summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--.gitignore4
-rw-r--r--Makefile.am121
-rw-r--r--src/basic/af-list.c2
-rw-r--r--src/basic/alloc-util.c4
-rw-r--r--src/basic/alloc-util.h1
-rw-r--r--src/basic/arphrd-list.c2
-rw-r--r--src/basic/async.c3
-rw-r--r--src/basic/audit-util.c3
-rw-r--r--src/basic/barrier.c1
-rw-r--r--src/basic/barrier.h2
-rw-r--r--src/basic/bitmap.c9
-rw-r--r--src/basic/bitmap.h2
-rw-r--r--src/basic/btrfs-util.c15
-rw-r--r--src/basic/btrfs-util.h3
-rw-r--r--src/basic/bus-label.c1
-rw-r--r--src/basic/bus-label.h1
-rw-r--r--src/basic/c-rbtree.c679
-rw-r--r--src/basic/c-rbtree.h297
-rw-r--r--src/basic/calendarspec.c6
-rw-r--r--src/basic/calendarspec.h1
-rw-r--r--src/basic/cap-list.c2
-rw-r--r--src/basic/capability-util.c1
-rw-r--r--src/basic/capability-util.h3
-rw-r--r--src/basic/cgroup-util.c9
-rw-r--r--src/basic/cgroup-util.h4
-rw-r--r--src/basic/chattr-util.c4
-rw-r--r--src/basic/clock-util.c4
-rw-r--r--src/basic/conf-files.c1
-rw-r--r--src/basic/copy.c13
-rw-r--r--src/basic/copy.h1
-rw-r--r--src/basic/cpu-set-util.c7
-rw-r--r--src/basic/device-nodes.c2
-rw-r--r--src/basic/device-nodes.h1
-rw-r--r--src/basic/dirent-util.c3
-rw-r--r--src/basic/dirent-util.h3
-rw-r--r--src/basic/env-util.c8
-rw-r--r--src/basic/env-util.h1
-rw-r--r--src/basic/errno-list.c2
-rw-r--r--src/basic/escape.c7
-rw-r--r--src/basic/escape.h4
-rw-r--r--src/basic/ether-addr-util.c2
-rw-r--r--src/basic/exit-status.h2
-rw-r--r--src/basic/extract-word.c12
-rw-r--r--src/basic/fd-util.c11
-rw-r--r--src/basic/fdset.c6
-rw-r--r--src/basic/fdset.h4
-rw-r--r--src/basic/fileio-label.c4
-rw-r--r--src/basic/fileio.c13
-rw-r--r--src/basic/fs-util.c14
-rw-r--r--src/basic/fs-util.h2
-rw-r--r--src/basic/glob-util.c4
-rw-r--r--src/basic/glob-util.h1
-rw-r--r--src/basic/gunicode.c2
-rw-r--r--src/basic/hashmap.c3
-rw-r--r--src/basic/hashmap.h2
-rw-r--r--src/basic/hexdecoct.c6
-rw-r--r--src/basic/hexdecoct.h1
-rw-r--r--src/basic/hostname-util.c9
-rw-r--r--src/basic/in-addr-util.c6
-rw-r--r--src/basic/in-addr-util.h2
-rw-r--r--src/basic/io-util.c5
-rw-r--r--src/basic/io-util.h3
-rw-r--r--src/basic/json.c3
-rw-r--r--src/basic/json.h3
-rw-r--r--src/basic/label.c6
-rw-r--r--src/basic/locale-util.c11
-rw-r--r--src/basic/lockfile-util.c8
-rw-r--r--src/basic/lockfile-util.h2
-rw-r--r--src/basic/log.c9
-rw-r--r--src/basic/login-util.c3
-rw-r--r--src/basic/memfd-util.c5
-rw-r--r--src/basic/memfd-util.h2
-rw-r--r--src/basic/mempool.c3
-rw-r--r--src/basic/mkdir-label.c1
-rw-r--r--src/basic/mkdir.c4
-rw-r--r--src/basic/mount-util.c6
-rw-r--r--src/basic/mount-util.h2
-rw-r--r--src/basic/parse-util.c10
-rw-r--r--src/basic/parse-util.h3
-rw-r--r--src/basic/path-util.c10
-rw-r--r--src/basic/path-util.h2
-rw-r--r--src/basic/prioq.c5
-rw-r--r--src/basic/prioq.h3
-rw-r--r--src/basic/proc-cmdline.c4
-rw-r--r--src/basic/process-util.c7
-rw-r--r--src/basic/process-util.h1
-rw-r--r--src/basic/random-util.c9
-rw-r--r--src/basic/random-util.h1
-rw-r--r--src/basic/ratelimit.c3
-rw-r--r--src/basic/ratelimit.h3
-rw-r--r--src/basic/replace-var.c4
-rw-r--r--src/basic/rlimit-util.c5
-rw-r--r--src/basic/rm-rf.c12
-rw-r--r--src/basic/selinux-util.c30
-rw-r--r--src/basic/selinux-util.h2
-rw-r--r--src/basic/sigbus.c2
-rw-r--r--src/basic/signal-util.c6
-rw-r--r--src/basic/siphash24.c3
-rw-r--r--src/basic/siphash24.h2
-rw-r--r--src/basic/smack-util.c7
-rw-r--r--src/basic/smack-util.h1
-rw-r--r--src/basic/socket-label.c6
-rw-r--r--src/basic/socket-util.c17
-rw-r--r--src/basic/socket-util.h9
-rw-r--r--src/basic/stat-util.c4
-rw-r--r--src/basic/stat-util.h2
-rw-r--r--src/basic/strbuf.c2
-rw-r--r--src/basic/strbuf.h2
-rw-r--r--src/basic/string-table.c1
-rw-r--r--src/basic/string-table.h1
-rw-r--r--src/basic/string-util.c7
-rw-r--r--src/basic/string-util.h2
-rw-r--r--src/basic/strv.c3
-rw-r--r--src/basic/strv.h3
-rw-r--r--src/basic/strxcpyx.c1
-rw-r--r--src/basic/strxcpyx.h2
-rw-r--r--src/basic/syslog-util.c3
-rw-r--r--src/basic/terminal-util.c16
-rw-r--r--src/basic/terminal-util.h1
-rw-r--r--src/basic/time-util.c10
-rw-r--r--src/basic/time-util.h3
-rw-r--r--src/basic/unit-name.c6
-rw-r--r--src/basic/user-util.c12
-rw-r--r--src/basic/utf8.c3
-rw-r--r--src/basic/utf8.h2
-rw-r--r--src/basic/util.c55
-rw-r--r--src/basic/util.h3
-rw-r--r--src/basic/verbs.c8
-rw-r--r--src/basic/virt.c4
-rw-r--r--src/basic/xattr-util.c9
-rw-r--r--src/basic/xattr-util.h1
-rw-r--r--src/basic/xml.c4
-rw-r--r--src/cgls/cgls.c4
-rw-r--r--src/core/selinux-access.c75
-rw-r--r--src/hostname/hostnamed.c8
-rw-r--r--src/journal/compress.c2
-rw-r--r--src/journal/journal-send.c10
-rw-r--r--src/journal/journald-native.c2
-rw-r--r--src/journal/journald-server.c59
-rw-r--r--src/journal/journald-server.h1
-rw-r--r--src/journal/journald-stream.c2
-rw-r--r--src/journal/journald-syslog.c2
-rw-r--r--src/journal/test-journal-send.c89
-rw-r--r--src/libsystemd-network/sd-dhcp-client.c2
-rw-r--r--src/libsystemd/sd-bus/bus-socket.c2
-rw-r--r--src/libsystemd/sd-bus/test-bus-creds.c2
-rw-r--r--src/libudev/libudev-device-private.c8
-rw-r--r--src/login/logind-dbus.c2
-rw-r--r--src/machine/machined-dbus.c4
-rw-r--r--src/nspawn/nspawn-register.c4
-rw-r--r--src/resolve-host/resolve-host.c2
-rw-r--r--src/resolve/resolved-bus.c20
-rw-r--r--src/resolve/resolved-conf.c35
-rw-r--r--src/resolve/resolved-conf.h1
-rw-r--r--src/resolve/resolved-def.h7
-rw-r--r--src/resolve/resolved-dns-answer.h25
-rw-r--r--src/resolve/resolved-dns-cache.c144
-rw-r--r--src/resolve/resolved-dns-cache.h8
-rw-r--r--src/resolve/resolved-dns-dnssec.c719
-rw-r--r--src/resolve/resolved-dns-dnssec.h67
-rw-r--r--src/resolve/resolved-dns-packet.c209
-rw-r--r--src/resolve/resolved-dns-packet.h54
-rw-r--r--src/resolve/resolved-dns-query.c26
-rw-r--r--src/resolve/resolved-dns-query.h1
-rw-r--r--src/resolve/resolved-dns-question.h13
-rw-r--r--src/resolve/resolved-dns-rr.c97
-rw-r--r--src/resolve/resolved-dns-rr.h73
-rw-r--r--src/resolve/resolved-dns-scope.c164
-rw-r--r--src/resolve/resolved-dns-scope.h4
-rw-r--r--src/resolve/resolved-dns-server.h3
-rw-r--r--src/resolve/resolved-dns-transaction.c346
-rw-r--r--src/resolve/resolved-dns-transaction.h10
-rw-r--r--src/resolve/resolved-dns-trust-anchor.c101
-rw-r--r--src/resolve/resolved-dns-trust-anchor.h39
-rw-r--r--src/resolve/resolved-dns-zone.c13
-rw-r--r--src/resolve/resolved-gperf.gperf1
-rw-r--r--src/resolve/resolved-link.c24
-rw-r--r--src/resolve/resolved-link.h3
-rw-r--r--src/resolve/resolved-llmnr.c4
-rw-r--r--src/resolve/resolved-manager.c29
-rw-r--r--src/resolve/resolved-manager.h11
-rw-r--r--src/resolve/resolved-mdns.c286
-rw-r--r--src/resolve/resolved-mdns.h32
-rw-r--r--src/resolve/resolved.conf.in1
-rw-r--r--src/resolve/test-dnssec.c217
-rw-r--r--src/shared/acl-util.c45
-rw-r--r--src/shared/acl-util.h1
-rw-r--r--src/shared/acpi-fpdt.c4
-rw-r--r--src/shared/apparmor-util.c3
-rw-r--r--src/shared/architecture.c1
-rw-r--r--src/shared/architecture.h1
-rw-r--r--src/shared/ask-password-api.c12
-rw-r--r--src/shared/base-filesystem.c3
-rw-r--r--src/shared/boot-timestamps.c2
-rw-r--r--src/shared/bus-util.c18
-rw-r--r--src/shared/bus-util.h7
-rw-r--r--src/shared/cgroup-show.c4
-rw-r--r--src/shared/cgroup-show.h1
-rw-r--r--src/shared/clean-ipc.c9
-rw-r--r--src/shared/condition.c8
-rw-r--r--src/shared/conf-parser.c8
-rw-r--r--src/shared/conf-parser.h5
-rw-r--r--src/shared/dev-setup.c1
-rw-r--r--src/shared/dns-domain.c211
-rw-r--r--src/shared/dns-domain.h16
-rw-r--r--src/shared/dropin.c12
-rw-r--r--src/shared/dropin.h1
-rw-r--r--src/shared/efivars.c10
-rw-r--r--src/shared/efivars.h2
-rw-r--r--src/shared/firewall-util.c10
-rw-r--r--src/shared/firewall-util.h3
-rw-r--r--src/shared/fstab-util.c7
-rw-r--r--src/shared/generator.c5
-rw-r--r--src/shared/import-util.c5
-rw-r--r--src/shared/install-printf.c9
-rw-r--r--src/shared/install.c10
-rw-r--r--src/shared/install.h3
-rw-r--r--src/shared/logs-show.c12
-rw-r--r--src/shared/logs-show.h4
-rw-r--r--src/shared/machine-image.c15
-rw-r--r--src/shared/machine-image.h4
-rw-r--r--src/shared/machine-pool.c19
-rw-r--r--src/shared/machine-pool.h2
-rw-r--r--src/shared/pager.c8
-rw-r--r--src/shared/path-lookup.c2
-rw-r--r--src/shared/path-lookup.h1
-rw-r--r--src/shared/ptyfwd.c14
-rw-r--r--src/shared/ptyfwd.h2
-rw-r--r--src/shared/seccomp-util.c4
-rw-r--r--src/shared/seccomp-util.h1
-rw-r--r--src/shared/sleep-config.c8
-rw-r--r--src/shared/spawn-polkit-agent.c2
-rw-r--r--src/shared/specifier.c7
-rw-r--r--src/shared/switch-root.c4
-rw-r--r--src/shared/switch-root.h1
-rw-r--r--src/shared/sysctl-util.c7
-rw-r--r--src/shared/uid-range.c6
-rw-r--r--src/shared/utmp-wtmp.c6
-rw-r--r--src/shared/utmp-wtmp.h4
-rw-r--r--src/shared/watchdog.c2
-rw-r--r--src/shared/watchdog.h3
-rw-r--r--src/systemd/_sd-common.h10
-rw-r--r--src/test/test-acl-util.c87
-rw-r--r--src/test/test-condition.c2
-rw-r--r--src/test/test-dns-domain.c66
-rw-r--r--src/test/test-engine.c5
-rw-r--r--src/test/test-execute.c5
-rw-r--r--src/test/test-helper.h12
-rw-r--r--src/test/test-path.c5
-rw-r--r--src/test/test-rbtree.c362
-rw-r--r--src/test/test-rlimit-util.c69
-rw-r--r--src/test/test-sched-prio.c5
-rw-r--r--src/udev/scsi_id/scsi.h64
-rw-r--r--src/udev/scsi_id/scsi_id.c2
-rw-r--r--src/udev/scsi_id/scsi_id.h2
-rw-r--r--src/udev/scsi_id/scsi_serial.c77
-rw-r--r--src/udev/udev-builtin-blkid.c2
-rw-r--r--src/udev/udev-builtin-btrfs.c2
-rw-r--r--src/udev/udev-builtin-hwdb.c2
-rw-r--r--src/udev/udev-builtin-input_id.c2
-rw-r--r--src/udev/udev-builtin-keyboard.c2
-rw-r--r--src/udev/udev-builtin-kmod.c2
-rw-r--r--src/udev/udev-builtin-net_id.c2
-rw-r--r--src/udev/udev-builtin-path_id.c2
-rw-r--r--src/udev/udev-builtin-uaccess.c2
-rw-r--r--src/udev/udev-builtin-usb_id.c2
-rw-r--r--src/udev/udev-builtin.c2
-rw-r--r--src/udev/udev-ctrl.c2
-rw-r--r--src/udev/udev-event.c10
-rw-r--r--src/udev/udev-node.c2
-rw-r--r--src/udev/udev-rules.c2
-rw-r--r--src/udev/udev-watch.c2
-rw-r--r--src/udev/udev.h2
-rw-r--r--src/udev/udevadm-control.c2
-rw-r--r--src/udev/udevadm-hwdb.c2
-rw-r--r--src/udev/udevadm-info.c2
-rw-r--r--src/udev/udevadm-monitor.c2
-rw-r--r--src/udev/udevadm-settle.c2
-rw-r--r--src/udev/udevadm-test-builtin.c2
-rw-r--r--src/udev/udevadm-test.c2
-rw-r--r--src/udev/udevadm-trigger.c2
-rw-r--r--src/udev/udevadm-util.c2
-rw-r--r--src/udev/udevadm-util.h2
-rw-r--r--src/udev/udevadm.c1
-rw-r--r--src/udev/udevd.c2
-rw-r--r--src/udev/v4l_id/v4l_id.c2
-rw-r--r--src/user-sessions/user-sessions.c8
-rwxr-xr-xtest/networkd-test.py371
-rw-r--r--tmpfiles.d/systemd.conf.m44
289 files changed, 5754 insertions, 867 deletions
diff --git a/.gitignore b/.gitignore
index 98eb29d657..4d9cbbe4a0 100644
--- a/.gitignore
+++ b/.gitignore
@@ -133,6 +133,7 @@
/systemd-vconsole-setup
/tags
/test-acd
+/test-acl-util
/test-af-list
/test-architecture
/test-arphrd-list
@@ -181,6 +182,7 @@
/test-dhcp-server
/test-dhcp6-client
/test-dns-domain
+/test-dnssec
/test-efi-disk.img
/test-ellipsize
/test-engine
@@ -244,9 +246,11 @@
/test-pty
/test-qcow2
/test-ratelimit
+/test-rbtree
/test-replace-var
/test-resolve
/test-ring
+/test-rlimit-util
/test-sched-prio
/test-set
/test-sigbus
diff --git a/Makefile.am b/Makefile.am
index 7880fe57ce..e99c937e61 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -147,6 +147,7 @@ tests=
manual_tests =
TEST_EXTENSIONS = .py
PY_LOG_COMPILER = $(PYTHON)
+DISABLE_HARD_ERRORS = yes
if ENABLE_TESTS
noinst_PROGRAMS = $(manual_tests) $(tests)
TESTS = $(tests)
@@ -744,8 +745,6 @@ CLEANFILES += \
man/systemd.index.xml \
man/systemd.directives.xml
-EXTRA_DIST += \
- tools/make-man-rules.py
endif
@@ -754,6 +753,7 @@ endif
EXTRA_DIST += \
$(filter-out man/systemd.directives.xml man/systemd.index.xml,$(XML_FILES)) \
tools/make-man-index.py \
+ tools/make-man-rules.py \
tools/make-directive-index.py \
tools/xml_helper.py \
man/glib-event-glue.c
@@ -766,6 +766,8 @@ libbasic_la_SOURCES = \
src/basic/missing.h \
src/basic/capability-util.c \
src/basic/capability-util.h \
+ src/basic/c-rbtree.c \
+ src/basic/c-rbtree.h \
src/basic/conf-files.c \
src/basic/conf-files.h \
src/basic/stdio-util.h \
@@ -1493,11 +1495,18 @@ tests += \
test-copy \
test-cap-list \
test-sigbus \
+ test-rbtree \
test-verbs \
test-af-list \
test-arphrd-list \
test-dns-domain \
- test-install-root
+ test-install-root \
+ test-rlimit-util
+
+if HAVE_ACL
+tests += \
+ test-acl-util
+endif
EXTRA_DIST += \
test/a.service \
@@ -1723,6 +1732,12 @@ test_sigbus_SOURCES = \
test_sigbus_LDADD = \
libshared.la
+test_rbtree_SOURCES = \
+ src/test/test-rbtree.c
+
+test_rbtree_LDADD = \
+ libshared.la
+
test_condition_SOURCES = \
src/test/test-condition.c
@@ -1846,9 +1861,21 @@ test_install_root_SOURCES = \
test_install_root_LDADD = \
libshared.la
+test_acl_util_SOURCES = \
+ src/test/test-acl-util.c
+
+test_acl_util_LDADD = \
+ libshared.la
+
test_namespace_LDADD = \
libcore.la
+test_rlimit_util_SOURCES = \
+ src/test/test-rlimit-util.c
+
+test_rlimit_util_LDADD = \
+ libshared.la
+
BUILT_SOURCES += \
src/test/test-hashmap-ordered.c
@@ -4805,9 +4832,6 @@ systemd_timesyncd_SOURCES = \
nodist_systemd_timesyncd_SOURCES = \
src/timesync/timesyncd-gperf.c
-gperf_gperf_sources += \
- src/timesync/timesyncd-gperf.gperf
-
systemd_timesyncd_LDADD = \
libsystemd-network.la \
libshared.la
@@ -4821,15 +4845,18 @@ nodist_systemunit_DATA += \
GENERAL_ALIASES += \
$(systemunitdir)/systemd-timesyncd.service $(pkgsysconfdir)/system/sysinit.target.wants/systemd-timesyncd.service
-EXTRA_DIST += \
- units/systemd-timesyncd.service.in
nodist_pkgsysconf_DATA += \
src/timesync/timesyncd.conf
+endif
+
+gperf_gperf_sources += \
+ src/timesync/timesyncd-gperf.gperf
+
EXTRA_DIST += \
+ units/systemd-timesyncd.service.in \
src/timesync/timesyncd.conf.in
-endif
# ------------------------------------------------------------------------------
if HAVE_MYHOSTNAME
@@ -5125,12 +5152,13 @@ polkitpolicy_in_files += \
src/import/org.freedesktop.import1.policy.in
EXTRA_DIST += \
- units/systemd-importd.service.in \
- src/resolve/resolved.conf.in
+ units/systemd-importd.service.in
# ------------------------------------------------------------------------------
if ENABLE_RESOLVED
+if HAVE_GCRYPT
+
systemd_resolved_SOURCES = \
src/resolve/resolved.c \
src/resolve/resolved-manager.c \
@@ -5145,6 +5173,8 @@ systemd_resolved_SOURCES = \
src/resolve/resolved-link.c \
src/resolve/resolved-llmnr.h \
src/resolve/resolved-llmnr.c \
+ src/resolve/resolved-mdns.h \
+ src/resolve/resolved-mdns.c \
src/resolve/resolved-def.h \
src/resolve/resolved-dns-rr.h \
src/resolve/resolved-dns-rr.c \
@@ -5170,6 +5200,10 @@ systemd_resolved_SOURCES = \
src/resolve/resolved-dns-zone.c \
src/resolve/resolved-dns-stream.h \
src/resolve/resolved-dns-stream.c \
+ src/resolve/resolved-dns-dnssec.h \
+ src/resolve/resolved-dns-dnssec.c \
+ src/resolve/resolved-dns-trust-anchor.h \
+ src/resolve/resolved-dns-trust-anchor.c \
src/resolve/dns-type.c \
src/resolve/dns-type.h
@@ -5178,12 +5212,6 @@ nodist_systemd_resolved_SOURCES = \
src/resolve/dns_type-to-name.h \
src/resolve/resolved-gperf.c
-gperf_gperf_sources += \
- src/resolve/resolved-gperf.gperf
-
-gperf_txt_sources += \
- src/resolve/dns_type-list.txt
-
systemd_resolved_LDADD = \
libsystemd-network.la \
libshared.la
@@ -5215,9 +5243,6 @@ GENERAL_ALIASES += \
nodist_pkgsysconf_DATA += \
src/resolve/resolved.conf
-tests += \
- test-dns-domain
-
libnss_resolve_la_SOURCES = \
src/nss-resolve/nss-resolve.sym \
src/nss-resolve/nss-resolve.c
@@ -5261,10 +5286,40 @@ systemd_resolve_host_LDADD = \
rootlibexec_PROGRAMS += \
systemd-resolve-host
+tests += \
+ test-dns-domain \
+ test-dnssec
+
+test_dnssec_SOURCES = \
+ src/resolve/test-dnssec.c \
+ src/resolve/resolved-dns-packet.c \
+ src/resolve/resolved-dns-packet.h \
+ src/resolve/resolved-dns-rr.c \
+ src/resolve/resolved-dns-rr.h \
+ src/resolve/resolved-dns-answer.c \
+ src/resolve/resolved-dns-answer.h \
+ src/resolve/resolved-dns-question.c \
+ src/resolve/resolved-dns-question.h \
+ src/resolve/resolved-dns-dnssec.c \
+ src/resolve/resolved-dns-dnssec.h \
+ src/resolve/dns-type.c \
+ src/resolve/dns-type.h
+
+test_dnssec_LDADD = \
+ libshared.la
+
+endif
endif
+gperf_txt_sources += \
+ src/resolve/dns_type-list.txt
+
+gperf_gperf_sources += \
+ src/resolve/resolved-gperf.gperf
+
EXTRA_DIST += \
- units/systemd-resolved.service.m4.in
+ units/systemd-resolved.service.m4.in \
+ src/resolve/resolved.conf.in
# ------------------------------------------------------------------------------
if ENABLE_NETWORKD
@@ -5432,14 +5487,16 @@ SYSTEM_UNIT_ALIASES += \
BUSNAMES_TARGET_WANTS += \
org.freedesktop.network1.busname
+endif
+
gperf_gperf_sources += \
src/network/networkd-network-gperf.gperf \
src/network/networkd-netdev-gperf.gperf
-endif
EXTRA_DIST += \
units/systemd-networkd.service.m4.in \
- units/systemd-networkd-wait-online.service.in
+ units/systemd-networkd-wait-online.service.in \
+ test/networkd-test.py
# ------------------------------------------------------------------------------
if ENABLE_LOGIND
@@ -6173,21 +6230,7 @@ DISTCHECK_CONFIGURE_FLAGS += \
--disable-split-usr
endif
-#
-# Require python when making dist
-#
-.PHONY: dist-check-python dist-check-compat-libs dist-check-help
-dist-check-python:
-if !HAVE_PYTHON
- @echo "*** python and python-lxml module must be installed and enabled in order to make dist"
- @false
-endif
-
-dist-check-compat-libs:
-if !ENABLE_COMPAT_LIBS
- @echo "*** compat-libs must be enabled in order to make dist"
- @false
-endif
+.PHONY: dist-check-help
dist-check-help: $(rootbin_PROGRAMS) $(bin_PROGRAMS)
for i in $(abspath $^); do \
@@ -6197,8 +6240,6 @@ dist-check-help: $(rootbin_PROGRAMS) $(bin_PROGRAMS)
exit 1; \
fi; done
-dist: dist-check-python dist-check-compat-libs
-
.PHONY: hwdb-update
hwdb-update:
( cd $(top_srcdir)/hwdb && \
diff --git a/src/basic/af-list.c b/src/basic/af-list.c
index 07dfff6ad4..606bb49a59 100644
--- a/src/basic/af-list.c
+++ b/src/basic/af-list.c
@@ -23,7 +23,7 @@
#include <sys/socket.h>
#include "af-list.h"
-#include "util.h"
+#include "macro.h"
static const struct af_name* lookup_af(register const char *str, register unsigned int len);
diff --git a/src/basic/alloc-util.c b/src/basic/alloc-util.c
index 48183e381f..0c6a15c958 100644
--- a/src/basic/alloc-util.c
+++ b/src/basic/alloc-util.c
@@ -19,7 +19,11 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdint.h>
+#include <string.h>
+
#include "alloc-util.h"
+#include "macro.h"
#include "util.h"
void* memdup(const void *p, size_t l) {
diff --git a/src/basic/alloc-util.h b/src/basic/alloc-util.h
index 12b602e185..f5097ea117 100644
--- a/src/basic/alloc-util.h
+++ b/src/basic/alloc-util.h
@@ -22,6 +22,7 @@
***/
#include <alloca.h>
+#include <stddef.h>
#include <stdlib.h>
#include <string.h>
diff --git a/src/basic/arphrd-list.c b/src/basic/arphrd-list.c
index 03d8ad7403..c1fdbbd905 100644
--- a/src/basic/arphrd-list.c
+++ b/src/basic/arphrd-list.c
@@ -23,7 +23,7 @@
#include <string.h>
#include "arphrd-list.h"
-#include "util.h"
+#include "macro.h"
static const struct arphrd_name* lookup_arphrd(register const char *str, register unsigned int len);
diff --git a/src/basic/async.c b/src/basic/async.c
index cfc5d224e1..42c66a762e 100644
--- a/src/basic/async.c
+++ b/src/basic/async.c
@@ -19,12 +19,15 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <pthread.h>
+#include <stddef.h>
#include <unistd.h>
#include "async.h"
#include "fd-util.h"
#include "log.h"
+#include "macro.h"
#include "util.h"
int asynchronous_job(void* (*func)(void *p), void *arg) {
diff --git a/src/basic/audit-util.c b/src/basic/audit-util.c
index 4612297334..e52ee24c05 100644
--- a/src/basic/audit-util.c
+++ b/src/basic/audit-util.c
@@ -20,7 +20,9 @@
***/
#include <errno.h>
+#include <linux/netlink.h>
#include <stdio.h>
+#include <sys/socket.h>
#include "alloc-util.h"
#include "audit-util.h"
@@ -30,7 +32,6 @@
#include "parse-util.h"
#include "process-util.h"
#include "user-util.h"
-#include "util.h"
int audit_session_from_pid(pid_t pid, uint32_t *id) {
_cleanup_free_ char *s = NULL;
diff --git a/src/basic/barrier.c b/src/basic/barrier.c
index 2d55bab4ab..9a78a80eb2 100644
--- a/src/basic/barrier.c
+++ b/src/basic/barrier.c
@@ -32,7 +32,6 @@
#include "barrier.h"
#include "fd-util.h"
#include "macro.h"
-#include "util.h"
/**
* Barriers
diff --git a/src/basic/barrier.h b/src/basic/barrier.h
index b8954694d3..722effe834 100644
--- a/src/basic/barrier.h
+++ b/src/basic/barrier.h
@@ -21,6 +21,8 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdbool.h>
+#include <stdint.h>
#include <sys/types.h>
#include "macro.h"
diff --git a/src/basic/bitmap.c b/src/basic/bitmap.c
index 1449e2ea85..95f59e400a 100644
--- a/src/basic/bitmap.c
+++ b/src/basic/bitmap.c
@@ -19,9 +19,16 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+
#include "alloc-util.h"
#include "bitmap.h"
-#include "util.h"
+#include "hashmap.h"
+#include "macro.h"
struct Bitmap {
uint64_t *bitmaps;
diff --git a/src/basic/bitmap.h b/src/basic/bitmap.h
index 9ce7b42d00..d2726630f1 100644
--- a/src/basic/bitmap.h
+++ b/src/basic/bitmap.h
@@ -21,6 +21,8 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdbool.h>
+
#include "hashmap.h"
#include "macro.h"
diff --git a/src/basic/btrfs-util.c b/src/basic/btrfs-util.c
index be40dc5702..acd48f6954 100644
--- a/src/basic/btrfs-util.c
+++ b/src/basic/btrfs-util.c
@@ -19,9 +19,20 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <linux/loop.h>
+#include <stddef.h>
+#include <stdio.h>
#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
#include <sys/stat.h>
-#include <sys/vfs.h>
+#include <sys/statfs.h>
+#include <sys/sysmacros.h>
+#include <unistd.h>
+
#ifdef HAVE_LINUX_BTRFS_H
#include <linux/btrfs.h>
#endif
@@ -37,8 +48,10 @@
#include "path-util.h"
#include "selinux-util.h"
#include "smack-util.h"
+#include "sparse-endian.h"
#include "stat-util.h"
#include "string-util.h"
+#include "time-util.h"
#include "util.h"
/* WARNING: Be careful with file system ioctls! When we get an fd, we
diff --git a/src/basic/btrfs-util.h b/src/basic/btrfs-util.h
index 8c11ce35d2..31b9c02785 100644
--- a/src/basic/btrfs-util.h
+++ b/src/basic/btrfs-util.h
@@ -22,8 +22,11 @@
#pragma once
#include <stdbool.h>
+#include <stdint.h>
#include <sys/types.h>
+#include "sd-id128.h"
+
#include "time-util.h"
typedef struct BtrfsSubvolInfo {
diff --git a/src/basic/bus-label.c b/src/basic/bus-label.c
index c1534657ac..d8d5863b03 100644
--- a/src/basic/bus-label.c
+++ b/src/basic/bus-label.c
@@ -25,7 +25,6 @@
#include "bus-label.h"
#include "hexdecoct.h"
#include "macro.h"
-#include "util.h"
char *bus_label_escape(const char *s) {
char *r, *t;
diff --git a/src/basic/bus-label.h b/src/basic/bus-label.h
index ed1dc4e0a7..f51153ce6d 100644
--- a/src/basic/bus-label.h
+++ b/src/basic/bus-label.h
@@ -21,6 +21,7 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stddef.h>
#include <stdlib.h>
#include <string.h>
diff --git a/src/basic/c-rbtree.c b/src/basic/c-rbtree.c
new file mode 100644
index 0000000000..914d7e5229
--- /dev/null
+++ b/src/basic/c-rbtree.c
@@ -0,0 +1,679 @@
+/***
+ This file is part of systemd. See COPYING for details.
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+/*
+ * RB-Tree Implementation
+ * This implements the insertion/removal of elements in RB-Trees. You're highly
+ * recommended to have an RB-Tree documentation at hand when reading this. Both
+ * insertion and removal can be split into a handful of situations that can
+ * occur. Those situations are enumerated as "Case 1" to "Case n" here, and
+ * follow closely the cases described in most RB-Tree documentations. This file
+ * does not explain why it is enough to handle just those cases, nor does it
+ * provide a proof of correctness. Dig out your algorithm 101 handbook if
+ * you're interested.
+ *
+ * This implementation is *not* straightforward. Usually, a handful of
+ * rotation, reparent, swap and link helpers can be used to implement the
+ * rebalance operations. However, those often perform unnecessary writes.
+ * Therefore, this implementation hard-codes all the operations. You're highly
+ * recommended to look at the two basic helpers before reading the code:
+ * c_rbtree_swap_child()
+ * c_rbtree_set_parent_and_color()
+ * Those are the only helpers used, hence, you should really know what they do
+ * before digging into the code.
+ *
+ * For a highlevel documentation of the API, see the header file and docbook
+ * comments.
+ */
+
+#include <assert.h>
+#include <stddef.h>
+#include "c-rbtree.h"
+
+enum {
+ C_RBNODE_RED = 0,
+ C_RBNODE_BLACK = 1,
+};
+
+static inline unsigned long c_rbnode_color(CRBNode *n) {
+ return (unsigned long)n->__parent_and_color & 1UL;
+}
+
+static inline _Bool c_rbnode_is_red(CRBNode *n) {
+ return c_rbnode_color(n) == C_RBNODE_RED;
+}
+
+static inline _Bool c_rbnode_is_black(CRBNode *n) {
+ return c_rbnode_color(n) == C_RBNODE_BLACK;
+}
+
+/**
+ * c_rbnode_leftmost() - return leftmost child
+ * @n: current node, or NULL
+ *
+ * This returns the leftmost child of @n. If @n is NULL, this will return NULL.
+ * In all other cases, this function returns a valid pointer. That is, if @n
+ * does not have any left children, this returns @n.
+ *
+ * Worst case runtime (n: number of elements in tree): O(log(n))
+ *
+ * Return: Pointer to leftmost child, or NULL.
+ */
+CRBNode *c_rbnode_leftmost(CRBNode *n) {
+ if (n)
+ while (n->left)
+ n = n->left;
+ return n;
+}
+
+/**
+ * c_rbnode_rightmost() - return rightmost child
+ * @n: current node, or NULL
+ *
+ * This returns the rightmost child of @n. If @n is NULL, this will return
+ * NULL. In all other cases, this function returns a valid pointer. That is, if
+ * @n does not have any right children, this returns @n.
+ *
+ * Worst case runtime (n: number of elements in tree): O(log(n))
+ *
+ * Return: Pointer to rightmost child, or NULL.
+ */
+CRBNode *c_rbnode_rightmost(CRBNode *n) {
+ if (n)
+ while (n->right)
+ n = n->right;
+ return n;
+}
+
+/**
+ * c_rbnode_next() - return next node
+ * @n: current node, or NULL
+ *
+ * An RB-Tree always defines a linear order of its elements. This function
+ * returns the logically next node to @n. If @n is NULL, the last node or
+ * unlinked, this returns NULL.
+ *
+ * Worst case runtime (n: number of elements in tree): O(log(n))
+ *
+ * Return: Pointer to next node, or NULL.
+ */
+CRBNode *c_rbnode_next(CRBNode *n) {
+ CRBNode *p;
+
+ if (!c_rbnode_is_linked(n))
+ return NULL;
+ if (n->right)
+ return c_rbnode_leftmost(n->right);
+
+ while ((p = c_rbnode_parent(n)) && n == p->right)
+ n = p;
+
+ return p;
+}
+
+/**
+ * c_rbnode_prev() - return previous node
+ * @n: current node, or NULL
+ *
+ * An RB-Tree always defines a linear order of its elements. This function
+ * returns the logically previous node to @n. If @n is NULL, the first node or
+ * unlinked, this returns NULL.
+ *
+ * Worst case runtime (n: number of elements in tree): O(log(n))
+ *
+ * Return: Pointer to previous node, or NULL.
+ */
+CRBNode *c_rbnode_prev(CRBNode *n) {
+ CRBNode *p;
+
+ if (!c_rbnode_is_linked(n))
+ return NULL;
+ if (n->left)
+ return c_rbnode_rightmost(n->left);
+
+ while ((p = c_rbnode_parent(n)) && n == p->left)
+ n = p;
+
+ return p;
+}
+
+/**
+ * c_rbtree_first() - return first node
+ * @t: tree to operate on
+ *
+ * An RB-Tree always defines a linear order of its elements. This function
+ * returns the logically first node in @t. If @t is empty, NULL is returned.
+ *
+ * Fixed runtime (n: number of elements in tree): O(log(n))
+ *
+ * Return: Pointer to first node, or NULL.
+ */
+CRBNode *c_rbtree_first(CRBTree *t) {
+ assert(t);
+ return c_rbnode_leftmost(t->root);
+}
+
+/**
+ * c_rbtree_last() - return last node
+ * @t: tree to operate on
+ *
+ * An RB-Tree always defines a linear order of its elements. This function
+ * returns the logically last node in @t. If @t is empty, NULL is returned.
+ *
+ * Fixed runtime (n: number of elements in tree): O(log(n))
+ *
+ * Return: Pointer to last node, or NULL.
+ */
+CRBNode *c_rbtree_last(CRBTree *t) {
+ assert(t);
+ return c_rbnode_rightmost(t->root);
+}
+
+/*
+ * Set the color and parent of a node. This should be treated as a simple
+ * assignment of the 'color' and 'parent' fields of the node. No other magic is
+ * applied. But since both fields share its backing memory, this helper
+ * function is provided.
+ */
+static inline void c_rbnode_set_parent_and_color(CRBNode *n, CRBNode *p, unsigned long c) {
+ assert(!((unsigned long)p & 1));
+ assert(c < 2);
+ n->__parent_and_color = (CRBNode*)((unsigned long)p | c);
+}
+
+/* same as c_rbnode_set_parent_and_color(), but keeps the current parent */
+static inline void c_rbnode_set_color(CRBNode *n, unsigned long c) {
+ c_rbnode_set_parent_and_color(n, c_rbnode_parent(n), c);
+}
+
+/* same as c_rbnode_set_parent_and_color(), but keeps the current color */
+static inline void c_rbnode_set_parent(CRBNode *n, CRBNode *p) {
+ c_rbnode_set_parent_and_color(n, p, c_rbnode_color(n));
+}
+
+/*
+ * This function partially replaces an existing child pointer to a new one. The
+ * existing child must be given as @old, the new child as @new. @p must be the
+ * parent of @old (or NULL if it has no parent).
+ * This function ensures that the parent of @old now points to @new. However,
+ * it does *NOT* change the parent pointer of @new. The caller must ensure
+ * this.
+ * If @p is NULL, this function ensures that the root-pointer is adjusted
+ * instead (given as @t).
+ */
+static inline void c_rbtree_swap_child(CRBTree *t, CRBNode *p, CRBNode *old, CRBNode *new) {
+ if (p) {
+ if (p->left == old)
+ p->left = new;
+ else
+ p->right = new;
+ } else {
+ t->root = new;
+ }
+}
+
+static inline CRBNode *c_rbtree_paint_one(CRBTree *t, CRBNode *n) {
+ CRBNode *p, *g, *gg, *u, *x;
+
+ /*
+ * Paint a single node according to RB-Tree rules. The node must
+ * already be linked into the tree and painted red.
+ * We repaint the node or rotate the tree, if required. In case a
+ * recursive repaint is required, the next node to be re-painted
+ * is returned.
