1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-31 07:51:21 +03:00
Commit Graph

32359 Commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek
a3bf71378e basic/log: make log_object_internalv static
It makes the code easier to read, because it's obvious that the function
cannot be called from elsewhere.
2018-02-23 00:13:52 +01:00
Zbigniew Jędrzejewski-Szmek
4ad2b562ce basic/log: voidify snprintf statements
The buffers are fixed size, so the message may not fit, but we don't
particularly care.
2018-02-23 00:13:52 +01:00
Zbigniew Jędrzejewski-Szmek
f810b631cd Revert "Replace use of snprintf with xsprintf"
This reverts commit a7419dbc59.

_All_ changes in that commit were wrong.

Fixes #8211.
2018-02-23 00:13:52 +01:00
Alan Jenkins
e8a3144ec4 login: fix user@.service case, so we don't allow nested sessions (#8051)
> logind sessions are mostly bound to the audit session concept, and audit
> sessions remain unaffected by "su", in fact they are defined to be
> "sealed off", i.e. in a way that if a process entered a session once, it
> will always stay with it, and so will its children, i.e. the only way to
> get a new session is by forking off something off PID 1 (or something
> similar) that never has been part of a session.

The code had a gap.  user@.service is a special case PAM session which does
not create a logind session.  Let's remember to check for it.

Fixes #8021
2018-02-22 21:38:44 +01:00
Patrick Uiterwijk
5547c12503 Fix format-truncation compile failure by typecasting USB IDs (#8250)
This patch adds safe_atoux16 for parsing an unsigned hexadecimal 16bit int, and
uses that for parsing USB device and vendor IDs.

This fixes a compile error with gcc-8 because while we know that USB IDs are 2 bytes,
the compiler does not know that.

../src/udev/udev-builtin-hwdb.c:80:38: error: '%04X' directive output may be
truncated writing between 4 and 8 bytes into a region of size between 2 and 6
[-Werror=format-truncation=]

Signed-off-by: Adam Williamson <awilliam@redhat.com>
Signed-off-by: Patrick Uiterwijk <puiterwijk@redhat.com>
2018-02-22 19:41:30 +01:00
Beniamino Galvani
6afe9046d5 libsystemd-network: fix endianness in ARP BPF filter (#8255)
Commit f11cba7479 ("libsystemd-network: fix unaligned loads (issue #7654)")
changed the way in which the MAC address is read to use native endiannes:

 htobe32(*((uint32_t *)x)  ->  unaligned_read_ne32(x)

This is wrong because loads done with BPF_LD + BPF_ABS are big-endian, as it
can be seen for the ethertype and arp-operation loads above in the
filter.  Also, the same commit changed:

 htobe32(*((unsigned int *)x) -> unaligned_read_be32(x)

in _bind_raw_socket(), which is the correct form.

The commit broke IPv4LL in presence of loops, as the sender now considers its
own packets as conflicting.

Fixes: f11cba7479
2018-02-22 18:09:33 +01:00
Zbigniew Jędrzejewski-Szmek
d156d1d2c9
Merge pull request #8251 from Shuangistan/pr_virt_qnx 2018-02-22 17:06:29 +01:00
Shuang Liu
9bfaf6ea1f man: add bhyve description for ConditionVirtualization=
The description in man is missing in #3840.
2018-02-22 15:29:34 +01:00
Shuang Liu
1fdf07f56c virt: detect QNX hypervisor
Detect QNX hypervisor based on the CPUID.

Fixes: #7239
2018-02-22 15:29:34 +01:00
Zbigniew Jędrzejewski-Szmek
94be6463bd
Merge pull request #8205 from poettering/bpf-multi
bpf/cgroup improvements
2018-02-22 14:52:48 +01:00
Sergey Ptashnick
e584b2cc45 Update Russian translation (#8248)
Used "in"-form here (i.e. "зарегистрировать службу *в* DNS-SD") because
simply "служба DNS-SD" may be confused with resolved itself (at least in
Russian).
2018-02-22 14:25:11 +01:00
Lennart Poettering
6e11e7e67d nologin: extend the /run/nologin descriptions a bit (#8244)
This is an attempt to improve #8228 a bit, by extending the /run/nologin
a bit, but still keeping it somewhat brief.

