summaryrefslogtreecommitdiff
path: root/src/shared
Commit message (Collapse)AuthorAgeFilesLines
* mount-util: add umount_and_free() helperLennart Poettering2023-05-161-0/+8
|
* watchdog: always disarm watchdog properly before closing itLennart Poettering2023-05-151-5/+10
| | | | | | | If we change the watchdog device we should disarm the old one first. Similar, if we open the watchdog, but then fail setting it up, disarm it before closing it again.
* conf-parser: Add root argument to config_parse_many()Daan De Meyer2023-05-122-3/+6
|
* mkfs-util: Add quiet argument to make_filesystem()Daan De Meyer2023-05-122-12/+30
| | | | | | | | We default to quiet operation everywhere except for repart, where we disable quiet and have the mkfs tools write to stdout. We also make sure --quiet or equivalent is implemented for all mkfs tools.
* bus-util: drop unnecessary continueYu Watanabe2023-05-091-1/+1
|
* parse-util: make parse_fd() return -EBADFYu Watanabe2023-05-082-5/+0
| | | | | | | | The previous error code -ERANGE is slightly ambiguous, and use more specific one. This also drops unnecessary error handlings. Follow-up for 754d8b9c330150fdb3767491e24975f7dfe2a203 and e652663a043cb80936bb12ad5c87766fc5150c24.
* Merge pull request #26357 from ddstreet/tpm2_policy_sessionLuca Boccassi2023-05-062-87/+129
|\ | | | | Tpm2 policy session
| * tpm2: move policy building out of policy session creationDan Streetman2023-05-051-87/+112
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | This retains the use of policy sessions instead of trial sessions in most cases, based on the code comment that some TPMs do not implement trial sessions correctly. However, it's likely that the issue was not the TPMs, but our code's incorrect use of PolicyPCR inside a trial session; we are not providing expected PCR values with our call to PolicyPCR inside a trial session, but the spec indicates that in a trial session, the TPM *may* return error if the expected PCR value(s) are not provided. That may have been the source of the original confusion about trial sessions. More details: https://github.com/systemd/systemd/pull/26357#pullrequestreview-1409983694 Also, future commits will replace the use of trial sessions with policy calculations, which avoids the problem entirely.
| * tpm2: add tpm2_is_encryption_session()Dan Streetman2023-05-052-0/+17
| |
* | shared: refuse fd == INT_MAXFrantisek Sumsal2023-05-051-0/+14
|/ | | | | | | Since we do `FD_TO_PTR(fd)` that expands to `INT_TO_PTR(fd) + 1` which triggers an integer overflow. Resolves: #27522
* Merge pull request #27536 from dtardon/checked-fd-parsingLuca Boccassi2023-05-052-9/+9
|\ | | | | Always check parsed fds for validity
| * tree-wide: use parse_fd()David Tardon2023-05-052-9/+9
| |
* | tpm2 PCRs: fix unchecked attempt to set PCR[24]OMOJOLA2023-05-051-1/+1
|/
* mount-util: simplify mount_switch_root() a bitLennart Poettering2023-05-032-37/+37
| | | | | | | | | | | | | There's no need to fchdir() out of the rootfs and back into it around the umount2(), hence don't. This brings the logic closer to what the pivot_root() man page suggests. While we are at it, always operate based on fds, once we opened the original dir, and pass the path string along only for generating messages (i.e. as "decoration"). Add tests for both code paths: the pivot_root() one and the MS_MOUNT.
* base-filesystem: unify common parts of base_filesystem_create_fd() branchesLennart Poettering2023-05-031-25/+13
| | | | | | | The error handling and fchmodat() invocation is pretty much the same in the directory and symlink branches, hence make them the same. No real change in behaviour. Just refactoring.
