diff options
| -rw-r--r-- | DISTRO_PORTING | 1 | ||||
| -rw-r--r-- | hwdb/60-evdev.hwdb | 2 | ||||
| -rw-r--r-- | po/hu.po | 110 | ||||
| -rw-r--r-- | src/core/execute.c | 38 | ||||
| -rw-r--r-- | src/core/main.c | 6 | ||||
| -rw-r--r-- | src/core/selinux-access.h | 2 | ||||
| -rw-r--r-- | src/core/unit.h | 2 | ||||
| -rw-r--r-- | src/journal/journald-server.c | 15 | ||||
| -rw-r--r-- | src/network/networkd-link.h | 2 | ||||
| -rw-r--r-- | src/network/networkd-netdev.h | 2 | ||||
| -rw-r--r-- | src/nspawn/nspawn.c | 44 | ||||
| -rw-r--r-- | src/run/run.c | 8 | ||||
| -rw-r--r-- | src/shared/seccomp-util.c | 10 | ||||
| -rw-r--r-- | src/shared/seccomp-util.h | 2 | ||||
| -rw-r--r-- | src/test/test-execute.c | 11 | ||||
| -rw-r--r-- | src/udev/udevd.c | 16 | ||||
| -rw-r--r-- | units/systemd-udevd-control.socket | 1 |
17 files changed, 182 insertions, 90 deletions
diff --git a/DISTRO_PORTING b/DISTRO_PORTING index 07aea865be..a397d700c6 100644 --- a/DISTRO_PORTING +++ b/DISTRO_PORTING @@ -15,6 +15,7 @@ HOWTO: --with-kbd-setfont= --with-tty-gid= --with-ntp-servers= + --with-support-url= 2) Try it out. Play around (as an ordinary user) with '/usr/lib/systemd/systemd --test --system' for a test run diff --git a/hwdb/60-evdev.hwdb b/hwdb/60-evdev.hwdb index 1606c66bbe..a5eba52224 100644 --- a/hwdb/60-evdev.hwdb +++ b/hwdb/60-evdev.hwdb @@ -45,6 +45,8 @@ # Macbook2,1 (late 2006), single-button touchpad evdev:input:b0003v05ACp021B* +# Macbook4,1 +evdev:input:b0003v05ACp0229* EVDEV_ABS_00=256:1471:12 EVDEV_ABS_01=256:831:12 @@ -3,20 +3,21 @@ # This file is distributed under the same license as the systemd package. # # Gabor Kelemen <kelemeng at gnome dot hu>, 2015, 2016. +# Balázs Úr <urbalazs at gmail dot com>, 2016. msgid "" msgstr "" "Project-Id-Version: systemd master\n" -"Report-Msgid-Bugs-To: \n" -"POT-Creation-Date: 2016-01-02 13:41+0100\n" -"PO-Revision-Date: 2016-01-02 13:45+0100\n" -"Last-Translator: Gabor Kelemen <kelemeng at ubuntu dot com>\n" +"Report-Msgid-Bugs-To: https://github.com/systemd/systemd/issues\n" +"POT-Creation-Date: 2016-04-24 12:53+0000\n" +"PO-Revision-Date: 2016-08-23 18:03+0100\n" +"Last-Translator: Balázs Úr <urbalazs@gmail.com>\n" "Language-Team: Hungarian <openscope at googlegroups dot com>\n" "Language: hu\n" "MIME-Version: 1.0\n" "Content-Type: text/plain; charset=UTF-8\n" "Content-Transfer-Encoding: 8bit\n" "Plural-Forms: nplurals=2; plural=(n != 1);\n" -"X-Generator: Lokalize 1.5\n" +"X-Generator: Lokalize 2.0\n" #: ../src/core/org.freedesktop.systemd1.policy.in.in.h:1 msgid "Send passphrase back to system" @@ -241,50 +242,60 @@ msgstr "" "kezelésének meggátlásához." #: ../src/login/org.freedesktop.login1.policy.in.h:19 +msgid "Allow non-logged-in user to run programs" +msgstr "Programfuttatás engedélyezése be nem jelentkezett felhasználó számára" + +#: ../src/login/org.freedesktop.login1.policy.in.h:20 +msgid "Explicit request is required to run programs as a non-logged-in user." +msgstr "" +"Határozott kérés szükséges a programfuttatáshoz be nem jelentkezett " +"felhasználóként." + +#: ../src/login/org.freedesktop.login1.policy.in.h:21 msgid "Allow non-logged-in users to run programs" msgstr "Programfuttatás engedélyezése be nem jelentkezett felhasználók számára" -#: ../src/login/org.freedesktop.login1.policy.in.h:20 +#: ../src/login/org.freedesktop.login1.policy.in.h:22 msgid "Authentication is required to run programs as a non-logged-in user." msgstr "" "Hitelesítés szükséges a programfuttatáshoz be nem jelentkezett " "felhasználóként." -#: ../src/login/org.freedesktop.login1.policy.in.h:21 +#: ../src/login/org.freedesktop.login1.policy.in.h:23 msgid "Allow attaching devices to seats" msgstr "Eszközök csatolásának engedélyezése munkaállomásokhoz" -#: ../src/login/org.freedesktop.login1.policy.in.h:22 +#: ../src/login/org.freedesktop.login1.policy.in.h:24 msgid "Authentication is required for attaching a device to a seat." msgstr "" "Hitelesítés szükséges eszköz csatolásának engedélyezéséhez egy " "munkaállomáshoz" -#: ../src/login/org.freedesktop.login1.policy.in.h:23 +#: ../src/login/org.freedesktop.login1.policy.in.h:25 msgid "Flush device to seat attachments" msgstr "Eszközök és munkaállomások csatolásainak törlése" -#: ../src/login/org.freedesktop.login1.policy.in.h:24 +#: ../src/login/org.freedesktop.login1.policy.in.h:26 msgid "" "Authentication is required for resetting how devices are attached to seats." msgstr "" "Hitelesítés szükséges az eszközök munkaállomásokhoz csatolásainak " "alaphelyzetbe állításához." -#: ../src/login/org.freedesktop.login1.policy.in.h:25 +#: ../src/login/org.freedesktop.login1.policy.in.h:27 msgid "Power off the system" msgstr "A rendszer kikapcsolása" -#: ../src/login/org.freedesktop.login1.policy.in.h:26 +#: ../src/login/org.freedesktop.login1.policy.in.h:28 msgid "Authentication is required for powering off the system." msgstr "Hitelesítés szükséges a rendszer kikapcsolásához." -#: ../src/login/org.freedesktop.login1.policy.in.h:27 +#: ../src/login/org.freedesktop.login1.policy.in.h:29 msgid "Power off the system while other users are logged in" msgstr "" "A rendszer kikapcsolása miközben be vannak jelentkezve más felhasználók" -#: ../src/login/org.freedesktop.login1.policy.in.h:28 +#: ../src/login/org.freedesktop.login1.policy.in.h:30 msgid "" "Authentication is required for powering off the system while other users are " "logged in." @@ -292,12 +303,12 @@ msgstr "" "Hitelesítés szükséges a rendszer kikapcsolásához miközben be vannak " "jelentkezve más felhasználók." -#: ../src/login/org.freedesktop.login1.policy.in.h:29 +#: ../src/login/org.freedesktop.login1.policy.in.h:31 msgid "Power off the system while an application asked to inhibit it" msgstr "" "A rendszer kikapcsolása miközben egy alkalmazás ennek meggátlását kérte" -#: ../src/login/org.freedesktop.login1.policy.in.h:30 +#: ../src/login/org.freedesktop.login1.policy.in.h:32 msgid "" "Authentication is required for powering off the system while an application " "asked to inhibit it." @@ -305,19 +316,19 @@ msgstr "" "Hitelesítés szükséges a rendszer kikapcsolásához miközben egy alkalmazás " "ennek meggátlását kérte." -#: ../src/login/org.freedesktop.login1.policy.in.h:31 +#: ../src/login/org.freedesktop.login1.policy.in.h:33 msgid "Reboot the system" msgstr "A rendszer újraindítása" -#: ../src/login/org.freedesktop.login1.policy.in.h:32 +#: ../src/login/org.freedesktop.login1.policy.in.h:34 msgid "Authentication is required for rebooting the system." msgstr "Hitelesítés szükséges a rendszer újraindításához." -#: ../src/login/org.freedesktop.login1.policy.in.h:33 +#: ../src/login/org.freedesktop.login1.policy.in.h:35 msgid "Reboot the system while other users are logged in" msgstr "A rendszer újraindítása mialatt be vannak jelentkezve más felhasználók" -#: ../src/login/org.freedesktop.login1.policy.in.h:34 +#: ../src/login/org.freedesktop.login1.policy.in.h:36 msgid "" "Authentication is required for rebooting the system while other users are " "logged in." @@ -325,12 +336,12 @@ msgstr "" "Hitelesítés szükséges a rendszer újraindításához miközben be vannak " "jelentkezve más felhasználók." -#: ../src/login/org.freedesktop.login1.policy.in.h:35 +#: ../src/login/org.freedesktop.login1.policy.in.h:37 msgid "Reboot the system while an application asked to inhibit it" msgstr "" "A rendszer újraindítása miközben egy alkalmazás ennek meggátlását kérte" -#: ../src/login/org.freedesktop.login1.policy.in.h:36 +#: ../src/login/org.freedesktop.login1.policy.in.h:38 msgid "" "Authentication is required for rebooting