1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-06 08:26:52 +03:00
Commit Graph

33416 Commits

Author SHA1 Message Date
Lennart Poettering
4e2c0a227e namespace: extend list of masked files by ProtectKernelTunables=
This adds a number of entries nspawn already applies to regular service
namespacing too. Most importantly let's mask /proc/kcore and
/proc/kallsyms too.
2018-05-03 17:46:31 +02:00
Lennart Poettering
720f0a2f3c nspawn: move nspawn cgroup hierarchy one level down unconditionally
We need to do this in all cases, including on cgroupsv1 in order to
ensure the host systemd and any systemd in the payload won't fight for
the cgroup attributes of the top-level cgroup of the payload.

This is because systemd for Delegate=yes units will only delegate the
right to create children as well as their attributes. However, nspawn
expects that the cgroup delegated covers both the right to create
children and the attributes of the cgroup itself. Hence, to clear this
up, let's unconditionally insert a intermediary cgroup, on cgroupsv1 as
well as cgroupsv2, unconditionally.

This is also nice as it reduces the differences in the various setups
and exposes very close behaviour everywhere.
2018-05-03 17:45:42 +02:00
Lennart Poettering
910384c821 nspawn: let's make use of SPECIAL_MACHINE_SLICE macro, after all we already set it 2018-05-03 17:45:42 +02:00
Lennart Poettering
9ec5a93c98 nspawn: don't make /proc/kmsg node too special
Similar to the previous commit, let's just use our regular calls for
managing temporary nodes take care of this.
2018-05-03 17:45:42 +02:00
Lennart Poettering
cdde6ba6b6 nspawn: mount boot ID from temporary file in /tmp
Let's not make /run too special and let's make sure the source file is
not guessable: let's use our regular temporary file helper calls to
create the source node.
2018-05-03 17:45:42 +02:00
Lennart Poettering
d4b653c589 nspawn: lock down a few things in /proc by default
This tightens security on /proc: a couple of files exposed there are now
made inaccessible. These files might potentially leak kernel internals
or expose non-virtualized concepts, hence lock them down by default.
Moreover, a couple of dirs in /proc that expose stuff also exposed in
/sys are now marked read-only, similar to how we handle /sys.

The list is taken from what docker/runc based container managers
generally apply, but slightly extended.
2018-05-03 17:45:42 +02:00
Lennart Poettering
c69c7068ce
Merge pull request #8868 from yuwata/resolve-show-current-server
resolvectl: show current DNS server
2018-05-03 17:24:34 +02:00
Lennart Poettering
d0821d8839
Merge pull request #8644 from yuwata/rfe-1589
timesync: expose NTP response on DBus
2018-05-03 17:23:40 +02:00
Susant Sahani
801d2c9f5d ethtool: get_glinksettings Fix copy (#8889)
It should be other way around.
2018-05-03 17:20:56 +02:00
Lennart Poettering
10af01a5ff nspawn: use free_and_replace() at more places 2018-05-03 17:19:46 +02:00
Lennart Poettering
88614c8a28 nspawn: size_t more stuff
A follow-up for #8840
2018-05-03 17:19:46 +02:00
Lennart Poettering
d11623e9c2 doc: document nore carefully that tmpfs within the cgroupfs setup shouldn't confuse statfs() checks 2018-05-03 17:19:46 +02:00
Yu Watanabe
3776f9cf00
Merge pull request #8859 from poettering/virt-xen-lying
Prefer DMI over CPUID when detecting Xen
2018-05-03 23:23:32 +09:00
Lennart Poettering
5d01f5dce4 locale-util: add comment with link to unicode chars supported by eurlatgr (#8894)
See: #6443
2018-05-03 23:15:04 +09:00
Lennart Poettering
fe80fcc7e8 mount-setup: add a comment that the character/block device nodes are "optional" (#8893)
if we lack privs to create device nodes that's fine, and creating
/run/systemd/inaccessible/chr or /run/systemd/inaccessible/blk won't
work then. Document this in longer comments.

