| Commit message | Author | Age | Files | Lines |
Bumps [github/super-linter](https://github.com/github/super-linter) from 4.8.1 to 4.8.3.
- [Release notes](https://github.com/github/super-linter/releases)
- [Changelog](https://github.com/github/super-linter/blob/main/docs/release-process.md)
- [Commits](https://github.com/github/super-linter/compare/fd9c4286d3de3fdd9258a395570cae287f13f974...7d5dc989c55aaba9d3b7194a7496cdfaa4866af3)
---
updated-dependencies:
- dependency-name: github/super-linter
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
homed: default to btrfs compression
This adds an easy way to override the default mount options to use for
LUKS home dirs via the env vars SYSTEMD_HOME_MOUNT_OPTIONS_EXT4,
SYSTEMD_HOME_MOUNT_OPTIONS_BTRFS, SYSTEMD_HOME_MOUNT_OPTIONS_XFS.
See: #15120
This follows what Fedora did with 34: enables compression by default,
lowering IO bandwidth and reducing disk space use, at the price of
slightly higher CPU use.
https://fedoraproject.org/wiki/Changes/BtrfsTransparentCompression
This adds two new helpers: keyring_read() for reading key data from a
keyring entry, and TAKE_KEY_SERIAL, which is what TAKE_FD is for fds, but
for key_serial_t.
The former is immediately used by ask-password-api.c
Improve systemd-binfmt logging, fix exit value
In delete_rule(), we already checked that the rule name is a valid file name
(i.e. no slashes), so we can just trivially append.
Also, let's always reject rules that we would later fail to delete. It's
probably better to avoid such confusion.
And print the operations we do with file name and line number. I hope this
helps with cases like https://github.com/systemd/systemd/pull/21178. At least
we'll know what rule failed.
```
$ sudo SYSTEMD_LOG_LEVEL=debug build/systemd-binfmt
Flushed all binfmt_misc rules.
Applying /etc/binfmt.d/kshcomp.conf…
/etc/binfmt.d/kshcomp.conf:1: binary format 'kshcomp' registered.
```
Positive values are mapped to 0 by DEFINE_MAIN_FUNCTION(), so e.g.
systemd-binfmt --foobar would "succeed".
We need random access read/write files, and compression sucks for that,
hence disable it on the underlying files.
Compression in the home directory might be desirable, but if so it
should be done *inside* the home dir fs, not on the underlying fs.
CID#1465793
CID#1465794
CID#1465795
make pid1 namespace code independent of umask
Inspired by the test case described in #19899
Let's make all code in namespace.c robust towards weird umask. This
doesn't matter too much given that the parent dirs we deal here almost
certainly exist anyway, but let's clean this up anyway and make it fully
clean.
Let's reset the umask during the whole namespace_setup() logic, so that
all our mkdir() + mknod() are not subjected to whatever umask might
currently be set.
This mostly moves the umask save/restore logic out of
mount_private_dev() and into the stack frame of namespace_setup() that
is further out.
Fixes #19899
ci: pin labeler
to let Dependabot keep track of them using SHAs
codeql-actions doesn't point to SHAs because it isn't clear
whether Dependabot supports their release cycle mentioned
at https://github.com/github/codeql-action/issues/307
Turns out GHActions where `pull_request_target` is used are capable
of pwning repositories: https://securitylab.github.com/research/github-actions-preventing-pwn-requests/
labeler doesn't check out the source code or build anything so
it's safe in its current form but to avoid surprises let's just pin
it to the latest version. It's annoying to manage dependencies like this
manually so additionally dependabot.yml is introduced to make it
easier to keep GHActions up to date more or less automatically:
https://docs.github.com/en/code-security/supply-chain-security/keeping-your-dependencies-updated-automatically/keeping-your-actions-up-to-date-with-dependabot
Update also manual page to explain how the transition can still fail.
ether-addr-util: fix ether_addr_is_local()
Follow-up for 1f86a3fe52c71af7f46381bf45c2efe580a19dcc.
https://github.com/github/codeql-action
Apparently to judge from a couple of warnings I haven't seen
before it's a bit different from LGTM.
