1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-29 21:55:36 +03:00
Commit Graph

27219 Commits

Author SHA1 Message Date
Jorge Niedbalski
531ac2b234 If the notification message length is 0, ignore the message (#4237)
Fixes #4234.

Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>
2016-09-29 05:26:16 -04:00
Zbigniew Jędrzejewski-Szmek
73a99163a7 coredump,catalog: give better notice when a core file is truncated
coredump had code to check if copy_bytes() hit the max_bytes limit,
and refuse further processing in that case.
But in 84ee096044, the return convention for copy_bytes() was changed
from -EFBIG to 1 for the case when the limit is hit, so the condition
check in coredump couldn't ever trigger.
But it seems that *do* want to process such truncated cores [1].
So change the code to detect truncation properly, but instead of
returning an error, give a nice log entry.

[1] https://github.com/systemd/systemd/issues/3883#issuecomment-239106337

Should fix (or at least alleviate) #3883.
2016-09-28 23:50:29 +02:00
Zbigniew Jędrzejewski-Szmek
6e9ef6038f coredump: log if the core is too large to store or generate backtrace
Another fix for #4161.
2016-09-28 23:49:01 +02:00
Zbigniew Jędrzejewski-Szmek
bb7c5bad4a coredumpctl: delay the "on tty" refusal until as late as possible
For the user, if the core file is missing or inaccessible, it is
more interesting that the fact that they forgot to pipe to a file.
So delay the failure from the check until after we have verified
that the file or the COREDUMP field are present.

Partially fixes #4161.

Also, error reporting on failure was duplicated. save_core() now
always prints an error message (because it knows the paths involved,
so can the most useful message), and the callers don't have to.
2016-09-28 23:49:01 +02:00
Zbigniew Jędrzejewski-Szmek
062b99e8be coredumpctl: tighten print_field() code
Propagate errors properly, so that if we hit oom or an error in the
journal, the whole command will fail. This is important when using
the output in scripts.

Support the output of multiple values for the same field with -F.
The journal supports that, and our official commands should too, as
far as it makes sense. -F can be used to print user-defined fields
(e.g. somebody could use a TAG field with multiple occurences), so
we should support that too. That seems better than silently printing
the last value found as was done before.

We would iterate trying to match the same field with all possible
field names. Once we find something, cut the loop short, since we
know that nothing else can match.
2016-09-28 23:49:01 +02:00
Zbigniew Jędrzejewski-Szmek
04de587942 coredumpctl: rework presence reporting
The column for "present" was easy to miss, especially if somebody had no
coredumps present at all, in which case the column of spaces of width one
wasn't visually distinguished from the neighbouring columns. Replace this
with an explicit text, one of: "missing", "journal", "present", "error".

$ coredumpctl
TIME                            PID   UID   GID SIG COREFILE EXE
Mon 2016-09-26 22:46:31 CEST   8623     0     0  11 missing  /usr/bin/bash
Mon 2016-09-26 22:46:35 CEST   8639  1001  1001  11 missing  /usr/bin/bash
Tue 2016-09-27 01:10:46 CEST  16110  1001  1001  11 journal  /usr/bin/bash
Tue 2016-09-27 01:13:20 CEST  16290  1001  1001  11 journal  /usr/bin/bash
Tue 2016-09-27 01:33:48 CEST  17867  1001  1001  11 present  /usr/bin/bash
Tue 2016-09-27 01:37:55 CEST  18549     0     0  11 error    /usr/bin/bash

Also, use access(…, R_OK), so that we can report a present but inaccessible
file different than a missing one.
2016-09-28 23:49:01 +02:00
Zbigniew Jędrzejewski-Szmek
47f5064207 coredumpctl: report corefile presence properly
In 'list', show present also for coredumps stored in the journal.

In 'status', replace "File" with "Storage" line that is always present.
Possible values:
   Storage: none
   Storage: journal
   Storage: /path/to/file (inacessible)
   Storage: /path/to/file

Previously the File field be only present if the file was accessible, so users
had to manually extract the file name precisely in the cases where it was
needed, i.e. when coredumpctl couldn't access the file. It's much more friendly
to always show something. This output is designed for human consumption, so
it's better to be a bit verbose.

