1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
Commit Graph

568 Commits

Author SHA1 Message Date
Frantisek Sumsal
86b52a3958 tree-wide: fix spelling errors
Based on a report from Fossies.org using Codespell.

Followup to #15436
2020-04-21 23:21:08 +02:00
Lennart Poettering
33b58dfb41 core: automatically add udev dependency for units using RootImage=
We use udev to wait for /dev/loopX devices to be fully proped hence we
need an implicit ordering dependency on it, for RootImage= to work
reliably in early boot, too.

Fixes: #14972
2020-04-21 16:31:06 +02:00
Lennart Poettering
9b3c65ed36
Merge pull request #15352 from poettering/user-group-name-valdity-rework
user/group name validity rework
2020-04-09 18:49:22 +02:00
Lennart Poettering
611cb82612
Merge pull request #15318 from fbuihuu/inherit-umask-for-user-units
pid1: by default make user units inherit their umask from the user ma…
2020-04-09 17:15:55 +02:00
Franck Bui
5e37d1930b pid1: by default make user units inherit their umask from the user manager
This patch changes the way user managers set the default umask for the units it
manages.

Indeed one can expect that if user manager's umask is redefined through PAM
(via /etc/login.defs or pam_umask), all its children including the units it
spawns have their umask set to the new value.

Hence make user units inherit their umask value from their parent instead of
the hard coded value 0022 but allow them to override this value via their unit
file.

Note that reexecuting managers with 'systemctl daemon-reexec' after changing
UMask= has no effect. To take effect managers need to be restarted with
'systemct restart' instead. This behavior was already present before this
patch.

Fixes #6077.
2020-04-09 14:17:07 +02:00
Zbigniew Jędrzejewski-Szmek
ad21e542b2 manager: add CoredumpFilter= setting
Fixes #6685.
2020-04-09 14:08:48 +02:00
Lennart Poettering
887a8fa341 docs: hook up the new USER_NAMES document everywhere
(Also correct the set of names we accept in User=, which was forgotten
to be updated in ae480f0b09.
2020-04-08 17:30:04 +02:00
Michal Sekletár
e2b2fb7f56 core: add support for setting CPUAffinity= to special "numa" value
systemd will automatically derive CPU affinity mask from NUMA node
mask.

Fixes #13248
2020-03-16 08:57:28 +01:00
Lennart Poettering
5b0a76d107 man: document LogNamespace= unit setting 2020-01-31 15:10:40 +01:00
Kevin Kuehler
022d334561 man: doc: Document ProtectClock= 2020-01-27 11:21:36 -08:00
Lennart Poettering
54ed193f8d man: clarify that user rlimits cannot go beyond limits set for service mgr
Fixes: #10758
2020-01-17 10:09:50 +01:00
Lennart Poettering
ba96a8a277 man: document that program invocation will fail if the User= does not exist
Fixes: #14565
2020-01-17 10:08:13 +01:00
Zbigniew Jędrzejewski-Szmek
ea7fe1d1c2
Merge pull request #14390 from poettering/gpt-var-tmp
introduce GPT partition types for /var and /var/tmp and support them for auto-discovery
2020-01-14 15:37:53 +01:00
Topi Miettinen
412a6c646c systemd.exec: document the file system for EnvironmentFile paths
Files specified with EnvironmentFile are read from PID1 mount namespace, before
any file system operations like RootImage or BindPaths are in effect.
2020-01-02 14:21:16 +01:00
Lennart Poettering
19ac32cdd6 docs: import discoverable partitions spec
This was previously available here:

https://www.freedesktop.org/wiki/Specifications/DiscoverablePartitionsSpec/

Let's pull it into our repository.
2019-12-23 14:44:33 +01:00
Anita Zhang
5749f855a7 core: PrivateUsers=true for (unprivileged) user managers
Let per-user service managers have user namespaces too.

For unprivileged users, user namespaces are set up much earlier
(before the mount, network, and UTS namespaces vs after) in
order to obtain capbilities in the new user namespace and enable use of
the other listed namespaces. However for privileged users (root), the
set up for the user namspace is still done at the end to avoid any
restrictions with combining namespaces inside a user namespace (see
inline comments).

Closes #10576
2019-12-18 11:09:30 -08:00
Lennart Poettering
d58b613bbb man: apparently we lowercased STDOUT/STDERR everywhere else in docs, do so here too 2019-11-28 14:25:38 +01:00
Zbigniew Jędrzejewski-Szmek
f8b68539d0 man: fix a few bogus entries in directives index
When wrong element types are used, directives are sometimes placed in the wrong
section. Also, strip part of text starting with "'", which is used in a few
places and which is displayed improperly in the index.
2019-11-21 22:06:30 +01:00
Lennart Poettering
8af381679d
Merge pull request #13940 from keur/protect_kernel_logs
Add ProtectKernelLogs to systemd.exec
2019-11-15 16:26:10 +01:00
Kevin Kuehler
d916e35b9f man: Add description for ProtectKernelLogs= 2019-11-14 13:31:06 -08:00
Zbigniew Jędrzejewski-Szmek
67f5b9e06e
Merge pull request #14003 from keszybz/user-path-configurable
meson: make user $PATH configurable
2019-11-14 10:08:40 +01:00
Zbigniew Jędrzejewski-Szmek
3602ca6f0c meson: make user $PATH configurable
This partially reverts db11487d10 (the logic to
calculate the correct value is removed, we always use the same setting as for
the system manager). Distributions have an easy mechanism to override this if
they wish.

I think making this configurable is better, because different distros clearly
want different defaults here, and making this configurable is nice and clean.
If we don't make it configurable, distros which either have to carry patches,
or what would be worse, rely on some other configuration mechanism, like
/etc/profile. Those other solutions do not apply everywhere (they usually
require the shell to be used at some point), so it is better if we provide
a nice way to override the default.

Fixes  #13469.
2019-11-13 22:34:14 +01:00
Zbigniew Jędrzejewski-Szmek
1f6597a84c man: mention $RUNTIME_DIRECTORY & friends in environment list 2019-11-13 22:05:11 +01:00
Anita Zhang
644ee25461
Merge pull request #13676 from ClydeByrdIII/service-result-patch
Update service result table
2019-10-29 11:35:41 -07:00
Mark Stosberg
69bdb3b150 man: document updated newline support
Since v239 newlines have been allowed for PassEnvironment=
and EnvironmentFile=, due to #8471.

This PR documents the behavior change.
2019-10-04 11:54:28 +02:00
ClydeByrdIII
b122296272
Update service result table
exec-condition and oom-kill were added without updating this table

Updated success to reflect the code, which also allows kills by signal in certain situations
2019-09-28 01:43:02 -07:00
Yu Watanabe
bd9014c360 man: move TimeoutCleanSec= entry from .service to .exec
Follow-up for 12213aed12.

