path: root/src/core/load-fragment.c
Commit message | Author | Age | Files | Lines
* core: add DelegateSubgroup= setting
  Lennart Poettering | 2023-04-27 | 1 file | -0/+36

This implements a minimal subset of #24961, but in a lot more restrictive way: we only allow one level of subcgroup (as that's enough to address the no-processes in inner cgroups rule), and do not change anything about threaded cgroup logic or similar, or make any of this new behaviour mandatory.

All this does is this: all non-control processes we invoke for a unit we'll invoke in a subgroup by the specified name.

We'll later port all our current services that use cgroup delegation over to this, i.e. user@.service, systemd-nspawn@.service and systemd-udevd.service.
* image-policy: introduce parse_image_policy_argument() helper
  Yu Watanabe | 2023-04-13 | 1 file | -39/+0

Addresses https://github.com/systemd/systemd/pull/25608/commits/84be0c710d9d562f6d2cf986cc2a8ff4c98a138b#r1060130312, https://github.com/systemd/systemd/pull/25608/commits/84be0c710d9d562f6d2cf986cc2a8ff4c98a138b#r1067927293, and https://github.com/systemd/systemd/pull/25608/commits/84be0c710d9d562f6d2cf986cc2a8ff4c98a138b#r1067926416.

Follow-up for 84be0c710d9d562f6d2cf986cc2a8ff4c98a138b.
* service: add ability to pin fd store
  Lennart Poettering | 2023-04-13 | 1 file | -1/+1

Oftentimes it is useful to allow the per-service fd store to survive longer than for a restart. This is useful in various scenarios:

1. An fd to some security relevant object needs to be stashed somewhere, that should not be cleaned automatically, because the security enforcement would be dropped then.

2. A user namespace fd should be allocated on first invocation and be kept around until the user logs out (i.e. systemd --user ends), á la #16328 (This does not implement what #16318 asks for, but should solve the use-case discussed there.)

3. There's interest in allowing a concept of "userspace reboots" where the kernel stays running, and userspace is swapped out (i.e. all services exit, and the rootfs transitioned into a new version of it) while keeping some select resources pinned, very similar to how we implement a switch root. Thus it is useful to allow services to exit, while leaving their fds around till the very end.

This is exposed through a new FileDescriptorStorePreserve= setting that is closely modelled after RuntimeDirectoryPreserve= (in fact it reuses the same internal type), since we want similar behaviour in the end, and quite often they probably want to be used together.
* pid1: fix coredump_filter setting
  David Schroeder | 2023-04-13 | 1 file | -1/+1

Correct what appears to be a copy/paste error in config_parse_exec_coredump_filter that is preventing the coredump_filter setting from working correctly.
* tree-wide: hook up image dissection policy logic everywhere
  Lennart Poettering | 2023-04-05 | 1 file | -0/+39
* Merge pull request #26825 from keszybz/log-message-fix
  Luca Boccassi | 2023-03-15 | 1 file | -6/+3

Log message fix
  * core: reduce scope of variable
    Zbigniew Jędrzejewski-Szmek | 2023-03-15 | 1 file | -6/+3
* Merge pull request #26808 from keszybz/no-controllers-followup
  Luca Boccassi | 2023-03-15 | 1 file | -4/+4

Docs and dump output follow-up for the case of delegation with no controllers
  * man: document "Delegate=" a bit more
    Zbigniew Jędrzejewski-Szmek | 2023-03-14 | 1 file | -4/+4

This case is a bit surprising, even if logical if one understands how the parser works. Let's be more explicit.

Follow-up for 7b3693e4e4c9cae50fca65136278a62fae11327e.
* core: fix mount flag help output, it only takes one argument
  Lennart Poettering | 2023-03-14 | 1 file | -1/+1
* core: rename "mount_flags" → "mount_propagation_flag" internally where appropriate
  Lennart Poettering | 2023-03-14 | 1 file | -3/+5

ExecContext has a field that controls the mount propagation flag of the mounts in the resulting namespace. This is exposed as "MountFlags=" which is super confusing, as it suggests one could control more than propagation, and that it was actually a flags field. It's an enum though only, and nothing else.

We might want to rename this externally one day, but given the compat kludges this requires and the fact this is somewhat nichey it might not be worth it. But internally let's rename it, as it makes things much easier to grok, in particular as part of the codebase already exposed the concept as mount_propagation_flag.