* base-filesystem: add new helper base_filesystem_create_fd() that operates on ↵Lennart Poettering2023-05-033-6/+17
| | | | | | | | | | | | | | | | | | an fd, instead of a path This also changes the open flags from O_RDONLY|O_NONBLOCK|O_DIRECTORY|O_CLOEXEC|O_NOFOLLOW to O_DIRECTORY|O_CLOEXEC. O_RDONLY is redundant, since O_RDONLY is zero anyway, and O_DIRECTORY pins the acces mode enough: it doesn't allow read()/write() anyway when specified. O_NONBLOCK is also pointless given that O_DIRECTORY is specified, it has no meaning on directories. (It is useful if we don't know much about the inode we are opening, and could be a device node or fifo, but the O_DIRECTORY excludes that case.) O_NOFOLLOW is dropped since there's really no point in blocking out the initial entrypoint being a symlink. Once we pinned the the root of the tree it might make sense to restrict symlink use below it, but for the entrypoint itself it doesn't matter.
* switch-root: don't require /mnt/ when switching root into host OSLennart Poettering2023-05-032-40/+49
| | | | | | | | | | | | | | | | So far, we invoked pivot_root() specifying /mnt/ as second argument, which then unmounted right-after. We'd create /mnt/ if needed. This sucks, because it means /mnt/ must strictly be pre-created on immutable images. Remove this limitation, by using pivot_root() with "." as source and target, which will result in two stacked mounts afterwards: the new one underneath, the old one ontop. We can then simply unmount the top one, and have what we want without needing any extra /mnt/ dir. Since we don't need /mnt/ anymore we can get rid of the extra unmount_old_root parameter and simply specify it as NULL if we don't want the old mount to stick around.
* Merge pull request #27504 from mrc0mmand/fuzz-manager-serializeYu Watanabe2023-05-032-1/+6
|\ | | | | test: add a simple fuzzer for manager serialization
| * shared: reject empty attachment pathFrantisek Sumsal2023-05-031-0/+3
| |
| * shared: ignore invalid valink socket fd when deserializingFrantisek Sumsal2023-05-031-1/+3
| |
* | Merge pull request #27492 from poettering/base-filesystem-000Mike Yuan2023-05-022-6/+4
|\ \ | | | | | | base-filesystem: create /proc, /sys, /dev mount points as 555
| * | mount-setup: use size_t when iterating through array indexesLennart Poettering2023-05-021-3/+1
| | |
| * | base-filesystem: create /proc, /sys, /dev mount points as 0555Lennart Poettering2023-05-021-3/+3
| |/ | | | | | | | | | | | | | | | | | | | | | | | | | | | | These inodes are going to be overmounted anyway, hence let's create them with access mode 555, so that they are as close to being immutable as regular UNIX access modes allow them to be. In other words: this takes the "w" mode away for root. This of course usually has little effect -- unless CAP_DAC_OVERRIDE is dropped. But at the very least it makes the point clear that inodes should be considered immutable. (I intended to make this 0000 originally, but that doesn't work, as many tools – including our own – have fallback paths that when they see ENOENT in /proc/ they can handle this gracefully. But changing the mode to 000 would turn this to EACCES - something they usually have no fallback path for)
* | tree-wide: Handle EADDRNOTAVAIL as journal corruptionDaan De Meyer2023-05-021-6/+6
|/ | | | | Journal corruption is not only indicated by EBADMSG but also by EADDRNOTAVAIL so treat that as corruption in a few more cases.
* tpm2: move openssl-required ifdef code out of policy-building functionDan Streetman2023-05-011-40/+58
|
* copy: shortcut reflink_range() to reflink() in some casesLennart Poettering2023-04-281-0/+6
|
* copy: don't call clone ioctls twiceLennart Poettering2023-04-281-9/+5
| | | | | The btrfs name and the generic name have the same values, hence there's no point in bothering with the former.
* Merge pull request #27440 from yuwata/reflink-follow-upsLuca Boccassi2023-04-282-3/+3
|\ | | | | copy: follow ups for reflink()
| * copy: rename reflink_full() -> reflink_range()Yu Watanabe2023-04-282-3/+3
| | | | | | | | | | | | | | | | | | | | | | | | The commit b640e274a7c363a2b6394c9dce5671d9404d2e2a introduced reflink() and reflink_full(). We usually name function xyz_full() for fully parameterized version of xyz(), and xyz() is typically a inline alias of xyz_full(). But in this case, reflink() and reflink_full() call different ioctl(). Moreover, reflink_full() does partial reflink, while reflink() does full file reflink. That's super confusing. Let's rename reflink_full() to reflink_range(), the new name is consistent with ioctl name, and should be fine.