Closes #13546.
2019-09-13 15:06:40 +02:00
Zbigniew Jędrzejewski-Szmek
db11487d10 manager: put bin before sbin for user instances
Traditionally, user logins had a $PATH in which /bin was before /sbin, while
root logins had a $PATH with /sbin first. This allows the tricks that
consolehelper is doing to work. But even if we ignore consolehelper, having the
path in this order might have been used by admins for other purposes, and
keeping the order in user sessions will make it easier the adoption of systemd
user sessions a bit easier.

Fixes #733.
https://bugzilla.redhat.com/show_bug.cgi?id=1744059

OOM handling in manager_default_environment wasn't really correct.
Now the (theorertical) malloc failure in strv_new() is handled.

Please note that this has no effect on:
- systems with merged /bin-/sbin (e.g. arch)

- when there are no binaries that differ between the two locations.

  E.g. on my F30 laptop there is exactly one program that is affected:
  /usr/bin/setup -> consolehelper.

  There is less and less stuff that relies on consolehelper, but there's still
  some.

So for "clean" systems this makes no difference, but helps with legacy setups.

$ dnf repoquery --releasever=31 --qf %{name} --whatrequires usermode
anaconda-live
audit-viewer
beesu
chkrootkit
driftnet
drobo-utils-gui
hddtemp
mate-system-log
mock
pure-ftpd
setuptool
subscription-manager
system-config-httpd
system-config-rootpassword
system-switch-java
system-switch-mail
usermode-gtk
vpnc-consoleuser
wifi-radar
xawtv
2019-08-27 18:24:44 +02:00
Lennart Poettering
29a3d5caea man: remove trailing space in link in HTML output 2019-07-29 19:25:49 +02:00
Lennart Poettering
b042dd687c man: document that the supplementary groups list is initialized from User='s database entry
Fixes: #12936
2019-07-12 14:25:28 +02:00
Lennart Poettering
8c8208cb80 man: document new "systemctl clean…" operation 2019-07-11 12:18:51 +02:00
Philip Withnall
a9a50bd680 man: Add some notes about variable $prefix for StateDirectory=
tl;dr: It isn’t supported.

Wording by Zbigniew Jędrzejewski-Szmek.

See https://twitter.com/pid_eins/status/1102639279614906369 and
https://gitlab.freedesktop.org/libfprint/fprintd/merge_requests/5#note_125536
onwards.

Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-07-04 18:26:03 +02:00
Lennart Poettering
330703fb22 man: beef up systemd.exec(5)
Prompted by:

https://lists.freedesktop.org/archives/systemd-devel/2019-May/042773.html
2019-06-24 18:31:36 +02:00
Michal Sekletar
b070c7c0e1 core: introduce NUMAPolicy and NUMAMask options
Make possible to set NUMA allocation policy for manager. Manager's
policy is by default inherited to all forked off processes. However, it
is possible to override the policy on per-service basis. Currently we
support, these policies: default, prefer, bind, interleave, local.
See man 2 set_mempolicy for details on each policy.

Overall NUMA policy actually consists of two parts. Policy itself and
bitmask representing NUMA nodes where is policy effective. Node mask can
be specified using related option, NUMAMask. Default mask can be
overwritten on per-service level.
2019-06-24 16:58:54 +02:00
Lennart Poettering
eedaf7f322 man: drop references to "syslog" and "syslog+console" from man page
These options are pretty much equivalent to "journal" and
"journal+console" anyway, let's simplify things, and drop them from the
documentation hence.

For compat reasons let's keep them in the code.

(Note that they are not 100% identical to 'journal', but I doubt the
distinction in behaviour is really relevant to keep this in the docs.
And we should probably should drop 'syslog' entirely from our codebase
eventually, but it's problematic as long as we semi-support udev on
non-systemd systems still.)
2019-06-24 15:23:11 +02:00
Lennart Poettering
e0e65f7d09 man: document that DynamicUser=1 implied sandboxing cannot be turned off
Fixes: #12476
2019-06-24 14:20:36 +02:00
Zbigniew Jędrzejewski-Szmek
61fbbac1d5 pid1: parse CPUAffinity= in incremental fashion
This makes the handling of this option match what we do in unit files. I think
consistency is important here. (As it happens, it is the only option in
system.conf that is "non-atomic", i.e. where there's a list of things which can
be split over multiple assignments. All other options are single-valued, so
there's no issue of how to handle multiple assignments.)
2019-05-29 10:29:28 +02:00
Ben Boeckel
5238e95759 codespell: fix spelling errors 2019-04-29 16:47:18 +02:00
Zbigniew Jędrzejewski-Szmek
db8d154dc4 man: describe interaction with ProtectHome=/InaccessiblePaths= in BindMount=
https://github.com/systemd/systemd/issues/7153#issuecomment-485252308

Apparently this is still confusing for people.

Longer-term, I think we should just make BindMount= automatically "upgrade"
(or "downgrade", depending on how you look at this), any InaccessiblePath=
mountpoints to "tmpfs". I don't see much point in forcing users to remember
this interaction. But let's at least document the status quo, we can always
update the docs if the code changes.
2019-04-24 10:21:37 +02:00
Lennart Poettering
8e74bf7f9c man: document new OOMPolicy= setting 2019-04-09 11:17:58 +02:00
Lennart Poettering
bf65b7e0c9 core: imply NNP and SUID/SGID restriction for DynamicUser=yes service
Let's be safe, rather than sorry. This way DynamicUser=yes services can
neither take benefit of, nor create SUID/SGID binaries.

Given that DynamicUser= is a recent addition only we should be able to
get away with turning this on, even though this is strictly speaking a
binary compatibility breakage.
2019-04-02 16:56:48 +02:00
Lennart Poettering
7445db6eb7 man: document the new RestrictSUIDSGID= setting 2019-04-02 16:56:48 +02:00
Lennart Poettering
6d463b8aed man: refer to innermost directory as innermost, not as "lowest"
Let's avoid confusion whether the root is at the top or of the bottom of
the directory tree. Moreover we use "innermost" further down for the
same concept, so let's stick to the same terminology here.
2019-04-01 18:30:18 +02:00
Lennart Poettering
8601482cd8 man: tweak XyzDirectory= table a bit 2019-04-01 18:30:18 +02:00
Zbigniew Jędrzejewski-Szmek
de04bbdce1 tree-wide: spell "lifecycle" without hyphen everywhere
We had 10 instances of unhyphentated spelling, and 4 of the hyphenated one.
Consistency trumps ispell.
2019-03-14 22:47:44 +01:00
Lennart Poettering
b3f6c4531e
Merge pull request #12002 from keszybz/man-headers
Man headers
2019-03-14 15:55:04 +01:00
Lennart Poettering
c4d4b5a708 man: say explicitly which settings are not available in --user services
Fixes: #3944
2019-03-14 15:13:33 +01:00
Zbigniew Jędrzejewski-Szmek
3a54a15760 man: use same header for all files
The "include" files had type "book" for some raeason. I don't think this
is meaningful. Let's just use the same everywhere.

$ perl -i -0pe 's^..DOCTYPE (book|refentry) PUBLIC "-//OASIS//DTD DocBook XML V4.[25]//EN"\s+"http^<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"\n  "http^gms' man/*.xml
2019-03-14 14:42:05 +01:00
Zbigniew Jędrzejewski-Szmek
0307f79171 man: standarize on one-line license header
No need to waste space, and uniformity is good.

