1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
Commit Graph

33241 Commits

Author SHA1 Message Date
Lennart Poettering
cdde6ba6b6 nspawn: mount boot ID from temporary file in /tmp
Let's not make /run too special and let's make sure the source file is
not guessable: let's use our regular temporary file helper calls to
create the source node.
2018-05-03 17:45:42 +02:00
Lennart Poettering
d4b653c589 nspawn: lock down a few things in /proc by default
This tightens security on /proc: a couple of files exposed there are now
made inaccessible. These files might potentially leak kernel internals
or expose non-virtualized concepts, hence lock them down by default.
Moreover, a couple of dirs in /proc that expose stuff also exposed in
/sys are now marked read-only, similar to how we handle /sys.

The list is taken from what docker/runc based container managers
generally apply, but slightly extended.
2018-05-03 17:45:42 +02:00
Lennart Poettering
10af01a5ff nspawn: use free_and_replace() at more places 2018-05-03 17:19:46 +02:00
Lennart Poettering
88614c8a28 nspawn: size_t more stuff
A follow-up for #8840
2018-05-03 17:19:46 +02:00
Lennart Poettering
d11623e9c2 doc: document nore carefully that tmpfs within the cgroupfs setup shouldn't confuse statfs() checks 2018-05-03 17:19:46 +02:00
Yu Watanabe
3776f9cf00
Merge pull request #8859 from poettering/virt-xen-lying
Prefer DMI over CPUID when detecting Xen
2018-05-03 23:23:32 +09:00
Lennart Poettering
5d01f5dce4 locale-util: add comment with link to unicode chars supported by eurlatgr (#8894)
See: #6443
2018-05-03 23:15:04 +09:00
Lennart Poettering
fe80fcc7e8 mount-setup: add a comment that the character/block device nodes are "optional" (#8893)
if we lack privs to create device nodes that's fine, and creating
/run/systemd/inaccessible/chr or /run/systemd/inaccessible/blk won't
work then. Document this in longer comments.

Fixes: #4484
2018-05-03 23:10:35 +09:00
Yu Watanabe
3e692b58d0
Merge pull request #8887 from poettering/file-hier-efi
three improvements to the file-hierarchy(7) man page
2018-05-03 23:07:07 +09:00
Lennart Poettering
d225fedb66 man: docbook doesn't like line breaks within table cells (#8885)
It will pass them on as they are to the formatted man pages, which is
pretty uncool. Let's hence avoid line breaks with table cells.
2018-05-03 23:02:43 +09:00
Lennart Poettering
0ea21d9e88 test: don't send image building output to /dev/null (#8886)
Yes, the output is sometimes annyoing, but /dev/null is not the right
place...

I figure this redirection was left in from some debugging session, let's
fix it, and make the setup_basic_environment invocation like in all
other test scripts.
2018-05-03 16:47:42 +03:00
Evgeny Vereshchagin
1ab0a250c2
Merge pull request #8865 from yuwata/fix-signal
util: fix integer overflow
2018-05-03 16:35:38 +03:00
Lennart Poettering
4db688e0cc update TODO 2018-05-03 15:13:42 +02:00
Lennart Poettering
836f5c940c
Merge pull request #8892 from poettering/binfmt-misc-rst
binfmt_misc url fixes
2018-05-03 13:07:56 +02:00
Lennart Poettering
ec2b24f079 test: list more up-to-date urls in test-web-util
This is based on @jsynacek's patch from #8837, but adds the new URL in
two flavours instead of replacing the old, also making @keszybz happy.

Replaces: #8837
2018-05-03 10:55:16 +02:00
Yu Watanabe
022fa82a8b oss-fuzz: add the reproducer case by oss-fuzz #8064 2018-05-03 16:57:29 +09:00
Yu Watanabe
50fb3437cd test: add tests for signal_from_string() 2018-05-03 16:52:55 +09:00
Yu Watanabe
29a3db75fd util: rename signal_from_string_try_harder() to signal_from_string()
Also this makes the new `signal_from_string()` function reject
e.g, `SIG3` or `SIG+5`.
2018-05-03 16:52:49 +09:00
Yu Watanabe
08d3fdc37e util: make signal_from_string() accept RTMIN, RTMAX, and RTMAX-n
Before this, `signal_from_string()` accepts simple signal name
or RTMIN+n. This makes the function also accept RTMIN, RTMAX,
and RTMAX-n.
Note that RTMIN+0 is equivalent to RTMIN, and RTMAX-0 is to RTMAX.

