1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
Commit Graph

23915 Commits

Author SHA1 Message Date
Daniel Mack
654d1b3350 Merge pull request #2165 from torstehu/fix-typo2
treewide: fix typos and indentation
2015-12-14 16:31:25 +01:00
Torstein Husebø
e5abebabb3 treewide: fix typos and indentation 2015-12-14 15:53:11 +01:00
Daniel Mack
dc0306aac4 Merge pull request #2152 from evverx/respect-disable-tests
build-sys: fix --disable-tests
2015-12-13 17:22:48 +01:00
Evgeny Vereshchagin
5433c3e1a3 build-sys: fix --disable-tests
Fixes:
$ ./configure ... --disable-tests
$ make
$ sudo make check
FAIL: test/udev-test.pl
PASS: test/rule-syntax-check.py
PASS: test/sysv-generator-test.py
...
2015-12-13 07:50:11 +00:00
Daniel Mack
afcaed0cad Merge pull request #2148 from evverx/fix-enable-smack
build-sys: fix ./configure --enable-smack
2015-12-12 14:03:52 +01:00
Evgeny Vereshchagin
c0957da3f4 build-sys: refactor have_smack detection 2015-12-12 06:08:25 +00:00
Evgeny Vereshchagin
566c9f5ad5 build-sys: fix ./configure --enable-smack
Fixes:

$ ./configure ... --enable-smack
$ make src/core/load-fragment-gperf.c
$ grep -i smack src/core/load-fragment-gperf.c
{"Swap.SmackProcessLabel", config_parse_warn_compat, DISABLED_CONFIGURATION, 0},
...

should be
{"Swap.SmackProcessLabel", config_parse_exec_smack_process_label, 0, offsetof(Swap, exec_context)},
...
2015-12-12 03:53:22 +00:00
Tom Gundersen
a036133175 Merge pull request #2143 from poettering/dnssec4
Another batch of DNSSEC fixes
2015-12-11 18:38:14 +01:00
Lennart Poettering
29c1519ed4 resolved: don't eat up errors
dns_resource_key_match_soa() and dns_resource_key_match_cname_or_dname()
may return errors as negative return values. Make sure to propagate
those.
2015-12-11 15:10:56 +01:00
Lennart Poettering
56352fe92d resolved: refactor DNSSEC answer validation
This changes answer validation to be more accepting to unordered RRs in
responses. The agorithm we now implement goes something like this:

  1. populate validated keys list for this transaction from DS RRs
  2. as long as the following changes the unvalidated answer list:
    2a. try to validate the first RRset we find in unvalidated answer
        list
    2b. if that worked: add to validated answer; if DNSKEY also add to
        validated keys list; remove from unvalidated answer.
    2c. continue at 2a, with the next RRset, or restart from the
        beginning when we hit the end
  3. as long as the following changes the unvalidated answer list:
    3a. try to validate the first RRset again. This will necessarily
        fail, but we learn the precise error
    3b. If this was a "primary" response to the question, fail the
        entire transaction. "Primary" in this context means that it is
        directly a response to the query, or a CNAME/DNAME for it.
    3c. Otherwise, remove the RRset from the unvalidated answer list.

Note that we the too loops in 2 + 3 are actually coded as a single one,
but the dnskeys_finalized bool indicates which loop we are currently
processing.

Note that loop 2 does not drop any invalidated RRsets yet, that's
something only loop 3 does. This is because loop 2 might still encounter
additional DNSKEYS which might validate more stuff, and if we'd already
have dropped those RRsets we couldn't validate those anymore. The first
loop is hence a "constructive" loop, the second loop a "destructive"
one: the first one validates whatever is possible, the second one then
deletes whatever still isn't.
2015-12-11 14:15:27 +01:00
Lennart Poettering
203f1b35d9 resolved: rework dnssec validation results
This adds a new validation result DNSSEC_UNSUPPORTED_ALGORITHM which is
returned when we encounter an unsupported crypto algorithm when trying
to validate RRSIG/DNSKEY combinations. Previously we'd return ENOTSUPP
in this case, but it's better to consider this a non-error DNSSEC
validation result, since our reaction to this case needs to be more like
in cases such as expired or missing keys: we need to keep continue
validation looking for another RRSIG/DNSKEY combination that works
better for us.

