| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
|
|
|
|
|
|
| |
/run/systemd/mount-rootfs/ too
Let's use the same common directory as the unit logic uses.
This means we have less to clean up, and opens the door to eventually
allow unprivileged operation of the
mount_image_privately_interactively() logic.
|
|
|
|
|
| |
If '+' is specified with 'C', let's merge the tree with any existing
tree.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
According to setfacl(1), "the character X stands for
the execute permission if the file is a directory
or already has execute permission for some user."
After this commit, parse_acl() would return 3 acl
objects. The newly-added acl_exec object contains
entries that are subject to conditionalized execute
bit mangling. In tmpfiles, we would iterate the acl_exec
object, check the permission of the target files,
and remove the execute bit if necessary.
Here's an example entry:
A /tmp/test - - - - u:test:rwX
Closes #25114
|
| |
|
|
|
|
|
|
|
|
|
| |
Addresses
https://github.com/systemd/systemd/pull/25608/commits/84be0c710d9d562f6d2cf986cc2a8ff4c98a138b#r1060130312,
https://github.com/systemd/systemd/pull/25608/commits/84be0c710d9d562f6d2cf986cc2a8ff4c98a138b#r1067927293, and
https://github.com/systemd/systemd/pull/25608/commits/84be0c710d9d562f6d2cf986cc2a8ff4c98a138b#r1067926416.
Follow-up for 84be0c710d9d562f6d2cf986cc2a8ff4c98a138b.
|
| |
|
|
|
|
|
|
| |
Similar to what we do for directories, just before we remove a file,
let's try to take a BSD lock on it. If that fails, skip removing the
file.
|
|
|
|
|
|
|
|
|
| |
Chasing symlinks is a core function that's used in a lot of places
so it deservers a less verbose names so let's rename it to chase()
and chaseat().
We also slightly change the pattern used for the chaseat() helpers
so we get chase_and_openat() and similar.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
In various tools and services we have a per-system and per-user concept.
So far we sometimes used a boolean indicating whether we are in system
mode, or a reversed boolean indicating whether we are in user mode, or
the LookupScope enum used by the lookup path logic.
Let's address that, in introduce a common enum for this, we can use all
across the board.
This is mostly just search/replace, no actual code changes.
|
|
|
|
|
|
|
| |
Although this slightly more verbose it makes it much easier to reason
about. The code that produces the tests heavily benefits from this.
Test lists are also now sorted by test name.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
Starting with commit 2f3b873a4973, when the path contains a specifier
and the argument is omitted, tmpfiles used to perform specifier
expansions twice: first specifier expansion was applied to the path
itself, and afterwards the result of the first expansion was used
in the constructed argument and expanded once again.
Resolves: #26244
Fixes: 2f3b873a4973 ("tmpfiles: copy/link /usr/share/factory/ files when the source argument is omitted")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Make sure the argument of "C" type undergoes specifier expansion
before it's checked for validity. In particular, starting with
commit ce610af143b2, the check for path existence used to fail
in case of presence of any specifier in the argument.
Also, starting with commit 2f3b873a4973, when the path contains
a specifier and the argument is omitted, tmpfiles used to perform
specifier expansions twice: first specifier expansion was applied
to the path itself, and afterwards the result of the first expansion
was used in the constructed argument and expanded once again.
Finally, starting with commit 849958d1ba35, when the argument begins
with %h specifier, tmpfiles used to complain that the source path
is not absolute.
Resolves: #25381
Fixes: ce610af143b2 ('tmpfiles: in C lines, make missing source graceful error')
Fixes: 2f3b873a4973 ('tmpfiles: copy/link /usr/share/factory/ files when the source argument is omitted')
Fixes: 849958d1ba35 ('tmpfiles: add new "C" line for copying files or directories')
|
|
|
|
|
|
| |
Meson+ninja+compiler do this for us and are better at it.
https://mesonbuild.com/FAQ.html#do-i-need-to-add-my-headers-to-the-sources-list-like-in-autotools
|
| |
|
|
|
|
| |
Fixes CID#1501687.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When built with ACL support, we might be processing a tmpfiles
entry where there's no cause for us to call parse_acls_from_arg,
then we get to the end of parse_line without having ever populated
i.{acl_access, acl_default}.
Then we pass a null pointer into acl_free().