This also fixes the integer overflow reported by oss-fuzz #8064.
https://oss-fuzz.com/v2/testcase-detail/5648573352902656
2018-05-03 16:51:41 +09:00
Lennart Poettering
f0b5686443 man: refer to the html version of binfmt-misc.rst
Yes, the kernel's file is called "binfmt-misc.rst", but let's link the
HTML version, after all HTML is much more appropriate for hyperlinking.
2018-05-02 22:03:24 +02:00
Susant Sahani
b296797f1c networkd: use ipv6_accept_ra_use_dns rather than dhcp_use_dns (#8836)
While Saving the DNS server use [IPv6AcceptRA] UseDNS= that is
ipv6_accept_ra_use_dns.

Closes #8420
2018-05-02 20:16:10 +02:00
Lennart Poettering
3e7aa2edcd
test-functions: don't nest KVM (#8883)
Nested KVM is very flaky as we learnt from our CI. Hence, let's avoid
KVM whenever we detect we are already running inside of KVM.

Maybe one day nested KVM is fixed, at which point we can turn this on
again, but for now let's simply avoid nested KVM, since reliable CI is
more important than quick CI, I guess.

And yes, avoiding KVM for our qemu runs does make things substantially
slower, but I think it's not a complete loss.

Inspired by @evverx' findings in:

https://github.com/systemd/systemd/pull/8701#issuecomment-380213302
2018-05-02 20:06:13 +02:00
Lennart Poettering
5eb5f35267 man: suffix all dir paths in file-hierarchy(7) with "/"
Our CODING_STYLE document suggests to suffix all paths referring to dirs
rather than regular files with a "/" in our docs and log messages.
Update file-hierarchy(7) to do just that.

No other changes.
2018-05-02 17:00:30 +02:00
Lennart Poettering
1dc7ca9912 man: document /efi in file-hiearchy(7)
We have been supporting the directory since a while in the gpt
generator, let's document it in file-hierarchy(7) too
2018-05-02 16:56:19 +02:00
Lennart Poettering
03f2b38e0c man: document the XDG specs as further sources of specifications for file-hierarchy(7)
We document this further down in the text, but let's also list this
early on, where we mention the FHS as major influence too, so that it is
clear we incorporate all that thinking.
2018-05-02 16:54:32 +02:00
Yu Watanabe
fb702dd7dd udev: do not mark ari_enabled true when its sysattr value is 0 (#8870)
Fixes #8869.
2018-05-02 16:21:30 +02:00
Lennart Poettering
c1c80f6c37
Merge pull request #8866 from yuwata/fix-8842
core: disable namespace sandboxing for '+' prefixed lines
2018-05-02 16:15:26 +02:00
Lennart Poettering
094fbe25bc
Merge pull request #8867 from yuwata/update-readme
doc: Update README
2018-05-02 14:32:00 +02:00
Yu Watanabe
76283e5fd4 set: drop unused set_make() function (#8879)
The function causes compiler error when built with '-Ddebug=hashmap',
and is not used anymore. Let's drop it.
2018-05-02 10:54:52 +02:00
Lennart Poettering
9fc0345551
Merge pull request #8815 from poettering/get-unit-by-cgroup
add new GetUnitByControlGroup API
2018-05-02 10:51:48 +02:00
Yu Watanabe
b0903bb585 meson: drop 'name' argument in cc.has_argument() (#8878) 2018-05-02 10:05:51 +02:00
Adam Duskett
773c84349d add __nr_statx defines for extra architectures (#8872)
This includes:
 - arm
 - arm64
 - alpha
 - powerpc64
 - sparc

Taken from kernel 4.16.6
2018-05-02 10:04:50 +02:00
Yu Watanabe
1e4f1671c2 nspawn: fix warning by -Wnonnull (#8877) 2018-05-02 10:03:31 +02:00
Filipe Brandenburger
a605e46f29 systemd-path: fix memory leak reported by ASAN (#8874)
The leak can be reproduced by running systemd-path --suffix .tmp under valgrind or asan:

    $ ./build/systemd-path --suffix .tmp search-binaries
    /usr/local/bin/.tmp:/usr/bin/.tmp:/usr/local/sbin/.tmp:/usr/sbin/.tmp:/home/vagrant/.local/bin/.tmp:/home/vagrant/bin/.tmp

    =================================================================
    ==19177==ERROR: LeakSanitizer: detected memory leaks

    Direct leak of 56 byte(s) in 1 object(s) allocated from:
        *0 0x7fd6adf72850 in malloc (/lib64/libasan.so.4+0xde850)
        *1 0x7fd6ad2b93d2 in malloc_multiply ../src/basic/alloc-util.h:69
        *2 0x7fd6ad2bafd2 in strv_split ../src/basic/strv.c:269
        *3 0x7fd6ad42ba67 in search_from_environment ../src/libsystemd/sd-path/sd-path.c:409
        *4 0x7fd6ad42bffe in get_search ../src/libsystemd/sd-path/sd-path.c:482
        *5 0x7fd6ad42c55b in sd_path_search ../src/libsystemd/sd-path/sd-path.c:607
        *6 0x7fd6ad42b3a2 in sd_path_home ../src/libsystemd/sd-path/sd-path.c:348
        *7 0x55f59c65ebea in print_home ../src/path/path.c:97
        *8 0x55f59c65f157 in main ../src/path/path.c:177
        *9 0x7fd6abaea009 in __libc_start_main (/lib64/libc.so.6+0x21009)