On purpose I used the vague wording "unprivileged user" rather than
"non-root user" so that pam_nologin can be updated to disable its
behaviour for members of the "wheel" group one day, and our messages
would still make sense.

See #8228.
2018-02-22 14:21:30 +01:00
Lennart Poettering
c5c07649c2
Merge pull request #8243 from poettering/statx-syscall-unfuck
statx() syscall macro fix + reboot() handling improvements
2018-02-22 13:15:41 +01:00
Lennart Poettering
de0e78f703
Merge pull request #8218 from keszybz/zanata
po: add basic fedora.zanata.org configuration
2018-02-22 11:56:24 +01:00
Zbigniew Jędrzejewski-Szmek
30c81ce2ce pid1: when creating service directories, don't chown existing files (#8181)
This partially reverts 3536f49e8f and
3536f49e8f.

When the user is dynamic, and we are setting up state, cache, or logs dirs,
behaviour is unchanged, we always do a recursive chown. This is necessary
because the user number might change between invocations.

But when setting up a directory for non-dynamic user, or a runtime directory
for a dynamic user, do any ownership or mode changes only when the directory
is initially created. Nothing says that the files under those directories have
to be all recursively owned by our user. This restores behaviour before
3536f49e8f, so modifications to the state of
the runtime directory persist between ExecStartPre's and ExecStart's, and even
longer in case the directory is persistent.

I think it _would_ be a nice property if setting a user would automatically
propagate to ownership of any Runtime/Logs/Cache directories. But this is
incompatible with another nice property, namely preserving changes to those
directories made by an admin, and with allowing change of ownership of files
in those directories by the service (e.g. to allow other users to access them).
Of the two, I think the second property is more important. Also, it's backwards
compatible.

https://bugzilla.redhat.com/show_bug.cgi?id=1508495

There is no need to chmod a directory we just created, so move that step
up into a branch. After that, 'effective' is only used once, so get rid of
it too.
2018-02-22 11:30:59 +01:00
Lennart Poettering
1f409a0cbb shutdown: let's not use exit() needlessly
Generally we prefer 'return' from main() over exit() so that automatic
cleanups and such work correct. Let's do that in shutdown.c too, becuase
there's not really any reason not to.

With this we are pretty good in consistently using return from main()
rather than exit() all across the codebase. Yay!
2018-02-22 10:46:26 +01:00
Lennart Poettering
c01dcddf80 reboot-util: unify reboot with parameter in a single implementation
So far, we had two implementations of reboot-with-parameter doing pretty
much the same. Let's unify that in a generic implementation used by
both.

This is particulary nice as it unifies all /run/systemd/reboot-param
handling in a single .c file.
2018-02-22 10:46:26 +01:00
Lennart Poettering
e3631d1c80 basic: split out update_reboot_parameter_and_warn() into its own .c/.h files
This is primarily preparation for a follow-up commit that adds a common
implementation of the other side of the reboot parameter file, i.e. the
code that reads the file and issues reboot() for it.
2018-02-22 10:46:12 +01:00
Lennart Poettering
118cf9523b tree-wide: voidify reboot() invocations
We use (void) in most cases for reboot() already, let's add it to the
others as well.
2018-02-22 10:42:06 +01:00
Lennart Poettering
c52a937b46 basic: add a common syscall wrapper around reboot()
This mimics the raw_clone() call we have in place already and
establishes a new syscall wrapper raw_reboot() that wraps the kernel's
reboot() system call in a bit more low-level fashion that glibc's
reboot() wrapper. The main difference is that the extra "arg" argument
is supported.

Ultimately this just replaces the syscall wrapper implementation we
currently have at three places in our codebase by a single one.

