1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
Commit Graph

27320 Commits

Author SHA1 Message Date
Lennart Poettering
a3be2849b2 seccomp: add new helper call seccomp_load_filter_set()
This allows us to unify most of the code in apply_protect_kernel_modules() and
apply_private_devices().
2016-10-24 17:32:50 +02:00
Lennart Poettering
60f547cf68 seccomp: two fixes for the syscall set tables
"oldumount()" is not a syscall, but simply a wrapper for it, the actual syscall
nr is called "umount" (and the nr of umount() is called umount2 internally).

"sysctl()" is not a syscall, but "_syscall()" is. Fix this in the table.

Without these changes libseccomp cannot actually translate the tables in full.
This wasn't noticed before as the code was written defensively for this case.
2016-10-24 17:32:50 +02:00
Lennart Poettering
8d7b0c8fd7 seccomp: add new seccomp_init_conservative() helper
This adds a new seccomp_init_conservative() helper call that is mostly just a
wrapper around seccomp_init(), but turns off NNP and adds in all secondary
archs, for best compatibility with everything else.

Pretty much all of our code used the very same constructs for these three
steps, hence unifying this in one small function makes things a lot shorter.

This also changes incorrect usage of the "scmp_filter_ctx" type at various
places. libseccomp defines it as typedef to "void*", i.e. it is a pointer type
(pretty poor choice already!) that casts implicitly to and from all other
pointer types (even poorer choice: you defined a confusing type now, and don't
even gain any bit of type safety through it...). A lot of the code assumed the
type would refer to a structure, and hence aded additional "*" here and there.
Remove that.
2016-10-24 17:32:50 +02:00
Lennart Poettering
25a8d8a0cb core: rework apply_protect_kernel_modules() to use seccomp_add_syscall_filter_set()
Let's simplify this call, by making use of the new infrastructure.

This is actually more in line with Djalal's original patch but instead of
search the filter set in the array by its name we can now use the set index and
jump directly to it.
2016-10-24 17:32:50 +02:00
Lennart Poettering
8130926d32 core: rework syscall filter set handling
A variety of fixes:

- rename the SystemCallFilterSet structure to SyscallFilterSet. So far the main
  instance of it (the syscall_filter_sets[] array) used to abbreviate
  "SystemCall" as "Syscall". Let's stick to one of the two syntaxes, and not
  mix and match too wildly. Let's pick the shorter name in this case, as it is
  sufficiently well established to not confuse hackers reading this.

- Export explicit indexes into the syscall_filter_sets[] array via an enum.
  This way, code that wants to make use of a specific filter set, can index it
  directly via the enum, instead of having to search for it. This makes
  apply_private_devices() in particular a lot simpler.

- Provide two new helper calls in seccomp-util.c: syscall_filter_set_find() to
  find a set by its name, seccomp_add_syscall_filter_set() to add a set to a
  seccomp object.

- Update SystemCallFilter= parser to use extract_first_word().  Let's work on
  deprecating FOREACH_WORD_QUOTED().

- Simplify apply_private_devices() using this functionality
2016-10-24 17:32:50 +02:00
Lennart Poettering
e0f3720e39 core: move misplaced comment to the right place 2016-10-24 17:29:51 +02:00
Lennart Poettering
f673b62df6 core: simplify skip_seccomp_unavailable() a bit
Let's prefer early-exit over deep-indented if blocks. Not behavioural change.
2016-10-24 17:29:51 +02:00
Lennart Poettering
ec2ebfd524 update-done: minor clean-ups
This is a follow-up for fb8b0869a7, and makes a
couple of minor clean-up changes:

- The field name in the timestamp file is changed from "TimestampNSec=" to
  "TIMESTAMP_NSEC=". This is done simply to reflect the fact that we parse the
  file with the env var file parser, and hence the contents should better
  follow the usual capitalization of env vars, i.e. be all uppercase.

- Needless negation of the errno parameter log_error_errno() and friends has
  been removed.

- Instead of manually calculating the nsec remainder of the timestamp, use
  timespec_store().