+ * p: parent
+ * g: grandparent
+ * gg: grandgrandparent
+ * u: uncle
+ * x: temporary
+ */
+
+ /* node is red, so we can access the parent directly */
+ p = n->__parent_and_color;
+
+ if (!p) {
+ /* Case 1:
+ * We reached the root. Mark it black and be done. As all
+ * leaf-paths share the root, the ratio of black nodes on each
+ * path stays the same. */
+ c_rbnode_set_parent_and_color(n, p, C_RBNODE_BLACK);
+ n = NULL;
+ } else if (c_rbnode_is_black(p)) {
+ /* Case 2:
+ * The parent is already black. As our node is red, we did not
+ * change the number of black nodes on any path, nor do we have
+ * multiple consecutive red nodes. */
+ n = NULL;
+ } else if (p == p->__parent_and_color->left) { /* parent is red, so grandparent exists */
+ g = p->__parent_and_color;
+ gg = c_rbnode_parent(g);
+ u = g->right;
+
+ if (u && c_rbnode_is_red(u)) {
+ /* Case 3:
+ * Parent and uncle are both red. We know the
+ * grandparent must be black then. Repaint parent and
+ * uncle black, the grandparent red and recurse into
+ * the grandparent. */
+ c_rbnode_set_parent_and_color(p, g, C_RBNODE_BLACK);
+ c_rbnode_set_parent_and_color(u, g, C_RBNODE_BLACK);
+ c_rbnode_set_parent_and_color(g, gg, C_RBNODE_RED);
+ n = g;
+ } else {
+ /* parent is red, uncle is black */
+
+ if (n == p->right) {
+ /* Case 4:
+ * We're the right child. Rotate on parent to
+ * become left child, so we can handle it the
+ * same as case 5. */
+ x = n->left;
+ p->right = n->left;
+ n->left = p;
+ if (x)
+ c_rbnode_set_parent_and_color(x, p, C_RBNODE_BLACK);
+ c_rbnode_set_parent_and_color(p, n, C_RBNODE_RED);
+ p = n;
+ }
+
+ /* 'n' is invalid from here on! */
+ n = NULL;
+
+ /* Case 5:
+ * We're the red left child or a red parent, black
+ * grandparent and uncle. Rotate on grandparent and
+ * switch color with parent. Number of black nodes on
+ * each path stays the same, but we got rid of the
+ * double red path. As the grandparent is still black,
+ * we're done. */
+ x = p->right;
+ g->left = x;
+ p->right = g;
+ if (x)
+ c_rbnode_set_parent_and_color(x, g, C_RBNODE_BLACK);
+ c_rbnode_set_parent_and_color(p, gg, C_RBNODE_BLACK);
+ c_rbnode_set_parent_and_color(g, p, C_RBNODE_RED);
+ c_rbtree_swap_child(t, gg, g, p);
+ }
+ } else /* if (p == p->__parent_and_color->left) */ { /* same as above, but mirrored */
+ g = p->__parent_and_color;
+ gg = c_rbnode_parent(g);
+ u = g->left;
+
+ if (u && c_rbnode_is_red(u)) {
+ c_rbnode_set_parent_and_color(p, g, C_RBNODE_BLACK);
+ c_rbnode_set_parent_and_color(u, g, C_RBNODE_BLACK);
+ c_rbnode_set_parent_and_color(g, gg, C_RBNODE_RED);
+ n = g;
+ } else {
+ if (n == p->left) {
+ x = n->right;
+ p->left = n->right;
+ n->right = p;
+ if (x)
+ c_rbnode_set_parent_and_color(x, p, C_RBNODE_BLACK);
+ c_rbnode_set_parent_and_color(p, n, C_RBNODE_RED);
+ p = n;
+ }
+
+ n = NULL;
+
+ x = p->left;
+ g->right = x;
+ p->left = g;
+ if (x)
+ c_rbnode_set_parent_and_color(x, g, C_RBNODE_BLACK);
+ c_rbnode_set_parent_and_color(p, gg, C_RBNODE_BLACK);
+ c_rbnode_set_parent_and_color(g, p, C_RBNODE_RED);
+ c_rbtree_swap_child(t, gg, g, p);
+ }
+ }
+
+ return n;
+}
+
+static inline void c_rbtree_paint(CRBTree *t, CRBNode *n) {
+ assert(t);
+ assert(n);
+
+ while (n)
+ n = c_rbtree_paint_one(t, n);
+}
+
+/**
+ * c_rbtree_add() - add node to tree
+ * @t: tree to operate one
+ * @p: parent node to link under, or NULL
+ * @l: left/right slot of @p (or root) to link at
+ * @n: node to add
+ *
+ * This links @n into the tree given as @t. The caller must provide the exact
+ * spot where to link the node. That is, the caller must traverse the tree
+ * based on their search order. Once they hit a leaf where to insert the node,
+ * call this function to link it and rebalance the tree.
+ *
+ * A typical insertion would look like this (@t is your tree, @n is your node):
+ *
+ * CRBNode **i, *p;
+ *
+ * i = &t->root;
+ * p = NULL;
+ * while (*i) {
+ * p = *i;
+ * if (compare(n, *i) < 0)
+ * i = &(*i)->left;
+ * else
+ * i = &(*i)->right;
+ * }
+ *
+ * c_rbtree_add(t, p, i, n);
+ *
+ * Once the node is linked into the tree, a simple lookup on the same tree can
+ * be coded like this:
+ *
+ * CRBNode *i;
+ *
+ * i = t->root;
+ * while (i) {
+ * int v = compare(n, i);
+ * if (v < 0)
+ * i = (*i)->left;
+ * else if (v > 0)
+ * i = (*i)->right;
+ * else
+ * break;
+ * }
+ *
+ * When you add nodes to a tree, the memory contents of the node do not matter.
+ * That is, there is no need to initialize the node via c_rbnode_init().
+ * However, if you relink nodes multiple times during their lifetime, it is
+ * usually very convenient to use c_rbnode_init() and c_rbtree_remove_init().
+ * In those cases, you should validate that a node is unlinked before you call
+ * c_rbtree_add().
+ */
+void c_rbtree_add(CRBTree *t, CRBNode *p, CRBNode **l, CRBNode *n) {
+ assert(t);
+ assert(l);
+ assert(n);
+ assert(!p || l == &p->left || l == &p->right);
+ assert(p || l == &t->root);
+
+ c_rbnode_set_parent_and_color(n, p, C_RBNODE_RED);
+ n->left = n->right = NULL;
+ *l = n;
+
+ c_rbtree_paint(t, n);
+}
+
+static inline CRBNode *c_rbtree_rebalance_one(CRBTree *t, CRBNode *p, CRBNode *n) {
+ CRBNode *s, *x, *y, *g;
+
+ /*
+ * Rebalance tree after a node was removed. This happens only if you
+ * remove a black node and one path is now left with an unbalanced
+ * number or black nodes.
+ * This function assumes all paths through p and n have one black node
+ * less than all other paths. If recursive fixup is required, the
+ * current node is returned.
+ */
+
+ if (n == p->left) {
+ s = p->right;
+ if (c_rbnode_is_red(s)) {
+ /* Case 3:
+ * We have a red node as sibling. Rotate it onto our
+ * side so we can later on turn it black. This way, we
+ * gain the additional black node in our path. */
+ g = c_rbnode_parent(p);
+ x = s->left;
+ p->right = x;
+ s->left = p;
+ c_rbnode_set_parent_and_color(x, p, C_RBNODE_BLACK);
+ c_rbnode_set_parent_and_color(s, g, c_rbnode_color(p));
+ c_rbnode_set_parent_and_color(p, s, C_RBNODE_RED);
+ c_rbtree_swap_child(t, g, p, s);
+ s = x;
+ }
+
+ x = s->right;
+ if (!x || c_rbnode_is_black(x)) {
+ y = s->left;
+ if (!y || c_rbnode_is_black(y)) {
+ /* Case 4:
+ * Our sibling is black and has only black
+ * children. Flip it red and turn parent black.
+ * This way we gained a black node in our path,
+ * or we fix it recursively one layer up, which
+ * will rotate the red sibling as parent. */
+ c_rbnode_set_parent_and_color(s, p, C_RBNODE_RED);
+ if (c_rbnode_is_black(p))
+ return p;
+
+ c_rbnode_set_parent_and_color(p, c_rbnode_parent(p), C_RBNODE_BLACK);
+ return NULL;
+ }
+
+ /* Case 5:
+ * Left child of our sibling is red, right one is black.
+ * Rotate on parent so the right child of our sibling is
+ * now red, and we can fall through to case 6. */
+ x = y->right;
+ s->left = y->right;
+ y->right = s;
+ p->right = y;
+ if (x)
+ c_rbnode_set_parent_and_color(x, s, C_RBNODE_BLACK);
+ x = s;
+ s = y;
+ }
+
+ /* Case 6:
+ * The right child of our sibling is red. Rotate left and flip
+ * colors, which gains us an additional black node in our path,
+ * that was previously on our sibling. */
+ g = c_rbnode_parent(p);
+ y = s->left;
+ p->right = y;
+ s->left = p;
+ c_rbnode_set_parent_and_color(x, s, C_RBNODE_BLACK);
+ if (y)
+ c_rbnode_set_parent_and_color(y, p, c_rbnode_color(y));
+ c_rbnode_set_parent_and_color(s, g, c_rbnode_color(p));
+ c_rbnode_set_parent_and_color(p, s, C_RBNODE_BLACK);
+ c_rbtree_swap_child(t, g, p, s);
+ } else /* if (!n || n == p->right) */ { /* same as above, but mirrored */
+ s = p->left;
+ if (c_rbnode_is_red(s)) {
+ g = c_rbnode_parent(p);
+ x = s->right;
+ p->left = x;
+ s->right = p;
+ c_rbnode_set_parent_and_color(x, p, C_RBNODE_BLACK);
+ c_rbnode_set_parent_and_color(s, g, C_RBNODE_BLACK);
+ c_rbnode_set_parent_and_color(p, s, C_RBNODE_RED);
+ c_rbtree_swap_child(t, g, p, s);
+ s = x;
+ }
+
+ x = s->left;
+ if (!x || c_rbnode_is_black(x)) {
+ y = s->right;
+ if (!y || c_rbnode_is_black(y)) {
+ c_rbnode_set_parent_and_color(s, p, C_RBNODE_RED);
+ if (c_rbnode_is_black(p))
+ return p;
+
+ c_rbnode_set_parent_and_color(p, c_rbnode_parent(p), C_RBNODE_BLACK);
+ return NULL;
+ }
+
+ x = y->left;
+ s->right = y->left;
+ y->left = s;
+ p->left = y;
+ if (x)
+ c_rbnode_set_parent_and_color(x, s, C_RBNODE_BLACK);
+ x = s;
+ s = y;
+ }
+
+ g = c_rbnode_parent(p);
+ y = s->right;
+ p->left = y;
+ s->right = p;
+ c_rbnode_set_parent_and_color(x, s, C_RBNODE_BLACK);
+ if (y)
+ c_rbnode_set_parent_and_color(y, p, c_rbnode_color(y));
+ c_rbnode_set_parent_and_color(s, g, c_rbnode_color(p));
+ c_rbnode_set_parent_and_color(p, s, C_RBNODE_BLACK);
+ c_rbtree_swap_child(t, g, p, s);
+ }
+
+ return NULL;
+}
+
+static inline void c_rbtree_rebalance(CRBTree *t, CRBNode *p) {
+ CRBNode *n = NULL;
+
+ assert(t);
+ assert(p);
+
+ do {
+ n = c_rbtree_rebalance_one(t, p, n);
+ p = n ? c_rbnode_parent(n) : NULL;
+ } while (p);
+}
+
+/**
+ * c_rbtree_remove() - remove node from tree
+ * @t: tree to operate one
+ * @n: node to remove
+ *
+ * This removes the given node from its tree. Once unlinked, the tree is
+ * rebalanced.
+ * The caller *must* ensure that the given tree is actually the tree it is
+ * linked on. Otherwise, behavior is undefined.
+ *
+ * This does *NOT* reset @n to being unlinked (for performance reason, this
+ * function *never* modifies @n at all). If you need this, use
+ * c_rbtree_remove_init().
+ */
+void c_rbtree_remove(CRBTree *t, CRBNode *n) {
+ CRBNode *p, *s, *gc, *x, *next = NULL;
+ unsigned long c;
+
+ assert(t);
+ assert(n);
+ assert(c_rbnode_is_linked(n));
+
+ /*
+ * There are three distinct cases during node removal of a tree:
+ * * The node has no children, in which case it can simply be removed.
+ * * The node has exactly one child, in which case the child displaces
+ * its parent.
+ * * The node has two children, in which case there is guaranteed to
+ * be a successor to the node (successor being the node ordered
+ * directly after it). This successor cannot have two children by
+ * itself (two interior nodes can never be successive). Therefore,
+ * we can simply swap the node with its successor (including color)
+ * and have reduced this case to either of the first two.
+ *
+ * Whenever the node we removed was black, we have to rebalance the
+ * tree. Note that this affects the actual node we _remove_, not @n (in
+ * case we swap it).
+ *
+ * p: parent
+ * s: successor
+ * gc: grand-...-child
+ * x: temporary
+ * next: next node to rebalance on
+ */
+
+ if (!n->left) {
+ /*
+ * Case 1:
+ * The node has no left child. If it neither has a right child,
+ * it is a leaf-node and we can simply unlink it. If it also
+ * was black, we have to rebalance, as always if we remove a
+ * black node.
+ * But if the node has a right child, the child *must* be red
+ * (otherwise, the right path has more black nodes as the
+ * non-existing left path), and the node to be removed must
+ * hence be black. We simply replace the node with its child,
+ * turning the red child black, and thus no rebalancing is
+ * required.
+ */
+ p = c_rbnode_parent(n);
+ c = c_rbnode_color(n);
+ c_rbtree_swap_child(t, p, n, n->right);
+ if (n->right)
+ c_rbnode_set_parent_and_color(n->right, p, c);
+ else
+ next = (c == C_RBNODE_BLACK) ? p : NULL;
+ } else if (!n->right) {
+ /*
+ * Case 1.1:
+ * The node has exactly one child, and it is on the left. Treat
+ * it as mirrored case of Case 1 (i.e., replace the node by its
+ * child).
+ */
+ p = c_rbnode_parent(n);
+ c = c_rbnode_color(n);
+ c_rbtree_swap_child(t, p, n, n->left);
+ c_rbnode_set_parent_and_color(n->left, p, c);
+ } else {
+ /*
+ * Case 2:
+ * We are dealing with a full interior node with a child not on
+ * both sides. Find its successor and swap it. Then remove the
+ * node similar to Case 1. For performance reasons we don't
+ * perform the full swap, but skip links that are about to be
+ * removed, anyway.
+ */
+ s = n->right;
+ if (!s->left) {
+ /* right child is next, no need to touch grandchild */
+ p = s;
+ gc = s->right;
+ } else {
+ /* find successor and swap partially */
+ s = c_rbnode_leftmost(s);
+ p = c_rbnode_parent(s);
+
+ gc = s->right;
+ p->left = s->right;
+ s->right = n->right;
+ c_rbnode_set_parent(n->right, s);
+ }
+
+ /* node is partially swapped, now remove as in Case 1 */
+ s->left = n->left;
+ c_rbnode_set_parent(n->left, s);
+
+ x = c_rbnode_parent(n);
+ c = c_rbnode_color(n);
+ c_rbtree_swap_child(t, x, n, s);
+ if (gc)
+ c_rbnode_set_parent_and_color(gc, p, C_RBNODE_BLACK);
+ else
+ next = c_rbnode_is_black(s) ? p : NULL;
+ c_rbnode_set_parent_and_color(s, x, c);
+ }
+
+ if (next)
+ c_rbtree_rebalance(t, next);
+}
diff --git a/src/basic/c-rbtree.h b/src/basic/c-rbtree.h
new file mode 100644
index 0000000000..20c5515ca1
--- /dev/null
+++ b/src/basic/c-rbtree.h
@@ -0,0 +1,297 @@
+#pragma once
+
+/***
+ This file is part of systemd. See COPYING for details.
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+/*
+ * Standalone Red-Black-Tree Implementation in Standard ISO-C11
+ *
+ * This header provides an RB-Tree API, that is fully implemented in ISO-C11
+ * and has no external dependencies. Furthermore, tree traversal, memory
+ * allocations, and key comparisons a fully in control of the API user. The
+ * implementation only provides the RB-Tree specific rebalancing and coloring.
+ *
+ * A tree is represented by the "CRBTree" structure. It contains a *singly*
+ * field, which is a pointer to the root node. If NULL, the tree is empty. If
+ * non-NULL, there is at least a single element in the tree.
+ *
+ * Each node of the tree is represented by the "CRBNode" structure. It has
+ * three fields. The @left and @right members can be accessed by the API user
+ * directly to traverse the tree. The third member is an implementation detail
+ * and encodes the parent pointer and color of the node.
+ * API users are required to embed the CRBNode object into their own objects
+ * and then use offsetof() (i.e., container_of() and friends) to turn CRBNode
+ * pointers into pointers to their own structure.
+ */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+typedef struct CRBNode CRBNode;
+typedef struct CRBTree CRBTree;
+
+/**
+ * struct CRBNode - Node of a Red-Black Tree
+ * @__parent_and_color: internal state
+ * @left: left child, or NULL
+ * @right: right child, or NULL
+ *
+ * Each node in an RB-Tree must embed an CRBNode object. This object contains
+ * pointers to its left and right child, which can be freely accessed by the
+ * API user at any time. They are NULL, if the node does not have a left/right
+ * child.
+ *
+ * The @__parent_and_color field must never be accessed directly. It encodes
+ * the pointer to the parent node, and the color of the node. Use the accessor
+ * functions instead.
+ *
+ * There is no reason to initialize a CRBNode object before linking it.
+ * However, if you need a boolean state that tells you whether the node is
+ * linked or not, you should initialize the node via c_rbnode_init() or
+ * C_RBNODE_INIT.
+ */
+struct CRBNode {
+ CRBNode *__parent_and_color;
+ CRBNode *left;
+ CRBNode *right;
+};
+
+#define C_RBNODE_INIT(_var) { .__parent_and_color = &(_var) }
+
+CRBNode *c_rbnode_leftmost(CRBNode *n);
+CRBNode *c_rbnode_rightmost(CRBNode *n);
+CRBNode *c_rbnode_next(CRBNode *n);
+CRBNode *c_rbnode_prev(CRBNode *n);
+
+/**
+ * struct CRBTree - Red-Black Tree
+ * @root: pointer to the root node, or NULL
+ *
+ * Each Red-Black Tree is rooted in an CRBTree object. This object contains a
+ * pointer to the root node of the tree. The API user is free to access the
+ * @root member at any time, and use it to traverse the tree.
+ *
+ * To initialize an RB-Tree, set it to NULL / all zero.
+ */
+struct CRBTree {
+ CRBNode *root;
+};
+
+CRBNode *c_rbtree_first(CRBTree *t);
+CRBNode *c_rbtree_last(CRBTree *t);
+
+void c_rbtree_add(CRBTree *t, CRBNode *p, CRBNode **l, CRBNode *n);
+void c_rbtree_remove(CRBTree *t, CRBNode *n);
+
+/**
+ * c_rbnode_init() - mark a node as unlinked
+ * @n: node to operate on
+ *
+ * This marks the node @n as unlinked. The node will be set to a valid state
+ * that can never happen if the node is linked in a tree. Furthermore, this
+ * state is fully known to the implementation, and as such handled gracefully
+ * in all cases.
+ *
+ * You are *NOT* required to call this on your node. c_rbtree_add() can handle
+ * uninitialized nodes just fine. However, calling this allows to use
+ * c_rbnode_is_linked() to check for the state of a node. Furthermore,
+ * iterators and accessors can be called on initialized (yet unlinked) nodes.
+ *
+ * Use the C_RBNODE_INIT macro if you want to initialize static variables.
+ */
+static inline void c_rbnode_init(CRBNode *n) {
+ *n = (CRBNode)C_RBNODE_INIT(*n);
+}
+
+/**
+ * c_rbnode_is_linked() - check whether a node is linked
+ * @n: node to check, or NULL
+ *
+ * This checks whether the passed node is linked. If you pass NULL, or if the
+ * node is not linked into a tree, this will return false. Otherwise, this
+ * returns true.
+ *
+ * Note that you must have either linked the node or initialized it, before
+ * calling this function. Never call this function on uninitialized nodes.
+ * Furthermore, removing a node via c_rbtree_remove() does *NOT* mark the node
+ * as unlinked. You have to call c_rbnode_init() yourself after removal, or use
+ * the c_rbtree_remove_init() helper.
+ *
+ * Return: true if the node is linked, false if not.
+ */
+static inline _Bool c_rbnode_is_linked(CRBNode *n) {
+ return n && n->__parent_and_color != n;
+}
+
+/**
+ * c_rbnode_parent() - return parent pointer
+ * @n node to access
+ *
+ * This returns a pointer to the parent of the given node @n. If @n does not
+ * have a parent, NULL is returned. If @n is not linked, @n itself is returned.
+ *
+ * You should not call this on unlinked or uninitialized nodes! If you do, you
+ * better know how its semantics.
+ *
+ * Return: Pointer to parent.
+ */
+static inline CRBNode *c_rbnode_parent(CRBNode *n) {
+ return (CRBNode*)((unsigned long)n->__parent_and_color & ~1UL);
+}
+
+/**
+ * c_rbtree_remove_init() - safely remove node from tree and reinitialize it
+ * @t: tree to operate on
+ * @n: node to remove, or NULL
+ *
+ * This is almost the same as c_rbtree_remove(), but extends it slightly, to be
+ * more convenient to use in many cases:
+ * - if @n is unlinked or NULL, this is a no-op
+ * - @n is reinitialized after being removed
+ */
+static inline void c_rbtree_remove_init(CRBTree *t, CRBNode *n) {
+ if (c_rbnode_is_linked(n)) {
+ c_rbtree_remove(t, n);
+ c_rbnode_init(n);
+ }
+}
+
+/**
+ * CRBCompareFunc - compare a node to a key
+ * @t: tree where the node is linked to
+ * @k: key to compare
+ * @n: node to compare
+ *
+ * If you use the tree-traversal helpers (which are optional), you need to
+ * provide this callback so they can compare nodes in a tree to the key you
+ * look for.
+ *
+ * The tree @t is provided as optional context to this callback. The key you
+ * look for is provided as @k, the current node that should be compared to is
+ * provided as @n. This function should work like strcmp(), that is, return -1
+ * if @key orders before @n, 0 if both compare equal, and 1 if it orders after
+ * @n.
+ */
+typedef int (*CRBCompareFunc) (CRBTree *t, void *k, CRBNode *n);
+
+/**
+ * c_rbtree_find_node() - find node
+ * @t: tree to search through
+ * @f: comparison function
+ * @k: key to search for
+ *
+ * This searches through @t for a node that compares equal to @k. The function
+ * @f must be provided by the caller, which is used to compare nodes to @k. See
+ * the documentation of CRBCompareFunc for details.
+ *
+ * If there are multiple entries that compare equal to @k, this will return a
+ * pseudo-randomly picked node. If you need stable lookup functions for trees
+ * where duplicate entries are allowed, you better code your own lookup.
+ *
+ * Return: Pointer to matching node, or NULL.
+ */
+static inline CRBNode *c_rbtree_find_node(CRBTree *t, CRBCompareFunc f, const void *k) {
+ CRBNode *i;
+
+ assert(t);
+ assert(f);
+
+ i = t->root;
+ while (i) {
+ int v = f(t, (void *)k, i);
+ if (v < 0)
+ i = i->left;
+ else if (v > 0)
+ i = i->right;
+ else
+ return i;
+ }
+
+ return NULL;
+}
+
+/**
+ * c_rbtree_find_entry() - find entry
+ * @_t: tree to search through
+ * @_f: comparison function
+ * @_k: key to search for
+ * @_t: type of the structure that embeds the nodes
+ * @_o: name of the node-member in type @_t
+ *
+ * This is very similar to c_rbtree_find_node(), but instead of returning a
+ * pointer to the CRBNode, it returns a pointer to the surrounding object. This
+ * object must embed the CRBNode object. The type of the surrounding object
+ * must be given as @_t, and the name of the embedded CRBNode member as @_o.
+ *
+ * See c_rbtree_find_node() for more details.
+ *
+ * Return: Pointer to found entry, NULL if not found.
+ */
+#define c_rbtree_find_entry(_m, _f, _k, _t, _o) \
+ ((_t *)(((char *)c_rbtree_find_node((_m), (_f), (_k)) ?: \
+ (char *)NULL + offsetof(_t, _o)) - offsetof(_t, _o)))
+
+/**
+ * c_rbtree_find_slot() - find slot to insert new node
+ * @t: tree to search through
+ * @f: comparison function
+ * @k: key to search for
+ * @p: output storage for parent pointer
+ *
+ * This searches through @t just like c_rbtree_find_node() does. However,
+ * instead of returning a pointer to a node that compares equal to @k, this
+ * searches for a slot to insert a node with key @k. A pointer to the slot is
+ * returned, and a pointer to the parent of the slot is stored in @p. Both
+ * can be passed directly to c_rbtree_add(), together with your node to insert.
+ *
+ * If there already is a node in the tree, that compares equal to @k, this will
+ * return NULL and store the conflicting node in @p. In all other cases,
+ * this will return a pointer (non-NULL) to the empty slot to insert the node
+ * at. @p will point to the parent node of that slot.
+ *
+ * If you want trees that allow duplicate nodes, you better code your own
+ * insertion function.
+ *
+ * Return: Pointer to slot to insert node, or NULL on conflicts.
+ */
+static inline CRBNode **c_rbtree_find_slot(CRBTree *t, CRBCompareFunc f, const void *k, CRBNode **p) {
+ CRBNode **i;
+
+ assert(t);
+ assert(f);
+ assert(p);
+
+ i = &t->root;
+ *p = NULL;
+ while (*i) {
+ int v = f(t, (void *)k, *i);
+ *p = *i;
+ if (v < 0)
+ i = &(*i)->left;
+ else if (v > 0)
+ i = &(*i)->right;
+ else
+ return NULL;
+ }
+
+ return i;
+}
+
+#ifdef __cplusplus
+}
+#endif
diff --git a/src/basic/calendarspec.c b/src/basic/calendarspec.c
index 8f60561ede..8f83d9c142 100644
--- a/src/basic/calendarspec.c
+++ b/src/basic/calendarspec.c
@@ -19,12 +19,18 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <alloca.h>
+#include <errno.h>
+#include <stddef.h>
+#include <stdio.h>
#include <stdlib.h>
#include <string.h>
+#include <time.h>
#include "alloc-util.h"
#include "calendarspec.h"
#include "fileio.h"
+#include "macro.h"
#include "parse-util.h"
#include "string-util.h"
diff --git a/src/basic/calendarspec.h b/src/basic/calendarspec.h
index 75b699682a..4e3aa9e1d8 100644
--- a/src/basic/calendarspec.h
+++ b/src/basic/calendarspec.h
@@ -26,6 +26,7 @@
#include <stdbool.h>
+#include "time-util.h"
#include "util.h"
typedef struct CalendarComponent {
diff --git a/src/basic/cap-list.c b/src/basic/cap-list.c
index f0974900cd..0e5cc452b9 100644
--- a/src/basic/cap-list.c
+++ b/src/basic/cap-list.c
@@ -19,9 +19,11 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <string.h>
#include "cap-list.h"
+#include "macro.h"
#include "missing.h"
#include "parse-util.h"
#include "util.h"
diff --git a/src/basic/capability-util.c b/src/basic/capability-util.c
index 0eb5c03d65..fef722b6f2 100644
--- a/src/basic/capability-util.c
+++ b/src/basic/capability-util.c
@@ -22,6 +22,7 @@
#include <errno.h>
#include <grp.h>
#include <stdio.h>
+#include <stdlib.h>
#include <sys/capability.h>
#include <sys/prctl.h>
#include <unistd.h>
diff --git a/src/basic/capability-util.h b/src/basic/capability-util.h
index 4eb5c2a835..6bbf7318fd 100644
--- a/src/basic/capability-util.h
+++ b/src/basic/capability-util.h
@@ -22,8 +22,11 @@
***/
#include <stdbool.h>
+#include <stdint.h>
#include <sys/capability.h>
+#include <sys/types.h>
+#include "macro.h"
#include "util.h"
unsigned long cap_last_cap(void);
diff --git a/src/basic/cgroup-util.c b/src/basic/cgroup-util.c
index f7fc2c2c97..639f9f3db1 100644
--- a/src/basic/cgroup-util.c
+++ b/src/basic/cgroup-util.c
@@ -22,23 +22,29 @@
#include <dirent.h>
#include <errno.h>
#include <ftw.h>
+#include <limits.h>
#include <signal.h>
+#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
+#include <sys/statfs.h>
#include <sys/types.h>
#include <unistd.h>
#include "alloc-util.h"
#include "cgroup-util.h"
+#include "def.h"
#include "dirent-util.h"
#include "extract-word.h"
#include "fd-util.h"
#include "fileio.h"
#include "formats-util.h"
#include "fs-util.h"
+#include "log.h"
#include "login-util.h"
#include "macro.h"
+#include "missing.h"
#include "mkdir.h"
#include "parse-util.h"
#include "path-util.h"
@@ -51,7 +57,6 @@
#include "string-util.h"
#include "unit-name.h"
#include "user-util.h"
-#include "util.h"
int cg_enumerate_processes(const char *controller, const char *path, FILE **_f) {
_cleanup_free_ char *fs = NULL;
@@ -2130,7 +2135,7 @@ int cg_unified(void) {
else if (F_TYPE_EQUAL(fs.f_type, TMPFS_MAGIC))
unified_cache = false;
else
- return -ENOEXEC;
+ return -ENOMEDIUM;
return unified_cache;
}
diff --git a/src/basic/cgroup-util.h b/src/basic/cgroup-util.h
index a80ee60bd3..661785784a 100644
--- a/src/basic/cgroup-util.h
+++ b/src/basic/cgroup-util.h
@@ -22,10 +22,14 @@
***/
#include <dirent.h>
+#include <stdbool.h>
+#include <stdint.h>
#include <stdio.h>
#include <sys/types.h>
#include "def.h"
+#include "hashmap.h"
+#include "macro.h"
#include "set.h"
/* An enum of well known cgroup controllers */
diff --git a/src/basic/chattr-util.c b/src/basic/chattr-util.c
index d49ca0537a..438fc63c5c 100644
--- a/src/basic/chattr-util.c
+++ b/src/basic/chattr-util.c
@@ -19,13 +19,15 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <fcntl.h>
#include <sys/ioctl.h>
#include <sys/stat.h>
#include <linux/fs.h>
#include "chattr-util.h"
#include "fd-util.h"
-#include "util.h"
+#include "macro.h"
int chattr_fd(int fd, unsigned value, unsigned mask) {
unsigned old_attr, new_attr;
diff --git a/src/basic/clock-util.c b/src/basic/clock-util.c
index 00ee4c2796..00f549c023 100644
--- a/src/basic/clock-util.c
+++ b/src/basic/clock-util.c
@@ -21,6 +21,9 @@
#include <errno.h>
#include <fcntl.h>
+#include <limits.h>
+#include <stdbool.h>
+#include <time.h>
#include <linux/rtc.h>
#include <stdio.h>
#include <sys/ioctl.h>
@@ -30,7 +33,6 @@
#include "fd-util.h"
#include "macro.h"
#include "string-util.h"
-#include "util.h"
int clock_get_hwclock(struct tm *tm) {
_cleanup_close_ int fd = -1;
diff --git a/src/basic/conf-files.c b/src/basic/conf-files.c
index be9972ffff..75dad228e3 100644
--- a/src/basic/conf-files.c
+++ b/src/basic/conf-files.c
@@ -21,6 +21,7 @@
#include <dirent.h>
#include <errno.h>
+#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
diff --git a/src/basic/copy.c b/src/basic/copy.c
index a187ae08fe..024712d290 100644
--- a/src/basic/copy.c
+++ b/src/basic/copy.c
@@ -19,8 +19,18 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <dirent.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
#include <sys/sendfile.h>
+#include <sys/stat.h>
#include <sys/xattr.h>
+#include <time.h>
+#include <unistd.h>
#include "alloc-util.h"
#include "btrfs-util.h"
@@ -31,10 +41,11 @@
#include "fileio.h"
#include "fs-util.h"
#include "io-util.h"
+#include "macro.h"
#include "string-util.h"
#include "strv.h"
+#include "time-util.h"
#include "umask-util.h"
-#include "util.h"
#include "xattr-util.h"
#define COPY_BUFFER_SIZE (16*1024)
diff --git a/src/basic/copy.h b/src/basic/copy.h
index ba0890b442..b3fc2bb709 100644
--- a/src/basic/copy.h
+++ b/src/basic/copy.h
@@ -23,6 +23,7 @@
#include <inttypes.h>
#include <stdbool.h>
+#include <stdint.h>
#include <sys/types.h>
int copy_file_fd(const char *from, int to, bool try_reflink);
diff --git a/src/basic/cpu-set-util.c b/src/basic/cpu-set-util.c
index e2ec4ca83f..85b7519953 100644
--- a/src/basic/cpu-set-util.c
+++ b/src/basic/cpu-set-util.c
@@ -20,12 +20,17 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <stddef.h>
+#include <syslog.h>
+
#include "alloc-util.h"
#include "cpu-set-util.h"
#include "extract-word.h"
+#include "log.h"
+#include "macro.h"
#include "parse-util.h"
#include "string-util.h"
-#include "util.h"
cpu_set_t* cpu_set_malloc(unsigned *ncpus) {
cpu_set_t *c;
diff --git a/src/basic/device-nodes.c b/src/basic/device-nodes.c
index 9d5af72d27..ec58cfdd4c 100644
--- a/src/basic/device-nodes.c
+++ b/src/basic/device-nodes.c
@@ -19,7 +19,9 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <stdio.h>
+#include <string.h>
#include "device-nodes.h"
#include "utf8.h"
diff --git a/src/basic/device-nodes.h b/src/basic/device-nodes.h
index 7db81f3d52..9669c86970 100644
--- a/src/basic/device-nodes.h
+++ b/src/basic/device-nodes.h
@@ -21,6 +21,7 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stddef.h>
#include <sys/types.h>
int encode_devnode_name(const char *str, char *str_enc, size_t len);
diff --git a/src/basic/dirent-util.c b/src/basic/dirent-util.c
index c433d5844a..4ef5aba5a8 100644
--- a/src/basic/dirent-util.c
+++ b/src/basic/dirent-util.c
@@ -21,10 +21,9 @@
#include <fcntl.h>
#include <sys/stat.h>
-#include <sys/types.h>
-#include <unistd.h>
#include "dirent-util.h"
+#include "path-util.h"
#include "string-util.h"
int dirent_ensure_type(DIR *d, struct dirent *de) {
diff --git a/src/basic/dirent-util.h b/src/basic/dirent-util.h
index 5866a755f4..1ad5e4715a 100644
--- a/src/basic/dirent-util.h
+++ b/src/basic/dirent-util.h
@@ -22,7 +22,10 @@
***/
#include <dirent.h>
+#include <errno.h>
+#include <stdbool.h>
+#include "macro.h"
#include "path-util.h"
int dirent_ensure_type(DIR *d, struct dirent *de);
diff --git a/src/basic/env-util.c b/src/basic/env-util.c
index 441169db31..dd56545f12 100644
--- a/src/basic/env-util.c
+++ b/src/basic/env-util.c
@@ -19,17 +19,21 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <limits.h>
+#include <stdarg.h>
+#include <stdlib.h>
+#include <string.h>
#include <unistd.h>
#include "alloc-util.h"
-#include "def.h"
#include "env-util.h"
+#include "extract-word.h"
+#include "macro.h"
#include "parse-util.h"
#include "string-util.h"
#include "strv.h"
#include "utf8.h"
-#include "util.h"
#define VALID_CHARS_ENV_NAME \
DIGITS LETTERS \
diff --git a/src/basic/env-util.h b/src/basic/env-util.h
index 5efffa3dc7..3b83a63a78 100644
--- a/src/basic/env-util.h
+++ b/src/basic/env-util.h
@@ -22,6 +22,7 @@
***/
#include <stdbool.h>
+#include <stddef.h>
#include "macro.h"
diff --git a/src/basic/errno-list.c b/src/basic/errno-list.c
index 22869e4136..0a66902ac9 100644
--- a/src/basic/errno-list.c
+++ b/src/basic/errno-list.c
@@ -22,7 +22,7 @@
#include <string.h>
#include "errno-list.h"
-#include "util.h"
+#include "macro.h"
static const struct errno_name* lookup_errno(register const char *str,
register unsigned int len);
diff --git a/src/basic/escape.c b/src/basic/escape.c
index 42a84c9317..ab282efa3c 100644
--- a/src/basic/escape.c
+++ b/src/basic/escape.c
@@ -19,12 +19,15 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+
#include "alloc-util.h"
#include "escape.h"
#include "hexdecoct.h"
-#include "string-util.h"
+#include "macro.h"
#include "utf8.h"
-#include "util.h"
size_t cescape_char(char c, char *buf) {
char * buf_old = buf;
diff --git a/src/basic/escape.h b/src/basic/escape.h
index 52ebf11c4a..c710f01743 100644
--- a/src/basic/escape.h
+++ b/src/basic/escape.h
@@ -22,8 +22,12 @@
***/
#include <inttypes.h>
+#include <stddef.h>
+#include <stdint.h>
#include <sys/types.h>
+#include "string-util.h"
+
/* What characters are special in the shell? */
/* must be escaped outside and inside double-quotes */
#define SHELL_NEED_ESCAPE "\"\\`$"
diff --git a/src/basic/ether-addr-util.c b/src/basic/ether-addr-util.c
index 2bf3bfec1d..bc54f8f5f4 100644
--- a/src/basic/ether-addr-util.c
+++ b/src/basic/ether-addr-util.c
@@ -19,7 +19,9 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <net/ethernet.h>
#include <stdio.h>
+#include <sys/types.h>
#include "ether-addr-util.h"
#include "macro.h"
diff --git a/src/basic/exit-status.h b/src/basic/exit-status.h
index 7259cd1d18..664222c1d6 100644
--- a/src/basic/exit-status.h
+++ b/src/basic/exit-status.h
@@ -23,6 +23,8 @@
#include <stdbool.h>
+#include "hashmap.h"
+#include "macro.h"
#include "set.h"
typedef enum ExitStatus {
diff --git a/src/basic/extract-word.c b/src/basic/extract-word.c
index fd495692fa..7cc2a1de13 100644
--- a/src/basic/extract-word.c
+++ b/src/basic/extract-word.c
@@ -19,12 +19,22 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <stdarg.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <syslog.h>
+
#include "alloc-util.h"
#include "escape.h"
#include "extract-word.h"
+#include "log.h"
+#include "macro.h"
#include "string-util.h"
#include "utf8.h"
-#include "util.h"
int extract_first_word(const char **p, char **ret, const char *separators, ExtractFlags flags) {
_cleanup_free_ char *s = NULL;
diff --git a/src/basic/fd-util.c b/src/basic/fd-util.c
index d1b1db3a4d..9759cac23c 100644
--- a/src/basic/fd-util.c
+++ b/src/basic/fd-util.c
@@ -19,9 +19,18 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-#include "dirent-util.h"
+#include <errno.h>
+#include <fcntl.h>
+#include <sys/resource.h>
+#include <sys/socket.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
#include "fd-util.h"
+#include "macro.h"
+#include "missing.h"
#include "parse-util.h"
+#include "path-util.h"
#include "socket-util.h"
#include "util.h"
diff --git a/src/basic/fdset.c b/src/basic/fdset.c
index e5452f3bb0..de9b723ab8 100644
--- a/src/basic/fdset.c
+++ b/src/basic/fdset.c
@@ -19,19 +19,21 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <alloca.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
+#include <stddef.h>
#include "sd-daemon.h"
-#include "dirent-util.h"
#include "fd-util.h"
#include "fdset.h"
+#include "log.h"
#include "macro.h"
#include "parse-util.h"
+#include "path-util.h"
#include "set.h"
-#include "util.h"
#define MAKE_SET(s) ((Set*) s)
#define MAKE_FDSET(s) ((FDSet*) s)
diff --git a/src/basic/fdset.h b/src/basic/fdset.h
index 70d8acbcff..615ba05661 100644
--- a/src/basic/fdset.h
+++ b/src/basic/fdset.h
@@ -21,6 +21,10 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdbool.h>
+
+#include "hashmap.h"
+#include "macro.h"
#include "set.h"
typedef struct FDSet FDSet;
diff --git a/src/basic/fileio-label.c b/src/basic/fileio-label.c
index 0405822ce0..1cee87c9cd 100644
--- a/src/basic/fileio-label.c
+++ b/src/basic/fileio-label.c
@@ -20,9 +20,11 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <sys/stat.h>
+
#include "fileio-label.h"
+#include "fileio.h"
#include "selinux-util.h"
-#include "util.h"
int write_string_file_atomic_label(const char *fn, const char *line) {
int r;
diff --git a/src/basic/fileio.c b/src/basic/fileio.c
index 10aacdc56d..3a237252b5 100644
--- a/src/basic/fileio.c
+++ b/src/basic/fileio.c
@@ -19,6 +19,15 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/types.h>
#include <unistd.h>
#include "alloc-util.h"
@@ -28,15 +37,17 @@
#include "fileio.h"
#include "fs-util.h"
#include "hexdecoct.h"
+#include "log.h"
+#include "macro.h"
#include "parse-util.h"
#include "path-util.h"
#include "random-util.h"
#include "stdio-util.h"
#include "string-util.h"
#include "strv.h"
+#include "time-util.h"
#include "umask-util.h"
#include "utf8.h"
-#include "util.h"
int write_string_stream(FILE *f, const char *line, bool enforce_newline) {
diff --git a/src/basic/fs-util.c b/src/basic/fs-util.c
index 2b6189ad90..fb760abe18 100644
--- a/src/basic/fs-util.c
+++ b/src/basic/fs-util.c
@@ -19,16 +19,30 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <dirent.h>
+#include <errno.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <time.h>
+#include <unistd.h>
+
#include "alloc-util.h"
#include "dirent-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "fs-util.h"
+#include "log.h"
+#include "macro.h"
+#include "missing.h"
#include "mkdir.h"
#include "parse-util.h"
#include "path-util.h"
#include "string-util.h"
#include "strv.h"
+#include "time-util.h"
#include "user-util.h"
#include "util.h"
diff --git a/src/basic/fs-util.h b/src/basic/fs-util.h
index 5fbb7bc4c3..67ed214b51 100644
--- a/src/basic/fs-util.h
+++ b/src/basic/fs-util.h
@@ -23,6 +23,8 @@
#include <fcntl.h>
#include <limits.h>
+#include <stdbool.h>
+#include <stdint.h>
#include <sys/inotify.h>
#include <sys/types.h>
#include <unistd.h>
diff --git a/src/basic/glob-util.c b/src/basic/glob-util.c
index 0bfbcb1d37..a0be0efd40 100644
--- a/src/basic/glob-util.c
+++ b/src/basic/glob-util.c
@@ -19,12 +19,12 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <glob.h>
#include "glob-util.h"
-#include "string-util.h"
+#include "macro.h"
#include "strv.h"
-#include "util.h"
int glob_exists(const char *path) {
_cleanup_globfree_ glob_t g = {};
diff --git a/src/basic/glob-util.h b/src/basic/glob-util.h
index 793adf4a6c..a0a5efe5b6 100644
--- a/src/basic/glob-util.h
+++ b/src/basic/glob-util.h
@@ -21,6 +21,7 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdbool.h>
#include <string.h>
#include "macro.h"
diff --git a/src/basic/gunicode.c b/src/basic/gunicode.c
index d89a2f3ed9..542110503f 100644
--- a/src/basic/gunicode.c
+++ b/src/basic/gunicode.c
@@ -4,6 +4,8 @@
* Copyright 2000, 2005 Red Hat, Inc.
