path: root/src
Commit message | Author | Age | Files | Lines (-removed/+added)
* Merge pull request #7816 from poettering/chase-pid | Zbigniew Jędrzejewski-Szmek | 2018-01-15 | 10 | -88/+324
  Make MAINPID= and PIDFile= handling more restrictive (and other stuff)
  * cocci: there's not ENOTSUP, there's only EOPNOTSUPP | Lennart Poettering | 2018-01-11 | 1 | -2/+2
    On Linux the former is a compat alias to the latter, and that's really weird, as inside the kernel the two are distinct. Which means we really should stay away from it.
  * ethtool-util: don't pass fds as pointers if we don't have to | Lennart Poettering | 2018-01-11 | 1 | -17/+18
    Passing them as pointers is just weird, hence don't do it.
  * ethtool-util: fix weird whitespace | Lennart Poettering | 2018-01-11 | 1 | -3/+1
  * ethtool-util: order includes properly | Lennart Poettering | 2018-01-11 | 1 | -2/+2
  * ethtool-util: no need for memcpy() where normal assignment works too | Lennart Poettering | 2018-01-11 | 1 | -2/+2
  * core: be stricter when handling PID files and MAINPID sd_notify() messages | Lennart Poettering | 2018-01-11 | 3 | -39/+117
    Let's be more restrictive when validating PID files and MAINPID= messages: don't accept PIDs that make no sense, and if the configuration source is not trusted, don't accept out-of-cgroup PIDs. A configuration source is considered trusted when the PID file is owned by root, or the message was received from root.

    This should lock things down a bit, in case service authors write out PID files from unprivileged code or use NotifyAccess=all with unprivileged code. Note that doing so was always problematic, just now it's a bit less problematic.

    When we open the PID file we'll now use the CHASE_SAFE chase_symlinks() logic, to ensure that we won't follow an unprivileged-owned symlink to a privileged-owned file thinking this was a valid privileged PID file, even though it really isn't.

    Fixes: #6632
  * notify: add new --uid= command | Lennart Poettering | 2018-01-11 | 1 | -2/+36
    The new --uid= switch allows selecting the UID from which the notification messages shall originate. This is primarily useful for testing purposes, but might have other uses.
  * sd-daemon: also send ucred when our UID differs from EUID | Lennart Poettering | 2018-01-11 | 1 | -10/+19
    Let's be explicit, and always send the messages from our UID and never our EUID. Previously this behaviour was conditionalized only on whether the PID was specified, which made this non-obvious.
  * manager: make use of pid_is_valid() where appropriate | Lennart Poettering | 2018-01-11 | 1 | -1/+1
  * manager: make use of NEWLINE macro where appropriate | Lennart Poettering | 2018-01-11 | 1 | -1/+1
  * dbus-util: properly parse timeout values | Lennart Poettering | 2018-01-11 | 1 | -3/+3
    This makes transient TimeoutStopSec= properties work. After all they are 64bit entities, not 32bit ones.
  * manager: swap order in which we ellipsize/escape sd_notify() messages for debugging | Lennart Poettering | 2018-01-11 | 1 | -2/+3
    If we have to choose between truncated escape sequences and strings exploded to 4 times the desired length by fully escaping, prefer the latter. It's for debug only, hence doesn't really matter much.
  * fs-util: add new chase_symlinks() flag CHASE_OPEN | Lennart Poettering | 2018-01-11 | 3 | -1/+45
    The new flag returns the O_PATH fd of the final component, which may be converted into a proper fd by open()ing it again through the /proc/self/fd/xyz path. Together with O_SAFE this provides us with a somewhat safe way to open() files in directories potentially owned by unprivileged code, where we want to refuse operation if any symlink tricks are played pointing to privileged files.
  * fs-util: add new CHASE_SAFE flag to chase_symlinks() | Lennart Poettering | 2018-01-11 | 3 | -3/+74
    When the flag is specified we won't transition to a privilege-owned file or directory from an unprivileged-owned one. This is useful when privileged code wants to load data from a file unprivileged users have write access to, and validates the ownership, but wants to make sure that no symlink games are played to read a root-owned system file belonging to a different context.
* Merge pull request #7855 from poettering/log-h-includes | Zbigniew Jędrzejewski-Szmek | 2018-01-15 | 87 | -240/+171
  log.h #include cleanups
  * unit: log when we cannot add a watch on a specific PID | Lennart Poettering | 2018-01-11 | 1 | -1/+3
  * log: assign the realm to a variable first in log_full_errno_realm() | Lennart Poettering | 2018-01-11 | 1 | -3/+3
    Let's avoid duplicate evaluation (which might have side-effects) and assign the realm to an internal variable first, as we need it twice.
  * log: rework log_syntax_invalid_utf8() a bit | Lennart Poettering | 2018-01-11 | 2 | -6/+35
    The macro used utf8.h functions without including that. Let's clean this up, by moving that code inside of log.c. Let's also make the call return -EINVAL in all cases. This is in line with log_oom() which also returns a well-defined error code even though it doesn't take one.
  * log: minor modernizations to log_received_signal() | Lennart Poettering | 2018-01-11 | 1 | -2/+4
  * tty-ask-password-agent: add (void) cast to mkdir/mkfifo calls we knowingly ignore | Lennart Poettering | 2018-01-11 | 1 | -2/+2
  * log: minimize includes in log.h | Lennart Poettering | 2018-01-11 | 82 | -22/+124
    log.h really should only include the bare minimum of other headers, as it is really pulled into pretty much everything else and already in itself one of the most basic pieces of code we have. Let's hence drop inclusion of:

