have to be crazy
to do assign an out of range value, but simply ignoring it
bothers me.
2015-01-11 23:41:41 -05:00
Zbigniew Jędrzejewski-Szmek
266fd0eabc .gitignore: add new tests and sort tests alphabetically 2015-01-11 23:41:41 -05:00
Zbigniew Jędrzejewski-Szmek
d15d0333be Add new function to filter fstab options
This fixes parsing of options in shared/generator.c. Existing code
had some issues:

- it would treate whitespace and semicolons as seperators. fstab(5)
  is pretty clear that only commas matter. And the syntax does
  not allow for spaces to be inserted in the field in fstab.
  Whitespace might be escaped, but then it should not seperate
  options. Treat whitespace and semicolons as any other character.
- it assumed that x-systemd.device-timeout would always be followed
  by "=". But this is not guaranteed, hasmntopt will return this
  option even if there's no value. Uninitialized memory could be read.
- some error paths would log, and inconsistently, some would just
  return an error code.

Filtering is split out to a separate function and tests are added.

Similar code paths in other places are adjusted to use the new function.
2015-01-11 23:41:41 -05:00
Zbigniew Jędrzejewski-Szmek
1e39ff926f network: apply static addresses in specified order
https://bugs.freedesktop.org/show_bug.cgi?id=83270
2015-01-11 18:17:33 -05:00
Zbigniew Jędrzejewski-Szmek
502f1733e3 shared/list: add LIST_APPEND 2015-01-11 18:17:33 -05:00
Zbigniew Jędrzejewski-Szmek
33e1e5a756 path-lookup: allow /run to override /etc in generator search
Generators are different than unit files: they are never automatically
generated, so there's no point in allowing /etc to override /run. On
the other hand, overriding /etc might be useful in some cases.
2015-01-11 18:17:33 -05:00
Zbigniew Jędrzejewski-Szmek
4f1a33dd0d test-path-lookup: add simple test for path lookup functions 2015-01-11 18:17:33 -05:00
Zbigniew Jędrzejewski-Szmek
aac7766c10 test-util: make sure that masking and overriding works 2015-01-11 18:17:33 -05:00
Zbigniew Jędrzejewski-Szmek
e801700e9a Implement masking and overriding of generators
Sometimes it is necessary to stop a generator from running. Either
because of a bug, or for testing, or some other reason. The only way
to do that would be to rename or chmod the generator binary, which is
inconvenient and does not survive upgrades. Allow masking and
overriding generators similarly to units and other configuration
files.

For the systemd instance, masking would be more common, rather than
overriding generators. For the user instances, it may also be useful
for users to have generators in $XDG_CONFIG_HOME to augment or
override system-wide generators.

Directories are searched according to the usual scheme (/usr/lib,
/usr/local/lib, /run, /etc), and files with the same name in higher
priority directories override files with the same name in lower
priority directories. Empty files and links to /dev/null mask a given
name.

https://bugs.freedesktop.org/show_bug.cgi?id=87230
2015-01-11 18:17:33 -05:00
Zbigniew Jędrzejewski-Szmek
4968105790 Simplify execute_directory()
Remove the optional sepearate opening of the directory,
it would be just too complicated with the change to
multiple directories.

Move the middle of execute_directory() to a seperate
function to make it easier to grok.
2015-01-11 18:17:33 -05:00
David Herrmann
87b934960a bus-proxy: implement 'at_console'
The 'at_console' policy-category allows to apply policy-items to clients
depending on whether they're run from within a valid user-session or not.
We use sd_uid_get_seats() to check whether a user has a valid seat (which
excludes remote-sessions like ssh).
2015-01-11 17:23:24 +01:00
David Herrmann
b49c7806a3 bus-proxy: print message direction in policy logs
Make sure to print "dbus-1 to kernel" or "kernel to dbus-1" in policy logs
to better diagnose the situation.
2015-01-11 15:27:18 +01:00
David Herrmann
b5cfc2b953 bus-proxy: fix receiver policy on dbus-1 to kdbus signals
If a dbus-1 client sends a broadcasted signal via the bus-proxy to kdbus,
the bus-proxy has no idea who the receiver is. Classic dbus-daemon has
bus-access and can perform policy checks for each receiver, but we cant.
Instead, we know the kernel will perform receiver policy checks for
broadcasts, so we can skip the policy check and just push it into the
kernel.

This fixes wpa_supplicant which has DENY rules on receive_type=signal for
non-root. As we never know the target, we always DENY all broadcasts from
wpa_supplicant.

Note that will still perform receiver-policy checks for signals that we
get from the kernel back to us. In those cases, we know the receiver
(which is us).
2015-01-11 15:14:14 +01:00
David Herrmann
fa188b9b24 bus-proxy: fix swapped path/interface debug messages
The policy debug messages swapped "path=" and "interface=", fix this.
2015-01-11 14:54:33 +01:00
David Herrmann
0042d824e3 bus-proxy: fix policy for expected/non-expected reply tags
dbus-1 distinguishes expected and non-expected replies. An expected reply
is a reply that is sent as answer to a previously forwarded method-call
before the timeout fires. Those replies are, by default, forwarded and
DENY policy tags are ignored on them (unless explicitly stated otherwise).

We don't track reply-windows in the bus-proxy as the kernel already does
this. Furthermore, the kernel prohibits any non-expected replies (which
breaks dbus-1, but it was an odd feature, anyway).

Therefore, skip policy checks on replies and always let the kernel deal
with it!

To be correct, we should still process DENY tags marked as
send_expected_reply=true (which is *NOT* the default!). However, so far we
don't parse those attributes, and no-one really uses it, so lets not
implement it for now. It's marked as TODO if anyone feels like fixing it.
2015-01-11 14:18:29 +01:00