*/
+#include <stdlib.h>
+
#include "gunicode.h"
#define unichar uint32_t
diff --git a/src/basic/hashmap.c b/src/basic/hashmap.c
index 6e501ef6ff..b3954e3223 100644
--- a/src/basic/hashmap.c
+++ b/src/basic/hashmap.c
@@ -21,8 +21,9 @@
***/
#include <errno.h>
-#include <pthread.h>
+#include <stdint.h>
#include <stdlib.h>
+#include <string.h>
#include "alloc-util.h"
#include "hashmap.h"
diff --git a/src/basic/hashmap.h b/src/basic/hashmap.h
index ed6a092d82..708811124b 100644
--- a/src/basic/hashmap.h
+++ b/src/basic/hashmap.h
@@ -22,7 +22,9 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <limits.h>
#include <stdbool.h>
+#include <stddef.h>
#include "macro.h"
#include "siphash24.h"
diff --git a/src/basic/hexdecoct.c b/src/basic/hexdecoct.c
index 4eb566b15a..1e907de228 100644
--- a/src/basic/hexdecoct.c
+++ b/src/basic/hexdecoct.c
@@ -20,11 +20,13 @@
***/
#include <ctype.h>
-#include <inttypes.h>
+#include <errno.h>
+#include <stdint.h>
+#include <stdlib.h>
#include "alloc-util.h"
#include "hexdecoct.h"
-#include "util.h"
+#include "macro.h"
char octchar(int x) {
return '0' + (x & 7);
diff --git a/src/basic/hexdecoct.h b/src/basic/hexdecoct.h
index 4aeb4c3bdc..d9eb54a8a1 100644
--- a/src/basic/hexdecoct.h
+++ b/src/basic/hexdecoct.h
@@ -22,6 +22,7 @@
***/
#include <stdbool.h>
+#include <stddef.h>
#include <stdio.h>
#include <sys/types.h>
diff --git a/src/basic/hostname-util.c b/src/basic/hostname-util.c
index c57a3cbd60..795afb6d00 100644
--- a/src/basic/hostname-util.c
+++ b/src/basic/hostname-util.c
@@ -19,14 +19,19 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-#include <ctype.h>
+#include <bits/local_lim.h>
+#include <errno.h>
+#include <limits.h>
+#include <stdio.h>
+#include <string.h>
#include <sys/utsname.h>
+#include <unistd.h>
#include "fd-util.h"
#include "fileio.h"
#include "hostname-util.h"
+#include "macro.h"
#include "string-util.h"
-#include "util.h"
bool hostname_is_set(void) {
struct utsname u;
diff --git a/src/basic/in-addr-util.c b/src/basic/in-addr-util.c
index b75c39aac7..5143dddf8f 100644
--- a/src/basic/in-addr-util.c
+++ b/src/basic/in-addr-util.c
@@ -20,9 +20,15 @@
***/
#include <arpa/inet.h>
+#include <endian.h>
+#include <errno.h>
+#include <stdint.h>
+#include <stdlib.h>
#include "alloc-util.h"
#include "in-addr-util.h"
+#include "macro.h"
+#include "util.h"
int in_addr_is_null(int family, const union in_addr_union *u) {
assert(u);
diff --git a/src/basic/in-addr-util.h b/src/basic/in-addr-util.h
index 58f55b3418..bcc116c783 100644
--- a/src/basic/in-addr-util.h
+++ b/src/basic/in-addr-util.h
@@ -22,6 +22,8 @@
***/
#include <netinet/in.h>
+#include <stddef.h>
+#include <sys/socket.h>
#include "macro.h"
#include "util.h"
diff --git a/src/basic/io-util.c b/src/basic/io-util.c
index ac8f93ff57..e83e7cec72 100644
--- a/src/basic/io-util.c
+++ b/src/basic/io-util.c
@@ -19,10 +19,15 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <limits.h>
#include <poll.h>
+#include <stdio.h>
+#include <time.h>
#include <unistd.h>
#include "io-util.h"
+#include "time-util.h"
int flush_fd(int fd) {
struct pollfd pollfd = {
diff --git a/src/basic/io-util.h b/src/basic/io-util.h
index cd2aa75ad2..5f77a556c0 100644
--- a/src/basic/io-util.h
+++ b/src/basic/io-util.h
@@ -22,9 +22,12 @@
***/
#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
#include <sys/types.h>
#include <sys/uio.h>
+#include "macro.h"
#include "time-util.h"
int flush_fd(int fd);
diff --git a/src/basic/json.c b/src/basic/json.c
index 9d5dedb934..1523e9fb09 100644
--- a/src/basic/json.c
+++ b/src/basic/json.c
@@ -19,7 +19,10 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <math.h>
+#include <stdlib.h>
+#include <string.h>
#include <sys/types.h>
#include "alloc-util.h"
diff --git a/src/basic/json.h b/src/basic/json.h
index 8a7d79cb17..df3f62f206 100644
--- a/src/basic/json.h
+++ b/src/basic/json.h
@@ -22,7 +22,10 @@
***/
#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+#include "macro.h"
#include "util.h"
enum {
diff --git a/src/basic/label.c b/src/basic/label.c
index f33502f90f..f72a985967 100644
--- a/src/basic/label.c
+++ b/src/basic/label.c
@@ -19,10 +19,14 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
#include "label.h"
+#include "macro.h"
#include "selinux-util.h"
#include "smack-util.h"
-#include "util.h"
int label_fix(const char *path, bool ignore_enoent, bool ignore_erofs) {
int r, q;
diff --git a/src/basic/locale-util.c b/src/basic/locale-util.c
index b87fd7670b..7784d02168 100644
--- a/src/basic/locale-util.c
+++ b/src/basic/locale-util.c
@@ -19,12 +19,22 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <dirent.h>
+#include <errno.h>
+#include <fcntl.h>
#include <langinfo.h>
+#include <libintl.h>
#include <locale.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
#include <sys/mman.h>
+#include <sys/stat.h>
#include "dirent-util.h"
#include "fd-util.h"
+#include "hashmap.h"
#include "locale-util.h"
#include "path-util.h"
#include "set.h"
@@ -32,7 +42,6 @@
#include "string-util.h"
#include "strv.h"
#include "utf8.h"
-#include "util.h"
static int add_locales_from_archive(Set *locales) {
/* Stolen from glibc... */
diff --git a/src/basic/lockfile-util.c b/src/basic/lockfile-util.c
index 0bdbae480b..6ecfc2ec46 100644
--- a/src/basic/lockfile-util.c
+++ b/src/basic/lockfile-util.c
@@ -20,20 +20,18 @@
***/
#include <errno.h>
-#include <limits.h>
-#include <stdbool.h>
+#include <fcntl.h>
#include <stdio.h>
-#include <stdlib.h>
#include <string.h>
#include <sys/file.h>
+#include <sys/stat.h>
#include "alloc-util.h"
#include "fd-util.h"
-#include "fileio.h"
#include "fs-util.h"
#include "lockfile-util.h"
+#include "macro.h"
#include "path-util.h"
-#include "util.h"
int make_lock_file(const char *p, int operation, LockFile *ret) {
_cleanup_close_ int fd = -1;
diff --git a/src/basic/lockfile-util.h b/src/basic/lockfile-util.h
index 38d47094bd..3c514c9e62 100644
--- a/src/basic/lockfile-util.h
+++ b/src/basic/lockfile-util.h
@@ -21,6 +21,8 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stddef.h>
+
#include "macro.h"
#include "missing.h"
diff --git a/src/basic/log.c b/src/basic/log.c
index fe29cacd9e..1a9e6bdb91 100644
--- a/src/basic/log.c
+++ b/src/basic/log.c
@@ -21,12 +21,18 @@
#include <errno.h>
#include <fcntl.h>
-#include <printf.h>
+#include <inttypes.h>
+#include <limits.h>
#include <stdarg.h>
#include <stddef.h>
#include <stdio.h>
+#include <string.h>
+#include <sys/signalfd.h>
#include <sys/socket.h>
+#include <sys/time.h>
+#include <sys/uio.h>
#include <sys/un.h>
+#include <time.h>
#include <unistd.h>
#include "sd-messages.h"
@@ -48,6 +54,7 @@
#include "string-util.h"
#include "syslog-util.h"
#include "terminal-util.h"
+#include "time-util.h"
#include "util.h"
#define SNDBUF_SIZE (8*1024*1024)
diff --git a/src/basic/login-util.c b/src/basic/login-util.c
index 41cef14e73..4e08fe3895 100644
--- a/src/basic/login-util.c
+++ b/src/basic/login-util.c
@@ -19,7 +19,8 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-#include "def.h"
+#include <string.h>
+
#include "login-util.h"
#include "string-util.h"
diff --git a/src/basic/memfd-util.c b/src/basic/memfd-util.c
index 92630f6b25..789638f013 100644
--- a/src/basic/memfd-util.c
+++ b/src/basic/memfd-util.c
@@ -19,7 +19,10 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <fcntl.h>
+#include <sys/stat.h>
+#include <unistd.h>
#ifdef HAVE_LINUX_MEMFD_H
#include <linux/memfd.h>
#endif
@@ -29,11 +32,11 @@
#include "alloc-util.h"
#include "fd-util.h"
+#include "macro.h"
#include "memfd-util.h"
#include "missing.h"
#include "string-util.h"
#include "utf8.h"
-#include "util.h"
int memfd_new(const char *name) {
_cleanup_free_ char *g = NULL;
diff --git a/src/basic/memfd-util.h b/src/basic/memfd-util.h
index 3e4de008a4..2a89361c4c 100644
--- a/src/basic/memfd-util.h
+++ b/src/basic/memfd-util.h
@@ -22,6 +22,8 @@
***/
#include <inttypes.h>
+#include <stddef.h>
+#include <stdint.h>
#include <sys/types.h>
int memfd_new(const char *name);
diff --git a/src/basic/mempool.c b/src/basic/mempool.c
index 9ee6e6a76d..1822d3956f 100644
--- a/src/basic/mempool.c
+++ b/src/basic/mempool.c
@@ -20,6 +20,9 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdint.h>
+#include <stdlib.h>
+
#include "macro.h"
#include "mempool.h"
#include "util.h"
diff --git a/src/basic/mkdir-label.c b/src/basic/mkdir-label.c
index c241ef6064..c9e17f7680 100644
--- a/src/basic/mkdir-label.c
+++ b/src/basic/mkdir-label.c
@@ -21,6 +21,7 @@
***/
#include <stdio.h>
+#include <sys/types.h>
#include <unistd.h>
#include "label.h"
diff --git a/src/basic/mkdir.c b/src/basic/mkdir.c
index 5d7fb9a12d..9f9d52b5df 100644
--- a/src/basic/mkdir.c
+++ b/src/basic/mkdir.c
@@ -20,14 +20,16 @@
***/
#include <errno.h>
+#include <stdbool.h>
#include <string.h>
+#include <sys/stat.h>
#include "fs-util.h"
+#include "macro.h"
#include "mkdir.h"
#include "path-util.h"
#include "stat-util.h"
#include "user-util.h"
-#include "util.h"
int mkdir_safe_internal(const char *path, mode_t mode, uid_t uid, gid_t gid, mkdir_func_t _mkdir) {
struct stat st;
diff --git a/src/basic/mount-util.c b/src/basic/mount-util.c
index 29997b1ce7..10a6536cfc 100644
--- a/src/basic/mount-util.c
+++ b/src/basic/mount-util.c
@@ -19,21 +19,25 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <stdlib.h>
#include <string.h>
#include <sys/mount.h>
+#include <sys/stat.h>
#include <sys/statvfs.h>
+#include <unistd.h>
#include "alloc-util.h"
#include "escape.h"
#include "fd-util.h"
#include "fileio.h"
+#include "hashmap.h"
#include "mount-util.h"
#include "parse-util.h"
#include "path-util.h"
#include "set.h"
#include "stdio-util.h"
#include "string-util.h"
-#include "util.h"
static int fd_fdinfo_mnt_id(int fd, const char *filename, int flags, int *mnt_id) {
char path[strlen("/proc/self/fdinfo/") + DECIMAL_STR_MAX(int)];
diff --git a/src/basic/mount-util.h b/src/basic/mount-util.h
index 48954c2d67..b37250f08e 100644
--- a/src/basic/mount-util.h
+++ b/src/basic/mount-util.h
@@ -24,9 +24,11 @@
#include <fcntl.h>
#include <mntent.h>
#include <stdbool.h>
+#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
+#include "macro.h"
#include "missing.h"
int fd_is_mount_point(int fd, const char *filename, int flags);
diff --git a/src/basic/parse-util.c b/src/basic/parse-util.c
index 3ae99d9334..618ef5d564 100644
--- a/src/basic/parse-util.c
+++ b/src/basic/parse-util.c
@@ -19,11 +19,19 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <inttypes.h>
+#include <locale.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <xlocale.h>
+
#include "alloc-util.h"
#include "extract-word.h"
+#include "macro.h"
#include "parse-util.h"
#include "string-util.h"
-#include "util.h"
int parse_boolean(const char *v) {
assert(v);
diff --git a/src/basic/parse-util.h b/src/basic/parse-util.h
index 125de53d7a..af439cfaa7 100644
--- a/src/basic/parse-util.h
+++ b/src/basic/parse-util.h
@@ -22,6 +22,9 @@
***/
#include <inttypes.h>
+#include <limits.h>
+#include <stddef.h>
+#include <stdint.h>
#include <sys/types.h>
#include "macro.h"
diff --git a/src/basic/path-util.c b/src/basic/path-util.c
index ec90c432a4..61fab0e087 100644
--- a/src/basic/path-util.c
+++ b/src/basic/path-util.c
@@ -20,11 +20,11 @@
***/
#include <errno.h>
-#include <fcntl.h>
+#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#include <sys/statvfs.h>
+#include <sys/stat.h>
#include <unistd.h>
/* When we include libgen.h because we need dirname() we immediately
@@ -34,18 +34,16 @@
#undef basename
#include "alloc-util.h"
-#include "fd-util.h"
-#include "fileio.h"
+#include "extract-word.h"
#include "fs-util.h"
#include "log.h"
#include "macro.h"
#include "missing.h"
-#include "parse-util.h"
#include "path-util.h"
#include "stat-util.h"
#include "string-util.h"
#include "strv.h"
-#include "util.h"
+#include "time-util.h"
bool path_is_absolute(const char *p) {
return p[0] == '/';
diff --git a/src/basic/path-util.h b/src/basic/path-util.h
index 989e0f9004..84472d38c7 100644
--- a/src/basic/path-util.h
+++ b/src/basic/path-util.h
@@ -21,7 +21,9 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <alloca.h>
#include <stdbool.h>
+#include <stddef.h>
#include "macro.h"
#include "time-util.h"
diff --git a/src/basic/prioq.c b/src/basic/prioq.c
index 7590698911..86c5c0e9b4 100644
--- a/src/basic/prioq.c
+++ b/src/basic/prioq.c
@@ -29,9 +29,12 @@
* The underlying algorithm used in this implementation is a Heap.
*/
+#include <errno.h>
+#include <stdlib.h>
+
#include "alloc-util.h"
+#include "hashmap.h"
#include "prioq.h"
-#include "util.h"
struct prioq_item {
void *data;
diff --git a/src/basic/prioq.h b/src/basic/prioq.h
index 1c044b135c..6a2451387c 100644
--- a/src/basic/prioq.h
+++ b/src/basic/prioq.h
@@ -21,7 +21,10 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdbool.h>
+
#include "hashmap.h"
+#include "macro.h"
typedef struct Prioq Prioq;
diff --git a/src/basic/proc-cmdline.c b/src/basic/proc-cmdline.c
index 4464573c5b..4e8eba10ab 100644
--- a/src/basic/proc-cmdline.c
+++ b/src/basic/proc-cmdline.c
@@ -19,6 +19,10 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdbool.h>
+#include <stddef.h>
+#include <string.h>
+
#include "alloc-util.h"
#include "extract-word.h"
#include "fileio.h"
diff --git a/src/basic/process-util.c b/src/basic/process-util.c
index 7631928d5f..4cc54a51fb 100644
--- a/src/basic/process-util.c
+++ b/src/basic/process-util.c
@@ -17,18 +17,21 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-#include <assert.h>
#include <ctype.h>
#include <errno.h>
+#include <limits.h>
+#include <linux/oom.h>
#include <sched.h>
#include <signal.h>
#include <stdbool.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
#include <sys/personality.h>
#include <sys/prctl.h>
#include <sys/types.h>
#include <sys/wait.h>
+#include <syslog.h>
#include <unistd.h>
#include "alloc-util.h"
@@ -38,6 +41,8 @@
#include "fs-util.h"
#include "ioprio.h"
#include "log.h"
+#include "macro.h"
+#include "missing.h"
#include "process-util.h"
#include "signal-util.h"
#include "string-table.h"
diff --git a/src/basic/process-util.h b/src/basic/process-util.h
index fdc7e1bdef..f4c4437624 100644
--- a/src/basic/process-util.h
+++ b/src/basic/process-util.h
@@ -22,6 +22,7 @@
#include <alloca.h>
#include <signal.h>
#include <stdbool.h>
+#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
diff --git a/src/basic/random-util.c b/src/basic/random-util.c
index 2f5c16e2af..e1543da5a3 100644
--- a/src/basic/random-util.c
+++ b/src/basic/random-util.c
@@ -17,23 +17,24 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <elf.h>
#include <errno.h>
#include <fcntl.h>
+#include <stdbool.h>
+#include <stdlib.h>
+#include <sys/time.h>
#include <linux/random.h>
#include <stdint.h>
+
#ifdef HAVE_SYS_AUXV_H
#include <sys/auxv.h>
#endif
-#include <sys/stat.h>
-#include <sys/types.h>
-#include <time.h>
#include "fd-util.h"
#include "io-util.h"
#include "missing.h"
#include "random-util.h"
#include "time-util.h"
-#include "util.h"
int dev_urandom(void *p, size_t n) {
static int have_syscall = -1;
diff --git a/src/basic/random-util.h b/src/basic/random-util.h
index f7862c8c8b..3cee4c5014 100644
--- a/src/basic/random-util.h
+++ b/src/basic/random-util.h
@@ -19,6 +19,7 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stddef.h>
#include <stdint.h>
int dev_urandom(void *p, size_t n);
diff --git a/src/basic/ratelimit.c b/src/basic/ratelimit.c
index 81fc9c19ff..b62f3da76b 100644
--- a/src/basic/ratelimit.c
+++ b/src/basic/ratelimit.c
@@ -20,6 +20,9 @@
***/
+#include <sys/time.h>
+
+#include "macro.h"
#include "ratelimit.h"
/* Modelled after Linux' lib/ratelimit.c by Dave Young
diff --git a/src/basic/ratelimit.h b/src/basic/ratelimit.h
index 58efca7df1..98c81f6b9e 100644
--- a/src/basic/ratelimit.h
+++ b/src/basic/ratelimit.h
@@ -21,6 +21,9 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdbool.h>
+
+#include "time-util.h"
#include "util.h"
typedef struct RateLimit {
diff --git a/src/basic/replace-var.c b/src/basic/replace-var.c
index bf757cbc48..8c3279b376 100644
--- a/src/basic/replace-var.c
+++ b/src/basic/replace-var.c
@@ -19,13 +19,15 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <stddef.h>
+#include <stdlib.h>
#include <string.h>
#include "alloc-util.h"
#include "macro.h"
#include "replace-var.h"
#include "string-util.h"
-#include "util.h"
/*
* Generic infrastructure for replacing @FOO@ style variables in
diff --git a/src/basic/rlimit-util.c b/src/basic/rlimit-util.c
index 2627c813fc..44f885db16 100644
--- a/src/basic/rlimit-util.c
+++ b/src/basic/rlimit-util.c
@@ -19,10 +19,13 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <sys/resource.h>
+
+#include "macro.h"
#include "missing.h"
#include "rlimit-util.h"
#include "string-table.h"
-#include "util.h"
int setrlimit_closest(int resource, const struct rlimit *rlim) {
struct rlimit highest, fixed;
diff --git a/src/basic/rm-rf.c b/src/basic/rm-rf.c
index 8ec7dd75ee..14f8474da0 100644
--- a/src/basic/rm-rf.c
+++ b/src/basic/rm-rf.c
@@ -19,14 +19,24 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <dirent.h>
+#include <errno.h>
+#include <fcntl.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <sys/stat.h>
+#include <sys/statfs.h>
+#include <unistd.h>
+
#include "btrfs-util.h"
#include "fd-util.h"
+#include "log.h"
+#include "macro.h"
#include "mount-util.h"
#include "path-util.h"
#include "rm-rf.h"
#include "stat-util.h"
#include "string-util.h"
-#include "util.h"
int rm_rf_children(int fd, RemoveFlags flags, struct stat *root_dev) {
_cleanup_closedir_ DIR *d = NULL;
diff --git a/src/basic/selinux-util.c b/src/basic/selinux-util.c
index e8ce5cfd96..5956c4fe43 100644
--- a/src/basic/selinux-util.c
+++ b/src/basic/selinux-util.c
@@ -21,7 +21,12 @@
#include <errno.h>
#include <malloc.h>
+#include <stddef.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <sys/time.h>
#include <sys/un.h>
+#include <syslog.h>
#ifdef HAVE_SELINUX
#include <selinux/context.h>
@@ -30,9 +35,12 @@
#endif
#include "alloc-util.h"
+#include "log.h"
+#include "macro.h"
#include "path-util.h"
#include "selinux-util.h"
-#include "strv.h"
+#include "time-util.h"
+#include "util.h"
#ifdef HAVE_SELINUX
DEFINE_TRIVIAL_CLEANUP_FUNC(security_context_t, freecon);
@@ -47,7 +55,7 @@ static struct selabel_handle *label_hnd = NULL;
#define log_enforcing(...) log_full(security_getenforce() == 1 ? LOG_ERR : LOG_DEBUG, __VA_ARGS__)
#endif
-bool mac_selinux_use(void) {
+bool mac_selinux_have(void) {
#ifdef HAVE_SELINUX
if (cached_use < 0)
cached_use = is_selinux_enabled() > 0;
@@ -58,6 +66,16 @@ bool mac_selinux_use(void) {
#endif
}
+bool mac_selinux_use(void) {
+ if (!mac_selinux_have())
+ return false;
+
+ /* Never try to configure SELinux features if we aren't
+ * root */
+
+ return getuid() == 0;
+}
+
void mac_selinux_retest(void) {
#ifdef HAVE_SELINUX
cached_use = -1;
@@ -197,7 +215,7 @@ int mac_selinux_get_create_label_from_exe(const char *exe, char **label) {
assert(exe);
assert(label);
- if (!mac_selinux_use())
+ if (!mac_selinux_have())
return -EOPNOTSUPP;
r = getcon_raw(&mycon);
@@ -223,7 +241,7 @@ int mac_selinux_get_our_label(char **label) {
assert(label);
#ifdef HAVE_SELINUX
- if (!mac_selinux_use())
+ if (!mac_selinux_have())
return -EOPNOTSUPP;
r = getcon_raw(label);
@@ -247,7 +265,7 @@ int mac_selinux_get_child_mls_label(int socket_fd, const char *exe, const char *
assert(exe);
assert(label);
- if (!mac_selinux_use())
+ if (!mac_selinux_have())
return -EOPNOTSUPP;
r = getcon_raw(&mycon);
@@ -302,7 +320,7 @@ char* mac_selinux_free(char *label) {
if (!label)
return NULL;
- if (!mac_selinux_use())
+ if (!mac_selinux_have())
return NULL;
diff --git a/src/basic/selinux-util.h b/src/basic/selinux-util.h
index d19984c5fe..0111f4c858 100644
--- a/src/basic/selinux-util.h
+++ b/src/basic/selinux-util.h
@@ -23,10 +23,12 @@
#include <stdbool.h>
#include <sys/socket.h>
+#include <sys/types.h>
#include "macro.h"
bool mac_selinux_use(void);
+bool mac_selinux_have(void);
void mac_selinux_retest(void);
int mac_selinux_init(const char *prefix);
diff --git a/src/basic/sigbus.c b/src/basic/sigbus.c
index c535c89d52..fe2e2d1a28 100644
--- a/src/basic/sigbus.c
+++ b/src/basic/sigbus.c
@@ -19,7 +19,9 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <signal.h>
+#include <stddef.h>
#include <sys/mman.h>
#include "macro.h"
diff --git a/src/basic/signal-util.c b/src/basic/signal-util.c
index 8038bc891d..7637fccb2f 100644
--- a/src/basic/signal-util.c
+++ b/src/basic/signal-util.c
@@ -19,11 +19,15 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <stdarg.h>
+#include <stdio.h>
+
+#include "macro.h"
#include "parse-util.h"
#include "signal-util.h"
#include "string-table.h"
#include "string-util.h"
-#include "util.h"
int reset_all_signal_handlers(void) {
static const struct sigaction sa = {
diff --git a/src/basic/siphash24.c b/src/basic/siphash24.c
index 10fc56da69..060e8ba387 100644
--- a/src/basic/siphash24.c
+++ b/src/basic/siphash24.c
@@ -17,10 +17,9 @@
coding style)
*/
+#include "macro.h"
#include "siphash24.h"
-#include "sparse-endian.h"
#include "unaligned.h"
-#include "util.h"
static inline uint64_t rotate_left(uint64_t x, uint8_t b) {
assert(b < 64);
diff --git a/src/basic/siphash24.h b/src/basic/siphash24.h
index ba4f7d01b6..3f7e20362b 100644
--- a/src/basic/siphash24.h
+++ b/src/basic/siphash24.h
@@ -1,6 +1,8 @@
#pragma once
#include <inttypes.h>
+#include <stddef.h>
+#include <stdint.h>
#include <sys/types.h>
struct siphash {
diff --git a/src/basic/smack-util.c b/src/basic/smack-util.c
index fcc046098d..b9e4ff87d8 100644
--- a/src/basic/smack-util.c
+++ b/src/basic/smack-util.c
@@ -21,15 +21,20 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <string.h>
+#include <sys/stat.h>
#include <sys/xattr.h>
+#include <unistd.h>
#include "alloc-util.h"
#include "fileio.h"
+#include "log.h"
+#include "macro.h"
#include "path-util.h"
#include "process-util.h"
#include "smack-util.h"
#include "string-table.h"
-#include "util.h"
#include "xattr-util.h"
#ifdef HAVE_SMACK
diff --git a/src/basic/smack-util.h b/src/basic/smack-util.h
index e756dc8c28..1d85b52a33 100644
--- a/src/basic/smack-util.h
+++ b/src/basic/smack-util.h
@@ -24,6 +24,7 @@
***/
#include <stdbool.h>
+#include <sys/types.h>
#include "macro.h"
diff --git a/src/basic/socket-label.c b/src/basic/socket-label.c
index e5d4efc719..e169439e04 100644
--- a/src/basic/socket-label.c
+++ b/src/basic/socket-label.c
@@ -20,19 +20,23 @@
***/
#include <errno.h>
+#include <netinet/in.h>
+#include <stdbool.h>
#include <stddef.h>
#include <string.h>
+#include <sys/socket.h>
#include <sys/stat.h>
+#include <sys/un.h>
#include <unistd.h>
#include "alloc-util.h"
#include "fd-util.h"
+#include "log.h"
#include "macro.h"
#include "missing.h"
#include "mkdir.h"
#include "selinux-util.h"
#include "socket-util.h"
-#include "util.h"
int socket_address_listen(
const SocketAddress *a,
diff --git a/src/basic/socket-util.c b/src/basic/socket-util.c
index 1acab1ef95..79901a6a06 100644
--- a/src/basic/socket-util.c
+++ b/src/basic/socket-util.c
@@ -21,19 +21,22 @@
#include <arpa/inet.h>
#include <errno.h>
+#include <limits.h>
#include <net/if.h>
#include <netdb.h>
#include <netinet/ip.h>
#include <stddef.h>
+#include <stdint.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
-#include <sys/types.h>
#include <unistd.h>
#include "alloc-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "formats-util.h"
+#include "log.h"
#include "macro.h"
#include "missing.h"
#include "parse-util.h"
@@ -867,16 +870,24 @@ int getpeersec(int fd, char **ret) {
return 0;
}
-int send_one_fd(int transport_fd, int fd, int flags) {
+int send_one_fd_sa(
+ int transport_fd,
+ int fd,
+ const struct sockaddr *sa, socklen_t len,
+ int flags) {
+
union {
struct cmsghdr cmsghdr;
uint8_t buf[CMSG_SPACE(sizeof(int))];
} control = {};
+ struct cmsghdr *cmsg;
+
struct msghdr mh = {
+ .msg_name = (struct sockaddr*) sa,
+ .msg_namelen = len,
.msg_control = &control,
.msg_controllen = sizeof(control),
};
- struct cmsghdr *cmsg;
assert(transport_fd >= 0);
assert(fd >= 0);
diff --git a/src/basic/socket-util.h b/src/basic/socket-util.h
index 129ffa811c..6da1df68d8 100644
--- a/src/basic/socket-util.h
+++ b/src/basic/socket-util.h
@@ -23,7 +23,10 @@
#include <netinet/ether.h>
#include <netinet/in.h>
+#include <stdbool.h>
+#include <stddef.h>
#include <sys/socket.h>
+#include <sys/types.h>
#include <sys/un.h>
#include <linux/netlink.h>
#include <linux/if_packet.h>
@@ -125,7 +128,11 @@ int ip_tos_from_string(const char *s);
int getpeercred(int fd, struct ucred *ucred);
int getpeersec(int fd, char **ret);
-int send_one_fd(int transport_fd, int fd, int flags);
+int send_one_fd_sa(int transport_fd,
+ int fd,
+ const struct sockaddr *sa, socklen_t len,
+ int flags);
+#define send_one_fd(transport_fd, fd, flags) send_one_fd_sa(transport_fd, fd, NULL, 0, flags)
int receive_one_fd(int transport_fd, int flags);
#define CMSG_FOREACH(cmsg, mh) \
diff --git a/src/basic/stat-util.c b/src/basic/stat-util.c
index 3bc66b3be7..21a8fb77a1 100644
--- a/src/basic/stat-util.c
+++ b/src/basic/stat-util.c
@@ -19,7 +19,11 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <dirent.h>
+#include <errno.h>
#include <fcntl.h>
+#include <sys/stat.h>
+#include <sys/types.h>
#include <linux/magic.h>
#include <sys/statvfs.h>
#include <unistd.h>
diff --git a/src/basic/stat-util.h b/src/basic/stat-util.h
index fb92464274..8e031e6155 100644
--- a/src/basic/stat-util.h
+++ b/src/basic/stat-util.h
@@ -22,7 +22,9 @@
***/
#include <stdbool.h>
+#include <stddef.h>
#include <sys/stat.h>
+#include <sys/statfs.h>
#include <sys/types.h>
#include <sys/vfs.h>
diff --git a/src/basic/strbuf.c b/src/basic/strbuf.c
index f4f702a05a..c9984bef08 100644
--- a/src/basic/strbuf.c
+++ b/src/basic/strbuf.c
@@ -19,12 +19,12 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <stdlib.h>
#include <string.h>
#include "alloc-util.h"
#include "strbuf.h"
-#include "util.h"
/*
* Strbuf stores given strings in a single continuous allocated memory
diff --git a/src/basic/strbuf.h b/src/basic/strbuf.h
index fbc4e5f2a1..69565f7e2c 100644
--- a/src/basic/strbuf.h
+++ b/src/basic/strbuf.h
@@ -21,7 +21,9 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stddef.h>
#include <stdint.h>
+#include <sys/types.h>
struct strbuf {
char *buf;
diff --git a/src/basic/string-table.c b/src/basic/string-table.c
index a860324fc9..4633a57f44 100644
--- a/src/basic/string-table.c
+++ b/src/basic/string-table.c
@@ -20,6 +20,7 @@
***/
#include "string-table.h"
+#include "string-util.h"
ssize_t string_table_lookup(const char * const *table, size_t len, const char *key) {
size_t i;
diff --git a/src/basic/string-table.h b/src/basic/string-table.h
index 51b6007214..2181a3a767 100644
--- a/src/basic/string-table.h
+++ b/src/basic/string-table.h
@@ -22,6 +22,7 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
diff --git a/src/basic/string-util.c b/src/basic/string-util.c
index 6006767daa..8178c7093f 100644
--- a/src/basic/string-util.c
+++ b/src/basic/string-util.c
@@ -19,8 +19,15 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <stdarg.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+
#include "alloc-util.h"
#include "gunicode.h"
+#include "macro.h"
#include "string-util.h"
#include "utf8.h"
#include "util.h"
diff --git a/src/basic/string-util.h b/src/basic/string-util.h
index 54f9d3058c..b59b9b5a71 100644
--- a/src/basic/string-util.h
+++ b/src/basic/string-util.h
@@ -21,7 +21,9 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <alloca.h>
#include <stdbool.h>
+#include <stddef.h>
#include <string.h>
#include "macro.h"
diff --git a/src/basic/strv.c b/src/basic/strv.c
index 771781f9fc..0a3d15706f 100644
--- a/src/basic/strv.c
+++ b/src/basic/strv.c
@@ -20,12 +20,15 @@
***/
#include <errno.h>
+#include <fnmatch.h>
#include <stdarg.h>
+#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include "alloc-util.h"
#include "escape.h"
+#include "extract-word.h"
#include "string-util.h"
#include "strv.h"
#include "util.h"
diff --git a/src/basic/strv.h b/src/basic/strv.h
index e66794fc34..bb61db2638 100644
--- a/src/basic/strv.h
+++ b/src/basic/strv.h
@@ -24,8 +24,11 @@
#include <fnmatch.h>
#include <stdarg.h>
#include <stdbool.h>
+#include <stddef.h>
+#include "alloc-util.h"
#include "extract-word.h"
+#include "macro.h"
#include "util.h"
char *strv_find(char **l, const char *name) _pure_;
diff --git a/src/basic/strxcpyx.c b/src/basic/strxcpyx.c
index 088ba53c29..c454171de1 100644
--- a/src/basic/strxcpyx.c
+++ b/src/basic/strxcpyx.c
@@ -25,6 +25,7 @@
* Returns the * remaining size, and 0 if the string was truncated.
*/
+#include <stdarg.h>
#include <stdio.h>
#include <string.h>
diff --git a/src/basic/strxcpyx.h b/src/basic/strxcpyx.h
index ccc7e52f37..02e22e6294 100644
--- a/src/basic/strxcpyx.h
+++ b/src/basic/strxcpyx.h
@@ -22,6 +22,8 @@
***/
+#include <stddef.h>
+
#include "macro.h"
size_t strpcpy(char **dest, size_t size, const char *src);
diff --git a/src/basic/syslog-util.c b/src/basic/syslog-util.c
index 01577941a0..7dc2761b6f 100644
--- a/src/basic/syslog-util.c
+++ b/src/basic/syslog-util.c
@@ -19,10 +19,11 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <string.h>
#include <syslog.h>
-#include "assert.h"
#include "hexdecoct.h"
+#include "macro.h"
#include "string-table.h"
#include "syslog-util.h"
diff --git a/src/basic/terminal-util.c b/src/basic/terminal-util.c
index 3931b03bc2..a39764472b 100644
--- a/src/basic/terminal-util.c
+++ b/src/basic/terminal-util.c
@@ -17,18 +17,25 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-#include <assert.h>
+#include <errno.h>
#include <fcntl.h>
+#include <limits.h>
+#include <stdarg.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/inotify.h>
+#include <sys/socket.h>
+#include <sys/sysmacros.h>
+#include <sys/time.h>
#include <linux/kd.h>
#include <linux/tiocl.h>
#include <linux/vt.h>
#include <poll.h>
#include <signal.h>
#include <sys/ioctl.h>
-#include <sys/stat.h>
#include <sys/types.h>
#include <termios.h>
-#include <time.h>
#include <unistd.h>
#include "alloc-util.h"
@@ -36,8 +43,9 @@
#include "fileio.h"
#include "fs-util.h"
#include "io-util.h"
+#include "log.h"
+#include "macro.h"
#include "parse-util.h"
-#include "path-util.h"
#include "process-util.h"
#include "socket-util.h"
#include "stat-util.h"
diff --git a/src/basic/terminal-util.h b/src/basic/terminal-util.h
index b2c7a297ae..597a0060ad 100644
--- a/src/basic/terminal-util.h
+++ b/src/basic/terminal-util.h
@@ -22,6 +22,7 @@
#include <stdarg.h>
#include <stdbool.h>
#include <stdio.h>
+#include <sys/types.h>
#include "macro.h"
#include "time-util.h"
diff --git a/src/basic/time-util.c b/src/basic/time-util.c
index b9da6991da..bfc7cf870c 100644
--- a/src/basic/time-util.c
+++ b/src/basic/time-util.c
@@ -19,20 +19,28 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <limits.h>
+#include <stdlib.h>
#include <string.h>
+#include <sys/stat.h>
+#include <sys/time.h>
#include <sys/timerfd.h>
#include <sys/timex.h>
+#include <sys/types.h>
+#include <unistd.h>
#include "alloc-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "fs-util.h"
+#include "log.h"
+#include "macro.h"
#include "parse-util.h"
#include "path-util.h"
#include "string-util.h"
#include "strv.h"
#include "time-util.h"
-#include "util.h"
usec_t now(clockid_t clock_id) {
struct timespec ts;
diff --git a/src/basic/time-util.h b/src/basic/time-util.h
index 0417c29cdd..7321e3c670 100644
--- a/src/basic/time-util.h
+++ b/src/basic/time-util.h
@@ -22,6 +22,9 @@
***/
#include <inttypes.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
#include <stdio.h>
#include <time.h>
diff --git a/src/basic/unit-name.c b/src/basic/unit-name.c
index 9a55eacbfb..5fc3b9d6fd 100644
--- a/src/basic/unit-name.c
+++ b/src/basic/unit-name.c
@@ -20,18 +20,20 @@
***/
#include <errno.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
#include <string.h>
#include "alloc-util.h"
#include "bus-label.h"
-#include "def.h"
#include "hexdecoct.h"
+#include "macro.h"
#include "path-util.h"
#include "string-table.h"
#include "string-util.h"
#include "strv.h"
#include "unit-name.h"
-#include "util.h"
#define VALID_CHARS \
DIGITS LETTERS \
diff --git a/src/basic/user-util.c b/src/basic/user-util.c
index 397880b0b1..56e1a3be48 100644
--- a/src/basic/user-util.c
+++ b/src/basic/user-util.c
@@ -19,17 +19,27 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <alloca.h>
+#include <errno.h>
+#include <fcntl.h>
#include <grp.h>
#include <pwd.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <unistd.h>
#include "alloc-util.h"
#include "fd-util.h"
+#include "formats-util.h"
#include "macro.h"
#include "parse-util.h"
#include "path-util.h"
#include "string-util.h"
#include "user-util.h"
-#include "util.h"
bool uid_is_valid(uid_t uid) {
diff --git a/src/basic/utf8.c b/src/basic/utf8.c
index b4063a4cec..124effd6df 100644
--- a/src/basic/utf8.c
+++ b/src/basic/utf8.c
@@ -44,15 +44,14 @@
*/
#include <errno.h>
-#include <inttypes.h>
#include <stdbool.h>
#include <stdlib.h>
#include <string.h>
#include "alloc-util.h"
#include "hexdecoct.h"
+#include "macro.h"
#include "utf8.h"
-#include "util.h"
bool unichar_is_valid(uint32_t ch) {
diff --git a/src/basic/utf8.h b/src/basic/utf8.h
index e745649f06..16c4b5b55d 100644
--- a/src/basic/utf8.h
+++ b/src/basic/utf8.h
@@ -22,6 +22,8 @@
***/
#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
#include "macro.h"
diff --git a/src/basic/util.c b/src/basic/util.c
index 58617b354a..9e0b576283 100644
--- a/src/basic/util.c
+++ b/src/basic/util.c
@@ -19,91 +19,46 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-#include <ctype.h>
+#include <alloca.h>
#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
-#include <grp.h>
-#include <langinfo.h>
-#include <libintl.h>
-#include <limits.h>
-#include <linux/magic.h>
-#include <linux/oom.h>
-#include <linux/sched.h>
-#include <locale.h>
-#include <poll.h>
-#include <pwd.h>
#include <sched.h>
#include <signal.h>
#include <stdarg.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-#include <sys/file.h>
-#include <sys/ioctl.h>
#include <sys/mman.h>
-#include <sys/mount.h>
-#include <sys/personality.h>
#include <sys/prctl.h>
-#include <sys/stat.h>
-#include <sys/statvfs.h>
-#include <sys/time.h>
+#include <sys/statfs.h>
+#include <sys/sysmacros.h>
#include <sys/types.h>
-#include <sys/utsname.h>
-#include <sys/vfs.h>
-#include <sys/wait.h>
-#include <syslog.h>
#include <unistd.h>
-/* When we include libgen.h because we need dirname() we immediately
- * undefine basename() since libgen.h defines it as a macro to the
- * POSIX version which is really broken. We prefer GNU basename(). */
-#include <libgen.h>
-#undef basename
-
-#ifdef HAVE_SYS_AUXV_H
-#include <sys/auxv.h>
-#endif
-
-/* We include linux/fs.h as last of the system headers, as it
- * otherwise conflicts with sys/mount.h. Yay, Linux is great! */
-#include <linux/fs.h>
-
#include "alloc-util.h"
#include "build.h"
#include "def.h"
-#include "device-nodes.h"
#include "dirent-util.h"
-#include "env-util.h"
-#include "escape.h"
-#include "exit-status.h"
#include "fd-util.h"
#include "fileio.h"
#include "formats-util.h"
-#include "gunicode.h"
#include "hashmap.h"
-#include "hexdecoct.h"
#include "hostname-util.h"
-#include "ioprio.h"
#include "log.h"
#include "macro.h"
#include "missing.h"
-#include "mkdir.h"
#include "parse-util.h"
#include "path-util.h"
#include "process-util.h"
-#include "random-util.h"
+#include "set.h"
#include "signal-util.h"
-#include "sparse-endian.h"
#include "stat-util.h"
-#include "string-table.h"
#include "string-util.h"
#include "strv.h"
-#include "terminal-util.h"
+#include "time-util.h"
#include "user-util.h"
-#include "utf8.h"
#include "util.h"
-#include "virt.h"
/* Put this test here for a lack of better place */
assert_cc(EAGAIN == EWOULDBLOCK);
diff --git a/src/basic/util.h b/src/basic/util.h
index d9d2f72b75..76a06822b7 100644
--- a/src/basic/util.h
+++ b/src/basic/util.h
@@ -22,6 +22,7 @@
***/
#include <alloca.h>
+#include <errno.h>
#include <fcntl.h>
#include <inttypes.h>
#include <limits.h>
@@ -29,8 +30,10 @@
#include <stdarg.h>
#include <stdbool.h>
#include <stddef.h>
+#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
+#include <string.h>
#include <sys/inotify.h>
#include <sys/socket.h>
#include <sys/stat.h>
diff --git a/src/basic/verbs.c b/src/basic/verbs.c
index d63062d39e..7feb47c48e 100644
--- a/src/basic/verbs.c
+++ b/src/basic/verbs.c
@@ -19,8 +19,14 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <getopt.h>
+#include <stdbool.h>
+#include <stddef.h>
+
+#include "log.h"
+#include "macro.h"
#include "string-util.h"
-#include "util.h"
#include "verbs.h"
int dispatch_verb(int argc, char *argv[], const Verb verbs[], void *userdata) {
diff --git a/src/basic/virt.c b/src/basic/virt.c
index b82680a54b..0ffc2769d2 100644
--- a/src/basic/virt.c
+++ b/src/basic/virt.c
@@ -20,6 +20,8 @@
***/
#include <errno.h>
+#include <stdint.h>
+#include <stdlib.h>
#include <string.h>
#include <unistd.h>
@@ -27,11 +29,11 @@
#include "dirent-util.h"
#include "fd-util.h"
#include "fileio.h"
+#include "macro.h"
#include "process-util.h"
#include "stat-util.h"
#include "string-table.h"
#include "string-util.h"
-#include "util.h"
#include "virt.h"
static int detect_vm_cpuid(void) {
diff --git a/src/basic/xattr-util.c b/src/basic/xattr-util.c
index 6abdaedc3e..960209282f 100644
--- a/src/basic/xattr-util.c
+++ b/src/basic/xattr-util.c
@@ -19,13 +19,20 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <fcntl.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/time.h>
#include <sys/xattr.h>
#include "alloc-util.h"
#include "fd-util.h"
+#include "macro.h"
#include "sparse-endian.h"
#include "stdio-util.h"
-#include "util.h"
+#include "time-util.h"
#include "xattr-util.h"
int getxattr_malloc(const char *path, const char *name, char **value, bool allow_symlink) {
diff --git a/src/basic/xattr-util.h b/src/basic/xattr-util.h
index cf4cb12a25..a5134cba89 100644
--- a/src/basic/xattr-util.h
+++ b/src/basic/xattr-util.h
@@ -22,6 +22,7 @@
***/
#include <stdbool.h>
+#include <stddef.h>
#include <sys/types.h>
#include "time-util.h"
diff --git a/src/basic/xml.c b/src/basic/xml.c
index 8126bce212..b9976cf5f1 100644
--- a/src/basic/xml.c
+++ b/src/basic/xml.c
@@ -19,10 +19,12 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <stddef.h>
#include <string.h>
+#include "macro.h"
#include "string-util.h"
-#include "util.h"
#include "xml.h"
enum {
diff --git a/src/cgls/cgls.c b/src/cgls/cgls.c
index 01140c73d8..12537ae85b 100644
--- a/src/cgls/cgls.c
+++ b/src/cgls/cgls.c
@@ -131,7 +131,9 @@ static int get_cgroup_root(char **ret) {
if (!arg_machine) {
r = cg_get_root_path(ret);
- if (r < 0)
+ if (r == -ENOMEDIUM)
+ return log_error_errno(r, "Failed to get root control group path: No cgroup filesystem mounted on /sys/fs/cgroup");
+ else if (r < 0)
return log_error_errno(r, "Failed to get root control group path: %m");
return 0;
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 05655fc99a..3f3c5bf9fc 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -134,52 +134,45 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
#endif
va_start(ap, fmt);
- log_internalv(LOG_AUTH | callback_type_to_priority(type),
- 0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
+ log_internalv(LOG_AUTH | callback_type_to_priority(type), 0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
va_end(ap);
return 0;
}
-/*
- Function must be called once to initialize the SELinux AVC environment.