No actual code flow changes, just some renaming.
* basic: add RuntimeScope enum
  Lennart Poettering | 2023-03-10 | 1 file | -12/+12

In various tools and services we have a per-system and per-user concept. So far we sometimes used a boolean indicating whether we are in system mode, or a reversed boolean indicating whether we are in user mode, or the LookupScope enum used by the lookup path logic.

Let's address that, and introduce a common enum for this, which we can use all across the board.

This is mostly just search/replace, no actual code changes.
* load-fragment: add user credential specifiers to user.conf
  Ronan Pigott | 2023-03-10 | 1 file | -1/+11

This enables the ManagerEnvironment= settings in the user's user.conf to reference some user data like $HOME for the purpose of setting environment variables derived from these values.
* core: add missing MemoryPressureWatch= and MemoryPressureThresholdSec= setting
  Yu Watanabe | 2023-03-09 | 1 file | -1/+1

Follow-up for #26393.

Addresses https://github.com/systemd/systemd/pull/26393#issuecomment-1458655798.
* pid1: add unit file settings to control memory pressure logic
  Lennart Poettering | 2023-03-01 | 1 file | -0/+1
* capability-util: add CAP_MASK_ALL + CAP_MASK_UNSET macros
  Lennart Poettering | 2023-02-20 | 1 file | -5/+7

We should be more careful with distinguishing the cases "all bits set in caps mask" from "cap mask invalid". We so far mostly used UINT64_MAX for both, which is not correct though (as it would mean AmbientCapabilities=~0 followed by AmbientCapabilities=0 would result in capability 63 being set, which we don't really allow, since that means unset).
* core: add support for Startup memory limits
  Luca Boccassi | 2023-02-15 | 1 file | -5/+34

We support separate Startup configurations for CPU and I/O, so add it for memory too. Only cover cgroupsv2 settings.
* pid1,sysusers: drop unused SYNTHETIC_ERRNO
  Zbigniew Jędrzejewski-Szmek | 2023-01-31 | 1 file | -1/+1

The only function of SYNTHETIC_ERRNO is to set the return value. If we're ignoring the return value, it shouldn't be used.
* Merge pull request #23309 from DaanDeMeyer/log-context
  Luca Boccassi | 2023-01-20 | 1 file | -1/+1

basic: Add log context
  * basic: Use statement expressions more in list.h
    Daan De Meyer | 2023-01-08 | 1 file | -1/+1

Let's use statement expressions to return values instead of passing in return arguments to the LIST macros.
* core: add OpenFile setting
  Richard Phibel | 2023-01-10 | 1 file | -0/+37
* load-fragment: config_parse_emergency_action() doesn't ever get a Manager pointer passed in
  Lennart Poettering | 2023-01-06 | 1 file | -5/+6

In 'data' we get the location passed in we write stuff, and that's not the Manager object. And we neither get the Manager passed in via 'userdata', because at the time we parse the emergency action for the manager the Manager is not actually allocated yet.

Hence, let's fix this differently, and pass in the user/system mode descriptor via the 'ltype' argument.

Fixes: #25933
* load-fragment: remove EmergencyAction compat we were supposed to remove back in v241
  Lennart Poettering | 2023-01-06 | 1 file | -10/+0
* journald: fix followup comments on regex feature
  Quentin Deslandes | 2023-01-06 | 1 file | -2/+1

Fix followup comments on PR #24058:
- Use `mempcpy_safe()`.
- Remove unused `pcre2_code` variable.
- Use `static const` when relevant.
* tree-wide: use -EBADF for fd initialization
  Zbigniew Jędrzejewski-Szmek | 2022-12-19 | 1 file | -2/+2

-1 was used everywhere, but -EBADF or -EBADFD started being used in various places. Let's make things consistent in the new style.

Note that there are two candidates:
EBADF   9   Bad file descriptor
EBADFD  77  File descriptor in bad state

Since we're initializing the fd, we're just assigning a value that means "no fd yet", so it's just a bad file descriptor, and the first errno fits better. If instead we had a valid file descriptor that became invalid because of some operation or state change, the other errno would fit better.