This also reworks how dnssec_validate_rrsig_search() propagates errors
from dnssec_validate_rrsig(). Previously, errors such as unsupported
algorithms or expired signatures would not be propagated, but simply be
returned as "missing-key".
2015-12-11 14:14:27 +01:00
Lennart Poettering
79e2493138 resolved: rework how and when the number of answer RRs to cache is determined
Instead of figuring out how many RRs to cache right before we do so,
determine this at the time we install the answer RRs, so that we can
still alter this as we manipulate the answer during validation.

The primary purpose of this is to pave the way so that we can drop
unsigned RRsets from the answer and invalidate the number of RRs to
cache at the same time.
2015-12-11 14:14:27 +01:00
Lennart Poettering
c463eb783e resolved: generalize DNS RR type validity checks
Check the validity of RR types as we parse or receive data from IPC
clients, and use the same code for all of them.
2015-12-11 14:14:27 +01:00
Lennart Poettering
e6b57b3787 resolved: refuse OPT RRs in incoming packets that are not in the additional section
We later rely that the DnsAnswer object contains all RRs from the
original packet, at least when it comes to the answer and authorization
sections, hence we better make sure we don#t silently end up removing an
OPT RR from these two sections.
2015-12-11 14:14:27 +01:00
Lennart Poettering
c33be4a6f2 resolved: refuse to cache ANY kind of pseudo-RR-type 2015-12-11 14:14:27 +01:00
Lennart Poettering
6728a58d10 resolved: no need to check for NULL explicitly before invoking dns_packet_unref() 2015-12-11 14:13:31 +01:00
Lennart Poettering
bea4c76fa0 resolved: extend list of pseudo RR types
Also, explain the situation with a longer comment.
2015-12-11 14:13:31 +01:00
Daniel Mack
c57d67f718 Merge pull request #2096 from teg/resolved-cache
Misc resolved cache fixes
2015-12-10 20:48:42 +01:00
Tom Gundersen
a257f9d4a5 resolved: cache - only stringify RR keys when in debug mode
This is in the fast path, so let's not do all this work unneccessarily.
2015-12-10 20:17:49 +01:00
Tom Gundersen
02c2857b8d resolved: cache - don't flush the cache of mDNS records unneccesarily
When the DNS_RESOURCE_KEY_CACHE_FLUSH flag is not set for an mDNS packet, we should not flush
the cache for RRs with matching keys. However, we were unconditionally flushing the cache
also for these packets.

Now mark all packets as cache_flush by default, except for these mDNS packets, and respect
that flag in the cache handling.

This fixes 90325e8c2e.
2015-12-10 20:15:58 +01:00
Tom Gundersen
2250592422 TODO 2015-12-10 19:47:47 +01:00
Daniel Mack
7b56301a88 Merge pull request #2133 from poettering/import-drop-dkr
importd: drop dkr support
2015-12-10 17:40:39 +01:00
Tom Gundersen
d7ce6c9464 resolved: cache - rework which RR types we apply redirection to
The logic of dns_cache_get() is now:
 - look up the precise key;
 - look up NXDOMAIN item;
 - if an RR type that may be redirected
   (i.e., not CNAME, DNAME, RRSIG, NSEC, NSEC3, SIG, KEY, or
   NXT) look up a correpsonding CNAME or DNAME record;
 - look up a corresponding NSEC record;

