mirror of https://github.com/systemd/systemd.git synced 2024-11-01 00:51:24 +03:00
Commit Graph

50526 Commits

Author SHA1 Message Date
Julia Kartseva
96734772a7 fuzz: add BPFProgram= to directives 2021-04-09 20:28:47 -07:00
Julia Kartseva
9e009a145d dbus-cgroup: add BPFProgram= dbus support
- Handle BPFProgram= property in string format
"<bpf_attach_type>:<bpffs_path>", e.g. egress:/sys/fs/bpf/egress-hook.
- Add dbus getter to list foreign bpf programs attached to a cgroup.
2021-04-09 20:28:47 -07:00
Julia Kartseva
ee08909059 man: add BPFProgram= documentation 2021-04-09 20:28:47 -07:00
Julia Kartseva
b57162aafb tests: add unit file tests for BPFProgram=
- Pin trivial bpf programs to bpf filesystem, compose BPFProgram= option
string and pass it to a unit. Programs store `0` in r0 BPF register for
denying action, e.g. drop a packet.
- Load trivial BPF programs
- Test is skipped if not run under root or if it cannot lock enough
memory.
- For egress and ingress hooks, test BPFProgram= option along with
IP{Egress|Ingress}FilterPath=, expected result should not depend on
which rule is executed first.
Expected results for BPF_CGROUP_INET_INGRESS:
5 packets transmitted, 0 received, 100% packet loss, time 89ms

For BPF_CGROUP_INET_SOCK_CREATE:
ping: socket: Operation not permitted
2021-04-09 20:28:47 -07:00
Julia Kartseva
0879da98dc core: add bpf-foreign to fragment parser
- Parse a string for bpf attach type
- Simplify bpffs path
- Add foreign bpf program to cgroup context
2021-04-09 20:28:47 -07:00
Julia Kartseva
506ea51b48 core: add bpf-foreign cgroup mask and harness
Add CGROUP_MASK_BPF_FOREIGN to CGROUP_MASK_BPF and standard cgroup
context harness.
2021-04-09 20:28:47 -07:00
Julia Kartseva
5f8ba20d7f core: add bpf-foreign unit helpers
- Introduce support of cgroup-bpf programs managed (i.e. compiled,
loaded to and unloaded from kernel) externally. Systemd is only
responsible for attaching programs to unit cgroup hence the name
'foreign'.

Foreign BPF programs are identified by bpf program ID and attach type.

systemd:
- Gets kernel FD of BPF program;
- Makes a unique identifier of BPF program from BPF attach type and
program ID. Same program IDs mean the same program, i.e. the same
chunk of kernel memory. Even if the same program is passed multiple
times, identical (program_id, attach_type) instances are collapsed
into one;
- Attaches programs to unit cgroup.
2021-04-09 20:28:47 -07:00
Julia Kartseva
b894ef1b71 cgroup: add foreign program to cgroup context
- Store foreign bpf programs in cgroup context. A program is considered
foreign if it was loaded to a kernel by an entity external to systemd,
so systemd is responsible only for attach and detach paths.
- Support the case of pinned bpf programs: pinning to bpffs so a program
is kept loaded to the kernel even when program fd is closed by a user
application is a common way to extend program's lifetime.
- Add linked list node struct with attach type and bpffs path
fields.
2021-04-09 20:28:47 -07:00
Julia Kartseva
9984f4933b shared: bpf_attach_type {from,to} string
Introduce bpf_cgroup_attach_type_table with accustomed attached type
names also used in bpftool.
Add bpf_cgroup_attach_type_{from|to}_string helpers to convert from|to
string representation of pinned bpf program, e.g.
"egress:/sys/fs/bpf/egress-hook" for
/sys/fs/bpf/egress-hook path and BPF_CGROUP_INET_EGRESS attach type.
2021-04-09 20:28:47 -07:00
Julia Kartseva
f23f0ead1f shared: add bpf-program helpers
Add helpers to:
- Create new BPFProgram instance from a path in bpf
filesystem and bpf attach type;
- Pin a program to bpf fs;
- Get BPF program ID by BPF program FD.
2021-04-09 20:28:47 -07:00
Julia Kartseva
a442ccb4eb bpf-firewall: attach with BPF_F_ALLOW_MULTI if kernel supports
Reduced version of [0].
Use BPF_F_ALLOW_MULTI attach flag for bpf-firewall if kernel supports
it.

Aside from addressing security issue in [0] attaching with 'multi'
allows further attaching of cgroup egress, ingress hooks specified by
BPFProgram=.

[0] 4e42210d40
2021-04-09 20:28:47 -07:00
Lennart Poettering
e2e40e9a9e sd-device: fix error code returned by sd_device_get_sysattr_value() for non-existing attributes
lstat() returns the error in errno, not as return value. Let's propagate
this correctly.

This broke the bolt test suite, as @gicmo discovered.

