mirror of https://github.com/systemd/systemd.git synced 2024-10-31 16:21:26 +03:00
Commit Graph

32319 Commits

Author SHA1 Message Date
Lennart Poettering
9b3c189786 bpf-program: optionally take fd of program to detach
This is useful for BPF_F_ALLOW_MULTI programs, where the kernel requires
us to specify the fd.
2018-02-21 16:43:36 +01:00
Lennart Poettering
2ae7ee58fa bpf: beef up bpf detection, check if BPF_F_ALLOW_MULTI is supported
This improves the BPF/cgroup detection logic, and looks whether
BPF_ALLOW_MULTI is supported. This flag allows execution of multiple
BPF filters in a recursive fashion for a whole cgroup tree. It enables
us to properly report IP accounting for slice units, as well as
delegation of BPF support to units without breaking our own IP
accounting.
2018-02-21 16:43:36 +01:00
Lennart Poettering
8b15fca85b bpf: add new bpf.h header copy from 4.15 kernel 2018-02-21 16:43:36 +01:00
Yu Watanabe
9323298657 test: fix test for TemporaryFileSystem= (#8241)
This makes test-execute work on SELinux enabled systems.

Fixes the issue reported at
https://github.com/systemd/systemd/pull/7908#discussion_r169583540
2018-02-21 16:43:35 +01:00
Zbigniew Jędrzejewski-Szmek
5187dd2c40 missing_syscall: when adding syscall replacements, use different names (#8229)
In meson.build we check that functions are available using:
    meson.get_compiler('c').has_function('foo')
which checks the following:
- if __stub_foo or __stub___foo are defined, return false
- if foo is declared (a pointer to the function can be taken), return true
- otherwise check for __builtin_memfd_create

_stub is documented by glibc as
   It defines a symbol '__stub_FUNCTION' for each function
   in the C library which is a stub, meaning it will fail
   every time called, usually setting errno to ENOSYS.

So if __stub is defined, we know we don't want to use the glibc version, but
this doesn't tell us if the name itself is defined or not. If it _is_ defined,
and we define our replacement as an inline static function, we get an error:

In file included from ../src/basic/missing.h:1358:0,
                 from ../src/basic/util.h:47,
                 from ../src/basic/calendarspec.h:29,
                 from ../src/basic/calendarspec.c:34:
../src/basic/missing_syscall.h:65:19: error: static declaration of 'memfd_create' follows non-static declaration
 static inline int memfd_create(const char *name, unsigned int flags) {
                   ^~~~~~~~~~~~
.../usr/include/bits/mman-shared.h:46:5: note: previous declaration of 'memfd_create' was here
 int memfd_create (const char *__name, unsigned int __flags) __THROW;
     ^~~~~~~~~~~~

To avoid this problem, call our inline functions different than glibc,
and use a #define to map the official name to our replacement.

Fixes #8099.

v2:
- use "missing_" as the prefix instead of "_"

v3:
- rebase and update for statx()

  Unfortunately "statx" is also present in "struct statx", so the define
  causes issues. Work around this by using a typedef.

I checked that systemd compiles with current glibc
(glibc-devel-2.26-24.fc27.x86_64) if HAVE_MEMFD_CREATE, HAVE_GETTID,
HAVE_PIVOT_ROOT, HAVE_SETNS, HAVE_RENAMEAT2, HAVE_KCMP, HAVE_KEYCTL,
HAVE_COPY_FILE_RANGE, HAVE_BPF, HAVE_STATX are forced to 0.

Setting HAVE_NAME_TO_HANDLE_AT to 0 causes an issue, but it's not because of
the define, but because of struct file_handle.
2018-02-21 14:04:50 +01:00
Evgeny Vereshchagin
7b13a721f5
Merge pull request #8235 from keszybz/skip-nobody-test
Skip tests for nobody if necessary
2018-02-21 12:19:02 +03:00
Zbigniew Jędrzejewski-Szmek
7559b2da10 test-user-util: skip most tests for nobody if synthesization is off
When synthesization is turned off, there's just too many ways those tests can
go wrong. We are not interested in verifying that the db on disk is correct,
let's just skip all checks.

