Commit message | Author | Age | Files | Lines
* ask-password: prevent buffer overrow when reading from keyring [v239-18.2] | Thadeu Lima de Souza Cascardo | 2019-11-29 | 1 | -1/+1
  When we read from keyring, a temporary buffer is allocated in order to determine the size needed for the entire data. However, when zeroing that area, we use the data size returned by the read instead of the lesser size allocated for the buffer.
  That will cause memory corruption that causes systemd-cryptsetup to crash either when a single large password is used or when multiple passwords have already been pushed to the keyring.
  Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
  (cherry picked from commit 59c55e73eaee345e1ee67c23eace8895ed499693)
  (cherry picked from commit c6c8e0d097d6ba12471c6112c3fd339ea40329d5)
  Resolves: #1777037
* resolved: query polkit only after parsing the data [v239-18.1] | Zbigniew Jędrzejewski-Szmek | 2019-11-05 | 1 | -9/+9
  That's what we do everywhere else because it leads to nicer user experience.
  Related: #1746857
* resolved: allow access to Set*Link and Revert methods through polkit | Zbigniew Jędrzejewski-Szmek | 2019-11-05 | 3 | -21/+197
  This matches what is done in networkd very closely. In fact even the policy descriptions are all identical (with s/network/resolve), except for the last one: resolved has org.freedesktop.resolve1.revert while networkd has org.freedesktop.network1.revert-ntp and org.freedesktop.network1.revert-dns so the description is a bit different.
  Conflicts:
    src/resolve/resolved-bus.c
    src/resolve/resolved-link-bus.c
  Related: #1746857
* resolved: do not run loop twice | Zbigniew Jędrzejewski-Szmek | 2019-11-05 | 1 | -7/+6
  This doesn't matter much, but let's just do the loop once and allocate and populate the result set on the fly. If we find an error, it'll get cleaned up automatically.
  Related: #1746857
* sd-bus: adjust indentation of comments | Zbigniew Jędrzejewski-Szmek | 2019-11-05 | 2 | -5/+5
  Related: #1746857
* shared/but-util: drop trusted annotation from bus_open_system_watch_bind_with_description() | Zbigniew Jędrzejewski-Szmek | 2019-11-05 | 1 | -4/+0
  https://bugzilla.redhat.com/show_bug.cgi?id=1746057
  This only affects systemd-resolved. bus_open_system_watch_bind_with_description() is also used in timesyncd, but it has no methods, only read-only properties, and in networkd, but it annotates all methods with SD_BUS_VTABLE_UNPRIVILEGED and does polkit checks.
  Resolves: #1746857
* journal: rely on _cleanup_free_ to free a temporary string used in client_context_read_cgroup | Evgeny Vereshchagin | 2019-11-01 | 1 | -5/+2
  Closes https://github.com/systemd/systemd/issues/11253.
  (cherry picked from commit ef30f7cac18a810814ada7e6a68a31d48cc9fccd)
  (cherry picked from commit 3513426adcecc322937635c11ebb89f174f849ed)
  Resolves: #1767716
* analyze-security: fix potential division by zero [v239-18] [v239-17] | Jan Synacek | 2019-08-07 | 1 | -0/+2
  Upstream PR: https://github.com/systemd/systemd/pull/13238
  Resolves: #1734400
* swap: scan /proc/swaps before processing waitid() results | Lennart Poettering | 2019-08-07 | 1 | -3/+15
  Similar to the previous commit, but for /proc/swaps, where the same logic and rationale applies.
  (cherry picked from commit bcce581d65de68cca01c73e1c890e261e72d20af)
  Related: #1696178
* mount: rescan /proc/self/mountinfo before processing waitid() results | Lennart Poettering | 2019-08-07 | 1 | -3/+27
  (The interesting bits about the what and why are in a comment in the patch, please have a look there instead of looking here in the commit msg).
  Fixes: #10872
  (cherry picked from commit 350804867dbcc9b7ccabae1187d730d37e2d8a21)
  Conflicts:
    src/core/mount.c
  Resolves: #1696178
* mount: simplify /proc/self/mountinfo handler | Lennart Poettering | 2019-08-07 | 1 | -22/+26
  Our IO handler is only installed for one fd, hence there's no reason to conditionalize on it again.