Fixes: #4484
2018-05-03 23:10:35 +09:00
Yu Watanabe
3e692b58d0
Merge pull request #8887 from poettering/file-hier-efi
three improvements to the file-hierarchy(7) man page
2018-05-03 23:07:07 +09:00
Lennart Poettering
d225fedb66 man: docbook doesn't like line breaks within table cells (#8885)
It will pass them on as they are to the formatted man pages, which is
pretty uncool. Let's hence avoid line breaks with table cells.
2018-05-03 23:02:43 +09:00
Lennart Poettering
0ea21d9e88 test: don't send image building output to /dev/null (#8886)
Yes, the output is sometimes annyoing, but /dev/null is not the right
place...

I figure this redirection was left in from some debugging session, let's
fix it, and make the setup_basic_environment invocation like in all
other test scripts.
2018-05-03 16:47:42 +03:00
Evgeny Vereshchagin
1ab0a250c2
Merge pull request #8865 from yuwata/fix-signal
util: fix integer overflow
2018-05-03 16:35:38 +03:00
Lennart Poettering
4db688e0cc update TODO 2018-05-03 15:13:42 +02:00
Lennart Poettering
836f5c940c
Merge pull request #8892 from poettering/binfmt-misc-rst
binfmt_misc url fixes
2018-05-03 13:07:56 +02:00
Yu Watanabe
1e4acc77b0 man: add explanations of show-timesync and timesync-status commands 2018-05-03 18:07:58 +09:00
Yu Watanabe
6129ec852e timedatectl: add timesync-status and show-timesync commands
Closes #1589.
2018-05-03 18:07:43 +09:00
Yu Watanabe
66086a4030 timesync: save and expose NTP responce on bus 2018-05-03 18:05:14 +09:00
Yu Watanabe
c583dd564c timesync: try to reload DBus configuration when RequestName() fails
If dbus.service starts earlier than the dynamic user systemd-timesync
is realized, then the dbus policy file for timesyncd does not loaded
and timesyncd fails to request name.
To support such case, try to reload dbus configuration when requesting
name fails.
2018-05-03 18:05:14 +09:00
Yu Watanabe
e7dd394767 timesync: expose manager properties on bus 2018-05-03 18:05:14 +09:00
Lennart Poettering
ec2b24f079 test: list more up-to-date urls in test-web-util
This is based on @jsynacek's patch from #8837, but adds the new URL in
two flavours instead of replacing the old, also making @keszybz happy.

Replaces: #8837
2018-05-03 10:55:16 +02:00
Yu Watanabe
c513bb6ea4 resolvectl: simplify map_{link,global}_domains() 2018-05-03 17:10:15 +09:00
Yu Watanabe
5bc53feeac resolve: update comments to mention resolvectl 2018-05-03 17:10:15 +09:00
Yu Watanabe
446c641516 resolvectl: show current DNS server
`systemd-resolved` rotate the DNS servers. So, it may by useful to
show the current DNS server for diagnosing `systemd-resolved`.
2018-05-03 17:10:15 +09:00
Yu Watanabe
58f48a568a resolvectl: simplify map_{link,global}_dns_servers() 2018-05-03 17:10:15 +09:00
Yu Watanabe
b7ac92cd43 resolve: expose CurrentDNSServer= property on Bus 2018-05-03 17:10:15 +09:00
Yu Watanabe
022fa82a8b oss-fuzz: add the reproducer case by oss-fuzz #8064 2018-05-03 16:57:29 +09:00
Yu Watanabe
50fb3437cd test: add tests for signal_from_string() 2018-05-03 16:52:55 +09:00
Yu Watanabe
29a3db75fd util: rename signal_from_string_try_harder() to signal_from_string()
Also this makes the new `signal_from_string()` function reject
e.g, `SIG3` or `SIG+5`.
2018-05-03 16:52:49 +09:00
Yu Watanabe
08d3fdc37e util: make signal_from_string() accept RTMIN, RTMAX, and RTMAX-n
Before this, `signal_from_string()` accepts simple signal name
or RTMIN+n. This makes the function also accept RTMIN, RTMAX,
and RTMAX-n.
Note that RTMIN+0 is equivalent to RTMIN, and RTMAX-0 is to RTMAX.