With this change this means that all our syscall() invocations are
neatly separated out in static inline system call wrappers in our header
functions.
2018-02-22 10:42:06 +01:00
Lennart Poettering
d06f3829cd missing: always use __NR_ as prefix for syscall numbers
Apparently, both __NR_ and SYS_ are useful, but we mostly use __NR_
hence use it for these two cases too, so that we settle on __NR_
exclusively.
2018-02-22 10:42:06 +01:00
Lennart Poettering
fd91e3ef49 missing: Fix statx syscall ifdeffery
Fix a copy/paste mistake.

Fixes: #8238
2018-02-22 10:42:06 +01:00
Zbigniew Jędrzejewski-Szmek
a4896a1f14
Merge pull request #8246 from poettering/wait-for-terminate-eproto
some shutdown logging fixes
2018-02-22 08:27:44 +01:00
Lennart Poettering
0b1f3c768c tree-wide: reopen log when we need to log in FORK_CLOSE_ALL_FDS children
In a number of occasions we use FORK_CLOSE_ALL_FDS when forking off a
child, since we don't want to pass fds to the processes spawned (either
because we later want to execve() some other process there, or because
our child might hang around for longer than expected, in which case it
shouldn't keep our fd pinned). This also closes any logging fds, and
thus means logging is turned off in the child. If we want to do proper
logging, explicitly reopen the logs hence in the child at the right
time.

This is particularly crucial in the umount/remount children we fork off
the shutdown binary, as otherwise the children can't log, which is
why #8155 is harder to debug than necessary: the log messages we
generate about failing mount() system calls aren't actually visible on
screen, as they done in the child processes where the log fds are
closed.
2018-02-22 00:35:00 +01:00
Lennart Poettering
e18805fbd0 shutdown: explicitly set a log target in shutdown.c
We used to set this, but this was dropped when shutdown got taught to
get the target passed in from the regular PID 1. Let's readd this to
make things more explanatory, and cover all grounds, since after all the
target passed is in theory an optional part of the protocol between the
regular PID 1 and the shutdown PID 1.
2018-02-22 00:33:12 +01:00
Lennart Poettering
d405394c5c shutdown: always pass errno to logging functions
We have them, let's propagate them.
2018-02-22 00:32:31 +01:00
Lennart Poettering
e38b8a407a log: only open kmsg on fallback if we actually want to use it
Previously, we'd try to open kmsg on failure of the journal/syslog even
if no automatic fallback to kmsg was requested — and we wouldn't even
use the open connection afterwards...
2018-02-22 00:31:36 +01:00
Lennart Poettering
00adeed99f umount: beef up logging when umount/remount child processes fail
Let's extend what we log if umount/remount doesn't work correctly as we
expect.

See #8155
2018-02-21 23:57:21 +01:00
Lennart Poettering
6079afa9b0 user-sessions: let's simplify our code paths a bit
Let's always go through mac_selinux_finish(), by making our
success/failure codepaths more alike.

This also saves a few lines of code. Yay!
2018-02-21 23:44:39 +01:00
Zbigniew Jędrzejewski-Szmek
ad383382c7 hwdb: drop bad definition for Cordless Wave Pro keyboard (#8230)
[I'm just submitting the solution originally suggested by @barzog.
Nevertheless, this looks pretty straightforward, we don't want to define
any keys on a universal receiver.

Note that this definition was added back in
aedc2eddd1, when we didn't yet have
support for figuring out what hardware is connected behind a logitech
receiver.]

In 60-keyboard.hwdb there is a definition of # Cordless Wave Pro
evdev:input:b0003v046DpC52[9B]*

which in fact not a cordless keyboard but an USB receiver to which different
types of keyboard can be connected. The solution is to completely clean
definition evdev:input:b0003v046DpC52B* from there.

