1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-31 07:51:21 +03:00
Commit Graph

1142 Commits

Author SHA1 Message Date
Lennart Poettering
bf65b7e0c9 core: imply NNP and SUID/SGID restriction for DynamicUser=yes service
Let's be safe, rather than sorry. This way DynamicUser=yes services can
neither take benefit of, nor create SUID/SGID binaries.

Given that DynamicUser= is a recent addition only we should be able to
get away with turning this on, even though this is strictly speaking a
binary compatibility breakage.
2019-04-02 16:56:48 +02:00
Lennart Poettering
62aa29247c units: turn on RestrictSUIDSGID= in most of our long-running daemons 2019-04-02 16:56:48 +02:00
Zbigniew Jędrzejewski-Szmek
01d2041e41 meson: stop creating enablement symlinks in /etc during installation
This patch was initially prompted by a report on a Fedora update [1], that the
upgrade causes systemd-resolved.service and systemd-networkd.service to be
re-enabled. We generally want to preserve the enablement of all services during
upgrades, so a reset like this is not expected.

Both services declare two symlinks in their [Install] sections, for their dbus
names and for multi-user.target.wants/.  It turns out that both services were
only partially enabled, because their dbus unit symlinks
/etc/systemd/system/dbus-org.freedesktop.{resolve1,network1}.service were
created, by the symlinks in /etc/systemd/system/multi-user.target.wants/ were
not. This means that the units could be activated by dbus, but not in usual
fashion using systemctl start. Our tools make it rather hard to figure out when
something like this happens, and it is definitely an area for improvement on its
own. The symlink in .wants/ was filtered out by during packaging, but the dbus
symlink was left in (I assume by mistake).

Let's simplify things by not creating the symlinks statically during 'ninja
install'. This means that the units shipped by systemd have to be enabled in
the usual fashion, which in turns means that [Install] section and presets
become the "single source of truth" and we don't have two sets of conflicting
configuration.

Let's consider a few cases:
- developer: a developer installs systemd from git on a running system, and they
  don't want the installation to reset enablement of anything. So this change is
  either positive for them, or has no effect (if they have everything at
  defaults).

- package creation: we want to create symlinks using 'preset-all' and 'preset'
  on upgraded packages, we don't want to have any static symlinks. This change
  will remove the need to filter out symlinks in packaging and of course fix
  the original report.

- installation of systemd from scratch: this change means that without
  'preset-all' the system will not be functional. This case could be affected
  negatively by this change, but I think it's enough of a corner case to accept
  this. In practice I expect people to build a package, not installl directly
  into the file system, so this might not even matter in practice.

Creating those symlinks was probably the right thing in the beginning, but
nowadays the preset system is very well established and people expect it to
be honoured. Ignoring the presets and doing static configuration is not welcome
anymore.

Note: during package installation, either 'preset-all' or 'preset getty@.service
machines.target remote-cryptsetup.target remote-fs.target
systemd-networkd.service systemd-resolved.service
systemd-networkd-wait-online.service systemd-timesyncd.service' should be called.

[1] https://bodhi.fedoraproject.org/updates/FEDORA-2019-616045ca76
2019-04-01 14:24:44 +02:00
Zbigniew Jędrzejewski-Szmek
709b423f2f meson: indentation 2019-04-01 14:23:29 +02:00
Lennart Poettering
5cb02182fd units: set nodev,nosuid,noexec flags for various secondary API VFS
A couple of API VFS we mount via .mount units. Let's set the three flags
for those too, just in case.

This is just paranoia, nothing else, but shouldn't hurt.
2019-03-25 19:39:00 +01:00
Zbigniew Jędrzejewski-Szmek
11dce8e29b Revert "Revert "units: lock down logind with fs namespacing options""
This reverts commit 28f38a7634.

The revert was done because Ubuntu CI was completely broken with it. Let's see
if it fares better now.
2019-03-19 10:58:49 +01:00
Lennart Poettering
928df2c251 units: turn off keyring handling for user@.service
This service uses PAM anyway, hence let pam_keyring set things up for
us. Moreover, this way we ensure that the invocation ID is not set for
this service as key, and thus can't confuse the user service's
invocation ID.

Fixes: #11649
2019-03-19 10:58:20 +01:00
Zbigniew Jędrzejewski-Szmek
827f62c3f2 man,units: document what user "default.target" is a bit 2019-03-15 13:55:24 +01:00
Jonathan Lebon
8e729d511e units: update catalog after systemd-tmpfiles runs
`systemd-journal-catalog-update.service` writes to `/var`. However, it's
not explicitly ordered wrt `systemd-tmpfiles-setup.service`, which means
that it may run before or after.