* | Merge pull request #27424 from dtardon/auto-cleanupYu Watanabe2023-04-281-5/+4
|\ \ | |/ |/| More automatic cleanup
| * specifier: use _cleanup_David Tardon2023-04-271-5/+4
| |
* | copy: Introduce reflink() and reflink_full()Daan De Meyer2023-04-284-39/+54
| | | | | | | | | | | | The kernel has had filesystem independent reflink ioctls for a while now, let's try to use them and fall back to the btrfs specific ones if they're not supported.
* | pam-systemd: disconnect bus connection when leaving session hook, even on errorLennart Poettering2023-04-272-24/+90
| | | | | | | | | | | | | | | | | | | | | | | | | | | | This adds support for systematically destroying connections in pam_sm_session_open() even on failure, so that under no circumstances unserved dbus connection are around while the invoking process waits for the session to end. Previously we'd only do this on success, now do it in all cases. This matters since so far we suggested people hook pam_systemd into their pam stacks prefixed with "-", so that login proceeds even if pam_systemd fails. This however means that in an error case our cached connection doesn't get disconnected even if the session then is invoked. This fixes that.
* | pam-util: include PID in PAM data field idLennart Poettering2023-04-271-2/+19
| | | | | | | | | | | | | | | | | | | | | | | | Let's systematically avoid sharing cached busses between processes (i.e. from parent and child after fork()), by including the PID in the field name. With that we're never tempted to use a bus object the parent created in the child. (Note this is about *use*, not about *destruction*. Destruction needs to be checked by other means.)
* | Merge pull request #25622 from YHNdnzj/tmpfiles-X-bit-supportMike Yuan2023-04-272-12/+63
|\ \ | | | | | | tmpfiles: add conditionalized execute permission (X) support
| * | tmpfiles: add conditionalized execute bit (X) supportMike Yuan2023-04-272-12/+63
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | According to setfacl(1), "the character X stands for the execute permission if the file is a directory or already has execute permission for some user." After this commit, parse_acl() would return 3 acl objects. The newly-added acl_exec object contains entries that are subject to conditionalized execute bit mangling. In tmpfiles, we would iterate the acl_exec object, check the permission of the target files, and remove the execute bit if necessary. Here's an example entry: A /tmp/test - - - - u:test:rwX Closes #25114
* | | core: change ownership of subcgroup we create recursively, it shall be owned ↵Lennart Poettering2023-04-272-0/+77
| | | | | | | | | | | | | | | | | | | | | | | | | | | by the user delegated to If we create a subcroup (regardless if the '.control' subgroup we always created or one configured via DelegateSubgroup=) it's inside of the delegated territory of the cgroup tree, hence it should be owned fully by the unit's users. Hence do so.
* | | core: add DelegateSubgroup= settingLennart Poettering2023-04-271-1/+2
|/ / | | | | | | | | | | | | | | | | | | | | | | | | | | | | This implements a minimal subset of #24961, but in a lot more restrictive way: we only allow one level of subcgroup (as that's enough to address the no-processes in inner cgroups rule), and does not change anything about threaded cgroup logic or similar, or make any of this new behaviour mandatory. All this does is this: all non-control processes we invoke for a unit we'll invoke in a subgroup by the specified name. We'll later port all our current services that use cgroup delegation over to this, i.e. user@.service, systemd-nspawn@.service and systemd-udevd.service.