the system while an application " "asked to inhibit it." @@ -338,20 +349,20 @@ msgstr "" "Hitelesítés szükséges a rendszer újraindításához miközben egy alkalmazás " "ennek meggátlását kérte." -#: ../src/login/org.freedesktop.login1.policy.in.h:37 +#: ../src/login/org.freedesktop.login1.policy.in.h:39 msgid "Suspend the system" msgstr "A rendszer felfüggesztése" -#: ../src/login/org.freedesktop.login1.policy.in.h:38 +#: ../src/login/org.freedesktop.login1.policy.in.h:40 msgid "Authentication is required for suspending the system." msgstr "Hitelesítés szükséges a rendszer felfüggesztéséhez." -#: ../src/login/org.freedesktop.login1.policy.in.h:39 +#: ../src/login/org.freedesktop.login1.policy.in.h:41 msgid "Suspend the system while other users are logged in" msgstr "" "A rendszer felfüggesztése mialatt be vannak jelentkezve más felhasználók" -#: ../src/login/org.freedesktop.login1.policy.in.h:40 +#: ../src/login/org.freedesktop.login1.policy.in.h:42 msgid "" "Authentication is required for suspending the system while other users are " "logged in." @@ -359,12 +370,12 @@ msgstr "" "Hitelesítés szükséges a rendszer felfüggesztéséhez miközben be vannak " "jelentkezve más felhasználók." -#: ../src/login/org.freedesktop.login1.policy.in.h:41 +#: ../src/login/org.freedesktop.login1.policy.in.h:43 msgid "Suspend the system while an application asked to inhibit it" msgstr "" "A rendszer felfüggesztése miközben egy alkalmazás ennek meggátlását kérte" -#: ../src/login/org.freedesktop.login1.policy.in.h:42 +#: ../src/login/org.freedesktop.login1.policy.in.h:44 msgid "" "Authentication is required for suspending the system while an application " "asked to inhibit it." @@ -372,19 +383,19 @@ msgstr "" "Hitelesítés szükséges a rendszer felfüggesztéséhez miközben egy alkalmazás " "ennek meggátlását kérte." -#: ../src/login/org.freedesktop.login1.policy.in.h:43 +#: ../src/login/org.freedesktop.login1.policy.in.h:45 msgid "Hibernate the system" msgstr "A rendszer hibernálása" -#: ../src/login/org.freedesktop.login1.policy.in.h:44 +#: ../src/login/org.freedesktop.login1.policy.in.h:46 msgid "Authentication is required for hibernating the system." msgstr "Hitelesítés szükséges a rendszer hibernálásához." -#: ../src/login/org.freedesktop.login1.policy.in.h:45 +#: ../src/login/org.freedesktop.login1.policy.in.h:47 msgid "Hibernate the system while other users are logged in" msgstr "A rendszer hibernálása mialatt be vannak jelentkezve más felhasználók" -#: ../src/login/org.freedesktop.login1.policy.in.h:46 +#: ../src/login/org.freedesktop.login1.policy.in.h:48 msgid "" "Authentication is required for hibernating the system while other users are " "logged in." @@ -392,11 +403,11 @@ msgstr "" "Hitelesítés szükséges a rendszer hibernálásához miközben be vannak " "jelentkezve más felhasználók." -#: ../src/login/org.freedesktop.login1.policy.in.h:47 +#: ../src/login/org.freedesktop.login1.policy.in.h:49 msgid "Hibernate the system while an application asked to inhibit it" msgstr "A rendszer hibernálása miközben egy alkalmazás ennek meggátlását kérte" -#: ../src/login/org.freedesktop.login1.policy.in.h:48 +#: ../src/login/org.freedesktop.login1.policy.in.h:50 msgid "" "Authentication is required for hibernating the system while an application " "asked to inhibit it." @@ -404,31 +415,31 @@ msgstr "" "Hitelesítés szükséges a rendszer hibernálásához miközben egy alkalmazás " "ennek meggátlását kérte." -#: ../src/login/org.freedesktop.login1.policy.in.h:49 +#: ../src/login/org.freedesktop.login1.policy.in.h:51 msgid "Manage active sessions, users and seats" msgstr "Aktív munkamenetek, felhasználók és munkaállomások kezelése" -#: ../src/login/org.freedesktop.login1.policy.in.h:50 +#: ../src/login/org.freedesktop.login1.policy.in.h:52 msgid "" "Authentication