This is an issue for Fedora CoreOS, which uses Ignition. We want to be
able to prepare `/var` on first boot from the initrd, where the SELinux
policy is not loaded yet. This means that the hierarchy under `/var` is
not correctly labeled. We add a `Z /var - - -` tmpfiles entry so that it
gets relabeled once `/var` gets mounted post-switchroot.

So any service that tries to access `/var` before `systemd-tmpfiles`
relabels it is likely to hit `EACCES`.

Fix this by simply ordering `systemd-journal-catalog-update.service`
after `systemd-tmpfiles-setup.service`. This is also clearer since the
tmpfiles entries are the canonical source of how `/var` should be
populated.

For more context on this, see:
https://github.com/coreos/ignition/issues/635#issuecomment-446620297
2019-03-14 11:28:19 +01:00
Lennart Poettering
a18449b5bd units: turn of ProtectHostname= again for services hat need to know about system hostname changes
ProtectHostname= turns off hostname change propagation from host to
service. This means for services that care about the hostname and need
to be able to notice changes to it it's not suitable (though it is
useful for most other cases still).

Let's turn it off hence for journald (which logs the current hostname)
for networkd (which optionally sends the current hostname to dhcp
servers) and resolved (which announces the current hostname via
llmnr/mdns).
2019-03-08 15:49:10 +01:00
Michael Biebl
faab72d16b units: fix systemd.special man page reference in system-update-cleanup.service 2019-03-07 14:42:43 +01:00
Lennart Poettering
31b221cf5e logind: add support for booting into the boot menu or a specific boot menu entry
This behaves similar to the "boot into firmware" logic, and also allows
either direct EFI operation (which sd-boot supports and others might
support eventually too) or override through env var.
2019-03-05 16:52:46 +01:00
Martin Pitt
95a32e9750
units: re-drop ProtectHostname from systemd-hostnamed.service (#11792)
This was an overzealous setting from commit 99894b867f. Without this,
`hostnamectl set-hostname` fails with

    Could not set property: Access denied

as `sethostname()` fails with `EPERM`.
2019-02-22 08:04:37 +01:00
Lennart Poettering
25f77a4ba2 man,units: link up new documentation about temporary directories 2019-02-20 18:31:18 +01:00
Lennart Poettering
eb5149ba74
Merge pull request #11682 from topimiettinen/private-utsname
core: ProtectHostname feature
2019-02-20 14:12:15 +01:00
Topi Miettinen
99894b867f units: enable ProtectHostname=yes 2019-02-20 10:50:44 +02:00
Lennart Poettering
4d422d1f9e
Merge pull request #11226 from keszybz/enable-remount-fs-dynamically
Enable systemd-remount-fs.service dynamically
2019-02-18 12:46:31 +01:00
Andrzej Pietrasiewicz
2c633a821e units: add usb-gadget target
Linux can be run on a device meant to act as a USB peripheral. In order
for a machine to act as such a USB device it has to be equipped with
a UDC - USB Device Controller.

This patch adds a target reached when UDC becomes available. It can be used
for activating e.g. a service unit which composes a USB gadget with
configfs and activates it.
2019-02-15 18:16:27 +01:00
Franck Bui
e2c7c94ea3 units: make sure initrd-cleanup.service terminates before switching to rootfs
A follow-up for commit a8cb1dc3e0.

Commit a8cb1dc3e0 made sure that initrd-cleanup.service won't be stopped
when initrd-switch-root.target is isolated.

However even with this change, it might happen that initrd-cleanup.service
survives the switch to rootfs (since it has no ordering constraints against
initrd-switch-root.target) and is stopped right after when default.target is
isolated. This led to initrd-cleanup.service entering in failed state as it
happens when oneshot services are stopped.

This patch along with a8cb1dc3e0 should fix issue #4343.

Fixes: #4343
2019-01-28 13:41:28 +01:00
Lennart Poettering
e4bbc5fb74 units: drop conditionalization of systemd-tmpfiles-setup-dev.service
Currently, tmpfiles runs in two separate services at boot. /dev is
populated by systemd-tmpfiles-setup-dev.service and everything else by
systemd-tmpfiles-setup.service. The former was so far conditionalized by
CAP_SYS_MODULES. The reasoning was that the primary purpose of
populating /dev was to create device nodes based on the static device
node info exported in kernel modules through MODALIAS. And without the
privs to load kernel modules doing so is unnecessary. That thinking is
incomplete however, as there might be reason to create stuff in /dev
outside of the static modalias usecase. Thus, let's drop the
conditionalization to ensure that tmpfiles.d rules are always executed
at least once under all conditions.