Before this change we would give up before potentially finding
negative cache entries for DNAME, CNAME and NSEC records, we
would return NSEC records for aliases where we had DNAME or CNAME
records available and we would incorrectly try to redirect DNSSEC RRs.
2015-12-10 17:06:26 +01:00
Tom Gundersen
c3cb6dc20b resolved: cache - improve logging
Some DNS servers will hand out negative answers without SOA records,
these can not be cached, so log about that fact.
2015-12-10 17:06:26 +01:00
Tom Gundersen
71e136699c resolved: cache - don't cache NXDOMAIN by TYPE
An NXDOMAIN entry means there are no RRs of any type for a name,
so only cache by CLASS + NAME, rather than CLASS + NAME + TYPE.
2015-12-10 17:06:26 +01:00
Tom Gundersen
5d27351f85 resolved: cache - do negative caching only on the canonical name
Apart from dropping redundant information, this fixes an issue
where, due to broken DNS servers, we can only be certain of whether
an apparent NODATA response is in fact an NXDOMAIN response after
explicitly resolving the canonical name. This issue is outlined in
RFC2308. Moreover, by caching NXDOMAIN for an existing name, we
would mistakenly return NXDOMAIN for types which should not be
redirected. I.e., a query for AAAA on test-nx-1.jklm.no correctly
returns NXDOMAIN, but a query for CNAME should return the record
and a query for DNAME should return NODATA.

Note that this means we will not cache an NXDOMAIN response in the
presence of redirection, meaning one redundant roundtrip in case the
name is queried again.
2015-12-10 17:04:42 +01:00
Daniel Mack
34130ea7aa Merge pull request #2134 from jorgenschaefer/detect-ipv6-with-sockstat6
Use /proc/net/sockstat6 to detect IPv6 support
2015-12-10 16:54:57 +01:00
Lennart Poettering
b43d75c378 importd: drop dkr support
The current code is not compatible with current dkr protocols anyway,
and dkr has a different focus ("microservices") than nspawn anyway
("whole machine containers"), hence drop support for it, we cannot
reasonably keep this up to date, and it creates the impression we'd
actually care for the microservices usecase.
2015-12-10 16:54:41 +01:00
Lennart Poettering
4d3f0f66e6 Merge pull request #2135 from zonque/resolved-mdns-3
resolved: more mDNS specific bits (3)
2015-12-10 16:49:31 +01:00
Daniel Mack
fe2dfc8b49 resolved: make sure the packet's transaction ID is always 0 for mDNS
RFC6762, 18.1:

   In multicast query messages, the Query Identifier SHOULD be set to
   zero on transmission.
2015-12-10 16:32:03 +01:00
Daniel Mack
40fa4728eb resolved: discard any reply packet that contains a bogus name
Only .in-addr.arpa and .local are considered local in mDNS, so discard the
packet if anything else is thrown at us.
2015-12-10 16:32:02 +01:00
Tom Gundersen
553947b77c Merge pull request #2129 from poettering/dnssec3
Third DNSSEC patch series
2015-12-10 15:22:18 +01:00
Jorgen Schaefer
7377964d4c Use /proc/net/sockstat6 to detect IPv6 support
The file /sys/module/ipv6 does not exist in all container
implementations (e.g. Virtuozzo). Using /proc/net/sockstat6
detects IPv6 support reliably in these environments, too.

This file does not exist when the kernel is not compiled with
IPv6 support, or if IPv6 support is disabled, so simply checking
for existence should be a suitable check.

Fixes #2059
2015-12-10 13:47:19 +01:00
Lennart Poettering
312501458d Merge pull request #2086 from evverx/fix-journal-upload-installation
build: fix systemd-journal-upload installation
2015-12-10 12:05:26 +01:00
Lennart Poettering
ada64a0cff README: Recommend kinvolk regarding engineering services
They are our friends, do systemd development, hence add them.
2015-12-10 11:57:08 +01:00
Lennart Poettering
e93af635c7 Merge pull request #2076 from keszybz/downgrade-masked-unit-message
core: do not warn about Wants depencencies on masked units
2015-12-10 11:40:23 +01:00
Lennart Poettering
c842ff2488 resolved: rename dns_transaction_prepare_next_attempt()
Let's simply call it dns_transaction_prepare(), so that we have the nice
cycle for prepare() → go() → emit() → process().

After all it's pretty clear that what we prepare there, and we dont call
the others go_next_attempt(), emit_next_attempt() or
process_next_attempt().
2015-12-10 11:35:52 +01:00
Lennart Poettering
f649045c10 journal: make mmap_cache_unref() a NOP when NULL is passed, like all other destructors 2015-12-10 11:35:52 +01:00
Lennart Poettering
9eae2bf318 resolved: don't accept doing queries for invalid RR types 2015-12-10 11:35:52 +01:00
Lennart Poettering
547973dea7 resolved: chase DNSKEY/DS RRs when doing look-ups with DNSSEC enabled
This adds initial support for validating RRSIG/DNSKEY/DS chains when
doing lookups. Proof-of-non-existance, or proof-of-unsigned-zones is not
implemented yet.

