summaryrefslogtreecommitdiff
Commit message (Collapse)AuthorAgeFilesLines
* networkd,resolved: add a per-interface mdns configuration optionLennart Poettering2016-01-058-5/+67
|
* resolved,networkd: unify ResolveSupport enumLennart Poettering2016-01-0516-113/+108
| | | | | | | | networkd previously knew an enum "ResolveSupport" for configuring per-interface LLMNR support, resolved had a similar enum just called "Support", with the same value and similar pasers. Unify this, call the enum ResolveSupport, and port both daemons to it.
* basic: add string table macros for "extended boolean" enumsLennart Poettering2016-01-053-44/+21
| | | | | | | | | | In a couple of cases we maintain configuration settings that know an on and off state, like a boolean, plus some additional states. We generally parse them as booleans first, and if that fails check for specific additional values. This adds a generalized set of macros for parsing such settings, and ports one use in resolved and another in networkd over to it.
* sd-network: unify parsing of /run/systemd/netif/links/* string fieldsLennart Poettering2016-01-051-89/+14
|
* man: fix a few typosLennart Poettering2016-01-051-3/+3
|
* Merge pull request #2272 from kinvolk/alban/typosLennart Poettering2016-01-051-1/+1
|\ | | | | machine: fix typo: MS_MOUNT does not exist
| * machine: fix typo: MS_MOUNT does not existAlban Crequy2016-01-051-1/+1
|/
* Merge pull request #2269 from poettering/dnssec11Tom Gundersen2016-01-0521-83/+774
|\ | | | | Eleventh DNSSEC patch set
| * man: add documentation for dnssec-trust-anchors.d(5)Lennart Poettering2016-01-054-10/+216
| |
| * resolved: also skip built-in trust anchor addition of there's a DNSKEY RR ↵Lennart Poettering2016-01-051-0/+3
| | | | | | | | | | | | | | for the root domain defined We already skip this when the trust anchor files define a DS RR for the root domain, now also skip it if there's a DNSKEY RR.
| * resolved: move trust anchor files to /etc/dnssec-trust-anchors.d/Lennart Poettering2016-01-051-1/+1
| | | | | | | | | | These files are not specific to resolved really, and this is then more in-line with how /etc/sysctl.d and suchlike is handled.
| * resolved: when caching negative responses, honour NSEC/NSEC3 TTLsLennart Poettering2016-01-057-22/+42
| | | | | | | | | | | | | | | | | | | | When storing negative responses, clamp the SOA minimum TTL (as suggested by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove non-existance, if it there is any. This is necessary since otherwise an attacker might put together a faked negative response for one of our question including a high-ttl SOA RR for any parent zone, and we'd use trust the TTL.
| * man: add basic documentation for resolved.conf's DNSSEC= switchLennart Poettering2016-01-051-0/+55
| |
| * update DNSSEC TODOLennart Poettering2016-01-041-3/+1
| |
| * resolved: explicitly handle case when the trust anchor is emptyLennart Poettering2016-01-044-0/+41
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Since we honour RFC5011 revoked keys it might happen we end up with an empty trust anchor, or one where there's no entry for the root left. With this patch the logic is changed what to do in this case. Before this patch we'd end up requesting the root DS, which returns with NODATA but a signed NSEC we cannot verify, since the trust anchor is empty after all. Thus we'd return a DNSSEC result of "missing-key", as we lack a verified version of the key. With this patch in place, look-ups for the root DS are explicitly recognized, and not passed on to the DNS servers. Instead, if downgrade-ok mode is on an unsigned NODATA response is synthesized, so that the validator code continues under the assumption the root zone was unsigned. If downgrade-ok mode is off a new transaction failure is generated, that makes this case recognizable.
| * resolved: introduce a proper bus error for DNSSEC validation errorsLennart Poettering2016-01-042-1/+2
| |
| * resolved: explicitly avoid cyclic transaction dependenciesLennart Poettering2016-01-041-7/+37
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We already try hard not to create cyclic transaction dependencies, where a transaction requires another one for DNSSEC validation purposes, which in turn (possibly indirectly) pulls in the original transaction again, thus resulting in a cyclic dependency and ultimately a deadlock since each transaction waits for another one forever. So far we wanted to avoid such cyclic dependencies by only going "up the tree" when requesting auxiliary RRs and only going from one RR type to another, but never back. However this turned out to be insufficient. Consider a domain that publishes one or more DNSKEY but which has no DS for it. A request for the domain's DNSKEY triggers a request for the domain's DS, which will then fail, but return an NSEC, signed by the DNSKEY. To validate that we'd request the DNSKEY again. Thus a DNSKEY request results in a DS request which results in the original DNSKEY request again. If the original lookup had been a DS lookup we'd end up in the same cyclic dependency, hence we cannot statically break one of them, since both requests are of course fully valid. Hence, do full cyclic dependency checking: each time we are about to add a dependency to a transaction, check if the transaction is already a dependency of the dependency (recursively down the tree).
