1
0
mirror of https://github.com/systemd/systemd.git synced 2024-11-01 00:51:24 +03:00
Commit Graph

473 Commits

Author SHA1 Message Date
Lennart Poettering
82446c66cc
Merge pull request #18399 from keszybz/man-proofreading
Various man page cleanups
2021-01-29 20:04:07 +01:00
Zbigniew Jędrzejewski-Szmek
1d3a473b4a man: use ellipses for ranges in range descriptions
… and in few other places ;)
2021-01-29 17:02:23 +01:00
Topi Miettinen
ddc155b2fd New directives NoExecPaths= ExecPaths=
Implement directives `NoExecPaths=` and `ExecPaths=` to control `MS_NOEXEC`
mount flag for the file system tree. This can be used to implement file system
W^X policies, and for example with allow-listing mode (NoExecPaths=/) a
compromised service would not be able to execute a shell, if that was not
explicitly allowed.

Example:
[Service]
NoExecPaths=/
ExecPaths=/usr/bin/daemon /usr/lib64 /usr/lib

Closes: #17942.
2021-01-29 12:40:52 +00:00
Zbigniew Jędrzejewski-Szmek
75909cc7e4 man: various typos and other small issues
Fixes #18397.
2021-01-29 08:42:39 +01:00
Lennart Poettering
09872a6e1a man: document how get logging to work in a RootDirectory=/RootImage= environment
Fixes: #18051
2021-01-20 22:39:33 +01:00
Yu Watanabe
4c6dd238b8
Merge pull request #18267 from lucaswerkmeister/truncate
Two StandardOutput=truncate:file improvements
2021-01-19 08:47:39 +09:00
Lucas Werkmeister
e372584067 man: document effects of concurrent truncation
Co-authored-by: Lennart Poettering <lennart@poettering.net>
2021-01-18 21:59:19 +01:00
Luca Boccassi
5e8deb94c6 core: add DBUS method to bind mount new nodes without service restart
Allow to setup new bind mounts for a service at runtime (via either
DBUS or a new 'systemctl bind' verb) with a new helper that forks into
the unit's mount namespace.
Add a new integration test to cover this.

Useful for zero-downtime addition to services that are running inside
mount namespaces, especially when using RootImage/RootDirectory.

If a service runs with a read-only root, a tmpfs is added on /run
to ensure we can create the airlock directory for incoming mounts
under /run/host/incoming.
2021-01-18 17:24:05 +00:00
Luca Boccassi
94293d65cd MountAPIVFS: always mount a tmpfs on /run
We need a writable /run for most operations, but in case a read-only
RootImage (or similar) is used, by default there's no additional
tmpfs mount on /run. Change this behaviour and document it.
2021-01-18 17:24:05 +00:00
Lucas Werkmeister
d15b1a6c22 man: document that truncate:file happens per command line 2021-01-15 20:22:29 +01:00
Lucas Werkmeister
8d7dab1fda Add truncate: to StandardOutput= etc.
This adds the ability to specify truncate:PATH for StandardOutput= and
StandardError=, similar to the existing append:PATH. The code is mostly
copied from the related append: code. Fixes #8983.
2021-01-15 09:54:50 +01:00
Zbigniew Jędrzejewski-Szmek
32854f7044 systemctl: deprecate blanket import-environment
Importing the full environment is convenient, but it doesn't work too well in
practice, because we get a metric ton of shell-specific crap that should never
end up in the global environment block:

