1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
Commit Graph

42256 Commits

Author SHA1 Message Date
Lennart Poettering
e41e9ba8bf machinectl: spawn ask password agent on "start"
We start units in the background, hence it is wise to also have the
ask pasword agent around.

Fixes: #13587
2019-11-15 11:12:34 +01:00
Lennart Poettering
c59e2ec696 ask-password-agent: introduce ask_password_agent_open_if_enabled()
This makes the ask-password agent handling more alike the polkit agent
handling again, and introduces ask_password_agent_open_if_enabled() that
works just like the already existing polkit_agent_open_if_enabled().
2019-11-15 11:11:52 +01:00
Lennart Poettering
385d581b74 polkit-agent: don't use an inline function
This is long enough to just be a regular function, and is never called
in inner loops, let's hence just make this a plain function.
2019-11-15 11:11:14 +01:00
Torsten Hilbrich
7be830c6e8 nspawn: Allow Capability= to overrule private network setting
The commit:

a3fc6b55ac nspawn: mask out CAP_NET_ADMIN again if settings file turns off private networking

turned off the CAP_NET_ADMIN capability whenever no private networking
feature was enabled. This broke configurations where the CAP_NET_ADMIN
capability was explicitly requested in the configuration.

Changing the order of evalution here to allow the Capability= setting
to overrule this implicit setting:

Order of evaluation:

1. if no private network setting is enabled, CAP_NET_ADMIN is removed
2. if a private network setting is enabled, CAP_NET_ADMIN is added
3. the settings of Capability= are added
4. the settings of DropCapability= are removed

This allows the fix for #11755 to be retained and to still allow the
admin to specify CAP_NET_ADMIN as additional capability.

Fixes: a3fc6b55ac
Fixes: #13995
2019-11-15 10:13:51 +01:00
Kevin Kuehler
82dce83b19 systemd-analyze: Add ProtectKernelLogs to security 2019-11-15 00:59:54 -08:00
Kevin Kuehler
6168ae5840 units: set ProtectKernelLogs=yes on relevant units
We set ProtectKernelLogs=yes on all long running services except for
udevd, since it accesses /dev/kmsg, and journald, since it calls syslog
and accesses /dev/kmsg.
2019-11-15 00:59:54 -08:00
Kevin Kuehler
806aea3879 test-namespace: Add test for ProtectKernelLogs= 2019-11-15 00:59:51 -08:00
Zbigniew Jędrzejewski-Szmek
7edd8fb198 core: do not propagate polkit error to caller
If we fail to start polkit, we get a message like
"org.freedesktop.DBus.Error.NameHasNoOwner: Could not activate remote peer.",
which has no meaning for the caller of our StartUnit method. Let's just
return -EACCES.

$ systemctl start apache
Failed to start apache.service: Could not activate remote peer. (before)
Failed to start apache.service: Access denied                   (after)

Fixes #13865.
2019-11-15 08:17:01 +01:00
Lennart Poettering
4df8fe8415 seccomp: more comprehensive protection against libseccomp's __NR_xyz namespace invasion
A follow-up for 59b657296a, adding the
same conditioning for all cases of our __NR_xyz use.

Fixes: #14031
2019-11-15 08:13:36 +01:00
Tommy J
48daf51026 PrefixDelegationHint-section: typo 2019-11-15 07:57:32 +01:00
Kevin Kuehler
d916e35b9f man: Add description for ProtectKernelLogs= 2019-11-14 13:31:06 -08:00
Kevin Kuehler
97d05f3b70 test/test-seccomp: add test_protect_syslog 2019-11-14 13:31:03 -08:00
Kevin Kuehler
94a7b2759d core: ProtectKernelLogs= mask kmsg in proc and sys
Block access to /dev/kmsg and /proc/kmsg when ProtectKernelLogs is set.
2019-11-14 12:58:43 -08:00
Zbigniew Jędrzejewski-Szmek
9161113652 logind: drop unused user_tasks_max field
We would only write to the field, and take the address. All *readers* were
removed in 2841493927. (The explanation for why
the field wasn't removed back then is that the patch underwent a few iterations,
with the initial version adding translation back and forth. Later versions of
the patch simply emit a warning and ignore the old value. Apparently nobody
noticed that the value became unused.)
2019-11-14 18:41:54 +01:00
Zbigniew Jędrzejewski-Szmek
0877d4e0cf core: write cgroup limits as permilles
We allow expressing configuration as a fraction with granularity of 0.001, but
when writing out the unit file, we'd round that up to 0.01.