In some places, initialization is dropped if unnecessary.
* Merge pull request #24058 from qdeslandes/journald_regex_filtering
  Yu Watanabe | 2022-12-15 | 1 file | -0/+53

Allow for journald logs filtering on a per-unit basis
  * journal: log filtering options support in PID1
    Quentin Deslandes | 2022-12-15 | 1 file | -0/+53

Define new unit parameter (LogFilterPatterns) to filter logs processed by journald. This option is used to store a regular expression which is carried from PID1 to systemd-journald through a cgroup xattrs: `user.journald_log_filter_patterns`.
* mountpoint-util: rename mount_propagation_flags_to_string() and friends as singular
  Yu Watanabe | 2022-12-15 | 1 file | -1/+1
* MemoryZSwapMax directive to configure new memory.zswap.max cgroup file
  Pasha Vorobyev | 2022-11-15 | 1 file | -1/+3
* nulstr-util: Declare NULSTR_FOREACH() iterator inline
  Daan De Meyer | 2022-11-11 | 1 file | -1/+0
* service: do fine-grained validation of CPUSchedulingPriority= at execution time
  Luca Boccassi | 2022-10-20 | 1 file | -6/+4

The precise bounds of the scheduling priority depend on the scheduling policy, so depending on the order in which the two settings are specified the validation might pass or fail. When checking the setting only validate the outer range (valid values in general are 0 to 99), and let the execution fail later if the priority does not match the specified policy (1 to 99 for RR/FIFO, 0 for the rest).

Fixes https://github.com/systemd/systemd/issues/20320
* core: make exec_directory_add() extend existing symlinks
  Yu Watanabe | 2022-10-03 | 1 file | -8/+2

Follow-up for 211a3d87fb1fe971dc42a47b4c5cc167def8ab4e.

Previously, although ExecDirectoryItem.symlinks is strv, it always contains at most one symlink.
* tree-wide: use ASSERT_PTR more
  David Tardon | 2022-09-13 | 1 file | -162/+80
* Merge pull request #24242 from msekletar/terminate-idle-sessions
  Lennart Poettering | 2022-08-25 | 1 file | -31/+0

Add option to stop idle sessions after specified timeout
  * core/load-fragment: move config_parse_sec_fix_0 to src/shared
    Michal Sekletar | 2022-08-23 | 1 file | -31/+0
* pid1: shorten advice message
  Zbigniew Jędrzejewski-Szmek | 2022-08-23 | 1 file | -2/+2
* pid1: generate warnings if old obsolete cgroupsv1 settings are used
  Lennart Poettering | 2022-08-23 | 1 file | -3/+37
* core/cgroup: CPUWeight/CPUShares support idle input
  wineway | 2022-08-11 | 1 file | -0/+2

Signed-off-by: wineway <wangyuweihx@gmail.com>
* core: cache unit file selinux label, and make decisions based on that
  Lennart Poettering | 2022-07-20 | 1 file | -0/+19

Do not go back to disk on each selinux access, but instead cache the label off the inode we are actually reading. That way unit file contents and unit file label we use for access checks are always in sync.

Based on discussions here: https://github.com/systemd/systemd/pull/10023#issuecomment-1179835586

Replaces: https://github.com/systemd/systemd/pull/23910

This changes behaviour a bit, because we'll reach and cache the label at the moment of loading the unit (i.e. usually on boot and reload), but not after relabelling. Thus, users must refresh the cache explicitly via a "systemctl daemon-reload" if they relabelled things.

This makes the SELinux story a bit more debuggable, as it adds an AccessSELinuxContext bus property to units that will report the label we are using for a unit (or the empty string if not known).

This also drops using the "source" path of a unit as label source. If there's value in it, then generators should manually copy the selinux label from the source files onto the generated unit files, so that the rule that "access labels are read when we read the definition files" is upheld. But I am not convinced this is really a necessary, good idea.
* core/load-fragment: fix error value in log_syntax()
  Yu Watanabe | 2022-07-09 | 1 file | -12/+46

`extract_first_word()` may return positive value on success.
* basic/list: drop LIST_IS_EMPTY
  Zbigniew Jędrzejewski-Szmek | 2022-07-02 | 1 file | -4/+4

This was a trivial wrapper that didn't provide any added value. With more complicated structures like strvs, hashmaps, sets, and arrays, it is possible to have an empty container. But in case of a list, the list is empty only when the head is missing. Also, we generally want the positive condition, so we replace many if (!LIST_IS_EMPTY(x)) with just if (x).
* Revert NFTSet feature
  Yu Watanabe | 2022-06-22 | 1 file | -104/+0

This reverts PR #22587 and its follow-up commit. More specifically, 2299b1cae32c1fb8911da0ce26efced68032f4f8 (partially), e176f855278d5098d3fecc5aa24ba702147d42e0, ceb46a31a01b3d3d1d6095d857e29ea214a2776b, and 51bb9076ab8c050bebb64db5035852385accda35.