- Sets up callbacks.
- If you want to cleanup memory you should need to call selinux_access_finish.
-*/
-static int access_init(void) {
- int r = 0;
+static int access_init(sd_bus_error *error) {
- if (avc_open(NULL, 0))
- return log_error_errno(errno, "avc_open() failed: %m");
-
- selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
- selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);
+ if (!mac_selinux_use())
+ return 0;
- if (security_getenforce() < 0){
- r = -errno;
- avc_destroy();
- }
+ if (initialized)
+ return 1;
- return r;
-}
+ if (avc_open(NULL, 0) != 0) {
+ int enforce, saved_errno = errno;
-static int mac_selinux_access_init(sd_bus_error *error) {
- int r;
+ enforce = security_getenforce();
+ log_full_errno(enforce != 0 ? LOG_ERR : LOG_WARNING, saved_errno, "Failed to open the SELinux AVC: %m");
- if (initialized)
- return 0;
+ /* If enforcement isn't on, then let's suppress this
+ * error, and just don't do any AVC checks. The
+ * warning we printed is hence all the admin will
+ * see. */
+ if (enforce == 0)
+ return 0;
- if (!mac_selinux_use())
- return 0;
+ /* Return an access denied error, if we couldn't load
+ * the AVC but enforcing mode was on, or we couldn't
+ * determine whether it is one. */
+ return sd_bus_error_setf(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to open the SELinux AVC: %s", strerror(saved_errno));
+ }
- r = access_init();
- if (r < 0)
- return sd_bus_error_set(error, SD_BUS_ERROR_ACCESS_DENIED, "Failed to initialize SELinux.");
+ selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) audit_callback);
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) log_callback);
initialized = true;
- return 0;
+ return 1;
}
-#endif
/*
This function communicates with the kernel to check whether or not it should
@@ -193,7 +186,6 @@ int mac_selinux_generic_access_check(
const char *permission,
sd_bus_error *error) {
-#ifdef HAVE_SELINUX
_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
const char *tclass = NULL, *scon = NULL;
struct audit_info audit_info = {};
@@ -206,11 +198,8 @@ int mac_selinux_generic_access_check(
assert(permission);
assert(error);
- if (!mac_selinux_use())
- return 0;
-
- r = mac_selinux_access_init(error);
- if (r < 0)
+ r = access_init(error);
+ if (r <= 0)
return r;
r = sd_bus_query_sender_creds(
@@ -277,7 +266,17 @@ finish:
}
return r;
+}
+
#else
+
+int mac_selinux_generic_access_check(
+ sd_bus_message *message,
+ const char *path,
+ const char *permission,
+ sd_bus_error *error) {
+
return 0;
-#endif
}
+
+#endif
diff --git a/src/hostname/hostnamed.c b/src/hostname/hostnamed.c
index e1fbacd11b..d383041d39 100644
--- a/src/hostname/hostnamed.c
+++ b/src/hostname/hostnamed.c
@@ -212,10 +212,10 @@ try_dmi:
unreliable enough, so let's not do any additional guesswork
on top of that.
- See the SMBIOS Specification 2.7.1 section 7.4.1 for
+ See the SMBIOS Specification 4.0 section 7.4.1 for
details about the values listed here:
- http://www.dmtf.org/sites/default/files/standards/documents/DSP0134_2.7.1.pdf
+ https://www.dmtf.org/sites/default/files/standards/documents/DSP0134_3.0.0.pdf
*/
switch (t) {
@@ -237,7 +237,11 @@ try_dmi:
case 0x11:
case 0x1C:
+ case 0x1D:
return "server";
+
+ case 0x1E:
+ return "tablet";
}
return NULL;
diff --git a/src/journal/compress.c b/src/journal/compress.c
index e1ca0a8818..1a3d2cdd80 100644
--- a/src/journal/compress.c
+++ b/src/journal/compress.c
@@ -201,7 +201,7 @@ int decompress_blob_lz4(const void *src, uint64_t src_size,
return -EBADMSG;
size = le64toh( *(le64_t*)src );
- if (size < 0 || (le64_t) size != *(le64_t*)src)
+ if (size < 0 || (unsigned) size != le64toh(*(le64_t*)src))
return -EFBIG;
if ((size_t) size > *dst_alloc_size) {
out = realloc(*dst, size);
diff --git a/src/journal/journal-send.c b/src/journal/journal-send.c
index fa5dee73c3..44fa11a00e 100644
--- a/src/journal/journal-send.c
+++ b/src/journal/journal-send.c
@@ -225,8 +225,8 @@ _public_ int sd_journal_sendv(const struct iovec *iov, int n) {
assert_return(iov, -EINVAL);
assert_return(n > 0, -EINVAL);
- w = alloca(sizeof(struct iovec) * n * 5 + 3);
- l = alloca(sizeof(uint64_t) * n);
+ w = newa(struct iovec, n * 5 + 3);
+ l = newa(uint64_t, n);
for (i = 0; i < n; i++) {
char *c, *nl;
@@ -337,7 +337,11 @@ _public_ int sd_journal_sendv(const struct iovec *iov, int n) {
return r;
}
- return send_one_fd(fd, buffer_fd, 0);
+ r = send_one_fd_sa(fd, buffer_fd, mh.msg_name, mh.msg_namelen, 0);
+ if (r == -ENOENT)
+ /* Fail silently if the journal is not available */
+ return 0;
+ return r;
}
static int fill_iovec_perror_and_send(const char *message, int skip, struct iovec iov[]) {
diff --git a/src/journal/journald-native.c b/src/journal/journald-native.c
index 69a685c06f..371df5b37f 100644
--- a/src/journal/journald-native.c
+++ b/src/journal/journald-native.c
@@ -480,7 +480,7 @@ int server_open_native_socket(Server*s) {
return log_error_errno(errno, "SO_PASSCRED failed: %m");
#ifdef HAVE_SELINUX
- if (mac_selinux_use()) {
+ if (mac_selinux_have()) {
r = setsockopt(s->native_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
if (r < 0)
log_warning_errno(errno, "SO_PASSSEC failed: %m");
diff --git a/src/journal/journald-server.c b/src/journal/journald-server.c
index 7d11a568aa..a8a9b72080 100644
--- a/src/journal/journald-server.c
+++ b/src/journal/journald-server.c
@@ -204,58 +204,19 @@ static int determine_space(Server *s, bool verbose, bool patch_min_use, uint64_t
return determine_space_for(s, metrics, path, name, verbose, patch_min_use, available, limit);
}
-void server_fix_perms(Server *s, JournalFile *f, uid_t uid) {
- int r;
+static void server_add_acls(JournalFile *f, uid_t uid) {
#ifdef HAVE_ACL
- _cleanup_(acl_freep) acl_t acl = NULL;
- acl_entry_t entry;
- acl_permset_t permset;
+ int r;
#endif
-
assert(f);
- r = fchmod(f->fd, 0640);
- if (r < 0)
- log_warning_errno(errno, "Failed to fix access mode on %s, ignoring: %m", f->path);
-
#ifdef HAVE_ACL
if (uid <= SYSTEM_UID_MAX)
return;
- acl = acl_get_fd(f->fd);
- if (!acl) {
- log_warning_errno(errno, "Failed to read ACL on %s, ignoring: %m", f->path);
- return;
- }
-
- r = acl_find_uid(acl, uid, &entry);
- if (r <= 0) {
-
- if (acl_create_entry(&acl, &entry) < 0 ||
- acl_set_tag_type(entry, ACL_USER) < 0 ||
- acl_set_qualifier(entry, &uid) < 0) {
- log_warning_errno(errno, "Failed to patch ACL on %s, ignoring: %m", f->path);
- return;
- }
- }
-
- /* We do not recalculate the mask unconditionally here,
- * so that the fchmod() mask above stays intact. */
- if (acl_get_permset(entry, &permset) < 0 ||
- acl_add_perm(permset, ACL_READ) < 0) {
- log_warning_errno(errno, "Failed to patch ACL on %s, ignoring: %m", f->path);
- return;
- }
-
- r = calc_acl_mask_if_needed(&acl);
- if (r < 0) {
- log_warning_errno(r, "Failed to patch ACL on %s, ignoring: %m", f->path);
- return;
- }
-
- if (acl_set_fd(f->fd, acl) < 0)
- log_warning_errno(errno, "Failed to set ACL on %s, ignoring: %m", f->path);
-
+ r = add_acls_for_user(f->fd, uid);
+ if (r < 0)
+ log_warning_errno(r, "Failed to set ACL on %s, ignoring: %m", f->path);
#endif
}
@@ -301,7 +262,7 @@ static JournalFile* find_journal(Server *s, uid_t uid) {
if (r < 0)
return s->system_journal;
- server_fix_perms(s, f, uid);
+ server_add_acls(f, uid);
r = ordered_hashmap_put(s->user_journals, UID_TO_PTR(uid), f);
if (r < 0) {
@@ -332,7 +293,7 @@ static int do_rotate(
else
log_error_errno(r, "Failed to create new %s journal: %m", name);
else
- server_fix_perms(s, *f, uid);
+ server_add_acls(*f, uid);
return r;
}
@@ -707,7 +668,7 @@ static void dispatch_message_real(
}
#ifdef HAVE_SELINUX
- if (mac_selinux_use()) {
+ if (mac_selinux_have()) {
if (label) {
x = alloca(strlen("_SELINUX_CONTEXT=") + label_len + 1);
@@ -971,7 +932,7 @@ static int system_journal_open(Server *s, bool flush_requested) {
fn = strjoina(fn, "/system.journal");
r = journal_file_open_reliably(fn, O_RDWR|O_CREAT, 0640, s->compress, s->seal, &s->system_metrics, s->mmap, NULL, &s->system_journal);
if (r >= 0) {
- server_fix_perms(s, s->system_journal, 0);
+ server_add_acls(s->system_journal, 0);
(void) determine_space_for(s, &s->system_metrics, "/var/log/journal/", "System journal", true, true, NULL, NULL);
} else if (r < 0) {
if (r != -ENOENT && r != -EROFS)
@@ -1015,7 +976,7 @@ static int system_journal_open(Server *s, bool flush_requested) {
}
if (s->runtime_journal) {
- server_fix_perms(s, s->runtime_journal, 0);
+ server_add_acls(s->runtime_journal, 0);
(void) determine_space_for(s, &s->runtime_metrics, "/run/log/journal/", "Runtime journal", true, true, NULL, NULL);
}
}
diff --git a/src/journal/journald-server.h b/src/journal/journald-server.h
index dcc21bb7c3..1822765228 100644
--- a/src/journal/journald-server.h
+++ b/src/journal/journald-server.h
@@ -174,7 +174,6 @@ int config_parse_split_mode(const char *unit, const char *filename, unsigned lin
const char *split_mode_to_string(SplitMode s) _const_;
SplitMode split_mode_from_string(const char *s) _pure_;
-void server_fix_perms(Server *s, JournalFile *f, uid_t uid);
int server_init(Server *s);
void server_done(Server *s);
void server_sync(Server *s);
diff --git a/src/journal/journald-stream.c b/src/journal/journald-stream.c
index 07a0f1bf41..131fcdac42 100644
--- a/src/journal/journald-stream.c
+++ b/src/journal/journald-stream.c
@@ -493,7 +493,7 @@ static int stdout_stream_install(Server *s, int fd, StdoutStream **ret) {
if (r < 0)
return log_error_errno(r, "Failed to determine peer credentials: %m");
- if (mac_selinux_use()) {
+ if (mac_selinux_have()) {
r = getpeersec(fd, &stream->label);
if (r < 0 && r != -EOPNOTSUPP)
(void) log_warning_errno(r, "Failed to determine peer security context: %m");
diff --git a/src/journal/journald-syslog.c b/src/journal/journald-syslog.c
index f3ac1a7ae0..cfc50d889b 100644
--- a/src/journal/journald-syslog.c
+++ b/src/journal/journald-syslog.c
@@ -415,7 +415,7 @@ int server_open_syslog_socket(Server *s) {
return log_error_errno(errno, "SO_PASSCRED failed: %m");
#ifdef HAVE_SELINUX
- if (mac_selinux_use()) {
+ if (mac_selinux_have()) {
r = setsockopt(s->syslog_fd, SOL_SOCKET, SO_PASSSEC, &one, sizeof(one));
if (r < 0)
log_warning_errno(errno, "SO_PASSSEC failed: %m");
diff --git a/src/journal/test-journal-send.c b/src/journal/test-journal-send.c
index 694376670d..e537c1fe5f 100644
--- a/src/journal/test-journal-send.c
+++ b/src/journal/test-journal-send.c
@@ -19,59 +19,84 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <stdlib.h>
#include <unistd.h>
#include "sd-journal.h"
-#include "log.h"
+#include "macro.h"
int main(int argc, char *argv[]) {
char huge[4096*1024];
- log_set_max_level(LOG_DEBUG);
-
- sd_journal_print(LOG_INFO, "piepapo");
-
- sd_journal_send("MESSAGE=foobar",
- "VALUE=%i", 7,
- NULL);
+ /* utf-8 and non-utf-8, message-less and message-ful iovecs */
+ struct iovec graph1[] = {
+ {(char*) "GRAPH=graph", strlen("GRAPH=graph")}
+ };
+ struct iovec graph2[] = {
+ {(char*) "GRAPH=graph\n", strlen("GRAPH=graph\n")}
+ };
+ struct iovec message1[] = {
+ {(char*) "MESSAGE=graph", strlen("MESSAGE=graph")}
+ };
+ struct iovec message2[] = {
+ {(char*) "MESSAGE=graph\n", strlen("MESSAGE=graph\n")}
+ };
+
+ assert_se(sd_journal_print(LOG_INFO, "piepapo") == 0);
+
+ assert_se(sd_journal_send("MESSAGE=foobar",
+ "VALUE=%i", 7,
+ NULL) == 0);
errno = ENOENT;
- sd_journal_perror("Foobar");
+ assert_se(sd_journal_perror("Foobar") == 0);
- sd_journal_perror("");
+ assert_se(sd_journal_perror("") == 0);
memset(huge, 'x', sizeof(huge));
memcpy(huge, "HUGE=", 5);
char_array_0(huge);
- sd_journal_send("MESSAGE=Huge field attached",
- huge,
- NULL);
+ assert_se(sd_journal_send("MESSAGE=Huge field attached",
+ huge,
+ NULL) == 0);
- sd_journal_send("MESSAGE=uiui",
- "VALUE=A",
- "VALUE=B",
- "VALUE=C",
- "SINGLETON=1",
- "OTHERVALUE=X",
- "OTHERVALUE=Y",
- "WITH_BINARY=this is a binary value \a",
- NULL);
+ assert_se(sd_journal_send("MESSAGE=uiui",
+ "VALUE=A",
+ "VALUE=B",
+ "VALUE=C",
+ "SINGLETON=1",
+ "OTHERVALUE=X",
+ "OTHERVALUE=Y",
+ "WITH_BINARY=this is a binary value \a",
+ NULL) == 0);
syslog(LOG_NOTICE, "Hello World!");
- sd_journal_print(LOG_NOTICE, "Hello World");
-
- sd_journal_send("MESSAGE=Hello World!",
- "MESSAGE_ID=52fb62f99e2c49d89cfbf9d6de5e3555",
- "PRIORITY=5",
- "HOME=%s", getenv("HOME"),
- "TERM=%s", getenv("TERM"),
- "PAGE_SIZE=%li", sysconf(_SC_PAGESIZE),
- "N_CPUS=%li", sysconf(_SC_NPROCESSORS_ONLN),
- NULL);
+ assert_se(sd_journal_print(LOG_NOTICE, "Hello World") == 0);
+
+ assert_se(sd_journal_send("MESSAGE=Hello World!",
+ "MESSAGE_ID=52fb62f99e2c49d89cfbf9d6de5e3555",
+ "PRIORITY=5",
+ "HOME=%s", getenv("HOME"),
+ "TERM=%s", getenv("TERM"),
+ "PAGE_SIZE=%li", sysconf(_SC_PAGESIZE),
+ "N_CPUS=%li", sysconf(_SC_NPROCESSORS_ONLN),
+ NULL) == 0);
+
+ assert_se(sd_journal_sendv(graph1, 1) == 0);
+ assert_se(sd_journal_sendv(graph2, 1) == 0);
+ assert_se(sd_journal_sendv(message1, 1) == 0);
+ assert_se(sd_journal_sendv(message2, 1) == 0);
+
+ /* test without location fields */
+#undef sd_journal_sendv
+ assert_se(sd_journal_sendv(graph1, 1) == 0);
+ assert_se(sd_journal_sendv(graph2, 1) == 0);
+ assert_se(sd_journal_sendv(message1, 1) == 0);
+ assert_se(sd_journal_sendv(message2, 1) == 0);
sleep(1);
diff --git a/src/libsystemd-network/sd-dhcp-client.c b/src/libsystemd-network/sd-dhcp-client.c
index a03c8460a8..4521f8f0b1 100644
--- a/src/libsystemd-network/sd-dhcp-client.c
+++ b/src/libsystemd-network/sd-dhcp-client.c
@@ -554,7 +554,7 @@ static int client_append_fqdn_option(DHCPMessage *message, size_t optlen, size_t
buffer[1] = 0; /* RCODE1 (deprecated) */
buffer[2] = 0; /* RCODE2 (deprecated) */
- r = dns_name_to_wire_format(fqdn, buffer + 3, sizeof(buffer) - 3);
+ r = dns_name_to_wire_format(fqdn, buffer + 3, sizeof(buffer) - 3, false);
if (r > 0)
r = dhcp_option_append(message, optlen, optoffset, 0,
DHCP_OPTION_FQDN, 3 + r, buffer);
diff --git a/src/libsystemd/sd-bus/bus-socket.c b/src/libsystemd/sd-bus/bus-socket.c
index 25873dea1e..1df571ac92 100644
--- a/src/libsystemd/sd-bus/bus-socket.c
+++ b/src/libsystemd/sd-bus/bus-socket.c
@@ -609,7 +609,7 @@ static void bus_get_peercred(sd_bus *b) {
b->ucred_valid = getpeercred(b->input_fd, &b->ucred) >= 0;
/* Get the SELinux context of the peer */
- if (mac_selinux_use()) {
+ if (mac_selinux_have()) {
r = getpeersec(b->input_fd, &b->label);
if (r < 0 && r != -EOPNOTSUPP)
log_debug_errno(r, "Failed to determine peer security context: %m");
diff --git a/src/libsystemd/sd-bus/test-bus-creds.c b/src/libsystemd/sd-bus/test-bus-creds.c
index 500fffc5ce..8003501059 100644
--- a/src/libsystemd/sd-bus/test-bus-creds.c
+++ b/src/libsystemd/sd-bus/test-bus-creds.c
@@ -29,7 +29,7 @@ int main(int argc, char *argv[]) {
_cleanup_(sd_bus_creds_unrefp) sd_bus_creds *creds = NULL;
int r;
- if (cg_unified() == -ENOEXEC) {
+ if (cg_unified() == -ENOMEDIUM) {
puts("Skipping test: /sys/fs/cgroup/ not available");
return EXIT_TEST_SKIP;
}
diff --git a/src/libudev/libudev-device-private.c b/src/libudev/libudev-device-private.c
index 2d3e62410c..2aae0726c1 100644
--- a/src/libudev/libudev-device-private.c
+++ b/src/libudev/libudev-device-private.c
@@ -137,14 +137,10 @@ gid_t udev_device_get_devnode_gid(struct udev_device *udev_device) {
}
void udev_device_ensure_usec_initialized(struct udev_device *udev_device, struct udev_device *udev_device_old) {
- sd_device *device_old = NULL;
-
assert(udev_device);
- if (udev_device_old)
- device_old = udev_device_old->device;
-
- device_ensure_usec_initialized(udev_device->device, device_old);
+ device_ensure_usec_initialized(udev_device->device,
+ udev_device_old ? udev_device_old->device : NULL);
}
char **udev_device_get_properties_envp(struct udev_device *udev_device) {
diff --git a/src/login/logind-dbus.c b/src/login/logind-dbus.c
index d0875cf930..c1643cf41a 100644
--- a/src/login/logind-dbus.c
+++ b/src/login/logind-dbus.c
@@ -1820,7 +1820,7 @@ static int nologin_timeout_handler(
log_info("Creating /run/nologin, blocking further logins...");
- r = write_string_file("/run/nologin", "System is going down.", WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC);
+ r = write_string_file_atomic_label("/run/nologin", "System is going down.");
if (r < 0)
log_error_errno(r, "Failed to create /run/nologin: %m");
else
diff --git a/src/machine/machined-dbus.c b/src/machine/machined-dbus.c
index 49e574b6ca..c6b5b1ec44 100644
--- a/src/machine/machined-dbus.c
+++ b/src/machine/machined-dbus.c
@@ -1325,6 +1325,10 @@ int manager_start_scope(
if (r < 0)
return r;
+ r = sd_bus_message_append(m, "(sv)", "TasksMax", "t", 8192);
+ if (r < 0)
+ return bus_log_create_error(r);
+
if (more_properties) {
r = sd_bus_message_copy(m, more_properties, true);
if (r < 0)
diff --git a/src/nspawn/nspawn-register.c b/src/nspawn/nspawn-register.c
index d6c0200c0c..65ca9c762b 100644
--- a/src/nspawn/nspawn-register.c
+++ b/src/nspawn/nspawn-register.c
@@ -105,10 +105,6 @@ int register_machine(
return bus_log_create_error(r);
}
- r = sd_bus_message_append(m, "(sv)", "TasksMax", "t", 8192);
- if (r < 0)
- return bus_log_create_error(r);
-
r = sd_bus_message_append(m, "(sv)", "DevicePolicy", "s", "strict");
if (r < 0)
return bus_log_create_error(r);
diff --git a/src/resolve-host/resolve-host.c b/src/resolve-host/resolve-host.c
index 36dfc70e00..0f154d9798 100644
--- a/src/resolve-host/resolve-host.c
+++ b/src/resolve-host/resolve-host.c
@@ -67,6 +67,8 @@ static void print_source(uint64_t flags, usec_t rtt) {
fputc('.', stdout);
fputc('\n', stdout);
+
+ printf("-- Data is authenticated: %s\n", yes_no(flags & SD_RESOLVED_AUTHENTICATED));
}
static int resolve_host(sd_bus *bus, const char *name) {
diff --git a/src/resolve/resolved-bus.c b/src/resolve/resolved-bus.c
index f86c4ceb05..0ceca56371 100644
--- a/src/resolve/resolved-bus.c
+++ b/src/resolve/resolved-bus.c
@@ -197,7 +197,7 @@ static void bus_method_resolve_hostname_complete(DnsQuery *q) {
r = sd_bus_message_append(
reply, "st",
DNS_RESOURCE_KEY_NAME(canonical->key),
- SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family));
+ SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, q->answer_authenticated));
if (r < 0)
goto finish;
@@ -344,7 +344,7 @@ static void bus_method_resolve_address_complete(DnsQuery *q) {
if (r < 0)
goto finish;
- r = sd_bus_message_append(reply, "t", SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family));
+ r = sd_bus_message_append(reply, "t", SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, q->answer_authenticated));
if (r < 0)
goto finish;
@@ -425,8 +425,6 @@ fail:
}
static int bus_message_append_rr(sd_bus_message *m, DnsResourceRecord *rr, int ifindex) {
- _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
- size_t start;
int r;
assert(m);
@@ -443,17 +441,11 @@ static int bus_message_append_rr(sd_bus_message *m, DnsResourceRecord *rr, int i
if (r < 0)
return r;
- r = dns_packet_new(&p, DNS_PROTOCOL_DNS, 0);
+ r = dns_resource_record_to_wire_format(rr, false);
if (r < 0)
return r;
- p->refuse_compression = true;
-
- r = dns_packet_append_rr(p, rr, &start);
- if (r < 0)
- return r;
-
- r = sd_bus_message_append_array(m, 'y', DNS_PACKET_DATA(p) + start, p->size - start);
+ r = sd_bus_message_append_array(m, 'y', rr->wire_format, rr->wire_format_size);
if (r < 0)
return r;
@@ -518,7 +510,7 @@ static void bus_method_resolve_record_complete(DnsQuery *q) {
if (r < 0)
goto finish;
- r = sd_bus_message_append(reply, "t", SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family));
+ r = sd_bus_message_append(reply, "t", SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, q->answer_authenticated));
if (r < 0)
goto finish;
@@ -867,7 +859,7 @@ static void resolve_service_all_complete(DnsQuery *q) {
reply,
"ssst",
name, type, domain,
- SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family));
+ SD_RESOLVED_FLAGS_MAKE(q->answer_protocol, q->answer_family, q->answer_authenticated));
if (r < 0)
goto finish;
diff --git a/src/resolve/resolved-conf.c b/src/resolve/resolved-conf.c
index 3fc7d9ae3d..1b2f3e336e 100644
--- a/src/resolve/resolved-conf.c
+++ b/src/resolve/resolved-conf.c
@@ -234,6 +234,41 @@ int config_parse_support(
return 0;
}
+int config_parse_dnssec(
+ const char *unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ Manager *m = data;
+ DnssecMode mode;
+ int r;
+
+ assert(filename);
+ assert(lvalue);
+ assert(rvalue);
+
+ mode = dnssec_mode_from_string(rvalue);
+ if (mode < 0) {
+ r = parse_boolean(rvalue);
+ if (r < 0) {
+ log_syntax(unit, LOG_ERR, filename, line, r, "Failed to parse DNSSEC mode '%s'. Ignoring.", rvalue);
+ return 0;
+ }
+
+ mode = r ? DNSSEC_YES : DNSSEC_NO;
+ }
+
+ m->unicast_scope->dnssec_mode = mode;
+ return 0;
+}
+
int manager_parse_config_file(Manager *m) {
int r;
diff --git a/src/resolve/resolved-conf.h b/src/resolve/resolved-conf.h
index 28d2549d35..668ea02bba 100644
--- a/src/resolve/resolved-conf.h
+++ b/src/resolve/resolved-conf.h
@@ -36,3 +36,4 @@ const struct ConfigPerfItem* resolved_gperf_lookup(const char *key, unsigned len
int config_parse_dns_servers(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_search_domains(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
int config_parse_support(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
+int config_parse_dnssec(const char *unit, const char *filename, unsigned line, const char *section, unsigned section_line, const char *lvalue, int ltype, const char *rvalue, void *data, void *userdata);
diff --git a/src/resolve/resolved-def.h b/src/resolve/resolved-def.h
index be29f51663..6014d345f3 100644
--- a/src/resolve/resolved-def.h
+++ b/src/resolve/resolved-def.h
@@ -24,10 +24,15 @@
#define SD_RESOLVED_DNS (UINT64_C(1) << 0)
#define SD_RESOLVED_LLMNR_IPV4 (UINT64_C(1) << 1)
#define SD_RESOLVED_LLMNR_IPV6 (UINT64_C(1) << 2)
+#define SD_RESOLVED_MDNS_IPV4 (UINT64_C(1) << 3)
+#define SD_RESOLVED_MDNS_IPV6 (UINT64_C(1) << 4)
#define SD_RESOLVED_NO_CNAME (UINT64_C(1) << 5)
#define SD_RESOLVED_NO_TXT (UINT64_C(1) << 6)
#define SD_RESOLVED_NO_ADDRESS (UINT64_C(1) << 7)
#define SD_RESOLVED_NO_SEARCH (UINT64_C(1) << 8)
+#define SD_RESOLVED_AUTHENTICATED (UINT64_C(1) << 9)
#define SD_RESOLVED_LLMNR (SD_RESOLVED_LLMNR_IPV4|SD_RESOLVED_LLMNR_IPV6)
-#define SD_RESOLVED_PROTOCOLS_ALL (SD_RESOLVED_LLMNR|SD_RESOLVED_DNS)
+#define SD_RESOLVED_MDNS (SD_RESOLVED_MDNS_IPV4|SD_RESOLVED_MDNS_IPV6)
+
+#define SD_RESOLVED_PROTOCOLS_ALL (SD_RESOLVED_MDNS|SD_RESOLVED_LLMNR|SD_RESOLVED_DNS)
diff --git a/src/resolve/resolved-dns-answer.h b/src/resolve/resolved-dns-answer.h
index 8814919deb..89c254b02e 100644
--- a/src/resolve/resolved-dns-answer.h
+++ b/src/resolve/resolved-dns-answer.h
@@ -24,6 +24,7 @@
typedef struct DnsAnswer DnsAnswer;
typedef struct DnsAnswerItem DnsAnswerItem;
+#include "macro.h"
#include "resolved-dns-rr.h"
/* A simple array of resource records. We keep track of the
@@ -59,19 +60,23 @@ int dns_answer_reserve(DnsAnswer **a, unsigned n_free);
DEFINE_TRIVIAL_CLEANUP_FUNC(DnsAnswer*, dns_answer_unref);
-#define DNS_ANSWER_FOREACH(kk, a) \
- for (unsigned _i = ({ \
+#define _DNS_ANSWER_FOREACH(q, kk, a) \
+ for (unsigned UNIQ_T(i, q) = ({ \
(kk) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].rr : NULL; \
0; \
- }); \
- (a) && ((_i) < (a)->n_rrs); \
- _i++, (kk) = (_i < (a)->n_rrs ? (a)->items[_i].rr : NULL))
+ }); \
+ (a) && (UNIQ_T(i, q) < (a)->n_rrs); \
+ UNIQ_T(i, q)++, (kk) = (UNIQ_T(i, q) < (a)->n_rrs ? (a)->items[UNIQ_T(i, q)].rr : NULL))
-#define DNS_ANSWER_FOREACH_IFINDEX(kk, ifindex, a) \
- for (unsigned _i = ({ \
+#define DNS_ANSWER_FOREACH(kk, a) _DNS_ANSWER_FOREACH(UNIQ, kk, a)
+
+#define _DNS_ANSWER_FOREACH_IFINDEX(q, kk, ifindex, a) \
+ for (unsigned UNIQ_T(i, q) = ({ \
(kk) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].rr : NULL; \
(ifindex) = ((a) && (a)->n_rrs > 0) ? (a)->items[0].ifindex : 0; \
0; \
- }); \
- (a) && ((_i) < (a)->n_rrs); \
- _i++, (kk) = ((_i < (a)->n_rrs) ? (a)->items[_i].rr : NULL), (ifindex) = ((_i < (a)->n_rrs) ? (a)->items[_i].ifindex : 0))
+ }); \
+ (a) && (UNIQ_T(i, q) < (a)->n_rrs); \
+ UNIQ_T(i, q)++, (kk) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].rr : NULL), (ifindex) = ((UNIQ_T(i, q) < (a)->n_rrs) ? (a)->items[UNIQ_T(i, q)].ifindex : 0))
+
+#define DNS_ANSWER_FOREACH_IFINDEX(kk, ifindex, a) _DNS_ANSWER_FOREACH_IFINDEX(UNIQ, kk, ifindex, a)
diff --git a/src/resolve/resolved-dns-cache.c b/src/resolve/resolved-dns-cache.c
index d963ce6e00..1774ae6cb8 100644
--- a/src/resolve/resolved-dns-cache.c
+++ b/src/resolve/resolved-dns-cache.c
@@ -46,6 +46,7 @@ struct DnsCacheItem {
usec_t until;
DnsCacheItemType type;
unsigned prioq_idx;
+ bool authenticated;
int owner_family;
union in_addr_union owner_address;
LIST_FIELDS(DnsCacheItem, by_key);
@@ -237,7 +238,7 @@ static DnsCacheItem* dns_cache_get(DnsCache *c, DnsResourceRecord *rr) {
return NULL;
}
-static void dns_cache_item_update_positive(DnsCache *c, DnsCacheItem *i, DnsResourceRecord *rr, usec_t timestamp) {
+static void dns_cache_item_update_positive(DnsCache *c, DnsCacheItem *i, DnsResourceRecord *rr, bool authenticated, usec_t timestamp) {
assert(c);
assert(i);
assert(rr);
@@ -257,6 +258,7 @@ static void dns_cache_item_update_positive(DnsCache *c, DnsCacheItem *i, DnsReso
dns_resource_key_unref(i->key);
i->key = dns_resource_key_ref(rr->key);
+ i->authenticated = authenticated;
i->until = timestamp + MIN(rr->ttl * USEC_PER_SEC, CACHE_TTL_MAX_USEC);
prioq_reshuffle(c->by_expiry, i, &i->prioq_idx);
@@ -265,6 +267,7 @@ static void dns_cache_item_update_positive(DnsCache *c, DnsCacheItem *i, DnsReso
static int dns_cache_put_positive(
DnsCache *c,
DnsResourceRecord *rr,
+ bool authenticated,
usec_t timestamp,
int owner_family,
const union in_addr_union *owner_address) {
@@ -300,7 +303,7 @@ static int dns_cache_put_positive(
/* Entry exists already? Update TTL and timestamp */
existing = dns_cache_get(c, rr);
if (existing) {
- dns_cache_item_update_positive(c, existing, rr, timestamp);
+ dns_cache_item_update_positive(c, existing, rr, authenticated, timestamp);
return 0;
}
@@ -322,6 +325,7 @@ static int dns_cache_put_positive(
i->prioq_idx = PRIOQ_IDX_NULL;
i->owner_family = owner_family;
i->owner_address = *owner_address;
+ i->authenticated = authenticated;
r = dns_cache_link_item(c, i);
if (r < 0)
@@ -341,6 +345,7 @@ static int dns_cache_put_negative(
DnsCache *c,
DnsResourceKey *key,
int rcode,
+ bool authenticated,
usec_t timestamp,
uint32_t soa_ttl,
int owner_family,
@@ -389,6 +394,7 @@ static int dns_cache_put_negative(
i->prioq_idx = PRIOQ_IDX_NULL;
i->owner_family = owner_family;
i->owner_address = *owner_address;
+ i->authenticated = authenticated;
r = dns_cache_link_item(c, i);
if (r < 0)
@@ -410,6 +416,7 @@ int dns_cache_put(
int rcode,
DnsAnswer *answer,
unsigned max_rrs,
+ bool authenticated,
usec_t timestamp,
int owner_family,
const union in_addr_union *owner_address) {
@@ -452,7 +459,12 @@ int dns_cache_put(
/* Second, add in positive entries for all contained RRs */
for (i = 0; i < MIN(max_rrs, answer->n_rrs); i++) {
- r = dns_cache_put_positive(c, answer->items[i].rr, timestamp, owner_family, owner_address);
+ DnsResourceRecord *rr = answer->items[i].rr;
+
+ if (rr->key->cache_flush)
+ dns_cache_remove(c, rr->key);
+
+ r = dns_cache_put_positive(c, rr, authenticated, timestamp, owner_family, owner_address);
if (r < 0)
goto fail;
}
@@ -496,13 +508,13 @@ int dns_cache_put(
if (!dns_answer_match_soa(canonical_key, soa->key))
continue;
- r = dns_cache_put_negative(c, canonical_key, rcode, timestamp, MIN(soa->soa.minimum, soa->ttl), owner_family, owner_address);
+ r = dns_cache_put_negative(c, canonical_key, rcode, authenticated, timestamp, MIN(soa->soa.minimum, soa->ttl), owner_family, owner_address);
if (r < 0)
goto fail;
}
}
- r = dns_cache_put_negative(c, key, rcode, timestamp, MIN(soa->soa.minimum, soa->ttl), owner_family, owner_address);
+ r = dns_cache_put_negative(c, key, rcode, authenticated, timestamp, MIN(soa->soa.minimum, soa->ttl), owner_family, owner_address);
if (r < 0)
goto fail;
@@ -521,8 +533,7 @@ fail:
return r;
}
-static DnsCacheItem *dns_cache_get_by_key_follow_cname(DnsCache *c, DnsResourceKey *k) {
- _cleanup_(dns_resource_key_unrefp) DnsResourceKey *cname_key = NULL;
+static DnsCacheItem *dns_cache_get_by_key_follow_cname_dname_nsec(DnsCache *c, DnsResourceKey *k) {
DnsCacheItem *i;
const char *n;
int r;
@@ -534,32 +545,29 @@ static DnsCacheItem *dns_cache_get_by_key_follow_cname(DnsCache *c, DnsResourceK
* much, after all this is just a cache */
i = hashmap_get(c->by_key, k);
- if (i || k->type == DNS_TYPE_CNAME || k->type == DNS_TYPE_DNAME)
+ if (i || IN_SET(k->type, DNS_TYPE_CNAME, DNS_TYPE_DNAME, DNS_TYPE_NSEC))
return i;
- /* Check if we have a CNAME record instead */
- cname_key = dns_resource_key_new_cname(k);
- if (!cname_key)
- return NULL;
+ n = DNS_RESOURCE_KEY_NAME(k);
- i = hashmap_get(c->by_key, cname_key);
+ /* Check if we have an NSEC record instead for the name. */
+ i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_NSEC, n));
+ if (i)
+ return i;
+
+ /* Check if we have a CNAME record instead */
+ i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_CNAME, n));
if (i)
return i;
/* OK, let's look for cached DNAME records. */
- n = DNS_RESOURCE_KEY_NAME(k);
for (;;) {
- _cleanup_(dns_resource_key_unrefp) DnsResourceKey *dname_key = NULL;
char label[DNS_LABEL_MAX];
if (isempty(n))
return NULL;
- dname_key = dns_resource_key_new(k->class, DNS_TYPE_DNAME, n);
- if (!dname_key)
- return NULL;
-
- i = hashmap_get(c->by_key, dname_key);
+ i = hashmap_get(c->by_key, &DNS_RESOURCE_KEY_CONST(k->class, DNS_TYPE_DNAME, n));
if (i)
return i;
@@ -572,23 +580,26 @@ static DnsCacheItem *dns_cache_get_by_key_follow_cname(DnsCache *c, DnsResourceK
return NULL;
}
-int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **ret) {
+int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **ret, bool *authenticated) {
_cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
unsigned n = 0;
int r;
bool nxdomain = false;
_cleanup_free_ char *key_str = NULL;
- DnsCacheItem *j, *first;
+ DnsCacheItem *j, *first, *nsec = NULL;
+ bool have_authenticated = false, have_non_authenticated = false;
assert(c);
assert(key);
assert(rcode);
assert(ret);
+ assert(authenticated);
if (key->type == DNS_TYPE_ANY ||
key->class == DNS_CLASS_ANY) {
- /* If we have ANY lookups we simply refresh */
+ /* If we have ANY lookups we don't use the cache, so
+ * that the caller refreshes via the network. */
r = dns_resource_key_to_string(key, &key_str);
if (r < 0)
@@ -601,7 +612,7 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **r
return 0;
}
- first = dns_cache_get_by_key_follow_cname(c, key);
+ first = dns_cache_get_by_key_follow_cname_dname_nsec(c, key);
if (!first) {
/* If one question cannot be answered we need to refresh */
@@ -617,24 +628,49 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **r
}
LIST_FOREACH(by_key, j, first) {
- if (j->rr)
+ if (j->rr) {
+ if (j->rr->key->type == DNS_TYPE_NSEC)
+ nsec = j;
+
n++;
- else if (j->type == DNS_CACHE_NXDOMAIN)
+ } else if (j->type == DNS_CACHE_NXDOMAIN)
nxdomain = true;
+
+ if (j->authenticated)
+ have_authenticated = true;
+ else
+ have_non_authenticated = true;
}
r = dns_resource_key_to_string(key, &key_str);
if (r < 0)
return r;
+ if (nsec && key->type != DNS_TYPE_NSEC) {
+ log_debug("NSEC NODATA cache hit for %s", key_str);
+
+ /* We only found an NSEC record that matches our name.