From UBSAN w/ GCC 13.0.0_pre20230101:
```
$ systemd-tmpfiles --clean
/var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44:14: runtime error: applying non-zero offset 18446744073709551608 to null pointer
#0 0x7f65d868b482 in acl_free /var/tmp/portage/sys-apps/acl-2.3.1-r1/work/acl-2.3.1/libacl/acl_free.c:44
#1 0x55fe7e592249 in item_free_contents ../systemd-9999/src/tmpfiles/tmpfiles.c:2855
#2 0x55fe7e5a347a in parse_line ../systemd-9999/src/tmpfiles/tmpfiles.c:3158
#3 0x55fe7e5a347a in read_config_file ../systemd-9999/src/tmpfiles/tmpfiles.c:3897
#4 0x55fe7e590c61 in read_config_files ../systemd-9999/src/tmpfiles/tmpfiles.c:3985
#5 0x55fe7e590c61 in run ../systemd-9999/src/tmpfiles/tmpfiles.c:4157
#6 0x55fe7e590c61 in main ../systemd-9999/src/tmpfiles/tmpfiles.c:4218
#7 0x7f65d7ebe289 (/usr/lib64/libc.so.6+0x23289)
#8 0x7f65d7ebe344 in __libc_start_main (/usr/lib64/libc.so.6+0x23344)
#9 0x55fe7e591900 in _start (/usr/bin/systemd-tmpfiles+0x11900)
```
|
|
|
|
|
|
|
| |
If less than three parameters are passed a simple comparison is the
better choice.
Lo and behold this found two pretty bad typos.
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
-1 was used everywhere, but -EBADF or -EBADFD started being used in various
places. Let's make things consistent in the new style.
Note that there are two candidates:
EBADF 9 Bad file descriptor
EBADFD 77 File descriptor in bad state
Since we're initializating the fd, we're just assigning a value that means
"no fd yet", so it's just a bad file descriptor, and the first errno fits
better. If instead we had a valid file descriptor that became invalid because
of some operation or state change, the other errno would fit better.
In some places, initialization is dropped if unnecessary.
|
|
|
|
|
|
| |
RUN_WITH_UMASK was initially conceived for spawning externals progs with the
umask set. But nowadays we use it various syscalls and stuff that doesn't "run"
anything, so the "RUN_" prefix has outlived its usefulness.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In provision.conf we ship:
d- /root :0700 root :root -
d- /root/.ssh :0700 root :root -
These are allowed to fail, for example on a read-only filesystem. But they still
log at error level, which is annoying and gets flagged. Tune those specific errors
down to info.
There are likely more that could be tuned down, but the important thing is to cover
the tmpfiles.d that we ship right now.
Before:
$ echo -e "d- /root :0700 root :root - \nd- /root/.ssh :0700 root :root -" | SYSTEMD_LOG_LEVEL=err build/systemd-tmpfiles --root=/tmp/img --create -
Failed to create directory or subvolume "/tmp/img/root": Read-only file system
Failed to open path '/tmp/img/root': No such file or directory
$
After:
$ echo -e "d- /root :0700 root :root - \nd- /root/.ssh :0700 root :root -" | SYSTEMD_LOG_LEVEL=err build/systemd-tmpfiles --root=/tmp/img --create -
$
|
|
|
|
|
|
|
| |
Let's move them out of the generic, already very long strv.[ch] module
into the more specific nulst-util.[ch]
No code changes.
|
| |
|
|
|
|
|
|
| |
The name "def.h" originates from before the rule of "no needless abbreviations"
was established. Let's rename the file to clarify that it contains a collection
of various semi-related constants.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When installing systemd 252 in debian:
Setting up systemd (252~rc3-2) ...
Installing new version of config file /etc/systemd/logind.conf ...
Installing new version of config file /etc/systemd/system.conf ...
Installing new version of config file /etc/systemd/user.conf ...
/usr/lib/tmpfiles.d/provision.conf:13: Credential 'login.motd' not specified, skipping line.
/usr/lib/tmpfiles.d/provision.conf:14: Credential 'login.issue' not specified, skipping line.
/usr/lib/tmpfiles.d/provision.conf:17: Credential 'network.hosts' not specified, skipping line.
/usr/lib/tmpfiles.d/provision.conf:22: Credential 'ssh.authorized_keys.root' not specified, skipping line.