  Also, split out the draining into a helper function of its own.
  (cherry picked from commit fcd8e119c28be19ffbc5227089cf4d3b8ba60238)
  Conflicts:
    src/core/mount.c
  Related: #1696178
* rules: skip memory hotplug on ppc64 [v239-16] | Jan Synacek | 2019-07-26 | 1 | -0/+1
  Resolves (#1713159)
* man: note that journal does not validate syslog fields | Jan Synacek | 2019-07-26 | 1 | -0/+5
  (cherry picked from commit 63ea8032f28052f7cda860e5324c0a83dee7ed23)
  Resolves: #1707175
* bash-completion: analyze: support 'security' | Yu Watanabe | 2019-07-26 | 1 | -1/+19
  (cherry picked from commit 83da42c3bf86e8787cfec2c7fb6ca379dfec3632)
  Resolves: #1733395
* Change job mode of manager triggered restarts to JOB_REPLACE | Jonathon Kowalski | 2019-07-26 | 1 | -1/+1
  Fixes: #11305
  Fixes: #3260
  Related: #11456
  So, here's what happens in the described scenario in #11305. A unit goes down, and that triggers stop jobs for the other two units as they were bound to it. Now, the timer for manager triggered restarts kicks in and schedules a restart job with the JOB_FAIL job mode. This means there is a stop job installed on those units, and now due to them being bound to us they also get a restart job enqueued. This however is a conflict, as neither stop can merge into restart, nor restart into stop. However, restart should be able to replace stop in any case. If the stop procedure is ongoing, it can cancel the stop job, install itself, and then after reaching dead finish and convert itself to a start job. However, if we increase the timer, then it can always take those units from inactive -> auto-restart.
  We change the job mode to JOB_REPLACE so the restart job cancels the stop job and installs itself.
  Also, the original bug could be worked around by bumping RestartSec= to avoid the conflict.
  This doesn't seem to be something that is going to break uses. That is because for those who already had it working, there must have never been conflicting jobs, as that would result in a destructive transaction by virtue of the job mode used.
  After this change, the test case is able to work nicely without issues.
  (cherry picked from commit 03ff2dc71ecb09272d728d458498b44f7f132f51)
  Resolves: #1712524
* udev/scsi_id: fix incorrect page length when get device identification VPD page | Zhang Xianwei | 2019-07-26 | 1 | -1/+1
  The length of device identification VPD page is filled with two bytes, but scsi_id only gets the low byte. Fix it.
  Signed-off-by: Zhang Xianwei <zhang.xianwei8@zte.com.cn>
  (cherry picked from commit 1f7b6872dbe8ccae1f3bda9aa6aeb87c9b42e01e)
  Resolves: #1713227
* cryptsetup: Add LUKS2 token support. | Milan Broz | 2019-07-26 | 1 | -0/+12
  LUKS2 supports so-called tokens. The libcryptsetup internally supports keyring token (it tries to open device using specified keyring entry). Only if all tokens fail (or are not available), it uses a passphrase.
  This patch aligns the functionality with the cryptsetup utility (cryptsetup luksOpen tries tokens first) but does not replace the systemd native ask-password function (can be used the same in combination with this patch).
  (cherry picked from commit 894bb3ca4c730cc9e9d46ef5004ba4ca5e201d8d)
  Resolves: #1719153
* cryptsetup: call crypt_load() for LUKS only once | Milan Broz | 2019-07-26 | 1 | -16/+12
  The crypt_load() for LUKS2 can read a quite big area of disk (metadata area size is configurable and can increase up to megabytes).
  This initialization is not needed to be repeated, just use the existing context.
  (This patch is also required for the following change.)
  (cherry picked from commit ea9a9d49e4af31c49e5c216e7e5e2f533e727579)
  Related: #1719153
* cryptsetup: Do not fallback to PLAIN mapping if LUKS data device set fails. | Milan Broz | 2019-07-26 | 1 | -5/+7
  If crypt_load() for LUKS succeeds, we know that it is a LUKS device. Failure of data device setting should fail in this case; remapping as a PLAIN device late could mean data corruption.