In the first version of this patch, I recorded if we detected a mismatch during
configuration and only skipped tests in that case, but actually it is possible
to change the host configuration between our configuration phase and running
of the tests. It's just more robust to skip always. (This is particularly true
if tests are installed.)
2018-02-21 09:57:35 +01:00
Alan Jenkins
59e00b2a16
Merge pull request #7908 from yuwata/rfe-7895
core: add TemporaryFileSystem= setting and 'tmpfs' option to ProtectHome=
2018-02-21 08:57:11 +00:00
Evgeny Vereshchagin
24a01950a3 tests: stop using nobody in test-udev.pl (#8239)
`nobody` is a special user, whose credentials should be extracted with
`get_user_creds`. `getpwnam` called in `test-udev.pl` is a bit different,
which causes the test to fail with the following error:
```
device '/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/block/sda' expecting node/link 'node'
  expected permissions are: nobody::0600
  created permissions are : 65534:0:0600
permissions: error
add:         ok
remove:      ok
```
The ideal fix would probably be to implement `get_user_creds` in Perl, but in this
PR the issue is simply got around by using `daemon` instead of `nobody`.

Closes https://github.com/systemd/systemd/issues/8196.
2018-02-21 08:34:42 +01:00
Yu Watanabe
24743efe2d doc: update TRANSIENT-SETTINGS.md 2018-02-21 09:18:22 +09:00
Yu Watanabe
784ad252ea core: add DBus API for TemporaryFileSystem= 2018-02-21 09:18:20 +09:00
Yu Watanabe
e4da7d8c79 core: add new option 'tmpfs' to ProtectHome=
This makes the ProtectHome= setting accept 'tmpfs'. This is mostly
equivalent to `TemporaryFileSystem=/home /run/user /root`.
2018-02-21 09:18:17 +09:00
Yu Watanabe
4cac89bd7c test: add tests for TemporaryFileSystem= 2018-02-21 09:18:14 +09:00
Yu Watanabe
c10b460b5a man: add documents for TemporaryFileSystem= 2018-02-21 09:18:11 +09:00
Yu Watanabe
2abd4e388a core: add new setting TemporaryFileSystem=
This introduces a new setting TemporaryFileSystem=. This is useful
to hide files not relevant to the processes invoked by unit, while
necessary files or directories can be still accessed by combining
with Bind{,ReadOnly}Paths=.
2018-02-21 09:17:52 +09:00
Yu Watanabe
4ca763a902 core/namespace: make '-' prefix in Bind{,ReadOnly}Paths= work
Each path in `Bind{ReadOnly}Paths=` accepts a '-' prefix. However,
the prefix is completely ignored.
This makes it work as expected.
2018-02-21 09:07:56 +09:00
Yu Watanabe
72d967df3e nspawn: remove unnecessary mount option parsing logic 2018-02-21 09:06:55 +09:00
Yu Watanabe
6ef8df2ba8 mount-util: call mount_option_mangle() in mount_verbose() 2018-02-21 09:06:53 +09:00
Yu Watanabe
f27b437b4c test: add tests for mount_option_mangle() 2018-02-21 09:06:51 +09:00
Yu Watanabe
9e7f941acb mount-util: add mount_option_mangle()
This is used in the later commits.
2018-02-21 09:06:47 +09:00
Yu Watanabe
4ff4c98a39 core: simplify DBus API for BindPaths= 2018-02-21 09:06:32 +09:00
Yu Watanabe
280921f29e core: fix DBus API for AppArmorProfile= and SmackProcessLabel= 2018-02-21 09:05:40 +09:00
Yu Watanabe
8e06d57ccb core/execute: clear bind_mounts 2018-02-21 09:05:37 +09:00
Yu Watanabe
a635a7aec6 core/execute: simplify compile_bind_mounts()
It is not necessary to re-assign error code.
2018-02-21 09:05:35 +09:00
Yu Watanabe
30ffb010ff nspawn: fix indentation 2018-02-21 09:05:33 +09:00
Yu Watanabe
f5c52a7724 core/namespace: remove unused argument 2018-02-21 09:05:30 +09:00
Yu Watanabe
e282f51f57 core/namespace: use free_and_replace() 2018-02-21 09:05:21 +09:00
Yu Watanabe
55fe743273 core/namespace: fix comment 2018-02-21 09:05:18 +09:00
Yu Watanabe
89bd586cd3 core/namespace: merge PRIVATE_VAR_TMP into PRIVATE_TMP 2018-02-21 09:05:16 +09:00
Yu Watanabe
2a2969fd5d core/namespace: make arguments const if possible 2018-02-21 09:05:14 +09:00
Zbigniew Jędrzejewski-Szmek
e79d0b59c8 journalctl: improve hint about lack of access for --user-unit=...
When running journalctl --user-unit=foo as an unprivileged user we could get
the usual hint:
Hint: You are currently not seeing messages from the system and other users.
      Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
      ...
But with --user-unit our filter is:
(((_UID=0 OR _UID=1000) AND OBJECT_SYSTEMD_USER_UNIT=foo.service) OR
 ((_UID=0 OR _UID=1000) AND COREDUMP_USER_UNIT=foo.service) OR
 (_UID=1000 AND USER_UNIT=foo.service) OR
 (_UID=1000 AND _SYSTEMD_USER_UNIT=foo.service))
so we would never see messages from other users.

