mirror of https://github.com/systemd/systemd.git synced 2024-11-04 13:51:24 +03:00
Commit Graph

2164 Commits

Author SHA1 Message Date
Lennart Poettering
61ecb465b1 resolved: turn on DNSSEC by default, unless configured otherwise
Let's make sure DNSSEC gets more testing, by defaulting DNSSEC to
"allow-downgrade" mode. Since distros should probably not ship DNSSEC enabled
by default add a configure switch to disable this again.

DNSSEC in "allow-downgrade" mode should mostly work without affecting user
experience. There's one exception: some captive portal systems rewrite DNS in
order to redirect HTTP traffic to the captive portal. If these systems
implement DNS servers that are otherwise DNSSEC-capable (which in fact is
pretty unlikely, but still...), then this will result in the captive portal
being inaccessible. To fix this support in NetworkManager (or any other network
management solution that does captive portal detection) is required, which
simply turns off DNSSEC during the captive portal detection, and resets it back
to the default (i.e. on) after captive portal authentication is complete.
2016-02-16 15:22:05 +01:00
Lennart Poettering
8eff97a103 Merge pull request #2618 from zonque/busproxy-removal
remove bus-proxyd
2016-02-15 14:54:09 +01:00
Zbigniew Jędrzejewski-Szmek
7f6e804332 Promote systemd-activate to /usr/bin/systemd-socket-activate
It has fairly wide functionality now and the interface has been
stable for a while. It is a useful testing tool.

The name is changed to better indicate what it does.
2016-02-14 20:33:32 -05:00
Zbigniew Jędrzejewski-Szmek
06e948901a Merge pull request #2603 from poettering/drop-compat-libs
Some spring cleaning
2016-02-13 10:36:02 -05:00
Lennart Poettering
0655ef96fd build-sys: drop aufs-util.[ch]
Left over cruft from the dkr exercise.
2016-02-13 12:03:16 +01:00
Lennart Poettering
2621af5346 util-lib: drop json parser
This was used by the dkr logic, which is gone now, hence remove this too.
Should we need it one day again the git history never forgets...

Note that this only covers the JSON parser. The JSON generator used by
"journalctl -o json" remains, as it's much much simpler and requires no
infrastructure except printf() and the most basic escaping.
2016-02-13 11:57:14 +01:00
Lennart Poettering
4de282cf93 build-sys: drop libsystemd-{id128,daemon,login,journal}.so compat libs
They have long been obsolete, and upstream distros and packages have mostly
switched over, let's get rid of it for good.
2016-02-13 11:57:14 +01:00
Lennart Poettering
91ba5ac7d0 Merge pull request #2589 from keszybz/resolve-tool-2
Better support of OPENPGPKEY, CAA, TLSA packets and tests
2016-02-13 11:15:41 +01:00
Zbigniew Jędrzejewski-Szmek
718af59e9a resolve: always align flags to 8th column and print CAA flags
Left-over unknown flags are printed numerically. Otherwise,
it wouldn't be known what bits are remaining without knowing
what the known bits are.

A test case is added to verify the flag printing code:
============== src/resolve/test-data/fake-caa.pkts ==============
google.com. IN CAA   0 issue "symantec.com"
google.com. IN CAA   128 issue "symantec.com"
        -- Flags: critical
google.com. IN CAA   129 issue "symantec.com"
        -- Flags: critical 1
google.com. IN CAA   22 issue "symantec.com"
        -- Flags: 22
2016-02-12 20:00:42 -05:00
Zbigniew Jędrzejewski-Szmek
fa45182ed6 Fix hashing of TLSA packets
Also add example files with TLSA and SSHFP records.
2016-02-12 20:00:42 -05:00
Zbigniew Jędrzejewski-Szmek
fff85dbe15 test-dns-packet: allow running without arguments
2016-02-12 20:00:42 -05:00
Zbigniew Jędrzejewski-Szmek
6d99904f5a test-dns-packet: add framework to read and dump packets
Packets are stored in a simple format:
<size> <packet-wire-format> <size> <packet-wire-format> ...