    1. sd-id128.h because it's entirely unneeded in current log.h
    2. errno.h, ditto.
    3. sys/signalfd.h which we can replace by a simple struct forward declaration
    4. process-util.h which was needed for getpid_cached() which we now hide in a function log_emergency_level() instead, which nicely abstracts the details away.
    5. sys/socket.h which was needed for struct iovec, but a simple struct forward declaration suffices for that too.

    Ultimately this actually makes our source tree larger (since users of the functionality above must now include it themselves, log.h won't do that for them), but I think it helps to untangle our web of includes a tiny bit.

    (Background: I'd like to isolate the generic bits of src/basic/ enough so that we can do a git submodule import into casync for it)
  * sd-bus: drop bloom stuff, it's not needed anymore since kdbus is gone | Lennart Poettering | 2018-01-11 | 4 | -204/+0
* core: prevent spurious retries of umount | Alan Jenkins | 2018-01-13 | 1 | -2/+2
  Testing the previous commit with `systemctl stop tmp.mount` logged the reason for failure as expected, but unexpectedly the message was repeated 32 times.

  The retry is a special case for umount; it is only supposed to cover the case where the umount command was _successful_, but there was still some remaining mount(s) underneath. Fix it by making sure to test the first condition :).

  Re-tested with and without a preceding `mount --bind /mnt /tmp`, and using `findmnt` to check the end result.
* core: fix output (logging) for mount units (#7603) | Alan Jenkins | 2018-01-13 | 1 | -0/+4
  Documentation - systemd.exec - strongly implies mount units get logging.

  It is safe for mounts to depend on systemd-journald.socket. There is no cyclic dependency generated. This is because the root, -.mount, was already deliberately set to EXEC_OUTPUT_NULL. See comment in mount_load_root_mount(). And /run is excluded from being a mount unit. Nor does systemd-journald depend on /var. It starts earlier, initially logging to /run.

  Tested before/after using `systemctl stop tmp.mount`.
* dbus-execute: define bus_set_transient_errno() only if HAVE_SECCOMP (#7869) | 0xAX | 2018-01-13 | 1 | -0/+2
  Otherwise we will get a warning during build:

    ../src/core/dbus-util.h:55:13: warning: ‘bus_set_transient_errno’ defined but not used [-Wunused-function]
     int bus_set_transient_##function(
* process-util: make our freeze() routine do something useful | Michal Sekletar | 2018-01-12 | 1 | -0/+11
  When we crash we freeze() ourselves (or possibly we reboot the machine if that is configured). However, calling pause() is a very unhelpful thing to do. We should at least continue to do what init systems have been doing since the 70s and that is reaping zombies. Otherwise zombies start to accumulate on the system which is a very bad thing, as that can prevent the admin from taking manual steps to reboot the machine in a somewhat graceful manner (e.g. manually stopping services, unmounting data volumes and calling reboot -f).

