-rw-r--r--README4
-rw-r--r--TODO22
-rw-r--r--man/sd_notify.xml9
-rw-r--r--man/systemd-notify.xml22
-rw-r--r--man/systemd-run.xml4
-rw-r--r--man/systemd-socket-proxyd.xml6
-rw-r--r--man/systemd.exec.xml55
-rw-r--r--man/systemd.service.xml45
-rw-r--r--po/cs.po185
-rw-r--r--[-rwxr-xr-x]po/id.po0
-rw-r--r--src/shared/seccomp-util.c3
-rw-r--r--src/shared/seccomp-util.h8
-rw-r--r--src/test/test-seccomp.c16
13 files changed, 207 insertions, 172 deletions
diff --git a/README b/README
index c0d8fce550..0de69a3383 100644
--- a/README
+++ b/README
@@ -67,13 +67,13 @@ REQUIREMENTS:
create additional symlinks in /dev/disk/ and /dev/tape:
CONFIG_BLK_DEV_BSG
- Required for PrivateNetwork and PrivateDevices in service units:
+ Required for PrivateNetwork= and PrivateDevices= in service units:
CONFIG_NET_NS
CONFIG_DEVPTS_MULTIPLE_INSTANCES
Note that systemd-localed.service and other systemd units use
PrivateNetwork and PrivateDevices so this is effectively required.
- Required for PrivateUsers in service units:
+ Required for PrivateUsers= in service units:
CONFIG_USER_NS
Optional but strongly recommended:
diff --git a/TODO b/TODO
index 2004c394be..48f320093e 100644
--- a/TODO
+++ b/TODO
@@ -24,6 +24,11 @@ Janitorial Clean-ups:
Features:
+* maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for
+ the sd-journal logging socket, and, if the timeout is set to 0, sets
+ O_NONBLOCK on it. That way people can control if and when to block for
+ logging.
+
* journald: when we recv a log datagram via the native or syslog transports,
search for the PID in the active stream connections, and let's make sure to
always process the datagrams before the streams. Then, cache client metadata
@@ -35,6 +40,11 @@ Features:
partitions automatically, to be used when the media used is actually larger
than the image written onto it is.
+* Maybe add PrivatePIDs= as new unit setting, and do minimal PID namespacing
+ after all. Be strict however, only support the equivalent of nspawn's
+ --as-pid2 switch, and sanely proxy sd_notify() messages dropping stuff such
+ as MAINPID.
+
* change the dependency Set* objects in Unit structures to become Hashmap*, and
then store a bit mask who created a specific dependency: the source unit via
fragment configuration, the destination unit via fragment configuration, or
@@ -48,6 +58,15 @@ Features:
the service cgroup, which is supposed to monitor the service, and when it
exits the service is considered failed by its monitor.
+* track the per-service PAM process properly (i.e. as an additional control
+ process), so that it may be queried on the bus and everything.
+
+* add a new "debug" job mode, that is propagated to unit_start() and for
+ services results in two things: we raise SIGSTOP right before invoking
+ execve() and turn off watchdog support. Then, use that to implement
+ "systemd-gdb" for attaching to the start-up of any system service in its
+ natural habitat.
+
* replace all canonicalize_file_name() invocations by chase_symlinks(), in
particulr those where a rootdir is relevant.
@@ -55,6 +74,9 @@ Features:
* set ProtectSystem=strict for all our usual services.
+* fix PrivateNetwork= so that we fall back gracefully on kernels lacking
+ namespacing support (similar for the other namespacing options)
+
* maybe add gpt-partition-based user management: each user gets his own
LUKS-encrypted GPT partition with a new GPT type. A small nss module
enumerates users via udev partition enumeration. UIDs are assigned in a fixed
diff --git a/man/sd_notify.xml b/man/sd_notify.xml
index 6e98041912..4dcefc4baf 100644
--- a/man/sd_notify.xml
+++ b/man/sd_notify.xml
@@ -268,6 +268,15 @@
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
for details.</para>
+ <para>Note that <function>sd_notify()</function> notifications may be attributed to units correctly only if either
+ the sending process is still around at the time PID 1 processes the message, or if the sending process is
+ explicitly runtime-tracked by the service manager. The latter is the case if the service manager originally forked
+ off the process, i.e. on all processes that match <varname>NotifyAccess=</varname><option>main</option> or
+ <varname>NotifyAccess=</varname><option>exec</option>. Conversely, if an auxiliary process of the unit sends an
+ <function>sd_notify()</function> message and immediately exits, the service manager might not be able to properly
+ attribute the message to the unit, and thus will ignore it, even if
+ <varname>NotifyAccess=</varname><option>all</option> is set for it.</para>
+
<para><function>sd_notifyf()</function> is similar to
<function>sd_notify()</function> but takes a
<function>printf()</function>-like format string plus
diff --git a/man/systemd-notify.xml b/man/systemd-notify.xml
index 4a8e119eb6..8c56a6b8ed 100644
--- a/man/systemd-notify.xml
+++ b/man/systemd-notify.xml
@@ -72,10 +72,24 @@
<para>The command line may carry a list of environment variables
to send as part of the status update.</para>
- <para>Note that systemd will refuse reception of status updates
- from this command unless <varname>NotifyAccess=all</varname> is
- set for the service unit this command is called from.</para>
-
+ <para>Note that systemd will refuse reception of status updates from this command unless
+ <varname>NotifyAccess=</varname> is set for the service unit this command is called from.</para>
+
+ <para>Note that <function>sd_notify()</function> notifications may be attributed to units correctly only if either
+ the sending process is still around at the time PID 1 processes the message, or if the sending process is
+ explicitly runtime-tracked by the service manager. The latter is the case if the service manager originally forked
+ off the process, i.e. on all processes that match <varname>NotifyAccess=</varname><option>main</option> or
+ <varname>NotifyAccess=</varname><option>exec</option>. Conversely, if an auxiliary process of the unit sends an
+ <function>sd_notify()</function> message and immediately exits, the service manager might not be able to properly
+ attribute the message to the unit, and thus will ignore it, even if
+ <varname>NotifyAccess=</varname><option>all</option> is set for it.</para>
+
+ <para><command>systemd-notify</command> will first attempt to invoke <function>sd_notify()</function> pretending to
+ have the PID of the invoking process. This will only succeed when invoked with sufficient privileges. On failure,
+ it will then fall back to invoking it under its own PID. This behaviour is useful in order that when the tool is
+ invoked from a shell script the shell process — and not the <command>systemd-notify</command> process — appears as
+ sender of the message, which in turn is helpful if the shell process is the main process of a service, due to the
+ limitations of <varname>NotifyAccess=</varname><option>all</option> described above.</para>
</refsect1>
<refsect1>
diff --git a/man/systemd-run.xml b/man/systemd-run.xml
index 1ac5124aa3..5e44b1523d 100644
--- a/man/systemd-run.xml
+++ b/man/systemd-run.xml
@@ -250,7 +250,7 @@
command. See <varname>OnActiveSec=</varname>, <varname>OnBootSec=</varname>, <varname>OnStartupSec=</varname>,
<varname>OnUnitActiveSec=</varname> and <varname>OnUnitInactiveSec=</varname> in
<citerefentry><refentrytitle>systemd.timer</refentrytitle><manvolnum>5</manvolnum></citerefentry> for
- details. These options may not be combined with <option>--scope</option>.</para>
+ details. These options may not be combined with <option>--scope</option> or <option>--pty</option>.</para>
</listitem>
</varlistentry>
@@ -259,7 +259,7 @@
<listitem><para>Defines a calendar timer for starting the specified command. See <varname>OnCalendar=</varname>
in <citerefentry><refentrytitle>systemd.timer</refentrytitle><manvolnum>5</manvolnum></citerefentry>. This
- option may not be combined with <option>--scope</option>.</para>
+ option may not be combined with <option>--scope</option> or <option>--pty</option>.</para>
</listitem>
</varlistentry>
diff --git a/man/systemd-socket-proxyd.xml b/man/systemd-socket-proxyd.xml
index a86b13daa8..b8a7800b82 100644
--- a/man/systemd-socket-proxyd.xml
+++ b/man/systemd-socket-proxyd.xml
@@ -135,8 +135,7 @@ server {
</example>
<example>
<title>Enabling the proxy</title>
- <programlisting><![CDATA[# systemctl enable proxy-to-nginx.socket
-# systemctl start proxy-to-nginx.socket
+ <programlisting><![CDATA[# systemctl enable --now proxy-to-nginx.socket
$ curl http://localhost:80/]]></programlisting>
</example>
</refsect2>
@@ -176,8 +175,7 @@ server {
</example>
<example>
<title>Enabling the proxy</title>
- <programlisting><![CDATA[# systemctl enable proxy-to-nginx.socket
-# systemctl start proxy-to-nginx.socket
+ <programlisting><![CDATA[# systemctl enable --now proxy-to-nginx.socket
$ curl http://localhost:80/]]></programlisting>
</example>
</refsect2>
diff --git a/man/systemd.exec.xml b/man/systemd.exec.xml
index 8079b4b210..bb38ea2467 100644
--- a/man/systemd.exec.xml
+++ b/man/systemd.exec.xml
@@ -1508,40 +1508,29 @@
<varlistentry>
<term><varname>RestrictAddressFamilies=</varname></term>
- <listitem><para>Restricts the set of socket address families
- accessible to the processes of this unit. Takes a
- space-separated list of address family names to whitelist,
- such as
- <constant>AF_UNIX</constant>,
- <constant>AF_INET</constant> or
- <constant>AF_INET6</constant>. When
- prefixed with <constant>~</constant> the listed address
- families will be applied as blacklist, otherwise as whitelist.
- Note that this restricts access to the
- <citerefentry project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- system call only. Sockets passed into the process by other
- means (for example, by using socket activation with socket
- units, see
- <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
- are unaffected. Also, sockets created with
- <function>socketpair()</function> (which creates connected
- AF_UNIX sockets only) are unaffected. Note that this option
- has no effect on 32-bit x86 and is ignored (but works
- correctly on x86-64). If running in user mode, or in system
- mode, but without the <constant>CAP_SYS_ADMIN</constant>
- capability (e.g. setting <varname>User=nobody</varname>),
- <varname>NoNewPrivileges=yes</varname> is implied. By
- default, no restriction applies, all address families are
- accessible to processes. If assigned the empty string, any
- previous list changes are undone.</para>
-
- <para>Use this option to limit exposure of processes to remote
- systems, in particular via exotic network protocols. Note that
- in most cases, the local <constant>AF_UNIX</constant> address
- family should be included in the configured whitelist as it is
- frequently used for local communication, including for
+ <listitem><para>Restricts the set of socket address families accessible to the processes of this unit. Takes a
+ space-separated list of address family names to whitelist, such as <constant>AF_UNIX</constant>,
+ <constant>AF_INET</constant> or <constant>AF_INET6</constant>. When prefixed with <constant>~</constant> the
+ listed address families will be applied as blacklist, otherwise as whitelist. Note that this restricts access
+ to the <citerefentry
+ project='man-pages'><refentrytitle>socket</refentrytitle><manvolnum>2</manvolnum></citerefentry> system call
+ only. Sockets passed into the process by other means (for example, by using socket activation with socket
+ units, see <citerefentry><refentrytitle>systemd.socket</refentrytitle><manvolnum>5</manvolnum></citerefentry>)
+ are unaffected. Also, sockets created with <function>socketpair()</function> (which creates connected AF_UNIX
+ sockets only) are unaffected. Note that this option has no effect on 32-bit x86, s390, s390x, mips, mips-le,
+ ppc, ppc-le, pcc64, ppc64-le and is ignored (but works correctly on other architectures, including x86-64). If
+ running in user mode, or in system mode, but without the <constant>CAP_SYS_ADMIN</constant> capability
+ (e.g. setting <varname>User=nobody</varname>), <varname>NoNewPrivileges=yes</varname> is implied. By default,
+ no restrictions apply, all address families are accessible to processes. If assigned the empty string, any
+ previous address familiy restriction changes are undone. This setting does not affect commands prefixed with
+ <literal>+</literal>.</para>
+
+ <para>Use this option to limit exposure of processes to remote access, in particular via exotic and sensitive
+ network protocols, such as <constant>AF_PACKET</constant>. Note that in most cases, the local
+ <constant>AF_UNIX</constant> address family should be included in the configured whitelist as it is frequently
+ used for local communication, including for
<citerefentry><refentrytitle>syslog</refentrytitle><manvolnum>2</manvolnum></citerefentry>
- logging. This does not affect commands prefixed with <literal>+</literal>.</para></listitem>
+ logging.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/man/systemd.service.xml b/man/systemd.service.xml
index 522ed5e61e..627176750f 100644
--- a/man/systemd.service.xml
+++ b/man/systemd.service.xml
@@ -136,9 +136,10 @@
process it supervises. A number of options that may be used in
this section are shared with other unit types. These options are
documented in
- <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>
and
- <citerefentry><refentrytitle>systemd.kill</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ <citerefentry><refentrytitle>systemd.resource-control</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
The options specific to the <literal>[Service]</literal> section
of service units are the following:</para>
@@ -792,26 +793,26 @@
<varlistentry>
<term><varname>NotifyAccess=</varname></term>
- <listitem><para>Controls access to the service status
- notification socket, as accessible via the
- <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry>
- call. Takes one of <option>none</option> (the default),
- <option>main</option>, <option>exec</option> or
- <option>all</option>. If <option>none</option>, no daemon status
- updates are accepted from the service processes, all status
- update messages are ignored. If <option>main</option>, only
- service updates sent from the main process of the service are
- accepted. If <option>exec</option>, only service updates sent
- from any of the control processes originating from one of the
- <varname>Exec*=</varname> commands are accepted. If
- <option>all</option>, all services updates from all members of
- the service's control group are accepted. This option should
- be set to open access to the notification socket when using
- <varname>Type=notify</varname> or
- <varname>WatchdogSec=</varname> (see above). If those options
- are used but <varname>NotifyAccess=</varname> is not
- configured, it will be implicitly set to
- <option>main</option>.</para></listitem>
+ <listitem><para>Controls access to the service status notification socket, as accessible via the
+ <citerefentry><refentrytitle>sd_notify</refentrytitle><manvolnum>3</manvolnum></citerefentry> call. Takes one
+ of <option>none</option> (the default), <option>main</option>, <option>exec</option> or
+ <option>all</option>. If <option>none</option>, no daemon status updates are accepted from the service
+ processes, all status update messages are ignored. If <option>main</option>, only service updates sent from the
+ main process of the service are accepted. If <option>exec</option>, only service updates sent from any of the
+ main or control processes originating from one of the <varname>Exec*=</varname> commands are accepted. If
+ <option>all</option>, all services updates from all members of the service's control group are accepted. This
+ option should be set to open access to the notification socket when using <varname>Type=notify</varname> or
+ <varname>WatchdogSec=</varname> (see above). If those options are used but <varname>NotifyAccess=</varname> is
+ not configured, it will be implicitly set to <option>main</option>.</para>
+
+ <para>Note that <function>sd_notify()</function> notifications may be attributed to units correctly only if
+ either the sending process is still around at the time PID 1 processes the message, or if the sending process
+ is explicitly runtime-tracked by the service manager. The latter is the case if the service manager originally
+ forked off the process, i.e. on all processes that match <option>main</option> or
+ <option>exec</option>. Conversely, if an auxiliary process of the unit sends an
+ <function>sd_notify()</function> message and immediately exits, the service manager might not be able to
+ properly attribute the message to the unit, and thus will ignore it, even if
+ <varname>NotifyAccess=</varname><option>all</option> is set for it.</para></listitem>
</varlistentry>
<varlistentry>
diff --git a/po/cs.po b/po/cs.po
index b42083beec..014ed4266c 100644
--- a/po/cs.po
+++ b/po/cs.po
@@ -9,24 +9,24 @@ msgstr ""
"Project-Id-Version: systemd master\n"
"Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2016-04-23 14:24+0200\n"
-"PO-Revision-Date: 2016-11-30 16:00+0100\n"
+"PO-Revision-Date: 2017-02-07 18:38+0100\n"
"Last-Translator: Daniel Rusek <mail@asciiwolf.com>\n"
"Language: cs\n"
"MIME-Version: 1.0\n"
"Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n"
-"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 "
-"|| n%100>=20) ? 1 : 2);\n"
+"Plural-Forms: nplurals=3; plural=(n==1 ? 0 : n%10>=2 && n%10<=4 && (n%100<10 || n"
+"%100>=20) ? 1 : 2);\n"
+"Language-Team: \n"
+"X-Generator: Poedit 1.8.7.1\n"
#: ../src/core/org.freedesktop.systemd1.policy.in.in.h:1
msgid "Send passphrase back to system"
msgstr "Odeslat heslo zpět do systému"
#: ../src/core/org.freedesktop.systemd1.policy.in.in.h:2
-msgid ""
-"Authentication is required to send the entered passphrase back to the system."
-msgstr ""
-"Autentizace je vyžadována pro odeslání zadaného hesla do systému."
+msgid "Authentication is required to send the entered passphrase back to the system."
+msgstr "Autentizace je vyžadována pro odeslání zadaného hesla do systému."
#: ../src/core/org.freedesktop.systemd1.policy.in.in.h:3
msgid "Manage system services or other units"
@@ -35,8 +35,7 @@ msgstr "Správa systémových služeb nebo dalších jednotek"
#: ../src/core/org.freedesktop.systemd1.policy.in.in.h:4
msgid "Authentication is required to manage system services or other units."
msgstr ""
-"Autentizace je vyžadována pro správu systémových služeb nebo dalších "
-"jednotek."
+"Autentizace je vyžadována pro správu systémových služeb nebo dalších jednotek."
#: ../src/core/org.freedesktop.systemd1.policy.in.in.h:5
msgid "Manage system service or unit files"
@@ -48,17 +47,15 @@ msgstr "Autentizace je vyžadována pro správu systémové služby nebo soubor
#: ../src/core/org.freedesktop.systemd1.policy.in.in.h:7
msgid "Set or unset system and service manager environment variables"
-msgstr ""
-"Nastavení nebo rušení proměnných správce systému a služeb"
-
+msgstr "Nastavení nebo rušení proměnných správce systému a služeb"
#: ../src/core/org.freedesktop.systemd1.policy.in.in.h:8
msgid ""
-"Authentication is required to set or unset system and service manager "
-"environment variables."
+"Authentication is required to set or unset system and service manager environment "
+"variables."
msgstr ""
-"Autentizace je vyžadována pro nastavení nebo rušení proměnných správce "
-"systému a služeb."
+"Autentizace je vyžadována pro nastavení nebo rušení proměnných správce systému a "
+"služeb."
#: ../src/core/org.freedesktop.systemd1.policy.in.in.h:9
msgid "Reload the systemd state"
@@ -82,11 +79,11 @@ msgstr "Nastavení statického názvu stoje"
#: ../src/hostname/org.freedesktop.hostname1.policy.in.h:4
msgid ""
-"Authentication is required to set the statically configured local host name, "
-"as well as the pretty host name."
+"Authentication is required to set the statically configured local host name, as "
+"well as the pretty host name."
msgstr ""
-"Autentizace je vyžadována pro nastavení staticky konfigurovaného názvu "
-"lokálního stroje, stejně tak pro změnu uživatelsky přívětivého jména."
+"Autentizace je vyžadována pro nastavení staticky konfigurovaného názvu lokálního "
+"stroje, stejně tak pro změnu uživatelsky přívětivého jména."
#: ../src/hostname/org.freedesktop.hostname1.policy.in.h:5
msgid "Set machine information"
@@ -137,18 +134,15 @@ msgstr "Nastavení systémové konfigurace klávesnice"
#: ../src/locale/org.freedesktop.locale1.policy.in.h:4
msgid "Authentication is required to set the system keyboard settings."
-msgstr ""
-"Autentizace je vyžadována pro nastavení systémové konfigurace klávesnice."
+msgstr "Autentizace je vyžadována pro nastavení systémové konfigurace klávesnice."
#: ../src/login/org.freedesktop.login1.policy.in.h:1
msgid "Allow applications to inhibit system shutdown"
msgstr "Povolit aplikacím zakázat vypnutí systému"
#: ../src/login/org.freedesktop.login1.policy.in.h:2
-msgid ""
-"Authentication is required for an application to inhibit system shutdown."
-msgstr ""
-"Autentizace je vyžadována pro povolení aplikacím zakázat vypnutí systému."
+msgid "Authentication is required for an application to inhibit system shutdown."
+msgstr "Autentizace je vyžadována pro povolení aplikacím zakázat vypnutí systému."
#: ../src/login/org.freedesktop.login1.policy.in.h:3
msgid "Allow applications to delay system shutdown"
@@ -156,8 +150,7 @@ msgstr "Povolit aplikacím odložit vypnutí systému"
#: ../src/login/org.freedesktop.login1.policy.in.h:4
msgid "Authentication is required for an application to delay system shutdown."
-msgstr ""
-"Autentizace je vyžadována pro povolení aplikacím odložit vypnutí systému."
+msgstr "Autentizace je vyžadována pro povolení aplikacím odložit vypnutí systému."
#: ../src/login/org.freedesktop.login1.policy.in.h:5
msgid "Allow applications to inhibit system sleep"
@@ -165,8 +158,7 @@ msgstr "Povolit aplikacím zakázat uspání systému"
#: ../src/login/org.freedesktop.login1.policy.in.h:6
msgid "Authentication is required for an application to inhibit system sleep."
-msgstr ""
-"Autentizace je vyžadována pro povolení aplikacím zakázat uspání systému."
+msgstr "Autentizace je vyžadována pro povolení aplikacím zakázat uspání systému."
#: ../src/login/org.freedesktop.login1.policy.in.h:7
msgid "Allow applications to delay system sleep"
@@ -174,8 +166,7 @@ msgstr "Povolit aplikacím odložit uspání systému"
#: ../src/login/org.freedesktop.login1.policy.in.h:8
msgid "Authentication is required for an application to delay system sleep."
-msgstr ""
-"Autentizace je vyžadována pro povolení aplikacím odložit uspání systému."
+msgstr "Autentizace je vyžadována pro povolení aplikacím odložit uspání systému."
#: ../src/login/org.freedesktop.login1.policy.in.h:9
msgid "Allow applications to inhibit automatic system suspend"
@@ -183,47 +174,43 @@ msgstr "Povolit aplikacím zakázat automatické vypnutí systému"
#: ../src/login/org.freedesktop.login1.policy.in.h:10
msgid ""
-"Authentication is required for an application to inhibit automatic system "
-"suspend."
+"Authentication is required for an application to inhibit automatic system suspend."
msgstr ""
-"Autentizace je vyžadována pro povolení aplikacím zakázat automatické "
-"vypnutí systému."
+"Autentizace je vyžadována pro povolení aplikacím zakázat automatické vypnutí "
+"systému."
#: ../src/login/org.freedesktop.login1.policy.in.h:11
msgid "Allow applications to inhibit system handling of the power key"
-msgstr ""
-"Povolit aplikacím zakázat chovaní systému na stisknutí vypínacího tlačítka"
+msgstr "Povolit aplikacím zakázat chovaní systému na stisknutí vypínacího tlačítka"
#: ../src/login/org.freedesktop.login1.policy.in.h:12
msgid ""
-"Authentication is required for an application to inhibit system handling of "
-"the power key."
+"Authentication is required for an application to inhibit system handling of the "
+"power key."
msgstr ""
"Autentizace je vyžadována pro povolení aplikacím zakázat chovaní systému na "
"stisknutí vypínacího tlačítka."
#: ../src/login/org.freedesktop.login1.policy.in.h:13
msgid "Allow applications to inhibit system handling of the suspend key"
-msgstr ""
-"Povolit aplikacím zakázat chovaní systému na stisknutí uspávacího tlačítka"
+msgstr "Povolit aplikacím zakázat chovaní systému na stisknutí uspávacího tlačítka"
#: ../src/login/org.freedesktop.login1.policy.in.h:14
msgid ""
-"Authentication is required for an application to inhibit system handling of "
-"the suspend key."
+"Authentication is required for an application to inhibit system handling of the "
+"suspend key."
msgstr ""
"Autentizace je vyžadována pro povolení aplikacím zakázat chovaní systému na "
"stisknutí uspávacího tlačítka."
#: ../src/login/org.freedesktop.login1.policy.in.h:15
msgid "Allow applications to inhibit system handling of the hibernate key"
-msgstr ""
-"Povolit aplikacím zakázat chovaní systému na stisknutí tlačítka hibernace"
+msgstr "Povolit aplikacím zakázat chovaní systému na stisknutí tlačítka hibernace"
#: ../src/login/org.freedesktop.login1.policy.in.h:16
msgid ""
-"Authentication is required for an application to inhibit system handling of "
-"the hibernate key."
+"Authentication is required for an application to inhibit system handling of the "
+"hibernate key."
msgstr ""
"Autentizace je vyžadována pro povolení aplikacím zakázat chovaní systému na "
"stisknutí tlačítka hibernace."
@@ -234,8 +221,8 @@ msgstr "Povolit aplikacím zakázat chovaní systému na zavření víka"
#: ../src/login/org.freedesktop.login1.policy.in.h:18
msgid ""
-"Authentication is required for an application to inhibit system handling of "
-"the lid switch."
+"Authentication is required for an application to inhibit system handling of the "
+"lid switch."
msgstr ""
"Autentizace je vyžadována pro povolení aplikacím zakázat chovaní systému na "
"zavření víka."
@@ -255,8 +242,7 @@ msgstr "Povolit nepřihlášeným uživatelům spouštět programy"
#: ../src/login/org.freedesktop.login1.policy.in.h:22
msgid "Authentication is required to run programs as a non-logged-in user."
-msgstr ""
-"Autentizace je vyžadována ke spuštění programů jako nepřihlášený uživatel."
+msgstr "Autentizace je vyžadována ke spuštění programů jako nepřihlášený uživatel."
#: ../src/login/org.freedesktop.login1.policy.in.h:23
msgid "Allow attaching devices to seats"
@@ -271,8 +257,7 @@ msgid "Flush device to seat attachments"
msgstr "Odstranění přiřazení zařízení ke stanovištím"
#: ../src/login/org.freedesktop.login1.policy.in.h:26
-msgid ""
-"Authentication is required for resetting how devices are attached to seats."
+msgid "Authentication is required for resetting how devices are attached to seats."
msgstr ""
"Autentizace je vyžadována pro reset způsobu jak jsou zařízení přiřazována ke "
"stanovištím."
@@ -294,8 +279,8 @@ msgid ""
"Authentication is required for powering off the system while other users are "
"logged in."
msgstr ""
-"Autentizace je vyžadována pro vypnutí systému, když jsou přihlášeni "
-"další uživatelé."
+"Autentizace je vyžadována pro vypnutí systému, když jsou přihlášeni další "
+"uživatelé."
#: ../src/login/org.freedesktop.login1.policy.in.h:31
msgid "Power off the system while an application asked to inhibit it"
@@ -303,11 +288,11 @@ msgstr "Vypnout systém, i když aplikace požádala o zákaz vypnutí"
#: ../src/login/org.freedesktop.login1.policy.in.h:32
msgid ""
-"Authentication is required for powering off the system while an application "
-"asked to inhibit it."
+"Authentication is required for powering off the system while an application asked "
+"to inhibit it."
msgstr ""
-"Autentizace je vyžadována pro vypnutí systému, když aplikace požádala o "
-"zákaz vypnutí."
+"Autentizace je vyžadována pro vypnutí systému, když aplikace požádala o zákaz "
+"vypnutí."
#: ../src/login/org.freedesktop.login1.policy.in.h:33
msgid "Reboot the system"
@@ -323,11 +308,11 @@ msgstr "Restartovat systém, i když jsou přihlášeni další uživatelé"
#: ../src/login/org.freedesktop.login1.policy.in.h:36
msgid ""
-"Authentication is required for rebooting the system while other users are "
-"logged in."
+"Authentication is required for rebooting the system while other users are logged "
+"in."
msgstr ""
-"Autentizace je vyžadována pro restart systému, když jsou přihlášeni "
-"další uživatelé."
+"Autentizace je vyžadována pro restart systému, když jsou přihlášeni další "
+"uživatelé."
#: ../src/login/org.freedesktop.login1.policy.in.h:37
msgid "Reboot the system while an application asked to inhibit it"
@@ -335,11 +320,11 @@ msgstr "Restartovat systém, i když aplikace požádala o zákaz restartu"
#: ../src/login/org.freedesktop.login1.policy.in.h:38
msgid ""
-"Authentication is required for rebooting the system while an application "
-"asked to inhibit it."
+"Authentication is required for rebooting the system while an application asked to "
+"inhibit it."
msgstr ""
-"Autentizace je vyžadována pro restart systému, když aplikace požádala o "
-"zákaz restartu."
+"Autentizace je vyžadována pro restart systému, když aplikace požádala o zákaz "
+"restartu."
#: ../src/login/org.freedesktop.login1.policy.in.h:39
msgid "Suspend the system"
@@ -355,11 +340,10 @@ msgstr "Uspat systém, i když jsou přihlášeni další uživatelé"
#: ../src/login/org.freedesktop.login1.policy.in.h:42
msgid ""
-"Authentication is required for suspending the system while other users are "
-"logged in."
+"Authentication is required for suspending the system while other users are logged "
+"in."
msgstr ""
-"Autentizace je vyžadována pro uspání systému, když jsou přihlášeni "
-"další uživatelé."
+"Autentizace je vyžadována pro uspání systému, když jsou přihlášeni další uživatelé."
#: ../src/login/org.freedesktop.login1.policy.in.h:43
msgid "Suspend the system while an application asked to inhibit it"
@@ -367,11 +351,11 @@ msgstr "Uspat systém, i když aplikace požádala o zákaz uspání"
#: ../src/login/org.freedesktop.login1.policy.in.h:44
msgid ""
-"Authentication is required for suspending the system while an application "
-"asked to inhibit it."
+"Authentication is required for suspending the system while an application asked to "
+"inhibit it."
msgstr ""
-"Autentizace je vyžadována pro uspání systému, když aplikace požádala o "
-"zákaz uspání."
+"Autentizace je vyžadována pro uspání systému, když aplikace požádala o zákaz "
+"uspání."
#: ../src/login/org.freedesktop.login1.policy.in.h:45
msgid "Hibernate the system"
@@ -387,11 +371,11 @@ msgstr "Hibernovat systém, i když jsou přihlášeni další uživatelé"
#: ../src/login/org.freedesktop.login1.policy.in.h:48
msgid ""
-"Authentication is required for hibernating the system while other users are "
-"logged in."
+"Authentication is required for hibernating the system while other users are logged "
+"in."
msgstr ""
-"Autentizace je vyžadována pro hibernaci systému, když jsou přihlášeni "
-"další uživatelé."
+"Autentizace je vyžadována pro hibernaci systému, když jsou přihlášeni další "
+"uživatelé."
#: ../src/login/org.freedesktop.login1.policy.in.h:49
msgid "Hibernate the system while an application asked to inhibit it"
@@ -399,19 +383,18 @@ msgstr "Hibernace systému, i když aplikace požádala o zákaz hibernace"
#: ../src/login/org.freedesktop.login1.policy.in.h:50
msgid ""
-"Authentication is required for hibernating the system while an application "
-"asked to inhibit it."
+"Authentication is required for hibernating the system while an application asked "
+"to inhibit it."
msgstr ""
-"Autentizace je vyžadována pro hibernaci systému, když aplikace požádala o "
-"zákaz hibernace."
+"Autentizace je vyžadována pro hibernaci systému, když aplikace požádala o zákaz "
+"hibernace."
#: ../src/login/org.freedesktop.login1.policy.in.h:51
msgid "Manage active sessions, users and seats"
msgstr "Správa aktivních sezení, uživatelů a stanovišť"
#: ../src/login/org.freedesktop.login1.policy.in.h:52
-msgid ""
-"Authentication is required for managing active sessions, users and seats."
+msgid "Authentication is required for managing active sessions, users and seats."
msgstr ""
"Autentizace je vyžadována pro správu aktivních sezení, uživatelů a stanovišť."
@@ -429,8 +412,7 @@ msgstr "Povolit indikaci firmwaru bootovat instalační prostředí"
#: ../src/login/org.freedesktop.login1.policy.in.h:56
msgid ""
-"Authentication is required to indicate to the firmware to boot to setup "
-"interface."
+"Authentication is required to indicate to the firmware to boot to setup interface."
msgstr ""
"Autentizace je vyžadována k povolení indikace firmwaru bootovat instalační "
"prostředí."
@@ -480,8 +462,7 @@ msgid "Acquire a pseudo TTY in a local container"
msgstr "Získání Pseudo TTY v lokálním kontejneru"
#: ../src/machine/org.freedesktop.machine1.policy.in.h:10
-msgid ""
-"Authentication is required to acquire a pseudo TTY in a local container."
+msgid "Authentication is required to acquire a pseudo TTY in a local container."
msgstr "Autentizace je vyžadována pro získání pseudo TTY v lokálním kontejneru."
#: ../src/machine/org.freedesktop.machine1.policy.in.h:11
@@ -497,8 +478,7 @@ msgid "Manage local virtual machines and containers"
msgstr "Spravovat lokální virtuální stroje a kontejnery"
#: ../src/machine/org.freedesktop.machine1.policy.in.h:14
-msgid ""
-"Authentication is required to manage local virtual machines and containers."
+msgid "Authentication is required to manage local virtual machines and containers."
msgstr ""
"Autentizace je vyžadována pro správu lokálních virtuálních strojů a kontejnerů."
@@ -508,10 +488,8 @@ msgstr "Spravovat lokální obrazy virtuálních strojů a kontejnerů"
#: ../src/machine/org.freedesktop.machine1.policy.in.h:16
msgid ""
-"Authentication is required to manage local virtual machine and container "
-"images."
-msgstr ""
-"Autentizace je vyžadována ke správě obrazů virtuálních strojů a kontejnerů."
+"Authentication is required to manage local virtual machine and container images."
+msgstr "Autentizace je vyžadována ke správě obrazů virtuálních strojů a kontejnerů."
#: ../src/timedate/org.freedesktop.timedate1.policy.in.h:1
msgid "Set system time"
@@ -535,11 +513,10 @@ msgstr "Nastavit RTC na lokální časovou zónu nebo UTC"
#: ../src/timedate/org.freedesktop.timedate1.policy.in.h:6
msgid ""
-"Authentication is required to control whether the RTC stores the local or "
-"UTC time."
+"Authentication is required to control whether the RTC stores the local or UTC time."
msgstr ""
-"Autentizace je vyžadována pro kontrolu jestli RTC ukládá lokální časovou "
-"zónu nebo UTC čas."
+"Autentizace je vyžadována pro kontrolu jestli RTC ukládá lokální časovou zónu nebo "
+"UTC čas."
#: ../src/timedate/org.freedesktop.timedate1.policy.in.h:7
msgid "Turn network time synchronization on or off"
@@ -547,8 +524,8 @@ msgstr "Zapnout nebo vypnout synchronizaci s časem ze sítě"
#: ../src/timedate/org.freedesktop.timedate1.policy.in.h:8
msgid ""
-"Authentication is required to control whether network time synchronization "
-"shall be enabled."
+"Authentication is required to control whether network time synchronization shall "
+"be enabled."
msgstr "Autentizace je vyžadována pro kontrolu synchronizace času ze sítě."
#: ../src/core/dbus-unit.c:459
@@ -573,9 +550,7 @@ msgstr "Autentizace je vyžadována pro ukončení „$(unit)”."
#: ../src/core/dbus-unit.c:601
msgid "Authentication is required to reset the \"failed\" state of '$(unit)'."
-msgstr ""
-"Autentizace je vyžadována pro resetování chybného stavu "
-"„$(unit)”."
+msgstr "Autentizace je vyžadována pro resetování chybného stavu „$(unit)”."
#: ../src/core/dbus-unit.c:634
msgid "Authentication is required to set properties on '$(unit)'."
diff --git a/po/id.po b/po/id.po
index 72eb94c7ec..72eb94c7ec 100755..100644
--- a/po/id.po
+++ b/po/id.po
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index bd9c0aac60..609e0619af 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -873,6 +873,8 @@ int seccomp_protect_sysctl(void) {
}
int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
+
+#if !SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
uint32_t arch;
int r;
@@ -1001,6 +1003,7 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist) {
if (r < 0)
log_debug_errno(r, "Failed to install socket family rules for architecture %s, skipping: %m", seccomp_arch_to_string(arch));
}
+#endif
return 0;
}
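Review bot: With the body between `#if !SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN` and the `#endif` added here compiled out, seccomp_restrict_address_families() falls straight through to `return 0;`. On the affected architectures the caller therefore sees success although no filter was installed, and nothing is logged. Because this is a sandboxing control, the no-op should be visible: add an `#else` branch before the `#endif` with something like `log_debug("Socket address family filtering is not available on this architecture, skipping.");`. Returning an error would be the stricter choice, but whether callers treat a negative return as fatal cannot be checked from these hunks. The middle of the function lies between the two hunks and is not shown.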
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 4438e87fa6..2563fcd38a 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -76,6 +76,14 @@ int seccomp_restrict_address_families(Set *address_families, bool whitelist);
int seccomp_restrict_realtime(void);
int seccomp_memory_deny_write_execute(void);
+#if defined(__i386__) || defined(__s390x__) || defined(__s390__) || defined(__powerpc64__) || defined(__powerpc__) || defined (__mips__)
+/* On these archs, socket() is implemented via the socketcall() syscall multiplexer, and we can't restrict it hence via
+ * seccomp */
+#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 1
+#else
+#define SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN 0
+#endif
+
extern const uint32_t seccomp_local_archs[];
#define SECCOMP_FOREACH_LOCAL_ARCH(arch) \
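Review bot: The comment above `SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN` explains why socket() cannot be filtered, but not what the macro means for callers: when it is 1, seccomp_restrict_address_families() installs nothing and still returns 0. I would extend it with a line such as `/* When 1, seccomp_restrict_address_families() is a NOP that returns success; address families stay unrestricted. */`. The condition tests only the architecture being compiled for, while the function appears to iterate over all local architectures (`SECCOMP_FOREACH_LOCAL_ARCH` just below). It is worth confirming how a secondary socketcall() ABI, such as i386 on an x86-64 build, is handled. Minor: `defined (__mips__)` has a space that the other `defined(...)` terms do not.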
diff --git a/src/test/test-seccomp.c b/src/test/test-seccomp.c
index 6f15879c45..54e7947c2f 100644
--- a/src/test/test-seccomp.c
+++ b/src/test/test-seccomp.c
@@ -283,8 +283,14 @@ static void test_restrict_address_families(void) {
assert_se(fd >= 0);
safe_close(fd);
+#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
+ fd = socket(AF_UNIX, SOCK_DGRAM, 0);
+ assert_se(fd >= 0);
+ safe_close(fd);
+#else
assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0);
assert_se(errno == EAFNOSUPPORT);
+#endif
fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
assert_se(fd >= 0);
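Review bot: The `#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN` branch here, and the matching one in the next hunk, asserts that socket() calls for the restricted families succeed, with no comment saying why. Someone reading the test later could take that for the intended security behaviour rather than a documented limitation. A short comment on each branch would make this clear, for example `/* socketcall() architectures: the filter is a NOP, so restricted families are still reachable */`. test_restrict_address_families() starts and ends outside both hunks, so the setup that precedes these assertions is not visible here.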
@@ -300,11 +306,21 @@ static void test_restrict_address_families(void) {
assert_se(fd >= 0);
safe_close(fd);
+#if SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
+ fd = socket(AF_UNIX, SOCK_DGRAM, 0);
+ assert_se(fd >= 0);
+ safe_close(fd);
+
+ fd = socket(AF_NETLINK, SOCK_DGRAM, 0);
+ assert_se(fd >= 0);
+ safe_close(fd);
+#else
assert_se(socket(AF_UNIX, SOCK_DGRAM, 0) < 0);
assert_se(errno == EAFNOSUPPORT);
assert_se(socket(AF_NETLINK, SOCK_DGRAM, 0) < 0);
assert_se(errno == EAFNOSUPPORT);
+#endif
_exit(EXIT_SUCCESS);
}