    Indirect leak of 68 byte(s) in 5 object(s) allocated from:
        *0 0x7fd6adf72850 in malloc (/lib64/libasan.so.4+0xde850)
        *1 0x7fd6abb5f689 in strndup (/lib64/libc.so.6+0x96689)

    Indirect leak of 25 byte(s) in 1 object(s) allocated from:
        *0 0x7fd6adf72850 in malloc (/lib64/libasan.so.4+0xde850)
        *1 0x7fd6abb5f689 in strndup (/lib64/libc.so.6+0x96689)
        *2 0x6c2e2f746e617266  (<unknown module>)

    SUMMARY: AddressSanitizer: 149 byte(s) leaked in 7 allocation(s).
2018-05-02 09:47:04 +03:00
Yu Watanabe
a42d4f5741 doc: update hosts nsswitch setting to which consistent to man pages 2018-05-01 15:18:10 +09:00
Yu Watanabe
2a46c4b739 doc: drop static user systemd-timesync from README 2018-05-01 15:16:39 +09:00
Yu Watanabe
f959c5c66f doc: drop static user systemd-journal-gateway from README
and add systemd-journal-remote instead.
2018-05-01 15:15:48 +09:00
Yu Watanabe
9c6f2e5ab9 test: fix descriptions 2018-05-01 13:44:29 +09:00
Yu Watanabe
cfa24ca0e6 test: add tests for PrivateDevices= with '+' prefix 2018-05-01 13:44:24 +09:00
Yu Watanabe
b5a33299b0 core: disable namespace sandboxing for '+' prefixed lines
Fixes #8842.
2018-05-01 13:44:06 +09:00
Guillem Jover
2955e0d4dc systemctl: make sure legacy "reboot", "suspend" and friends are always asynchronous (#8848)
Currently, "reboot" behaves differently in setups with and without logind.
If logind is used (which is probably the more common case) the operation
is asynchronous, we should behave in the same way as "systemctl <verb>".
Let's clean this up, and always expose the same behaviour, regardless if
logind is used or not: let's always make it asynchronous.

See: #6479
Fixes: commit 130246d2e8
2018-04-30 18:21:27 +02:00
Lennart Poettering
c2b19b3cba virt: simplifications
Let's simplify the code a bit. Let's reduce the number of redundant if
checks a bit, (i.e. if we want to check for equality with
VIRTUALIZATION_VM_OTHER there's no need to check for non-equality with
VIRTUALIZATION_NONE first). As a very welcome side-effect this means we
lose some lines of code and our level of indentation is reduced.

No changes in behaviour.
2018-04-30 12:32:25 +02:00
Lennart Poettering
f2fe2865cd virt: if we detect Xen by DMI, trust that over CPUID
Apparently Xen sometimes lies about its identity when queried via CPUID.
Let's hence prefer DMI tests for CPUID

Fixes: #8844
2018-04-30 12:32:25 +02:00
Zbigniew Jędrzejewski-Szmek
2ff04e5b7f
Merge pull request #8847 from poettering/transient-once
enforce that scope units are started at most once
2018-04-30 09:50:03 +02:00
Hans de Goede
d5a21d85a5 hwdb: Add accelerometer orientation quirk for the Kazam Vision tablet (#8845)
Add accelerometer orientation quirk for the 8" Kazam Vision "gaming"
tablet.
2018-04-28 10:43:06 +02:00
Lennart Poettering
c46d15e398 update TODO 2018-04-27 21:52:45 +02:00
Lennart Poettering
d4fd1cf208 core: enforce that scope units can be started only once
Scope units are populated from PIDs specified by the bus client. We do
that when a scope is started. We really shouldn't allow scopes to be
started multiple times, as the PIDs then might be heavily out of date.
Moreover, clients should have the guarantee that any scope they allocate
has a clear runtime cycle which is not repetitive.
2018-04-27 21:52:45 +02:00
Lennart Poettering
c81ebd35f2
Merge pull request #8808 from poettering/logind-signal
logind: process SIGTERM + SIGINT properly
2018-04-27 20:22:35 +02:00
Zbigniew Jędrzejewski-Szmek
8455706729
Merge pull request #8799 from poettering/exit-status-string
add friendly string support for BSD EX_ exit statusses
2018-04-27 18:26:19 +02:00
Lennart Poettering
ee45b8d9ef update TODO 2018-04-27 18:13:51 +02:00