+ * If it says the type doesn't exit report
+ * NODATA. Otherwise report a cache miss. */
+
+ *ret = NULL;
+ *rcode = DNS_RCODE_SUCCESS;
+ *authenticated = nsec->authenticated;
+
+ return !bitmap_isset(nsec->rr->nsec.types, key->type) &&
+ !bitmap_isset(nsec->rr->nsec.types, DNS_TYPE_CNAME) &&
+ !bitmap_isset(nsec->rr->nsec.types, DNS_TYPE_DNAME);
+ }
+
log_debug("%s cache hit for %s",
- nxdomain ? "NXDOMAIN" :
- n > 0 ? "Positive" : "NODATA",
+ n > 0 ? "Positive" :
+ nxdomain ? "NXDOMAIN" : "NODATA",
key_str);
if (n <= 0) {
*ret = NULL;
*rcode = nxdomain ? DNS_RCODE_NXDOMAIN : DNS_RCODE_SUCCESS;
+ *authenticated = have_authenticated && !have_non_authenticated;
return 1;
}
@@ -653,6 +689,7 @@ int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **r
*ret = answer;
*rcode = DNS_RCODE_SUCCESS;
+ *authenticated = have_authenticated && !have_non_authenticated;
answer = NULL;
return n;
@@ -694,6 +731,57 @@ int dns_cache_check_conflicts(DnsCache *cache, DnsResourceRecord *rr, int owner_
return 1;
}
+int dns_cache_export_shared_to_packet(DnsCache *cache, DnsPacket *p) {
+ unsigned ancount = 0;
+ Iterator iterator;
+ DnsCacheItem *i;
+ int r;
+
+ assert(cache);
+ assert(p);
+
+ HASHMAP_FOREACH(i, cache->by_key, iterator) {
+ DnsCacheItem *j;
+
+ LIST_FOREACH(by_key, j, i) {
+ _cleanup_free_ char *t = NULL;
+
+ if (!j->rr)
+ continue;
+
+ if (!dns_key_is_shared(j->rr->key))
+ continue;
+
+ r = dns_packet_append_rr(p, j->rr, NULL, NULL);
+ if (r == -EMSGSIZE && p->protocol == DNS_PROTOCOL_MDNS) {
+ /* For mDNS, if we're unable to stuff all known answers into the given packet,
+ * allocate a new one, push the RR into that one and link it to the current one.
+ */
+
+ DNS_PACKET_HEADER(p)->ancount = htobe16(ancount);
+ ancount = 0;
+
+ r = dns_packet_new_query(&p->more, p->protocol, 0, true);
+ if (r < 0)
+ return r;
+
+ /* continue with new packet */
+ p = p->more;
+ r = dns_packet_append_rr(p, j->rr, NULL, NULL);
+ }
+
+ if (r < 0)
+ return r;
+
+ ancount ++;
+ }
+ }
+
+ DNS_PACKET_HEADER(p)->ancount = htobe16(ancount);
+
+ return 0;
+}
+
void dns_cache_dump(DnsCache *cache, FILE *f) {
Iterator iterator;
DnsCacheItem *i;
diff --git a/src/resolve/resolved-dns-cache.h b/src/resolve/resolved-dns-cache.h
index 164435b4fb..0f28bbe543 100644
--- a/src/resolve/resolved-dns-cache.h
+++ b/src/resolve/resolved-dns-cache.h
@@ -21,7 +21,6 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-
#include "hashmap.h"
#include "list.h"
#include "prioq.h"
@@ -33,16 +32,19 @@ typedef struct DnsCache {
} DnsCache;
#include "resolved-dns-answer.h"
+#include "resolved-dns-packet.h"
#include "resolved-dns-question.h"
#include "resolved-dns-rr.h"
void dns_cache_flush(DnsCache *c);
void dns_cache_prune(DnsCache *c);
-int dns_cache_put(DnsCache *c, DnsResourceKey *key, int rcode, DnsAnswer *answer, unsigned max_rrs, usec_t timestamp, int owner_family, const union in_addr_union *owner_address);
-int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **answer);
+int dns_cache_put(DnsCache *c, DnsResourceKey *key, int rcode, DnsAnswer *answer, unsigned max_rrs, bool authenticated, usec_t timestamp, int owner_family, const union in_addr_union *owner_address);
+int dns_cache_lookup(DnsCache *c, DnsResourceKey *key, int *rcode, DnsAnswer **answer, bool *authenticated);
int dns_cache_check_conflicts(DnsCache *cache, DnsResourceRecord *rr, int owner_family, const union in_addr_union *owner_address);
void dns_cache_dump(DnsCache *cache, FILE *f);
bool dns_cache_is_empty(DnsCache *cache);
+
+int dns_cache_export_shared_to_packet(DnsCache *cache, DnsPacket *p);
diff --git a/src/resolve/resolved-dns-dnssec.c b/src/resolve/resolved-dns-dnssec.c
new file mode 100644
index 0000000000..2d06775dca
--- /dev/null
+++ b/src/resolve/resolved-dns-dnssec.c
@@ -0,0 +1,719 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+ This file is part of systemd.
+
+ Copyright 2015 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <gcrypt.h>
+
+#include "alloc-util.h"
+#include "dns-domain.h"
+#include "resolved-dns-dnssec.h"
+#include "resolved-dns-packet.h"
+#include "string-table.h"
+
+/* Open question:
+ *
+ * How does the DNSSEC canonical form of a hostname with a label
+ * containing a dot look like, the way DNS-SD does it?
+ *
+ * TODO:
+ *
+ * - Iterative validation
+ * - NSEC proof of non-existance
+ * - NSEC3 proof of non-existance
+ * - Make trust anchor store read additional DS+DNSKEY data from disk
+ * - wildcard zones compatibility
+ * - multi-label zone compatibility
+ * - DMSSEC cname/dname compatibility
+ * - per-interface DNSSEC setting
+ * - DSA support
+ * - EC support?
+ *
+ * */
+
+#define VERIFY_RRS_MAX 256
+#define MAX_KEY_SIZE (32*1024)
+
+/* Permit a maximum clock skew of 1h 10min. This should be enough to deal with DST confusion */
+#define SKEW_MAX (1*USEC_PER_HOUR + 10*USEC_PER_MINUTE)
+
+/*
+ * The DNSSEC Chain of trust:
+ *
+ * Normal RRs are protected via RRSIG RRs in combination with DNSKEY RRs, all in the same zone
+ * DNSKEY RRs are either protected like normal RRs, or via a DS from a zone "higher" up the tree
+ * DS RRs are protected like normal RRs
+ *
+ * Example chain:
+ * Normal RR → RRSIG/DNSKEY+ → DS → RRSIG/DNSKEY+ → DS → ... → DS → RRSIG/DNSKEY+ → DS
+ */
+
+static bool dnssec_algorithm_supported(int algorithm) {
+ return IN_SET(algorithm,
+ DNSSEC_ALGORITHM_RSASHA1,
+ DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1,
+ DNSSEC_ALGORITHM_RSASHA256,
+ DNSSEC_ALGORITHM_RSASHA512);
+}
+
+static bool dnssec_digest_supported(int digest) {
+ return IN_SET(digest,
+ DNSSEC_DIGEST_SHA1,
+ DNSSEC_DIGEST_SHA256);
+}
+
+uint16_t dnssec_keytag(DnsResourceRecord *dnskey) {
+ const uint8_t *p;
+ uint32_t sum;
+ size_t i;
+
+ /* The algorithm from RFC 4034, Appendix B. */
+
+ assert(dnskey);
+ assert(dnskey->key->type == DNS_TYPE_DNSKEY);
+
+ sum = (uint32_t) dnskey->dnskey.flags +
+ ((((uint32_t) dnskey->dnskey.protocol) << 8) + (uint32_t) dnskey->dnskey.algorithm);
+
+ p = dnskey->dnskey.key;
+
+ for (i = 0; i < dnskey->dnskey.key_size; i++)
+ sum += (i & 1) == 0 ? (uint32_t) p[i] << 8 : (uint32_t) p[i];
+
+ sum += (sum >> 16) & UINT32_C(0xFFFF);
+
+ return sum & UINT32_C(0xFFFF);
+}
+
+static int rr_compare(const void *a, const void *b) {
+ DnsResourceRecord **x = (DnsResourceRecord**) a, **y = (DnsResourceRecord**) b;
+ size_t m;
+ int r;
+
+ /* Let's order the RRs according to RFC 4034, Section 6.3 */
+
+ assert(x);
+ assert(*x);
+ assert((*x)->wire_format);
+ assert(y);
+ assert(*y);
+ assert((*y)->wire_format);
+
+ m = MIN((*x)->wire_format_size, (*y)->wire_format_size);
+
+ r = memcmp((*x)->wire_format, (*y)->wire_format, m);
+ if (r != 0)
+ return r;
+
+ if ((*x)->wire_format_size < (*y)->wire_format_size)
+ return -1;
+ else if ((*x)->wire_format_size > (*y)->wire_format_size)
+ return 1;
+
+ return 0;
+}
+
+static int dnssec_rsa_verify(
+ const char *hash_algorithm,
+ const void *signature, size_t signature_size,
+ const void *data, size_t data_size,
+ const void *exponent, size_t exponent_size,
+ const void *modulus, size_t modulus_size) {
+
+ gcry_sexp_t public_key_sexp = NULL, data_sexp = NULL, signature_sexp = NULL;
+ gcry_mpi_t n = NULL, e = NULL, s = NULL;
+ gcry_error_t ge;
+ int r;
+
+ assert(hash_algorithm);
+
+ ge = gcry_mpi_scan(&s, GCRYMPI_FMT_USG, signature, signature_size, NULL);
+ if (ge != 0) {
+ r = -EIO;
+ goto finish;
+ }
+
+ ge = gcry_mpi_scan(&e, GCRYMPI_FMT_USG, exponent, exponent_size, NULL);
+ if (ge != 0) {
+ r = -EIO;
+ goto finish;
+ }
+
+ ge = gcry_mpi_scan(&n, GCRYMPI_FMT_USG, modulus, modulus_size, NULL);
+ if (ge != 0) {
+ r = -EIO;
+ goto finish;
+ }
+
+ ge = gcry_sexp_build(&signature_sexp,
+ NULL,
+ "(sig-val (rsa (s %m)))",
+ s);
+
+ if (ge != 0) {
+ r = -EIO;
+ goto finish;
+ }
+
+ ge = gcry_sexp_build(&data_sexp,
+ NULL,
+ "(data (flags pkcs1) (hash %s %b))",
+ hash_algorithm,
+ (int) data_size,
+ data);
+ if (ge != 0) {
+ r = -EIO;
+ goto finish;
+ }
+
+ ge = gcry_sexp_build(&public_key_sexp,
+ NULL,
+ "(public-key (rsa (n %m) (e %m)))",
+ n,
+ e);
+ if (ge != 0) {
+ r = -EIO;
+ goto finish;
+ }
+
+ ge = gcry_pk_verify(signature_sexp, data_sexp, public_key_sexp);
+ if (ge == GPG_ERR_BAD_SIGNATURE)
+ r = 0;
+ else if (ge != 0)
+ r = -EIO;
+ else
+ r = 1;
+
+finish:
+ if (e)
+ gcry_mpi_release(e);
+ if (n)
+ gcry_mpi_release(n);
+ if (s)
+ gcry_mpi_release(s);
+
+ if (public_key_sexp)
+ gcry_sexp_release(public_key_sexp);
+ if (signature_sexp)
+ gcry_sexp_release(signature_sexp);
+ if (data_sexp)
+ gcry_sexp_release(data_sexp);
+
+ return r;
+}
+
+static void md_add_uint8(gcry_md_hd_t md, uint8_t v) {
+ gcry_md_write(md, &v, sizeof(v));
+}
+
+static void md_add_uint16(gcry_md_hd_t md, uint16_t v) {
+ v = htobe16(v);
+ gcry_md_write(md, &v, sizeof(v));
+}
+
+static void md_add_uint32(gcry_md_hd_t md, uint32_t v) {
+ v = htobe32(v);
+ gcry_md_write(md, &v, sizeof(v));
+}
+
+static int dnssec_rrsig_expired(DnsResourceRecord *rrsig, usec_t realtime) {
+ usec_t expiration, inception, skew;
+
+ assert(rrsig);
+ assert(rrsig->key->type == DNS_TYPE_RRSIG);
+
+ if (realtime == USEC_INFINITY)
+ realtime = now(CLOCK_REALTIME);
+
+ expiration = rrsig->rrsig.expiration * USEC_PER_SEC;
+ inception = rrsig->rrsig.inception * USEC_PER_SEC;
+
+ if (inception > expiration)
+ return -EKEYREJECTED;
+
+ /* Permit a certain amount of clock skew of 10% of the valid
+ * time range. This takes inspiration from unbound's
+ * resolver. */
+ skew = (expiration - inception) / 10;
+ if (skew > SKEW_MAX)
+ skew = SKEW_MAX;
+
+ if (inception < skew)
+ inception = 0;
+ else
+ inception -= skew;
+
+ if (expiration + skew < expiration)
+ expiration = USEC_INFINITY;
+ else
+ expiration += skew;
+
+ return realtime < inception || realtime > expiration;
+}
+
+int dnssec_verify_rrset(
+ DnsAnswer *a,
+ DnsResourceKey *key,
+ DnsResourceRecord *rrsig,
+ DnsResourceRecord *dnskey,
+ usec_t realtime) {
+
+ uint8_t wire_format_name[DNS_WIRE_FOMAT_HOSTNAME_MAX];
+ size_t exponent_size, modulus_size, hash_size;
+ void *exponent, *modulus, *hash;
+ DnsResourceRecord **list, *rr;
+ gcry_md_hd_t md = NULL;
+ size_t k, n = 0;
+ int r;
+
+ assert(key);
+ assert(rrsig);
+ assert(dnskey);
+ assert(rrsig->key->type == DNS_TYPE_RRSIG);
+ assert(dnskey->key->type == DNS_TYPE_DNSKEY);
+
+ /* Verifies the the RRSet matching the specified "key" in "a",
+ * using the signature "rrsig" and the key "dnskey". It's
+ * assumed the RRSIG and DNSKEY match. */
+
+ if (!dnssec_algorithm_supported(rrsig->rrsig.algorithm))
+ return -EOPNOTSUPP;
+
+ if (a->n_rrs > VERIFY_RRS_MAX)
+ return -E2BIG;
+
+ r = dnssec_rrsig_expired(rrsig, realtime);
+ if (r < 0)
+ return r;
+ if (r > 0)
+ return DNSSEC_SIGNATURE_EXPIRED;
+
+ /* Collect all relevant RRs in a single array, so that we can look at the RRset */
+ list = newa(DnsResourceRecord *, a->n_rrs);
+
+ DNS_ANSWER_FOREACH(rr, a) {
+ r = dns_resource_key_equal(key, rr->key);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ continue;
+
+ /* We need the wire format for ordering, and digest calculation */
+ r = dns_resource_record_to_wire_format(rr, true);
+ if (r < 0)
+ return r;
+
+ list[n++] = rr;
+ }
+
+ if (n <= 0)
+ return -ENODATA;
+
+ /* Bring the RRs into canonical order */
+ qsort_safe(list, n, sizeof(DnsResourceRecord), rr_compare);
+
+ /* OK, the RRs are now in canonical order. Let's calculate the digest */
+ switch (rrsig->rrsig.algorithm) {
+
+ case DNSSEC_ALGORITHM_RSASHA1:
+ case DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1:
+ gcry_md_open(&md, GCRY_MD_SHA1, 0);
+ hash_size = 20;
+ break;
+
+ case DNSSEC_ALGORITHM_RSASHA256:
+ gcry_md_open(&md, GCRY_MD_SHA256, 0);
+ hash_size = 32;
+ break;
+
+ case DNSSEC_ALGORITHM_RSASHA512:
+ gcry_md_open(&md, GCRY_MD_SHA512, 0);
+ hash_size = 64;
+ break;
+
+ default:
+ assert_not_reached("Unknown digest");
+ }
+
+ if (!md)
+ return -EIO;
+
+ md_add_uint16(md, rrsig->rrsig.type_covered);
+ md_add_uint8(md, rrsig->rrsig.algorithm);
+ md_add_uint8(md, rrsig->rrsig.labels);
+ md_add_uint32(md, rrsig->rrsig.original_ttl);
+ md_add_uint32(md, rrsig->rrsig.expiration);
+ md_add_uint32(md, rrsig->rrsig.inception);
+ md_add_uint16(md, rrsig->rrsig.key_tag);
+
+ r = dns_name_to_wire_format(rrsig->rrsig.signer, wire_format_name, sizeof(wire_format_name), true);
+ if (r < 0)
+ goto finish;
+ gcry_md_write(md, wire_format_name, r);
+
+ for (k = 0; k < n; k++) {
+ size_t l;
+ rr = list[k];
+
+ r = dns_name_to_wire_format(DNS_RESOURCE_KEY_NAME(rr->key), wire_format_name, sizeof(wire_format_name), true);
+ if (r < 0)
+ goto finish;
+ gcry_md_write(md, wire_format_name, r);
+
+ md_add_uint16(md, rr->key->type);
+ md_add_uint16(md, rr->key->class);
+ md_add_uint32(md, rrsig->rrsig.original_ttl);
+
+ assert(rr->wire_format_rdata_offset <= rr->wire_format_size);
+ l = rr->wire_format_size - rr->wire_format_rdata_offset;
+ assert(l <= 0xFFFF);
+
+ md_add_uint16(md, (uint16_t) l);
+ gcry_md_write(md, (uint8_t*) rr->wire_format + rr->wire_format_rdata_offset, l);
+ }
+
+ hash = gcry_md_read(md, 0);
+ if (!hash) {
+ r = -EIO;
+ goto finish;
+ }
+
+ if (*(uint8_t*) dnskey->dnskey.key == 0) {
+ /* exponent is > 255 bytes long */
+
+ exponent = (uint8_t*) dnskey->dnskey.key + 3;
+ exponent_size =
+ ((size_t) (((uint8_t*) dnskey->dnskey.key)[0]) << 8) |
+ ((size_t) ((uint8_t*) dnskey->dnskey.key)[1]);
+
+ if (exponent_size < 256) {
+ r = -EINVAL;
+ goto finish;
+ }
+
+ if (3 + exponent_size >= dnskey->dnskey.key_size) {
+ r = -EINVAL;
+ goto finish;
+ }
+
+ modulus = (uint8_t*) dnskey->dnskey.key + 3 + exponent_size;
+ modulus_size = dnskey->dnskey.key_size - 3 - exponent_size;
+
+ } else {
+ /* exponent is <= 255 bytes long */
+
+ exponent = (uint8_t*) dnskey->dnskey.key + 1;
+ exponent_size = (size_t) ((uint8_t*) dnskey->dnskey.key)[0];
+
+ if (exponent_size <= 0) {
+ r = -EINVAL;
+ goto finish;
+ }
+
+ if (1 + exponent_size >= dnskey->dnskey.key_size) {
+ r = -EINVAL;
+ goto finish;
+ }
+
+ modulus = (uint8_t*) dnskey->dnskey.key + 1 + exponent_size;
+ modulus_size = dnskey->dnskey.key_size - 1 - exponent_size;
+ }
+
+ r = dnssec_rsa_verify(
+ gcry_md_algo_name(gcry_md_get_algo(md)),
+ rrsig->rrsig.signature, rrsig->rrsig.signature_size,
+ hash, hash_size,
+ exponent, exponent_size,
+ modulus, modulus_size);
+ if (r < 0)
+ goto finish;
+
+ r = r ? DNSSEC_VERIFIED : DNSSEC_INVALID;
+
+finish:
+ gcry_md_close(md);
+ return r;
+}
+
+int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey) {
+
+ assert(rrsig);
+ assert(dnskey);
+
+ /* Checks if the specified DNSKEY RR matches the key used for
+ * the signature in the specified RRSIG RR */
+
+ if (rrsig->key->type != DNS_TYPE_RRSIG)
+ return -EINVAL;
+
+ if (dnskey->key->type != DNS_TYPE_DNSKEY)
+ return 0;
+ if (dnskey->key->class != rrsig->key->class)
+ return 0;
+ if ((dnskey->dnskey.flags & DNSKEY_FLAG_ZONE_KEY) == 0)
+ return 0;
+ if (dnskey->dnskey.protocol != 3)
+ return 0;
+ if (dnskey->dnskey.algorithm != rrsig->rrsig.algorithm)
+ return 0;
+
+ if (dnssec_keytag(dnskey) != rrsig->rrsig.key_tag)
+ return 0;
+
+ return dns_name_equal(DNS_RESOURCE_KEY_NAME(dnskey->key), DNS_RESOURCE_KEY_NAME(rrsig->key));
+}
+
+int dnssec_key_match_rrsig(DnsResourceKey *key, DnsResourceRecord *rrsig) {
+ assert(key);
+ assert(rrsig);
+
+ /* Checks if the specified RRSIG RR protects the RRSet of the specified RR key. */
+
+ if (rrsig->key->type != DNS_TYPE_RRSIG)
+ return 0;
+ if (rrsig->key->class != key->class)
+ return 0;
+ if (rrsig->rrsig.type_covered != key->type)
+ return 0;
+
+ return dns_name_equal(DNS_RESOURCE_KEY_NAME(rrsig->key), DNS_RESOURCE_KEY_NAME(key));
+}
+
+int dnssec_verify_rrset_search(
+ DnsAnswer *a,
+ DnsResourceKey *key,
+ DnsAnswer *validated_dnskeys,
+ usec_t realtime) {
+
+ bool found_rrsig = false, found_dnskey = false;
+ DnsResourceRecord *rrsig;
+ int r;
+
+ assert(key);
+
+ /* Verifies all RRs from "a" that match the key "key", against DNSKEY RRs in "validated_dnskeys" */
+
+ if (!a || a->n_rrs <= 0)
+ return -ENODATA;
+
+ /* Iterate through each RRSIG RR. */
+ DNS_ANSWER_FOREACH(rrsig, a) {
+ DnsResourceRecord *dnskey;
+
+ r = dnssec_key_match_rrsig(key, rrsig);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ continue;
+
+ found_rrsig = true;
+
+ DNS_ANSWER_FOREACH(dnskey, validated_dnskeys) {
+
+ r = dnssec_rrsig_match_dnskey(rrsig, dnskey);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ continue;
+
+ found_dnskey = true;
+
+ /* Take the time here, if it isn't set yet, so
+ * that we do all validations with the same
+ * time. */
+ if (realtime == USEC_INFINITY)
+ realtime = now(CLOCK_REALTIME);
+
+ /* Yay, we found a matching RRSIG with a matching
+ * DNSKEY, awesome. Now let's verify all entries of
+ * the RRSet against the RRSIG and DNSKEY
+ * combination. */
+
+ r = dnssec_verify_rrset(a, key, rrsig, dnskey, realtime);
+ if (r < 0 && r != EOPNOTSUPP)
+ return r;
+ if (r == DNSSEC_VERIFIED)
+ return DNSSEC_VERIFIED;
+
+ /* If the signature is invalid, or done using
+ an unsupported algorithm, let's try another
+ key and/or signature. After all they
+ key_tags and stuff are not unique, and
+ might be shared by multiple keys. */
+ }
+ }
+
+ if (found_dnskey)
+ return DNSSEC_INVALID;
+
+ if (found_rrsig)
+ return DNSSEC_MISSING_KEY;
+
+ return DNSSEC_NO_SIGNATURE;
+}
+
+int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max) {
+ size_t c = 0;
+ int r;
+
+ /* Converts the specified hostname into DNSSEC canonicalized
+ * form. */
+
+ if (buffer_max < 2)
+ return -ENOBUFS;
+
+ for (;;) {
+ size_t i;
+
+ r = dns_label_unescape(&n, buffer, buffer_max);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ break;
+ if (r > 0) {
+ int k;
+
+ /* DNSSEC validation is always done on the ASCII version of the label */
+ k = dns_label_apply_idna(buffer, r, buffer, buffer_max);
+ if (k < 0)
+ return k;
+ if (k > 0)
+ r = k;
+ }
+
+ if (buffer_max < (size_t) r + 2)
+ return -ENOBUFS;
+
+ /* The DNSSEC canonical form is not clear on what to
+ * do with dots appearing in labels, the way DNS-SD
+ * does it. Refuse it for now. */
+
+ if (memchr(buffer, '.', r))
+ return -EINVAL;
+
+ for (i = 0; i < (size_t) r; i ++) {
+ if (buffer[i] >= 'A' && buffer[i] <= 'Z')
+ buffer[i] = buffer[i] - 'A' + 'a';
+ }
+
+ buffer[r] = '.';
+
+ buffer += r + 1;
+ c += r + 1;
+
+ buffer_max -= r + 1;
+ }
+
+ if (c <= 0) {
+ /* Not even a single label: this is the root domain name */
+
+ assert(buffer_max > 2);
+ buffer[0] = '.';
+ buffer[1] = 0;
+
+ return 1;
+ }
+
+ return (int) c;
+}
+
+int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds) {
+ gcry_md_hd_t md = NULL;
+ char owner_name[DNSSEC_CANONICAL_HOSTNAME_MAX];
+ void *result;
+ int r;
+
+ assert(dnskey);
+ assert(ds);
+
+ /* Implements DNSKEY verification by a DS, according to RFC 4035, section 5.2 */
+
+ if (dnskey->key->type != DNS_TYPE_DNSKEY)
+ return -EINVAL;
+ if (ds->key->type != DNS_TYPE_DS)
+ return -EINVAL;
+ if ((dnskey->dnskey.flags & DNSKEY_FLAG_ZONE_KEY) == 0)
+ return -EKEYREJECTED;
+ if (dnskey->dnskey.protocol != 3)
+ return -EKEYREJECTED;
+
+ if (!dnssec_algorithm_supported(dnskey->dnskey.algorithm))
+ return -EOPNOTSUPP;
+ if (!dnssec_digest_supported(ds->ds.digest_type))
+ return -EOPNOTSUPP;
+
+ if (dnskey->dnskey.algorithm != ds->ds.algorithm)
+ return 0;
+ if (dnssec_keytag(dnskey) != ds->ds.key_tag)
+ return 0;
+
+ switch (ds->ds.digest_type) {
+
+ case DNSSEC_DIGEST_SHA1:
+
+ if (ds->ds.digest_size != 20)
+ return 0;
+
+ gcry_md_open(&md, GCRY_MD_SHA1, 0);
+ break;
+
+ case DNSSEC_DIGEST_SHA256:
+
+ if (ds->ds.digest_size != 32)
+ return 0;
+
+ gcry_md_open(&md, GCRY_MD_SHA256, 0);
+ break;
+
+ default:
+ assert_not_reached("Unknown digest");
+ }
+
+ if (!md)
+ return -EIO;
+
+ r = dnssec_canonicalize(DNS_RESOURCE_KEY_NAME(dnskey->key), owner_name, sizeof(owner_name));
+ if (r < 0)
+ goto finish;
+
+ gcry_md_write(md, owner_name, r);
+ md_add_uint16(md, dnskey->dnskey.flags);
+ md_add_uint8(md, dnskey->dnskey.protocol);
+ md_add_uint8(md, dnskey->dnskey.algorithm);
+ gcry_md_write(md, dnskey->dnskey.key, dnskey->dnskey.key_size);
+
+ result = gcry_md_read(md, 0);
+ if (!result) {
+ r = -EIO;
+ goto finish;
+ }
+
+ r = memcmp(result, ds->ds.digest, ds->ds.digest_size) != 0;
+
+finish:
+ gcry_md_close(md);
+ return r;
+}
+
+static const char* const dnssec_mode_table[_DNSSEC_MODE_MAX] = {
+ [DNSSEC_NO] = "no",
+ [DNSSEC_TRUST] = "trust",
+ [DNSSEC_YES] = "yes",
+};
+DEFINE_STRING_TABLE_LOOKUP(dnssec_mode, DnssecMode);
diff --git a/src/resolve/resolved-dns-dnssec.h b/src/resolve/resolved-dns-dnssec.h
new file mode 100644
index 0000000000..f4cb58988a
--- /dev/null
+++ b/src/resolve/resolved-dns-dnssec.h
@@ -0,0 +1,67 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+#pragma once
+
+/***
+ This file is part of systemd.
+
+ Copyright 2015 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+typedef enum DnssecMode DnssecMode;
+
+#include "dns-domain.h"
+#include "resolved-dns-answer.h"
+#include "resolved-dns-rr.h"
+
+enum DnssecMode {
+ /* No DNSSEC validation is done */
+ DNSSEC_NO,
+
+ /* Trust the AD bit sent by the server. UNSAFE! */
+ DNSSEC_TRUST,
+
+ /* Validate locally, if the server knows DO, but if not, don't. Don't trust the AD bit */
+ DNSSEC_YES,
+
+ _DNSSEC_MODE_MAX,
+ _DNSSEC_MODE_INVALID = -1
+};
+
+enum {
+ DNSSEC_VERIFIED,
+ DNSSEC_INVALID,
+ DNSSEC_NO_SIGNATURE,
+ DNSSEC_MISSING_KEY,
+ DNSSEC_SIGNATURE_EXPIRED,
+};
+
+#define DNSSEC_CANONICAL_HOSTNAME_MAX (DNS_HOSTNAME_MAX + 2)
+
+int dnssec_rrsig_match_dnskey(DnsResourceRecord *rrsig, DnsResourceRecord *dnskey);
+int dnssec_key_match_rrsig(DnsResourceKey *key, DnsResourceRecord *rrsig);
+
+int dnssec_verify_rrset(DnsAnswer *answer, DnsResourceKey *key, DnsResourceRecord *rrsig, DnsResourceRecord *dnskey, usec_t realtime);
+int dnssec_verify_rrset_search(DnsAnswer *a, DnsResourceKey *key, DnsAnswer *validated_dnskeys, usec_t realtime);
+
+int dnssec_verify_dnskey(DnsResourceRecord *dnskey, DnsResourceRecord *ds);
+
+uint16_t dnssec_keytag(DnsResourceRecord *dnskey);
+
+int dnssec_canonicalize(const char *n, char *buffer, size_t buffer_max);
+
+const char* dnssec_mode_to_string(DnssecMode m) _const_;
+DnssecMode dnssec_mode_from_string(const char *s) _pure_;
diff --git a/src/resolve/resolved-dns-packet.c b/src/resolve/resolved-dns-packet.c
index 75ca23fd08..f753b3522f 100644
--- a/src/resolve/resolved-dns-packet.c
+++ b/src/resolve/resolved-dns-packet.c
@@ -65,30 +65,44 @@ int dns_packet_new(DnsPacket **ret, DnsProtocol protocol, size_t mtu) {
return 0;
}
-int dns_packet_new_query(DnsPacket **ret, DnsProtocol protocol, size_t mtu) {
- DnsPacket *p;
- DnsPacketHeader *h;
- int r;
+void dns_packet_set_flags(DnsPacket *p, bool dnssec_checking_disabled, bool truncated) {
- assert(ret);
+ DnsPacketHeader *h;
- r = dns_packet_new(&p, protocol, mtu);
- if (r < 0)
- return r;
+ assert(p);
h = DNS_PACKET_HEADER(p);
- if (protocol == DNS_PROTOCOL_LLMNR)
+ switch(p->protocol) {
+ case DNS_PROTOCOL_LLMNR:
+ assert(!truncated);
+
h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
0 /* opcode */,
0 /* c */,
- 0 /* tc */,
+ 0/* tc */,
0 /* t */,
0 /* ra */,
0 /* ad */,
0 /* cd */,
0 /* rcode */));
- else
+ break;
+
+ case DNS_PROTOCOL_MDNS:
+ h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
+ 0 /* opcode */,
+ 0 /* aa */,
+ truncated /* tc */,
+ 0 /* rd (ask for recursion) */,
+ 0 /* ra */,
+ 0 /* ad */,
+ 0 /* cd */,
+ 0 /* rcode */));
+ break;
+
+ default:
+ assert(!truncated);
+
h->flags = htobe16(DNS_PACKET_MAKE_FLAGS(0 /* qr */,
0 /* opcode */,
0 /* aa */,
@@ -96,8 +110,25 @@ int dns_packet_new_query(DnsPacket **ret, DnsProtocol protocol, size_t mtu) {
1 /* rd (ask for recursion) */,
0 /* ra */,
0 /* ad */,
- 0 /* cd */,
+ dnssec_checking_disabled /* cd */,
0 /* rcode */));
+ }
+}
+
+int dns_packet_new_query(DnsPacket **ret, DnsProtocol protocol, size_t mtu, bool dnssec_checking_disabled) {
+ DnsPacket *p;
+ int r;
+
+ assert(ret);
+
+ r = dns_packet_new(&p, protocol, mtu);
+ if (r < 0)
+ return r;
+
+ /* Always set the TC bit to 0 initially.
+ * If there are multiple packets later, we'll update the bit shortly before sending.
+ */
+ dns_packet_set_flags(p, dnssec_checking_disabled, false);
*ret = p;
return 0;
@@ -108,6 +139,8 @@ DnsPacket *dns_packet_ref(DnsPacket *p) {
if (!p)
return NULL;
+ assert(!p->on_stack);
+
assert(p->n_ref > 0);
p->n_ref++;
return p;
@@ -126,7 +159,9 @@ static void dns_packet_free(DnsPacket *p) {
hashmap_free(p->names);
free(p->_data);
- free(p);
+
+ if (!p->on_stack)
+ free(p);
}
DnsPacket *dns_packet_unref(DnsPacket *p) {
@@ -135,6 +170,9 @@ DnsPacket *dns_packet_unref(DnsPacket *p) {
assert(p->n_ref > 0);
+ if (p->more)
+ dns_packet_unref(p->more);
+
if (p->n_ref == 1)
dns_packet_free(p);
else
@@ -178,6 +216,13 @@ int dns_packet_validate_reply(DnsPacket *p) {
break;
+ case DNS_PROTOCOL_MDNS:
+ /* RFC 6762, Section 18 */
+ if (DNS_PACKET_RCODE(p) != 0)
+ return -EBADMSG;
+
+ break;
+
default:
break;
}
@@ -219,6 +264,18 @@ int dns_packet_validate_query(DnsPacket *p) {
break;
+ case DNS_PROTOCOL_MDNS:
+ /* RFC 6762, Section 18 */
+ if (DNS_PACKET_AA(p) != 0 ||
+ DNS_PACKET_RD(p) != 0 ||
+ DNS_PACKET_RA(p) != 0 ||
+ DNS_PACKET_AD(p) != 0 ||
+ DNS_PACKET_CD(p) != 0 ||
+ DNS_PACKET_RCODE(p) != 0)
+ return -EBADMSG;
+
+ break;
+
default:
break;
}
@@ -351,25 +408,10 @@ int dns_packet_append_uint32(DnsPacket *p, uint32_t v, size_t *start) {
}
int dns_packet_append_string(DnsPacket *p, const char *s, size_t *start) {
- void *d;
- size_t l;
- int r;
-
assert(p);
assert(s);
- l = strlen(s);
- if (l > 255)
- return -E2BIG;
-
- r = dns_packet_extend(p, 1 + l, &d, start);
- if (r < 0)
- return r;
-
- ((uint8_t*) d)[0] = (uint8_t) l;
- memcpy(((uint8_t*) d) + 1, s, l);
-
- return 0;
+ return dns_packet_append_raw_string(p, s, strlen(s), start);
}
int dns_packet_append_raw_string(DnsPacket *p, const void *s, size_t size, size_t *start) {
@@ -395,7 +437,7 @@ int dns_packet_append_raw_string(DnsPacket *p, const void *s, size_t size, size_
}
int dns_packet_append_label(DnsPacket *p, const char *d, size_t l, size_t *start) {
- void *w;
+ uint8_t *w;
int r;
assert(p);
@@ -404,12 +446,29 @@ int dns_packet_append_label(DnsPacket *p, const char *d, size_t l, size_t *start
if (l > DNS_LABEL_MAX)
return -E2BIG;
- r = dns_packet_extend(p, 1 + l, &w, start);
+ r = dns_packet_extend(p, 1 + l, (void**) &w, start);
if (r < 0)
return r;
- ((uint8_t*) w)[0] = (uint8_t) l;
- memcpy(((uint8_t*) w) + 1, d, l);
+ *(w++) = (uint8_t) l;
+
+ if (p->canonical_form) {
+ size_t i;
+
+ /* Generate in canonical form, as defined by DNSSEC
+ * RFC 4034, Section 6.2, i.e. all lower-case. */
+
+ for (i = 0; i < l; i++) {
+ if (d[i] >= 'A' && d[i] <= 'Z')
+ w[i] = (uint8_t) (d[i] - 'A' + 'a');
+ else
+ w[i] = (uint8_t) d[i];
+ }
+ } else
+ /* Otherwise, just copy the string unaltered. This is
+ * essential for DNS-SD, where the casing of labels
+ * matters and needs to be retained. */
+ memcpy(w, d, l);
return 0;
}
@@ -662,8 +721,8 @@ fail:
return r;
}
-int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *start) {
- size_t saved_size, rdlength_offset, end, rdlength;
+int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *start, size_t *rdata_start) {
+ size_t saved_size, rdlength_offset, end, rdlength, rds;
int r;
assert(p);
@@ -684,6 +743,8 @@ int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *star
if (r < 0)
goto fail;
+ rds = p->size - saved_size;
+
switch (rr->unparseable ? _DNS_TYPE_INVALID : rr->key->type) {
case DNS_TYPE_SRV:
@@ -841,11 +902,11 @@ int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *star
break;
case DNS_TYPE_DNSKEY:
- r = dns_packet_append_uint16(p, dnskey_to_flags(rr), NULL);
+ r = dns_packet_append_uint16(p, rr->dnskey.flags, NULL);
if (r < 0)
goto fail;
- r = dns_packet_append_uint8(p, 3u, NULL);
+ r = dns_packet_append_uint8(p, rr->dnskey.protocol, NULL);
if (r < 0)
goto fail;
@@ -962,6 +1023,9 @@ int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *star
if (start)
*start = saved_size;
+ if (rdata_start)
+ *rdata_start = rds;
+
return 0;
fail:
@@ -1381,6 +1445,7 @@ fail:
int dns_packet_read_key(DnsPacket *p, DnsResourceKey **ret, size_t *start) {
_cleanup_free_ char *name = NULL;
+ bool cache_flush = false;
uint16_t class, type;
DnsResourceKey *key;
size_t saved_rindex;
@@ -1403,12 +1468,23 @@ int dns_packet_read_key(DnsPacket *p, DnsResourceKey **ret, size_t *start) {
if (r < 0)
goto fail;
+ if (p->protocol == DNS_PROTOCOL_MDNS) {
+ /* See RFC6762, Section 10.2 */
+
+ if (class & MDNS_RR_CACHE_FLUSH) {
+ class &= ~MDNS_RR_CACHE_FLUSH;
+ cache_flush = true;
+ }
+ }
+
key = dns_resource_key_new_consume(class, type, name);
if (!key) {
r = -ENOMEM;
goto fail;
}
+ key->cache_flush = cache_flush;
+
name = NULL;
*ret = key;
@@ -1427,17 +1503,6 @@ static bool loc_size_ok(uint8_t size) {
return m <= 9 && e <= 9 && (m > 0 || e == 0);
}
-static int dnskey_parse_flags(DnsResourceRecord *rr, uint16_t flags) {
- assert(rr);
-
- if (flags & ~(DNSKEY_FLAG_SEP | DNSKEY_FLAG_ZONE_KEY))
- return -EBADMSG;
-
- rr->dnskey.zone_key_flag = flags & DNSKEY_FLAG_ZONE_KEY;
- rr->dnskey.sep_flag = flags & DNSKEY_FLAG_SEP;
- return 0;
-}
-
int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
_cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
_cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
@@ -1706,28 +1771,15 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
break;
- case DNS_TYPE_DNSKEY: {
- uint16_t flags;
- uint8_t proto;
-
- r = dns_packet_read_uint16(p, &flags, NULL);
- if (r < 0)
- goto fail;
-
- r = dnskey_parse_flags(rr, flags);
+ case DNS_TYPE_DNSKEY:
+ r = dns_packet_read_uint16(p, &rr->dnskey.flags, NULL);
if (r < 0)
goto fail;
- r = dns_packet_read_uint8(p, &proto, NULL);
+ r = dns_packet_read_uint8(p, &rr->dnskey.protocol, NULL);
if (r < 0)
goto fail;
- /* protocol is required to be always 3 */
- if (proto != 3) {
- r = -EBADMSG;
- goto fail;
- }
-
r = dns_packet_read_uint8(p, &rr->dnskey.algorithm, NULL);
if (r < 0)
goto fail;
@@ -1744,7 +1796,6 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
}
break;
- }
case DNS_TYPE_RRSIG:
r = dns_packet_read_uint16(p, &rr->rrsig.type_covered, NULL);
@@ -1792,8 +1843,16 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
break;
- case DNS_TYPE_NSEC:
- r = dns_packet_read_name(p, &rr->nsec.next_domain_name, false, NULL);
+ case DNS_TYPE_NSEC: {
+
+ /*
+ * RFC6762, section 18.14 explicly states mDNS should use name compression.