$ perl -i -0pe 's|\n+<!--\s*SPDX-License-Identifier: LGPL-2.1..\s*-->|\n<!-- SPDX-License-Identifier: LGPL-2.1+ -->|gms' man/*.xml
2019-03-14 14:29:37 +01:00
Lennart Poettering
c648d4d4c8 man: mention that DynamicUser= should not be mixed with ReadWriteDirectory= or AF_UNIX dir fd passing 2019-03-14 09:31:09 +01:00
Zbigniew Jędrzejewski-Szmek
fb6692ed33
Merge pull request #11927 from poettering/network-namespace-path
Add NetworkNamespacePath= to unit files
2019-03-12 14:29:14 +01:00
Lennart Poettering
8df87b4383 man: document that ProtectHostname= disables hostname change notifications 2019-03-08 15:49:10 +01:00
Lennart Poettering
4107452e51 man: document NetworkNamespacePath= 2019-03-07 21:27:02 +01:00
Lennart Poettering
eb5149ba74
Merge pull request #11682 from topimiettinen/private-utsname
core: ProtectHostname feature
2019-02-20 14:12:15 +01:00
Topi Miettinen
aecd5ac621 core: ProtectHostname= feature
Let services use a private UTS namespace. In addition, a seccomp filter is
installed on set{host,domain}name and a ro bind mounts on
/proc/sys/kernel/{host,domain}name.
2019-02-20 10:50:44 +02:00
Lennart Poettering
dcf3c3c3d9 core: export $PIDFILE env var for services, derived from PIDFile= 2019-02-15 11:32:19 +01:00
Zbigniew Jędrzejewski-Szmek
e0e2ecd5a8 man: move entries to the right section in systemd.directives
They were in "miscellaneuos" because of the missing class= assignment.
Probably introduced when the split into sections was done.
2019-02-13 11:17:41 +01:00
Yu Watanabe
d1698b82e6 man: add referecne to systemd-system.conf 2019-02-01 12:31:51 +01:00
Yu Watanabe
68d838f71d man: fix volume num of journalctl 2019-02-01 12:30:36 +01:00
Topi Miettinen
10d44e72ec Document weaknesses with MDWE and suggest hardening
Closes #11473
2019-01-21 11:37:46 +01:00
Philip Withnall
35f2c0ba6a man: Fix a typo in systemd.exec.xml
Signed-off-by: Philip Withnall <withnall@endlessm.com>
2019-01-16 21:33:38 +09:00
Alex Mayer
8d7fac92f0 Docs: Add Missing Space Between Words 2019-01-03 03:07:50 +09:00
Zbigniew Jędrzejewski-Szmek
0b57803630 man: add note about systemd-vconsole-setup.service and tty as input/output
Closes #10019.
2018-12-14 11:18:32 +01:00
Lennart Poettering
438311a518 man: document that env vars are not suitable for passing secrets
Prompted by the thread around:

https://lists.freedesktop.org/archives/systemd-devel/2018-November/041665.html
2018-11-14 09:12:49 +03:00
Lennart Poettering
0e18724eb1 man: emphasize the ReadOnlyPaths= mount propagation "hole"
This changes the ProtectSystem= documentation to refer in more explicit
words to the restrictions of ReadOnlyPath=, as sugegsted in #9857.

THis also extends the paragraph in ReadOnlyPath= that explains the hole.

Fixes: #9857
2018-10-30 15:30:18 +01:00
Lennart Poettering
d287820dec man: document that various sandboxing settings are not available in --user services
This is brief and doesn't go into detail, but should at least indicate
to those searching for it that some stuff is not available.

Fixes: #9870
2018-10-30 15:30:18 +01:00
Anita Zhang
90fc172e19 core: implement per unit journal rate limiting
Add LogRateLimitIntervalSec= and LogRateLimitBurst= options for
services. If provided, these values get passed to the journald
client context, and those values are used in the rate limiting
function in the journal over the the journald.conf values.

Part of #10230
2018-10-18 09:56:20 +02:00
Alan Jenkins
923f910115 man/systemd.exec: MountFlags=shared behaviour was changed (fixed?)
The behaviour described *was* observed on Fedora 28
(systemd-238-9.git0e0aa59), with and without SELinux.  I don't actually
know why though!  It contradicts my understanding of the code, including an
explicit comment in the code.

Testing in a VM upgraded to v239-792-g1327f272d, this behaviour goes away.


Test case:

# /etc/systemd/system/mount-test.service
[Service]
MountFlags=shared
Type=oneshot
ExecStart=/usr/bin/ls -l /proc/1/ns/mnt /proc/self/ns/mnt
ExecStart=/usr/bin/grep ext4 /proc/self/mountinfo


Weird old behaviour: new mount namespace but / is fully shared.

lrwxrwxrwx. 1 root root 0 Sep 14 11:18 /proc/1/ns/mnt -> mnt:[4026531840]
lrwxrwxrwx. 1 root root 0 Sep 14 11:48 /proc/self/ns/mnt ->
mnt:[4026532851]

968 967 253:0 / / rw,relatime shared:1 - ext4 /dev/mapper/alan_dell_2016...


Current behaviour: / is not fully shared

lrwxrwxrwx. 1 root root 0 Sep 14 11:39 /proc/1/ns/mnt -> mnt:[4026531840]
lrwxrwxrwx. 1 root root 0 Sep 14 11:41 /proc/self/ns/mnt ->
mnt:[4026532329]

591 558 8:3 / / rw,relatime shared:313 master:1 - ext4 /dev/sda3 rw,secl...
2018-10-05 17:38:38 +02:00
Yu Watanabe
d491e65e74 man: document RUNTIME_DIRECTORY= or friends 2018-09-13 17:02:58 +09:00
Lennart Poettering
2d2224e407 man: document that most sandboxing options are best effort only 2018-08-21 20:00:33 +02:00
Yu Watanabe
fe65e88ba6 namespace: implicitly adds DeviceAllow= when RootImage= is set
RootImage= may require the following settings
```
DeviceAllow=/dev/loop-control rw
DeviceAllow=block-loop rwm
DeviceAllow=block-blkext rwm
```
This adds the following settings implicitly when RootImage= is
specified.

Fixes #9737.
2018-08-06 14:02:31 +09:00
Zsolt Dollenstein
566b7d23eb Add support for opening files for appending
Addresses part of #8983
2018-07-20 03:54:22 -07:00
Lennart Poettering
9236cabf78 man: elaborate a bit on the effect of PrivateNetwork=
Triggered by this thread:

https://lists.freedesktop.org/archives/systemd-devel/2018-July/040992.html
2018-07-17 21:41:23 +02:00
Alexander Kurtz
1448dfa6bf man: Mention that paths in unit files must be fully normalized.
Related to issues #9107 and #9498 and PRs #9149 and #9157.
2018-07-05 22:55:26 +02:00
Zbigniew Jędrzejewski-Szmek
514094f933 man: drop mode line in file headers
This is already included in .dir-locals, so we don't need it
in the files themselves.
2018-07-03 01:32:25 +02:00
Lennart Poettering
705268414f seccomp: add new system call filter, suitable as default whitelist for system services
Currently we employ mostly system call blacklisting for our system
services. Let's add a new system call filter group @system-service that
helps turning this around into a whitelist by default.

