Merge branch 'notsystemd/postmove' into notsystemd/master

# Conflicts:
#	src/grp-journal/libjournal-core/.gitignore
#	src/grp-system/libcore/include/core/mount.h

3 files changed, 126 insertions, 8 deletions

diff --git a/src/grp-journal/grp-remote/systemd-journal-upload/journal-upload.c b/src/grp-journal/grp-remote/systemd-journal-upload/journal-upload.c
index 52964bd03a..418ff1b16f 100644
--- a/src/grp-journal/grp-remote/systemd-journal-upload/journal-upload.c
+++ b/src/grp-journal/grp-remote/systemd-journal-upload/journal-upload.c
@@ -528,9 +528,7 @@ static int perform_upload(Uploader *u) {
                 log_debug("Upload finished successfully with code %ld: %s",
                           status, strna(u->answer));
 
-        free(u->last_cursor);
-        u->last_cursor = u->current_cursor;
-        u->current_cursor = NULL;
+        free_and_replace(u->last_cursor, u->current_cursor);
 
         return update_cursor_state(u);
 }
@@ -543,7 +541,7 @@ static int parse_config(void) {
                 { "Upload",  "TrustedCertificateFile", config_parse_path,   0, &arg_trust  },
                 {}};
 
-        return config_parse_many(PKGSYSCONFDIR "/journal-upload.conf",
+        return config_parse_many_nulstr(PKGSYSCONFDIR "/journal-upload.conf",
                                  CONF_PATHS_NULSTR("systemd/journal-upload.conf.d"),
                                  "Upload\0", config_item_table_lookup, items,
                                  false, NULL);
diff --git a/src/grp-journal/grp-remote/systemd-journal-upload/journal-upload.conf.xml b/src/grp-journal/grp-remote/systemd-journal-upload/journal-upload.conf.xml
new file mode 100644
index 0000000000..e3be62dfd1
--- /dev/null
+++ b/src/grp-journal/grp-remote/systemd-journal-upload/journal-upload.conf.xml
@@ -0,0 +1,113 @@
+<?xml version='1.0'?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+  "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<!--
+  This file is part of systemd.
+
+  Copyright 2016 Zbigniew Jędrzejewski-Szmek
+
+  systemd is free software; you can redistribute it and/or modify it
+  under the terms of the GNU Lesser General Public License as published by
+  the Free Software Foundation; either version 2.1 of the License, or
+  (at your option) any later version.
+
+  systemd is distributed in the hope that it will be useful, but
+  WITHOUT ANY WARRANTY; without even the implied warranty of
+  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+  Lesser General Public License for more details.
+
+  You should have received a copy of the GNU Lesser General Public License
+  along with systemd; If not, see <http://www.gnu.org/licenses/>.
+-->
+
+<refentry id="journal-upload.conf" conditional='HAVE_MICROHTTPD'
+          xmlns:xi="http://www.w3.org/2001/XInclude">
+  <refentryinfo>
+    <title>journal-upload.conf</title>
+    <productname>systemd</productname>
+
+    <authorgroup>
+      <author>
+        <contrib>Monkey with a keyboard</contrib>
+        <firstname>Zbigniew</firstname>
+        <surname>Jędrzejewski-Szmek</surname>
+        <email>zbyszek@in.waw.pl</email>
+      </author>
+    </authorgroup>
+  </refentryinfo>
+
+  <refmeta>
+    <refentrytitle>journal-upload.conf</refentrytitle>
+    <manvolnum>5</manvolnum>
+  </refmeta>
+
+  <refnamediv>
+    <refname>journal-upload.conf</refname>
+    <refname>journal-upload.conf.d</refname>
+    <refpurpose>Configuration files for the journal upload service</refpurpose>
+  </refnamediv>
+
+  <refsynopsisdiv>
+    <para><filename>/etc/systemd/journal-upload.conf</filename></para>
+    <para><filename>/etc/systemd/journal-upload.conf.d/*.conf</filename></para>
+    <para><filename>/run/systemd/journal-upload.conf.d/*.conf</filename></para>
+    <para><filename>/usr/lib/systemd/journal-upload.conf.d/*.conf</filename></para>
+  </refsynopsisdiv>
+
+  <refsect1>
+    <title>Description</title>
+
+    <para>These files configure various parameters of
+    <citerefentry><refentrytitle>systemd-journal-upload.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
+  </refsect1>
+
+  <xi:include href="standard-conf.xml" xpointer="main-conf" />
+
+  <refsect1>
+    <title>Options</title>
+
+    <para>All options are configured in the <literal>[Upload]</literal> section:</para>
+
+    <variablelist>
+      <varlistentry>
+        <term><varname>URL=</varname></term>
+
+        <listitem><para>The URL to upload the journal entries to. See the description
+        of <varname>--url=</varname> option in
+        <citerefentry><refentrytitle>systemd-journal-upload</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+        for the description of possible values.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>ServerKeyFile=</varname></term>
+
+        <listitem><para>SSL key in PEM format.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>ServerCertificateFile=</varname></term>
+
+        <listitem><para>SSL CA certificate in PEM format.</para></listitem>
+      </varlistentry>
+
+      <varlistentry>
+        <term><varname>TrustedCertificateFile=</varname></term>
+
+        <listitem><para>SSL CA certificate.</para></listitem>
+      </varlistentry>
+
+    </variablelist>
+
+  </refsect1>
+
+  <refsect1>
+      <title>See Also</title>
+      <para>
+        <citerefentry><refentrytitle>systemd-journal-upload</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+        <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+        <citerefentry><refentrytitle>systemd-journald.service</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+      </para>
+  </refsect1>
+
+</refentry>
diff --git a/src/grp-journal/grp-remote/systemd-journal-upload/systemd-journal-upload.service.in b/src/grp-journal/grp-remote/systemd-journal-upload/systemd-journal-upload.service.in
index 1f488ff425..d8fd243620 100644
--- a/src/grp-journal/grp-remote/systemd-journal-upload/systemd-journal-upload.service.in
+++ b/src/grp-journal/grp-remote/systemd-journal-upload/systemd-journal-upload.service.in
@@ -8,16 +8,23 @@
 [Unit]
 Description=Journal Remote Upload Service
 Documentation=man:systemd-journal-upload(8)
-After=network.target
+Wants=network-online.target
+After=network-online.target
 
 [Service]
-ExecStart=@rootlibexecdir@/systemd-journal-upload \
-          --save-state
+ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
 User=systemd-journal-upload
 SupplementaryGroups=systemd-journal
+WatchdogSec=3min
 PrivateTmp=yes
 PrivateDevices=yes
-WatchdogSec=3min
+ProtectSystem=full
+ProtectHome=yes
+ProtectControlGroups=yes
+ProtectKernelTunables=yes
+MemoryDenyWriteExecute=yes
+RestrictRealtime=yes
+RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
 
 # If there are many split up journal files we need a lot of fds to
 # access them all and combine