/usr/lib/tmpfiles.d/systemd.conf:43: Copy source path '/.extra/tpm2-pcr-signature.json' does not exist, skipping line.
/usr/lib/tmpfiles.d/systemd.conf:44: Copy source path '/.extra/tpm2-pcr-public-key.pem' does not exist, skipping line.
Downgrade to debug level
|
|
|
|
|
|
|
| |
Oct 03 17:33:20 systemd-tmpfiles[872]: Assertion 'IN_SET(i->type, CREATE_BLOCK_DEVICE|CREATE_CHAR_DEVICE)' failed at src/tmpfiles/tmpfiles.c:1837, function create_device(). Aborting.
I think this is caused by the line:
b! /dev/private/smartmontools-dev/sda 0660 root disk - 8:0
|
|
|
|
|
|
|
|
|
|
| |
If we're running with --root, or in a chroot (*), it's expected that machine-id
and other specifiers will be unresolvable, so downgrade the warning to debug.
Fixes #24655.
(*) sd_booted() in principle means more than that, but nowadays systemd
dominates and those others things are infrequently seen.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In 6ec4c852c910b1aca649e87ba3143841334f01fa I changed specifier_machine_id() to
return EUNATCH, but the code catching in tmpfiles wasn't adjusted.
Instead of translating errors at various levels, let the "original" errno value
(whatever was returned by the low-level reading function) propagate all the way
to the logging function, and only check which errnos to suppress there. This
makes it easier to follow the flow of data through all the layers. Also, we
don't need to provide wrapper functions for each place where we want to do the
supression.
The common set of errnos that have similar meaning are are caught using
ERRNO_IS_NOINFO(). It is more managable to use a wider net than to figure out
which errors could be returned in specific cases.
|
|
|
|
| |
Follow-up for 27f6aa0b7112024c1236957abd909071b06869a8.
|
| |
|
|
|
|
|
| |
Let's ensure it also operates based on O_PATH, like fifo/device node/…
creation.
|
|
|
|
|
|
| |
let's make things a bit less racy: whenever we create an inode,
immediately open it via O_PATH, compare type and continue operations
with the acquired fd.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
In some cases it is useful to specify the access mode/uid/gid for inodes
we create without also enforcing them on existing inodes. Let's add a
new flag for that: if the uid/gid/mode specificaitons are prefixed with
":", then they only apply to creation, not otherwise.
This is specifically useful for provisioning SSH keys later. Those we'd
like to provision like this:
<snip>
d /root :0700 root root -
d /root/.ssh :0700 root root -
f^ /root/.ssh/authorized_keys - - - - ssh.authorized_keys
</snip>
While /root/ + /root/.ssh/ being owned by root is pretty uncontroversial
the access mode of /root/ and /root/.ssh/ might not be. Hence we should
only have a default mode defined that is used when we create the dir,
but not otherwise.
|
|
|
|
|
|
|
| |
For some purposes we had CreationMode which indicates whether an inode
was created by us, or is pre-existing. Let's generalize that for *all*
operations. This is later useful to conditionalize certain operations on
that (and makes the codebase more systematic)
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
We have free_and_replace() and friends, they are all named with lower
letters, even they are macros, not functions.
For consistency, let's rename CLOSE_AND_REPLACE() with lower letters.
This also mekes the macro used more places.
|
| |
|
| |
|
| |
|
|
|
|
|
|
|
|
| |
We need to normalize/validate the path (i.e. first column) of
tmpfiles.d/ lines before we start using the path, otherwise we'll use it
before it's known to be good. This matters since for some line types the
path is mangled into the argument column (i.e. sevents column), and we
should only do that once we know it's in a good state.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
I don't see where it would ever be a good thing that file copies done
via tmpfiles.d/ C lines cause the tmpfiles operation to fail if their
source happens to be missing. It's a problem if we can't set up the
destination properly (which is the job of systemd-tmpfiles after all),
but if the source is simply missing (NB: setting up the source is the job of
of the rules writer) this shouldn't be a problem.
This is useful for copying stuff into place if it happens to exist. For
example, if systemd-stub passes additional data into the initrd's
/.extra/ directory, we can copy it into a better place (e.g. /run/) with
this, where it will survive the initrd→host transition.
This mirrors behaviour of the recently added "^" line modifier which may
be used source "w" lines from credentials – there two the behaviour is
to simply skip the line if the source is missing.
|
| |
|
| |
|
| |
|