We could still see messages from the system. In fact, on my machine the
only messages with OBJECT_SYSTEMD_USER_UNIT= are from the system:
journalctl  $(journalctl -F OBJECT_SYSTEMD_USER_UNIT|sed 's/.*/OBJECT_SYSTEMD_USER_UNIT=\0/')

Thus, a more correct hint is that we cannot see messages from the system.
Make it so.

Fixes #7887.
2018-02-20 22:36:01 +01:00
Zbigniew Jędrzejewski-Szmek
52c6e6a8a0 test-user-util: print function delimiters
This makes it easier to see what is going on. Crashes may happen in a
nested test_{uid,gid}_to_name_one() function, and the default backtrace
doesn't show the actual string being tested.
2018-02-20 22:10:45 +01:00
Zbigniew Jędrzejewski-Szmek
2e10cc5649
Merge pull request #8222 from poettering/journal-by-inode
make sure we detect journal rotation even on inotify q overrun
2018-02-20 21:36:25 +01:00
Zbigniew Jędrzejewski-Szmek
8f7cbe730a TODO: drop one item
C.f. 7cb609115c.
2018-02-20 17:25:05 +01:00
Lennart Poettering
4c2e1b399f xattr-util: use crtime/btime if statx() is available for implementation of fd_setcrtime() and friends
The Linux kernel exposes the birth time now for files through statx()
hence make use of it where available. We keep the xattr logic in place
for this however, since only a subset of file systems on Linux currently
expose the birth time. NFS and tmpfs for example do not support it. OTOH
there are other file systems that do support the birth time but might
not support xattrs (smb…), hence make the best of the two, in particular
in order to deal with journal files copied between file system types and
to maintain compatibility with older file systems that are updated to
newer version of the file system.
2018-02-20 15:41:49 +01:00
Lennart Poettering
1133dea477 xattr-util: support AT_EMPTY_PATH in fgetxattrat_fake()
Let's expose fstatat() like behaviour if AT_EMPTY_PATH is defined.