The new group is very similar to nspawn's default filter list, but in
some ways more restricted (as sethostname() and suchlike shouldn't be
available to most system services just like that) and in others more
relaxed (for example @keyring is blocked in nspawn since it's not
properly virtualized yet in the kernel, but is fine for regular system
services).
2018-06-14 17:44:20 +02:00
Zbigniew Jędrzejewski-Szmek
fdbbee37d5 man: drop unused <authorgroup> tags from man sources
Docbook styles required those to be present, even though the templates that we
use did not show those names anywhere. But something changed semi-recently (I
would suspect docbook templates, but there was only a minor version bump in
recent years, and the changelog does not suggest anything related), and builds
now work without those entries. Let's drop this dead weight.

Tested with F26-F29, debian unstable.

$ perl -i -0pe 's/\s*<authorgroup>.*<.authorgroup>//gms' man/*xml
2018-06-14 12:22:18 +02:00
Lennart Poettering
0c69794138 tree-wide: remove Lennart's copyright lines
These lines are generally out-of-date, incomplete and unnecessary. With
SPDX and git repository much more accurate and fine grained information
about licensing and authorship is available, hence let's drop the
per-file copyright notice. Of course, removing copyright lines of others
is problematic, hence this commit only removes my own lines and leaves
all others untouched. It might be nicer if sooner or later those could
go away too, making git the only and accurate source of authorship
information.
2018-06-14 10:20:20 +02:00
Lennart Poettering
818bf54632 tree-wide: drop 'This file is part of systemd' blurb
This part of the copyright blurb stems from the GPL use recommendations:

https://www.gnu.org/licenses/gpl-howto.en.html

The concept appears to originate in times where version control was per
file, instead of per tree, and was a way to glue the files together.
Ultimately, we nowadays don't live in that world anymore, and this
information is entirely useless anyway, as people are very welcome to
copy these files into any projects they like, and they shouldn't have to
change bits that are part of our copyright header for that.

hence, let's just get rid of this old cruft, and shorten our codebase a
bit.
2018-06-14 10:20:20 +02:00
Zbigniew Jędrzejewski-Szmek
70127be805
Merge pull request #9153 from poettering/private-mounts
introduce PrivateMounts= setting and clean up documentation for MountFlags=
2018-06-13 08:20:18 +02:00
Michael Biebl
1b2ad5d9a5 doc: more spelling fixes 2018-06-12 16:31:30 +02:00
Lennart Poettering
2f2e14b251 man: document the new PrivateMounts= setting
Also, extend the documentation on MountFlags= substantially, hopefully
addressing all the questions of #4393

Fixes: #4393
2018-06-12 16:27:37 +02:00
Lennart Poettering
f86fae61ec tree-wide: drop trailing whitespace 2018-06-12 13:05:38 +02:00
Bruno Vernay
8d00da49fb Table is easier to grasp
State goes in CONFIG for users

3rd review
2018-06-11 13:52:55 +02:00
Yu Watanabe
d3c8afd092 man: RuntimeDirectory= or friends accept dot contained paths 2018-06-04 01:44:04 +09:00
Yu Watanabe
617d253afa load-fragment: make IOScheduling{Class,Priority}= accept the empty string 2018-05-31 11:09:41 +09:00
Lennart Poettering
cdc0f9be92
Merge pull request #8817 from yuwata/cleanup-nsflags
core: allow to specify RestrictNamespaces= multiple times
2018-05-24 16:49:13 +02:00
Lucas Werkmeister
8d29bef6b5 man: fix reference in StandardOutput=
Since StandardOutput=file:path is more similar to StandardInput= than
StandardInputText=, and only StandardInput= is actually documented above
StandardOutput= whereas StandardInputText= is documented below it, I
assume the intention was to refer to the former.
2018-05-14 08:11:37 +02:00
Yu Watanabe
b086654c6a man: fix merging rule for CapabilityBoundingSet= 2018-05-05 11:07:37 +09:00
Yu Watanabe
53255e53ce man: mention that RestrictNamespaces= can be specified multiple times 2018-05-05 11:07:37 +09:00
Lennart Poettering
46b073298f man: don't claim we'd set XDG_SEAT and XDG_VTNR as part of service management
Previously, reading through systemd.exec(5) one might get the idea that
XDG_SEAT and XDG_VTNR are part of the service management logic, but they
are not, they are only set if pam_systemd is part of a PAM stack an
pam_systemd is used.

Hence, let's drop these env vars from the list of env vars, and instead
add a paragraph after the list mentioning that pam_systemd might add
more systemd-specific env vars if included in the PAM stack for a
service that uses PAMName=.
2018-04-27 17:32:01 +02:00
Lennart Poettering
3e0bff7d0b man: document BSD exit codes in systemd.exec(5) too
Our own tools use them now, and we probably should encourage that, hence
let's document them along with the other exit codes we use.
2018-04-27 17:32:01 +02:00
Lennart Poettering
5d13a15b1d tree-wide: drop spurious newlines (#8764)
Double newlines (i.e. one empty lines) are great to structure code. But
let's avoid triple newlines (i.e. two empty lines), quadruple newlines,
quintuple newlines, …, that's just spurious whitespace.

It's an easy way to drop 121 lines of code, and keeps the coding style
of our sources a bit tigther.
2018-04-19 12:13:23 +02:00
Zbigniew Jędrzejewski-Szmek
11a1589223 tree-wide: drop license boilerplate
Files which are installed as-is (any .service and other unit files, .conf
files, .policy files, etc), are left as is. My assumption is that SPDX
identifiers are not yet that well known, so it's better to retain the
extended header to avoid any doubt.

I also kept any copyright lines. We can probably remove them, but it'd nice to
obtain explicit acks from all involved authors before doing that.
2018-04-06 18:58:55 +02:00
Yu Watanabe
e568a92d99 man: suggests TemporaryFileSystem= when people want to nest bind mounts inside InaccessiblePaths= (#8288)
Suggested by @sourcejedi in #8242.
Closes #7895, #7153, and #2780.
2018-02-27 08:59:03 +01:00
Alan Jenkins
59e00b2a16
Merge pull request #7908 from yuwata/rfe-7895
core: add TemporaryFileSystem= setting and 'tmpfs' option to ProtectHome=
2018-02-21 08:57:11 +00:00
Yu Watanabe
e4da7d8c79 core: add new option 'tmpfs' to ProtectHome=
This make ProtectHome= setting can take 'tmpfs'. This is mostly
equivalent to `TemporaryFileSystem=/home /run/user /root`.
2018-02-21 09:18:17 +09:00
Yu Watanabe
c10b460b5a man: add documents for TemporaryFileSystem= 2018-02-21 09:18:11 +09:00
Yu Watanabe
4ca763a902 core/namespace: make '-' prefix in Bind{,ReadOnly}Paths= work
Each path in `Bind{ReadOnly}Paths=` accept '-' prefix. However,
the prefix is completely ignored.
This makes it work as expected.
2018-02-21 09:07:56 +09:00
Lennart Poettering
00f5ad93b5 core: change KeyringMode= to "shared" by default for non-service units in the system manager (#8172)
Before this change all unit types would default to "private" in the
system service manager and "inherit" to in the user service manager.