  (If a user wants to map PLAIN device over a device with LUKS header, it should be said explicitly with "plain" argument type.)
  Also, if there is no explicit PLAIN type requested and crypt device is already initialized (crypt_data_type() is set), do not run the initialization again.
  (cherry picked from commit 2e4beb875bcb24e7d7d4339cc202b0b3f2953f71)
  Related: #1719153
* journal: do not remove multiple spaces after identifier in syslog message | Yu Watanabe | 2019-07-26 | 2 | -11/+17
  Single space is used as separator. C.f. discussions in #156.
  Fixes #9839 introduced by a6aadf4ae0bae185dc4c414d492a4a781c80ffe5.
  (cherry picked from commit 8595102d3ddde6d25c282f965573a6de34ab4421)
  Resolves: #1691817
* journal-remote: do not request Content-Length if Transfer-Encoding is chunked | Yu Watanabe | 2019-07-26 | 1 | -14/+27
  This fixes a bug introduced by 7fdb237f5473cb8fc2129e57e8a0039526dcb4fd.
  Closes #11571.
  (cherry picked from commit a289dfd69b3ff4bccdde93e84b67c947bafa27e1)
  Resolves: #1708849
* sd-bus: deal with cookie overruns | Lennart Poettering | 2019-07-26 | 1 | -1/+46
  Apparently this happens IRL. Let's carefully deal with issues like this: when we overrun, let's not go back to zero but instead leave the highest cookie bit set. We use that as indication that we are in "overrun territory", and then are particularly careful with checking cookies, i.e. that they haven't been used for still outstanding replies yet. This should retain the quick cookie generation behaviour we used to have, but permits dealing with overruns.
  Replaces: #11804
  Fixes: #11809
  (cherry picked from commit 1f82f5bb4237ed5f015daf93f818e9db95e764b8)
  Resolves: #1694999
* journal-gateway: use localStorage["cursor"] only when it has valid value [v239-15] | Yu Watanabe | 2019-05-03 | 1 | -4/+6
  Discovered by LGTM.
  (cherry picked from commit 944072feddb73333023d0a98bf87fd2a17f894d3)
  Resolves: #1705971
* tools: drop unused variable | Yu Watanabe | 2019-05-03 | 1 | -1/+0
  (cherry picked from commit 2f6c9b6f3fb0128cee7f74985c143b4850feff6d)
  Resolves: #1705971
* journal-gateway: explicitly declare local variables | Yu Watanabe | 2019-05-03 | 1 | -5/+6
  Suggested by LGTM.
  (cherry picked from commit c497e449f41774a36e01ae2cc2abade6133dffe1)
  Resolves: #1705971
* test: add test for Type=exec | Lennart Poettering | 2019-05-03 | 3 | -0/+74
  (cherry picked from commit 0e1f17561f5f6061ec5503de044298372ed7ca37)
  Resolves: #1683334
* sd-login: let's also make sd-login understand ".host" | Lennart Poettering | 2019-05-03 | 1 | -10/+17
  if sd-bus and machined grok it, then sd-login should grok it too.
  (cherry picked from commit a8c9b7a0fc0aa02666042543ff9a652aae3c9499)
  Resolves: #1683334
* sd-bus: allow connecting to the pseudo-container ".host" | Lennart Poettering | 2019-05-03 | 2 | -2/+7
  machined exposes the pseudo-container ".host" as a reference to the host system, and this means "machinectl login .host" and "machinectl shell .host" get you a login/shell on the host. systemd-run currently doesn't allow that. Let's fix that, and make sd-bus understand ".host" as an alias for connecting to the host system.
  (cherry picked from commit 1e5057b904473696ae0d591d7555233adcb51fa4)
  Resolves: #1683334
* man: document the new Type=exec type | Lennart Poettering | 2019-05-03 | 2 | -71/+97
  And while we are at it, let's rearrange and extend the Type= documentation a bit. Let's make it an itemized list, and let's add a paragraph explaining which type best to use.