is required for managing active sessions, users and seats." msgstr "" "Hitelesítés szükséges az aktív munkamenetek, felhasználók és munkaállomások " "kezeléséhez." -#: ../src/login/org.freedesktop.login1.policy.in.h:51 +#: ../src/login/org.freedesktop.login1.policy.in.h:53 msgid "Lock or unlock active sessions" msgstr "Aktív munkamenetek zárolása vagy feloldása" -#: ../src/login/org.freedesktop.login1.policy.in.h:52 +#: ../src/login/org.freedesktop.login1.policy.in.h:54 msgid "Authentication is required to lock or unlock active sessions." msgstr "" "Hitelesítés szükséges az aktív munkamenetek zárolásához vagy feloldásához." -#: ../src/login/org.freedesktop.login1.policy.in.h:53 +#: ../src/login/org.freedesktop.login1.policy.in.h:55 msgid "Allow indication to the firmware to boot to setup interface" msgstr "A firmware-nek jelezhető, hogy a beállítófelületet bootolja" -#: ../src/login/org.freedesktop.login1.policy.in.h:54 +#: ../src/login/org.freedesktop.login1.policy.in.h:56 msgid "" "Authentication is required to indicate to the firmware to boot to setup " "interface." @@ -436,11 +447,11 @@ msgstr "" "Hitelesítés szükséges a firmware-nek jelzéshez, hogy a beállítófelületet " "bootolja" -#: ../src/login/org.freedesktop.login1.policy.in.h:55 +#: ../src/login/org.freedesktop.login1.policy.in.h:57 msgid "Set a wall message" msgstr "Falüzenet beállítása" -#: ../src/login/org.freedesktop.login1.policy.in.h:56 +#: ../src/login/org.freedesktop.login1.policy.in.h:58 msgid "Authentication is required to set a wall message" msgstr "Hitelesítés szükséges a falüzenet beállításához" @@ -552,33 +563,34 @@ msgid "" "shall be enabled." msgstr "Hitelesítés szükséges a hálózati időszinkronizáció engedélyezéséhez." -#: ../src/core/dbus-unit.c:449 +#: ../src/core/dbus-unit.c:450 msgid "Authentication is required to start '$(unit)'." msgstr "Hitelesítés szükséges a következő elindításához: „$(unit)”." -#: ../src/core/dbus-unit.c:450 +#: ../src/core/dbus-unit.c:451 msgid "Authentication is required to stop '$(unit)'." msgstr "Hitelesítés szükséges a következő leállításához: „$(unit)”." -#: ../src/core/dbus-unit.c:451 +#: ../src/core/dbus-unit.c:452 msgid "Authentication is required to reload '$(unit)'." msgstr "Hitelesítés szükséges a következő újratöltéséhez: „$(unit)”." -#: ../src/core/dbus-unit.c:452 ../src/core/dbus-unit.c:453 +#: ../src/core/dbus-unit.c:453 ../src/core/dbus-unit.c:454 msgid "Authentication is required to restart '$(unit)'." msgstr "Hitelesítés szükséges a következő újraindításához: „$(unit)”." -#: ../src/core/dbus-unit.c:556 +#: ../src/core/dbus-unit.c:560 msgid "Authentication is required to kill '$(unit)'." msgstr "Hitelesítés szükséges a következő kilövéséhez: „$(unit)”." -#: ../src/core/dbus-unit.c:586 +#: ../src/core/dbus-unit.c:590 msgid "Authentication is required to reset the \"failed\" state of '$(unit)'." msgstr "" "Hitelesítés szükséges a következő „sikertelen” állapotának törléséhez: " "„$(unit)”." -#: ../src/core/dbus-unit.c:618 +#: ../src/core/dbus-unit.c:622 msgid "Authentication is required to set properties on '$(unit)'." msgstr "" "Hitelesítés szükséges a következő tulajdonságainak beállításához: „$(unit)”." + diff --git a/src/core/execute.c b/src/core/execute.c index 0af8eb5a02..55f15d7e49 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1074,7 +1074,17 @@ static void rename_process_from_path(const char *path) { #ifdef HAVE_SECCOMP -static int apply_seccomp(const ExecContext *c) { +static bool skip_seccomp_unavailable(const Unit* u, const char* msg) { + if (!is_seccomp_available()) { + log_open(); + log_unit_debug(u, "SECCOMP not detected in the kernel, skipping %s", msg); + log_close(); + return true; + } + return false; +} + +static int apply_seccomp(const Unit* u, const ExecContext *c) { uint32_t