Longer term, I think it'd be nicer to simply use floats and do away with
arbitrary restrictions on precision.
2019-11-14 18:41:54 +01:00
Zbigniew Jędrzejewski-Szmek
e617e2ccd7 core/dbus-cgroup: use %.*s instead of strndupa() 2019-11-14 18:41:54 +01:00
Zbigniew Jędrzejewski-Szmek
1454ab403e core/dbus-cgroup: drop unnecessary parens
'mask' is a macro parameter, so it cannot have commas. We don't need to
parenthesize.
2019-11-14 18:41:54 +01:00
Zbigniew Jędrzejewski-Szmek
3a0f06c41a core: make TasksMax a partially dynamic property
TasksMax= and DefaultTasksMax= can be specified as percentages. We don't
actually document of what the percentage is relative to, but the implementation
uses the smallest of /proc/sys/kernel/pid_max, /proc/sys/kernel/threads-max,
and /sys/fs/cgroup/pids.max (when present). When the value is a percentage,
we immediately convert it to an absolute value. If the limit later changes
(which can happen e.g. when systemd-sysctl runs), the absolute value becomes
outdated.

So let's store either the percentage or absolute value, whatever was specified,
and only convert to an absolute value when the value is used. For example, when
starting a unit, the absolute value will be calculated when the cgroup for
the unit is created.

Fixes #13419.
2019-11-14 18:41:54 +01:00
Zbigniew Jędrzejewski-Szmek
67f5b9e06e
Merge pull request #14003 from keszybz/user-path-configurable
meson: make user $PATH configurable
2019-11-14 10:08:40 +01:00
Lennart Poettering
e013e10d0e ask-password: don't hit assert() when we query pw which the user C-d and caching is enabled 2019-11-14 10:04:11 +01:00
Dimitri John Ledkov
07d5ed536e boot: Add ARM64 support to the EFI stub 2019-11-14 10:03:08 +01:00
Zbigniew Jędrzejewski-Szmek
a079077340
Merge pull request #14013 from keszybz/cryptsetup-keyfile-with-colons
Support cryptsetup keyfiles with colons agains
2019-11-14 10:02:20 +01:00
Dimitri John Ledkov
53a2045521 boot: Load LoadOptions cmdline, if none is available.
Fixes #13694
2019-11-14 10:01:20 +01:00
Filipe Brandenburger
14e0259b49 test: Disable LUKS devices from initramfs in QEMU tests
We currently use the host's kernel and initramfs in our QEMU tests.

If the host is running on an encrypted LUKS partition, then the initramfs
will have a crypttab setup looking for the particular root disk it needs to
encrypt before booting into the system.

However, this disk obviously doesn't exist in our QEMU VM, so it turns out
our tests end up waiting for this device to become available, which will
never actually happen, and boot hangs for 90s until that service times out.

[***   ] A start job is running for /dev/disk/by-uuid/01234567-abcd-1234-abcd-0123456789ab (20s / 1min 30s)

In order to prevent this issue, let's pass "rd.luks=0" to disable LUKS in
the initramfs only as part of our default kernel command-line in our QEMU
tests.

This is enough to disable this behavior and prevent the timeout, while at
the same time doesn't conflict with our tests that actually check for LUKS
behavior in the systemd running under test (such as TEST-02-CRYPTSETUP).

Tested: `sudo make -C TEST-02-CRYPTSETUP/ clean setup run`
2019-11-13 19:55:18 -08:00
Riccardo Schirone
2f2b28ab35 Be more specific in resolved.conf man page with regard to DNSOverTLS
DNSOverTLS in strict mode (value yes) does check the server, as it is said in
the first few lines of the option documentation. The check is not performed in
"opportunistic" mode, however, as that is allowed by RFC 7858, section "4.1.
Opportunistic Privacy Profile".

> With such a discovered DNS server, the client might or might not validate the
> resolver. These choices maximize availability and performance, but they leave
> the client vulnerable to on-path attacks that remove privacy.
2019-11-13 22:44:15 +01:00
Zbigniew Jędrzejewski-Szmek
5bc655cd20 meson: avoid ternary op in .format()
meson 0.49 can't parse that for some reason. I'm keeping this separate so it
can be reverted easily when we bump required meson version.
2019-11-13 22:34:33 +01:00
Zbigniew Jędrzejewski-Szmek
3602ca6f0c meson: make user $PATH configurable
This partially reverts db11487d10 (the logic to
calculate the correct value is removed, we always use the same setting as for
the system manager). Distributions have an easy mechanism to override this if
they wish.

I think making this configurable is better, because different distros clearly
want different defaults here, and making this configurable is nice and clean.
If we don't make it configurable, distros which either have to carry patches,
or what would be worse, rely on some other configuration mechanism, like
/etc/profile. Those other solutions do not apply everywhere (they usually
require the shell to be used at some point), so it is better if we provide
a nice way to override the default.

Fixes  #13469.
2019-11-13 22:34:14 +01:00
HATAYAMA Daisuke
fc9de36a3b verify: fix segmentation fault
systemd-analyze verify command now results in segmentation fault if two
consecutive non-existent unit file names are given:

    # ./build/systemd-analyze a.service b.service
    ...<snip irrelevant part>...
    Unit a.service not found.
    Unit b.service not found.
    Segmentation fault (core dumped)

The cause of this is a wrong handling of return value of
manager_load_startable_unit_or_warn() in verify_units() in failure case.