The call to sd_j_set_data_threshold is moved, so that status is always printed
with the default of 64k, list uses 4k, and coredump retrieval is done with the
limit unset. This should make checking for the presence of the COREDUMP field
not too costly.
2016-09-28 23:49:01 +02:00
Zbigniew Jędrzejewski-Szmek
554ed50f90 coredumpctl: report user unit properly 2016-09-28 23:49:01 +02:00
Zbigniew Jędrzejewski-Szmek
cfeead6c77 coredumpctl: fix spurious "more than one entry matches" warning
sd_journal_previous() returns 0 if it didn't do any move, so the
warning was stupidly always printed.
2016-09-28 23:49:01 +02:00
Zbigniew Jędrzejewski-Szmek
954d3a51af coredumpctl: fix handling of files written to fd
Added in 9fe13294a9 (by me :[```), and later obfuscated in d0c8806d4a, if an
uncompressed external file or an internally stored coredump was supposed to be
written to a file descriptor, nothing would be written.
2016-09-28 23:49:01 +02:00
Zbigniew Jędrzejewski-Szmek
fc6cec8613 coredump: remove Storage=both option
Back when external storage was initially added in 34c10968cb, this mode of
storage was added. This could have made some sense back when XZ compression was
used, and an uncompressed core on disk could be used as short-lived cache file
which does require costly decompression. But now fast LZ4 compression is used
(by default) both internally and externally, so we have duplicated storage,
using the same compression and same default maximum core size in both cases,
but with different expiration lifetimes. Even the uncompressed-external,
compressed-internal mode is not very useful: for small files, decompression
with LZ4 is fast enough not to matter, and for large files, decompression is
still relatively fast, but the disk-usage penalty is very big.

An additional problem with the two modes of storage is that it complicates
the code and makes it much harder to return a useful error message to the user
if we cannot find the core file, since if we cannot find the file we have to
check the internal storage first.

This patch drops "both" storage mode. Effectively this means that if somebody
configured coredump this way, they will get a warning about an unsupported
value for Storage, and the default of "external" will be used.
I'm pretty sure that this mode is very rarely used anyway.
2016-09-28 23:49:01 +02:00
Alfie John
831d3dc8d7 man: remove duplicate "the" for systemctl --plain (#4230) 2016-09-28 11:10:26 +02:00
Vito Caputo
95cbb83c20 journal: add stdout_stream_scan() comment (#4102)
When s->length is zero this function doesn't do anything, note that in a
comment.
2016-09-28 07:35:48 +02:00
Evgeny Vereshchagin
cc238590e4 Merge pull request #4185 from endocode/djalal-sandbox-first-protection-v1
core:sandbox: Add new ProtectKernelTunables=, ProtectControlGroups=, ProtectSystem=strict and fixes
2016-09-28 04:50:30 +03:00
Martin Pitt
b8fafaf4a1 Merge pull request #4220 from keszybz/show-and-formatting-fixes
Show and formatting fixes
2016-09-27 16:25:27 +02:00
Susant Sahani
629abfc23f basic: fix for IPv6 status (#4224)
Even if
```
   cat /proc/sys/net/ipv6/conf/all/disable_ipv6
1
```

is disabled

cat /proc/net/sockstat6

```
TCP6: inuse 2
UDP6: inuse 1
UDPLITE6: inuse 0
RAW6: inuse 0
FRAG6: inuse 0 memory 0
 ```

Looking for /proc/net/if_inet6 is the right choice.
2016-09-27 15:55:13 +02:00
Djalal Harouni
cdfbd1fb26 test: make sure that {readonly|inaccessible|readwrite}paths disconnect mount propagation
Better safe.
2016-09-27 09:24:46 +02:00
Djalal Harouni
f78b36f016 test: add tests for simple ReadOnlyPaths= case 2016-09-27 09:24:43 +02:00
Zbigniew Jędrzejewski-Szmek
9aa8fa701b test-bus-creds: are more debugging info
This test sometimes fails in semaphore, but not when run interactively,
so it's hard to debug.
2016-09-26 22:22:28 +02:00
Keith Busch
b4c6f71b82 udev/path_id: introduce support for NVMe devices (#4169)
This appends the nvme name and namespace identifier attribute the the
PCI path for by-path links. Symlinks like the following are now present:

lrwxrwxrwx. 1 root root 13 Sep 16 12:12 pci-0000:01:00.0-nvme-1 -> ../../nvme0n1
lrwxrwxrwx. 1 root root 15 Sep 16 12:12 pci-0000:01:00.0-nvme-1-part1 -> ../../nvme0n1p1

Cc: Michal Sekletar <sekletar.m@gmail.com>
Signed-off-by: Keith Busch <keith.busch@intel.com>
2016-09-26 21:01:07 +02:00
Paweł Szewczyk
00bb64ecfa core: Fix USB functionfs activation and clarify its documentation (#4188)
There was no certainty about how the path in service file should look
like for usb functionfs activation. Because of this it was treated
differently in different places, which made this feature unusable.