With this change this is slightly altered: non-service units of the
system service manager are now run with KeyringMode=shared. This appears
to be the more appropriate choice as isolation is not as desirable for
mount tools, which regularly consume key material. After all mounts are
a shared resource themselves as they appear system-wide hence it makes a
lot of sense to share their key material too.

Fixes: #8159
2018-02-20 08:53:34 +01:00
Alan Jenkins
2428aaf8a2 seccomp: allow x86-64 syscalls on x32, used by the VDSO (fix #8060)
The VDSO provided by the kernel for x32, uses x86-64 syscalls instead of
x32 ones.

I think we can safely allow this; the set of x86-64 syscalls should be
very similar to the x32 ones.  The real point is not to allow *x86*
syscalls, because some of those are inconveniently multiplexed and we're
apparently not able to block the specific actions we want to.
2018-02-02 18:12:34 +00:00
Alan Jenkins
62a0680bf2 man: systemd.exec: cleanup "only X will be permitted" ... "but X=X+1"
> Only system calls of the *specified* architectures will be permitted to
> processes of this unit.

(my emphasis)

> Note that setting this option to a non-empty list implies that
> native is included too.

Attempting to use "implies" in the later sentence, in a way that
contradicts the very clear meaning of the earlier sentence... it's too
much.
2018-01-31 15:39:13 +00:00
Yu Watanabe
5af1644314 man: note that systemctl show does not overridden value
Fixes #7694.
2017-12-19 16:07:04 +09:00
Yu Watanabe
69b528832a man: LockPersonality= implies NoNewPrivileges= 2017-12-19 12:48:54 +09:00
Lennart Poettering
f95b0be742 man: "systemd" is to be written in all lower-case, even at beginnings of sentences
This very important commit is very important.
2017-12-13 17:42:04 +01:00
Yu Watanabe
bf2d3d7cae man: fix typo 2017-12-05 23:30:47 +09:00
Yu Watanabe
606df9a5a5 man: fix typo (#7511) 2017-11-30 12:02:20 +01:00
Lennart Poettering
b8afec2107 man: reorder/add sections to systemd.exec(5) (#7412)
The long long list of settings is getting too confusing, let's add some
sections and reorder things in them.

This makes no changes regarding contents, it only reorders things,
sometimes reindents them, and adds sections that made sense to me to
some degree.

Within each sections the settings are ordered by relevance (at least
according to how relevant I personally find them), and not
alphabetically.
2017-11-23 21:20:48 +01:00
Lennart Poettering
0133d5553a
Merge pull request #7198 from poettering/stdin-stdout
Add StandardInput=data, StandardInput=file:... and more
2017-11-19 19:49:11 +01:00
Zbigniew Jędrzejewski-Szmek
572eb058cf Add SPDX license identifiers to man pages 2017-11-19 19:08:15 +01:00
Zbigniew Jędrzejewski-Szmek
a6fabe384d man: add link to kernel docs about no_new_privs 2017-11-19 11:58:45 +01:00
Lennart Poettering
fc8d038130 man: document all the new options we acquired 2017-11-17 11:13:44 +01:00
Lennart Poettering
8b8de13d54 man: document LogFieldMax= and LogExtraFields= 2017-11-16 12:40:17 +01:00
Lennart Poettering
4d14b2bd35 man: update SyslogXYZ= documentation a bit
Let's clarify that these settings only apply to stdout/stderr logging.
Always mention the journal before syslog (as the latter is in most ways
just a legacy alias these days). Always mention the +console cases too.
2017-11-16 12:40:17 +01:00
Yu Watanabe
798499278a man: fix wrong tag (#7358) 2017-11-16 11:35:30 +01:00
Lennart Poettering
b0e8cec2dd man: document > /dev/stderr pitfalls (#7317)
Fixes: #7254
See: #2473
2017-11-14 10:51:09 +01:00
Zbigniew Jędrzejewski-Szmek
b835eeb4ec
shared/seccomp: disallow pkey_mprotect the same as mprotect for W^X mappings (#7295)
MemoryDenyWriteExecution policy could be be bypassed by using pkey_mprotect
instead of mprotect to create an executable writable mapping.

The impact is mitigated by the fact that the man page says "Note that this
feature is fully available on x86-64, and partially on x86", so hopefully
people do not rely on it as a sole security measure.

Found by Karin Hossen and Thomas Imbert from Sogeti ESEC R&D.

https://bugs.launchpad.net/bugs/1725348
2017-11-12 17:28:48 +01:00
Yu Watanabe
3df90f24cc core: allow to specify errno number in SystemCallErrorNumber= 2017-11-11 21:54:24 +09:00
Yu Watanabe
8cfa775f4f core: add support to specify errno in SystemCallFilter=
This makes each system call in SystemCallFilter= blacklist optionally
takes errno name or number after a colon. The errno takes precedence
over the one given by SystemCallErrorNumber=.

C.f. #7173.
Closes #7169.
2017-11-11 21:54:12 +09:00
Yu Watanabe
fdfcb94631 man: update documents for RuntimeDirectory= and friends 2017-11-08 15:52:08 +09:00
Zbigniew Jędrzejewski-Szmek
895265ad7d Merge pull request #7059 from yuwata/dynamic-user-7013
dynamic-user: permit the case static uid and gid are different
2017-10-18 08:37:12 +02:00
Yu Watanabe
3bd493dc93 man: comment a requirement about the static user or group when DynamicUser=yes 2017-10-18 15:30:00 +09:00
Jakub Wilk
dcfaecc70a man: fix typos (#7029) 2017-10-10 21:59:03 +02:00
Lennart Poettering
44898c5358 seccomp: add three more seccomp groups
@aio → asynchronous IO calls
@sync → msync/fsync/... and friends
@chown → changing file ownership

(Also, change @privileged to reference @chown now, instead of the
individual syscalls it contains)
2017-10-05 15:42:48 +02:00
Djalal Harouni
09d3020b0a seccomp: remove '@credentials' syscall set (#6958)
This removes the '@credentials' syscall set that was added in commit
v234-468-gcd0ddf6f75.

Most of these syscalls are so simple that we do not want to filter them.
They work on the current calling process, doing only read operations,
they do not have a deep kernel path.