- We now check whether we were able to write the timestamp file in full with
  fflush_and_check() the way we usually do it.
2016-10-24 17:29:51 +02:00
Lennart Poettering
229ba9fd57 Merge pull request #4459 from keszybz/commandline-parsing
Commandline parsing simplification and udev fix
2016-10-24 17:20:37 +02:00
Djalal Harouni
9b3313d678 Merge pull request #4469 from endocode/djalal/groups-test
test: lets add more tests to cover SupplementaryGroups= cases.
2016-10-24 15:46:36 +02:00
Lennart Poettering
888067812c Merge pull request #4406 from jsynacek/jsynacek-is-enabled
shared, systemctl: teach is-enabled to show install targets
2016-10-24 14:19:18 +02:00
Patrik Flykt
6d7c761572 networkd-ndisc: Don't add NDisc route for local address (#4467)
When systemd-networkd is run on the same IPv6 enabled interface where
radvd is announcing prefixes, a route is being set up pointing to the
interface address. As this will fail with an invalid argument error,
the link is marked as failed and the following message like the
following will appear in in the logs:

systemd-networkd[21459]: eth1: Could not set NDisc route or address: Invalid argument
systemd-networkd[21459]: eth1: Failed

Should the interface be required by systemd-networkd-wait-online,
network-online.target will wait until its timeout hits thereby
significantly delaying system startup.

The fix is to check whether the gateway address obtained from NDisc
messages is equal to any of the interface addresses on the same link
and not set the NDisc route in that case.
2016-10-24 13:44:01 +02:00
Djalal Harouni
366ddd252e core: do not assert when sysconf(_SC_NGROUPS_MAX) fails (#4466)
Remove the assert and check the return code of sysconf(_SC_NGROUPS_MAX).

_SC_NGROUPS_MAX maps to NGROUPS_MAX which is defined in <limits.h> to
65536 these days. The value is a sysctl read-only
/proc/sys/kernel/ngroups_max and the kernel assumes that it is always
positive otherwise things may break. Follow this and support only
positive values for all other case return either -errno or -EOPNOTSUPP.

Now if there are systems that want to re-write NGROUPS_MAX then they
should not pass SupplementaryGroups= in units even if it is empty, in
this case nothing fails and we just ignore supplementary groups. However
if SupplementaryGroups= is passed even if it is empty we have to assume
that there will be groups manipulation from our side or the kernel and
since the kernel always assumes that NGROUPS_MAX is positive, then
follow that and support only positive values.
2016-10-24 13:13:06 +02:00
Djalal Harouni
50ca7a35a1 test: lets add more tests to cover SupplementaryGroups= cases. 2016-10-24 12:38:53 +02:00
Jan Synacek
3b3557c410 shared, systemctl: teach is-enabled to show installation targets
It may be desired by users to know what targets a particular service is
installed into. Improve user friendliness by teaching the is-enabled
command to show such information when used with --full.

This patch makes use of the newly added UnitFileFlags and adds
UNIT_FILE_DRY_RUN flag into it. Since the API had already been modified,
it's now easy to add the new dry-run feature for other commands as
well. As a next step, --dry-run could be added to systemctl, which in
turn might pave the way for a long requested dry-run feature when
running systemctl start.
2016-10-24 10:19:08 +02:00
Jan Synacek
b3796dd834 install: introduce UnitFileFlags
Introduce a new enum to get rid of some boolean arguments of unit_file_*
functions. It unifies the code, makes it a bit cleaner and extensible.
2016-10-24 10:19:08 +02:00
Zbigniew Jędrzejewski-Szmek
60f17f75d1 Merge pull request #4372 from evverx/fix-synced-cgroup-hierarchy-perms 2016-10-23 23:25:57 -04:00
Evgeny Vereshchagin
844da987ef tests/TEST-13-NSPAWN-SMOKE: remove an expected failure check
https://github.com/systemd/systemd/issues/4352 has been fixed
So, we don't need this workaround anymore
2016-10-23 23:23:43 -04:00
Evgeny Vereshchagin
6d66bd3b2a nspawn: become a new root early
036d523641

> vfs: Don't create inodes with a uid or gid unknown to the vfs
  It is expected that filesystems can not represent uids and gids from
  outside of their user namespace.  Keep things simple by not even
  trying to create filesystem nodes with non-sense uids and gids.

So, we actually should `reset_uid_gid` early to prevent https://github.com/systemd/systemd/pull/4223#issuecomment-252522955

$ sudo UNIFIED_CGROUP_HIERARCHY=no LD_LIBRARY_PATH=.libs .libs/systemd-nspawn -D /var/lib/machines/fedora-rawhide -U -b systemd.unit=multi-user.target

Spawning container fedora-rawhide on /var/lib/machines/fedora-rawhide.
Press ^] three times within 1s to kill container.
Child died too early.
Selected user namespace base 1073283072 and range 65536.
Failed to mount to /sys/fs/cgroup/systemd: No such file or directory