Packets for some example domains are dumped, to test rr code for various
record types. Currently:
A
AAAA
CAA
DNSKEY
LOC
MX
NS
NSEC
OPENPGPKEY
SOA
SPF
TXT

The hashing code is executed, but results are not checked.

Also build other tests in src/resolve only with --enable-resolve.
2016-02-12 20:00:42 -05:00
Daniel Mack
798c486fbc remove bus-proxyd
As kdbus won't land in the anticipated way, the bus-proxy is not needed in
its current form. It can be resurrected at any time thanks to the history,
but for now, let's remove it from the sources. If we'll have a similar tool
in the future, it will look quite differently anyway.

Note that stdio-bridge is still available. It was restored from a version
prior to f252ff17, and refactored to make use of the current APIs.
2016-02-12 19:10:01 +01:00
Daniel Mack
9ca6ff50ab Remove kdbus custom endpoint support
This feature will not be used anytime soon, so remove a bit of cruft.

The BusPolicy= config directive will stay around as compat noop.
2016-02-11 22:12:04 +01:00
Lennart Poettering
c8b166b3ea Merge pull request #2587 from haraldh/tpmv3
sd-boot: put hashed kernel command line in a PCR of the TPM
2016-02-11 20:38:03 +01:00
Zbigniew Jędrzejewski-Szmek
4ac2ca1bdb systemd-resolve: allow easy querying of openpgp keys
$ systemd-resolve --openpgp zbyszek@fedoraproject.org
d08ee310438ca124a6149ea5cc21b6313b390dce485576eff96f8722._openpgpkey.fedoraproject.org. IN OPENPGPKEY
        mQINBFBHPMsBEACeInGYJCb+7TurKfb6wGyTottCDtiSJB310i37/6ZYoeIay/5soJjlM
        yfMFQ9T2XNT/0LM6gTa0MpC1st9LnzYTMsT6tzRly1D1UbVI6xw0g0vE5y2Cjk3xUwAyn
        ...
2016-02-11 13:12:41 -05:00
Zbigniew Jędrzejewski-Szmek
91e023d896 Move initialize_libgcrypt to separate file
It's annoying to have the exact same function in three places.
It's stored in src/shared, but it's not added to the library to
avoid the dependency on libgcrypt.
2016-02-11 13:12:40 -05:00
Harald Hoyer
92ed3bb49e sd-boot: put hashed kernel command line in a PCR of the TPM
The UEFI BIOS already hashes the contents of the loaded image, so the
initrd and the command line of the binary are recorded.

Because manually added LoadOptions are not taken into account, these
should be recorded also.

This patch logs and extends a TPM PCR register with the LoadOptions.

This feature can be enabled with configure --enable-tpm

The PCR register index can be specified with
configure --with-tpm-pcrindex=<NUM>
2016-02-11 17:48:09 +01:00
Lennart Poettering
cf92d86020 build-sys: bump so version
2016-02-11 13:16:39 +01:00
Evgeny Vereshchagin
586bedd41a build-sys: add TEST-06-SELINUX to dist
This is a follow-up to https://github.com/systemd/systemd/pull/2493
2016-02-10 18:20:45 +00:00
Evgeny Vereshchagin
09f6f45a29 tests: add test for https://github.com/systemd/systemd/issues/1981
2016-02-10 18:19:08 +00:00
Lennart Poettering
888e378da2 coredump: dump privileges when processing system coredumps
Let's add an extra-safety net and change UID/GID to the "systemd-coredump" user when processing coredumps from system
user. For coredumps of normal users we keep the current logic of processing the coredumps from the user id the coredump
was created under.

Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=87354
2016-02-10 16:09:24 +01:00
Lennart Poettering
3c171f0b1e coredump: rework coredumping logic
This reworks the coredumping logic so that the coredump handler invoked from the kernel only collects runtime data
about the crashed process, and then submits it for processing to a socket-activate coredump service, which extracts a
stacktrace and writes the coredump to disk.

This has a number of benefits: the disk IO and stack trace generation may take a substantial amount of resources, and
hence should better be managed by PID 1, so that resource management applies. This patch uses RuntimeMaxSec=, Nice=, OOMScoreAdjust=
and various sandboxing settings to ensure that the coredump handler doesn't take away unbounded resources from normally
prioritized processes.

This logic is also nice since this makes sure the coredump processing and storage is delayed correctly until
/var/systemd/coredump is mounted and writable.

Fixes: #2286
2016-02-10 16:08:32 +01:00
Lennart Poettering
f50cd2b2f5 build-sys: move coredump logic into subdir of its own
2016-02-10 14:32:27 +01:00
Daniel Mack
684d3dabef Makefile.am: remove some relicts
2016-02-10 13:27:24 +01:00
Lennart Poettering
14f4532026 Merge pull request #2543 from keszybz/build-sys-and-man-fixes
Build sys and man fixes
2016-02-08 12:52:39 +01:00
Zbigniew Jędrzejewski-Szmek
17163897d4 build-sys: simplify conditionals around shell completion files
Repeating those conditionals for every program is
annoying. Use a helper variable to avoid conditionals.

Also always add generated completion files to CLEANFILES.
2016-02-06 17:54:48 -05:00
Zbigniew Jędrzejewski-Szmek
4c32f2c96b build-sys: move CLEANFILES additions out from under HAVE_GNUEFI
It's better to always include them in 'make clean'.
It is also easier to read Makefile.am when less stuff is conditional.
2016-02-06 17:54:47 -05:00
Lennart Poettering
7732f92bad nspawn: optionally run a stub init process as PID 1
This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1.
This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other
processes regarding reaping of unknown children or signal handling.
2016-02-03 23:58:24 +01:00
Lennart Poettering
c5c41f1e57 Merge pull request #2510 from msekletar/journalctl-dev-sda-v4
journalctl: make "journalctl /dev/sda" work
2016-02-02 19:34:39 +01:00
Michal Sekletar
795ab08f78 journalctl: make "journalctl /dev/sda" work
Currently when journalctl is called with path to block device node we
add following match _KERNEL_DEVICE=b$MAJOR:$MINOR.

That is not sufficient to actually obtain logs about the disk because
dev_printk() kernel helper puts to /dev/kmsg information about the
device in following format, +$SUBSYSTEM:$ADDRESS,
e.g. "+pci:pci:0000:00:14.0".

Now we will walk upward the syspath and add match for every device in
format produced by dev_printk() as well as match for its device node if
it exists.
2016-02-02 16:46:28 +01:00
Michael Olbrich
4709152273 resolved: allow building without libgcrypt
2016-01-31 23:54:12 +01:00
Lennart Poettering
dcabda4155 Merge pull request #2469 from keszybz/resolved-2
Resolved 2
2016-01-30 15:04:56 +01:00
Zbigniew Jędrzejewski-Szmek
c7472ce088 test-resolve-tables: new "test", useful to print mappings
2016-01-29 12:13:08 -05:00
Zbigniew Jędrzejewski-Szmek
fc8eec10f6 resolved: calculate and print tags for DNSKEY records
2016-01-29 12:13:06 -05:00
Lennart Poettering
6c38b6c04e build-sys: install systemd-resolve in /usr/bin
The command has a man page now and is public, hence add it to /usr/bin.
2016-01-29 14:45:41 +01:00
Lennart Poettering
0c5eb0562a nss: block various signals while running NSS lookups
Let's make sure our poll() calls don't get interrupted where they shouldn't (SIGALRM, ...), but allow them to be
interrupted where they should (SIGINT, ...).