+ * This contradicts RFC3845, section 2.1.1
+ */
+
+ bool allow_compressed = p->protocol == DNS_PROTOCOL_MDNS;
+
+ r = dns_packet_read_name(p, &rr->nsec.next_domain_name, allow_compressed, NULL);
if (r < 0)
goto fail;
@@ -1806,7 +1865,7 @@ int dns_packet_read_rr(DnsPacket *p, DnsResourceRecord **ret, size_t *start) {
* without the NSEC bit set. */
break;
-
+ }
case DNS_TYPE_NSEC3: {
uint8_t size;
@@ -1976,17 +2035,3 @@ static const char* const dns_protocol_table[_DNS_PROTOCOL_MAX] = {
[DNS_PROTOCOL_LLMNR] = "llmnr",
};
DEFINE_STRING_TABLE_LOOKUP(dns_protocol, DnsProtocol);
-
-static const char* const dnssec_algorithm_table[_DNSSEC_ALGORITHM_MAX_DEFINED] = {
- [DNSSEC_ALGORITHM_RSAMD5] = "RSAMD5",
- [DNSSEC_ALGORITHM_DH] = "DH",
- [DNSSEC_ALGORITHM_DSA] = "DSA",
- [DNSSEC_ALGORITHM_ECC] = "ECC",
- [DNSSEC_ALGORITHM_RSASHA1] = "RSASHA1",
- [DNSSEC_ALGORITHM_DSA_NSEC3_SHA1] = "DSA-NSEC3-SHA1",
- [DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1] = "RSASHA1-NSEC3-SHA1",
- [DNSSEC_ALGORITHM_INDIRECT] = "INDIRECT",
- [DNSSEC_ALGORITHM_PRIVATEDNS] = "PRIVATEDNS",
- [DNSSEC_ALGORITHM_PRIVATEOID] = "PRIVATEOID",
-};
-DEFINE_STRING_TABLE_LOOKUP(dnssec_algorithm, int);
diff --git a/src/resolve/resolved-dns-packet.h b/src/resolve/resolved-dns-packet.h
index 25dfb2642f..3d84cb622b 100644
--- a/src/resolve/resolved-dns-packet.h
+++ b/src/resolve/resolved-dns-packet.h
@@ -88,8 +88,13 @@ struct DnsPacket {
uint16_t sender_port, destination_port;
uint32_t ttl;
- bool extracted;
- bool refuse_compression;
+ /* For support of truncated packets */
+ DnsPacket *more;
+
+ bool on_stack:1;
+ bool extracted:1;
+ bool refuse_compression:1;
+ bool canonical_form:1;
};
static inline uint8_t* DNS_PACKET_DATA(DnsPacket *p) {
@@ -142,7 +147,9 @@ static inline unsigned DNS_PACKET_RRCOUNT(DnsPacket *p) {
}
int dns_packet_new(DnsPacket **p, DnsProtocol protocol, size_t mtu);
-int dns_packet_new_query(DnsPacket **p, DnsProtocol protocol, size_t mtu);
+int dns_packet_new_query(DnsPacket **p, DnsProtocol protocol, size_t mtu, bool dnssec_checking_disabled);
+
+void dns_packet_set_flags(DnsPacket *p, bool dnssec_checking_disabled, bool truncated);
DnsPacket *dns_packet_ref(DnsPacket *p);
DnsPacket *dns_packet_unref(DnsPacket *p);
@@ -162,7 +169,7 @@ int dns_packet_append_raw_string(DnsPacket *p, const void *s, size_t size, size_
int dns_packet_append_label(DnsPacket *p, const char *s, size_t l, size_t *start);
int dns_packet_append_name(DnsPacket *p, const char *name, bool allow_compression, size_t *start);
int dns_packet_append_key(DnsPacket *p, const DnsResourceKey *key, size_t *start);
-int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *start);
+int dns_packet_append_rr(DnsPacket *p, const DnsResourceRecord *rr, size_t *start, size_t *rdata_start);
int dns_packet_append_opt_rr(DnsPacket *p, uint16_t max_udp_size, bool edns0_do, size_t *start);
void dns_packet_truncate(DnsPacket *p, size_t sz);
@@ -223,42 +230,25 @@ DnsProtocol dns_protocol_from_string(const char *s) _pure_;
#define LLMNR_MULTICAST_IPV4_ADDRESS ((struct in_addr) { .s_addr = htobe32(224U << 24 | 252U) })
#define LLMNR_MULTICAST_IPV6_ADDRESS ((struct in6_addr) { .s6_addr = { 0xFF, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x03 } })
-#define DNSKEY_FLAG_ZONE_KEY (1u << 8)
-#define DNSKEY_FLAG_SEP (1u << 0)
-
-static inline uint16_t dnskey_to_flags(const DnsResourceRecord *rr) {
- return (rr->dnskey.zone_key_flag * DNSKEY_FLAG_ZONE_KEY |
- rr->dnskey.sep_flag * DNSKEY_FLAG_SEP);
-}
-
-/* http://tools.ietf.org/html/rfc4034#appendix-A.1 */
-enum {
- DNSSEC_ALGORITHM_RSAMD5 = 1,
- DNSSEC_ALGORITHM_DH,
- DNSSEC_ALGORITHM_DSA,
- DNSSEC_ALGORITHM_ECC,
- DNSSEC_ALGORITHM_RSASHA1,
- DNSSEC_ALGORITHM_DSA_NSEC3_SHA1,
- DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1,
- DNSSEC_ALGORITHM_INDIRECT = 252,
- DNSSEC_ALGORITHM_PRIVATEDNS,
- DNSSEC_ALGORITHM_PRIVATEOID,
- _DNSSEC_ALGORITHM_MAX_DEFINED
-};
+#define MDNS_MULTICAST_IPV4_ADDRESS ((struct in_addr) { .s_addr = htobe32(224U << 24 | 251U) })
+#define MDNS_MULTICAST_IPV6_ADDRESS ((struct in6_addr) { .s6_addr = { 0xFF, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0xfb } })
-const char* dnssec_algorithm_to_string(int i) _const_;
-int dnssec_algorithm_from_string(const char *s) _pure_;
+static inline uint64_t SD_RESOLVED_FLAGS_MAKE(DnsProtocol protocol, int family, bool authenticated) {
+ uint64_t f;
-static inline uint64_t SD_RESOLVED_FLAGS_MAKE(DnsProtocol protocol, int family) {
+ /* Converts a protocol + family into a flags field as used in queries and responses */
- /* Converts a protocol + family into a flags field as used in queries */
+ f = authenticated ? SD_RESOLVED_AUTHENTICATED : 0;
switch (protocol) {
case DNS_PROTOCOL_DNS:
- return SD_RESOLVED_DNS;
+ return f|SD_RESOLVED_DNS;
case DNS_PROTOCOL_LLMNR:
- return family == AF_INET6 ? SD_RESOLVED_LLMNR_IPV6 : SD_RESOLVED_LLMNR_IPV4;
+ return f|(family == AF_INET6 ? SD_RESOLVED_LLMNR_IPV6 : SD_RESOLVED_LLMNR_IPV4);
+
+ case DNS_PROTOCOL_MDNS:
+ return family == AF_INET6 ? SD_RESOLVED_MDNS_IPV6 : SD_RESOLVED_MDNS_IPV4;
default:
break;
diff --git a/src/resolve/resolved-dns-query.c b/src/resolve/resolved-dns-query.c
index a96cf439ad..089d9fb70d 100644
--- a/src/resolve/resolved-dns-query.c
+++ b/src/resolve/resolved-dns-query.c
@@ -86,7 +86,6 @@ DnsQueryCandidate* dns_query_candidate_free(DnsQueryCandidate *c) {
}
static int dns_query_candidate_next_search_domain(DnsQueryCandidate *c) {
- _cleanup_(dns_search_domain_unrefp) DnsSearchDomain *previous = NULL;
DnsSearchDomain *next = NULL;
assert(c);
@@ -431,15 +430,17 @@ static int dns_query_add_candidate(DnsQuery *q, DnsScope *s) {
return r;
/* If this a single-label domain on DNS, we might append a suitable search domain first. */
- r = dns_scope_name_needs_search_domain(s, dns_question_first_name(q->question));
- if (r < 0)
- goto fail;
- if (r > 0) {
- /* OK, we need a search domain now. Let's find one for this scope */
-
- r = dns_query_candidate_next_search_domain(c);
- if (r <= 0) /* if there's no search domain, then we won't add any transaction. */
+ if ((q->flags & SD_RESOLVED_NO_SEARCH) == 0) {
+ r = dns_scope_name_needs_search_domain(s, dns_question_first_name(q->question));
+ if (r < 0)
goto fail;
+ if (r > 0) {
+ /* OK, we need a search domain now. Let's find one for this scope */
+
+ r = dns_query_candidate_next_search_domain(c);
+ if (r <= 0) /* if there's no search domain, then we won't add any transaction. */
+ goto fail;
+ }
}
r = dns_query_candidate_setup_transactions(c);
@@ -971,6 +972,7 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
DnsTransactionState state = DNS_TRANSACTION_NO_SERVERS;
DnsTransaction *t;
Iterator i;
+ bool has_authenticated = false, has_non_authenticated = false;
assert(q);
@@ -998,6 +1000,11 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
q->answer = merged;
q->answer_rcode = t->answer_rcode;
+ if (t->answer_authenticated)
+ has_authenticated = true;
+ else
+ has_non_authenticated = true;
+
state = DNS_TRANSACTION_SUCCESS;
break;
}
@@ -1027,6 +1034,7 @@ static void dns_query_accept(DnsQuery *q, DnsQueryCandidate *c) {
q->answer_protocol = c->scope->protocol;
q->answer_family = c->scope->family;
+ q->answer_authenticated = has_authenticated && !has_non_authenticated;
dns_search_domain_unref(q->answer_search_domain);
q->answer_search_domain = dns_search_domain_ref(c->search_domain);
diff --git a/src/resolve/resolved-dns-query.h b/src/resolve/resolved-dns-query.h
index a9d7904a8d..b71bb2352b 100644
--- a/src/resolve/resolved-dns-query.h
+++ b/src/resolve/resolved-dns-query.h
@@ -75,6 +75,7 @@ struct DnsQuery {
DnsProtocol answer_protocol;
int answer_family;
DnsSearchDomain *answer_search_domain;
+ bool answer_authenticated;
/* Bus client information */
sd_bus_message *request;
diff --git a/src/resolve/resolved-dns-question.h b/src/resolve/resolved-dns-question.h
index e77116c03a..5ffb63e250 100644
--- a/src/resolve/resolved-dns-question.h
+++ b/src/resolve/resolved-dns-question.h
@@ -23,9 +23,10 @@
typedef struct DnsQuestion DnsQuestion;
+#include "macro.h"
#include "resolved-dns-rr.h"
-/* A simple array of resources keys */
+/* A simple array of resource keys */
struct DnsQuestion {
unsigned n_ref;
@@ -55,10 +56,12 @@ const char *dns_question_first_name(DnsQuestion *q);
DEFINE_TRIVIAL_CLEANUP_FUNC(DnsQuestion*, dns_question_unref);
-#define DNS_QUESTION_FOREACH(key, q) \
- for (unsigned _i = ({ \
+#define _DNS_QUESTION_FOREACH(u, key, q) \
+ for (unsigned UNIQ_T(i, u) = ({ \
(key) = ((q) && (q)->n_keys > 0) ? (q)->keys[0] : NULL; \
0; \
}); \
- (q) && ((_i) < (q)->n_keys); \
- _i++, (key) = (_i < (q)->n_keys ? (q)->keys[_i] : NULL))
+ (q) && (UNIQ_T(i, u) < (q)->n_keys); \
+ UNIQ_T(i, u)++, (key) = (UNIQ_T(i, u) < (q)->n_keys ? (q)->keys[UNIQ_T(i, u)] : NULL))
+
+#define DNS_QUESTION_FOREACH(key, q) _DNS_QUESTION_FOREACH(UNIQ, key, q)
diff --git a/src/resolve/resolved-dns-rr.c b/src/resolve/resolved-dns-rr.c
index 4a1abb0cdc..934a18334c 100644
--- a/src/resolve/resolved-dns-rr.c
+++ b/src/resolve/resolved-dns-rr.c
@@ -27,6 +27,7 @@
#include "hexdecoct.h"
#include "resolved-dns-packet.h"
#include "resolved-dns-rr.h"
+#include "string-table.h"
#include "string-util.h"
#include "strv.h"
@@ -50,12 +51,6 @@ DnsResourceKey* dns_resource_key_new(uint16_t class, uint16_t type, const char *
return k;
}
-DnsResourceKey* dns_resource_key_new_cname(const DnsResourceKey *key) {
- assert(key);
-
- return dns_resource_key_new(key->class, DNS_TYPE_CNAME, DNS_RESOURCE_KEY_NAME(key));
-}
-
DnsResourceKey* dns_resource_key_new_redirect(const DnsResourceKey *key, const DnsResourceRecord *cname) {
int r;
@@ -136,6 +131,10 @@ DnsResourceKey* dns_resource_key_ref(DnsResourceKey *k) {
if (!k)
return NULL;
+ /* Static/const keys created with DNS_RESOURCE_KEY_CONST will
+ * set this to -1, they should not be reffed/unreffed */
+ assert(k->n_ref != (unsigned) -1);
+
assert(k->n_ref > 0);
k->n_ref++;
@@ -146,6 +145,7 @@ DnsResourceKey* dns_resource_key_unref(DnsResourceKey *k) {
if (!k)
return NULL;
+ assert(k->n_ref != (unsigned) -1);
assert(k->n_ref > 0);
if (k->n_ref == 1) {
@@ -157,6 +157,14 @@ DnsResourceKey* dns_resource_key_unref(DnsResourceKey *k) {
return NULL;
}
+bool dns_resource_key_is_address(const DnsResourceKey *key) {
+ assert(key);
+
+ /* Check if this is an A or AAAA resource key */
+
+ return key->class == DNS_CLASS_IN && IN_SET(key->type, DNS_TYPE_A, DNS_TYPE_AAAA);
+}
+
int dns_resource_key_equal(const DnsResourceKey *a, const DnsResourceKey *b) {
int r;
@@ -416,6 +424,7 @@ DnsResourceRecord* dns_resource_record_unref(DnsResourceRecord *rr) {
free(rr->generic.data);
}
+ free(rr->wire_format);
dns_resource_key_unref(rr->key);
}
@@ -576,8 +585,8 @@ int dns_resource_record_equal(const DnsResourceRecord *a, const DnsResourceRecor
memcmp(a->sshfp.fingerprint, b->sshfp.fingerprint, a->sshfp.fingerprint_size) == 0;
case DNS_TYPE_DNSKEY:
- return a->dnskey.zone_key_flag == b->dnskey.zone_key_flag &&
- a->dnskey.sep_flag == b->dnskey.sep_flag &&
+ return a->dnskey.flags == b->dnskey.flags &&
+ a->dnskey.protocol == b->dnskey.protocol &&
a->dnskey.algorithm == b->dnskey.algorithm &&
a->dnskey.key_size == b->dnskey.key_size &&
memcmp(a->dnskey.key, b->dnskey.key, a->dnskey.key_size) == 0;
@@ -883,9 +892,10 @@ int dns_resource_record_to_string(const DnsResourceRecord *rr, char **ret) {
if (!t)
return -ENOMEM;
- r = asprintf(&s, "%s %u 3 %.*s%.*u %s",
+ r = asprintf(&s, "%s %u %u %.*s%.*u %s",
k,
- dnskey_to_flags(rr),
+ rr->dnskey.flags,
+ rr->dnskey.protocol,
alg ? -1 : 0, alg,
alg ? 0 : 1, alg ? 0u : (unsigned) rr->dnskey.algorithm,
t);
@@ -993,6 +1003,51 @@ int dns_resource_record_to_string(const DnsResourceRecord *rr, char **ret) {
return 0;
}
+int dns_resource_record_to_wire_format(DnsResourceRecord *rr, bool canonical) {
+
+ DnsPacket packet = {
+ .n_ref = 1,
+ .protocol = DNS_PROTOCOL_DNS,
+ .on_stack = true,
+ .refuse_compression = true,
+ .canonical_form = canonical,
+ };
+
+ size_t start, rds;
+ int r;
+
+ assert(rr);
+
+ /* Generates the RR in wire-format, optionally in the
+ * canonical form as discussed in the DNSSEC RFC 4034, Section
+ * 6.2. We allocate a throw-away DnsPacket object on the stack
+ * here, because we need some book-keeping for memory
+ * management, and can reuse the DnsPacket serializer, that
+ * can generate the canonical form, too, but also knows label
+ * compression and suchlike. */
+
+ if (rr->wire_format && rr->wire_format_canonical == canonical)
+ return 0;
+
+ r = dns_packet_append_rr(&packet, rr, &start, &rds);
+ if (r < 0)
+ return r;
+
+ assert(start == 0);
+ assert(packet._data);
+
+ free(rr->wire_format);
+ rr->wire_format = packet._data;
+ rr->wire_format_size = packet.size;
+ rr->wire_format_rdata_offset = rds;
+ rr->wire_format_canonical = canonical;
+
+ packet._data = NULL;
+ dns_packet_unref(&packet);
+
+ return 0;
+}
+
const char *dns_class_to_string(uint16_t class) {
switch (class) {
@@ -1049,3 +1104,25 @@ bool dns_txt_item_equal(DnsTxtItem *a, DnsTxtItem *b) {
return dns_txt_item_equal(a->items_next, b->items_next);
}
+
+static const char* const dnssec_algorithm_table[_DNSSEC_ALGORITHM_MAX_DEFINED] = {
+ [DNSSEC_ALGORITHM_RSAMD5] = "RSAMD5",
+ [DNSSEC_ALGORITHM_DH] = "DH",
+ [DNSSEC_ALGORITHM_DSA] = "DSA",
+ [DNSSEC_ALGORITHM_ECC] = "ECC",
+ [DNSSEC_ALGORITHM_RSASHA1] = "RSASHA1",
+ [DNSSEC_ALGORITHM_DSA_NSEC3_SHA1] = "DSA-NSEC3-SHA1",
+ [DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1] = "RSASHA1-NSEC3-SHA1",
+ [DNSSEC_ALGORITHM_RSASHA256] = "RSASHA256",
+ [DNSSEC_ALGORITHM_RSASHA512] = "RSASHA512",
+ [DNSSEC_ALGORITHM_INDIRECT] = "INDIRECT",
+ [DNSSEC_ALGORITHM_PRIVATEDNS] = "PRIVATEDNS",
+ [DNSSEC_ALGORITHM_PRIVATEOID] = "PRIVATEOID",
+};
+DEFINE_STRING_TABLE_LOOKUP(dnssec_algorithm, int);
+
+static const char* const dnssec_digest_table[_DNSSEC_DIGEST_MAX_DEFINED] = {
+ [DNSSEC_DIGEST_SHA1] = "SHA1",
+ [DNSSEC_DIGEST_SHA256] = "SHA256",
+};
+DEFINE_STRING_TABLE_LOOKUP(dnssec_digest, int);
diff --git a/src/resolve/resolved-dns-rr.h b/src/resolve/resolved-dns-rr.h
index a092961823..5c2306ba96 100644
--- a/src/resolve/resolved-dns-rr.h
+++ b/src/resolve/resolved-dns-rr.h
@@ -41,12 +41,60 @@ enum {
_DNS_CLASS_INVALID = -1
};
+/* DNSKEY RR flags */
+#define DNSKEY_FLAG_ZONE_KEY (UINT16_C(1) << 8)
+#define DNSKEY_FLAG_SEP (UINT16_C(1) << 0)
+
+/* mDNS RR flags */
+#define MDNS_RR_CACHE_FLUSH (UINT16_C(1) << 15)
+
+/* DNSSEC algorithm identifiers, see
+ * http://tools.ietf.org/html/rfc4034#appendix-A.1 and
+ * https://www.iana.org/assignments/dns-sec-alg-numbers/dns-sec-alg-numbers.xhtml */
+enum {
+ DNSSEC_ALGORITHM_RSAMD5 = 1,
+ DNSSEC_ALGORITHM_DH,
+ DNSSEC_ALGORITHM_DSA,
+ DNSSEC_ALGORITHM_ECC,
+ DNSSEC_ALGORITHM_RSASHA1,
+ DNSSEC_ALGORITHM_DSA_NSEC3_SHA1,
+ DNSSEC_ALGORITHM_RSASHA1_NSEC3_SHA1,
+ DNSSEC_ALGORITHM_RSASHA256 = 8, /* RFC 5702 */
+ DNSSEC_ALGORITHM_RSASHA512 = 10, /* RFC 5702 */
+ DNSSEC_ALGORITHM_INDIRECT = 252,
+ DNSSEC_ALGORITHM_PRIVATEDNS,
+ DNSSEC_ALGORITHM_PRIVATEOID,
+ _DNSSEC_ALGORITHM_MAX_DEFINED
+};
+
+/* DNSSEC digest identifiers, see
+ * https://www.iana.org/assignments/ds-rr-types/ds-rr-types.xhtml */
+enum {
+ DNSSEC_DIGEST_SHA1 = 1,
+ DNSSEC_DIGEST_SHA256 = 2,
+ _DNSSEC_DIGEST_MAX_DEFINED
+};
+
struct DnsResourceKey {
unsigned n_ref;
uint16_t class, type;
char *_name; /* don't access directy, use DNS_RESOURCE_KEY_NAME()! */
+ bool cache_flush:1;
};
+/* Creates a temporary resource key. This is only useful to quickly
+ * look up something, without allocating a full DnsResourceKey object
+ * for it. Note that it is not OK to take references to this kind of
+ * resource key object. */
+#define DNS_RESOURCE_KEY_CONST(c, t, n) \
+ ((DnsResourceKey) { \
+ .n_ref = (unsigned) -1, \
+ .class = c, \
+ .type = t, \
+ ._name = (char*) n, \
+ })
+
+
struct DnsTxtItem {
size_t length;
LIST_FIELDS(DnsTxtItem, items);
@@ -57,7 +105,11 @@ struct DnsResourceRecord {
unsigned n_ref;
DnsResourceKey *key;
uint32_t ttl;
- bool unparseable;
+ bool unparseable:1;
+ bool wire_format_canonical:1;
+ void *wire_format;
+ size_t wire_format_size;
+ size_t wire_format_rdata_offset;
union {
struct {
void *data;
@@ -135,8 +187,8 @@ struct DnsResourceRecord {
/* http://tools.ietf.org/html/rfc4034#section-2.1 */
struct {
- bool zone_key_flag:1;
- bool sep_flag:1;
+ uint16_t flags;
+ uint8_t protocol;
uint8_t algorithm;
void* key;
size_t key_size;
@@ -186,19 +238,22 @@ static inline const char* DNS_RESOURCE_KEY_NAME(const DnsResourceKey *key) {
}
DnsResourceKey* dns_resource_key_new(uint16_t class, uint16_t type, const char *name);
-DnsResourceKey* dns_resource_key_new_cname(const DnsResourceKey *key);
-DnsResourceKey* dns_resource_key_new_dname(const DnsResourceKey *key);
DnsResourceKey* dns_resource_key_new_redirect(const DnsResourceKey *key, const DnsResourceRecord *cname);
int dns_resource_key_new_append_suffix(DnsResourceKey **ret, DnsResourceKey *key, char *name);
DnsResourceKey* dns_resource_key_new_consume(uint16_t class, uint16_t type, char *name);
DnsResourceKey* dns_resource_key_ref(DnsResourceKey *key);
DnsResourceKey* dns_resource_key_unref(DnsResourceKey *key);
+bool dns_resource_key_is_address(const DnsResourceKey *key);
int dns_resource_key_equal(const DnsResourceKey *a, const DnsResourceKey *b);
int dns_resource_key_match_rr(const DnsResourceKey *key, const DnsResourceRecord *rr, const char *search_domain);
int dns_resource_key_match_cname(const DnsResourceKey *key, const DnsResourceRecord *rr, const char *search_domain);
int dns_resource_key_to_string(const DnsResourceKey *key, char **ret);
DEFINE_TRIVIAL_CLEANUP_FUNC(DnsResourceKey*, dns_resource_key_unref);
+static inline bool dns_key_is_shared(const DnsResourceKey *key) {
+ return IN_SET(key->type, DNS_TYPE_PTR);
+}
+
DnsResourceRecord* dns_resource_record_new(DnsResourceKey *key);
DnsResourceRecord* dns_resource_record_new_full(uint16_t class, uint16_t type, const char *name);
DnsResourceRecord* dns_resource_record_ref(DnsResourceRecord *rr);
@@ -209,6 +264,8 @@ int dns_resource_record_equal(const DnsResourceRecord *a, const DnsResourceRecor
int dns_resource_record_to_string(const DnsResourceRecord *rr, char **ret);
DEFINE_TRIVIAL_CLEANUP_FUNC(DnsResourceRecord*, dns_resource_record_unref);
+int dns_resource_record_to_wire_format(DnsResourceRecord *rr, bool canonical);
+
DnsTxtItem *dns_txt_item_free_all(DnsTxtItem *i);
bool dns_txt_item_equal(DnsTxtItem *a, DnsTxtItem *b);
@@ -216,3 +273,9 @@ const char *dns_class_to_string(uint16_t type);
int dns_class_from_string(const char *name, uint16_t *class);
extern const struct hash_ops dns_resource_key_hash_ops;
+
+const char* dnssec_algorithm_to_string(int i) _const_;
+int dnssec_algorithm_from_string(const char *s) _pure_;
+
+const char *dnssec_digest_to_string(int i) _const_;
+int dnssec_digest_from_string(const char *s) _pure_;
diff --git a/src/resolve/resolved-dns-scope.c b/src/resolve/resolved-dns-scope.c
index 09e6872d26..4d83ac597c 100644
--- a/src/resolve/resolved-dns-scope.c
+++ b/src/resolve/resolved-dns-scope.c
@@ -30,6 +30,7 @@
#include "random-util.h"
#include "resolved-dns-scope.h"
#include "resolved-llmnr.h"
+#include "resolved-mdns.h"
#include "socket-util.h"
#include "strv.h"
@@ -59,6 +60,7 @@ int dns_scope_new(Manager *m, DnsScope **ret, Link *l, DnsProtocol protocol, int
LIST_PREPEND(scopes, m->dns_scopes, s);
dns_scope_llmnr_membership(s, true);
+ dns_scope_mdns_membership(s, true);
log_debug("New scope on link %s, protocol %s, family %s", l ? l->name : "*", dns_protocol_to_string(protocol), family == AF_UNSPEC ? "*" : af_to_name(family));
@@ -95,6 +97,7 @@ DnsScope* dns_scope_free(DnsScope *s) {
log_debug("Removing scope on link %s, protocol %s, family %s", s->link ? s->link->name : "*", dns_protocol_to_string(s->protocol), s->family == AF_UNSPEC ? "*" : af_to_name(s->family));
dns_scope_llmnr_membership(s, false);
+ dns_scope_mdns_membership(s, false);
dns_scope_abort_transactions(s);
while (s->query_candidates)
@@ -158,11 +161,10 @@ void dns_scope_packet_lost(DnsScope *s, usec_t usec) {
s->resend_timeout = MIN(s->resend_timeout * 2, MULTICAST_RESEND_TIMEOUT_MAX_USEC);
}
-int dns_scope_emit(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) {
+static int dns_scope_emit_one(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) {
union in_addr_union addr;
int ifindex = 0, r;
int family;
- uint16_t port;
uint32_t mtu;
size_t saved_size = 0;
@@ -228,7 +230,6 @@ int dns_scope_emit(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) {
return -EBUSY;
family = s->family;
- port = LLMNR_PORT;
if (family == AF_INET) {
addr.in = LLMNR_MULTICAST_IPV4_ADDRESS;
@@ -241,7 +242,30 @@ int dns_scope_emit(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) {
if (fd < 0)
return fd;
- r = manager_send(s->manager, fd, ifindex, family, &addr, port, p);
+ r = manager_send(s->manager, fd, ifindex, family, &addr, LLMNR_PORT, p);
+ if (r < 0)
+ return r;
+
+ break;
+
+ case DNS_PROTOCOL_MDNS:
+ if (!ratelimit_test(&s->ratelimit))
+ return -EBUSY;
+
+ family = s->family;
+
+ if (family == AF_INET) {
+ addr.in = MDNS_MULTICAST_IPV4_ADDRESS;
+ fd = manager_mdns_ipv4_fd(s->manager);
+ } else if (family == AF_INET6) {
+ addr.in6 = MDNS_MULTICAST_IPV6_ADDRESS;
+ fd = manager_mdns_ipv6_fd(s->manager);
+ } else
+ return -EAFNOSUPPORT;
+ if (fd < 0)
+ return fd;
+
+ r = manager_send(s->manager, fd, ifindex, family, &addr, MDNS_PORT, p);
if (r < 0)
return r;
@@ -254,6 +278,31 @@ int dns_scope_emit(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) {
return 1;
}
+int dns_scope_emit(DnsScope *s, int fd, DnsServer *server, DnsPacket *p) {
+ int r;
+
+ assert(s);
+ assert(p);
+ assert(p->protocol == s->protocol);
+ assert((s->protocol == DNS_PROTOCOL_DNS) != (fd < 0));
+
+ do {
+ /* If there are multiple linked packets, set the TC bit in all but the last of them */
+ if (p->more) {
+ assert(p->protocol == DNS_PROTOCOL_MDNS);
+ dns_packet_set_flags(p, true, true);
+ }
+
+ r = dns_scope_emit_one(s, fd, server, p);
+ if (r < 0)
+ return r;
+
+ p = p->more;
+ } while(p);
+
+ return 0;
+}
+
static int dns_scope_socket(DnsScope *s, int type, int family, const union in_addr_union *address, uint16_t port, DnsServer **server) {
DnsServer *srv = NULL;
_cleanup_close_ int fd = -1;
@@ -368,13 +417,14 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co
assert(s);
assert(domain);
- if (ifindex != 0 && (!s->link || s->link->ifindex != ifindex))
- return DNS_SCOPE_NO;
+ /* Checks if the specified domain is something to look up on
+ * this scope. Note that this accepts non-qualified hostnames,
+ * i.e. those without any search path prefixed yet. */
- if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family) & flags) == 0)
+ if (ifindex != 0 && (!s->link || s->link->ifindex != ifindex))
return DNS_SCOPE_NO;
- if (dns_name_is_root(domain))
+ if ((SD_RESOLVED_FLAGS_MAKE(s->protocol, s->family, 0) & flags) == 0)
return DNS_SCOPE_NO;
/* Never resolve any loopback hostname or IP address via DNS,
@@ -385,6 +435,12 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co
dns_name_equal(domain, "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
return DNS_SCOPE_NO;
+ /* Never respond to some of the domains listed in RFC6303 */
+ if (dns_name_endswith(domain, "0.in-addr.arpa") > 0 ||
+ dns_name_equal(domain, "255.255.255.255.in-addr.arpa") > 0 ||
+ dns_name_equal(domain, "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa") > 0)
+ return DNS_SCOPE_NO;
+
/* Always honour search domains for routing queries. Note that
* we return DNS_SCOPE_YES here, rather than just
* DNS_SCOPE_MAYBE, which means wildcard scopes won't be
@@ -397,10 +453,16 @@ DnsScopeMatch dns_scope_good_domain(DnsScope *s, int ifindex, uint64_t flags, co
case DNS_PROTOCOL_DNS:
- if ((!dns_name_is_single_label(domain) ||
- (!(flags & SD_RESOLVED_NO_SEARCH) && dns_scope_has_search_domains(s))) &&
- dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
- dns_name_endswith(domain, "0.8.e.f.ip6.arpa") == 0)
+ /* Exclude link-local IP ranges */
+ if (dns_name_endswith(domain, "254.169.in-addr.arpa") == 0 &&
+ dns_name_endswith(domain, "8.e.f.ip6.arpa") == 0 &&
+ dns_name_endswith(domain, "9.e.f.ip6.arpa") == 0 &&
+ dns_name_endswith(domain, "a.e.f.ip6.arpa") == 0 &&
+ dns_name_endswith(domain, "b.e.f.ip6.arpa") == 0 &&
+ /* If networks use .local in their private setups, they are supposed to also add .local to their search
+ * domains, which we already checked above. Otherwise, we consider .local specific to mDNS and won't
+ * send such queries ordinary DNS servers. */
+ dns_name_endswith(domain, "local") == 0)
return DNS_SCOPE_MAYBE;
return DNS_SCOPE_NO;
@@ -434,8 +496,27 @@ int dns_scope_good_key(DnsScope *s, DnsResourceKey *key) {
assert(s);
assert(key);
- if (s->protocol == DNS_PROTOCOL_DNS)
- return true;
+ /* Check if it makes sense to resolve the specified key on
+ * this scope. Note that this call assumes as fully qualified
+ * name, i.e. the search suffixes already appended. */
+
+ if (s->protocol == DNS_PROTOCOL_DNS) {
+
+ /* On classic DNS, lookin up non-address RRs is always
+ * fine. (Specifically, we want to permit looking up
+ * DNSKEY and DS records on the root and top-level
+ * domains.) */
+ if (!dns_resource_key_is_address(key))
+ return true;
+
+ /* However, we refuse to look up A and AAAA RRs on the
+ * root and single-label domains, under the assumption
+ * that those should be resolved via LLMNR or search
+ * path only, and should not be leaked onto the
+ * internet. */
+ return !(dns_name_is_single_label(DNS_RESOURCE_KEY_NAME(key)) ||
+ dns_name_is_root(DNS_RESOURCE_KEY_NAME(key)));
+ }
/* On mDNS and LLMNR, send A and AAAA queries only on the
* respective scopes */
@@ -449,19 +530,15 @@ int dns_scope_good_key(DnsScope *s, DnsResourceKey *key) {
return true;
}
-int dns_scope_llmnr_membership(DnsScope *s, bool b) {
+static int dns_scope_multicast_membership(DnsScope *s, bool b, struct in_addr in, struct in6_addr in6) {
int fd;
assert(s);
-
- if (s->protocol != DNS_PROTOCOL_LLMNR)
- return 0;
-
assert(s->link);
if (s->family == AF_INET) {
struct ip_mreqn mreqn = {
- .imr_multiaddr = LLMNR_MULTICAST_IPV4_ADDRESS,
+ .imr_multiaddr = in,
.imr_ifindex = s->link->ifindex,
};
@@ -480,7 +557,7 @@ int dns_scope_llmnr_membership(DnsScope *s, bool b) {
} else if (s->family == AF_INET6) {
struct ipv6_mreq mreq = {
- .ipv6mr_multiaddr = LLMNR_MULTICAST_IPV6_ADDRESS,
+ .ipv6mr_multiaddr = in6,
.ipv6mr_interface = s->link->ifindex,
};
@@ -499,6 +576,22 @@ int dns_scope_llmnr_membership(DnsScope *s, bool b) {
return 0;
}
+int dns_scope_llmnr_membership(DnsScope *s, bool b) {
+
+ if (s->protocol != DNS_PROTOCOL_LLMNR)
+ return 0;
+
+ return dns_scope_multicast_membership(s, b, LLMNR_MULTICAST_IPV4_ADDRESS, LLMNR_MULTICAST_IPV6_ADDRESS);
+}
+
+int dns_scope_mdns_membership(DnsScope *s, bool b) {
+
+ if (s->protocol != DNS_PROTOCOL_MDNS)
+ return 0;
+
+ return dns_scope_multicast_membership(s, b, MDNS_MULTICAST_IPV4_ADDRESS, MDNS_MULTICAST_IPV6_ADDRESS);
+}
+
static int dns_scope_make_reply_packet(
DnsScope *s,
uint16_t id,
@@ -549,7 +642,7 @@ static int dns_scope_make_reply_packet(
if (answer) {
for (i = 0; i < answer->n_rrs; i++) {
- r = dns_packet_append_rr(p, answer->items[i].rr, NULL);
+ r = dns_packet_append_rr(p, answer->items[i].rr, NULL, NULL);
if (r < 0)
return r;
}
@@ -559,7 +652,7 @@ static int dns_scope_make_reply_packet(
if (soa) {
for (i = 0; i < soa->n_rrs; i++) {
- r = dns_packet_append_rr(p, soa->items[i].rr, NULL);
+ r = dns_packet_append_rr(p, soa->items[i].rr, NULL, NULL);
if (r < 0)
return r;
}
@@ -733,7 +826,7 @@ static int dns_scope_make_conflict_packet(
if (r < 0)
return r;
- r = dns_packet_append_rr(p, rr, NULL);
+ r = dns_packet_append_rr(p, rr, NULL, NULL);
if (r < 0)
return r;
@@ -901,34 +994,13 @@ void dns_scope_dump(DnsScope *s, FILE *f) {
DnsSearchDomain *dns_scope_get_search_domains(DnsScope *s) {
assert(s);
- /* Returns the list of *local* search domains -- not the
- * global ones. */
-
if (s->protocol != DNS_PROTOCOL_DNS)
return NULL;
if (s->link)
return s->link->search_domains;
- return NULL;
-}
-
-bool dns_scope_has_search_domains(DnsScope *s) {
- assert(s);
-
- /* Tests if there are *any* search domains suitable for this
- * scope. This means either local or global ones */
-
- if (s->protocol != DNS_PROTOCOL_DNS)
- return false;
-
- if (s->manager->search_domains)
- return true;
-
- if (s->link && s->link->search_domains)
- return true;
-
- return false;
+ return s->manager->search_domains;
}
bool dns_scope_name_needs_search_domain(DnsScope *s, const char *name) {
diff --git a/src/resolve/resolved-dns-scope.h b/src/resolve/resolved-dns-scope.h
index 0480f702f8..2fc2e07deb 100644
--- a/src/resolve/resolved-dns-scope.h
+++ b/src/resolve/resolved-dns-scope.h
@@ -26,6 +26,7 @@
typedef struct DnsScope DnsScope;
#include "resolved-dns-cache.h"
+#include "resolved-dns-dnssec.h"
#include "resolved-dns-packet.h"
#include "resolved-dns-server.h"
#include "resolved-dns-zone.h"
@@ -44,6 +45,7 @@ struct DnsScope {
DnsProtocol protocol;
int family;
+ DnssecMode dnssec_mode;
Link *link;
@@ -91,6 +93,7 @@ DnsServer *dns_scope_get_dns_server(DnsScope *s);
void dns_scope_next_dns_server(DnsScope *s);
int dns_scope_llmnr_membership(DnsScope *s, bool b);
+int dns_scope_mdns_membership(DnsScope *s, bool b);
void dns_scope_process_query(DnsScope *s, DnsStream *stream, DnsPacket *p);
@@ -102,6 +105,5 @@ void dns_scope_check_conflicts(DnsScope *scope, DnsPacket *p);
void dns_scope_dump(DnsScope *s, FILE *f);
DnsSearchDomain *dns_scope_get_search_domains(DnsScope *s);
-bool dns_scope_has_search_domains(DnsScope *s);
bool dns_scope_name_needs_search_domain(DnsScope *s, const char *name);
diff --git a/src/resolve/resolved-dns-server.h b/src/resolve/resolved-dns-server.h
index 00366a48c9..b07fc3af3d 100644
--- a/src/resolve/resolved-dns-server.h
+++ b/src/resolve/resolved-dns-server.h
@@ -61,10 +61,11 @@ struct DnsServer {
int family;
union in_addr_union address;
+ bool marked:1;
+
usec_t resend_timeout;
usec_t max_rtt;
- bool marked:1;
DnsServerFeatureLevel verified_features;
DnsServerFeatureLevel possible_features;
size_t received_udp_packet_max;
diff --git a/src/resolve/resolved-dns-transaction.c b/src/resolve/resolved-dns-transaction.c
index 90133cb332..90f07e6c4b 100644
--- a/src/resolve/resolved-dns-transaction.c
+++ b/src/resolve/resolved-dns-transaction.c
@@ -24,6 +24,7 @@
#include "dns-domain.h"
#include "fd-util.h"
#include "random-util.h"
+#include "resolved-dns-cache.h"
#include "resolved-dns-transaction.h"
#include "resolved-llmnr.h"
#include "string-table.h"
@@ -243,7 +244,7 @@ static int on_stream_complete(DnsStream *s, int error) {
}
if (dns_packet_validate_reply(p) <= 0) {
- log_debug("Invalid LLMNR TCP packet.");
+ log_debug("Invalid TCP reply packet.");
dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
return 0;
}
@@ -384,6 +385,18 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
break;
+ case DNS_PROTOCOL_MDNS:
+ assert(t->scope->link);
+
+ /* For mDNS we will not accept any packets from other interfaces */
+ if (p->ifindex != t->scope->link->ifindex)
+ return;
+
+ if (p->family != t->scope->family)
+ return;
+
+ break;
+
case DNS_PROTOCOL_DNS:
break;
@@ -446,6 +459,13 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
}
if (DNS_PACKET_TC(p)) {
+
+ /* Truncated packets for mDNS are not allowed. Give up immediately. */
+ if (t->scope->protocol == DNS_PROTOCOL_MDNS) {
+ dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
+ return;
+ }
+
/* Response was truncated, let's try again with good old TCP */
r = dns_transaction_open_tcp(t);
if (r == -ESRCH) {
@@ -454,7 +474,7 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
return;
}
if (r < 0) {
- /* On LLMNR, if we cannot connect to the host,
+ /* On LLMNR and mDNS, if we cannot connect to the host,
* we immediately give up */
if (t->scope->protocol == DNS_PROTOCOL_LLMNR) {
dns_transaction_complete(t, DNS_TRANSACTION_RESOURCES);
@@ -481,21 +501,32 @@ void dns_transaction_process_reply(DnsTransaction *t, DnsPacket *p) {
return;
}
- /* Install the answer as answer to the transaction */
- dns_answer_unref(t->answer);
- t->answer = dns_answer_ref(p->answer);
- t->answer_rcode = DNS_PACKET_RCODE(p);
+ if (t->scope->protocol == DNS_PROTOCOL_DNS) {
+ /* Only consider responses with equivalent query section to the request */
+ if (p->question->n_keys != 1 || dns_resource_key_equal(p->question->keys[0], t->key) <= 0) {
+ dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
+ return;
+ }
- /* Only consider responses with equivalent query section to the request */
- if (p->question->n_keys != 1 || dns_resource_key_equal(p->question->keys[0], t->key) <= 0) {
- dns_transaction_complete(t, DNS_TRANSACTION_INVALID_REPLY);
- return;
+ /* Install the answer as answer to the transaction */
+ dns_answer_unref(t->answer);
+ t->answer = dns_answer_ref(p->answer);
+ t->answer_rcode = DNS_PACKET_RCODE(p);
+ t->answer_authenticated = t->scope->dnssec_mode == DNSSEC_TRUST && DNS_PACKET_AD(p);
+
+ /* According to RFC 4795, section 2.9. only the RRs from the answer section shall be cached */
+ if (DNS_PACKET_SHALL_CACHE(p))
+ dns_cache_put(&t->scope->cache,
+ t->key,
+ DNS_PACKET_RCODE(p),
+ p->answer,
+ DNS_PACKET_ANCOUNT(p),
+ t->answer_authenticated,
+ 0,
+ p->family,
+ &p->sender);
}
- /* According to RFC 4795, section 2.9. only the RRs from the answer section shall be cached */
- if (DNS_PACKET_SHALL_CACHE(p))
- dns_cache_put(&t->scope->cache, t->key, DNS_PACKET_RCODE(p), p->answer, DNS_PACKET_ANCOUNT(p), 0, p->family, &p->sender);
-
if (DNS_PACKET_RCODE(p) == DNS_RCODE_SUCCESS)
dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
else
@@ -562,21 +593,26 @@ static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdat
assert(s);
assert(t);
- /* Timeout reached? Increase the timeout for the server used */
- switch (t->scope->protocol) {
- case DNS_PROTOCOL_DNS:
- assert(t->server);
+ if (!t->initial_jitter_scheduled || t->initial_jitter_elapsed) {
+ /* Timeout reached? Increase the timeout for the server used */
+ switch (t->scope->protocol) {
+ case DNS_PROTOCOL_DNS:
+ assert(t->server);
- dns_server_packet_lost(t->server, t->current_features, usec - t->start_usec);
+ dns_server_packet_lost(t->server, t->current_features, usec - t->start_usec);
- break;
- case DNS_PROTOCOL_LLMNR:
- case DNS_PROTOCOL_MDNS:
- dns_scope_packet_lost(t->scope, usec - t->start_usec);
+ break;
+ case DNS_PROTOCOL_LLMNR:
+ case DNS_PROTOCOL_MDNS:
+ dns_scope_packet_lost(t->scope, usec - t->start_usec);
- break;
- default:
- assert_not_reached("Invalid DNS protocol.");
+ break;
+ default:
+ assert_not_reached("Invalid DNS protocol.");
+ }
+
+ if (t->initial_jitter_scheduled)
+ t->initial_jitter_elapsed = true;
}
/* ...and try again with a new server */
@@ -589,38 +625,6 @@ static int on_transaction_timeout(sd_event_source *s, usec_t usec, void *userdat
return 0;
}
-static int dns_transaction_make_packet(DnsTransaction *t) {
- _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
- int r;
-
- assert(t);
-
- if (t->sent)
- return 0;
-
- r = dns_packet_new_query(&p, t->scope->protocol, 0);
- if (r < 0)
- return r;
-
- r = dns_scope_good_key(t->scope, t->key);
- if (r < 0)
- return r;
- if (r == 0)
- return -EDOM;
-
- r = dns_packet_append_key(p, t->key, NULL);
- if (r < 0)
- return r;
-
- DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
- DNS_PACKET_HEADER(p)->id = t->id;
-
- t->sent = p;
- p = NULL;
-
- return 0;
-}
-
static usec_t transaction_get_resend_timeout(DnsTransaction *t) {
assert(t);
assert(t->scope);
@@ -630,17 +634,18 @@ static usec_t transaction_get_resend_timeout(DnsTransaction *t) {
assert(t->server);
return t->server->resend_timeout;
- case DNS_PROTOCOL_LLMNR:
case DNS_PROTOCOL_MDNS:
+ assert(t->n_attempts > 0);
+ return (1 << (t->n_attempts - 1)) * USEC_PER_SEC;
+ case DNS_PROTOCOL_LLMNR:
return t->scope->resend_timeout;
default:
assert_not_reached("Invalid DNS protocol.");
}
}
-int dns_transaction_go(DnsTransaction *t) {
+static int dns_transaction_prepare_next_attempt(DnsTransaction *t, usec_t ts) {
bool had_stream;
- usec_t ts;
int r;
assert(t);
@@ -649,11 +654,6 @@ int dns_transaction_go(DnsTransaction *t) {
dns_transaction_stop(t);
- log_debug("Excercising transaction on scope %s on %s/%s",
- dns_protocol_to_string(t->scope->protocol),
- t->scope->link ? t->scope->link->name : "*",
- t->scope->family == AF_UNSPEC ? "*" : af_to_name(t->scope->family));
-
if (t->n_attempts >= TRANSACTION_ATTEMPTS_MAX(t->scope->protocol)) {
dns_transaction_complete(t, DNS_TRANSACTION_ATTEMPTS_MAX_REACHED);
return 0;
@@ -666,8 +666,6 @@ int dns_transaction_go(DnsTransaction *t) {
return 0;
}
- assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
-
t->n_attempts++;
t->start_usec = ts;
t->received = dns_packet_unref(t->received);
@@ -675,7 +673,21 @@ int dns_transaction_go(DnsTransaction *t) {
t->answer_rcode = 0;
t->answer_source = _DNS_TRANSACTION_SOURCE_INVALID;
- /* Check the zone, but obly if this transaction is not used
+ /* Check the trust anchor. Do so only on classic DNS, since DNSSEC does not apply otherwise. */
+ if (t->scope->protocol == DNS_PROTOCOL_DNS) {
+ r = dns_trust_anchor_lookup(&t->scope->manager->trust_anchor, t->key, &t->answer);
+ if (r < 0)
+ return r;
+ if (r > 0) {
+ t->answer_rcode = DNS_RCODE_SUCCESS;
+ t->answer_source = DNS_TRANSACTION_TRUST_ANCHOR;
+ t->answer_authenticated = true;
+ dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
+ return 0;
+ }
+ }
+
+ /* Check the zone, but only if this transaction is not used
* for probing or verifying a zone item. */
if (set_isempty(t->zone_items)) {
@@ -685,6 +697,7 @@ int dns_transaction_go(DnsTransaction *t) {
if (r > 0) {
t->answer_rcode = DNS_RCODE_SUCCESS;
t->answer_source = DNS_TRANSACTION_ZONE;
+ t->answer_authenticated = true;
dns_transaction_complete(t, DNS_TRANSACTION_SUCCESS);
return 0;
}
@@ -702,7 +715,7 @@ int dns_transaction_go(DnsTransaction *t) {
/* Let's then prune all outdated entries */
dns_cache_prune(&t->scope->cache);
- r = dns_cache_lookup(&t->scope->cache, t->key, &t->answer_rcode, &t->answer);
+ r = dns_cache_lookup(&t->scope->cache, t->key, &t->answer_rcode, &t->answer, &t->answer_authenticated);
if (r < 0)
return r;
if (r > 0) {
@@ -715,31 +728,203 @@ int dns_transaction_go(DnsTransaction *t) {
}
}
- if (t->scope->protocol == DNS_PROTOCOL_LLMNR && !t->initial_jitter) {
- usec_t jitter;
+ return 1;
+}
+
+static int dns_transaction_make_packet_mdns(DnsTransaction *t) {
+
+ _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
+ bool add_known_answers = false;
+ DnsTransaction *other;
+ unsigned qdcount;
+ usec_t ts;
+ int r;
+
+ assert(t);
+ assert(t->scope->protocol == DNS_PROTOCOL_MDNS);
+
+ /* Discard any previously prepared packet, so we can start over and coaleasce again */
+ t->sent = dns_packet_unref(t->sent);
+
+ r = dns_packet_new_query(&p, t->scope->protocol, 0, false);
+ if (r < 0)
+ return r;
+
+ r = dns_packet_append_key(p, t->key, NULL);
+ if (r < 0)
+ return r;
+
+ qdcount = 1;
+
+ if (dns_key_is_shared(t->key))
+ add_known_answers = true;
+
+ /*
+ * For mDNS, we want to coalesce as many open queries in pending transactions into one single
+ * query packet on the wire as possible. To achieve that, we iterate through all pending transactions
+ * in our current scope, and see whether their timing contraints allow them to be sent.
