IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
There are downsides to using fexecve:
when fexecve is used (for normal executables), /proc/pid/status shows Name: 3,
which means that ps -C foobar doesn't work. pidof works, because it checks
/proc/self/cmdline. /proc/self/exe also shows the correct link, but requires
privileges to read. /proc/self/comm also shows "3".
I think this can be considered a kernel deficiency: when O_CLOEXEC is used, this
"3" is completely meaningless. It could be any number. The kernel should use
argv[0] instead, which at least has *some* meaning.
I think the approach with fexecve/execveat is instersting, so let's provide it
as opt-in.
For scripts, when we call fexecve(), on new kernels glibc calls execveat(),
which fails with ENOENT, and then we fall back to execve() which succeeds:
[pid 63039] execveat(3, "", ["/home/zbyszek/src/systemd/test/test-path-util/script.sh", "--version"], 0x7ffefa3633f0 /* 0 vars */, AT_EMPTY_PATH) = -1 ENOENT (No such file or directory)
[pid 63039] execve("/home/zbyszek/src/systemd/test/test-path-util/script.sh", ["/home/zbyszek/src/systemd/test/test-path-util/script.sh", "--version"], 0x7ffefa3633f0 /* 0 vars */) = 0
But on older kernels glibc (some versions?) implement a fallback which falls
into the same trap with bash $0:
[pid 13534] execve("/proc/self/fd/3", ["/home/test/systemd/test/test-path-util/script.sh", "--version"], 0x7fff84995870 /* 0 vars */) = 0
We don't want that, so let's call execveat() ourselves. Then we can do the
execve() fallback as we want.
We close fds in two phases, first some and then the some more. When passing
a list of fds to exclude from closing to the closing function, we would
pass some in an array and the rest as separate arguments. For the fds which
should be excluded in both closing phases, let's always create the array
and put the relevant fds there. This has the advantage that if more fds to
exclude in both phases are added later, we don't need to add more positional
arguments.
The list passed to setup_pam() is not changed. I think we could pass more fds
to close there, but I'm leaving that unchanged.
The setting of FD_CLOEXEC on an already open fds is dropped. The fd is opened
in service_allocate_exec_fd() and there is no reason to suspect that it might
have been opened incorrectly. If some rogue code is unsetting our FD_CLOEXEC
bits, then it might flip any fd, no reason to single this one out.
The function link_acquire_conf() may make the link state 'configuring'
when DHCP6 PD is enabled. Previously link_acquire_conf() was called
before link_enter_join_netdev(), and thus the assertion in the function
might be triggered.
Fixes#17329.
This updates the "systemd-analyze syscall-filter" command to show a
special section of syscalls that are included in @known but in no other
group. Typically this should show syscalls we either should add to any
of the existing groups or where we unsure were they best fit in.
Right now, it mostly shows arch-specific compat syscalls, we probably
should move "@obsolete". This patch doesn't add thta however.
This fixes an issue caused by eb1c1dc029c91750e6255c3fd844b4f4bf238fab.
Before the commit, multiple values can be specified for the same
sysattr or property.
Fixes#17259.
When peer address is set, address_compare_func() (or address_equal())
does not work in link_is_static_address_configured(), as an Address object
stored in a Link does not contain peer addresses. So, we need to also
compare with in_addr element for IPv4 case.
Fixes#17304.
We need to make sure that our coredump pattern handler manages to read
process metadata from /proc/$PID/ before the kernel reaps the crashed
process. By default the kernel will reap the process as soon as it can.
By setting kernel.core_pipe_limit to a non-zero the kernel will wait for
userspace to finish before reaping.
We'll set the value to 16, which allows 16 crashes to be
processed in parallel. This matches the MaxConnections= setting in
systemd-coredump.socket.
See: #17301
(This doesn't close 17301, since we probably should also gracefully
handle if /proc/$PID/ vanished already while our coredump handler runs,
just in case people loclly set the sysctl back to zero. i.e. we should
collect what we can and rather issue an incomplete log record than
none.)
Latest glibc has deprecated mallinfo(), so it might become unavailable at some point
in the future. There is malloc_info(), but it returns XML, ffs. I think the information
that we get from mallinfo() is quite useful, so let's use mallinfo() if available, and
not otherwise.
It is expected for numerous autostart files to not be convertible to
corresponding units. The information is only useful for someone
debugging why a file might not be started, but it is not generally
useful for users in most situations.
As such, lower the warnings. Anyone wondering why an application is not
started will easily notice that the unit is not generated. From there it
will be somewhat harder to figure out why, but the overall trade-off is
still improved.
Fixes: #17305
We previously checked the QR bit to decide whether the RFC6975 algorithm
data in our packets. But that doesn't work in many cases, since we
initialize the QR flags along with the other flags usually only after
appending OPT (since success to do so propagates into flags). Hence,
let's add an explicit parameter that controls whether to include RFC6975
data in DNS packets, and set it to false for stub reply, and on true for
upstream queries.
Fixes: #17217