This patch fixes the path to be the *mount directory* of functionfs, not
ep0 file path and clarifies in the documentation that ListenUSBFunction should be
the location of functionfs mount point, not ep0 file itself.
2016-09-26 18:45:47 +02:00
Zbigniew Jędrzejewski-Szmek
bc3bb330b8 machinectl: prefer user@ to --uid=user for shell (#4006)
It seems to me that the explicit positional argument should have higher
priority than "an option".
2016-09-26 11:45:31 -04:00
HATAYAMA Daisuke
eeb084806b journald,ratelimit: fix wrong calculation of burst_modulate() (#4218)
This patch fixes wrong calculation of burst_modulate(), which now calculates
the values smaller than really expected ones if available disk space is
strictly more than 1MB.

In particular, if available disk space is strictly more than 1MB and strictly
less than 16MB, the resulted value becomes smaller than its original one.

>>> (math.log2(1*1024**2)-16) / 4
1.0
>>> (math.log2(16*1024**2)-16) / 4
2.0
>>> (math.log2(256*1024**2)-16) / 4
3.0
→ This matches the comment in the function.
2016-09-26 11:36:20 -04:00
Matej Habrnal
a5ca3649d3 coredump: initialize coredump_size in submit_coredump() (#4219)
If ulimit is smaller than page_size(), function save_external_coredump()
returns -EBADSLT and this causes skipping whole core dumping part in
submit_coredump(). Initializing coredump_size to UINT64_MAX prevents
evaluating a condition with uninitialized varialbe which leads to
calling allocate_journal_field() with coredump_fd = -1 which causes
aborting.

Signed-off-by: Matej Habrnal <mhabrnal@redhat.com>
2016-09-26 11:28:58 -04:00
Torstein Husebø
d23a0044a3 treewide: fix typos (#4217) 2016-09-26 11:32:47 +02:00
Djalal Harouni
615a1f4b26 test: add CAP_MKNOD tests for PrivateDevices= 2016-09-25 13:04:30 +02:00
Djalal Harouni
8f81a5f61b core: Use @raw-io syscall group to filter I/O syscalls when PrivateDevices= is set
Instead of having a local syscall list, use the @raw-io group which
contains the same set of syscalls to filter.
2016-09-25 12:52:27 +02:00
Djalal Harouni
b6c432ca7e core:namespace: simplify ProtectHome= implementation
As with previous patch simplify ProtectHome and don't care about
duplicates, they will be sorted by most restrictive mode and cleaned.
2016-09-25 12:41:16 +02:00
Djalal Harouni
f471b2afa1 core: simplify ProtectSystem= implementation
ProtectSystem= with all its different modes and other options like
PrivateDevices= + ProtectKernelTunables= + ProtectHome= are orthogonal,
however currently it's a bit hard to parse that from the implementation
view. Simplify it by giving each mode its own table with all paths and
references to other Protect options.

With this change some entries are duplicated, but we do not care since
duplicate mounts are first sorted by the most restrictive mode then
cleaned.
2016-09-25 12:21:25 +02:00
Djalal Harouni
49accde7bd core:sandbox: add more /proc/* entries to ProtectKernelTunables=
Make ALSA entries, latency interface, mtrr, apm/acpi, suspend interface,
filesystems configuration and IRQ tuning readonly.

Most of these interfaces now days should be in /sys but they are still
available through /proc, so just protect them. This patch does not touch
/proc/net/...
2016-09-25 11:30:11 +02:00
Djalal Harouni
9221aec8d0 doc: explicitly document that /dev/mem and /dev/port are blocked by PrivateDevices=true 2016-09-25 11:25:44 +02:00
Djalal Harouni
e778185bb5 doc: documentation fixes for ReadWritePaths= and ProtectKernelTunables=
Documentation fixes for ReadWritePaths= and ProtectKernelTunables=
as reported by Evgeny Vereshchagin.
2016-09-25 11:25:31 +02:00
Djalal Harouni
2652c6c103 core:namespace: simplify mount calculation
Move out mount calculation on its own function. Actually the logic is
smart enough to later drop nop and duplicates mounts, this change
improves code readability.
---
 src/core/namespace.c | 47 ++++++++++++++++++++++++++++++++++++-----------
 1 file changed, 36 insertions(+), 11 deletions(-)
2016-09-25 11:25:00 +02:00
Djalal Harouni
11a30cec2a core:namespace: put paths protected by ProtectKernelTunables= in
Instead of having all these paths everywhere, put the ones that are
protected by ProtectKernelTunables= into their own table. This way it
is easy to add paths and track which ones are protected.
2016-09-25 11:16:44 +02:00
Djalal Harouni
9c94d52e09 core:namespace: minor improvements to append_mounts() 2016-09-25 11:03:21 +02:00
Lennart Poettering
cefc33aee2 execute: move SMACK setup code into its own function
While we are at it, move PAM code #ifdeffery into setup_pam() to simplify the
main execution logic a bit.
2016-09-25 10:52:57 +02:00
Lennart Poettering
cd2902c954 namespace: drop all mounts outside of the new root directory
There's no point in mounting these, if they are outside of the root directory
we'll move to.
2016-09-25 10:52:57 +02:00
Lennart Poettering
54500613a4 main: minor simplification 2016-09-25 10:52:57 +02:00
Lennart Poettering
0439746492 Update TODO 2016-09-25 10:52:57 +02:00
Lennart Poettering
ba128bb809 execute: filter low-level I/O syscalls if PrivateDevices= is set
If device access is restricted via PrivateDevices=, let's also block the
various low-level I/O syscalls at the same time, so that we know that the
minimal set of devices in our virtualized /dev are really everything the unit
can access.
2016-09-25 10:52:57 +02:00
Lennart Poettering
1ecdba149b NEWS: update news about systemd-udevd.service 2016-09-25 10:52:57 +02:00
Lennart Poettering
0c28d51ac8 units: further lock down our long-running services
Let's make this an excercise in dogfooding: let's turn on more security
features for all our long-running services.