  Fixes #7783
* Comment the fact that some tools need to terminate their bus connection first | Franck Bui | 2018-01-12 | 6 | -2/+12
* mount: make sure we terminate the bus connection first, and then close the pager | Franck Bui | 2018-01-12 | 1 | -1/+1
  See cf647b69baee4c478d3909c327e3d917e1563f44 commit message for details.
* Revert "tree-wide: use _cleanup_(sd_bus_flush_close_unrefp) at various appropriate places" | Franck Bui | 2018-01-12 | 6 | -5/+13
  This reverts commit 0b3c84eb7da3a8c28ac248a68228f6a7edbb2e19.

  The removal of _cleanup_() usages was done on purpose, see cf647b69baee4c478d3909c327e3d917e1563f44.

  Fixes: #3543
* support LZMA concatenated files | Matthew Thode | 2018-01-11 | 1 | -1/+1
  The xz format supports concatenated files, images are sometimes created and shipped with it to increase compression.

  https://bugs.launchpad.net/ubuntu/+source/systemd/+bug/1742744 is the source bug for this issue.
* Merge pull request #7851 from msekletar/dbus-error-logging | Lennart Poettering | 2018-01-11 | 1 | -29/+17
  dbus: propagate errors from bus_init_system() and bus_init_api()
  * dbus: propagate errors from bus_init_system() and bus_init_api() | Michal Sekletar | 2018-01-11 | 1 | -29/+17
    The aim of this change is to make sure that we properly log about all D-Bus connection problems. After all, we only ever attempt to get on the bus if dbus-daemon is around, so any failure in the process should be treated as an error.

    bus_init_system() is only called from bus_init() and in bus_init() we have a bool flag which governs whether we should attempt to connect to the system bus or not. Hence if we are in bus_init_system() then it is clear we got called from a context where connection to the bus is actually required and therefore shouldn't be treated as the "best effort" type of operation. Same applies to bus_init_api().

    We make use of those error codes in bus_init() and log a high-level message that informs the admin about what is going on (and is easy to spot and makes sense to an end user).

    Also, the "retrying later" bit is actually a lie. We won't retry unless we are explicitly told to reconnect via SIGUSR1 or re-executed. This is because bus_init() is always called from the context where dbus-daemon is already around and hence bus_init() won't be called again from unit_notify().

    Fixes #7782
* bootctl: add newline after printf (#7856) | winnerman-pythian | 2018-01-11 | 1 | -1/+1
  Upon error condition, a newline is not printed, leading to the shell prompt jamming against this line.
* Merge pull request #7833 from keszybz/netdev-relaxed | Lennart Poettering | 2018-01-11 | 2 | -7/+4
  Avoid spurious warnings about unknown sections in .netdev files
  * bus-socket: slight simplification in bus_get_peercred() | Zbigniew Jędrzejewski-Szmek | 2018-01-11 | 1 | -6/+3
  * netdev: use "relaxed" parsing | Zbigniew Jędrzejewski-Szmek | 2018-01-11 | 1 | -1/+1
    We parse each netdev file twice: once to determine the type and match conditions, and then the second time properly. In bcde742e78ac3b8e8ea348cfb022c820c11800e2 the flags for the first parsing were (inadvertently I assume) changed to emit warnings. But this first pass is called with only [Match] and [NetDev] sections, so we'd get warnings about all other section types.