+ */
+
+ assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
+
+ LIST_FOREACH(transactions_by_scope, other, t->scope->transactions) {
+
+ /* Skip ourselves */
+ if (other == t)
+ continue;
+
+ if (other->state != DNS_TRANSACTION_PENDING)
+ continue;
+
+ if (other->next_attempt_after > ts)
+ continue;
+
+ if (qdcount >= UINT16_MAX)
+ break;
+
+ r = dns_packet_append_key(p, other->key, NULL);
+
+ /*
+ * If we can't stuff more questions into the packet, just give up.
+ * One of the 'other' transactions will fire later and take care of the rest.
+ */
+ if (r == -EMSGSIZE)
+ break;
+
+ if (r < 0)
+ return r;
+
+ r = dns_transaction_prepare_next_attempt(other, ts);
+ if (r <= 0)
+ continue;
+
+ ts += transaction_get_resend_timeout(other);
+
+ r = sd_event_add_time(
+ other->scope->manager->event,
+ &other->timeout_event_source,
+ clock_boottime_or_monotonic(),
+ ts, 0,
+ on_transaction_timeout, other);
+ if (r < 0)
+ return r;
+
+ other->state = DNS_TRANSACTION_PENDING;
+ other->next_attempt_after = ts;
+
+ qdcount ++;
+
+ if (dns_key_is_shared(other->key))
+ add_known_answers = true;
+ }
+
+ DNS_PACKET_HEADER(p)->qdcount = htobe16(qdcount);
+ DNS_PACKET_HEADER(p)->id = t->id;
+
+ /* Append known answer section if we're asking for any shared record */
+ if (add_known_answers) {
+ r = dns_cache_export_shared_to_packet(&t->scope->cache, p);
+ if (r < 0)
+ return r;
+ }
+
+ t->sent = p;
+ p = NULL;
+
+ return 0;
+}
+
+static int dns_transaction_make_packet(DnsTransaction *t) {
+ _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
+ int r;
+
+ assert(t);
+
+ if (t->scope->protocol == DNS_PROTOCOL_MDNS)
+ return dns_transaction_make_packet_mdns(t);
+
+ if (t->sent)
+ return 0;
+
+ r = dns_packet_new_query(&p, t->scope->protocol, 0, t->scope->dnssec_mode == DNSSEC_YES);
+ if (r < 0)
+ return r;
+
+ r = dns_scope_good_key(t->scope, t->key);
+ if (r < 0)
+ return r;
+ if (r == 0)
+ return -EDOM;
+
+ r = dns_packet_append_key(p, t->key, NULL);
+ if (r < 0)
+ return r;
+
+ DNS_PACKET_HEADER(p)->qdcount = htobe16(1);
+ DNS_PACKET_HEADER(p)->id = t->id;
+
+ t->sent = p;
+ p = NULL;
+
+ return 0;
+}
+
+int dns_transaction_go(DnsTransaction *t) {
+ usec_t ts;
+ int r;
+
+ assert(t);
+
+ assert_se(sd_event_now(t->scope->manager->event, clock_boottime_or_monotonic(), &ts) >= 0);
+ r = dns_transaction_prepare_next_attempt(t, ts);
+ if (r <= 0)
+ return r;
+
+ log_debug("Excercising transaction on scope %s on %s/%s",
+ dns_protocol_to_string(t->scope->protocol),
+ t->scope->link ? t->scope->link->name : "*",
+ t->scope->family == AF_UNSPEC ? "*" : af_to_name(t->scope->family));
+
+ if (!t->initial_jitter_scheduled &&
+ (t->scope->protocol == DNS_PROTOCOL_LLMNR ||
+ t->scope->protocol == DNS_PROTOCOL_MDNS)) {
+ usec_t jitter, accuracy;
/* RFC 4795 Section 2.7 suggests all queries should be
* delayed by a random time from 0 to JITTER_INTERVAL. */
- t->initial_jitter = true;
+ t->initial_jitter_scheduled = true;
random_bytes(&jitter, sizeof(jitter));
- jitter %= LLMNR_JITTER_INTERVAL_USEC;
+
+ switch (t->scope->protocol) {
+ case DNS_PROTOCOL_LLMNR:
+ jitter %= LLMNR_JITTER_INTERVAL_USEC;
+ accuracy = LLMNR_JITTER_INTERVAL_USEC;
+ break;
+ case DNS_PROTOCOL_MDNS:
+ jitter %= MDNS_JITTER_RANGE_USEC;
+ jitter += MDNS_JITTER_MIN_USEC;
+ accuracy = MDNS_JITTER_RANGE_USEC;
+ break;
+ default:
+ assert_not_reached("bad protocol");
+ }
r = sd_event_add_time(
t->scope->manager->event,
&t->timeout_event_source,
clock_boottime_or_monotonic(),
- ts + jitter,
- LLMNR_JITTER_INTERVAL_USEC,
+ ts + jitter, accuracy,
on_transaction_timeout, t);
if (r < 0)
return r;
t->n_attempts = 0;
+ t->next_attempt_after = ts;
t->state = DNS_TRANSACTION_PENDING;
- log_debug("Delaying LLMNR transaction for " USEC_FMT "us.", jitter);
+ log_debug("Delaying %s transaction for " USEC_FMT "us.", dns_protocol_to_string(t->scope->protocol), jitter);
return 0;
}
@@ -786,16 +971,20 @@ int dns_transaction_go(DnsTransaction *t) {
return dns_transaction_go(t);
}
+ ts += transaction_get_resend_timeout(t);
+
r = sd_event_add_time(
t->scope->manager->event,
&t->timeout_event_source,
clock_boottime_or_monotonic(),
- ts + transaction_get_resend_timeout(t), 0,
+ ts, 0,
on_transaction_timeout, t);
if (r < 0)
return r;
t->state = DNS_TRANSACTION_PENDING;
+ t->next_attempt_after = ts;
+
return 1;
}
@@ -817,5 +1006,6 @@ static const char* const dns_transaction_source_table[_DNS_TRANSACTION_SOURCE_MA
[DNS_TRANSACTION_NETWORK] = "network",
[DNS_TRANSACTION_CACHE] = "cache",
[DNS_TRANSACTION_ZONE] = "zone",
+ [DNS_TRANSACTION_TRUST_ANCHOR] = "trust-anchor",
};
DEFINE_STRING_TABLE_LOOKUP(dns_transaction_source, DnsTransactionSource);
diff --git a/src/resolve/resolved-dns-transaction.h b/src/resolve/resolved-dns-transaction.h
index 5778913cc8..af08b20e44 100644
--- a/src/resolve/resolved-dns-transaction.h
+++ b/src/resolve/resolved-dns-transaction.h
@@ -44,6 +44,7 @@ enum DnsTransactionSource {
DNS_TRANSACTION_NETWORK,
DNS_TRANSACTION_CACHE,
DNS_TRANSACTION_ZONE,
+ DNS_TRANSACTION_TRUST_ANCHOR,
_DNS_TRANSACTION_SOURCE_MAX,
_DNS_TRANSACTION_SOURCE_INVALID = -1
};
@@ -61,15 +62,18 @@ struct DnsTransaction {
DnsTransactionState state;
uint16_t id;
- bool initial_jitter;
+ bool initial_jitter_scheduled;
+ bool initial_jitter_elapsed;
DnsPacket *sent, *received;
DnsAnswer *answer;
int answer_rcode;
DnsTransactionSource answer_source;
+ bool answer_authenticated;
usec_t start_usec;
+ usec_t next_attempt_after;
sd_event_source *timeout_event_source;
unsigned n_attempts;
@@ -117,6 +121,10 @@ DnsTransactionSource dns_transaction_source_from_string(const char *s) _pure_;
/* LLMNR Jitter interval, see RFC 4795 Section 7 */
#define LLMNR_JITTER_INTERVAL_USEC (100 * USEC_PER_MSEC)
+/* mDNS Jitter interval, see RFC 6762 Section 5.2 */
+#define MDNS_JITTER_MIN_USEC (20 * USEC_PER_MSEC)
+#define MDNS_JITTER_RANGE_USEC (100 * USEC_PER_MSEC)
+
/* Maximum attempts to send DNS requests, across all DNS servers */
#define DNS_TRANSACTION_ATTEMPTS_MAX 16
diff --git a/src/resolve/resolved-dns-trust-anchor.c b/src/resolve/resolved-dns-trust-anchor.c
new file mode 100644
index 0000000000..e55bdaa1ed
--- /dev/null
+++ b/src/resolve/resolved-dns-trust-anchor.c
@@ -0,0 +1,101 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+ This file is part of systemd.
+
+ Copyright 2015 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include "alloc-util.h"
+#include "resolved-dns-trust-anchor.h"
+
+/* The DS RR from https://data.iana.org/root-anchors/root-anchors.xml */
+static const uint8_t root_digest[] =
+ { 0x49, 0xAA, 0xC1, 0x1D, 0x7B, 0x6F, 0x64, 0x46, 0x70, 0x2E, 0x54, 0xA1, 0x60, 0x73, 0x71, 0x60,
+ 0x7A, 0x1A, 0x41, 0x85, 0x52, 0x00, 0xFD, 0x2C, 0xE1, 0xCD, 0xDE, 0x32, 0xF2, 0x4E, 0x8F, 0xB5 };
+
+int dns_trust_anchor_load(DnsTrustAnchor *d) {
+ _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *rr = NULL;
+ _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
+ int r;
+
+ assert(d);
+
+ r = hashmap_ensure_allocated(&d->by_key, &dns_resource_key_hash_ops);
+ if (r < 0)
+ return r;
+
+ if (hashmap_get(d->by_key, &DNS_RESOURCE_KEY_CONST(DNS_CLASS_IN, DNS_TYPE_DS, ".")))
+ return 0;
+
+ /* Add the RR from https://data.iana.org/root-anchors/root-anchors.xml */
+ rr = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "");
+ if (!rr)
+ return -ENOMEM;
+
+ rr->ds.key_tag = 19036;
+ rr->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
+ rr->ds.digest_type = DNSSEC_DIGEST_SHA256;
+ rr->ds.digest_size = sizeof(root_digest);
+ rr->ds.digest = memdup(root_digest, rr->ds.digest_size);
+ if (!rr->ds.digest)
+ return -ENOMEM;
+
+ answer = dns_answer_new(1);
+ if (!answer)
+ return -ENOMEM;
+
+ r = dns_answer_add(answer, rr, 0);
+ if (r < 0)
+ return r;
+
+ r = hashmap_put(d->by_key, rr->key, answer);
+ if (r < 0)
+ return r;
+
+ answer = NULL;
+ return 0;
+}
+
+void dns_trust_anchor_flush(DnsTrustAnchor *d) {
+ DnsAnswer *a;
+
+ assert(d);
+
+ while ((a = hashmap_steal_first(d->by_key)))
+ dns_answer_unref(a);
+
+ d->by_key = hashmap_free(d->by_key);
+}
+
+int dns_trust_anchor_lookup(DnsTrustAnchor *d, DnsResourceKey *key, DnsAnswer **ret) {
+ DnsAnswer *a;
+
+ assert(d);
+ assert(key);
+ assert(ret);
+
+ /* We only serve DS and DNSKEY RRs. */
+ if (!IN_SET(key->type, DNS_TYPE_DS, DNS_TYPE_DNSKEY))
+ return 0;
+
+ a = hashmap_get(d->by_key, key);
+ if (!a)
+ return 0;
+
+ *ret = dns_answer_ref(a);
+ return 1;
+}
diff --git a/src/resolve/resolved-dns-trust-anchor.h b/src/resolve/resolved-dns-trust-anchor.h
new file mode 100644
index 0000000000..06f3723914
--- /dev/null
+++ b/src/resolve/resolved-dns-trust-anchor.h
@@ -0,0 +1,39 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+#pragma once
+
+/***
+ This file is part of systemd.
+
+ Copyright 2015 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+typedef struct DnsTrustAnchor DnsTrustAnchor;
+
+#include "hashmap.h"
+#include "resolved-dns-answer.h"
+#include "resolved-dns-rr.h"
+
+/* This contains a fixed database mapping domain names to DS or DNSKEY records. */
+
+struct DnsTrustAnchor {
+ Hashmap *by_key;
+};
+
+int dns_trust_anchor_load(DnsTrustAnchor *d);
+void dns_trust_anchor_flush(DnsTrustAnchor *d);
+
+int dns_trust_anchor_lookup(DnsTrustAnchor *d, DnsResourceKey* key, DnsAnswer **answer);
diff --git a/src/resolve/resolved-dns-zone.c b/src/resolve/resolved-dns-zone.c
index 493d11dd14..78f44d51a2 100644
--- a/src/resolve/resolved-dns-zone.c
+++ b/src/resolve/resolved-dns-zone.c
@@ -163,7 +163,6 @@ static int dns_zone_link_item(DnsZone *z, DnsZoneItem *i) {
}
static int dns_zone_item_probe_start(DnsZoneItem *i) {
- _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
DnsTransaction *t;
int r;
@@ -172,12 +171,14 @@ static int dns_zone_item_probe_start(DnsZoneItem *i) {
if (i->probe_transaction)
return 0;
- key = dns_resource_key_new(i->rr->key->class, DNS_TYPE_ANY, DNS_RESOURCE_KEY_NAME(i->rr->key));
- if (!key)
- return -ENOMEM;
-
- t = dns_scope_find_transaction(i->scope, key, false);
+ t = dns_scope_find_transaction(i->scope, &DNS_RESOURCE_KEY_CONST(i->rr->key->class, DNS_TYPE_ANY, DNS_RESOURCE_KEY_NAME(i->rr->key)), false);
if (!t) {
+ _cleanup_(dns_resource_key_unrefp) DnsResourceKey *key = NULL;
+
+ key = dns_resource_key_new(i->rr->key->class, DNS_TYPE_ANY, DNS_RESOURCE_KEY_NAME(i->rr->key));
+ if (!key)
+ return -ENOMEM;
+
r = dns_transaction_new(&t, i->scope, key);
if (r < 0)
return r;
diff --git a/src/resolve/resolved-gperf.gperf b/src/resolve/resolved-gperf.gperf
index 50662656d5..c815eae850 100644
--- a/src/resolve/resolved-gperf.gperf
+++ b/src/resolve/resolved-gperf.gperf
@@ -18,3 +18,4 @@ Resolve.DNS, config_parse_dns_servers, DNS_SERVER_SYSTEM, 0
Resolve.FallbackDNS, config_parse_dns_servers, DNS_SERVER_FALLBACK, 0
Resolve.Domains, config_parse_search_domains, 0, 0
Resolve.LLMNR, config_parse_support, 0, offsetof(Manager, llmnr_support)
+Resolve.DNSSEC, config_parse_dnssec, 0, 0
diff --git a/src/resolve/resolved-link.c b/src/resolve/resolved-link.c
index ddd9427dab..84100bd988 100644
--- a/src/resolve/resolved-link.c
+++ b/src/resolve/resolved-link.c
@@ -77,6 +77,8 @@ Link *link_free(Link *l) {
dns_scope_free(l->unicast_scope);
dns_scope_free(l->llmnr_ipv4_scope);
dns_scope_free(l->llmnr_ipv6_scope);
+ dns_scope_free(l->mdns_ipv4_scope);
+ dns_scope_free(l->mdns_ipv6_scope);
free(l);
return NULL;
@@ -118,6 +120,28 @@ static void link_allocate_scopes(Link *l) {
}
} else
l->llmnr_ipv6_scope = dns_scope_free(l->llmnr_ipv6_scope);
+
+ if (link_relevant(l, AF_INET) &&
+ l->mdns_support != SUPPORT_NO &&
+ l->manager->mdns_support != SUPPORT_NO) {
+ if (!l->mdns_ipv4_scope) {
+ r = dns_scope_new(l->manager, &l->mdns_ipv4_scope, l, DNS_PROTOCOL_MDNS, AF_INET);
+ if (r < 0)
+ log_warning_errno(r, "Failed to allocate mDNS IPv4 scope: %m");
+ }
+ } else
+ l->mdns_ipv4_scope = dns_scope_free(l->mdns_ipv4_scope);
+
+ if (link_relevant(l, AF_INET6) &&
+ l->mdns_support != SUPPORT_NO &&
+ l->manager->mdns_support != SUPPORT_NO) {
+ if (!l->mdns_ipv6_scope) {
+ r = dns_scope_new(l->manager, &l->mdns_ipv6_scope, l, DNS_PROTOCOL_MDNS, AF_INET6);
+ if (r < 0)
+ log_warning_errno(r, "Failed to allocate mDNS IPv6 scope: %m");
+ }
+ } else
+ l->mdns_ipv6_scope = dns_scope_free(l->mdns_ipv6_scope);
}
void link_add_rrs(Link *l, bool force_remove) {
diff --git a/src/resolve/resolved-link.h b/src/resolve/resolved-link.h
index eb00015bd5..a3b406bbc2 100644
--- a/src/resolve/resolved-link.h
+++ b/src/resolve/resolved-link.h
@@ -67,10 +67,13 @@ struct Link {
unsigned n_search_domains;
Support llmnr_support;
+ Support mdns_support;
DnsScope *unicast_scope;
DnsScope *llmnr_ipv4_scope;
DnsScope *llmnr_ipv6_scope;
+ DnsScope *mdns_ipv4_scope;
+ DnsScope *mdns_ipv6_scope;
char name[IF_NAMESIZE];
uint32_t mtu;
diff --git a/src/resolve/resolved-llmnr.c b/src/resolve/resolved-llmnr.c
index 6a7ff9d245..ed754c3899 100644
--- a/src/resolve/resolved-llmnr.c
+++ b/src/resolve/resolved-llmnr.c
@@ -461,10 +461,8 @@ int manager_llmnr_ipv6_tcp_fd(Manager *m) {
}
r = sd_event_add_io(m->event, &m->llmnr_ipv6_tcp_event_source, m->llmnr_ipv6_tcp_fd, EPOLLIN, on_llmnr_stream, m);
- if (r < 0) {
- r = -errno;
+ if (r < 0)
goto fail;
- }
return m->llmnr_ipv6_tcp_fd;
diff --git a/src/resolve/resolved-manager.c b/src/resolve/resolved-manager.c
index 62562f0d24..a2677f442a 100644
--- a/src/resolve/resolved-manager.c
+++ b/src/resolve/resolved-manager.c
@@ -40,6 +40,7 @@
#include "resolved-llmnr.h"
#include "resolved-manager.h"
#include "resolved-resolv-conf.h"
+#include "resolved-mdns.h"
#include "socket-util.h"
#include "string-table.h"
#include "string-util.h"
@@ -472,12 +473,17 @@ int manager_new(Manager **ret) {
m->llmnr_ipv4_udp_fd = m->llmnr_ipv6_udp_fd = -1;
m->llmnr_ipv4_tcp_fd = m->llmnr_ipv6_tcp_fd = -1;
+ m->mdns_ipv4_fd = m->mdns_ipv6_fd = -1;
m->hostname_fd = -1;
m->llmnr_support = SUPPORT_YES;
m->read_resolv_conf = true;
m->need_builtin_fallbacks = true;
+ r = dns_trust_anchor_load(&m->trust_anchor);
+ if (r < 0)
+ return r;
+
r = sd_event_default(&m->event);
if (r < 0)
return r;
@@ -524,6 +530,10 @@ int manager_start(Manager *m) {
if (r < 0)
return r;
+ r = manager_mdns_start(m);
+ if (r < 0)
+ return r;
+
return 0;
}
@@ -555,6 +565,7 @@ Manager *manager_free(Manager *m) {
sd_event_source_unref(m->rtnl_event_source);
manager_llmnr_stop(m);
+ manager_mdns_stop(m);
sd_bus_slot_unref(m->prepare_for_sleep_slot);
sd_event_source_unref(m->bus_retry_event_source);
@@ -572,6 +583,8 @@ Manager *manager_free(Manager *m) {
free(m->llmnr_hostname);
free(m->mdns_hostname);
+ dns_trust_anchor_flush(&m->trust_anchor);
+
free(m);
return NULL;
@@ -1018,11 +1031,25 @@ DnsScope* manager_find_scope(Manager *m, DnsPacket *p) {
if (!l)
return NULL;
- if (p->protocol == DNS_PROTOCOL_LLMNR) {
+ switch (p->protocol) {
+ case DNS_PROTOCOL_LLMNR:
if (p->family == AF_INET)
return l->llmnr_ipv4_scope;
else if (p->family == AF_INET6)
return l->llmnr_ipv6_scope;
+
+ break;
+
+ case DNS_PROTOCOL_MDNS:
+ if (p->family == AF_INET)
+ return l->mdns_ipv4_scope;
+ else if (p->family == AF_INET6)
+ return l->mdns_ipv6_scope;
+
+ break;
+
+ default:
+ break;
}
return NULL;
diff --git a/src/resolve/resolved-manager.h b/src/resolve/resolved-manager.h
index d00c444583..b52273403a 100644
--- a/src/resolve/resolved-manager.h
+++ b/src/resolve/resolved-manager.h
@@ -44,6 +44,7 @@ enum Support {
#include "resolved-dns-search-domain.h"
#include "resolved-dns-server.h"
#include "resolved-dns-stream.h"
+#include "resolved-dns-trust-anchor.h"
#include "resolved-link.h"
#define MANAGER_SEARCH_DOMAINS_MAX 32
@@ -53,6 +54,7 @@ struct Manager {
sd_event *event;
Support llmnr_support;
+ Support mdns_support;
/* Network */
Hashmap *links;
@@ -85,6 +87,8 @@ struct Manager {
bool read_resolv_conf:1;
usec_t resolv_conf_mtime;
+ DnsTrustAnchor trust_anchor;
+
LIST_HEAD(DnsScope, dns_scopes);
DnsScope *unicast_scope;
@@ -99,6 +103,13 @@ struct Manager {
sd_event_source *llmnr_ipv4_tcp_event_source;
sd_event_source *llmnr_ipv6_tcp_event_source;
+ /* mDNS */
+ int mdns_ipv4_fd;
+ int mdns_ipv6_fd;
+
+ sd_event_source *mdns_ipv4_event_source;
+ sd_event_source *mdns_ipv6_event_source;
+
/* dbus */
sd_bus *bus;
sd_event_source *bus_retry_event_source;
diff --git a/src/resolve/resolved-mdns.c b/src/resolve/resolved-mdns.c
new file mode 100644
index 0000000000..abe63d58c1
--- /dev/null
+++ b/src/resolve/resolved-mdns.c
@@ -0,0 +1,286 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+ This file is part of systemd.
+
+ Copyright 2015 Daniel Mack
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+ ***/
+
+#include <resolv.h>
+#include <netinet/in.h>
+#include <arpa/inet.h>
+
+#include "fd-util.h"
+#include "resolved-manager.h"
+#include "resolved-mdns.h"
+
+void manager_mdns_stop(Manager *m) {
+ assert(m);
+
+ m->mdns_ipv4_event_source = sd_event_source_unref(m->mdns_ipv4_event_source);
+ m->mdns_ipv4_fd = safe_close(m->mdns_ipv4_fd);
+
+ m->mdns_ipv6_event_source = sd_event_source_unref(m->mdns_ipv6_event_source);
+ m->mdns_ipv6_fd = safe_close(m->mdns_ipv6_fd);
+}
+
+int manager_mdns_start(Manager *m) {
+ int r;
+
+ assert(m);
+
+ if (m->mdns_support == SUPPORT_NO)
+ return 0;
+
+ r = manager_mdns_ipv4_fd(m);
+ if (r == -EADDRINUSE)
+ goto eaddrinuse;
+ if (r < 0)
+ return r;
+
+ if (socket_ipv6_is_supported()) {
+ r = manager_mdns_ipv6_fd(m);
+ if (r == -EADDRINUSE)
+ goto eaddrinuse;
+ if (r < 0)
+ return r;
+ }
+
+ return 0;
+
+eaddrinuse:
+ log_warning("There appears to be another mDNS responder running. Turning off mDNS support.");
+ m->mdns_support = SUPPORT_NO;
+ manager_mdns_stop(m);
+
+ return 0;
+}
+
+static int on_mdns_packet(sd_event_source *s, int fd, uint32_t revents, void *userdata) {
+ _cleanup_(dns_packet_unrefp) DnsPacket *p = NULL;
+ Manager *m = userdata;
+ DnsScope *scope;
+ int r;
+
+ r = manager_recv(m, fd, DNS_PROTOCOL_MDNS, &p);
+ if (r <= 0)
+ return r;
+
+ scope = manager_find_scope(m, p);
+ if (!scope) {
+ log_warning("Got mDNS UDP packet on unknown scope. Ignoring.");
+ return 0;
+ }
+
+ if (dns_packet_validate_reply(p) > 0) {
+ unsigned i;
+
+ log_debug("Got mDNS reply packet");
+
+ /*
+ * mDNS is different from regular DNS and LLMNR with regard to handling responses.
+ * While on other protocols, we can ignore every answer that doesn't match a question
+ * we broadcast earlier, RFC6762, section 18.1 recommends looking at and caching all
+ * incoming information, regardless of the DNS packet ID.
+ *
+ * Hence, extract the packet here, and try to find a transaction for answer the we got
+ * and complete it. Also store the new information in scope's cache.
+ */
+ r = dns_packet_extract(p);
+ if (r < 0) {
+ log_debug("mDNS packet extraction failed.");
+ return 0;
+ }
+
+ dns_scope_check_conflicts(scope, p);
+
+ for (i = 0; i < p->answer->n_rrs; i++) {
+ DnsResourceRecord *rr;
+ DnsTransaction *t;
+
+ rr = p->answer->items[i].rr;
+
+ t = dns_scope_find_transaction(scope, rr->key, false);
+ if (t)
+ dns_transaction_process_reply(t, p);
+ }
+
+ dns_cache_put(&scope->cache, NULL, DNS_PACKET_RCODE(p), p->answer,
+ p->answer->n_rrs, false, 0, p->family, &p->sender);
+
+ } else if (dns_packet_validate_query(p) > 0) {
+ log_debug("Got mDNS query packet for id %u", DNS_PACKET_ID(p));
+
+ dns_scope_process_query(scope, NULL, p);
+ } else
+ log_debug("Invalid mDNS UDP packet.");
+
+ return 0;
+}
+
+int manager_mdns_ipv4_fd(Manager *m) {
+ union sockaddr_union sa = {
+ .in.sin_family = AF_INET,
+ .in.sin_port = htobe16(MDNS_PORT),
+ };
+ static const int one = 1, pmtu = IP_PMTUDISC_DONT, ttl = 255;
+ int r;
+
+ assert(m);
+
+ if (m->mdns_ipv4_fd >= 0)
+ return m->mdns_ipv4_fd;
+
+ m->mdns_ipv4_fd = socket(AF_INET, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
+ if (m->mdns_ipv4_fd < 0)
+ return -errno;
+
+ r = setsockopt(m->mdns_ipv4_fd, IPPROTO_IP, IP_TTL, &ttl, sizeof(ttl));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ r = setsockopt(m->mdns_ipv4_fd, IPPROTO_IP, IP_MULTICAST_TTL, &ttl, sizeof(ttl));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ r = setsockopt(m->mdns_ipv4_fd, IPPROTO_IP, IP_MULTICAST_LOOP, &one, sizeof(one));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ r = setsockopt(m->mdns_ipv4_fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ r = setsockopt(m->mdns_ipv4_fd, IPPROTO_IP, IP_PKTINFO, &one, sizeof(one));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ r = setsockopt(m->mdns_ipv4_fd, IPPROTO_IP, IP_RECVTTL, &one, sizeof(one));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ /* Disable Don't-Fragment bit in the IP header */
+ r = setsockopt(m->mdns_ipv4_fd, IPPROTO_IP, IP_MTU_DISCOVER, &pmtu, sizeof(pmtu));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ r = bind(m->mdns_ipv4_fd, &sa.sa, sizeof(sa.in));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ r = sd_event_add_io(m->event, &m->mdns_ipv4_event_source, m->mdns_ipv4_fd, EPOLLIN, on_mdns_packet, m);
+ if (r < 0)
+ goto fail;
+
+ return m->mdns_ipv4_fd;
+
+fail:
+ m->mdns_ipv4_fd = safe_close(m->mdns_ipv4_fd);
+ return r;
+}
+
+int manager_mdns_ipv6_fd(Manager *m) {
+ union sockaddr_union sa = {
+ .in6.sin6_family = AF_INET6,
+ .in6.sin6_port = htobe16(MDNS_PORT),
+ };
+ static const int one = 1, ttl = 255;
+ int r;
+
+ assert(m);
+
+ if (m->mdns_ipv6_fd >= 0)
+ return m->mdns_ipv6_fd;
+
+ m->mdns_ipv6_fd = socket(AF_INET6, SOCK_DGRAM|SOCK_CLOEXEC|SOCK_NONBLOCK, 0);
+ if (m->mdns_ipv6_fd < 0)
+ return -errno;
+
+ r = setsockopt(m->mdns_ipv6_fd, IPPROTO_IPV6, IPV6_UNICAST_HOPS, &ttl, sizeof(ttl));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ /* RFC 4795, section 2.5 recommends setting the TTL of UDP packets to 255. */
+ r = setsockopt(m->mdns_ipv6_fd, IPPROTO_IPV6, IPV6_MULTICAST_HOPS, &ttl, sizeof(ttl));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ r = setsockopt(m->mdns_ipv6_fd, IPPROTO_IPV6, IPV6_MULTICAST_LOOP, &one, sizeof(one));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ r = setsockopt(m->mdns_ipv6_fd, IPPROTO_IPV6, IPV6_V6ONLY, &one, sizeof(one));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ r = setsockopt(m->mdns_ipv6_fd, SOL_SOCKET, SO_REUSEADDR, &one, sizeof(one));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ r = setsockopt(m->mdns_ipv6_fd, IPPROTO_IPV6, IPV6_RECVPKTINFO, &one, sizeof(one));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ r = setsockopt(m->mdns_ipv6_fd, IPPROTO_IPV6, IPV6_RECVHOPLIMIT, &one, sizeof(one));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ r = bind(m->mdns_ipv6_fd, &sa.sa, sizeof(sa.in6));
+ if (r < 0) {
+ r = -errno;
+ goto fail;
+ }
+
+ r = sd_event_add_io(m->event, &m->mdns_ipv6_event_source, m->mdns_ipv6_fd, EPOLLIN, on_mdns_packet, m);
+ if (r < 0)
+ goto fail;
+
+ return m->mdns_ipv6_fd;
+
+fail:
+ m->mdns_ipv6_fd = safe_close(m->mdns_ipv6_fd);
+ return r;
+}
diff --git a/src/resolve/resolved-mdns.h b/src/resolve/resolved-mdns.h
new file mode 100644
index 0000000000..8a84010615
--- /dev/null
+++ b/src/resolve/resolved-mdns.h
@@ -0,0 +1,32 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+#pragma once
+
+/***
+ This file is part of systemd.
