Follow-up for 133b34f69a where this was
forgotten.
While we are at it, bring the parameters into the same order as we
declare them in the PullRaw/PullTar objects, i.e. match them to the
canonical order.
Implement directives `NoExecPaths=` and `ExecPaths=` to control `MS_NOEXEC`
mount flag for the file system tree. This can be used to implement file system
W^X policies, and for example with allow-listing mode (NoExecPaths=/) a
compromised service would not be able to execute a shell, if that was not
explicitly allowed.
Example:
[Service]
NoExecPaths=/
ExecPaths=/usr/bin/daemon /usr/lib64 /usr/lib
Closes: #17942.
Let's enable the Packit integration and see if it's a viable option for
us. This configuration builds systemd on Fedora (on x86_64, i386, and
aarch64) and runs the unit test suite. To do that, it uses the specfile
from Fedora Rawhide[0] with some minor modifications, thus dropping the
need to have a specfile in the upstream repository.
So far the builds took around 25 minutes each, so speed-wise it's pretty
good. The two remaining supported architectures (s390x and armhfp) are
excluded, for now, since they're emulated and a build there takes a really
long time (~4 hours).
[0] https://src.fedoraproject.org/rpms/systemd/
The target is update-syscall-tables, so let's call the script
update-syscall-tables.sh to reduce the cognitive overhead when
trying to find the right file.
Upstream uses .text, but this is rather unusual. Let's use .txt as the usual
suffix for text files. This tells various editors and such that the file should
be treated as plain text. I also want a script to summarize license status,
and having an easy-to-recognize suffix makes this easier.
We don't include a license header in .conf and similar files,
but we should include a header that tells the user that this is
our file and points to some docs.
Even though many of those scripts are very simple, it is easier to include
the header than to try to say whether each of those files is trivial enough
not to require one.
If the file was always generated on the fly, the header would be pointless.
But since we distribute it, it should be there. Cf.
a0e150b2f4.
This was forgotten in 35b42e5600.
Meson itself requires Python 3.6, which has f-strings. So I think it's fine to
use them here too. I wanted to use walrus for 'if m:= re.search(...)', but that'd
require 3.8.
We reject all openat2() calls because it is currently not possible to
inspect its flags parameter via seccomp.
Fallback code is more likely to look for ENOSYS than EPERM.
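The caller-side pattern the note above refers to, as an added example (not code from the commit or from systemd): a wrapper falls back to openat() only when the newer call reports ENOSYS, so a filter that answers EPERM turns into a hard failure. The callback type and the names `open_with_fallback`, `denied_enosys`, `denied_eperm` and `probe` are hypothetical, and the two "denied" functions are constructed stand-ins for a seccomp filter's verdict.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <unistd.h>

/* Hypothetical stand-in for the raw openat2() call, so the filter's verdict
 * can be simulated. Returns an fd >= 0, or -1 with errno set. */
typedef int (*openat2_fn)(int dirfd, const char *path, int flags);

/* Constructed verdicts: the filter rejects the call with ENOSYS or with EPERM. */
static int denied_enosys(int dirfd, const char *path, int flags) {
    (void) dirfd; (void) path; (void) flags;
    errno = ENOSYS;
    return -1;
}

static int denied_eperm(int dirfd, const char *path, int flags) {
    (void) dirfd; (void) path; (void) flags;
    errno = EPERM;
    return -1;
}

/* Try the newer call first; fall back to openat() only on ENOSYS. Any other
 * error (EPERM included) is treated as final and returned to the caller. */
static int open_with_fallback(openat2_fn try_openat2, int dirfd,
                              const char *path, int flags, int *used_fallback) {
    *used_fallback = 0;
    int fd = try_openat2(dirfd, path, flags);
    if (fd >= 0 || errno != ENOSYS)
        return fd;
    *used_fallback = 1;
    return openat(dirfd, path, flags);
}

/* Returns 1 if the open succeeded via the fallback, 0 if it succeeded
 * directly, or -errno if it failed. */
static int probe(openat2_fn verdict) {
    int used = 0;
    int fd = open_with_fallback(verdict, AT_FDCWD, "/", O_RDONLY, &used);
    if (fd < 0)
        return -errno;
    close(fd);
    return used;
}

int main(void) {
    printf("ENOSYS verdict: %d\n", probe(denied_enosys));
    printf("EPERM verdict:  %d\n", probe(denied_eperm));
    return 0;
}
```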
The script is renamed to match.
Now all targets are named uniformly in a tab-completion-friendly fashion, with
the exception of systemd-update-po which is generated by the i18n module
automatically:
$ ninja -C build -t targets | grep update
systemd-update-po: phony
update-syscall-tables: phony
update-syscall-header: phony
update-hwdb: phony
update-hwdb-autosuspend: phony
update-dbus-docs: CUSTOM_COMMAND
update-man-rules: CUSTOM_COMMAND
Very old versions of meson did not include the subdirectory name in the
target name, so we started adding various "top-level" custom targets in
subdirectories. This was nice because the main meson.build file wasn't
as cluttered. But then meson started including the subdir name in the
target name. So let's move the definition to the root so we can have all
targets named uniformly.
This test doesn't require the tests to be installed, so it must manually
install required test services and targets itself, including the default
target of testsuite.target.
Also use $TEST_UNITS_DIR which is set by test-functions instead of
calculating the path.
The script currently parses either 'clean' or 'clean-again' as wanting
to clean both before and after running tests. This fixes that to split
the action up; clean runs before tests, clean-again after; and also
verifies the parameter(s) before passing them to make.
Add NO_BUILD var to allow testing with no local build, by installing
local systemd files into the image.
This only works for debian-like distros currently, that use the
tools 'apt' and 'dpkg' for package management.
The $BUILD_DIR is only used in test-functions, and doesn't need to
be specified in any other scripts. Additionally, to be able to allow
the integration test suite to be run against locally installed binaries,
instead of built binaries, moving BUILD_DIR logic completely into
test-functions allows later patches to be simpler.