    The obvious solution would be to remove CONFIG_PARSE_WARN again, but I think it's better to keep the warnings and set CONFIG_PARSE_RELAXED: we do want to get warnings about malformed lines and such, and _RELAXED is enough to kill warnings about unknown sections.
* networkd: initcwn/initwnd use the right parsers | Susant Sahani | 2018-01-11 | 1 | -7/+7
  Closes #7765
* test-dnssec: Allow builds without libgcrypt (#7850) | Michal Koutný | 2018-01-11 | 1 | -0/+2
  Fixes: #7845
* tmpfiles: consider /etc uninitialized also when /etc/machine-id is present but empty (#7849) | Franck Bui | 2018-01-10 | 1 | -3/+3
* Merge pull request #7846 from poettering/nobody-getenv | Zbigniew Jędrzejewski-Szmek | 2018-01-10 | 20 | -65/+123
  some assorted fixes and additions, in particular a way to turn off "nobody" synthesizing on a specific system
  * util: minor tweaks to disable_core_dumps() | Lennart Poettering | 2018-01-10 | 5 | -8/+13
    First, let's rename it to disable_coredumps(), as in the rest of our codebase we spell it "coredump" rather than "core_dump", so let's stick to that.

    However, also log about failures to turn off core dumping on LOG_DEBUG, because debug logging is always a good idea.
  * manager: rework manager_clean_environment() | Lennart Poettering | 2018-01-10 | 1 | -12/+18
    Let's rename it manager_sanitize_environment() which is a more precise name. Moreover, sort the environment implicitly inside it, as all our callers do that anyway afterwards and we can save some code this way.

    Also, update the list of env vars to drop, i.e. the env vars we manage ourselves and don't want user code to interfere with. Also sort this list to make it easier to update later on.
  * nss-systemd,user-util: add a way how synthesizing "nobody" can be turned off | Lennart Poettering | 2018-01-10 | 3 | -10/+43
    This is quite ugly, but provides us with an avenue for moving distributions to define the "nobody" user properly without breaking legacy systems that use the name for other stuff.

    The idea is basically, that the distribution adopts the new definition of "nobody" (and thus recompiles systemd with it) and then touches /etc/systemd/dont-synthesize-nobody on legacy systems to turn off possibly conflicting synthesizing of the nobody name by systemd.
  * tmpfiles: modernize load_unix_sockets() a bit | Lennart Poettering | 2018-01-10 | 1 | -15/+30
    Let's log in case of error. Let's use read_line() instead of a fixed-size buffer. Let's make use of set_free_free()'s return value.
  * util-lib: save/restore errno in cleanup calls | Lennart Poettering | 2018-01-10 | 3 | -1/+8
    We should be careful with errno in cleanup functions, and not alter it under any circumstances. In the safe_close cleanup handlers we are already safe in that regard, but let's add similar protections on other cleanup handlers that invoke system calls.

    Why bother? Cleanup handlers insert code at function return in non-obvious ways. Hence, code that sets errno and returns should not be confused by us overriding the errno from a cleanup handler.

    This is a paranoia fix only, I am not aware where this actually mattered in real-life situations.
  * cocci: use strempty() at more places | Lennart Poettering | 2018-01-10 | 7 | -19/+11
    This shortens the code by a few lines.
* sd-netlink: let's make things compile on certain old glibc's and kernel headers again (#7848) | Lennart Poettering | 2018-01-10 | 1 | -10/+6
  Let's include netinet/in.h instead of linux/in6.h, as the former is the official libc location for these definitions, and the latter is a linux-specific version that conflicts. This hopefully makes systemd compile on current Semaphore again.

  This takes e410b07d2aa64a653bc0e93b77856af41297b84d into consideration, but makes us use glibc rather than kernel headers.

  While we are at it, let's also sort our #include lines. Since kernel headers are notoriously crappy we won't strictly order them globally, but first include non-kernel headers in a sorted way, and then include kernel headers in a somewhat sorted way (i.e. generic stuff first and somewhat alphabetical, and specific stuff last)
* shutdown: make kill timeout configurable (#7835) | Jan Klötzke | 2018-01-10 | 4 | -11/+26
  By default systemd-shutdown will wait for 90s after SIGTERM was sent for all processes to exit. This is way too long and effectively defeats an emergency watchdog reboot via "reboot-force" actions. Instead now use DefaultTimeoutStopSec which is configurable.
* Merge pull request #7843 from hbakken/work/old-kernel-support | Lennart Poettering | 2018-01-10 | 2 | -1/+4
  Work/old kernel support