| * resolved: block transaction GC'ing while ↵Lennart Poettering2016-01-042-4/+25
| | | | | | | | | | | | | | | | | | | | | | | | | | dns_transaction_request_dnssec_keys() is running If any of the transactions started by dns_transaction_request_dnssec_keys() finishes promptly without requiring asynchronous operation this is reported back to the issuing transaction from the same stackframe. This might ultimately result in this transaction to be freed while we are still in its _request_dnssec_keys() stack frame. To avoid memory corruption block the transaction GC while in the call, and manually issue a GC after it returned.
| * update RFCsLennart Poettering2016-01-041-5/+5
| |
| * resolved: partially implement RFC5011 Trust Anchor supportLennart Poettering2016-01-049-27/+307
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | With this patch resolved will properly handle revoked keys, but not augment the locally configured trust anchor database with newly learned keys. Specifically, resolved now refuses validating RRsets with revoked keys, and it will remove revoked keys from the configured trust anchors (only until reboot). This patch does not add logic for adding new keys to the set of trust anchors. This is a deliberate decision as this only can work with persistent disk storage, and would result in a different update logic for stateful and stateless systems. Since we have to support stateless systems anyway, and don't want to encourage two independent upgrade paths we focus on upgrading the trust anchor database via the usual OS upgrade logic. Whenever a trust anchor entry is found revoked and removed from the trust anchor a recognizable log message is written, encouraging the user to update the trust anchor or update his operating system.
| * resolved: fix DNSSEC canonical ordering logicLennart Poettering2016-01-042-8/+28
| | | | | | | | | | | | | | When applying canonical DNSSEC ordering for an RRset only order by the wire format of the RRs' RDATA, not by the full wire formatting. The RFC isn't particularly clear about this, but this is apparently how it is done. This fixes validation of pentagon.gov's DS RRset.
| * resolved: actually make use of message ID when logging about failed DNSSEC ↵Lennart Poettering2016-01-041-0/+3
| | | | | | | | validation
| * resolved: refuse revoked DNSKEYs in trust anchorLennart Poettering2016-01-031-0/+8
| |
| * resolved: never authenticate RRsets with revoked keysLennart Poettering2016-01-032-1/+4
| |
| * resolved: print a log message when we ignore an NSEC3 RR with an excessive ↵Lennart Poettering2016-01-032-4/+6
| | | | | | | | amount of iterations
* | Merge pull request #2205 from pohly/cgroup-smack-run-labelLennart Poettering2016-01-051-5/+10
|\ \ | | | | | | mount-setup.c: fix handling of symlink Smack labelling in cgroup setup
| * | mount-setup.c: fix handling of symlink Smack labelling in cgroup setupPatrick Ohly2016-01-051-5/+10
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | The code introduced in f8c1a81c51 (= systemd 227) failed for me with: Failed to copy smack label from net_cls to /sys/fs/cgroup/net_cls: No such file or directory There is no need for a symlink in this case because source and target are identical. The symlink() call is allowed to fail when the target already exists. When that happens, copying the Smack label must be skipped. But the code also failed when there is a symlink, like "cpu -> cpu,cpuacct", because mac_smack_copy() got called with src="cpu,cpuacct" which fails to find the entry because the current directory is not inside /sys/fs/cgroup. The absolute path to the existing entry must be used instead.