Follow-up for acfc2a1d15.
2021-04-09 19:41:43 +01:00
gaoyi
5b1375035b gpt-auto-generator: don't generate systemd-cryptsetup@.service when --Dlibcryptsetup=false 2021-04-09 17:18:09 +02:00
Zbigniew Jędrzejewski-Szmek
22344fcfb9
Merge pull request #19243 from bluca/lgtm
Fix various issues reported by LGTM
2021-04-09 13:12:41 +02:00
Aakash Singh
d6bf675f0b hwdb: 60-keyboard:: Update MSI Modern backslash and hotkeys
fix typos
2021-04-09 12:03:13 +02:00
Jérôme Carretero
aba9c92896
login: logind-dbus: support scheduled kexec (#19162)
login: logind-dbus: support delayed kexec
2021-04-09 10:55:58 +02:00
Zbigniew Jędrzejewski-Szmek
5c91fdf3f8 man: document system-systemd\x2dcryptsetup.slice
As discussed in
1dc85eff1d (r606821495),
follow-up for commit 1dc85eff1d.
2021-04-09 10:38:09 +02:00
Zbigniew Jędrzejewski-Szmek
276dc7af74 docs: use new URL for package-notes 2021-04-09 10:27:36 +02:00
simmon
d1e6dec669 po: Translated using Weblate (Korean)
Currently translated at 100.0% (189 of 189 strings)

Co-authored-by: simmon <simmon@nplob.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/master/ko/
Translation: systemd/main
2021-04-09 09:31:00 +02:00
Yu Watanabe
8cd37e4354 network: do not require DHCPv6 addresses when UseAddress=no
Follow-up for 1536b7b2d0.

Fixes #19196.
2021-04-09 08:15:34 +02:00
Zbigniew Jędrzejewski-Szmek
708b299203
Merge pull request #19254 from poettering/native-journal-proto-doc
document native journal protocol
2021-04-09 08:13:21 +02:00
Zbigniew Jędrzejewski-Szmek
33ea9e9c97
Merge pull request #19255 from poettering/glyph-love
some SpecialGlyph tweaks
2021-04-09 08:05:14 +02:00
Zbigniew Jędrzejewski-Szmek
8649ec4725
Merge pull request #19248 from keszybz/make-tests-test
Make tests test
2021-04-09 07:56:04 +02:00
Lennart Poettering
eeb6923d5a core: rework unit_active_state_to_glyph() to use a translation table
Let's make this a bit more readable by implementing this via a
translation table, indexed by the state.
2021-04-08 23:01:25 +02:00
Lennart Poettering
eff60d8cea locale-util: make SpecialGlyph more like our usual enums
Let's define both an enum and a typedef named SpecialGlyph, the way we
usually do it.

Also, introduce an "invalid" special glyph, assigned to -EINVAL, also
like we always do it. (And handle it somewhat sanely in special_glyph()
2021-04-08 23:00:43 +02:00
Lennart Poettering
8ee62e53e8 man: link up new journal protocol docs 2021-04-08 22:16:58 +02:00
Lennart Poettering
1a80f4e0d7 docs: document native journal protocol
Fixes: #17748
2021-04-08 22:16:58 +02:00
Zbigniew Jędrzejewski-Szmek
d0b3039837
Merge pull request #19226 from keszybz/reenable-maybe-unitialized-warning
meson: re-enable -Wmaybe-uninitialized
2021-04-08 20:29:05 +02:00
Zbigniew Jędrzejewski-Szmek
d8e4c59785
Merge pull request #19250 from keszybz/sd-bus-is-ready-simplification
Simplify how sd_bus_is_ready() is used
2021-04-08 20:26:30 +02:00
Zbigniew Jędrzejewski-Szmek
b1e1e5ac25 TEST-17: make the test test
'! grep -v' does *not* test that there are no matching lines.
Instead, it checks whether there are any non-matching lines.

And of course, for the test to fail, '! grep' cannot be part of
an expression with &&.
2021-04-08 20:21:50 +02:00
Zbigniew Jędrzejewski-Szmek
68bb821e21 TEST-46: simplify lossy diff invocation 2021-04-08 20:21:50 +02:00
Zbigniew Jędrzejewski-Szmek
b9bfa250f2 homectl,TEST-46: fix test and fix homectl return value, update docs
The usual: the test wasn't testing, so we didn't notice that the
command wasn't returning as expected.
2021-04-08 20:21:50 +02:00
Zbigniew Jędrzejewski-Szmek
f49467b959 TEST-44: fix test
We were grepping for 'hello world', and in the namespace we would
match on 'hello world', and outside, on 'echo "hello world"'. When
the condition check was fixed, the test gave a false positive.
2021-04-08 20:21:50 +02:00
Zbigniew Jędrzejewski-Szmek
d933ccd30b TEST-43: fix exit condition testing
We were invoking 'systemd-run bash', but the test invoked by bash
was not effective. When the result of that check is propagated, the
outer command fails.
2021-04-08 20:21:50 +02:00
Zbigniew Jędrzejewski-Szmek
0ee994836c TEST-*: use spacing before redirection operator, but not after
<< EOF → <<EOF
> foo < bar → >foo <bar
2021-04-08 20:21:50 +02:00
Zbigniew Jędrzejewski-Szmek
4e20fe2795 TEST-*: make failure tests actually fail on failure
Here the intent was actually correct, and the tests still pass when the check
is made effective.
2021-04-08 20:21:50 +02:00
Zbigniew Jędrzejewski-Szmek
61494724ee TEST-42-EXECSTOPPOST: un-invert test
Since we test for the file right below, it seems we expected the
command to succeed.
2021-04-08 20:21:50 +02:00
Zbigniew Jędrzejewski-Szmek
b88ba6c761 tmpfiles: make handling of existing-but-different targets more consistent
create_fifo() was added in a2fc2f8dd3, and
would always ignore failure. The test was trying to fail in this case, but
we actually don't fail, which seems to be correct. We didn't notice before
because the test was ineffective.