Fixes: #11544
2019-01-26 13:55:18 +01:00
Zbigniew Jędrzejewski-Szmek
9b69569d2c Pull in systemd-remount-fs.service only when required
Instead of enabling it unconditionally and then using ConditionPathExists=/etc/fstab,
and possibly masking this condition if it should be enabled for auto gpt stuff,
just pull it in explicitly when required.
2019-01-03 15:30:28 +01:00
Zbigniew Jędrzejewski-Szmek
634cc94f47 units: replace symlinks in units/user/ by real files
We already *install* those as real files since de78fa9ba0.
Meson will start to copy symlinks as-is, so we would get dangling symlinks in
/usr/lib/systemd/user/.

I considered the layout in our sources to match the layout in the installation
filesystem (i.e. creating units/system/ and moving all files from units/ to
units/system/), but that seems overkill. By using normal files for both we get
some duplication, but those files change rarely, so it's not a big downside in
practice.

Fixes #9906.
2018-12-13 20:23:43 +01:00
Zbigniew Jędrzejewski-Szmek
df13444339 units: drop units/user/busnames.target
It seems this was missed in 0ba8987337.
2018-12-13 20:23:43 +01:00
Zbigniew Jędrzejewski-Szmek
401faa3533
Merge pull request #10357 from poettering/import-fs
machinectl import-fs command and other fixes
2018-11-29 16:38:46 +01:00
Lennart Poettering
ff9bf8d012 units: make fsck/grows/makefs/makeswap units conflict against shutdown.target
They are the only units we shipped/generated where this was missing really. Let's fix these.

Follow-up for: #10933
2018-11-26 22:18:16 +01:00
Lennart Poettering
5f7ecd610c import: drop logic of setting up /var/lib/machines as btrfs loopback mount
Let's simplify things and drop the logic that /var/lib/machines is setup
as auto-growing btrfs loopback file /var/lib/machines.raw.

THis was done in order to make quota available for machine management,
but quite frankly never really worked properly, as we couldn't grow the
file system in sync with its use properly. Moreover philosophically it's
problematic overriding the admin's choice of file system like this.

Let's hence drop this, and simplify things. Deleting code is a good
feeling.

Now that regular file systems provide project quota we could probably
add per-machine quota support based on that, hence the btrfs quota
argument is not that interesting anymore (though btrfs quota is a bit
more powerful as it allows recursive quota, i.e. that the machine pool
gets an overall quota in addition to per-machine quota).
2018-11-26 18:09:01 +01:00
Lennart Poettering
7af002f71d units: order systemd-rfkill.socket after /var/lib/systemd/rfkill (#10904)
Otherwise we might install the socket unit early, but the service
backing it late, and then end up in strange loops when we enter rescue
mode, because we saw an event on /dev/rfkill but really can't dispatch
it nor flush it.

Fixes: #9171
2018-11-24 23:59:37 +09:00
Lennart Poettering
3f547ca5a6 units: fix Description= of systemd-exit.service
This file was probably copied from the --user version, let's use some
more appropriate wording for the --system version.
2018-11-16 12:25:35 +01:00
Lennart Poettering
9f782b3e1b units: use correct command to exit
Otherwise we'll end a cyclic loop.
2018-11-16 12:25:35 +01:00
Lennart Poettering
1795457f50 units: add the same ordering deps for systemd-exit.service as for systemd-poweroff.service and friends
This stuff runs in containers, and should really behave the same
everywhere.
2018-11-16 12:25:35 +01:00
Zbigniew Jędrzejewski-Szmek
28f38a7634 Revert "units: lock down logind with fs namespacing options" 2018-11-15 17:48:01 +03:00
Lennart Poettering
53a3e8fc7a
Merge pull request #10744 from poettering/logind-lock-down
units: lock down logind with fs namespacing options
2018-11-13 10:38:47 +01:00
Lennart Poettering
99cd001d4c units: also change portabled's syscall filter to a whitelist 2018-11-13 10:38:17 +01:00
Lennart Poettering
45ae3f6117 units: lock down systemd-logind.service with various fs namespacing options
now that logind doesn't mount $XDG_RUNTIME_DIR anymore we can lock down
the service using fs namespacing (as we don't need the mount to
propagate to the host namespace anymore).
2018-11-12 19:14:33 +01:00
Lennart Poettering
1bded6b28f logind: drop CAP_KILL from caps bounding set
logind doesn't kill any processes anymore, hence let's drop the
capability.
2018-11-12 19:05:36 +01:00
Lennart Poettering
3ca9940cb9 units: set NoNewPrivileges= for all long-running services
Previously, setting this option by default was problematic due to
SELinux (as this would also prohibit the transition from PID1's label to
the service's label). However, this restriction has since been lifted,
hence let's start making use of this universally in our services.

On SELinux system this change should be synchronized with a policy
update that ensures that NNP-ful transitions from init_t to service
labels is permitted.

An while we are at it: sort the settings in the unit files this touches.
This might increase the size of the change in this case, but hopefully
should result in stabler patches later on.