* | Merge pull request #2268 from whot/hwdb-updatesLennart Poettering2016-01-051-0/+7
|\ \ | | | | | | hwdb: add axis ranges and resolution for Dell Lattitude E6220
| * | hwdb: add axis ranges and resolution for Dell Lattitude E6220Peter Hutterer2016-01-051-0/+7
| |/ | | | | | | https://bugzilla.redhat.com/show_bug.cgi?id=1293576
* | Merge pull request #2259 from evverx/fix-test-executeZbigniew Jędrzejewski-Szmek2016-01-041-3/+3
|\ \ | | | | | | core: only skip setup of "special" signals in test mode
| * | core: don't enable special signals in test modeEvgeny Vereshchagin2016-01-041-0/+3
| | | | | | | | | | | | | | | | | | Fixes: $ systemd-analyze verify ... Failed to open /dev/tty0: Permission denied
| * | core: revert "manager: do not set up signals in test mode"Evgeny Vereshchagin2016-01-041-3/+0
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This reverts commit 5aa1054521596c3d268db5f4aff9f2b69647ffc9. Fixes test-execute $ sudo make check TESTS=test-execute ... $ cat test-execute.log + test /tmp/test-exec_workingdirectory = /tmp/test-exec_workingdirectory Test timeout when testing exec-workingdirectory.service exec-workingdirectory.service UMask: 0022 WorkingDirectory: /tmp/test-exec_workingdirectory RootDirectory: / NonBlocking: no PrivateTmp: no PrivateNetwork: no PrivateDevices: no ProtectHome: no ProtectSystem: no IgnoreSIGPIPE: yes RuntimeDirectoryMode: 0755 StandardInput: null StandardOutput: inherit StandardError: inherit FAIL test-execute (exit status: 1)
* | Merge pull request #2263 from awilfox/add-discoverable-root-for-itaniumZbigniew Jędrzejewski-Szmek2016-01-041-1/+6
|\ \ | | | | | | Add GPT partition type GUID for Itanium root partition
| * | Add GPT partition type GUID for Itanium root partitionAndrew Wilcox2016-01-041-1/+6
|/ /
* | Merge pull request #2248 from APokorny/detect-touchscreens-with-btn-touchMartin Pitt2016-01-041-2/+2
|\ \ | |/ |/| udev: Fix touch screen detection
| * udev: Fix touch screen detectionAndreas Pokorny2016-01-011-2/+2
| | | | | | | | | | | | Use BTN_TOUCH or INPUT_PROP_DIRECT to detect touch screens. Signed-off-by: Andreas Pokorny <andreas.pokorny@canonical.com>
* | Merge pull request #2245 from ssahani/socket1Lennart Poettering2016-01-032-3/+13
|\ \ | | | | | | core: socket options fix SCTP_NODELAY
| * | core: socket options fix SCTP_NODELAYSusant Sahani2015-12-312-3/+13
| | | | | | | | | | | | | | | SCTP_NODELAY is diffrent to TCP_NODELAY. Apply proper options in case of SCTP.
* | | Merge pull request #2254 from kelemeng/masterLennart Poettering2016-01-032-78/+323
|\ \ \ | | | | | | | | Updated Hungarian translations
| * | | Add initial Hungarian message catalog translationGabor Kelemen2016-01-021-0/+262
| | | |
| * | | Update Hungarian translationGabor Kelemen2016-01-021-78/+61
| | |/ | |/|
* | | Merge pull request #2255 from teg/resolved-fixes-2Lennart Poettering2016-01-033-52/+169
|\ \ \ | | | | | | | | Fixes to NSEC3 proof v2
| * | | resolved: dnssec - properly take wildcards into account in NESC3 proofTom Gundersen2016-01-031-10/+97
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | For NXDOMAIN, it is not sufficient to prove that the next-closest enclosure does not exist, we must also prove that there is no wildcard domain directly below the closest enclosure which would synthesise the name that has been requested. For positive responses, in addition to exact matches, we should accept wildcard ones. In that case we must first prove that there is no precise match (i.e., that the closest encounter is not the record itself) and secondly that the source of synthesis exists.
| * | | resolved: dnssec - factor out hashed domain generationTom Gundersen2016-01-032-23/+34
| | | |
| * | | resolved: don't conclude NODATA if CNAME existsTom Gundersen2016-01-033-2/+16
| | | | | | | | | | | | | | | | | | | | Instead introduce the new return-code DNSSEC_NSEC_CNAME to indicate this condition. See RFC 6840, Section 4.3.
| * | | resolved: dnssec - add reference to the algorithm we implementTom Gundersen2016-01-011-0/+1
| | | |
| * | | resolved: dnssec - prepend hashed labels to zone nameTom Gundersen2016-01-011-2/+2
| | | | | | | | | | | | | | | | | | | | All hashed names consist of the hashed label prepended to the zone name, not to the closest enclosure.
| * | | resolved: dnssec - rename some variablesTom Gundersen2016-01-011-18/+22
| | | | | | | | | | | | | | | | Makes the NSEC3 proof somewhat simpler to follow.
| * | | resoled: dnssec - don't refuse to verify answer due to too many unrelated RRsTom Gundersen2016-01-011-3/+3
| | | | | | | | | | | | | | | | | | | | Let VERIFY_RRS_MAX be about the max number of RRs in an RRSet that we actually try to verify, not about the total number of RRs in the RRSet.
| * | | resolved: dnssec - fix off-by-one in RSA key parsingTom Gundersen2016-01-011-2/+2
| |/ / | | | | | | | | | | | | If the first byte of the key is zero, the key-length is stored in the second and third byte (not first and second).