Fixes #1965
2016-01-27 02:22:58 +01:00
Lennart Poettering
47889a8367 Merge pull request #2446 from keszybz/ask-password
Ask password unicode fix
2016-01-26 23:42:38 +01:00
Zbigniew Jędrzejewski-Szmek
8a1baa3ad1 test-ask-password-api: add a manual test for password reading
2016-01-26 17:07:14 -05:00
Lennart Poettering
0061695507 networkd: use an OrderedSet instead of Set to collect link domains
For the search domain logic the order is highly relevant, hence make sure when collecting the various search domains to
add them to an ordered set, so that the order between search domains of a specific link is retained.
2016-01-26 14:42:03 +01:00
Zbigniew Jędrzejewski-Szmek
ce245c842b build-sys: provide fallback value for xsltproc
Commit ab6f56debf made the change to allow building man pages even when disabled
with ./configure --disable-manpages. This works fine, as long as xsltproc is
present. If xsltproc is not present, the command to build a man page (obviously)
fails. Unfortunately it fails with a cryptic message '-o not found', because
$(XSLTPROC) is empty. Add a fallback, to use 'xsltproc' if $(XSLTPROC) is not
defined. This way we get a nice message:

make: xsltproc: Command not found
2016-01-25 19:10:46 -05:00
Lennart Poettering
dd0bc0f141 resolved: synthesize RRs for data from /etc/hosts
This way the difference between lookups via NSS and our native bus API should become minimal.
2016-01-25 17:19:19 +01:00
Lennart Poettering
b5eb973b39 resolve: rename "systemd-resolve-host" tool to simply "systemd-resolve"
The tool resolves way more than just hosts, hence give it a more generic name. This should be safe, as the tool is
currently undocumented. Before we add documentation for it, let's get the name right.

This also moves the C source into src/resolve/ (from src/resolve-host/), since the old name is a misnomer now. Also,
since it links directly to many of the C files of resolved it really belongs into resolved's directory anyway.
2016-01-25 16:00:28 +01:00
Lennart Poettering
839a4a20d8 resolved: split out RR synthesis logic into its own C file
Also, while we are at it, set the "authenticated" bit for everything we synthesize
2016-01-25 15:59:40 +01:00
Lennart Poettering
d90833c93c Merge pull request #2054 from keszybz/nss-link-less-2
Nss link less 2
2016-01-20 17:39:07 +01:00
Tom Gundersen
f7e29f72bf Merge pull request #2372 from poettering/dnssec17
resolved bus API improvements
2016-01-20 11:30:20 +01:00
Lennart Poettering
3abaabdab7 resolved: expose bus objects for each Link
The link objects expose as properties the current settings made with SetLinkDNS() and related calls, plus some more
information.
2016-01-19 21:56:54 +01:00
Daniel Mack
d619a0c4a5 Merge pull request #2373 from keszybz/man-api-build-3
Man page grammar and build tweaks v3
2016-01-19 20:44:58 +01:00
Zbigniew Jędrzejewski-Szmek
ab6f56debf build-sys: allow building man pages even if disabled in ./configure
This is purely for developer convenience: building man pages is slow
so people tend to disable them when not working on documentation. But
sometimes it is useful to build the man page to look something up,
especially when working on an older machine which has outdated
documentation, or to test some change to documentation. The rules to build
man pages are now outside of the ENABLE_MANPAGES conditional, but they
are not used unless manually invoked, and only the inclusion of man
pages in build and install targets is affected by the conditional.

Also, more generated files are removed in clean, which seems to be
a good thing, and Makefile.am is simplified.
2016-01-18 16:19:13 -05:00
Lennart Poettering
412577e3c8 resolved: add complex test case
This new test case tries to resolve a couple of known domains, to verify the validation results. It talks to resolved
via the bus, thus comprehensively testing the whole shebang.

Of course, it requires network connectivity and a DNSSEC capable DNS server, hence this is a manual test.
2016-01-17 20:47:46 +01:00