I: Bus=0003 Vendor=046d Product=c52b Version=0111
N: Name="Logitech USB Receiver"
P: Phys=usb-0000:00:1d.0-1.8/input1
S: Sysfs=/devices/pci0000:00/0000:00:1d.0/usb4/4-1/4-1.8/4-1.8:1.1/0003:046D:C52B.0005/input/input20
U: Uniq=
H: Handlers=kbd mouse0 event8
B: PROP=0
B: EV=1f
B: KEY=3007f 0 0 83ffff17aff32d bf54444600000000 ffff0001 130f978b17c000 6773fad941dfed 9ed68000004400 10000002
B: REL=1c3
B: ABS=100000000
B: MSC=10

Fixed #8095.
2018-02-22 08:21:28 +10:00
Lennart Poettering
5128346127 bpf: reset "extra" IP accounting counters when turning off IP accounting for a unit
We maintain an "extra" set of IP accounting counters that are used when
we systemd is reloaded to carry over the counters from the previous run.
Let's reset these to zero whenever IP accounting is turned off. If we
don't do this then turning off IP accounting and back on later wouldn't
reset the counters, which is quite surprising and different from how our
CPU time counting works.
2018-02-21 16:43:36 +01:00
Lennart Poettering
aa2b6f1d2b bpf: rework how we keep track and attach cgroup bpf programs
So, the kernel's management of cgroup/BPF programs is a bit misdesigned:
if you attach a BPF program to a cgroup and close the fd for it it will
stay pinned to the cgroup with no chance of ever removing it again (or
otherwise getting ahold of it again), because the fd is used for
selecting which BPF program to detach. The only way to get rid of the
program again is to destroy the cgroup itself.

This is particularly bad for root the cgroup (and in fact any other
cgroup that we cannot realistically remove during runtime, such as
/system.slice, /init.scope or /system.slice/dbus.service) as getting rid
of the program only works by rebooting the system.

To counter this let's closely keep track to which cgroup a BPF program
is attached and let's implicitly detach the BPF program when we are
about to close the BPF fd.

This hence changes the bpf_program_cgroup_attach() function to track
where we attached the program and changes bpf_program_cgroup_detach() to
use this information. Moreover bpf_program_unref() will now implicitly
call bpf_program_cgroup_detach().

In order to simplify things, bpf_program_cgroup_attach() will now
implicitly invoke bpf_program_load_kernel() when necessary, simplifying
the caller's side.

Finally, this adds proper reference counting to BPF programs. This
is useful for working with two BPF programs in parallel: the BPF program
we are preparing for installation and the BPF program we so far
installed, shortening the window when we detach the old one and reattach
the new one.
2018-02-21 16:43:36 +01:00
Lennart Poettering
e0ad39fc52 bpf-program: make bpf_program_load_kernel() idempotent
Let's "seal" off the BPF program as soo as bpf_program_load_kernel() is
called, which allows us to make it idempotent: since the program can't
be modified anymore after being turned into a kernel object it's safe to
shortcut behaviour if called multiple times.
2018-02-21 16:43:36 +01:00
Lennart Poettering
72a1db0bb2 test: don't complain if bpffs is world-writable
Apparently, world-writable bpffs is intended by the kernel folks, hence
let's make sure we don't choke on it on our tests.
2018-02-21 16:43:36 +01:00
Lennart Poettering
13a141f046 namespace: protect bpf file system as part of ProtectKernelTunables=
It also exposes kernel objects, let's better include this in
ProtectKernelTunables=.
2018-02-21 16:43:36 +01:00
Lennart Poettering
6590080851 mount-setup: always use the same source as fstype for the API VFS we mount
So far, for all our API VFS mounts we used the fstype also as mount
source, let's do that for the cgroupsv2 mounts too. The kernel doesn't
really care about the source for API VFS, but it's visible to the user,
hence let's clean this up and follow the rule we otherwise follow.
2018-02-21 16:43:36 +01:00
Lennart Poettering
acf7f253de bpf: use BPF_F_ALLOW_MULTI flag if it is available
This new kernel 4.15 flag permits that multiple BPF programs can be
executed for each packet processed: multiple per cgroup plus all
programs defined up the tree on all parent cgroups.

