path: root/src/coredump
Commit message (Author, Age, Files, Lines)
* dissect-image: port mount_image_privately_interactively() to use /run/systemd/mount-rootfs/ too (Lennart Poettering, 2023-05-16, 1 file, -1/+1)
  Let's use the same common directory as the unit logic uses. This means we have less to clean up, and opens the door to eventually allow unprivileged operation of the mount_image_privately_interactively() logic.
* Merge pull request #27254 from poettering/cmsg-align-check (Yu Watanabe, 2023-04-14, 1 file, -1/+1)
  socket-util: tighten CMSG_TYPED_DATA() alignment checks
| * tree-wide: port more code over to CMSG_TYPED_DATA() (Lennart Poettering, 2023-04-13, 1 file, -1/+1)
* | image-policy: introduce parse_image_policy_argument() helper (Yu Watanabe, 2023-04-13, 1 file, -14/+8)
    Addresses https://github.com/systemd/systemd/pull/25608/commits/84be0c710d9d562f6d2cf986cc2a8ff4c98a138b#r1060130312, https://github.com/systemd/systemd/pull/25608/commits/84be0c710d9d562f6d2cf986cc2a8ff4c98a138b#r1067927293, and https://github.com/systemd/systemd/pull/25608/commits/84be0c710d9d562f6d2cf986cc2a8ff4c98a138b#r1067926416.
    Follow-up for 84be0c710d9d562f6d2cf986cc2a8ff4c98a138b.
* tree-wide: hook up image dissection policy logic everywhere (Lennart Poettering, 2023-04-05, 1 file, -18/+36)
* chase-symlinks: Rename chase_symlinks() to chase() (Daan De Meyer, 2023-03-24, 1 file, -4/+4)
  Chasing symlinks is a core function that's used in a lot of places so it deserves a less verbose name so let's rename it to chase() and chaseat().
  We also slightly change the pattern used for the chaseat() helpers so we get chase_and_openat() and similar.
* coredump: split out parse_auxv() to src/shared/ (Zbigniew Jędrzejewski-Szmek, 2023-03-23, 1 file, -69/+5)
  No functional change. (We already checked for ELFCLASS32 or ELFCLASS64 before, so even though there's a new check for other architectures, the only caller only passes ELFCLASS32 or ELFCLASS64.)
* coredump: use unaligned_read_ne{32,64}() to parse auxv (Yu Watanabe, 2023-03-22, 1 file, -89/+60)
  Fixes a bug introduced by 3e4d0f6cf99f8677edd6a237382a65bfe758de03.
  The auxv metadata is unaligned, as the length of the prefix "COREDUMP_PROC_AUXV=" is 19. Hence, parse_auxv{32,64}() may trigger an undefined behavior (or at least cause slow down), which can be detected when running on an undefined behavior sanitizer.
  This also introduces a macro to define `parse_auxv{32,64}()`.
  Fixes #26912.
* tree-wide: simplify x ? x : y to x ?: y where applicable (Frantisek Sumsal, 2023-03-18, 1 file, -1/+1)
* Merge pull request #26784 from DaanDeMeyer/chase-fix (Daan De Meyer, 2023-03-15, 1 file, -1/+1)
  Allow creating files and directories with chase_symlinks_open() and further improvements
| * chase-symlinks: Remove unused ret_fd arguments (Daan De Meyer, 2023-03-14, 1 file, -1/+1)
* | conf: replace config_parse_many_nulstr() with config_parse_config_file() (Franck Bui, 2023-03-14, 1 file, -8/+3)
    All daemons use a similar scheme to read their main config files and their drop-ins. The main config files are always stored in /etc/systemd directory and it's easy enough to construct the name of the drop-in directories based on the name of the main config file.
    Hence the new helper does that internally, which allows to reduce and simplify the args passed previously to config_parse_many_nulstr().
    Besides the overall code simplification it results:
      16 files changed, 87 insertions(+), 159 deletions(-)
    it allows to identify clearly the locations in the code where configuration files are parsed.
* tmpfile-util: teach link_tmpfile() to optionally replace files (Lennart Poettering, 2023-03-03, 1 file, -1/+1)
* meson: Use dicts for test definitions (Jan Janssen, 2023-02-21, 1 file, -3/+7)
  Although this is slightly more verbose it makes it much easier to reason about. The code that produces the tests heavily benefits from this.
  Test lists are also now sorted by test name.
* dissect-image: Return mount point fd if requested (Daan De Meyer, 2023-02-17, 1 file, -0/+1)
* log: add common helper log_set_target_and_open() (Lennart Poettering, 2023-02-16, 1 file, -6/+3)
  quite often we want to set a log target and immediately open it. Add a common helper for that.
* meson: Do not include headers in source lists (Jan Janssen, 2023-01-24, 1 file, -3/+2)
  Meson+ninja+compiler do this for us and are better at it.
  https://mesonbuild.com/FAQ.html#do-i-need-to-add-my-headers-to-the-sources-list-like-in-autotools
* coredump: use fstatvfs to check the available space (Dmitry V. Levin, 2023-01-17, 1 file, -1/+1)
  Given that we already have the file descriptor opened for writing, it would make sense to call fstatvfs with that file descriptor rather than statvfs with the directory path that was used to open that descriptor.
* coredump: re-document raised default dump sizes (Jan Engelhardt, 2023-01-11, 1 file, -2/+3)
  Commit v250-767-ge677041e7a updated the built-in configuration, but missed the accompanying documentation.
* Merge pull request #25789 from yuwata/EBADF (Lennart Poettering, 2022-12-20, 1 file, -1/+1)
  tree-wide: use -EBADF more
| * tree-wide: use -EBADF more (Yu Watanabe, 2022-12-21, 1 file, -1/+1)
* | Merge branch 'systemd-security/coredump-capabilities' (Zbigniew Jędrzejewski-Szmek, 2022-12-20, 1 file, -41/+211)
    CVE-2022-4415: systemd: coredump not respecting fs.suid_dumpable kernel setting
    Affects systemd >= 247 with libacl support enabled.
    This is a merge of https://github.com/systemd/systemd-security/pull/12/.
    I'm doing the merge locally because github doesn't support merging directly from systemd/systemd-security to systemd/systemd.
| * coredump: do not allow user to access coredumps with changed uid/gid/capabilities (Zbigniew Jędrzejewski-Szmek, 2022-12-07, 1 file, -13/+183)
    When the user starts a program which elevates its permissions via setuid, setgid, or capabilities set on the file, it may access additional information which would then be visible in the coredump. We shouldn't make the coredump visible to the user in such cases.
    Reported-by: Matthias Gerstner <mgerstner@suse.de>
    This reads the /proc/<pid>/auxv file and attaches it to the process metadata as PROC_AUXV. Before the coredump is submitted, it is parsed and if either at_secure was set (which the kernel will do for processes that are setuid, setgid, or setcap), or if the effective uid/gid don't match uid/gid, the file is not made accessible to the user. If we can't access this data, we assume the file should not be made accessible either.
    In principle we could also access the auxv data from a note in the core file, but that is much more complex and it seems better to use the stand-alone file that is provided by the kernel.
    Attaching auxv is both convenient for this patch (because this way it's passed between the stages along with other fields), but I think it makes sense to save it in general.
    We use the information early in the core file to figure out if the program was 32-bit or 64-bit and its endianness. This way we don't need heuristics to guess whether the format of the auxv structure. This test might reject some cases on fringe architectures. But the impact would be limited: we just won't grant the user permissions to view the coredump file. If people report that we're missing some cases, we can always enhance this to support more architectures.
    I tested auxv parsing on amd64, 32-bit program on amd64, arm64, arm32, and ppc64el, but not the whole coredump handling.
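
The auxv check described in the commit message above, combined with the unaligned-read issue from the later "use unaligned_read_ne{32,64}() to parse auxv" fix, sketched in C as an added example; it is not systemd's code. The function names, the fail-closed handling of a missing AT_NULL terminator, and the native-endian assumption are choices of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* auxv keys as defined in <elf.h>; repeated here so the example is self-contained */
enum { K_NULL = 0, K_UID = 11, K_EUID = 12, K_GID = 13, K_EGID = 14, K_SECURE = 23 };
#define PREFIX "COREDUMP_PROC_AUXV="   /* 19 bytes, so the payload after it is unaligned */

/* Read one native-endian word of 4 or 8 bytes; memcpy has no alignment requirement. */
static uint64_t read_word(const uint8_t *p, size_t width) {
    uint32_t v32; uint64_t v64;
    if (width == 4) { memcpy(&v32, p, 4); return v32; }
    memcpy(&v64, p, 8); return v64;
}

/* True only if auxv shows an unprivileged process; missing or truncated data fails closed. */
bool auxv_allows_user_access(const uint8_t *auxv, size_t len, size_t width) {
    uint64_t v[5] = {0};            /* uid, euid, gid, egid, secure */
    unsigned seen = 0;              /* one bit per field found */
    if (width != 4 && width != 8) return false;
    for (size_t off = 0; off + 2 * width <= len; off += 2 * width) {
        uint64_t key = read_word(auxv + off, width);
        uint64_t val = read_word(auxv + off + width, width);
        int i = key == K_UID ? 0 : key == K_EUID ? 1 : key == K_GID ? 2 :
                key == K_EGID ? 3 : key == K_SECURE ? 4 : -1;
        if (key == K_NULL)          /* terminator: decide now */
            return seen == 0x1f && !v[4] && v[0] == v[1] && v[2] == v[3];
        if (i >= 0) { v[i] = val; seen |= 1u << i; }
    }
    return false;                   /* no AT_NULL seen: treat as truncated */
}

/* Constructed sample: journal-style field with 64-bit auxv pairs after the prefix. */
size_t build_sample(uint8_t *buf, uint64_t euid, uint64_t secure, bool terminate) {
    uint64_t pairs[] = { K_UID, 1000, K_EUID, euid, K_GID, 1000, K_EGID, 1000,
                         K_SECURE, secure, K_NULL, 0 };
    size_t n = sizeof pairs - (terminate ? 0 : 2 * sizeof pairs[0]);
    memcpy(buf, PREFIX, sizeof PREFIX - 1);
    memcpy(buf + sizeof PREFIX - 1, pairs, n);
    return sizeof PREFIX - 1 + n;
}

int main(void) {
    uint8_t buf[128];
    size_t n = build_sample(buf, 0, 1, true);          /* setuid-root style process */
    return auxv_allows_user_access(buf + 19, n - 19, 8) ? 1 : 0;
}
```
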
| * coredump: adjust whitespace (Zbigniew Jędrzejewski-Szmek, 2022-12-02, 1 file, -28/+28)
* | tree-wide: use -EBADF for fd initialization (Zbigniew Jędrzejewski-Szmek, 2022-12-19, 2 files, -11/+11)
    -1 was used everywhere, but -EBADF or -EBADFD started being used in various places. Let's make things consistent in the new style.
    Note that there are two candidates:
      EBADF 9 Bad file descriptor
      EBADFD 77 File descriptor in bad state
    Since we're initializing the fd, we're just assigning a value that means "no fd yet", so it's just a bad file descriptor, and the first errno fits better. If instead we had a valid file descriptor that became invalid because of some operation or state change, the other errno would fit better.
    In some places, initialization is dropped if unnecessary.
* | coredump: cescape invalid json data before logging (Zbigniew Jędrzejewski-Szmek, 2022-12-14, 1 file, -3/+5)
    In both cases, the json string is short, so we can print it, which is useful for diagnosing invalid data in packages. But we need to escape non-printable characters.
    https://bugzilla.redhat.com/show_bug.cgi?id=2152685
    I went over the rest of the codebase, and it seems that other calls to json_parse() don't have this problem.
* Rename def.h to constants.h (Zbigniew Jędrzejewski-Szmek, 2022-11-08, 1 file, -1/+1)
  The name "def.h" originates from before the rule of "no needless abbreviations" was established. Let's rename the file to clarify that it contains a collection of various semi-related constants.
* basic: move version() to build.h+c (Zbigniew Jędrzejewski-Szmek, 2022-11-08, 1 file, -1/+1)
* basic,shared: move disable_coredumps() to coredump-util.[ch] (Zbigniew Jędrzejewski-Szmek, 2022-11-08, 1 file, -0/+1)
* coredumpctl: add --root= + --image= to --help text (Lennart Poettering, 2022-10-25, 1 file, -0/+2)
* coredumpctl: Add support for the --root option (after merge fixes) (Richard Phibel, 2022-10-10, 1 file, -10/+9)
* coredumpctl: Add support for the --image option (Richard Phibel, 2022-10-03, 1 file, -2/+34)
* coredumpctl: Add support for the --root option (Richard Phibel, 2022-10-03, 1 file, -4/+76)
  With this option, coredumpctl looks for journal files under the specified root directory
* shared/format-table: use enum instead of Table.empty_string (Zbigniew Jędrzejewski-Szmek, 2022-09-22, 1 file, -1/+1)
  All users were setting this to some static string (usually "-"), so let's simplify things by not doing strdup, but instead limiting callers to a fixed set of values. In preparation for the next commit, the function is renamed from "empty" to "replacement", because it'll be used for more than empty fields.
  I didn't do the whole string-table setup, because it's all used internally in one file and this way we can immediately assert if an invalid value is passed in.
  Some callers were (void)ing the error, others were ignoring it, and others propagating. It's nicer to remove the boilerplate.
* coredumpctl: rename table entry (Zbigniew Jędrzejewski-Szmek, 2022-09-17, 1 file, -1/+1)
  "Disk Size" could be mistaken for "Size of the Disk".
* coredump: drop an unused variable (Frantisek Sumsal, 2022-08-20, 1 file, -2/+0)
* coredumpctl: Use BusLocator functions (Alexander Wilson, 2022-07-21, 1 file, -7/+2)
* coredump: Try to write journald coredump metadata to the journal (Daan De Meyer, 2022-07-15, 1 file, -6/+26)
  Currently, if journald coredumps, the coredump is written to /var/lib/systemd/coredump but the coredump metadata is not written to the journal meaning we can't find out about the coredump's existence via the journal. This means that coredumpctl can't be used to work with journald coredumps, as well as any other tools that rely on journald to know about coredumps.
  To solve the issue, let's have systemd-coredump try to write systemd-journald coredump metadata to the journal. We have to be careful though, since if journald coredumps, there's no active reader on the receive end of the journal socket, so we have to make sure we don't deadlock trying to write to the socket. To avoid the deadlock, we put the socket in nonblocking mode before trying to write to it.
* coredump: Connect stdout/stderr to /dev/null before doing anything (Daan De Meyer, 2022-07-15, 1 file, -0/+7)
  When invoked as the coredump handler by the kernel, systemd-coredump's stdout and stderr streams are closed. This is dangerous as this means the fd's can get reallocated, leading to hard to debug errors such as log messages ending up being appended to a compressed coredump file.
  To avoid such issues in the future, let's bind stdout/stderr to /dev/null so the file descriptors can't get used for anything else.
* coredump: Fix format string type mismatch (Daan De Meyer, 2022-05-22, 1 file, -2/+2)
  Fixes #23471
* tree-wide: port various users over to connect_unix_path() (Lennart Poettering, 2022-05-14, 1 file, -7/+3)
  Let's make use of our new helper, and thus allow longer paths.
* meson: use a single constant for default compression setting (Zbigniew Jędrzejewski-Szmek, 2022-04-22, 1 file, -1/+1)
  Suggested by Daniele Nicolodi: https://github.com/systemd/systemd/pull/23160#discussion_r855853716
  This is possible only if the macro is never used in #if, but only in C code. This means that all places that use #if have to be refactored into C, but we reduce the duplication a bit, and C is nicer to read than preprocessor conditionals.
* tree-wide: add a space after if, switch, for, and while (Yu Watanabe, 2022-04-01, 1 file, -1/+1)
* strv: make iterator in STRV_FOREACH() declared in the loop (Yu Watanabe, 2022-03-19, 1 file, -1/+0)
  This also avoids multiple evaluations in STRV_FOREACH_BACKWARDS()
* meson: do not use split() in file lists (Zbigniew Jędrzejewski-Szmek, 2022-03-02, 1 file, -5/+4)
  The approach to use '''…'''.split() instead of a list of strings was initially used when converting from automake because it allowed identical blocks of lines to be used for both, making the conversion easier. But over the years we have been using normal lists more and more, especially when there were just a few filenames listed. This converts the rest.
  No functional change.
* coredump: fix inode check (Lennart Poettering, 2022-02-14, 1 file, -1/+1)
  When checking if we look at the root directory we actually need to compare both st_dev *and* st_ino. The existing check only checked the latter. Fix that.
* tree-wide: port various places over to new stat_inode_same() helper (Lennart Poettering, 2022-02-14, 1 file, -3/+2)
* coredump: raise the coredump save size on 64bit systems to 32G (and lower it to 1G on 32bit systems) (Lennart Poettering, 2022-02-08, 1 file, -2/+8)
  Apparently 2G is too low for various real-life systems. But raising it universally above 2^32 sounds wrong to me, since that makes no sense on 32bit systems, that we still support.
  Hence, let's raise the limit to 32G on 64bit systems, and *lower* it to 1G on 32bit systems.
  32G is 4 orders of magnitude higher than the old settings. Let's hope that's enough for now. Should this not be enough we can raise it further.
  Fixes: #22076
* meson: Use files() for tests (Jan Janssen, 2022-01-11, 1 file, -3/+3)
  Not having to provide the full path in the source tree is much nicer and the produced lists can also be used anywhere in the source tree.
* coredump: drop unnecessary initialization (Yu Watanabe, 2022-01-05, 1 file, -1/+2)