negative_action, action; scmp_filter_ctx *seccomp; Iterator i; @@ -1083,6 +1093,9 @@ static int apply_seccomp(const ExecContext *c) { assert(c); + if (skip_seccomp_unavailable(u, "syscall filtering")) + return 0; + negative_action = c->syscall_errno == 0 ? SCMP_ACT_KILL : SCMP_ACT_ERRNO(c->syscall_errno); seccomp = seccomp_init(c->syscall_whitelist ? negative_action : SCMP_ACT_ALLOW); @@ -1123,13 +1136,16 @@ finish: return r; } -static int apply_address_families(const ExecContext *c) { +static int apply_address_families(const Unit* u, const ExecContext *c) { scmp_filter_ctx *seccomp; Iterator i; int r; assert(c); + if (skip_seccomp_unavailable(u, "RestrictAddressFamilies=")) + return 0; + seccomp = seccomp_init(SCMP_ACT_ALLOW); if (!seccomp) return -ENOMEM; @@ -1244,12 +1260,15 @@ finish: return r; } -static int apply_memory_deny_write_execute(const ExecContext *c) { +static int apply_memory_deny_write_execute(const Unit* u, const ExecContext *c) { scmp_filter_ctx *seccomp; int r; assert(c); + if (skip_seccomp_unavailable(u, "MemoryDenyWriteExecute=")) + return 0; + seccomp = seccomp_init(SCMP_ACT_ALLOW); if (!seccomp) return -ENOMEM; @@ -1283,7 +1302,7 @@ finish: return r; } -static int apply_restrict_realtime(const ExecContext *c) { +static int apply_restrict_realtime(const Unit* u, const ExecContext *c) { static const int permitted_policies[] = { SCHED_OTHER, SCHED_BATCH, @@ -1296,6 +1315,9 @@ static int apply_restrict_realtime(const ExecContext *c) { assert(c); + if (skip_seccomp_unavailable(u, "RestrictRealtime=")) + return 0; + seccomp = seccomp_init(SCMP_ACT_ALLOW); if (!seccomp) return -ENOMEM; @@ -2403,7 +2425,7 @@ static int exec_child( #ifdef HAVE_SECCOMP if (use_address_families) { - r = apply_address_families(context); + r = apply_address_families(unit, context); if (r < 0) { *exit_status = EXIT_ADDRESS_FAMILIES; return r; @@ -2411,7 +2433,7 @@ static int exec_child( } if (context->memory_deny_write_execute) { - r = apply_memory_deny_write_execute(context); + r = apply_memory_deny_write_execute(unit, context); if (r < 0) { *exit_status = EXIT_SECCOMP; return r; @@ -2419,7 +2441,7 @@ static int exec_child( } if (context->restrict_realtime) { - r = apply_restrict_realtime(context); + r = apply_restrict_realtime(unit, context); if (r < 0) { *exit_status = EXIT_SECCOMP; return r; @@ -2427,7 +2449,7 @@ static int exec_child( } if (use_syscall_filter) { - r = apply_seccomp(context); + r = apply_seccomp(unit, context); if (r < 0) { *exit_status = EXIT_SECCOMP; return r; diff --git a/src/core/main.c b/src/core/main.c index 125cfb28f0..7d8322ebd8 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -72,6 +72,9 @@ #include "process-util.h" #include "raw-clone.h" #include "rlimit-util.h" +#ifdef HAVE_SECCOMP +#include "seccomp-util.h" +#endif #include "selinux-setup.h" #include "selinux-util.h" #include "signal-util.h" @@ -1186,6 +1189,9 @@ static int enforce_syscall_archs(Set *archs) { void *id; int r; + if (!is_seccomp_available()) + return 0; + seccomp = seccomp_init(SCMP_ACT_ALLOW); if (!seccomp) return log_oom(); diff --git a/src/core/selinux-access.h b/src/core/selinux-access.h index 8f1f058a32..f46370d020 100644 --- a/src/core/selinux-access.h +++ b/src/core/selinux-access.h @@ -33,7 +33,7 @@ int mac_selinux_generic_access_check(sd_bus_message *message, const char *path, #define mac_selinux_unit_access_check(unit, message, permission, error) \ ({ \ - Unit *_unit = (unit); \ + const Unit *_unit = (unit); \ mac_selinux_generic_access_check((message), _unit->source_path ?: _unit->fragment_path, (permission), (error)); \ }) diff --git a/src/core/unit.h b/src/core/unit.h index 31f0fef87b..3584c16d8c 100644 --- a/src/core/unit.h +++ b/src/core/unit.h @@ -647,7 +647,7 @@ void unit_notify_user_lookup(Unit *u, uid_t