  (cherry picked from commit 79905a246d645d21633f09f564b3672d5085a85c)
  Resolves: #1683334
* core: introduce new Type=exec service type | Lennart Poettering | 2019-05-03 | 7 | -28/+254
  Users are often surprised that "systemd-run" command lines like "systemd-run -p User=idontexist /bin/true" will return successfully, even though the logs show that the process couldn't be invoked, as the user "idontexist" doesn't exist. This is because Type=simple will only wait until fork() succeeded before returning start-up success.
  This patch adds a new service type Type=exec, which is very similar to Type=simple, but waits until the child process completed the execve() before returning success. It uses a pipe that has O_CLOEXEC set for this logic, so that the kernel automatically sends POLLHUP on it when the execve() succeeded but leaves the pipe open if not. This means PID 1 waits exactly until the execve() succeeded in the child, and not longer and not shorter, which is the desired functionality.
  Making use of this new functionality, the command line "systemd-run -p User=idontexist -p Type=exec /bin/true" will now fail, as expected.
  (cherry picked from commit 5686391b006ee82d8a4559067ad9818e3e631247)
  Resolves: #1683334
* execute: use our usual syntax for defining bit masks | Lennart Poettering | 2019-05-03 | 1 | -4/+4
  (cherry picked from commit ce0d60a7c4e07c5bdfed9f076bd48752287f0777)
  Resolves: #1683334
* core: swap order of "n_storage_fds" and "n_socket_fds" parameters | Lennart Poettering | 2019-05-03 | 3 | -19/+22
  When processing fd lists to pass to activated programs we always place the socket activation fds first, and the storage fds last. Irritatingly in almost all calls the "n_storage_fds" parameter (i.e. the number of storage fds to pass) came first so far, and the "n_socket_fds" parameter second. Let's clean this up, and specify the number of fds in the order the fds themselves are passed.
  (Also, let's fix one more case where "unsigned" was used to size an array, while we should use "size_t" instead.)
  (cherry picked from commit 25b583d7ffd699384435eba8e49f6ce927a83af0)
  Resolves: #1683334
* socket-util: Introduce send_one_fd_iov() and receive_one_fd_iov() | Filipe Brandenburger | 2019-05-03 | 3 | -74/+90
  These take a struct iovec to send data together with the passed FD.
  The receive function returns the FD through an output argument. In case data is received, but no FD is passed, the receive function will set the output argument to -1 explicitly.
  Update code in dynamic-user to use the new helpers.
  (cherry picked from commit d34673ecb825aa9ecf6958b0caab792f5061c56a)
  Resolves: #1683319
* test-socket-util: Add tests for receive_fd_iov() and friends. | Filipe Brandenburger | 2019-05-03 | 1 | -0/+215
  Test it when sending an FD without any contents, or an FD and some contents, or only contents and no FD (using a bare send().)
  Also fix the previous test which forked but was missing an _exit() at the end of the child execution code.
  (cherry picked from commit 8a3386ab4fea9c4efa9c72e7c149cf510a46f03e)
  Resolves: #1683319
* travis: switch from trusty to xenial | Frantisek Sumsal | 2019-05-03 | 1 | -0/+1
  This should fix the timeout in test-event
  Taken from: b635e4ef6b2f35f07111bb66a68fe850a2ccab72
  Resolves: #1683319
* mount-point: honour AT_SYMLINK_FOLLOW correctly | Lennart Poettering | 2019-05-03 | 1 | -1/+1
  Fixes: #11092
  (cherry picked from commit be24321f3dae91a166166b239954032727439942)
  Resolves: #1683319
* sd-bus: call cap_last_cap() only once in has_cap() | Lennart Poettering | 2019-05-03 | 1 | -2/+5
  Also, use the same type everywhere for dealing with it.
  (cherry picked from commit 92a40e20bf970c3ded8a50fbeeae882a7b970c9a)
  Resolves: #1683319
* sd-bus: use size_t when dealing with memory offsets | Lennart Poettering | 2019-05-03 | 1 | -1/+1
  (cherry picked from commit 3cae6c21e732fd46ff024d6625243d88ef6377ed)
  Resolves: #1683319
* capability: introduce CAP_TO_MASK_CORRECTED() macro replacing CAP_TO_MASK() | Lennart Poettering | 2019-05-03 | 2 | -1/+5
  linux/capability.h's CAP_TO_MASK potentially shifts a signed int "1" (i.e. 32bit wide) left by 31 which means it becomes negative. That's just weird, and ubsan complains about it. Let's introduce our own macro CAP_TO_MASK_CORRECTED which doesn't fall into this trap, and make use of it.