The problem may only be in 'capget' syscall since it can query arbitrary
processes, and used to discover processes, however sending signal 0 to
arbitrary processes can be used to discover if a process exists or not.
It is unfortunate that Linux allows to query processes of different
users. Lets put it now in '@process' syscall set, and later we may add
it to a new '@basic-process' set that allows most basic process
operations.
2017-10-03 07:20:05 +02:00
Lennart Poettering
4a62836033 man: document the new logic 2017-10-02 17:41:44 +02:00
Lennart Poettering
5aaeeffb5f man: document that PAMName= and NotifyAccess=all don't mix well.
See: #6045
2017-10-02 12:58:42 +02:00
Zbigniew Jędrzejewski-Szmek
3d7d3cbbda Merge pull request #6832 from poettering/keyring-mode
Add KeyringMode unit property to fix cryptsetup key caching
2017-09-15 21:24:48 +02:00
Lennart Poettering
b1edf4456e core: add new per-unit setting KeyringMode= for controlling kernel keyring setup
Usually, it's a good thing that we isolate the kernel session keyring
for the various services and disconnect them from the user keyring.
However, in case of the cryptsetup key caching we actually want that
multiple instances of the cryptsetup service can share the keys in the
root user's user keyring, hence we need to be able to disable this logic
for them.

This adds KeyringMode=inherit|private|shared:

    inherit: don't do any keyring magic (this is the default in systemd --user)
    private: a private keyring as before (default in systemd --system)
    shared: the new setting
2017-09-15 16:53:35 +02:00
Jan Synacek
91a8f867b6 doc: document service exit codes
(Heavily reworked by Lennart while rebasing)

Fixes: #3545
Replaces: #5159
2017-09-15 16:44:06 +02:00
Lennart Poettering
ab2116b140 core: make sure that $JOURNAL_STREAM prefers stderr over stdout information (#6824)
If two separate log streams are connected to stdout and stderr, let's
make sure $JOURNAL_STREAM points to the latter, as that's the preferred
log destination, and the environment variable has been created in order
to permit services to automatically upgrade from stderr based logging to
native journal logging.

Also, document this behaviour.

Fixes: #6800
2017-09-15 08:26:38 +02:00
Lennart Poettering
21f0669163 Merge pull request #6801 from johnlinp/master
man: explicitly distinguish "implicit dependencies" and "default dependencies"
2017-09-14 21:41:13 +02:00
Zbigniew Jędrzejewski-Szmek
8b5c528ce8 Merge pull request #6818 from poettering/nspawn-whitelist
convert nspawn syscall blacklist into a whitelist (and related stuff)
2017-09-14 19:47:59 +02:00
Lennart Poettering
cd0ddf6f75 seccomp: add four new syscall groups
These groups should be useful shortcuts for sets of closely related
syscalls where it usually makes more sense to allow them altogether or
not at all.
2017-09-14 15:45:21 +02:00
Lennart Poettering
00819cc151 core: add new UnsetEnvironment= setting for unit files
With this setting we can explicitly unset specific variables for
processes of a unit, as last step of assembling the environment block
for them. This is useful to fix #6407.

While we are at it, greatly expand the documentation on how the
environment block for forked off processes is assembled.
2017-09-14 15:17:40 +02:00
Zbigniew Jędrzejewski-Szmek
e124ccdf5b man: rework grammatical form of sentences in a table in systemd.exec(5)
"Currently, the following values are defined: xxx: in case <condition>" is
awkward because "xxx" is always defined unconditionally. It is _used_ in case
<condition> is true. Correct this and a bunch of other places where the
sentence structure makes it unclear what is the subject of the sentence.
2017-09-13 23:06:20 +02:00
John Lin
45f09f939b man: explicitly distinguish "implicit dependencies" and "default dependencies"
Fixes: #6793
2017-09-13 11:39:09 +08:00
Lennart Poettering
38a7c3c0bd man: complete and rework $SERVICE_RESULT documentation
This reworks the paragraph describing $SERVICE_RESULT into a table, and
adds two missing entries: "success" and "start-limit-hit".

These two entries are then also added to the table explaining the
$EXIT_CODE + $EXIT_STATUS variables.

Fixes: #6597
2017-09-12 18:04:26 +02:00
Yu Watanabe
de7070b49a man: add examples for CapabilityBoundingSet=
Follow-up for c792ec2e35.
2017-09-04 16:20:55 +09:00
Yu Watanabe
e8d85bc062 man: LockPersonality= takes a boolean argument (#6718)
Follow-up for 78e864e5b3.
2017-09-01 09:38:41 +02:00
Yu Watanabe
ada5e27657 core: StateDirectory= and friends imply RequiresMountsFor= 2017-08-31 18:19:35 +09:00
Topi Miettinen
78e864e5b3 seccomp: LockPersonality boolean (#6193)
Add LockPersonality boolean to allow locking down personality(2)
system call so that the execution domain can't be changed.
This may be useful to improve security because odd emulations
may be poorly tested and source of vulnerabilities, while
system services shouldn't need any weird personalities.
2017-08-29 15:54:50 +02:00
Diogo Pereira
c29ebc1a10 Fix typo in man/systemd.exec.xml (#6683) 2017-08-28 18:38:29 +02:00
Lennart Poettering
6eaaeee93a seccomp: add new @setuid seccomp group
This new group lists all UID/GID credential changing syscalls (which are
quite a number these days). This will become particularly useful in a
later commit, which uses this group to optionally permit user credential
changing to daemons in case ambient capabilities are not available.
2017-08-10 15:02:50 +02:00
Yu Watanabe
2d35b79cdc man: DynamicUser= does not imply PrivateDevices= (#6510)
Follow-up for effbd6d2ea.
2017-08-07 11:02:47 +02:00
Yu Watanabe
3536f49e8f core: add {State,Cache,Log,Configuration}Directory= (#6384)
This introduces {State,Cache,Log,Configuration}Directory= those are
similar to RuntimeDirectory=. They create the directories under
/var/lib, /var/cache/, /var/log, or /etc, respectively, with the mode
specified in {State,Cache,Log,Configuration}DirectoryMode=.

This also fixes #6391.
2017-07-18 14:34:52 +02:00
Lennart Poettering
7398320f9a Merge pull request #6328 from yuwata/runtime-preserve
core: Allow preserving contents of RuntimeDirectory over process restart
2017-07-17 10:02:19 +02:00
Yu Watanabe
23a7448efa core: support subdirectories in RuntimeDirectory= option 2017-07-17 16:30:53 +09:00
Yu Watanabe
53f47dfc7b core: allow preserving contents of RuntimeDirectory= over process restart
This introduces RuntimeDirectoryPreserve= option which takes a boolean
argument or 'restart'.