Specifically:

- Turn on RestrictRealtime=yes for all of them

- Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of
  them

- Turn on RestrictAddressFamilies= for all of them, but different sets of
  address families for each

Also, always order settings in the unit files, that the various sandboxing
features are close together.

Add a couple of missing, older settings for a numbre of unit files.

Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively
turning of networking from udev rule commands. Since this might break stuff
(that is already broken I'd argue) this is documented in NEWS.
2016-09-25 10:52:57 +02:00
Lennart Poettering
f6eb19a474 units: permit importd to mount stuff
Fixes #3996
2016-09-25 10:52:57 +02:00
Lennart Poettering
6757c06a1a man: shorten the exit status table a bit
Let's merge a couple of columns, to make the table a bit shorter. This
effectively just drops whitespace, not contents, but makes the currently
humungous table much much more compact.
2016-09-25 10:52:57 +02:00
Lennart Poettering
81c8aceed4 man: the exit code/signal is stored in $EXIT_CODE, not $EXIT_STATUS 2016-09-25 10:52:57 +02:00
Lennart Poettering
effbd6d2ea man: rework documentation for ReadOnlyPaths= and related settings
This reworks the documentation for ReadOnlyPaths=, ReadWritePaths=,
InaccessiblePaths=. It no longer claims that we'd follow symlinks relative to
the host file system. (Which wasn't true actually, as we didn't follow symlinks
at all in the most recent releases, and we know do follow them, but relative to
RootDirectory=).

This also replaces all references to the fact that all fs namespacing options
can be undone with enough privileges and disable propagation by a single one in
the documentation of ReadOnlyPaths= and friends, and then directs the read to
this in all other places.

Moreover a hint is added to the documentation of SystemCallFilter=, suggesting
usage of ~@mount in case any of the fs namespacing related options are used.
2016-09-25 10:42:18 +02:00
Lennart Poettering
b2656f1b1c man: in user-facing documentaiton don't reference C function names
Let's drop the reference to the cap_from_name() function in the documentation
for the capabilities setting, as it is hardly helpful. Our readers are not
necessarily C hackers knowing the semantics of cap_from_name(). Moreover, the
strings we accept are just the plain capability names as listed in
capabilities(7) hence there's really no point in confusing the user with
anything else.
2016-09-25 10:42:18 +02:00
Lennart Poettering
8f1ad200f0 namespace: don't make the root directory of a namespace a mount if it already is one
Let's not stack mounts needlessly.
2016-09-25 10:42:18 +02:00
Lennart Poettering
d944dc9553 namespace: chase symlinks for mounts to set up in userspace
This adds logic to chase symlinks for all mount points that shall be created in
a namespace environment in userspace, instead of leaving this to the kernel.
This has the advantage that we can correctly handle absolute symlinks that
shall be taken relative to a specific root directory. Moreover, we can properly
handle mounts created on symlinked files or directories as we can merge their
mounts as necessary.

(This also drops the "done" flag in the namespace logic, which was never
actually working, but was supposed to permit a partial rollback of the
namespace logic, which however is only mildly useful as it wasn't clear in
which case it would or would not be able to roll back.)

Fixes: #3867
2016-09-25 10:42:18 +02:00
Lennart Poettering
1e4e94c881 namespace: invoke unshare() only after checking all parameters
Let's create the new namespace only after we validated and processed all
parameters, right before we start with actually mounting things.

This way, the window where we can roll back is larger (not that it matters
IRL...)
2016-09-25 10:42:18 +02:00