Details: https://github.com/systemd/systemd/pull/4223#issuecomment-253046519
Fixes: #4352
2016-10-23 23:23:42 -04:00
Evgeny Vereshchagin
63eae72312 nspawn: really lchown(uid/gid)
https://github.com/systemd/systemd/pull/4372#issuecomment-253723849:

* `mount_all (outer_child)` creates `container_dir/sys/fs/selinux`
* `mount_all (outer_child)` doesn't patch `container_dir/sys/fs` and so on.
* `mount_sysfs (inner_child)` tries to create `/sys/fs/cgroup`
* This fails

370   stat("/sys/fs", {st_dev=makedev(0, 28), st_ino=13880, st_mode=S_IFDIR|0755, st_nlink=3, st_uid=65534, st_gid=65534, st_blksize=4096, st_blocks=0, st_size=60, st_atime=2016/10/14-05:16:43.398665943, st_mtime=2016/10/14-05:16:43.399665943, st_ctime=2016/10/14-05:16:43.399665943}) = 0
370   mkdir("/sys/fs/cgroup", 0755)     = -1 EACCES (Permission denied)

* `mount_syfs (inner_child)` ignores that error and

mount(NULL, "/sys", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0

* `mount_cgroups` finally fails
2016-10-23 23:23:40 -04:00
Evgeny Vereshchagin
548bd57376 basic: fallback to the fstat if we don't have access to the /proc/self/fdinfo
https://github.com/systemd/systemd/pull/4372#discussion_r83354107:
I get `open("/proc/self/fdinfo/13", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)`

327   mkdir("/proc", 0755 <unfinished ...>
327   <... mkdir resumed> )             = -1 EEXIST (File exists)
327   stat("/proc",  <unfinished ...>
327   <... stat resumed> {st_dev=makedev(8, 1), st_ino=28585, st_mode=S_IFDIR|0755, st_nlink=2, st_uid=0, st_gid=0, st_blksize=1024, st_blocks=4, st_size=1024, st_atime=2016/10/14-02:55:32, st_mtime=2016/
327   mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL <unfinished ...>
327   <... mount resumed> )             = 0
327   lstat("/proc",  <unfinished ...>
327   <... lstat resumed> {st_dev=makedev(0, 34), st_ino=1, st_mode=S_IFDIR|0555, st_nlink=75, st_uid=65534, st_gid=65534, st_blksize=1024, st_blocks=0, st_size=0, st_atime=2016/10/14-03:13:35.971031263,
327   lstat("/proc/sys", {st_dev=makedev(0, 34), st_ino=4026531855, st_mode=S_IFDIR|0555, st_nlink=1, st_uid=65534, st_gid=65534, st_blksize=1024, st_blocks=0, st_size=0, st_atime=2016/10/14-03:13:39.1630
327   openat(AT_FDCWD, "/proc", O_RDONLY|O_DIRECTORY|O_CLOEXEC|O_PATH) = 11</proc>
327   name_to_handle_at(11</proc>, "sys", {handle_bytes=128}, 0x7ffe3a238604, AT_SYMLINK_FOLLOW) = -1 EOPNOTSUPP (Operation not supported)
327   name_to_handle_at(11</proc>, "", {handle_bytes=128}, 0x7ffe3a238608, AT_EMPTY_PATH) = -1 EOPNOTSUPP (Operation not supported)
327   openat(11</proc>, "sys", O_RDONLY|O_CLOEXEC|O_PATH) = 13</proc/sys>
327   open("/proc/self/fdinfo/13", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)
327   close(13</proc/sys> <unfinished ...>
327   <... close resumed> )             = 0
327   close(11</proc> <unfinished ...>
327   <... close resumed> )             = 0

-bash-4.3# ls -ld /proc/
dr-xr-xr-x 76 65534 65534 0 Oct 14 02:57 /proc/

-bash-4.3# ls -ld /proc/1
dr-xr-xr-x 9 root root 0 Oct 14 02:57 /proc/1

-bash-4.3# ls -ld /proc/1/fdinfo
dr-x------ 2 65534 65534 0 Oct 14 03:00 /proc/1/fdinfo
2016-10-23 23:15:46 -04:00
Zbigniew Jędrzejewski-Szmek
4e5a239fb8 Merge pull request #4373 from endocode/djalal/fix-mountflags 2016-10-23 18:54:20 -04:00
Djalal Harouni
8b6903ad4d core: lets move the setup of working directory before group enforce
This is minor but lets try to split and move bit by bit cgroups and
portable environment setup before applying the security context.
2016-10-23 23:27:20 +02:00
Djalal Harouni
bf9ace96fc test: add more tests for SupplementaryGroups= 2016-10-23 23:27:16 +02:00
Djalal Harouni
86b838eaa3 test: Add simple test for supplementary groups 2016-10-23 23:27:14 +02:00
Djalal Harouni
4d885bd326 core: first lookup and cache creds then apply them after namespace setup
This fixes: https://github.com/systemd/systemd/issues/4357