$ systemctl --user show-environment
...
SHELL=/bin/zsh
AUTOJUMP_ERROR_PATH=/home/zbyszek/.local/share/autojump/errors.log
AUTOJUMP_SOURCED=1
CONDA_SHLVL=0
CVS_RSH=ssh
DBUS_SESSION_BUS_ADDRESS=unix:path=/run/user/1000/bus
DESKTOP_SESSION=gnome
DISPLAY=:0
FPATH=/usr/share/Modules/init/zsh-functions:/usr/local/share/zsh/site-functions:/usr/share/zsh/site-functions:/usr/share/zsh/5.8/functions
GDMSESSION=gnome
GDM_LANG=en_US.UTF-8
GNOME_SETUP_DISPLAY=:1
GUESTFISH_INIT=$'\\e[1;34m'
GUESTFISH_OUTPUT=$'\\e[0m'
GUESTFISH_PS1=$'\\[\\e[1;32m\\]><fs>\\[\\e[0;31m\\] '
GUESTFISH_RESTORE=$'\\e[0m'
HISTCONTROL=ignoredups
HISTSIZE=1000
LOADEDMODULES=
OLDPWD=/home/zbyszek
PWD=/home/zbyszek
QTDIR=/usr/lib64/qt-3.3
QTINC=/usr/lib64/qt-3.3/include
QTLIB=/usr/lib64/qt-3.3/lib
QT_IM_MODULE=ibus
SDL_VIDEO_MINIMIZE_ON_FOCUS_LOSS=0
SESSION_MANAGER=local/unix:@/tmp/.ICE-unix/2612,unix/unix:/tmp/.ICE-unix/2612
SHLVL=0
STEAM_FRAME_FORCE_CLOSE=1
TERM=xterm-256color
USERNAME=zbyszek
WISECONFIGDIR=/usr/share/wise2/
...

Plenty of shell-specific and terminal-specific stuff that have no global
significance.

Let's start warning when this is used to push people towards importing only
specific variables.

Putative NEWS entry:
  * systemctl import-environment will now emit a warning when called without
    any arguments (i.e. to import the full environment block of the called
    program). This command will usually be invoked from a shell, which means
    that it'll inherit a bunch of variables which are specific to that shell,
    and usually to the tty the shell is connected to, and don't have any
    meaning in the global context of the system or user service manager.
    Instead, only specific variables should be imported into the manager
    environment block.

    Similarly, programs which update the manager environment block by directly
    calling the D-Bus API of the manager, should also push specific variables,
    and not the full inherited environment.
2021-01-08 20:01:40 +01:00
Zbigniew Jędrzejewski-Szmek
82651d5b6b man: improve description of environment block creation
This adds a general description of "philosphy" of keeping the environemnt
block small and hints about systemd-run -P env.

The list of generated variables is split out to a subsection. Viewing
the patch with ignoring whitespace changes is recommended.

We don't ignore invalid assignments (except in import-environment to some
extent), previous description was wrong.

For https://bugzilla.redhat.com/show_bug.cgi?id=1912046#c17.
2021-01-08 20:01:40 +01:00
Yu Watanabe
6b44ad0bf8 man: set constant tag to NUL or NULL 2020-11-12 17:10:36 +09:00
Yu Watanabe
725d9713a9 man: append parentheses for function name 2020-11-12 17:10:32 +09:00
Yu Watanabe
db9ecf0501 license: LGPL-2.1+ -> LGPL-2.1-or-later 2020-11-09 13:23:58 +09:00
Lennart Poettering
d3dcf4e3b9 fileio: beef up READ_FULL_FILE_CONNECT_SOCKET to allow setting sender socket name
This beefs up the READ_FULL_FILE_CONNECT_SOCKET logic of
read_full_file_full() a bit: when used a sender socket name may be
specified. If specified as NULL behaviour is as before: the client
socket name is picked by the kernel. But if specified as non-NULL the
client can pick a socket name to use when connecting. This is useful to
communicate a minimal amount of metainformation from client to server,
outside of the transport payload.

Specifically, these beefs up the service credential logic to pass an
abstract AF_UNIX socket name as client socket name when connecting via
READ_FULL_FILE_CONNECT_SOCKET, that includes the requesting unit name
and the eventual credential name. This allows servers implementing the
trivial credential socket logic to distinguish clients: via a simple
getpeername() it can be determined which unit is requesting a
credential, and which credential specifically.

Example: with this patch in place, in a unit file "waldo.service" a
configuration line like the following:

    LoadCredential=foo:/run/quux/creds.sock

will result in a connection to the AF_UNIX socket /run/quux/creds.sock,
originating from an abstract namespace AF_UNIX socket:

    @$RANDOM/unit/waldo.service/foo

(The $RANDOM is replaced by some randomized string. This is included in
the socket name order to avoid namespace squatting issues: the abstract
socket namespace is open to unprivileged users after all, and care needs
to be taken not to use guessable names)

The services listening on the /run/quux/creds.sock socket may thus
easily retrieve the name of the unit the credential is requested for
plus the credential name, via a simpler getpeername(), discarding the
random preifx and the /unit/ string.