The PR was merged without final approval, and has several issues:
- OSS fuzz reported issues in the conf parser,
- It calls synchronous netlink call, it should not be especially in PID1,
- The importance of NFTSet for CGroup and DynamicUser may be questionable, at least, there was no justification PID1 should support it.
- For networkd, it should be implemented with Request object,
- There is no test for the feature.

Fixes #23711. Fixes #23717. Fixes #23719. Fixes #23720. Fixes #23721. Fixes #23759.
* core: firewall integration with DynamicUserNFTSet=
  Topi Miettinen | 2022-06-08 | 1 file | -0/+17

New directive `DynamicUserNFTSet=` provides a method for integrating configuration of dynamic users into firewall rules with NFT sets.

Example:
```
table inet filter {
  set u {
    typeof meta skuid
  }
  chain service_output {
    meta skuid != @u drop
    accept
  }
}
```

```
/etc/systemd/system/dunft.service
[Service]
DynamicUser=yes
DynamicUserNFTSet=inet:filter:u
ExecStart=/bin/sleep 1000
[Install]
WantedBy=multi-user.target
```

```
$ sudo nft list set inet filter u
table inet filter {
  set u {
    typeof meta skuid
    elements = { 64864 }
  }
}
$ ps -n --format user,group,pid,command -p `pgrep sleep`
USER  GROUP  PID    COMMAND
64864 64864  55158  /bin/sleep 1000
```
* core: firewall integration with ControlGroupNFTSet=
  Topi Miettinen | 2022-06-08 | 1 file | -0/+87

New directive `ControlGroupNFTSet=` provides a method for integrating services into firewall rules with NFT sets.

Example:
```
table inet filter {
  ...
  set timesyncd {
    type cgroupsv2
  }
  chain ntp_output {
    socket cgroupv2 != @timesyncd counter drop
    accept
  }
  ...
}
```

/etc/systemd/system/systemd-timesyncd.service.d/override.conf
```
[Service]
ControlGroupNFTSet=inet:filter:timesyncd
```

```
$ sudo nft list set inet filter timesyncd
table inet filter {
  set timesyncd {
    type cgroupsv2
    elements = { "system.slice/systemd-timesyncd.service" }
  }
}
```
* core: fix comment
  Yu Watanabe | 2022-05-16 | 1 file | -1/+1
* tree-wide: replace AF_LOCAL with AF_UNIX
  Yu Watanabe | 2022-05-14 | 1 file | -1/+1
* Merge parse-socket-bind-item.? into parse-helpers.?
  Zbigniew Jędrzejewski-Szmek | 2022-04-07 | 1 file | -1/+0

That file only exported one function, and it fits nicely within the scope of "parse helpers". Let's move it there to reduce the file count a bit.

No functional change.
* Move path_simplify_and_warn() to new shared/parse-helpers.c
  Zbigniew Jędrzejewski-Szmek | 2022-04-07 | 1 file | -0/+1

This is a high-level function, and it belongs in libsystemd-shared. This way we don't end up linking a separate copy into various binaries. It would even end up in libsystemd, where it is not needed. (Maybe it'd be removed in some optimization phase, but it's better to not rely on that.)

$ grep -l -r -a 'path is not absolute%s' build/
build/libnss_systemd.so.2
build/pam_systemd_home.so
build/test-dlopen
build/src/basic/libbasic.a.p/path-util.c.o
build/src/basic/libbasic.a
build/src/shared/libsystemd-shared-249.so
build/test-bus-error
build/libnss_mymachines.so.2
build/pam_systemd.so
build/libnss_resolve.so.2
build/libnss_myhostname.so.2
build/libsystemd.so.0.32.0
build/libudev.so.1.7.2

$ grep -l -r -a 'path is not absolute%s' build/
build/src/shared/libsystemd-shared-251.a.p/parse-helpers.c.o
build/src/shared/libsystemd-shared-251.a
build/src/shared/libsystemd-shared-251.so

No functional change.
* core: command argument can be longer than PATH_MAX
  Yu Watanabe | 2022-04-06 | 1 file | -1/+1

Fixes a bug introduced by 065364920281e1cf59cab989e17aff21790505c4.

Fixes #22957.
* strv: make iterator in STRV_FOREACH() declared in the loop
  Yu Watanabe | 2022-03-19 | 1 file | -1/+0

This also avoids multiple evaluations in STRV_FOREACH_BACKWARDS()