Let's lookup and cache creds then apply them. We also switch from
getgroups() to getgrouplist().
2016-10-23 23:24:14 +02:00
Zbigniew Jędrzejewski-Szmek
7d78f7cea8 Merge pull request #4428 from lnykryn/ctrl_v2
rename failure-action to emergency-action and use it for ctrl+alt+del burst
2016-10-22 23:16:11 -04:00
Zbigniew Jędrzejewski-Szmek
d7f69e16f1 tree-wide: make parse_proc_cmdline() strip "rd." prefix automatically
This stripping is contolled by a new boolean parameter. When the parameter
is true, it means that the caller does not care about the distinction between
initrd and real root, and wants to act on both rd-dot-prefixed and unprefixed
parameters in the initramfs, and only on the unprefixed parameters in real
root. If the parameter is false, behaviour is the same as before.

Changes by caller:
log.c (systemd.log_*):      changed to accept rd-dot-prefix params
pid1:                       no change, custom logic
cryptsetup-generator:       no change, still accepts rd-dot-prefix params
debug-generator:            no change, does not accept rd-dot-prefix params
fsck:                       changed to accept rd-dot-prefix params
fstab-generator:            no change, custom logic
gpt-auto-generator:         no change, custom logic
hibernate-resume-generator: no change, does not accept rd-dot-prefix params
journald:                   changed to accept rd-dot-prefix params
modules-load:               no change, still accepts rd-dot-prefix params
quote-check:                no change, does not accept rd-dot-prefix params
udevd:                      no change, still accepts rd-dot-prefix params

I added support for "rd." params in the three cases where I think it's
useful: logging, fsck options, journald forwarding options.
2016-10-22 16:08:55 -04:00
Zbigniew Jędrzejewski-Szmek
92e724670f udev: change kernel commandline option parsing
- do not crash if an option without value is specified on the kernel command
  line, e.g. "udev.log-priority" :P
- simplify the code a bit
- warn about unknown "udev.*" options — this should make it easier to spot
  typos and reduce user confusion
2016-10-22 14:42:12 -04:00
Zbigniew Jędrzejewski-Szmek
5707ecf300 journald: convert journald to use parse_proc_cmdline
This makes journald use the common option parsing functionality.
One behavioural change is implemented:
"systemd.journald.forward_to_syslog" is now equivalent to
"systemd.journald.forward_to_syslog=1".
I think it's nicer to use this way.
2016-10-22 14:38:10 -04:00
Zbigniew Jędrzejewski-Szmek
96287a4916 tree-wide: allow state to be passed through to parse_proc_cmdline_item
No functional change.
2016-10-22 14:24:52 -04:00
Daniel Mack
94fce754b1 Merge pull request #4455 from endocode/dongsu/l10n-catalog-korean
catalog: add more Korean translations
2016-10-22 20:01:02 +02:00
Dongsu Park
4cfa6da41f catalog: add more Korean translations
Add more Korean translations of journal and DNSSEC log messages.
2016-10-22 17:49:52 +02:00
Dongsu Park
a0282d9fa3 catalog: fix typo and make a clear sentence
Fix typo: s/ournald.conf/journald.conf/
Change also "시스템의 다음 위치에" to "시스템을 별도 위치에" to make
a clear sentence.
2016-10-22 17:29:33 +02:00
Thomas Hindoe Paaboel Andersen
b5331acc96 journal: remove unused variable 2016-10-22 16:00:11 +02:00
Michael Biebl
b51cb513ac Merge pull request #4452 from jwilk/spelling
NEWS: fix typos
2016-10-22 15:31:58 +02:00
Jakub Wilk
ce830873f0 NEWS: fix typos 2016-10-22 13:18:17 +02:00
Umut Tezduyar Lindskog
863a5610c7 journald: systemd.journald.max_level_* kernel command line options (#4427)
The log forward levels can be configured through kernel command line.
2016-10-21 19:40:55 -04:00
Djalal Harouni
e49e2c25f3 NEWS: option is ProtectKernelTunables not ProtectedKernelTunables (#4451) 2016-10-21 18:43:36 -04:00
Daniel Mack
5138a901b1 Merge pull request #4447 from poettering/oneshotassertfix
core: if the start command vanishes during runtime don't hit an assert
2016-10-21 16:22:15 +02:00
Lukas Nykryn
ae8c7939df core: use emergency_action for ctr+alt+del burst
Fixes #4306
2016-10-21 15:13:50 +02:00
Lukas Nykryn
87a47f99bc failure-action: generalize failure action to emergency action 2016-10-21 15:13:50 +02:00
Djalal Harouni
6fa441140e NEWS: update NEWS about ProtectKernelModules= option (#4445) 2016-10-21 13:25:23 +02:00
Lennart Poettering
e0972037fb Merge pull request #4419 from keszybz/install-specifiers
Fix expansion of %i, %u, %N, %n install specifiers
2016-10-21 13:24:09 +02:00
Peter Hutterer
9107a33777 hwdb: add MOUSE_WHEEL_CLICK_COUNT for non-integer click angles (#4440)
MOUSE_WHEEL_CLICK_ANGLE has been an integer, and at least libinput (probably
the only user) parses it as strict integer. For backwards compatibility, we
cannot change it to a decimal number now.