With this change DnsTransaction objects will generate additional
DnsTransaction objects when looking for DNSKEY or DS RRs to validate an
RRSIG on a response. DnsTransaction objects are thus created for three
reasons now:

1) Because a user asked for something to be resolved, i.e. requested by
   a DnsQuery/DnsQueryCandidate object.
2) As result of LLMNR RR probing, requested by a DnsZoneItem.
3) Because another DnsTransaction requires the requested RRs for
   validation of its own response.

DnsTransactions are shared between all these users, and are GC
automatically as soon as all of these users don't need a specific
transaction anymore.

To unify the handling of these three reasons for existance for a
DnsTransaction, a new common naming is introduced: each DnsTransaction
now tracks its "owners" via a Set* object named "notify_xyz", containing
all owners to notify on completion.

A new DnsTransaction state is introduced called "VALIDATING" that is
entered after a response has been receieved which needs to be validated,
as long as we are still waiting for the DNSKEY/DS RRs from other
DnsTransactions.

This patch will request the DNSKEY/DS RRs bottom-up, and then validate
them top-down.

Caching of RRs is now only done after verification, so that the cache is
not poisoned with known invalid data.

The "DnsAnswer" object gained a substantial number of new calls, since
we need to add/remove RRs to it dynamically now.
2015-12-10 11:35:52 +01:00
Lennart Poettering
aa89931749 resolved: when matching up DNSKEY and DS RRs, it's fine if we don't support the DNSKEY's algorithm
As long as we support the digest we are good.
2015-12-10 11:35:52 +01:00
Lennart Poettering
15accc2765 resolved: when matching up RRSIG and DNSKEY RRs, use the RRSIG's signer name, not the owner name
When the DNSKEY is in higher zone, then that's OK, and we need to check
the RRSIG's signer name against the DNSKEY hence.
2015-12-10 11:35:52 +01:00
Lennart Poettering
6c5e8fbf4e resolved: fix sorting of RRsets
We actually maintain an array of pointers to RRs, not of RRs themselves,
fix the qsort() invocation accordingly.
2015-12-10 11:35:52 +01:00
Lennart Poettering
2f763887b8 resolved: grow DnsAnswer exponentially
When increasing the DnsAnswer array, don't operate piecemeal, grow the
array exponentially.

This way, the default logic for DnsAnswer allocations matches the
behaviour for GREEDY_REALLOC and suchlike, and we can reduce the number
of necessary allocations.
2015-12-10 11:35:52 +01:00
Lennart Poettering
48d5616b92 resolved: log when we chase a CNAME RR 2015-12-10 11:35:52 +01:00
Lennart Poettering
b5efcf29d2 resolved: reenable caching for LLMNR
This got borked in 547493c5ad.
2015-12-10 11:35:52 +01:00
Lennart Poettering
8af5b88322 resolved: split out check whether reply matches our question
It's complicated enough, it deserves its own call.

(Also contains some unrelated whitespace, comment and assertion changes)
2015-12-10 11:35:52 +01:00
Lennart Poettering
8b5b564947 resolved: IXFR and AXFR cannot be the type of RRs, only of RR keys
Enforce this while parsing RRs.
2015-12-10 11:35:52 +01:00
Lennart Poettering
d75acfb059 resolved: when parsing DNS packets, handle OPT RR specially
As soon as we encounter the OPT RR while parsing, store it in a special
field in the DnsPacket structure. That way, we won't be confused if we
iterate through RRs, and can check that there's really only one of these
RRs around.
2015-12-10 11:35:52 +01:00
Lennart Poettering
c296dd2eea resolved: refuse modifying DnsAnswer objects that have more than one reference
DnsAnswer objects should be considered immutable after having passed to
more than one user, i.e. with a reference counter > 1. Enforce that in
code, so that we can track down misuses easier.
2015-12-10 11:28:02 +01:00