This also fixes the integer overflow reported by oss-fuzz #8064.
https://oss-fuzz.com/v2/testcase-detail/5648573352902656
2018-05-03 16:51:41 +09:00
Lennart Poettering
f0b5686443 man: refer to the html version of binfmt-misc.rst
Yes, the kernel's file is called "binfmt-misc.rst", but let's link the
HTML version, after all HTML is much more appropriate for hyperlinking.
2018-05-02 22:03:24 +02:00
Susant Sahani
b296797f1c networkd: use ipv6_accept_ra_use_dns rather than dhcp_use_dns (#8836)
While Saving the DNS server use [IPv6AcceptRA] UseDNS= that is
ipv6_accept_ra_use_dns.

Closes #8420
2018-05-02 20:16:10 +02:00
Lennart Poettering
3e7aa2edcd
test-functions: don't nest KVM (#8883)
Nested KVM is very flaky as we learnt from our CI. Hence, let's avoid
KVM whenever we detect we are already running inside of KVM.

Maybe one day nested KVM is fixed, at which point we can turn this on
again, but for now let's simply avoid nested KVM, since reliable CI is
more important than quick CI, I guess.

And yes, avoiding KVM for our qemu runs does make things substantially
slower, but I think it's not a complete loss.

Inspired by @evverx' findings in:

https://github.com/systemd/systemd/pull/8701#issuecomment-380213302
2018-05-02 20:06:13 +02:00
Lennart Poettering
5eb5f35267 man: suffix all dir paths in file-hierarchy(7) with "/"
Our CODING_STYLE document suggests to suffix all paths referring to dirs
rather than regular files with a "/" in our docs and log messages.
Update file-hierarchy(7) to do just that.

No other changes.
2018-05-02 17:00:30 +02:00
Lennart Poettering
1dc7ca9912 man: document /efi in file-hiearchy(7)
We have been supporting the directory since a while in the gpt
generator, let's document it in file-hierarchy(7) too
2018-05-02 16:56:19 +02:00
Lennart Poettering
03f2b38e0c man: document the XDG specs as further sources of specifications for file-hierarchy(7)
We document this further down in the text, but let's also list this
early on, where we mention the FHS as major influence too, so that it is
clear we incorporate all that thinking.
2018-05-02 16:54:32 +02:00
Yu Watanabe
fb702dd7dd udev: do not mark ari_enabled true when its sysattr value is 0 (#8870)
Fixes #8869.
2018-05-02 16:21:30 +02:00
Lennart Poettering
c1c80f6c37
Merge pull request #8866 from yuwata/fix-8842
core: disable namespace sandboxing for '+' prefixed lines
2018-05-02 16:15:26 +02:00
Lennart Poettering
094fbe25bc
Merge pull request #8867 from yuwata/update-readme
doc: Update README
2018-05-02 14:32:00 +02:00
Yu Watanabe
76283e5fd4 set: drop unused set_make() function (#8879)
The function causes compiler error when built with '-Ddebug=hashmap',
and is not used anymore. Let's drop it.
2018-05-02 10:54:52 +02:00
Lennart Poettering
9fc0345551
Merge pull request #8815 from poettering/get-unit-by-cgroup
add new GetUnitByControlGroup API
2018-05-02 10:51:48 +02:00
Yu Watanabe
b0903bb585 meson: drop 'name' argument in cc.has_argument() (#8878) 2018-05-02 10:05:51 +02:00
Adam Duskett
773c84349d add __nr_statx defines for extra architectures (#8872)
This includes:
 - arm
 - arm64
 - alpha
 - powerpc64
 - sparc

Taken from kernel 4.16.6
2018-05-02 10:04:50 +02:00
Yu Watanabe
1e4f1671c2 nspawn: fix warning by -Wnonnull (#8877) 2018-05-02 10:03:31 +02:00