It looks that the current logic wants to assign the first error status
throughout verify_units() into variable r and count up variable count only when
a given unit file exists.

However, due to the wrong handling of the return value of
manager_load_startable_unit_or_warn() in verify_units(), the variable count is
unexpectedly incremented even when there is no such unit file because the
variable r already contains non-zero value in the 2nd failure, set by the 1st
failure, and then the condition k < 0 && r == 0 evaluates to false.

This commit fixes the wrong handling of return value of
manager_load_startable_unit_or_warn() in verify_units().
2019-11-13 22:20:01 +01:00
Zbigniew Jędrzejewski-Szmek
1f6597a84c man: mention $RUNTIME_DIRECTORY & friends in environment list 2019-11-13 22:05:11 +01:00
Zbigniew Jędrzejewski-Szmek
ed4ad48897 Allow overriding /etc/fstab with $SYSTEMD_FSTAB 2019-11-13 22:04:51 +01:00
Zbigniew Jędrzejewski-Szmek
32c6237a7c cryptsetup-generator: guess whether the keyfile argument is two items or one
Fixes #13615.

See the inline comment for documentation.
2019-11-13 22:04:45 +01:00
Zbigniew Jędrzejewski-Szmek
3f5ac3038e cryptsetup-generator: allow overriding /run/systemd/cryptsetup with $RUNTIME_DIRECTORY
I added a fairly vague entry to docs/ENVIRONMENT because I think it is worth
mentioning there (in case someone is looking for any environment variable that
might be relevant).
2019-11-13 22:04:38 +01:00
Lennart Poettering
a53c38f1a2
Merge pull request #14017 from poettering/analyze-calendar-tweaks
Add --base-time= for systemd-analyze calendar
2019-11-13 20:20:10 +01:00
Zbigniew Jędrzejewski-Szmek
a6c57e74c5 cryptsetup-generator: allow overriding crypttab path with $SYSTEMD_CRYPTAB 2019-11-13 17:55:51 +01:00
Lennart Poettering
a650e19820
Merge pull request #14010 from poettering/localtime-symlink
tweaks to /etc/localtime management
2019-11-13 16:38:41 +01:00
Lennart Poettering
c214e210c9
Merge pull request #13994 from keszybz/bpf-refactor
Refactor the bpf devices code and fix some bugs
2019-11-13 16:36:39 +01:00
Lennart Poettering
4f23a1847a
Merge pull request #13868 from keszybz/run-exit-code
run: propagate return code/status from the child
2019-11-13 16:36:11 +01:00
Lennart Poettering
d816a5fcea analyze: drop spurious newline 2019-11-13 12:58:15 +01:00
Lennart Poettering
f3e361c1dd update TODO 2019-11-13 12:58:12 +01:00
Lennart Poettering
92e6a99d1c man: document --base-time= for systemd-analyze 2019-11-13 12:57:58 +01:00
Lennart Poettering
985c18802d analyze: add --base-time= to specify base time for 'calendar' verb 2019-11-13 12:57:17 +01:00
Lennart Poettering
437f48a471 tree-wide: fix how we set $TZ
According to tzset(3) we need to prefix timezone names with ":". Let's
do so hence, to avoid any ambiguities and follow documented behaviour.
2019-11-13 12:30:22 +01:00
Zbigniew Jędrzejewski-Szmek
d5fc5b2f8d nspawn: do not emit any warning when $UNIFIED_CGROUP_HIERARCHY is used
Initially I thought this is a good idea, but when reviewing a different PR
(https://github.com/systemd/systemd/pull/13862#discussion_r340604313) I changed
my mind about this. At some point we probably should start warning about the
old option name, and yet later remove it. But it'll make it easier for people
to transition to the new option name if there's a period of support for both
names without any fuss. There's nothing particularly wrong about the old name,
and there is no support cost.

Fixes #13919 (by avoiding the issue completely).
2019-11-13 12:21:18 +01:00
Lennart Poettering
60c20e242c update TODO 2019-11-13 09:42:58 +00:00
Lennart Poettering
5322db0651 timedated: it might be that tzinfo files are just not installed 2019-11-13 10:39:14 +01:00
Lennart Poettering
9193af0f05 timedated: handle UTC specially, when generating /etc/localtime 2019-11-13 10:39:14 +01:00
Lennart Poettering
bc9ecd484f time-util: treat /etc/localtime missing as UTC 2019-11-13 10:39:14 +01:00
Zbigniew Jędrzejewski-Szmek
7b631898ef
Merge pull request #13961 from mwilck/udev-no-exit-timeout
udevd: wait for workers to finish when exiting
2019-11-13 08:56:49 +01:00
Anita Zhang
cee33a7ab3
Merge pull request #14001 from keszybz/test-unit-name-more
Test unit name more
2019-11-12 10:59:55 -08:00
Zbigniew Jędrzejewski-Szmek
d1be9a4380
Merge pull request #13984 from yuwata/udev-fix-13976
udev: fix issue #13976
2019-11-12 19:05:24 +01:00