We can use this for two features:

1. Finally provide per-slice IP accounting (which was previously
   unavailable)

2. Permit delegation of BPF programs to services (i.e. leaf nodes).

This patch beefs up PID1's handling of BPF to enable both.

Note two special items to keep in mind:

a. Our inner-node BPF programs (i.e. the ones we attach to slices) do
   not enforce IP access lists, that's done exclsuively in the leaf-node
   BPF programs. That's a good thing, since that way rules in leaf nodes
   can cancel out rules further up (i.e. for example to implement a
   logic of "disallow everything except httpd.service"). Inner node BPF
   programs to accounting however if that's requested. This is
   beneficial for performance reasons: it means in order to provide
   per-slice IP accounting we don't have to add up all child unit's
   data.

b. When this code is run on pre-4.15 kernel (i.e. where
   BPF_F_ALLOW_MULTI is not available) we'll make IP acocunting on slice
   units unavailable (i.e. revert to behaviour from before this commit).
   For leaf nodes we'll fallback to non-ALLOW_MULTI mode however, which
   means that BPF delegation is not available there at all, if IP
   fw/acct is turned on for the unit. This is a change from earlier
   behaviour, where we use the BPF_F_ALLOW_OVERRIDE flag, so that our
   fw/acct would lose its effect as soon as delegation was turned on and
   some client made use of that. I think the new behaviour is the safer
   choice in this case, as silent bypassing of our fw rules is not
   possible anymore. And if people want proper delegation then the way
   out is a more modern kernel or turning off IP firewalling/acct for
   the unit algother.
2018-02-21 16:43:36 +01:00
Lennart Poettering
43b7f24b5e bpf: mount bpffs by default on boot
We make heavy use of BPF functionality these days, hence expose the BPF
file system too by default now. (Note however, that we don't actually
make use bpf file systems object yet, but we might later on too.)
2018-02-21 16:43:36 +01:00
Lennart Poettering
9b3c189786 bpf-program: optionally take fd of program to detach
This is useful for BPF_F_ALLOW_MULTI programs, where the kernel requires
us to specify the fd.
2018-02-21 16:43:36 +01:00
Lennart Poettering
2ae7ee58fa bpf: beef up bpf detection, check if BPF_F_ALLOW_MULTI is supported
This improves the BPF/cgroup detection logic, and looks whether
BPF_ALLOW_MULTI is supported. This flag allows execution of multiple
BPF filters in a recursive fashion for a whole cgroup tree. It enables
us to properly report IP accounting for slice units, as well as
delegation of BPF support to units without breaking our own IP
accounting.
2018-02-21 16:43:36 +01:00
Lennart Poettering
8b15fca85b bpf: add new bpf.h header copy from 4.15 kernel 2018-02-21 16:43:36 +01:00
Yu Watanabe
9323298657 test: fix test for TemporaryFileSystem= (#8241)
This makes test-execute work on SELinux enabled systems.

Fixes the issue reported at
https://github.com/systemd/systemd/pull/7908#discussion_r169583540
2018-02-21 16:43:35 +01:00
Zbigniew Jędrzejewski-Szmek
5187dd2c40 missing_syscall: when adding syscall replacements, use different names (#8229)
In meson.build we check that functions are available using:
    meson.get_compiler('c').has_function('foo')
which checks the following:
- if __stub_foo or __stub___foo are defined, return false
- if foo is declared (a pointer to the function can be taken), return true
- otherwise check for __builtin_memfd_create

_stub is documented by glibc as
   It defines a symbol '__stub_FUNCTION' for each function
   in the C library which is a stub, meaning it will fail
   every time called, usually setting errno to ENOSYS.