Closes #6087.
2017-07-17 16:22:25 +09:00
Lucas Werkmeister
ceabfb889d Fix spelling (#6378) 2017-07-15 12:29:09 -04:00
Lennart Poettering
6297d07b82 Merge pull request #6300 from keszybz/refuse-to-load-some-units
Refuse to load some units
2017-07-12 09:28:20 +02:00
Zbigniew Jędrzejewski-Szmek
b023856884 man: add warnings that Private*= settings are not always applied 2017-07-11 13:38:13 -04:00
Lennart Poettering
565dab8ef4 man: briefly document permitted user/group name syntax for User=/Group= and syusers.d (#6321)
As discussed here:

https://lists.freedesktop.org/archives/systemd-devel/2017-July/039237.html
2017-07-10 13:44:06 -04:00
Zbigniew Jędrzejewski-Szmek
189cd8c2ab man: describe RuntimeDirectoryMode=
Fixes #5509.
2017-06-17 15:23:02 -04:00
Zbigniew Jędrzejewski-Szmek
03c3c52040 man: update MemoryDenyWriteExecute description for executable stacks
Without going into details, mention that libraries are also covered by the
filters, and that executable stacks are a no no.

Closes #5970.
2017-05-30 16:44:48 -04:00
Zbigniew Jędrzejewski-Szmek
98e9d71022 man: fix links to external man pages
linkchecker ftw!
2017-05-07 11:29:40 -04:00
James Cowgill
a3645cc6dd seccomp: add clone syscall definitions for mips (#5880)
Also updates the documentation and adds a mention of ppc64 support
which was enabled by #5325.

Tested on Debian mipsel and mips64el. The other 4 mips architectures
should have an identical user <-> kernel ABI to one of the 2 tested
systems.
2017-05-03 18:35:45 +02:00
Mark Stosberg
b8e485faf1 man: document how to include an equals sign in a value provided to Environment= (#5710)
It wasn't clear before how an equals sign in an "Environment=" value might be
handled. Ref:
http://stackoverflow.com/questions/43278883/how-to-write-systemd-environment-variables-value-which-contains/43280157
2017-04-11 23:19:06 +02:00
Torstein Husebø
6cf5a96489 man: fix typo (#5556) 2017-03-08 07:54:22 -05:00
Lennart Poettering
525872bfab man: document that ProtectKernelTunables= and ProtectControlGroups= implies MountAPIVFS=
See: #5384
2017-02-21 21:55:43 +01:00
AsciiWolf
28a0ad81ee man: use https:// in URLs 2017-02-21 16:28:04 +01:00
Lennart Poettering
0b8fab97cf man: improve documentation on seccomp regarding alternative ABIs
Let's clarify that RestrictAddressFamilies= and MemoryDenyWriteExecute=
are only fully effective if non-native system call architectures are
disabled, since they otherwise may be used to circumvent the filters, as
the filters aren't equally effective on all ABIs.

Fixes: #5277
2017-02-09 18:42:17 +01:00
Lennart Poettering
23deef88b9 Revert "core/execute: set HOME, USER also for root users"
This reverts commit 8b89628a10.

This broke #5246
2017-02-09 11:43:44 +01:00
Zbigniew Jędrzejewski-Szmek
fc6149a6ce Merge pull request #4962 from poettering/root-directory-2
Add new MountAPIVFS= boolean unit file setting + RootImage=
2017-02-08 23:05:05 -05:00
Zbigniew Jędrzejewski-Szmek
ef3116b5d4 man: add more commas for clarify and reword a few sentences 2017-02-08 22:53:16 -05:00
Lennart Poettering
ae9d60ce4e seccomp: on s390 the clone() parameters are reversed
Add a bit of code that tries to get the right parameter order in place
for some of the better known architectures, and skips
restrict_namespaces for other archs.

This also bypasses the test on archs where we don't know the right
order.

In this case I didn't bother with testing the case where no filter is
applied, since that is hopefully just an issue for now, as there's
nothing stopping us from supporting more archs, we just need to know
which order is right.

Fixes: #5241
2017-02-08 22:21:27 +01:00
Lennart Poettering
8a50cf6957 seccomp: MemoryDenyWriteExecute= should affect both mmap() and mmap2() (#5254)
On i386 we block the old mmap() call entirely, since we cannot properly
filter it. Thankfully it hasn't been used by glibc since quite some
time.

Fixes: #5240
2017-02-08 15:14:02 +01:00
Lennart Poettering
915e6d1676 core: add RootImage= setting for using a specific image file as root directory for a service
This is similar to RootDirectory= but mounts the root file system from a
block device or loopback file instead of another directory.

This reuses the image dissector code now used by nspawn and
gpt-auto-discovery.
2017-02-07 12:19:42 +01:00
Lennart Poettering
5d997827e2 core: add a per-unit setting MountAPIVFS= for mounting /dev, /proc, /sys in conjunction with RootDirectory=
This adds a boolean unit file setting MountAPIVFS=. If set, the three
main API VFS mounts will be mounted for the service. This only has an
effect on RootDirectory=, which it makes a ton times more useful.

(This is basically the /dev + /proc + /sys mounting code posted in the
original #4727, but rebased on current git, and with the automatic logic
replaced by explicit logic controlled by a unit file setting)
2017-02-07 11:22:05 +01:00
Lennart Poettering
142bd808a1 man: Document that RestrictAddressFamilies= doesn't work on s390/s390x/...
We already say that it doesn't work on i386, but there are more archs
like that apparently.
2017-02-06 14:17:12 +01:00
Zbigniew Jędrzejewski-Szmek
8b89628a10 core/execute: set HOME, USER also for root users
This changes the environment for services running as root from:

LANG=C.utf8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
INVOCATION_ID=ffbdec203c69499a9b83199333e31555
JOURNAL_STREAM=8:1614518

to

LANG=C.utf8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
HOME=/root
LOGNAME=root
USER=root
SHELL=/bin/sh
INVOCATION_ID=15a077963d7b4ca0b82c91dc6519f87c
JOURNAL_STREAM=8:1616718

Making the environment special for the root user complicates things
unnecessarily. This change simplifies both our logic (by making the setting
of the variables unconditional), and should also simplify the logic in
services (particularly scripts).

Fixes #5124.
2017-02-03 11:49:22 -05:00
Brandon Philips
9806301614 man: fix spelling error parth -> path 2017-02-02 00:54:42 +01:00
Jakub Wilk
301a21a880 man: fix typos (#5109) 2017-01-19 16:54:22 +01:00
Zbigniew Jędrzejewski-Szmek
5b3637b44a Merge pull request #4991 from poettering/seccomp-fix 2017-01-17 23:10:46 -05:00
Zbigniew Jędrzejewski-Szmek
374e692252 Merge pull request #5009 from ian-kelling/ian-mnt-namespace-doc 2017-01-11 15:23:00 -05:00
Ian Kelling
fa2a396620 doc: MountFlags= don't reference container which may not exist (#5011) 2017-01-03 21:32:31 +01:00
Ian Kelling
7141028d30 doc: correct "or" to "and" in MountFlags= description (#5010) 2017-01-03 21:31:20 +01:00
Ian Kelling
4b957756b8 man: document mount deletion between commands 2017-01-03 02:17:50 -08:00
Martin Pitt
56a9366d7d Merge pull request #4994 from poettering/private-tmp-tmpfiles
automatically clean up PrivateTmp= left-overs in /var/tmp on next boot
2016-12-29 11:18:38 +01:00
Lennart Poettering
9eb484fa40 man: add brief documentation for the (sd-pam) processes created due to PAMName= (#4967)
A follow-up for #4942, adding a brief but more correct explanation of
the processes.
2016-12-29 10:55:27 +01:00
Lennart Poettering
d71f050599 core: implicitly order units with PrivateTmp= after systemd-tmpfiles-setup.service
Preparation for fixing #4401.
2016-12-27 23:25:24 +01:00
Lennart Poettering
bd2ab3f4f6 seccomp: add two new filter sets: @reboot and @swap
These groupe reboot()/kexec() and swapon()/swapoff() respectively
2016-12-27 18:09:37 +01:00
Lennart Poettering
d2d6c096f6 core: add ability to define arbitrary bind mounts for services
This adds two new settings BindPaths= and BindReadOnlyPaths=. They allow
defining arbitrary bind mounts specific to particular services. This is
particularly useful for services with RootDirectory= set as this permits making
specific bits of the host directory available to chrooted services.