To make things consistent, generally log at warning level, but don't propagate
the error. For symlinks, log at debug level, as before.

For 'e', failure is not propagated now. The test is adjusted to match.

I think warning is appropriate in most cases: we do not expect a device node to
be replaced by a different device node or even a non-device file. This would
most likely be an error somewhere. An exception is made for symlinks, which are
mismatched on purpose, for example /etc/resolv.conf. With this patch, we don't
get any warnings with any of the 74 tmpfiles.d files, which suggests that
increasing the warning levels will not cause too many unexpected warnings. If
it turns out that there are valid cases where people have expected mismatches
for non-symlink types, we can always decrease the log levels again.
2021-04-08 20:16:37 +02:00
Luca Boccassi
9f519e491f tests: allow for os-release quote variability in TEST-50-DISSECT
Quoting of values differs between distros: Fedora doesn't quote the ID_
fields, but CentOS does.
Adjust the test checks to account for this.

Fixes #19242
2021-04-08 16:16:55 +02:00
Zbigniew Jędrzejewski-Szmek
5dbec9bd32 networkd: simplify sd_bus_is_ready() checks
Also add "system" in the messages, because we set the internal value,
and are just skipping the setting of the external value, so the message
could be confusing without that clarification.
2021-04-08 15:04:18 +02:00
Zbigniew Jędrzejewski-Szmek
3bbb76f621 sd-bus: make sd_bus_is_{ready,open} accept NULL
We didn't document this behaviour one way or another, so I think it's
OK to change. All callers do the NULL check before calling this to avoid
the assert warning, so it seems reasonable to do it internally.

sd_bus_can_send() is similar, but there we expressly say that an
error is returned on NULL, so I didn't change it.
2021-04-08 14:59:10 +02:00
Yu Watanabe
a73f8e9f32 network: do not emit changed properties when bus connection is not ready
Prompted by #19212.
2021-04-08 14:48:46 +02:00
Yu Watanabe
ecb4b08c2e test: move check of nat table existence
As test_v4() with iptables backend will be called after nftables tests.

Follow-up for afbcd90552.
2021-04-08 14:39:53 +02:00
Zbigniew Jędrzejewski-Szmek
2fe2941646
Merge pull request #19237 from yuwata/udev-builtin-net-id-follow-ups-for-19017
udev: fix several issues around hotplug slot detection
2021-04-08 14:37:02 +02:00
Luca Boccassi
a0cc411724 in-addr-util: suppress LGTM warning about htobe32
We are not calling it directly, it's coming from a standard library
macro, so just suppress it.
2021-04-08 13:08:38 +01:00
Luca Boccassi
82cdb75b8d errno-util: suppress LGTM warning about strerror 2021-04-08 13:08:38 +01:00
Luca Boccassi
a9a49d2fea scsi_id: modernize and use extract_many_words instead of strsep
Also use standard error logging/return pattern.

Only cursory tested, by checking that with a simple config file
the array is the same before/after. Not tested with actual scsi
rules and devices, due to missing hardware.
2021-04-08 13:07:31 +01:00
Luca Boccassi
b01339f74f test-extract-word: add a couple more corner cases 2021-04-08 13:07:31 +01:00
Luca Boccassi
dfc5c4f26d timedated: use format_timestamp instead of ctime
Some static analyzers (lgtm) warn against using non-re-entrant functions,
even though at the moment this code is not multi-threaded, just switch to
format_timestamp.
2021-04-08 13:07:31 +01:00
Zbigniew Jędrzejewski-Szmek
68c98a411d meson: re-enable -Wmaybe-uninitialized on -O[02] with recent gcc versions
The warning was disabled in 8794164fed to avoid
false positives. But it is useful in finding errors, even if it sometimes
results in untrue warnings (c.f. 77fac974fe, da46a1bc3c).

After #19168, #19169, and #19175, there are no warnings with
-Dbuildtype=debug-optimized/-O2 and gcc-11.0.1-0.3.fc34.x86_64. Warnings
are reenabled for -O[23]

-O0 is good for development, and -O2 is the default optimization level for
Fedora package builds. -Os, -O3, -O1, and -Og still generate some warnings. In
fact, with -Os the number of warnings seems completely hopeless. Dozens and
dozens.
2021-04-08 13:12:56 +02:00