uid, gid_t gid); #define log_unit_full(unit, level, error, ...) \ ({ \ - Unit *_u = (unit); \ + const Unit *_u = (unit); \ _u ? log_object_internal(level, error, __FILE__, __LINE__, __func__, _u->manager->unit_log_field, _u->id, ##__VA_ARGS__) : \ log_internal(level, error, __FILE__, __LINE__, __func__, ##__VA_ARGS__); \ }) diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c index 2a043a95b1..ca47d64fe0 100644 --- a/src/journal/journald-server.c +++ b/src/journal/journald-server.c @@ -268,13 +268,14 @@ static int open_journal( } static int system_journal_open(Server *s, bool flush_requested) { + bool flushed = false; const char *fn; int r = 0; if (!s->system_journal && (s->storage == STORAGE_PERSISTENT || s->storage == STORAGE_AUTO) && (flush_requested - || access("/run/systemd/journal/flushed", F_OK) >= 0)) { + || (flushed = (access("/run/systemd/journal/flushed", F_OK) >= 0)))) { /* If in auto mode: first try to create the machine * path, but not the prefix. @@ -299,6 +300,16 @@ static int system_journal_open(Server *s, bool flush_requested) { r = 0; } + + /* If the runtime journal is open, and we're post-flush, we're + * recovering from a failed system journal rotate (ENOSPC) + * for which the runtime journal was reopened. + * + * Perform an implicit flush to var, leaving the runtime + * journal closed, now that the system journal is back. + */ + if (s->runtime_journal && flushed) + (void) server_flush_to_var(s); } if (!s->runtime_journal && @@ -1294,7 +1305,7 @@ static int dispatch_sigusr1(sd_event_source *es, const struct signalfd_siginfo * log_info("Received request to flush runtime journal from PID " PID_FMT, si->ssi_pid); - server_flush_to_var(s); + (void) server_flush_to_var(s); server_sync(s); server_vacuum(s, false, false); diff --git a/src/network/networkd-link.h b/src/network/networkd-link.h index 2809b1fe0b..05b2a2b323 100644 --- a/src/network/networkd-link.h +++ b/src/network/networkd-link.h @@ -186,7 +186,7 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(Link*, link_unref); #define log_link_full(link, level, error, ...) \ ({ \ - Link *_l = (link); \ + const Link *_l = (link); \ _l ? log_object_internal(level, error, __FILE__, __LINE__, __func__, "INTERFACE=", _l->ifname, ##__VA_ARGS__) : \ log_internal(level, error, __FILE__, __LINE__, __func__, ##__VA_ARGS__); \ }) \ diff --git a/src/network/networkd-netdev.h b/src/network/networkd-netdev.h index b92a973b85..09863e72b4 100644 --- a/src/network/networkd-netdev.h +++ b/src/network/networkd-netdev.h @@ -180,7 +180,7 @@ const struct ConfigPerfItem* network_netdev_gperf_lookup(const char *key, unsign #define log_netdev_full(netdev, level, error, ...) \ ({ \ - NetDev *_n = (netdev); \ + const NetDev *_n = (netdev); \ _n ? log_object_internal(level, error, __FILE__, __LINE__, __func__, "INTERFACE=", _n->ifname, ##__VA_ARGS__) : \ log_internal(level, error, __FILE__, __LINE__, __func__, ##__VA_ARGS__); \ }) diff --git a/src/nspawn/nspawn.c b/src/nspawn/nspawn.c index 24d243109a..6d0420965a 100644 --- a/src/nspawn/nspawn.c +++ b/src/nspawn/nspawn.c @@ -169,7 +169,6 @@ static CustomMount *arg_custom_mounts = NULL; static unsigned arg_n_custom_mounts = 0; static char **arg_setenv = NULL; static bool arg_quiet = false; -static bool arg_share_system = false; static bool arg_register = true; static bool arg_keep_unit = false; static char **arg_network_interfaces = NULL; @@ -195,6 +194,7 @@ static char **arg_parameters = NULL; static const char *arg_container_service_name = "systemd-nspawn"; static bool arg_notify_ready = false; static bool arg_use_cgns = true; +static unsigned long arg_clone_ns_flags = CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS; static void help(void) { printf("%s [OPTIONS...] [PATH] [ARGUMENTS...]