Also, check the specified flags returning EINVAL on the flags we don't
emulate.
2018-02-20 15:39:31 +01:00
Lennart Poettering
8fc58f1ad3 journal-file: fix typo in log message 2018-02-20 15:39:31 +01:00
Lennart Poettering
7f7210c210 io-util: add an unlikely decorator for a test that should never hold 2018-02-20 15:39:31 +01:00
Lennart Poettering
8ac2f74fb6 tree-wide: make use of fsync_directory_of_file() all over the place
Let's make use this at various places we call fsync(), to make things
fully reliable, as the kernel devs suggest to first fsync() files and
then fsync() the directories they are located in.
2018-02-20 15:39:31 +01:00
Lennart Poettering
11b29a96e9 fs-util: move fsync_directory_of_file() into generic code
This function used by the journal code is pretty useful generically,
let's move it to fs-util.c to make it useful for other code too.
2018-02-20 15:39:31 +01:00
Lennart Poettering
3cc4411403 stat-util: unify code that checks whether something is a regular file
Let's add a common implementation for regular file checks, that are
careful to return the right error code (EISDIR/EISLNK/EBADFD) when we
are encountering a wrong file node.
2018-02-20 15:39:31 +01:00
Lennart Poettering
9c66f52813 sd-journal: when picking up a new file, compare inode/device info with previous open file by same name
Let's make sure we aren't confused if a journal file is replaced by a
different one (for example due to rotation) if we are in a q overflow:
let's compare the inode/device information, and if it changed replace
any open file object as needed.

Fixes: #8198
2018-02-20 15:39:31 +01:00
Lennart Poettering
fc1813c0fe sd-journal: rename add_file() → add_file_by_name()
Let's be more careful with the naming, and indicate that the function
is about *named* journal files, and will validate the name as needed.
(in opposition to add_any_file() which doesn't care about names)
2018-02-20 15:39:30 +01:00
Lennart Poettering
817b1c5b1e journal-file: add O_NONBLOCK for paranoia when opening journal files 2018-02-20 15:39:21 +01:00
Lennart Poettering
8d6a4d33e1 journal-file: refuse opening non-regular journal files
Let's check the file node type when we open/stat journal files: refuse
anything that is not a regular file...
2018-02-20 12:53:10 +01:00
Lennart Poettering
00f5ad93b5 core: change KeyringMode= to "shared" by default for non-service units in the system manager (#8172)
Before this change all unit types would default to "private" in the
system service manager and "inherit" in the user service manager.

With this change this is slightly altered: non-service units of the
system service manager are now run with KeyringMode=shared. This appears
to be the more appropriate choice as isolation is not as desirable for
mount tools, which regularly consume key material. After all mounts are
a shared resource themselves as they appear system-wide hence it makes a
lot of sense to share their key material too.

Fixes: #8159
2018-02-20 08:53:34 +01:00
Peter Hutterer
6f58ff2325 hwdb: add axis override for Dell Inspiron MM061 touchpad (#8226)
https://bugzilla.redhat.com/show_bug.cgi?id=1545389
2018-02-20 16:27:48 +09:00
Alexis Jeandet
12873b6c80 meson: Multi-lines string should use ''' with meson (#8225)
This breaks with latest version of meson:
https://hephaistos.lpp.polytechnique.fr/teamcity/viewLog.html?buildId=11653&buildTypeId=mesonbuild_SystemdNightly&tab=buildLog&state=1059#_state=1059&guest=true
2018-02-20 10:36:41 +09:00
Yu Watanabe
2e536e6d1a
Merge pull request #8223 from jwrdegoede/hwdb-keyboard-touchpad-toggle
hwdb: 60-keyboard add mapping for the touchpad-toggle hotkey on 2 laptops
2018-02-20 10:34:53 +09:00
Daniel Mouritzen
cd44919cc4 hwdb: Logitech M305 Wireless Optical Mouse dpi data (#8217)
Closes #8208
2018-02-20 10:33:10 +09:00