Some typos are also fixed.
We have two different places where we re-trigger the run queue now.
Let's unify it under a common function that is part of the Manager
code.
Follow-up for #20953
Delay running mount start jobs when the /p/s/mountinfo event source is rate limited
start jobs
Fixes #20329
is in effect
Up until now the main reason why we didn't proceed with starting the
unit was an exceeded start limit burst. However, for unit types like mounts
the other reason could be an effective ratelimit on the /proc/self/mountinfo
event source. That means our mount unit state may not reflect the current
kernel state. Hence, we need to attempt to re-run the start job again
after the ratelimit on the event source expires.
As we will be introducing another reason besides the start limit, let's rename
the virtual function that implements the check.
systemd-run --scope --user failed to run in system 249.6, cf. #21297. Add tests
for systemd-run --scope and systemd-run --scope --user to make sure this does
not regress again.
sd-boot/bootspec: os-release parsing fixes
I think we should stick to the rule that stuff defined in
types-fundamental.h either:
1. adds a prefixed concept "sd_xyz" that maps differently in the two
environments
2. adds a non-prefixed concept "xyz" that adds a type otherwise missing
in one of the two environments but with the same definition as in the
other.
i.e. if we have some concept that might differ in the way it's set up in
the two environments it really should be prefixed by "sd_" to make clear
it has semantics we defined. Only drop the prefix if it really means the
exact same thing in all environments.
Now, sd_bool is defined prefixed, because it's either mapped to "BOOLEAN"
(which is an integer) in UEFI or "bool" (which is C99 _Bool) in
userspace. size_t is not defined prefixed, because it's mapped to the
same thing ultimately (on UEFI it's mapped to UINTN, but that in turn
is defined as being the type for the size of memory objects, thus it's
really the same as userspace size_t).
So far "true" and "false" were defined unprefixed even though they map
to values of different types. typeof(true) in userspace would reveal
_Bool, but typeof(false) in UEFI would reveal BOOLEAN. The distinction
actually does matter in comparisons (i.e. (_Bool) 1 == (_Bool) 2 holds
while (BOOLEAN) 1 == (BOOLEAN) 2 does not hold).
Hence, let's add sd_true and sd_false, thus indicating we defined our
own concept here, and it has similar but different semantics in UEFI and
in userspace.
"type.h" is a very generic name, but this header is very specific to
making the "fundamental" stuff work: it maps generic types in two
distinct ways. Hence let's make clear in the header name already what
this is about.
Let's parse the same fields and use them the same way as in sd-boot.
Fixes: #20093
log message
Let's make sure IMAGE_ID/IMAGE_VERSION are properly honoured, and
explain in a long comment why.
Let's also use ID= field again, which was lost by accident.
(While we are at it do some minimal OOM checks wherever we touch
something)
Unfortunately they forgot the "const" decoration on the MetaiMatch()
prototype, but let that omission not leak into our code, let's hide it
away in the innermost use.
core, bpf: fix bpf-foreign cgroup controller realization
Tests:
```
% stat --file-system --format="%T" /root/bpf/trivial/
bpf_fs
% systemd-nspawn -D/ --volatile=yes \
--property=BPFProgram=egress:/root/bpf/trivial/cgroup_skb_egress \
--quiet -- ping -c 5 -W 1 ::1
PING ::1(::1) 56 data bytes
--- ::1 ping statistics ---
5 packets transmitted, 0 received, 100% packet loss, time 4110ms
```
```
% stat --file-system --format='%T' /root/meh
btrfs
% systemd-nspawn -D/ --volatile=yes --property=BPFProgram=egress:/root/meh \
--quiet -- ping -c 5 -W 1 ::1
```
```
sudo ./build/systemd-nspawn \
-D/ --volatile=yes --property=BPFProgram=egress:/home/hex --quiet -- \
ping -c 1 -W 1 ::1
PING ::1(::1) 56 data bytes
64 bytes from ::1: icmp_seq=1 ttl=64 time=0.017 ms
--- ::1 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
```