Add a new property to list the number of clicks for a full 360 degree
rotation, to be specified in addition to the old click angle property. Clients
can prefer the new one where available and calculate the decimal value to
whatever precision they want.
2016-10-21 12:31:32 +02:00
Evgeny Vereshchagin
0a12bb1eaa sysusers: fix memleak (#4443)
Fixes:
Oct 20 09:10:49 systemd-sysusers[144]: Direct leak of 20 byte(s) in 1 object(s) allocated from:
Oct 20 09:10:49 systemd-sysusers[144]:     #0 0x7f3565a13e60 in malloc (/lib64/libasan.so.3+0xc6e60)
Oct 20 09:10:49 systemd-sysusers[144]:     #1 0x7f3565526bd0 in malloc_multiply src/basic/alloc-util.h:70
Oct 20 09:10:49 systemd-sysusers[144]:     #2 0x7f356552cb55 in tempfn_xxxxxx src/basic/fileio.c:1116
Oct 20 09:10:49 systemd-sysusers[144]:     #3 0x7f356552c4f0 in fopen_temporary src/basic/fileio.c:1042
Oct 20 09:10:49 systemd-sysusers[144]:     #4 0x7f356555e00e in fopen_temporary_label src/basic/fileio-label.c:63
Oct 20 09:10:49 systemd-sysusers[144]:     #5 0x56197c4a1766 in make_backup src/sysusers/sysusers.c:209
Oct 20 09:10:49 systemd-sysusers[144]:     #6 0x56197c4a6335 in write_files src/sysusers/sysusers.c:710
Oct 20 09:10:49 systemd-sysusers[144]:     #7 0x56197c4ae571 in main src/sysusers/sysusers.c:1817
Oct 20 09:10:49 systemd-sysusers[144]:     #8 0x7f3564dee730 in __libc_start_main (/lib64/libc.so.6+0x20730)
2016-10-21 12:30:45 +02:00
Lennart Poettering
47fffb3530 core: if the start command vanishes during runtime don't hit an assert
This can happen when the configuration is changed and reloaded while we are
executing a service. Let's not hit an assert in this case.

Fixes: #4444
2016-10-21 12:27:46 +02:00
Zbigniew Jędrzejewski-Szmek
75e2089581 Revert "add networkd dbus lease info" (#4435) 2016-10-21 08:17:16 +02:00
Zbigniew Jędrzejewski-Szmek
24597ee0e6 nspawn, NEWS: add missing "s" in --private-users-chown (#4438) 2016-10-21 06:03:26 +03:00
Evgeny Vereshchagin
d9b8ea5448 sysusers: fix memleak (#4430)
Fixes:
```
==28075== 64 bytes in 1 blocks are definitely lost in loss record 2 of 3
==28075==    at 0x4C2BAEE: malloc (vg_replace_malloc.c:298)
==28075==    by 0x4C2DCA1: realloc (vg_replace_malloc.c:785)
==28075==    by 0x4ED40A2: greedy_realloc (alloc-util.c:57)
==28075==    by 0x4E90F87: extract_first_word (extract-word.c:78)
==28075==    by 0x4E91813: extract_many_words (extract-word.c:270)
==28075==    by 0x10FE93: parse_line (sysusers.c:1325)
==28075==    by 0x11198B: read_config_file (sysusers.c:1640)
==28075==    by 0x111EB8: main (sysusers.c:1773)
==28075==
```
2016-10-20 14:23:32 -04:00