* | image-policy: split out code that "extends" underspecified partition policy ↵Lennart Poettering2023-04-272-14/+28
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | flags When encoding partition policy flags we allow parts of the flags to be "unspecified" (i.e. entirely zeros), which when actually checking the policy we'll automatically consider equivalent to "any" (i.e. entirely ones). This "extension" of the flags was so far done as part of partition_policy_normalized_flags(). Let's split this logic out into a new function partition_policy_flags_extend() that simply sets all bits in a specific part of the flags field if they were entirely zeroes so far. When comparing policy objects for equivalence we so far used partition_policy_normalized_flags() to compare the per-designator flags, which thus meant that "underspecified" flags, and fully specified ones that are set to "any" were considered equivalent. Which is great. However, we forgot to do that for the fallback policy flags, the flags that apply to all partitions for which no explicit policy flags are specified. Let's use the new partition_policy_flags_extend() call to compare them in extended form, so that there two we can hide the difference between "underspecified" and "any" flags.
* | Merge pull request #27421 from bluca/coredump_filterLuca Boccassi2023-04-262-3/+6
|\ \ | | | | | | CoredumpFilter: fix stack overflow and invalid assignment with 'all'
| * | coredump filter: add mask for 'all' using UINT32_MAX, not UINT64_MAXLuca Boccassi2023-04-262-1/+4
| | | | | | | | | | | | | | | | | | The kernel returns ERANGE when UINT64_MAX is passed. Create a mask and use UINT32_max, which is accepted, so that future bits will also be set.
| * | coredump filter: fix stack overflow with =allLuca Boccassi2023-04-261-2/+2
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | We translate 'all' to UNIT64_MAX, which has a lot more 'f's. Use the helper macro, since a decimal uint64_t will always be >> than a hex representation. root@image:~# systemd-run -t --property CoredumpFilter=all ls /tmp Running as unit: run-u13.service Press ^] three times within 1s to disconnect TTY. *** stack smashing detected ***: terminated [137256.320511] systemd[1]: run-u13.service: Main process exited, code=dumped, status=6/ABRT [137256.320850] systemd[1]: run-u13.service: Failed with result 'core-dump'.
* | | image-policy: correct two commentsLennart Poettering2023-04-261-2/+2
|/ /
* | Merge pull request #27408 from keszybz/creds-missing-messageZbigniew Jędrzejewski-Szmek2023-04-261-7/+11
|\ \ | | | | | | Adjust messages when credentials are missing
| * | shared/creds-util: return 0 for missing creds in read_credential_strings_manyZbigniew Jędrzejewski-Szmek2023-04-251-7/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Realistically, the only thing that the caller can do is ignore failures related to missing credentials. If the caller requires some credentials to be present, they should just check which output variables are not NULL. One of the callers was already doing that, and the other wanted to, but missed -ENOENT. By suppressing -ENOENT and -ENXIO, both callers are simplified. Fixes a warning at boot: systemd-vconsole-setup[221]: Failed to import credentials, ignoring: No such file or directory
* | | Merge pull request #26944 from ↵Zbigniew Jędrzejewski-Szmek2023-04-262-20/+36
|\ \ \ | | | | | | | | | | | | | | | | aafeijoo-suse/systemd-network-generator-initrd-fix network-generator: do not parse kernel command line more than once
| * | | generator: add generator_open_unit_file_full to allow creating temporary unitsAntonio Alvarez Feijoo2023-04-102-20/+36
| | | | | | | | | | | | | | | | | | | | This function is like `generator_open_unit_file`, but if `ret_temp_path` is passed, a temporary unit is created instead.
* | | | mount-util: split remount_idmap() in twoLennart Poettering2023-04-252-15/+20
| |/ / |/| | | | | | | | | | | | | | | | | | | | This will make things a bit longer for now, but more powerful as we can reuse the userns fd between calls to remount_idmap() if we need to adjust multiple mounts. No change in behaviour, just some minor refactoring.
* | | pam: do not attempt to close sd-bus after fork in pam_end()Luca Boccassi2023-04-251-0/+11
| | | | | | | | | | | | | | | | | | | | | When pam_end() is called after a fork, and it cleans up caches, it sets PAM_DATA_SILENT in error_status. FDs will be shared with the parent, so we do not want to attempt to close them from a child process, or we'll hit assertions. Complain loudly and skip.
* | | user-record-nss: make return values optionalLennart Poettering2023-04-251-14/+12
| | | | | | | | | | | | | | | If we only want to know if some user ID/user name is already allocated, we don't care for the returned data.
View Lorry Controller Status