The two new settings follow the concepts nspawn already possess in --bind= and
--bind-ro=, as well as the .nspawn settings Bind= and BindReadOnly= (and these
latter options should probably be renamed to BindPaths= and BindReadOnlyPaths=
too).

Fixes: #3439
2016-12-14 00:54:10 +01:00
Jouke Witteveen
a4e26faf33 man: fix $SERVICE_RESULT/$EXIT_CODE/$EXIT_STATUS documentation
Note that any exit code is available through $EXIT_STATUS and not through
$EXIT_CODE. This mimics siginfo.
2016-12-06 13:37:14 +01:00
Jouke Witteveen
7ed0a4c537 bus-util: add protocol error type explanation 2016-11-29 23:19:52 +01:00
Jouke Witteveen
e0c7d5f7be man: document protocol error type for service failures (#4724) 2016-11-23 22:51:33 +01:00
Lennart Poettering
1a1b13c957 seccomp: add @filesystem syscall group (#4537)
@filesystem groups various file system operations, such as opening files and
directories for read/write and stat()ing them, plus renaming, deleting,
symlinking, hardlinking.
2016-11-21 19:29:12 -05:00
Lennart Poettering
5327c910d2 namespace: simplify, optimize and extend handling of mounts for namespace
This changes a couple of things in the namespace handling:

It merges the BindMount and TargetMount structures. They are mostly the same,
hence let's just use the same structue, and rely on C's implicit zero
initialization of partially initialized structures for the unneeded fields.

This reworks memory management of each entry a bit. It now contains one "const"
and one "malloc" path. We use the former whenever we can, but use the latter
when we have to, which is the case when we have to chase symlinks or prefix a
root directory. This means in the common case we don't actually need to
allocate any dynamic memory. To make this easy to use we add an accessor
function bind_mount_path() which retrieves the right path string from a
BindMount structure.

While we are at it, also permit "+" as prefix for dirs configured with
ReadOnlyPaths= and friends: if specified the root directory of the unit is
implicited prefixed.

This also drops set_bind_mount() and uses C99 structure initialization instead,
which I think is more readable and clarifies what is being done.

This drops append_protect_kernel_tunables() and
append_protect_kernel_modules() as append_static_mounts() is now simple enough
to be called directly.

Prefixing with the root dir is now done in an explicit step in
prefix_where_needed(). It will prepend the root directory on each entry that
doesn't have it prefixed yet. The latter is determined depending on an extra
bit in the BindMount structure.
2016-11-17 18:08:32 +01:00
Djalal Harouni
8526555680 doc: move ProtectKernelModules= documentation near ProtectKernelTunalbes= 2016-11-15 15:04:41 +01:00
Djalal Harouni
a7db8614f3 doc: note when no new privileges is implied 2016-11-15 15:04:35 +01:00
Lennart Poettering
add005357d core: add new RestrictNamespaces= unit file setting
This new setting permits restricting whether namespaces may be created and
managed by processes started by a unit. It installs a seccomp filter blocking
certain invocations of unshare(), clone() and setns().

RestrictNamespaces=no is the default, and does not restrict namespaces in any
way. RestrictNamespaces=yes takes away the ability to create or manage any kind
of namspace. "RestrictNamespaces=mnt ipc" restricts the creation of namespaces
so that only mount and IPC namespaces may be created/managed, but no other
kind of namespaces.

This setting should be improve security quite a bit as in particular user
namespacing was a major source of CVEs in the kernel in the past, and is
accessible to unprivileged processes. With this setting the entire attack
surface may be removed for system services that do not make use of namespaces.
2016-11-04 07:40:13 -06:00
Zbigniew Jędrzejewski-Szmek
cf88547034 Merge pull request #4548 from keszybz/seccomp-help
systemd-analyze syscall-filter
2016-11-03 20:27:45 -04:00
Kees Cook
d974f949f1 doc: clarify NoNewPrivileges (#4562)
Setting no_new_privs does not stop UID changes, but rather blocks
gaining privileges through execve(). Also fixes a small typo.
2016-11-03 20:26:59 -04:00
Zbigniew Jędrzejewski-Szmek
d5efc18b60 seccomp-util, analyze: export comments as a help string
Just to make the whole thing easier for users.
2016-11-03 09:35:36 -04:00
Zbigniew Jędrzejewski-Szmek
869feb3388 analyze: add syscall-filter verb
This should make it easier for users to understand what each filter
means as the list of syscalls is updated in subsequent systemd versions.
2016-11-03 09:35:35 -04:00
Lennart Poettering
2ca8dc15f9 man: document that too strict system call filters may affect the service manager
If execve() or socket() is filtered the service manager might get into trouble
executing the service binary, or handling any failures when this fails. Mention
this in the documentation.

The other option would be to implicitly whitelist all system calls that are
required for these codepaths. However, that appears less than desirable as this
would mean socket() and many related calls have to be whitelisted
unconditionally. As writing system call filters requires a certain level of
expertise anyway it sounds like the better option to simply document these
issues and suggest that the user disables system call filters in the service
temporarily in order to debug any such failures.

See: #3993.
2016-11-02 08:55:24 -06:00
Lennart Poettering
133ddbbeae seccomp: add two new syscall groups
@resources contains various syscalls that alter resource limits and memory and
scheduling parameters of processes. As such they are good candidates to block
for most services.

@basic-io contains a number of basic syscalls for I/O, similar to the list
seccomp v1 permitted but slightly more complete. It should be useful for
building basic whitelisting for minimal sandboxes
2016-11-02 08:50:00 -06:00
Lennart Poettering
aa6b9cec88 man: two minor fixes 2016-11-02 08:50:00 -06:00
Lennart Poettering
cd5bfd7e60 seccomp: include pipes and memfd in @ipc
These system calls clearly fall in the @ipc category, hence should be listed
there, simply to avoid confusion and surprise by the user.
2016-11-02 08:50:00 -06:00
Lennart Poettering
a8c157ff30 seccomp: drop execve() from @process list
The system call is already part in @default hence implicitly allowed anyway.
Also, if it is actually blocked then systemd couldn't execute the service in
question anymore, since the application of seccomp is immediately followed by
it.
2016-11-02 08:49:59 -06:00