  Fixes: #10347
  (cherry picked from commit 5f00c5684f96c93a22840f7241ee444b9a632b1e)
  Resolves: #1683319
* sd-journal: escape binary data in match_make_string() | Evgeny Vereshchagin | 2019-05-03 | 2 | -2/+5
  Fixes: #10383
  (cherry picked from commit 9e8b1ec08e8eb0b4611b7caf6adb8828feb32312)
  Resolves: #1683319
* test-socket-util: avoid "memleak" reported by valgrind | Zbigniew Jędrzejewski-Szmek | 2019-05-03 | 1 | -6/+9
  valgrind reports the allocation done in the short-lived child as a leak. Let's restructure the code to avoid this.
  (cherry picked from commit 181c4ba750770b54a54b5abbe8ae8ff4f6db59b5)
  Resolves: #1683319
* util: introduce memcmp_safe() | Yu Watanabe | 2019-05-03 | 1 | -3/+1
  (cherry picked from commit f30faf854b9bf01da294547a1bc3660506d750db)
  Resolves: #1683319
* tree-wide: various ubsan zero size memory fixes | Lennart Poettering | 2019-05-03 | 3 | -3/+9
  Fixes: #10346
  (cherry picked from commit 65f95765d05ddcd9e5849b68c379afa7e87d1248)
  Resolves: #1683319
* tests: keep SYS_PTRACE when running under ASan | Frantisek Sumsal | 2019-05-03 | 1 | -1/+6
  (cherry picked from commit 7a3025658836c536f81fdd742fa338545294f5bf)
  Resolves: #1683319
* travis: enable ASan and UBSan on RHEL8 | Frantisek Sumsal | 2019-05-03 | 2 | -56/+105
  Resolves: #1683319
  rhel-only
* util: do not use stack frame for parsing arbitrary inputs | Yu Watanabe | 2019-05-03 | 1 | -4/+12
  This replaces strndupa() by strndup() in socket_address_parse(), as input string may be too long.
  Fixes issue 10007 by ClusterFuzz-External: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=10007
  (cherry picked from commit 8d30fcb9b51b1d102a589171b6e28f5f370236f6)
  Resolves: #1696224
* bus-message: avoid wrap-around when using length read from message | Zbigniew Jędrzejewski-Szmek | 2019-05-03 | 2 | -0/+24
  We would read (-1), and then add 1 to it, call message_peek_body(..., 0, ...), and when trying to make use of the data.
  The fuzzer test case is just for one site, but they all look similar.
  v2: fix two UINT8_MAX/UINT32_MAX mismatches found by LGTM
  (cherry picked from commit 902000c19830f5e5a96e8948d691b42e91ecb1e7)
  Resolves: #1696224
* bus-message: return -EBADMSG not -EINVAL on invalid !gvariant messages | Zbigniew Jędrzejewski-Szmek | 2019-05-03 | 2 | -1/+1
  (cherry picked from commit d831fb6f2bde829f9309aea242f502587662d1cc)
  Resolves: #1696224
* fuzz-bus-message: add two test cases that pass now | Zbigniew Jędrzejewski-Szmek | 2019-05-03 | 2 | -0/+0
  It seems that they got fixed by one of the patches. Let's add them just in case.
  (cherry picked from commit edde66ffc2404de58e8b19810951f376efb344da)
  Resolves: #1696224
* bus-message: also properly copy struct signature when skipping | Zbigniew Jędrzejewski-Szmek | 2019-05-03 | 1 | -3/+3
  The change is similar to that in the previous commit, but I don't have a reproducer / test case for this one, so I'm keeping it separate.
  (cherry picked from commit 3d338a302f56c0ef0445660d9856794abe1af8b5)
  Resolves: #1696224