So if __stub is defined, we know we don't want to use the glibc version, but
this doesn't tell us if the name itself is defined or not. If it _is_ defined,
and we define our replacement as an inline static function, we get an error:

In file included from ../src/basic/missing.h:1358:0,
                 from ../src/basic/util.h:47,
                 from ../src/basic/calendarspec.h:29,
                 from ../src/basic/calendarspec.c:34:
../src/basic/missing_syscall.h:65:19: error: static declaration of 'memfd_create' follows non-static declaration
 static inline int memfd_create(const char *name, unsigned int flags) {
                   ^~~~~~~~~~~~
.../usr/include/bits/mman-shared.h:46:5: note: previous declaration of 'memfd_create' was here
 int memfd_create (const char *__name, unsigned int __flags) __THROW;
     ^~~~~~~~~~~~

To avoid this problem, call our inline functions different than glibc,
and use a #define to map the official name to our replacement.

Fixes #8099.

v2:
- use "missing_" as the prefix instead of "_"

v3:
- rebase and update for statx()

  Unfortunately "statx" is also present in "struct statx", so the define
  causes issues. Work around this by using a typedef.

I checked that systemd compiles with current glibc
(glibc-devel-2.26-24.fc27.x86_64) if HAVE_MEMFD_CREATE, HAVE_GETTID,
HAVE_PIVOT_ROOT, HAVE_SETNS, HAVE_RENAMEAT2, HAVE_KCMP, HAVE_KEYCTL,
HAVE_COPY_FILE_RANGE, HAVE_BPF, HAVE_STATX are forced to 0.

Setting HAVE_NAME_TO_HANDLE_AT to 0 causes an issue, but it's not because of
the define, but because of struct file_handle.
2018-02-21 14:04:50 +01:00
Evgeny Vereshchagin
7b13a721f5
Merge pull request #8235 from keszybz/skip-nobody-test
Skip tests for nobody if necessary
2018-02-21 12:19:02 +03:00
Zbigniew Jędrzejewski-Szmek
7559b2da10 test-user-util: skip most tests for nobody if synthentization is off
When synthetisation is turned off, there's just too many ways those tests can
go wrong. We are not interested in verifying that the db on disk is correct,
let's just skip all checks.

In the first version of this patch, I recorded if we detected a mismatch during
configuration and only skipped tests in that case, but actually it is possible
to change the host configuration between our configuration phase and running
of the tests. It's just more robust to skip always. (This is particularly true
if tests are installed.)
2018-02-21 09:57:35 +01:00
Alan Jenkins
59e00b2a16
Merge pull request #7908 from yuwata/rfe-7895
core: add TemporaryFileSystem= setting and 'tmpfs' option to ProtectHome=
2018-02-21 08:57:11 +00:00
Evgeny Vereshchagin
24a01950a3 tests: stop using nobody in test-udev.pl (#8239)
`nobody` is a special user, whose credentials should be extracted with
`get_user_creds`. `getpwnam` called in `test-udev.pl` is a bit different,
which causes the test to fail with the following error:
```
device '/devices/pci0000:00/0000:00:1f.2/host0/target0:0:0/0:0:0:0/block/sda' expecting node/link 'node'
  expected permissions are: nobody::0600
  created permissions are : 65534:0:0600
permissions: error
add:         ok
remove:      ok
```
The ideal fix would probably be to implement `get_user_creds` in Perl, but in this
PR the issue is simply got around by using `daemon` instead of `nobody`.

Closes https://github.com/systemd/systemd/issues/8196.
2018-02-21 08:34:42 +01:00
Yu Watanabe
24743efe2d doc: update TRANSIENT-SETTINGS.md 2018-02-21 09:18:22 +09:00
Yu Watanabe
784ad252ea core: add DBus API for TemporaryFileSystem= 2018-02-21 09:18:20 +09:00
Yu Watanabe
e4da7d8c79 core: add new option 'tmpfs' to ProtectHome=
This make ProtectHome= setting can take 'tmpfs'. This is mostly
equivalent to `TemporaryFileSystem=/home /run/user /root`.
2018-02-21 09:18:17 +09:00