From 6fdabc83c227987c56de9bd80368b148fb93fa6f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 16 Nov 2021 10:25:22 +0100 Subject: analyze: fix memleak --- src/analyze/analyze.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c index 3801cf0ead..6d97e98f29 100644 --- a/src/analyze/analyze.c +++ b/src/analyze/analyze.c @@ -1800,8 +1800,8 @@ static int dump_syscall_filters(int argc, char *argv[], void *userdata) { static int load_available_kernel_filesystems(Set **ret) { _cleanup_set_free_ Set *filesystems = NULL; + _cleanup_free_ char *t = NULL; int r; - char *t; assert(ret); -- cgit v1.2.1 From ae568b15ec4abde3c71f3d1914832c4cc77672c9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 16 Nov 2021 10:32:09 +0100 Subject: basic/generate-fs-switch-case: inline comments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Let's keep the comments together with the lines they describe, this is easier to read and probably more maintainable in the long run. Also, () → {} for idiomaticity. --- src/basic/generate-filesystem-switch-case.py | 40 +++++++++++----------------- 1 file changed, 15 insertions(+), 25 deletions(-) diff --git a/src/basic/generate-filesystem-switch-case.py b/src/basic/generate-filesystem-switch-case.py index 73b1d65657..bbd09228e1 100755 --- a/src/basic/generate-filesystem-switch-case.py +++ b/src/basic/generate-filesystem-switch-case.py 
@@ -7,32 +7,22 @@ import sys def filter_fsname(name): # File system magics are sometimes not unique, because file systems got new # revisions or got renamed. Let's prefer newer over older here, and thus - # ignore the old names. Specifically: - # - # → cgroupfs took over the magic of cpuset - # → devtmpfs is not a file system of its own, but just a "named superblock" of tmpfs - # → ext4 is the newest revision of ext2 + ext3 - # → fuseblk is closely related to fuse, so close that they share a single magic, but the latter is more common - # → gfs2 is the newest revision of gfs - # → vfat is the newest revision of msdos - # → ncpfs (not ncp) was the last name of the netware `file_system_type` name before it was removed in 2018 - # → nfs4 is the newest revision of nfs - # → orangefs is the new name of pvfs2 - # → smb3 is an alias for cifs - - return name in ( - "cpuset", - "devtmpfs", - "ext2", + # ignore the old names. + + return name in { + "cpuset", # magic taken over by cgroupfs + "devtmpfs", # not a file system of its own, but just a "named superblock" of tmpfs + "ext2", # ext4 is the newest revision of ext2 + ext3 "ext3", - "fuseblk", - "gfs", - "msdos", - "ncp", - "nfs", - "pvfs2", - "smb3", - ) + "fuseblk", # closely related to fuse; they share a single magic, but the latter is more common + "gfs", # magic taken over by gfs2 + "msdos", # vfat is the newest revision of msdos + "ncp", # ncpfs (not ncp) was the last name of the netware `file_system_type` + # name before it was removed in 2018 + "nfs", # nfs4 is the newest revision of nfs + "pvfs2", # orangefs is the new name of pvfs2 + "smb3", # smb3 is an alias for cifs + } gperf_file = sys.argv[1] -- cgit v1.2.1 From 52117f5af831a816c47ceebb83c8244ee93b72fe Mon Sep 17 00:00:00 2001 
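Review bot: `"ext3"` is the only entry in the new set literal of filter_fsname() without its own inline comment; it relies on the `"ext2"` line above (`# ext4 is the newest revision of ext2 + ext3`). That coupling is easy to lose if the entries are reordered or the ext2 line is edited. Something like `"ext3",     # superseded by ext4, see ext2` would keep the one-comment-per-entry pattern this change introduces.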
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 16 Nov 2021 12:19:42 +0100 Subject: analyze: add --quiet option This is useful for shell completion, but also for users who don't care about the extra output. --- man/systemd-analyze.xml | 6 ++++++ shell-completion/bash/systemd-analyze | 2 +- shell-completion/zsh/_systemd-analyze | 1 + src/analyze/analyze.c | 36 ++++++++++++++++++++++++----------- 4 files changed, 33 insertions(+), 12 deletions(-) diff --git a/man/systemd-analyze.xml b/man/systemd-analyze.xml index 4c3b6d173b..c0b6b477d6 100644 --- a/man/systemd-analyze.xml +++ b/man/systemd-analyze.xml @@ -1197,6 +1197,12 @@ $ systemd-analyze verify /tmp/source:alias.service + + + + Suppress hints and other non-essential output. + + diff --git a/shell-completion/bash/systemd-analyze b/shell-completion/bash/systemd-analyze index 3022d4058b..1972441386 100644 --- a/shell-completion/bash/systemd-analyze +++ b/shell-completion/bash/systemd-analyze @@ -50,7 +50,7 @@ _systemd_analyze() { local -A OPTS=( [STANDALONE]='-h --help --version --system --user --global --order --require --no-pager - --man=no --generators=yes' + --man=no --generators=yes --quiet' [ARG]='-H --host -M --machine --fuzz --from-pattern --to-pattern --root' ) diff --git a/shell-completion/zsh/_systemd-analyze b/shell-completion/zsh/_systemd-analyze index 75d35e115a..892813b49e 100644 --- a/shell-completion/zsh/_systemd-analyze +++ b/shell-completion/zsh/_systemd-analyze @@ -103,4 +103,5 @@ _arguments \ '--to-pattern=[When generating a dependency graph, filter only destinations]:GLOB' \ {-H+,--host=}'[Operate on remote host]:userathost:_sd_hosts_or_user_at_host' \ {-M+,--machine=}'[Operate on local container]:machine:_sd_machines' \ + '--quiet[Do not show hints]' \ '*::systemd-analyze commands:_systemd-analyze_commands' diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c index 6d97e98f29..204193cb50 100644 --- a/src/analyze/analyze.c +++ b/src/analyze/analyze.c 
@@ -104,6 +104,7 @@ static unsigned arg_iterations = 1; static usec_t arg_base_time = USEC_INFINITY; static char *arg_unit = NULL; static JsonFormatFlags arg_json_format_flags = JSON_FORMAT_OFF; +static bool arg_quiet = false; STATIC_DESTRUCTOR_REGISTER(arg_dot_from_patterns, strv_freep); STATIC_DESTRUCTOR_REGISTER(arg_dot_to_patterns, strv_freep); @@ -1361,7 +1362,7 @@ static int dot(int argc, char *argv[], void *userdata) { " red = Conflicts\n" " green = After\n"); - if (on_tty()) + if (on_tty() && !arg_quiet) log_notice("-- You probably want to process this output with graphviz' dot tool.\n" "-- Try a shell pipeline like 'systemd-analyze dot | dot -Tsvg > systemd.svg'!\n"); @@ -1713,7 +1714,8 @@ static int dump_syscall_filters(int argc, char *argv[], void *userdata) { if (set_put_strdup(&known, sys) < 0) return log_oom(); - k = load_kernel_syscalls(&kernel); + if (!arg_quiet) + k = load_kernel_syscalls(&kernel); for (int i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) { const SyscallFilterSet *set = syscall_filter_sets + i; @@ -1727,6 +1729,9 @@ static int dump_syscall_filters(int argc, char *argv[], void *userdata) { first = false; } + if (arg_quiet) /* Let's not show the extra stuff in quiet mode */ + return 0; + if (!set_isempty(known)) { _cleanup_free_ char **l = NULL; char **syscall; @@ -1748,7 +1753,8 @@ static int dump_syscall_filters(int argc, char *argv[], void *userdata) { if (k < 0) { fputc('\n', stdout); fflush(stdout); - log_notice_errno(k, "# Not showing unlisted system calls, couldn't retrieve kernel system call list: %m"); + if (!arg_quiet) + log_notice_errno(k, "# Not showing unlisted system calls, couldn't retrieve kernel system call list: %m"); } else if (!set_isempty(kernel)) { _cleanup_free_ char **l = NULL; char **syscall; 
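Review bot: The `if (!arg_quiet)` guard added around `log_notice_errno()` in the `k < 0` branch of dump_syscall_filters() looks redundant. The previous hunk in the same function already adds `if (arg_quiet) return 0;` ahead of it, so arg_quiet should always be false by the time this line runs. This assumes both statements sit in the same branch, which the flattened hunks suggest but do not prove, and the function body starts and ends outside them. Dropping the inner guard would leave a single place that decides what quiet mode suppresses.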
@@ -1930,6 +1936,9 @@ static int dump_filesystems(int argc, char *argv[], void *userdata) { first = false; } + if (arg_quiet) /* Let's not show the extra stuff in quiet mode */ + return 0; + if (!set_isempty(known)) { _cleanup_free_ char **l = NULL; char **filesystem; @@ -2452,9 +2461,8 @@ static int help(int argc, char *argv[], void *userdata) { " unit-paths List load directories for units\n" " exit-status [STATUS...] List exit status definitions\n" " capability [CAP...] List capability definitions\n" - " syscall-filter [NAME...] Print list of syscalls in seccomp\n" - " filter\n" - " filesystems [NAME...] Print list of filesystems\n" + " syscall-filter [NAME...] List syscalls in seccomp filters\n" + " filesystems [NAME...] List known filesystems\n" " condition CONDITION... Evaluate conditions and asserts\n" " verify FILE... Check unit files for correctness\n" " calendar SPEC... Validate repetitive calendar time\n" @@ -2463,12 +2471,10 @@ static int help(int argc, char *argv[], void *userdata) { " timespan SPAN... Validate a time span\n" " security [UNIT...] Analyze security of unit\n" "\nOptions:\n" - " -h --help Show this help\n" " --recursive-errors=MODE Control which units are verified\n" " --offline=BOOL Perform a security review on unit file(s)\n" " --threshold=N Exit with a non-zero status when overall\n" " exposure level is over threshold value\n" - " --version Show package version\n" " --security-policy=PATH Use custom JSON security policy instead\n" " of built-in one\n" " --json=pretty|short|off Generate JSON output of the security\n" @@ -2491,6 +2497,9 @@ static int help(int argc, char *argv[], void *userdata) { " --iterations=N Show the specified number of iterations\n" " --base-time=TIMESTAMP Calculate calendar times relative to\n" " specified time\n" + " -h --help Show this help\n" + " --version Show package version\n" + " -q --quiet Do not emit hints\n" "\nSee the %s for details.\n", program_invocation_short_name, ansi_highlight(), 
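Review bot: The early `if (arg_quiet) return 0;` in dump_filesystems() skips the extra output, but nothing visible here skips collecting the kernel's filesystem list. The same commit does skip the equivalent work in dump_syscall_filters(), where `load_kernel_syscalls(&kernel)` is wrapped in `if (!arg_quiet)`. If dump_filesystems() loads its list earlier in the function (outside this hunk, so this is inferred), quiet mode still performs that read and silently discards any error from it. Guarding the call to `load_available_kernel_filesystems()` with `if (!arg_quiet)` would keep the two verbs consistent.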
@@ -2532,6 +2541,7 @@ static int parse_argv(int argc, char *argv[]) { static const struct option options[] = { { "help", no_argument, NULL, 'h' }, { "version", no_argument, NULL, ARG_VERSION }, + { "quiet", no_argument, NULL, 'q' }, { "order", no_argument, NULL, ARG_ORDER }, { "require", no_argument, NULL, ARG_REQUIRE }, { "root", required_argument, NULL, ARG_ROOT }, @@ -2569,6 +2579,13 @@ static int parse_argv(int argc, char *argv[]) { case 'h': return help(0, NULL, NULL); + case ARG_VERSION: + return version(); + + case 'q': + arg_quiet = true; + break; + case ARG_RECURSIVE_ERRORS: if (streq(optarg, "help")) { DUMP_STRING_TABLE(recursive_errors, RecursiveErrors, _RECURSIVE_ERRORS_MAX); @@ -2581,9 +2598,6 @@ static int parse_argv(int argc, char *argv[]) { arg_recursive_errors = r; break; - case ARG_VERSION: - return version(); - case ARG_ROOT: r = parse_path_argument(optarg, /* suppress_root= */ true, &arg_root); if (r < 0) -- cgit v1.2.1 From b11b17f40833c2910300df74ddbd2266f466ff43 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 16 Nov 2021 12:20:17 +0100 Subject: analyze: clarify return value In this case, EXIT_SUCCESS is the same as 0, but we shouldn't use it in a function that returns negative on error. --- src/analyze/analyze.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c index 204193cb50..ce6f1e395d 100644 --- a/src/analyze/analyze.c +++ b/src/analyze/analyze.c @@ -2099,7 +2099,7 @@ static int dump_timespan(int argc, char *argv[], void *userdata) { putchar('\n'); } - return EXIT_SUCCESS; + return 0; } static int test_timestamp_one(const char *p) { -- cgit v1.2.1 From 07e8bdefdbd2a0a4fe59008b286303f053ba9509 Mon Sep 17 00:00:00 2001 
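Review bot: The new `{ "quiet", no_argument, NULL, 'q' }` entry and `case 'q':` in parse_argv() make `--quiet` work, but the short form `-q` that the help text now advertises also needs `q` in the short-option string passed to getopt_long(). No hunk in this commit touches that call, which lies outside the visible lines. Unless the string already contains `q`, `-q` would be rejected as an unknown option even though `--help` lists it. Either add `q` to the optstring or drop `-q` from the help line; the bash and zsh completions in this commit list only `--quiet`.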
From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 16 Nov 2021 12:20:26 +0100 Subject: shell-completion: fix indentation --- shell-completion/zsh/_udevadm | 16 ++++++++-------- 1 file changed, 8 insertions(+), 8 deletions(-) diff --git a/shell-completion/zsh/_udevadm b/shell-completion/zsh/_udevadm index eac56c7048..14efe24808 100644 --- a/shell-completion/zsh/_udevadm +++ b/shell-completion/zsh/_udevadm @@ -103,20 +103,20 @@ _udevadm_test-builtin(){ (( $+functions[_udevadm_mounts] )) || _udevadm_mounts(){ - local dev_tmp dpath_tmp mp_tmp mline + local dev_tmp dpath_tmp mp_tmp mline tmp=( "${(@f)$(< /proc/self/mounts)}" ) dev_tmp=( "${(@)${(@)tmp%% *}:#none}" ) mp_tmp=( "${(@)${(@)tmp#* }%% *}" ) - local MATCH - mp_tmp=("${(@q)mp_tmp//(#m)\\[0-7](#c3)/${(#)$(( 8#${MATCH[2,-1]} ))}}") - dpath_tmp=( "${(@Mq)dev_tmp:#/*}" ) - dev_tmp=( "${(@q)dev_tmp:#/*}" ) + local MATCH + mp_tmp=("${(@q)mp_tmp//(#m)\\[0-7](#c3)/${(#)$(( 8#${MATCH[2,-1]} ))}}") + dpath_tmp=( "${(@Mq)dev_tmp:#/*}" ) + dev_tmp=( "${(@q)dev_tmp:#/*}" ) - _alternative \ - 'device-paths: device path:compadd -a dpath_tmp' \ - 'directories:mount point:compadd -a mp_tmp' + _alternative \ + 'device-paths: device path:compadd -a dpath_tmp' \ + 'directories:mount point:compadd -a mp_tmp' } (( $+functions[_udevadm_commands] )) || -- cgit v1.2.1 From 22375a271ed489704325e9a12fd054185fb72702 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 16 Nov 2021 12:23:11 +0100 Subject: zsh: add hints for more systemd-analyze verbs and options --- shell-completion/zsh/_systemd-analyze | 23 ++++++++++++++++++++--- 1 file changed, 20 insertions(+), 3 deletions(-) diff --git a/shell-completion/zsh/_systemd-analyze b/shell-completion/zsh/_systemd-analyze index 892813b49e..258db0340c 100644 --- a/shell-completion/zsh/_systemd-analyze +++ b/shell-completion/zsh/_systemd-analyze 
@@ -37,6 +37,20 @@ _sd_unit_files } +(( $+functions[_systemd-analyze_syscall-filter] )) || + _systemd-analyze_syscall-filter() { + local -a _groups + _groups=( $(systemd-analyze --quiet --no-pager syscall-filter | grep '^@') ) + _describe -t groups 'syscall groups' _groups || compadd "$@" + } + +(( $+functions[_systemd-analyze_filesystems] )) || + _systemd-analyze_filesystems() { + local -a _groups + _groups=( $(systemd-analyze --quiet --no-pager filesystems | grep '^@') ) + _describe -t groups 'file system groups' _groups || compadd "$@" + } + (( $+functions[_systemd-analyze_commands] )) || _systemd-analyze_commands(){ local -a _systemd_analyze_cmds @@ -52,7 +66,9 @@ 'unit-files:List files and symlinks for units' 'unit-paths:List unit load paths' 'exit-status:List known exit statuses' - 'syscall-filter:List syscalls in seccomp filter' + 'capability:List capability definitions' + 'syscall-filter:List syscalls in seccomp filters' + 'filesystems:List known filesystems' 'condition:Evaluate Condition*= and Assert*= assignments' 'verify:Check unit files for correctness' 'calendar:Validate repetitive calendar time events' 
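Review bot: Both new helpers, `_systemd-analyze_syscall-filter` and `_systemd-analyze_filesystems`, run `systemd-analyze` in a command substitution without silencing stderr. Any warning or error the tool prints, for example when it is missing or fails, lands on the terminal in the middle of a completion. `--quiet` only affects what the tool chooses to print and does not redirect error output. Consider `_groups=( $(systemd-analyze --quiet --no-pager syscall-filter 2>/dev/null | grep '^@') )`, and the same for the `filesystems` variant.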
@@ -90,12 +106,13 @@ _arguments \ '--root=[Add support for root argument]:PATH' \ '--image=[Add support for discrete images]:PATH' \ '--recursive-errors=[When verifying a unit, control dependency verification]:MODE' \ - '--offline=[Perform a security review of the specified unit file(s)]:BOOL' \ + '--offline=[Perform a security review of the specified unit files]:BOOL:(yes no)' \ '--threshold=[Set a value to compare the overall security exposure level with]: NUMBER' \ '--security-policy=[Allow user to use customized requirements to compare unit file(s) against]: PATH' \ '--json=[Generate a JSON output of the security analysis table]:MODE:(pretty short off)' \ '--no-pager[Do not pipe output into a pager]' \ - '--man=[Do (not) check for existence of man pages]:boolean:(1 0)' \ + '--man=[Do (not) check for existence of man pages]:BOOL:(yes no)' \ + '--generators=[Do (not) run unit generators]:BOOL:(yes no)' \ '--order[When generating graph for dot, show only order]' \ '--require[When generating graph for dot, show only requirement]' \ '--fuzz=[When printing the tree of the critical chain, print also services, which finished TIMESPAN earlier, than the latest in the branch]:TIMESPAN' \ -- cgit v1.2.1 From 5a87425c61d4e2e51c0abce20755462166c0479c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 16 Nov 2021 12:24:27 +0100 Subject: zsh: drop unused code The verbs were commented, so the completion functions wouldn't be invoked anyway. --- shell-completion/zsh/_systemd-analyze | 25 +------------------------ 1 file changed, 1 insertion(+), 24 deletions(-) diff --git a/shell-completion/zsh/_systemd-analyze b/shell-completion/zsh/_systemd-analyze index 258db0340c..468fd0e582 100644 --- a/shell-completion/zsh/_systemd-analyze +++ b/shell-completion/zsh/_systemd-analyze 
@@ -1,32 +1,11 @@ #compdef systemd-analyze # SPDX-License-Identifier: LGPL-2.1-or-later -(( $+functions[_systemd-analyze_log-level] )) || - _systemd-analyze_log-level() { - local -a _levels - _levels=(debug info notice warning err crit alert emerg) - _describe -t level 'logging level' _levels || compadd "$@" - } - -(( $+functions[_systemd-analyze_log-target] )) || - _systemd-analyze_log-target() { - local -a _targets - _targets=(console journal kmsg journal-or-kmsg null) - _describe -t target 'logging target' _targets || compadd "$@" - } - (( $+functions[_systemd-analyze_verify] )) || _systemd-analyze_verify() { _sd_unit_files } -(( $+functions[_systemd-analyze_service-watchdogs] )) || - _systemd-analyze_service-watchdogs() { - local -a _states - _states=(on off) - _describe -t state 'state' _states || compadd "$@" - } - (( $+functions[_systemd-analyze_cat-config] )) || _systemd-analyze_cat-config() { _files -W '(/run/systemd/ /etc/systemd/ /usr/lib/systemd/)' -P 'systemd/' @@ -75,9 +54,7 @@ 'timestamp:Parse a systemd syntax timestamp' 'timespan:Parse a systemd syntax timespan' 'security:Analyze security settings of a service' - # 'log-level:Get/set systemd log threshold' - # 'log-target:Get/set systemd log target' - # 'service-watchdogs:Get/set service watchdog status' + # log-level, log-target, service-watchdogs have been deprecated ) if (( CURRENT == 1 )); then -- cgit v1.2.1 From 30741d6cca1bc742492b4bbba1ef64d6b0e98bc3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 16 Nov 2021 12:31:57 +0100 Subject: basic: cramfs is also a read-only fs --- src/basic/mountpoint-util.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/basic/mountpoint-util.c b/src/basic/mountpoint-util.c index c813a4f56f..240df3782a 100644 --- a/src/basic/mountpoint-util.c +++ b/src/basic/mountpoint-util.c 
@@ -411,6 +411,7 @@ bool fstype_is_ro(const char *fstype) { /* All Linux file systems that are necessarily read-only */ return STR_IN_SET(fstype, "DM_verity_hash", + "cramfs", "erofs", "iso9660", "squashfs"); -- cgit v1.2.1 From fb40b13165acd795e5dd687fbc9c01623c91aa24 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 16 Nov 2021 12:32:07 +0100 Subject: basic: f2fs can do discard --- src/basic/mountpoint-util.c | 1 + 1 file changed, 1 insertion(+) diff --git a/src/basic/mountpoint-util.c b/src/basic/mountpoint-util.c index 240df3782a..82a33a6829 100644 --- a/src/basic/mountpoint-util.c +++ b/src/basic/mountpoint-util.c @@ -420,6 +420,7 @@ bool fstype_is_ro(const char *fstype) { bool fstype_can_discard(const char *fstype) { return STR_IN_SET(fstype, "btrfs", + "f2fs", "ext4", "vfat", "xfs"); -- cgit v1.2.1 From 76760f7b4fef47553107166672ccd80e34cdc45d Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Zbigniew=20J=C4=99drzejewski-Szmek?= Date: Tue, 16 Nov 2021 14:24:46 +0100 Subject: analyze: supress bogus compiler warning --- src/analyze/analyze.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c index ce6f1e395d..740faa507b 100644 --- a/src/analyze/analyze.c +++ b/src/analyze/analyze.c @@ -1708,7 +1708,7 @@ static int dump_syscall_filters(int argc, char *argv[], void *userdata) { if (strv_isempty(strv_skip(argv, 1))) { _cleanup_set_free_ Set *kernel = NULL, *known = NULL; const char *sys; - int k; + int k = 0; /* explicit initialization to appease gcc */ NULSTR_FOREACH(sys, syscall_filter_sets[SYSCALL_FILTER_SET_KNOWN].value) if (set_put_strdup(&known, sys) < 0) -- cgit v1.2.1
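Review bot: `"f2fs"` is inserted before `"ext4"` in fstype_can_discard(), which breaks the alphabetical order the list otherwise follows (`btrfs`, `ext4`, `vfat`, `xfs`). The `"cramfs"` addition to fstype_is_ro() in the previous commit does keep that order. Placing the new entry after `"ext4"`, i.e. `"ext4",` then `"f2fs",`, keeps later additions easy to diff and makes accidental duplicates easier to spot.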