This logic uses "/" as separator between the fields, since both unit
names and credential names appear in the file system, and thus are
designed to use "/" as outer separators. Given that it's a good safe
choice to use as separators here, too avoid any conflicts.

This is a minimal patch only: the new logic is used only for the unit
file credential logic. For other places where we use
READ_FULL_FILE_CONNECT_SOCKET it is probably a good idea to use this
scheme too, but this should be done carefully in later patches, since
the socket names become API that way, and we should determine the right
amount of info to pass over.
2020-11-03 09:48:04 +01:00
Yu Watanabe
377a9545e9 tree-wide: fix typos found by Fossies codespell report 2020-10-24 13:29:31 +02:00
Zbigniew Jędrzejewski-Szmek
0dc9fd56a5 man: document what variables are allowed 2020-10-23 15:49:03 +02:00
Lennart Poettering
85585b767d
Merge pull request #17238 from keszybz/man-tmp-noexec
Say that noexec should not be used for /tmp
2020-10-07 09:45:58 +02:00
Zbigniew Jędrzejewski-Szmek
3b1211574b man: use trailing slash on directories in more places 2020-10-05 18:44:05 +02:00
Lennart Poettering
6f5cf88009 man: fix typo systmed → systemd 2020-10-05 11:40:48 +02:00
Samanta Navarro
5e2b0e1cfa man: fix typos 2020-10-03 11:56:50 +00:00
Zbigniew Jędrzejewski-Szmek
21556381ff man: correct various links
As usual, linkchecker ftw!
2020-09-30 14:57:21 +02:00
Zbigniew Jędrzejewski-Szmek
885a4e6ca7 man: assorted small fixes
This is almost all of #17177.
2020-09-30 10:31:21 +02:00
Zbigniew Jędrzejewski-Szmek
0b4d17c9a5 man: link to fork(2) more prominently
For #17177.
2020-09-30 10:30:03 +02:00
Zbigniew Jędrzejewski-Szmek
211c99c761 man: do not index various /foobar/ paths
For #17177.
2020-09-30 10:30:03 +02:00
Lennart Poettering
329cde79c4 doc: document the new GPT partition type UUIDs 2020-09-19 21:20:16 +02:00
Topi Miettinen
9df2cdd8ec exec: SystemCallLog= directive
With new directive SystemCallLog= it's possible to list system calls to be
logged. This can be used for auditing or temporarily when constructing system
call filters.

---
v5: drop intermediary, update HASHMAP_FOREACH_KEY() use
v4: skip useless debug messages, actually parse directive
v3: don't declare unused variables with old libseccomp
v2: fix build without seccomp or old libseccomp
2020-09-15 12:54:17 +03:00
Topi Miettinen
005bfaf118 exec: Add kill action to system call filters
Define explicit action "kill" for SystemCallErrorNumber=.

In addition to errno code, allow specifying "kill" as action for
SystemCallFilter=.

---
v7: seccomp_parse_errno_or_action() returns -EINVAL if !HAVE_SECCOMP
v6: use streq_ptr(), let errno_to_name() handle bad values, kill processes,
 init syscall_errno
v5: actually use seccomp_errno_or_action_to_string(), don't fail bus unit
parsing without seccomp
v4: fix build without seccomp
v3: drop log action
v2: action -> number
2020-09-15 12:54:17 +03:00
Lennart Poettering
60bcb45927 man: rework UMask= explanation
Mention the JSON user record stuff. Mention pam_umask explicitly.
Mention that UMask= of the per-user user@.service instance can be used
too.