Fixes: #1219
2018-11-12 19:02:55 +01:00
Alan Jenkins
0ba8987337 units: remove unused busnames.target
I found zero references to busnames.target, using git grep "busnames".
(And we do not install using a wildcard units/*.*.  There is no
busnames.target installed on my Fedora 28 system).
2018-10-31 11:44:03 +01:00
Lennart Poettering
73f19ce1ae units: drop systemd-user-sessions.service ordering dep on systemd-journal-flush.service (#10502)
THis dep existed since the unit was introduced, but I cannot see what
good it would do. Hence in the interest of simplifying things, let's
drop it. If breakages appear later we can certainly revert this again.

Fixes: #10469
2018-10-25 04:41:02 +09:00
Lennart Poettering
f876f53789 units: add simple boot check unit
This is might be useful in some cases, but it's primarily an example for
a boot check service that can be plugged before boot-complete.target.

It's disabled by default.

All it does is check whether the failed unit count is zero
2018-10-19 22:34:50 +02:00
Lennart Poettering
36695e880a add new systemd-bless-boot.service that marks boots as successful
This is the counterpiece to the boot counting implemented in
systemd-boot: if a boot is detected as successful we mark drop the
counter again from the booted snippet or kernel image.
2018-10-19 22:34:50 +02:00
Lennart Poettering
329d20db3c units: add generic boot-complete.target 2018-10-19 22:34:50 +02:00
Lennart Poettering
a42984dbc7
Merge pull request #10428 from keszybz/failure-actions
Implement manager status changes using SuccessAction=
2018-10-17 21:29:10 +02:00
Zbigniew Jędrzejewski-Szmek
a400bd8c2a units: allow and use SuccessAction=exit-force in system systemd-exit.service
C.f. 287419c119: 'systemctl exit 42' can be
used to set an exit value and pulls in exit.target, which pulls in systemd-exit.service,
which calls org.fdo.Manager.Exit, which calls method_exit(), which sets the objective
to MANAGER_EXIT. Allow the same to happen through SuccessAction=exit.

v2: update for 'exit' and 'exit-force'
2018-10-17 19:32:07 +02:00
Zbigniew Jędrzejewski-Szmek
afa6206583 units: use SuccessAction=poweroff-force in systemd-poweroff.service
Explicit systemctl calls remain in systemd-halt.service and the system
systemd-exit.service. To convert systemd-halt, we'd need to add
SuccessAction=halt-force. Halting doesn't make much sense, so let's just
leave that is. systemd-exit.service will be converted in the next commit.
2018-10-17 19:31:50 +02:00
Zbigniew Jędrzejewski-Szmek
d85515edcf units: use SuccessAction=reboot-force in systemd-reboot.service 2018-10-17 19:31:50 +02:00
Zbigniew Jędrzejewski-Szmek
631c9b7bf2 units: use SuccessAction=exit-force in systemd-exit.service
Fixes #10414.

v2:
- rename .service.in to .service
- rename 'exit' to 'exit-force'
2018-10-17 19:31:50 +02:00
Zbigniew Jędrzejewski-Szmek
c02b6ee496 meson: define @HIGH_RLIMIT_NOFILE@ and use it everywhere 2018-10-17 14:54:48 +02:00
Lennart Poettering
c35ee02c61 units: bump the RLIMIT_NOFILE soft limit for all services that access the journal
This updates the unit files of all our serviecs that deal with journal
stuff to use a higher RLIMIT_NOFILE soft limit by default. The new value
is the same as used for the new HIGH_RLIMIT_NOFILE we just added.

With this we ensure all code that access the journal has higher
RLIMIT_NOFILE. The code that runs as daemon via the unit files, the code
that is run from the user's command line via C code internal to the
relevant tools. In some cases this means we'll redundantly bump the
limits as there are tools run both from the command line and as service.
2018-10-16 16:33:55 +02:00
Lennart Poettering
2d6718bf3d units: use =yes rather than =true everywhere
So far we always used "yes" instead of "true" in all our unit files,
except for one outlier. Let's do this here too. No change in behaviour
whatsoever, except that it looks prettier ;-)
2018-10-13 12:59:29 +02:00
Lennart Poettering
07ee5adb35 logind: change user-runtime-dir to query runtime dir size from logind via the bus
I think this is a slightly cleaner approach than parsing the
configuration file at multiple places, as this way there's only a single
reload cycle for logind.conf, and that's systemd-logind.service's
runtime.

This means that logind and dbus become a requirement of
user-runtime-dir, but given that XDG_RUNTIME_DIR is not set anyway
without logind and dbus around this isn't really any limitation.

This also simplifies linking a bit as this means user-runtime-dir
doesn't have to link against any code of logind itself.
2018-10-13 12:59:29 +02:00