\n\n" @@ -352,6 +352,17 @@ static int detect_unified_cgroup_hierarchy(void) { return 0; } +static void parse_share_ns_env(const char *name, unsigned long ns_flag) { + int r; + + r = getenv_bool(name); + if (r == -ENXIO) + return; + if (r < 0) + log_warning_errno(r, "Failed to parse %s from environment, defaulting to false.", name); + arg_clone_ns_flags = (arg_clone_ns_flags & ~ns_flag) | (r > 0 ? 0 : ns_flag); +} + static int parse_argv(int argc, char *argv[]) { enum { @@ -824,8 +835,8 @@ static int parse_argv(int argc, char *argv[]) { case ARG_SHARE_SYSTEM: /* We don't officially support this anymore, except for compat reasons. People should use the - * $SYSTEMD_NSPAWN_SHARE_SYSTEM environment variable instead. */ - arg_share_system = true; + * $SYSTEMD_NSPAWN_SHARE_* environment variables instead. */ + arg_clone_ns_flags = 0; break; case ARG_REGISTER: @@ -1029,20 +1040,22 @@ static int parse_argv(int argc, char *argv[]) { assert_not_reached("Unhandled option"); } - if (getenv_bool("SYSTEMD_NSPAWN_SHARE_SYSTEM") > 0) - arg_share_system = true; + parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_IPC", CLONE_NEWIPC); + parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_PID", CLONE_NEWPID); + parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_NS_UTS", CLONE_NEWUTS); + parse_share_ns_env("SYSTEMD_NSPAWN_SHARE_SYSTEM", CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS); - if (arg_share_system) + if (arg_clone_ns_flags != (CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS)) { arg_register = false; + if (arg_start_mode != START_PID1) { + log_error("--boot cannot be used without namespacing."); + return -EINVAL; + } + } if (arg_userns_mode == USER_NAMESPACE_PICK) arg_userns_chown = true; - if (arg_start_mode != START_PID1 && arg_share_system) { - log_error("--boot and SYSTEMD_NSPAWN_SHARE_SYSTEM=1 may not be combined."); - return -EINVAL; - } - if (arg_keep_unit && cg_pid_get_owner_uid(0, NULL) >= 0) { log_error("--keep-unit may not be used when invoked from a user session."); return -EINVAL; @@ -1310,9 +1323,6 @@ static int setup_boot_id(const char *dest) { const char *from, *to; int r; - if (arg_share_system) - return 0; - /* Generate a new randomized boot ID, so that each boot-up of * the container gets a new one */ @@ -1530,7 +1540,7 @@ static int on_address_change(sd_netlink *rtnl, sd_netlink_message *m, void *user static int setup_hostname(void) { - if (arg_share_system) + if ((arg_clone_ns_flags & CLONE_NEWUTS) == 0) return 0; if (sethostname_idempotent(arg_machine) < 0) @@ -1681,7 +1691,7 @@ static int reset_audit_loginuid(void) { _cleanup_free_ char *p = NULL; int r; - if (arg_share_system) + if ((arg_clone_ns_flags & CLONE_NEWPID) == 0) return 0; r = read_one_line_file("/proc/self/loginuid", &p); @@ -3088,7 +3098,7 @@ static int outer_child( return fd; pid = raw_clone(SIGCHLD|CLONE_NEWNS| - (arg_share_system ? 0 : CLONE_NEWIPC|CLONE_NEWPID|CLONE_NEWUTS) | + arg_clone_ns_flags | (arg_private_network ? CLONE_NEWNET : 0) | (arg_userns_mode != USER_NAMESPACE_NO ? CLONE_NEWUSER : 0)); if (pid < 0) diff --git a/src/run/run.c b/src/run/run.c index 8db9f07158..2dd229868c 100644 --- a/src/run/run.c +++ b/src/run/run.c @@ -1361,9 +1361,11 @@ static int start_transient_timer( if (r < 0) return r; - log_info("Running timer as unit: %s", timer); - if (argv[0]) - log_info("Will run service as unit: %s", service); + if (!arg_quiet) { + log_info("Running timer as unit: %s", timer); + if (argv[0]) + log_info("Will run service as unit: %s", service); + } return 0; } diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c index b549426e2b..6c489284d1 100644 --- a/src/shared/seccomp-util.c +++ b/src/shared/seccomp-util.c @@ -21,6 +21,8 @@ #include <seccomp.h> #include <stddef.h> +#include "alloc-util.h" +#include "fileio.h" #include "macro.h" #include "seccomp-util.h" #include "string-util.h" @@ -89,6 +91,14 @@ int seccomp_add_secondary_archs(scmp_filter_ctx *c) { } +bool is_seccomp_available(void) { + _cleanup_free_ char* field = NULL; + static int cached_enabled = -1; + if (cached_enabled < 0) + cached_enabled = get_proc_field("/proc/self/status", "Seccomp", "\n", &field) == 0; + return cached_enabled; +} + const SystemCallFilterSet syscall_filter_sets[] = { { /* Clock */ diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h index be33eecb85..cca7c17912 100644 --- a/src/shared/seccomp-util.h +++ b/src/shared/seccomp-util.h @@ -27,6 +27,8 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret); int seccomp_add_secondary_archs(scmp_filter_ctx *c); +bool is_seccomp_available(void); + typedef struct SystemCallFilterSet { const char *set_name; const char *value; diff --git a/src/test/test-execute.c b/src/test/test-execute.c index 1d24115b5c..05ec1d2eb1 100644 --- a/src/test/test-execute.c +++ b/src/test/test-execute.c @@ -30,6 +30,9 @@ #include "mkdir.h" #include "path-util.h" #include "rm-rf.h" +#ifdef HAVE_SECCOMP +#include "seccomp-util.h" +#endif #include "test-helper.h" #include "unit.h" #include "util.h" @@ -132,21 +135,27 @@ static void test_exec_privatedevices(Manager *m) { static void test_exec_systemcallfilter(Manager *m) { #ifdef HAVE_SECCOMP + if (!is_seccomp_available()) + return; test(m, "exec-systemcallfilter-not-failing.service", 0, CLD_EXITED); test(m, "exec-systemcallfilter-not-failing2.service", 0, CLD_EXITED); test(m, "exec-systemcallfilter-failing.service", SIGSYS, CLD_KILLED); test(m, "exec-systemcallfilter-failing2.service", SIGSYS, CLD_KILLED); + #endif } static void test_exec_systemcallerrornumber(Manager *m) { #ifdef HAVE_SECCOMP - test(m, "exec-systemcallerrornumber.service", 1, CLD_EXITED); + if (is_seccomp_available()) + test(m, "exec-systemcallerrornumber.service", 1, CLD_EXITED); #endif } static void test_exec_systemcall_system_mode_with_user(Manager *m) { #ifdef HAVE_SECCOMP + if (!is_seccomp_available()) + return; if (getpwnam("nobody")) test(m, "exec-systemcallfilter-system-user.service", 0, CLD_EXITED); else if (getpwnam("nfsnobody")) diff --git a/src/udev/udevd.c b/src/udev/udevd.c index a893a2b3d9..19f1c29198 100644 --- a/src/udev/udevd.c +++ b/src/udev/udevd.c @@ -776,9 +776,9 @@ static void manager_reload(Manager *manager) { manager->rules = udev_rules_unref(manager->rules); udev_builtin_exit(manager->udev); - sd_notify(false, - "READY=1\n" - "STATUS=Processing..."); + sd_notifyf(false, + "READY=1\n" + "STATUS=Processing with %u children at max", arg_children_max); } static void event_queue_start(Manager *manager) { @@ -1000,6 +1000,10 @@ static int on_ctrl_msg(sd_event_source *s, int fd, uint32_t revents, void *userd if (i >= 0) { log_debug("udevd message (SET_MAX_CHILDREN) received, children_max=%i", i); arg_children_max = i; + + (void) sd_notifyf(false, + "READY=1\n" + "STATUS=Processing with %u children at max", arg_children_max); } if (udev_ctrl_get_ping(ctrl_msg) > 0) @@ -1627,9 +1631,9 @@ static int run(int fd_ctrl, int fd_uevent, const char *cgroup) { if (r < 0) log_error_errno(r, "failed to apply permissions on static device nodes: %m"); - (void) sd_notify(false, - "READY=1\n" - "STATUS=Processing..."); + (void) sd_notifyf(false, + "READY=1\n" + "STATUS=Processing with %u children at max", arg_children_max); r = sd_event_loop(manager->event); if (r < 0) { diff --git a/units/systemd-udevd-control.socket b/units/systemd-udevd-control.socket index 8330a1c035..46f704ed79 100644 --- a/units/systemd-udevd-control.socket +++ b/units/systemd-udevd-control.socket @@ -17,3 +17,4 @@ Service=systemd-udevd.service ListenSequentialPacket=/run/udev/control SocketMode=0600 PassCredentials=yes +RemoveOnStop=yes |