Fixes: #16963
2020-09-14 21:44:06 +02:00
Michal Sekletár
332d387f47 core: introduce support for setting NUMAMask= to special "all" value
Fixes #14113
2020-09-08 08:16:03 +02:00
Lennart Poettering
b2af819b22 analyze: add 'capability' verb for dumping all known and unknown caps 2020-08-28 18:52:48 +02:00
Lennart Poettering
3220cf394c man: document pid1's new credentials logic 2020-08-25 19:45:57 +02:00
Zbigniew Jędrzejewski-Szmek
9f56c88aeb
Merge pull request #16819 from keszybz/seccomp-enosys
Return ENOSYS in nspawn for "unknown" syscalls
2020-08-25 09:18:46 +02:00
Lennart Poettering
a54342b371 man: document ProtectProc= and ProcSubset= 2020-08-24 20:11:24 +02:00
Zbigniew Jędrzejewski-Szmek
95aac01259 shared: add @known syscall list 2020-08-24 20:04:17 +02:00
Luca Boccassi
427353f668 core: add mount options support for MountImages
Follow the same model established for RootImage and RootImageOptions,
and allow to either append a single list of options or tuples of
partition_number:options.
2020-08-20 14:45:40 +01:00
Luca Boccassi
9ece644435 core: change RootImageOptions to use names instead of partition numbers
Follow the designations from the Discoverable Partitions Specification
2020-08-20 13:58:02 +01:00
Lennart Poettering
a6991726f8 man: clarify that LogNamespace= is for system services only
Fixes: #16638
2020-08-06 18:24:11 +02:00
Luca Boccassi
b3d133148e core: new feature MountImages
Follows the same pattern and features as RootImage, but allows an
arbitrary mount point under / to be specified by the user, and
multiple values - like BindPaths.

Original implementation by @topimiettinen at:
https://github.com/systemd/systemd/pull/14451
Reworked to use dissect's logic instead of bare libmount() calls
and other review comments.
Thanks Topi for the initial work to come up with and implement
this useful feature.
2020-08-05 21:34:55 +01:00
Luca Boccassi
18d7370587 service: add new RootImageOptions feature
Allows to specify mount options for RootImage.
In case of multi-partition images, the partition number can be prefixed
followed by colon. Eg:

RootImageOptions=1:ro,dev 2:nosuid nodev

In absence of a partition number, 0 is assumed.
2020-07-29 17:17:32 +01:00
Lennart Poettering
6b222c4b02 man: fix link markup 2020-07-30 00:51:41 +09:00
Zbigniew Jędrzejewski-Szmek
8fa2cd83c6 Revert "man: add note about systemd-vconsole-setup.service and tty as input/output"
This reverts commit 0b57803630.

From https://github.com/systemd/systemd/pull/16503#issuecomment-660212813:
systemd-vconsole-setup (the binary) is supposed to run asynchronously by udev
therefore ordering early interactive services after systemd-vconsole-setup.service
has basically no effect.

Let's remove this paragraph. It's better to say nothing than to give pointless
advice.
2020-07-22 10:43:52 +02:00
Zbigniew Jędrzejewski-Szmek
cd990847b9 tree-wide: more repeated words 2020-07-07 12:08:22 +02:00
Zbigniew Jędrzejewski-Szmek
e9dd698407 tree-wide: fixes for assorted grammar and spelling issues
Fixes #16363. Also includes some changes where I generalized the pattern.
2020-07-06 11:29:05 +02:00
Zbigniew Jędrzejewski-Szmek
0986bb9b95
Merge pull request #16278 from keszybz/fix-man-links
Fix html links
2020-06-25 18:38:37 +02:00
Zbigniew Jędrzejewski-Szmek
b7a4734551 man: fix links to various external man pages
In cases where we used both die-net and man-pages for the same reference,
I switched to use man-pages everywhere.
2020-06-25 14:41:44 +02:00
Luca Boccassi
d4d55b0d13 core: add RootHashSignature service parameter
Allow to explicitly pass root hash signature as a unit option. Takes precedence
over implicit checks.
2020-06-25 08:45:21 +01:00
Lennart Poettering
6b000af4f2 tree-wide: avoid some loaded terms
https://tools.ietf.org/html/draft-knodel-terminology-02
https://lwn.net/Articles/823224/

This gets rid of most but not occasions of these loaded terms:

1. scsi_id and friends are something that is supposed to be removed from
   our tree (see #7594)

2. The test suite defines an API used by the ubuntu CI. We can remove
   this too later, but this needs to be done in sync with the ubuntu CI.

3. In some cases the terms are part of APIs we call or where we expose
   concepts the kernel names the way it names them. (In particular all
   remaining uses of the word "slave" in our codebase are like this,
   it's used by the POSIX PTY layer, by the network subsystem, the mount
   API and the block device subsystem). Getting rid of the term in these
   contexts would mean doing some major fixes of the kernel ABI first.

Regarding the replacements: when whitelist/blacklist is used as noun we
replace with with allow list/deny list, and when used as verb with
allow-list/deny-list.
2020-06-25 09:00:19 +02:00