+
+ Copyright 2015 Daniel Mack
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include "resolved-manager.h"
+
+#define MDNS_PORT 5353
+
+int manager_mdns_ipv4_fd(Manager *m);
+int manager_mdns_ipv6_fd(Manager *m);
+
+void manager_mdns_stop(Manager *m);
+int manager_mdns_start(Manager *m);
diff --git a/src/resolve/resolved.conf.in b/src/resolve/resolved.conf.in
index 39ecf83217..efc9c6733a 100644
--- a/src/resolve/resolved.conf.in
+++ b/src/resolve/resolved.conf.in
@@ -16,3 +16,4 @@
#FallbackDNS=@DNS_SERVERS@
#Domains=
#LLMNR=yes
+#DNSSEC=no
diff --git a/src/resolve/test-dnssec.c b/src/resolve/test-dnssec.c
new file mode 100644
index 0000000000..0b2ffeeddd
--- /dev/null
+++ b/src/resolve/test-dnssec.c
@@ -0,0 +1,217 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+ This file is part of systemd.
+
+ Copyright 2015 Lennart Poettering
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <arpa/inet.h>
+#include <netinet/in.h>
+#include <sys/socket.h>
+
+#include "alloc-util.h"
+#include "resolved-dns-dnssec.h"
+#include "resolved-dns-rr.h"
+#include "string-util.h"
+
+static void test_dnssec_verify_rrset(void) {
+
+ static const uint8_t signature_blob[] = {
+ 0x7f, 0x79, 0xdd, 0x5e, 0x89, 0x79, 0x18, 0xd0, 0x34, 0x86, 0x8c, 0x72, 0x77, 0x75, 0x48, 0x4d,
+ 0xc3, 0x7d, 0x38, 0x04, 0xab, 0xcd, 0x9e, 0x4c, 0x82, 0xb0, 0x92, 0xca, 0xe9, 0x66, 0xe9, 0x6e,
+ 0x47, 0xc7, 0x68, 0x8c, 0x94, 0xf6, 0x69, 0xcb, 0x75, 0x94, 0xe6, 0x30, 0xa6, 0xfb, 0x68, 0x64,
+ 0x96, 0x1a, 0x84, 0xe1, 0xdc, 0x16, 0x4c, 0x83, 0x6c, 0x44, 0xf2, 0x74, 0x4d, 0x74, 0x79, 0x8f,
+ 0xf3, 0xf4, 0x63, 0x0d, 0xef, 0x5a, 0xe7, 0xe2, 0xfd, 0xf2, 0x2b, 0x38, 0x7c, 0x28, 0x96, 0x9d,
+ 0xb6, 0xcd, 0x5c, 0x3b, 0x57, 0xe2, 0x24, 0x78, 0x65, 0xd0, 0x9e, 0x77, 0x83, 0x09, 0x6c, 0xff,
+ 0x3d, 0x52, 0x3f, 0x6e, 0xd1, 0xed, 0x2e, 0xf9, 0xee, 0x8e, 0xa6, 0xbe, 0x9a, 0xa8, 0x87, 0x76,
+ 0xd8, 0x77, 0xcc, 0x96, 0xa0, 0x98, 0xa1, 0xd1, 0x68, 0x09, 0x43, 0xcf, 0x56, 0xd9, 0xd1, 0x66,
+ };
+
+ static const uint8_t dnskey_blob[] = {
+ 0x03, 0x01, 0x00, 0x01, 0x9b, 0x49, 0x9b, 0xc1, 0xf9, 0x9a, 0xe0, 0x4e, 0xcf, 0xcb, 0x14, 0x45,
+ 0x2e, 0xc9, 0xf9, 0x74, 0xa7, 0x18, 0xb5, 0xf3, 0xde, 0x39, 0x49, 0xdf, 0x63, 0x33, 0x97, 0x52,
+ 0xe0, 0x8e, 0xac, 0x50, 0x30, 0x8e, 0x09, 0xd5, 0x24, 0x3d, 0x26, 0xa4, 0x49, 0x37, 0x2b, 0xb0,
+ 0x6b, 0x1b, 0xdf, 0xde, 0x85, 0x83, 0xcb, 0x22, 0x4e, 0x60, 0x0a, 0x91, 0x1a, 0x1f, 0xc5, 0x40,
+ 0xb1, 0xc3, 0x15, 0xc1, 0x54, 0x77, 0x86, 0x65, 0x53, 0xec, 0x10, 0x90, 0x0c, 0x91, 0x00, 0x5e,
+ 0x15, 0xdc, 0x08, 0x02, 0x4c, 0x8c, 0x0d, 0xc0, 0xac, 0x6e, 0xc4, 0x3e, 0x1b, 0x80, 0x19, 0xe4,
+ 0xf7, 0x5f, 0x77, 0x51, 0x06, 0x87, 0x61, 0xde, 0xa2, 0x18, 0x0f, 0x40, 0x8b, 0x79, 0x72, 0xfa,
+ 0x8d, 0x1a, 0x44, 0x47, 0x0d, 0x8e, 0x3a, 0x2d, 0xc7, 0x39, 0xbf, 0x56, 0x28, 0x97, 0xd9, 0x20,
+ 0x4f, 0x00, 0x51, 0x3b,
+ };
+
+ _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *a = NULL, *rrsig = NULL, *dnskey = NULL;
+ _cleanup_(dns_answer_unrefp) DnsAnswer *answer = NULL;
+ _cleanup_free_ char *x = NULL, *y = NULL, *z = NULL;
+
+ a = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_A, "nAsA.gov");
+ assert_se(a);
+
+ a->a.in_addr.s_addr = inet_addr("52.0.14.116");
+
+ assert_se(dns_resource_record_to_string(a, &x) >= 0);
+ log_info("A: %s", x);
+
+ rrsig = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_RRSIG, "NaSa.GOV.");
+ assert_se(rrsig);
+
+ rrsig->rrsig.type_covered = DNS_TYPE_A;
+ rrsig->rrsig.algorithm = DNSSEC_ALGORITHM_RSASHA256;
+ rrsig->rrsig.labels = 2;
+ rrsig->rrsig.original_ttl = 600;
+ rrsig->rrsig.expiration = 0x5683135c;
+ rrsig->rrsig.inception = 0x565b7da8;
+ rrsig->rrsig.key_tag = 63876;
+ rrsig->rrsig.signer = strdup("Nasa.Gov.");
+ assert_se(rrsig->rrsig.signer);
+ rrsig->rrsig.signature_size = sizeof(signature_blob);
+ rrsig->rrsig.signature = memdup(signature_blob, rrsig->rrsig.signature_size);
+ assert_se(rrsig->rrsig.signature);
+
+ assert_se(dns_resource_record_to_string(rrsig, &y) >= 0);
+ log_info("RRSIG: %s", y);
+
+ dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nASA.gOV");
+ assert_se(dnskey);
+
+ dnskey->dnskey.flags = 256;
+ dnskey->dnskey.protocol = 3;
+ dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
+ dnskey->dnskey.key_size = sizeof(dnskey_blob);
+ dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
+ assert_se(dnskey->dnskey.key);
+
+ assert_se(dns_resource_record_to_string(dnskey, &z) >= 0);
+ log_info("DNSKEY: %s", z);
+ log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey));
+
+ assert_se(dnssec_key_match_rrsig(a->key, rrsig) > 0);
+ assert_se(dnssec_rrsig_match_dnskey(rrsig, dnskey) > 0);
+
+ answer = dns_answer_new(1);
+ assert_se(answer);
+ assert_se(dns_answer_add(answer, a, 0) >= 0);
+
+ /* Validate the RR as it if was 2015-12-2 today */
+ assert_se(dnssec_verify_rrset(answer, a->key, rrsig, dnskey, 1449092754*USEC_PER_SEC) == DNSSEC_VERIFIED);
+}
+
+static void test_dnssec_verify_dns_key(void) {
+
+ static const uint8_t ds1_fprint[] = {
+ 0x46, 0x8B, 0xC8, 0xDD, 0xC7, 0xE8, 0x27, 0x03, 0x40, 0xBB, 0x8A, 0x1F, 0x3B, 0x2E, 0x45, 0x9D,
+ 0x80, 0x67, 0x14, 0x01,
+ };
+ static const uint8_t ds2_fprint[] = {
+ 0x8A, 0xEE, 0x80, 0x47, 0x05, 0x5F, 0x83, 0xD1, 0x48, 0xBA, 0x8F, 0xF6, 0xDD, 0xA7, 0x60, 0xCE,
+ 0x94, 0xF7, 0xC7, 0x5E, 0x52, 0x4C, 0xF2, 0xE9, 0x50, 0xB9, 0x2E, 0xCB, 0xEF, 0x96, 0xB9, 0x98,
+ };
+ static const uint8_t dnskey_blob[] = {
+ 0x03, 0x01, 0x00, 0x01, 0xa8, 0x12, 0xda, 0x4f, 0xd2, 0x7d, 0x54, 0x14, 0x0e, 0xcc, 0x5b, 0x5e,
+ 0x45, 0x9c, 0x96, 0x98, 0xc0, 0xc0, 0x85, 0x81, 0xb1, 0x47, 0x8c, 0x7d, 0xe8, 0x39, 0x50, 0xcc,
+ 0xc5, 0xd0, 0xf2, 0x00, 0x81, 0x67, 0x79, 0xf6, 0xcc, 0x9d, 0xad, 0x6c, 0xbb, 0x7b, 0x6f, 0x48,
+ 0x97, 0x15, 0x1c, 0xfd, 0x0b, 0xfe, 0xd3, 0xd7, 0x7d, 0x9f, 0x81, 0x26, 0xd3, 0xc5, 0x65, 0x49,
+ 0xcf, 0x46, 0x62, 0xb0, 0x55, 0x6e, 0x47, 0xc7, 0x30, 0xef, 0x51, 0xfb, 0x3e, 0xc6, 0xef, 0xde,
+ 0x27, 0x3f, 0xfa, 0x57, 0x2d, 0xa7, 0x1d, 0x80, 0x46, 0x9a, 0x5f, 0x14, 0xb3, 0xb0, 0x2c, 0xbe,
+ 0x72, 0xca, 0xdf, 0xb2, 0xff, 0x36, 0x5b, 0x4f, 0xec, 0x58, 0x8e, 0x8d, 0x01, 0xe9, 0xa9, 0xdf,
+ 0xb5, 0x60, 0xad, 0x52, 0x4d, 0xfc, 0xa9, 0x3e, 0x8d, 0x35, 0x95, 0xb3, 0x4e, 0x0f, 0xca, 0x45,
+ 0x1b, 0xf7, 0xef, 0x3a, 0x88, 0x25, 0x08, 0xc7, 0x4e, 0x06, 0xc1, 0x62, 0x1a, 0xce, 0xd8, 0x77,
+ 0xbd, 0x02, 0x65, 0xf8, 0x49, 0xfb, 0xce, 0xf6, 0xa8, 0x09, 0xfc, 0xde, 0xb2, 0x09, 0x9d, 0x39,
+ 0xf8, 0x63, 0x9c, 0x32, 0x42, 0x7c, 0xa0, 0x30, 0x86, 0x72, 0x7a, 0x4a, 0xc6, 0xd4, 0xb3, 0x2d,
+ 0x24, 0xef, 0x96, 0x3f, 0xc2, 0xda, 0xd3, 0xf2, 0x15, 0x6f, 0xda, 0x65, 0x4b, 0x81, 0x28, 0x68,
+ 0xf4, 0xfe, 0x3e, 0x71, 0x4f, 0x50, 0x96, 0x72, 0x58, 0xa1, 0x89, 0xdd, 0x01, 0x61, 0x39, 0x39,
+ 0xc6, 0x76, 0xa4, 0xda, 0x02, 0x70, 0x3d, 0xc0, 0xdc, 0x8d, 0x70, 0x72, 0x04, 0x90, 0x79, 0xd4,
+ 0xec, 0x65, 0xcf, 0x49, 0x35, 0x25, 0x3a, 0x14, 0x1a, 0x45, 0x20, 0xeb, 0x31, 0xaf, 0x92, 0xba,
+ 0x20, 0xd3, 0xcd, 0xa7, 0x13, 0x44, 0xdc, 0xcf, 0xf0, 0x27, 0x34, 0xb9, 0xe7, 0x24, 0x6f, 0x73,
+ 0xe7, 0xea, 0x77, 0x03,
+ };
+
+ _cleanup_(dns_resource_record_unrefp) DnsResourceRecord *dnskey = NULL, *ds1 = NULL, *ds2 = NULL;
+ _cleanup_free_ char *a = NULL, *b = NULL, *c = NULL;
+
+ /* The two DS RRs in effect for nasa.gov on 2015-12-01. */
+ ds1 = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "nasa.gov");
+ assert_se(ds1);
+
+ ds1->ds.key_tag = 47857;
+ ds1->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
+ ds1->ds.digest_type = DNSSEC_DIGEST_SHA1;
+ ds1->ds.digest_size = sizeof(ds1_fprint);
+ ds1->ds.digest = memdup(ds1_fprint, ds1->ds.digest_size);
+ assert_se(ds1->ds.digest);
+
+ assert_se(dns_resource_record_to_string(ds1, &a) >= 0);
+ log_info("DS1: %s", a);
+
+ ds2 = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DS, "NASA.GOV");
+ assert_se(ds2);
+
+ ds2->ds.key_tag = 47857;
+ ds2->ds.algorithm = DNSSEC_ALGORITHM_RSASHA256;
+ ds2->ds.digest_type = DNSSEC_DIGEST_SHA256;
+ ds2->ds.digest_size = sizeof(ds2_fprint);
+ ds2->ds.digest = memdup(ds2_fprint, ds2->ds.digest_size);
+ assert_se(ds2->ds.digest);
+
+ assert_se(dns_resource_record_to_string(ds2, &b) >= 0);
+ log_info("DS2: %s", b);
+
+ dnskey = dns_resource_record_new_full(DNS_CLASS_IN, DNS_TYPE_DNSKEY, "nasa.GOV");
+ assert_se(dnskey);
+
+ dnskey->dnskey.flags = 257;
+ dnskey->dnskey.protocol = 3;
+ dnskey->dnskey.algorithm = DNSSEC_ALGORITHM_RSASHA256;
+ dnskey->dnskey.key_size = sizeof(dnskey_blob);
+ dnskey->dnskey.key = memdup(dnskey_blob, sizeof(dnskey_blob));
+ assert_se(dnskey->dnskey.key);
+
+ assert_se(dns_resource_record_to_string(dnskey, &c) >= 0);
+ log_info("DNSKEY: %s", c);
+ log_info("DNSKEY keytag: %u", dnssec_keytag(dnskey));
+
+ assert_se(dnssec_verify_dnskey(dnskey, ds1) > 0);
+ assert_se(dnssec_verify_dnskey(dnskey, ds2) > 0);
+}
+
+static void test_dnssec_canonicalize_one(const char *original, const char *canonical, int r) {
+ char canonicalized[DNSSEC_CANONICAL_HOSTNAME_MAX];
+
+ assert_se(dnssec_canonicalize(original, canonicalized, sizeof(canonicalized)) == r);
+ if (r < 0)
+ return;
+
+ assert_se(streq(canonicalized, canonical));
+}
+
+static void test_dnssec_canonicalize(void) {
+ test_dnssec_canonicalize_one("", ".", 1);
+ test_dnssec_canonicalize_one(".", ".", 1);
+ test_dnssec_canonicalize_one("foo", "foo.", 4);
+ test_dnssec_canonicalize_one("foo.", "foo.", 4);
+ test_dnssec_canonicalize_one("FOO.", "foo.", 4);
+ test_dnssec_canonicalize_one("FOO.bar.", "foo.bar.", 8);
+ test_dnssec_canonicalize_one("FOO..bar.", NULL, -EINVAL);
+}
+
+int main(int argc, char*argv[]) {
+
+ test_dnssec_canonicalize();
+ test_dnssec_verify_dns_key();
+ test_dnssec_verify_rrset();
+
+ return 0;
+}
diff --git a/src/shared/acl-util.c b/src/shared/acl-util.c
index 35f2e1b67d..b4028564c2 100644
--- a/src/shared/acl-util.c
+++ b/src/shared/acl-util.c
@@ -71,6 +71,7 @@ int acl_find_uid(acl_t acl, uid_t uid, acl_entry_t *entry) {
int calc_acl_mask_if_needed(acl_t *acl_p) {
acl_entry_t i;
int r;
+ bool need = false;
assert(acl_p);
@@ -85,17 +86,16 @@ int calc_acl_mask_if_needed(acl_t *acl_p) {
if (tag == ACL_MASK)
return 0;
- if (IN_SET(tag, ACL_USER, ACL_GROUP)) {
- if (acl_calc_mask(acl_p) < 0)
- return -errno;
-
- return 1;
- }
+ if (IN_SET(tag, ACL_USER, ACL_GROUP))
+ need = true;
}
if (r < 0)
return -errno;
- return 0;
+ if (need && acl_calc_mask(acl_p) < 0)
+ return -errno;
+
+ return need;
}
int add_base_acls_if_needed(acl_t *acl_p, const char *path) {
@@ -398,3 +398,34 @@ int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl) {
old = NULL;
return 0;
}
+
+int add_acls_for_user(int fd, uid_t uid) {
+ _cleanup_(acl_freep) acl_t acl = NULL;
+ acl_entry_t entry;
+ acl_permset_t permset;
+ int r;
+
+ acl = acl_get_fd(fd);
+ if (!acl)
+ return -errno;
+
+ r = acl_find_uid(acl, uid, &entry);
+ if (r <= 0) {
+ if (acl_create_entry(&acl, &entry) < 0 ||
+ acl_set_tag_type(entry, ACL_USER) < 0 ||
+ acl_set_qualifier(entry, &uid) < 0)
+ return -errno;
+ }
+
+ /* We do not recalculate the mask unconditionally here,
+ * so that the fchmod() mask above stays intact. */
+ if (acl_get_permset(entry, &permset) < 0 ||
+ acl_add_perm(permset, ACL_READ) < 0)
+ return -errno;
+
+ r = calc_acl_mask_if_needed(&acl);
+ if (r < 0)
+ return r;
+
+ return acl_set_fd(fd, acl);
+}
diff --git a/src/shared/acl-util.h b/src/shared/acl-util.h
index 256a6a5900..1d7f45e2a8 100644
--- a/src/shared/acl-util.h
+++ b/src/shared/acl-util.h
@@ -35,6 +35,7 @@ int add_base_acls_if_needed(acl_t *acl_p, const char *path);
int acl_search_groups(const char* path, char ***ret_groups);
int parse_acl(const char *text, acl_t *acl_access, acl_t *acl_default, bool want_mask);
int acls_for_file(const char *path, acl_type_t type, acl_t new, acl_t *acl);
+int add_acls_for_user(int fd, uid_t uid);
/* acl_free takes multiple argument types.
* Multiple cleanup functions are necessary. */
diff --git a/src/shared/acpi-fpdt.c b/src/shared/acpi-fpdt.c
index 30e03c0652..dcdef50a18 100644
--- a/src/shared/acpi-fpdt.c
+++ b/src/shared/acpi-fpdt.c
@@ -19,9 +19,10 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <fcntl.h>
+#include <stddef.h>
#include <stdint.h>
-#include <stdio.h>
#include <string.h>
#include <unistd.h>
@@ -30,7 +31,6 @@
#include "fd-util.h"
#include "fileio.h"
#include "time-util.h"
-#include "util.h"
struct acpi_table_header {
char signature[4];
diff --git a/src/shared/apparmor-util.c b/src/shared/apparmor-util.c
index f6ac43adfe..f8cbb333d5 100644
--- a/src/shared/apparmor-util.c
+++ b/src/shared/apparmor-util.c
@@ -19,11 +19,12 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stddef.h>
+
#include "alloc-util.h"
#include "apparmor-util.h"
#include "fileio.h"
#include "parse-util.h"
-#include "util.h"
bool mac_apparmor_use(void) {
static int cached_use = -1;
diff --git a/src/shared/architecture.c b/src/shared/architecture.c
index 73937bd5a7..ca6821b4d8 100644
--- a/src/shared/architecture.c
+++ b/src/shared/architecture.c
@@ -22,6 +22,7 @@
#include <sys/utsname.h>
#include "architecture.h"
+#include "macro.h"
#include "string-table.h"
#include "string-util.h"
diff --git a/src/shared/architecture.h b/src/shared/architecture.h
index 61d067cad7..c6af4a5b33 100644
--- a/src/shared/architecture.h
+++ b/src/shared/architecture.h
@@ -23,6 +23,7 @@
#include <endian.h>
+#include "macro.h"
#include "util.h"
/* A cleaned up architecture definition. We don't want to get lost in
diff --git a/src/shared/ask-password-api.c b/src/shared/ask-password-api.c
index fbe2b6fecb..bc12f89f02 100644
--- a/src/shared/ask-password-api.c
+++ b/src/shared/ask-password-api.c
@@ -21,13 +21,22 @@
#include <errno.h>
#include <fcntl.h>
+#include <inttypes.h>
+#include <limits.h>
#include <poll.h>
+#include <signal.h>
#include <stdbool.h>
#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
#include <sys/inotify.h>
#include <sys/signalfd.h>
#include <sys/socket.h>
+#include <sys/stat.h>
+#include <sys/time.h>
+#include <sys/uio.h>
#include <sys/un.h>
#include <termios.h>
#include <unistd.h>
@@ -38,6 +47,8 @@
#include "fileio.h"
#include "formats-util.h"
#include "io-util.h"
+#include "log.h"
+#include "macro.h"
#include "missing.h"
#include "mkdir.h"
#include "random-util.h"
@@ -46,6 +57,7 @@
#include "string-util.h"
#include "strv.h"
#include "terminal-util.h"
+#include "time-util.h"
#include "umask-util.h"
#include "util.h"
diff --git a/src/shared/base-filesystem.c b/src/shared/base-filesystem.c
index e605490c32..2a7a38dd14 100644
--- a/src/shared/base-filesystem.c
+++ b/src/shared/base-filesystem.c
@@ -20,8 +20,11 @@
***/
#include <errno.h>
+#include <fcntl.h>
+#include <stdbool.h>
#include <stdlib.h>
#include <sys/stat.h>
+#include <syslog.h>
#include <unistd.h>
#include "alloc-util.h"
diff --git a/src/shared/boot-timestamps.c b/src/shared/boot-timestamps.c
index 879aca9374..63daf932f0 100644
--- a/src/shared/boot-timestamps.c
+++ b/src/shared/boot-timestamps.c
@@ -23,6 +23,8 @@
#include "acpi-fpdt.h"
#include "boot-timestamps.h"
#include "efivars.h"
+#include "macro.h"
+#include "time-util.h"
int boot_timestamps(const dual_timestamp *n, dual_timestamp *firmware, dual_timestamp *loader) {
usec_t x = 0, y = 0, a;
diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c
index de4c4367ca..5c6dc34700 100644
--- a/src/shared/bus-util.c
+++ b/src/shared/bus-util.c
@@ -19,14 +19,24 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <fcntl.h>
+#include <inttypes.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/ioctl.h>
+#include <sys/resource.h>
#include <sys/socket.h>
+#include <unistd.h>
+#include "sd-bus-protocol.h"
#include "sd-bus.h"
#include "sd-daemon.h"
#include "sd-event.h"
+#include "sd-id128.h"
#include "alloc-util.h"
-#include "bus-error.h"
#include "bus-internal.h"
#include "bus-label.h"
#include "bus-message.h"
@@ -35,7 +45,12 @@
#include "def.h"
#include "env-util.h"
#include "escape.h"
+#include "extract-word.h"
#include "fd-util.h"
+#include "hashmap.h"
+#include "install.h"
+#include "kdbus.h"
+#include "log.h"
#include "macro.h"
#include "missing.h"
#include "parse-util.h"
@@ -49,6 +64,7 @@
#include "string-util.h"
#include "strv.h"
#include "syslog-util.h"
+#include "time-util.h"
#include "unit-name.h"
#include "user-util.h"
#include "utf8.h"
diff --git a/src/shared/bus-util.h b/src/shared/bus-util.h
index ec731d375e..a5e3b6a0b5 100644
--- a/src/shared/bus-util.h
+++ b/src/shared/bus-util.h
@@ -21,11 +21,18 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <sys/types.h>
+
+#include "sd-bus-vtable.h"
#include "sd-bus.h"
#include "sd-event.h"
#include "hashmap.h"
#include "install.h"
+#include "macro.h"
#include "string-util.h"
#include "time-util.h"
diff --git a/src/shared/cgroup-show.c b/src/shared/cgroup-show.c
index 129ffc7056..d256b5a7cc 100644
--- a/src/shared/cgroup-show.c
+++ b/src/shared/cgroup-show.c
@@ -21,7 +21,9 @@
#include <dirent.h>
#include <errno.h>
+#include <stddef.h>
#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
#include "alloc-util.h"
@@ -31,11 +33,11 @@
#include "formats-util.h"
#include "locale-util.h"
#include "macro.h"
+#include "output-mode.h"
#include "path-util.h"
#include "process-util.h"
#include "string-util.h"
#include "terminal-util.h"
-#include "util.h"
static int compare(const void *a, const void *b) {
const pid_t *p = a, *q = b;
diff --git a/src/shared/cgroup-show.h b/src/shared/cgroup-show.h
index 5842bdd15e..24b758658d 100644
--- a/src/shared/cgroup-show.h
+++ b/src/shared/cgroup-show.h
@@ -25,6 +25,7 @@
#include <sys/types.h>
#include "logs-show.h"
+#include "output-mode.h"
int show_cgroup_by_path(const char *path, const char *prefix, unsigned columns, bool kernel_threads, OutputFlags flags);
int show_cgroup(const char *controller, const char *path, const char *prefix, unsigned columns, bool kernel_threads, OutputFlags flags);
diff --git a/src/shared/clean-ipc.c b/src/shared/clean-ipc.c
index 71cc613704..2c494d3a31 100644
--- a/src/shared/clean-ipc.c
+++ b/src/shared/clean-ipc.c
@@ -20,22 +20,29 @@
***/
#include <dirent.h>
+#include <errno.h>
#include <fcntl.h>
+#include <limits.h>
#include <mqueue.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <string.h>
#include <sys/ipc.h>
#include <sys/msg.h>
#include <sys/sem.h>
#include <sys/shm.h>
#include <sys/stat.h>
+#include <unistd.h>
#include "clean-ipc.h"
#include "dirent-util.h"
#include "fd-util.h"
#include "fileio.h"
#include "formats-util.h"
+#include "log.h"
+#include "macro.h"
#include "string-util.h"
#include "strv.h"
-#include "util.h"
static int clean_sysvipc_shm(uid_t delete_uid) {
_cleanup_fclose_ FILE *f = NULL;
diff --git a/src/shared/condition.c b/src/shared/condition.c
index a69719116c..dedaf2291f 100644
--- a/src/shared/condition.c
+++ b/src/shared/condition.c
@@ -20,9 +20,13 @@
***/
#include <errno.h>
+#include <fcntl.h>
#include <fnmatch.h>
+#include <limits.h>
#include <stdlib.h>
#include <string.h>
+#include <sys/stat.h>
+#include <time.h>
#include <unistd.h>
#include "sd-id128.h"
@@ -38,6 +42,8 @@
#include "glob-util.h"
#include "hostname-util.h"
#include "ima-util.h"
+#include "list.h"
+#include "macro.h"
#include "mount-util.h"
#include "parse-util.h"
#include "path-util.h"
@@ -231,7 +237,7 @@ static int condition_test_security(Condition *c) {
assert(c->type == CONDITION_SECURITY);
if (streq(c->parameter, "selinux"))
- return mac_selinux_use();
+ return mac_selinux_have();
if (streq(c->parameter, "smack"))
return mac_smack_use();
if (streq(c->parameter, "apparmor"))
diff --git a/src/shared/conf-parser.c b/src/shared/conf-parser.c
index 486122b0fd..2aae49fbce 100644
--- a/src/shared/conf-parser.c
+++ b/src/shared/conf-parser.c
@@ -20,15 +20,17 @@
***/
#include <errno.h>
+#include <limits.h>
+#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
-
-#include "sd-messages.h"
+#include <sys/types.h>
#include "alloc-util.h"
#include "conf-files.h"
#include "conf-parser.h"
+#include "extract-word.h"
#include "fd-util.h"
#include "fs-util.h"
#include "log.h"
@@ -40,8 +42,8 @@
#include "string-util.h"
#include "strv.h"
#include "syslog-util.h"
+#include "time-util.h"
#include "utf8.h"
-#include "util.h"
int config_item_table_lookup(
const void *table,
diff --git a/src/shared/conf-parser.h b/src/shared/conf-parser.h
index 2872b22d9d..027ed209d9 100644
--- a/src/shared/conf-parser.h
+++ b/src/shared/conf-parser.h
@@ -21,9 +21,14 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <stdbool.h>
+#include <stddef.h>
#include <stdio.h>
+#include <syslog.h>
+#include "alloc-util.h"
+#include "log.h"
#include "macro.h"
/* An abstract parser for simple, line based, shallow configuration
diff --git a/src/shared/dev-setup.c b/src/shared/dev-setup.c
index ad3c17d5bd..ff583faa6e 100644
--- a/src/shared/dev-setup.c
+++ b/src/shared/dev-setup.c
@@ -26,6 +26,7 @@
#include "alloc-util.h"
#include "dev-setup.h"
#include "label.h"
+#include "log.h"
#include "path-util.h"
#include "user-util.h"
#include "util.h"
diff --git a/src/shared/dns-domain.c b/src/shared/dns-domain.c
index 4cf6355b71..0466857042 100644
--- a/src/shared/dns-domain.c
+++ b/src/shared/dns-domain.c
@@ -24,9 +24,18 @@
#include <stringprep.h>
#endif
+#include <endian.h>
+#include <netinet/in.h>
+#include <stdio.h>
+#include <string.h>
+#include <sys/socket.h>
+
#include "alloc-util.h"
#include "dns-domain.h"
+#include "hashmap.h"
#include "hexdecoct.h"
+#include "in-addr-util.h"
+#include "macro.h"
#include "parse-util.h"
#include "string-util.h"
#include "strv.h"
@@ -53,12 +62,12 @@ int dns_label_unescape(const char **name, char *dest, size_t sz) {
if (*n == 0)
break;
- if (sz <= 0)
- return -ENOSPC;
-
if (r >= DNS_LABEL_MAX)
return -EINVAL;
+ if (sz <= 0)
+ return -ENOBUFS;
+
if (*n == '\\') {
/* Escaped character */
@@ -185,10 +194,14 @@ int dns_label_unescape_suffix(const char *name, const char **label_terminal, cha
int dns_label_escape(const char *p, size_t l, char *dest, size_t sz) {
char *q;
- if (l > DNS_LABEL_MAX)
+ /* DNS labels must be between 1 and 63 characters long. A
+ * zero-length label does not exist. See RFC 2182, Section
+ * 11. */
+
+ if (l <= 0 || l > DNS_LABEL_MAX)
return -EINVAL;
if (sz < 1)
- return -ENOSPC;
+ return -ENOBUFS;
assert(p);
assert(dest);
@@ -198,10 +211,11 @@ int dns_label_escape(const char *p, size_t l, char *dest, size_t sz) {
if (*p == '.' || *p == '\\') {
+ /* Dot or backslash */
+
if (sz < 3)
- return -ENOSPC;
+ return -ENOBUFS;
- /* Dot or backslash */
*(q++) = '\\';
*(q++) = *p;
@@ -216,7 +230,7 @@ int dns_label_escape(const char *p, size_t l, char *dest, size_t sz) {
/* Proper character */
if (sz < 2)
- return -ENOSPC;
+ return -ENOBUFS;
*(q++) = *p;
sz -= 1;
@@ -226,7 +240,7 @@ int dns_label_escape(const char *p, size_t l, char *dest, size_t sz) {
/* Everything else */
if (sz < 5)
- return -ENOSPC;
+ return -ENOBUFS;
*(q++) = '\\';
*(q++) = '0' + (char) ((uint8_t) *p / 100);
@@ -253,7 +267,7 @@ int dns_label_escape_new(const char *p, size_t l, char **ret) {
assert(p);
assert(ret);
- if (l > DNS_LABEL_MAX)
+ if (l <= 0 || l > DNS_LABEL_MAX)
return -EINVAL;
s = new(char, DNS_LABEL_ESCAPED_MAX);
@@ -273,32 +287,52 @@ int dns_label_escape_new(const char *p, size_t l, char **ret) {
int dns_label_apply_idna(const char *encoded, size_t encoded_size, char *decoded, size_t decoded_max) {
#ifdef HAVE_LIBIDN
_cleanup_free_ uint32_t *input = NULL;
- size_t input_size;
+ size_t input_size, l;
const char *p;
bool contains_8bit = false;
+ char buffer[DNS_LABEL_MAX+1];
assert(encoded);
assert(decoded);
- assert(decoded_max >= DNS_LABEL_MAX);
+
+ /* Converts an U-label into an A-label */
if (encoded_size <= 0)
- return 0;
+ return -EINVAL;
for (p = encoded; p < encoded + encoded_size; p++)
if ((uint8_t) *p > 127)
contains_8bit = true;
- if (!contains_8bit)
+ if (!contains_8bit) {
+ if (encoded_size > DNS_LABEL_MAX)
+ return -EINVAL;
+
return 0;
+ }
input = stringprep_utf8_to_ucs4(encoded, encoded_size, &input_size);
if (!input)
return -ENOMEM;
- if (idna_to_ascii_4i(input, input_size, decoded, 0) != 0)
+ if (idna_to_ascii_4i(input, input_size, buffer, 0) != 0)
return -EINVAL;
- return strlen(decoded);
+ l = strlen(buffer);
+
+ /* Verify that the the result is not longer than one DNS label. */
+ if (l <= 0 || l > DNS_LABEL_MAX)
+ return -EINVAL;
+ if (l > decoded_max)
+ return -ENOBUFS;
+
+ memcpy(decoded, buffer, l);
+
+ /* If there's room, append a trailing NUL byte, but only then */
+ if (decoded_max > l)
+ decoded[l] = 0;
+
+ return (int) l;
#else
return 0;
#endif
@@ -312,11 +346,14 @@ int dns_label_undo_idna(const char *encoded, size_t encoded_size, char *decoded,
uint32_t *output = NULL;
size_t w;
- /* To be invoked after unescaping */
+ /* To be invoked after unescaping. Converts an A-label into an U-label. */
assert(encoded);
assert(decoded);
+ if (encoded_size <= 0 || encoded_size > DNS_LABEL_MAX)
+ return -EINVAL;
+
if (encoded_size < sizeof(IDNA_ACE_PREFIX)-1)
return 0;
@@ -336,11 +373,16 @@ int dns_label_undo_idna(const char *encoded, size_t encoded_size, char *decoded,
if (!result)
return -ENOMEM;
if (w <= 0)
- return 0;
- if (w+1 > decoded_max)
return -EINVAL;
+ if (w > decoded_max)
+ return -ENOBUFS;
+
+ memcpy(decoded, result, w);
+
+ /* Append trailing NUL byte if there's space, but only then. */
+ if (decoded_max > w)
+ decoded[w] = 0;
- memcpy(decoded, result, w+1);
return w;
#else
return 0;
@@ -357,7 +399,6 @@ int dns_name_concat(const char *a, const char *b, char **_ret) {
assert(a);
for (;;) {
- _cleanup_free_ char *t = NULL;
char label[DNS_LABEL_MAX];
int k;
@@ -410,6 +451,9 @@ int dns_name_concat(const char *a, const char *b, char **_ret) {
n += r;
}
+ if (n > DNS_HOSTNAME_MAX)
+ return -EINVAL;
+
if (_ret) {
if (!GREEDY_REALLOC(ret, allocated, n + 1))
return -ENOMEM;
@@ -512,24 +556,32 @@ int dns_name_equal(const char *x, const char *y) {
r = dns_label_unescape(&x, la, sizeof(la));
if (r < 0)
return r;
-
- k = dns_label_undo_idna(la, r, la, sizeof(la));
- if (k < 0)
- return k;
- if (k > 0)
- r = k;
+ if (r > 0) {
+ k = dns_label_undo_idna(la, r, la, sizeof(la));
+ if (k < 0)
+ return k;
+ if (k > 0)
+ r = k;
+ }
q = dns_label_unescape(&y, lb, sizeof(lb));
if (q < 0)
return q;
- w = dns_label_undo_idna(lb, q, lb, sizeof(lb));
- if (w < 0)
- return w;
- if (w > 0)
- q = w;
+ if (q > 0) {
+ w = dns_label_undo_idna(lb, q, lb, sizeof(lb));
+ if (w < 0)
+ return w;
+ if (w > 0)
+ q = w;
+ }
+
+ /* If one name had fewer labels than the other, this
+ * will show up as empty label here, which the
+ * strcasecmp() below will properly consider different
+ * from a non-empty label. */
la[r] = lb[q] = 0;
- if (strcasecmp(la, lb))
+ if (strcasecmp(la, lb) != 0)
return false;
}
}
@@ -550,11 +602,13 @@ int dns_name_endswith(const char *name, const char *suffix) {
r = dns_label_unescape(&n, ln, sizeof(ln));
if (r < 0)
return r;
- k = dns_label_undo_idna(ln, r, ln, sizeof(ln));
- if (k < 0)
- return k;
- if (k > 0)
- r = k;
+ if (r > 0) {
+ k = dns_label_undo_idna(ln, r, ln, sizeof(ln));
+ if (k < 0)
+ return k;
+ if (k > 0)
+ r = k;
+ }
if (!saved_n)
saved_n = n;
@@ -562,11 +616,13 @@ int dns_name_endswith(const char *name, const char *suffix) {
q = dns_label_unescape(&s, ls, sizeof(ls));
if (q < 0)
return q;
- w = dns_label_undo_idna(ls, q, ls, sizeof(ls));
- if (w < 0)
- return w;
- if (w > 0)
- q = w;
+ if (q > 0) {
+ w = dns_label_undo_idna(ls, q, ls, sizeof(ls));
+ if (w < 0)
+ return w;
+ if (w > 0)
+ q = w;
+ }
if (r == 0 && q == 0)
return true;
@@ -606,11 +662,13 @@ int dns_name_change_suffix(const char *name, const char *old_suffix, const char
r = dns_label_unescape(&n, ln, sizeof(ln));
if (r < 0)
return r;
- k = dns_label_undo_idna(ln, r, ln, sizeof(ln));
- if (k < 0)
- return k;
- if (k > 0)
- r = k;
+ if (r > 0) {
+ k = dns_label_undo_idna(ln, r, ln, sizeof(ln));
+ if (k < 0)
+ return k;
+ if (k > 0)
+ r = k;
+ }
if (!saved_after)
saved_after = n;
@@ -618,11 +676,13 @@ int dns_name_change_suffix(const char *name, const char *old_suffix, const char
q = dns_label_unescape(&s, ls, sizeof(ls));
if (q < 0)
return q;
- w = dns_label_undo_idna(ls, q, ls, sizeof(ls));
- if (w < 0)
- return w;
- if (w > 0)
- q = w;
+ if (q > 0) {
+ w = dns_label_undo_idna(ls, q, ls, sizeof(ls));
+ if (w < 0)
+ return w;
+ if (w > 0)
+ q = w;
+ }
if (r == 0 && q == 0)
break;
@@ -813,37 +873,60 @@ bool dns_name_is_single_label(const char *name) {
return dns_name_is_root(name);
}
-/* Encode a domain name according to RFC 1035 Section 3.1 */
-int dns_name_to_wire_format(const char *domain, uint8_t *buffer, size_t len) {
- uint8_t *label_length;
- uint8_t *out;
+/* Encode a domain name according to RFC 1035 Section 3.1, without compression */
+int dns_name_to_wire_format(const char *domain, uint8_t *buffer, size_t len, bool canonical) {
+ uint8_t *label_length, *out;
int r;
- assert_return(buffer, -EINVAL);
- assert_return(domain, -EINVAL);
- assert_return(domain[0], -EINVAL);
+ assert(domain);
+ assert(buffer);
out = buffer;
do {
- /* reserve a byte for label length */
- if (len == 0)
+ /* Reserve a byte for label length */
+ if (len <= 0)
return -ENOBUFS;
len--;
label_length = out;
out++;
- /* convert and copy a single label */
+ /* Convert and copy a single label. Note that
+ * dns_label_unescape() returns 0 when it hits the end
+ * of the domain name, which we rely on here to encode
+ * the trailing NUL byte. */
r = dns_label_unescape(&domain, (char *) out, len);
if (r < 0)
return r;
- /* fill label length, move forward */
+ if (canonical) {
+ size_t i;
+
+ /* Optionally, output the name in DNSSEC
+ * canonical format, as described in RFC 4034,
+ * section 6.2. Or in other words: in
+ * lower-case. */
+
+ for (i = 0; i < (size_t) r; i++) {
+ if (out[i] >= 'A' && out[i] <= 'Z')
+ out[i] = out[i] - 'A' + 'a';
+ }
+ }
+
+ /* Fill label length, move forward */
*label_length = r;
out += r;
len -= r;
+
} while (r != 0);
+ /* Verify the maximum size of the encoded name. The trailing
+ * dot + NUL byte account are included this time, hence
+ * compare against DNS_HOSTNAME_MAX + 2 (which is 255) this
+ * time. */
+ if (out - buffer > DNS_HOSTNAME_MAX + 2)
+ return -EINVAL;
+
return out - buffer;
}
diff --git a/src/shared/dns-domain.h b/src/shared/dns-domain.h
index 99c72574db..3f8f621802 100644
--- a/src/shared/dns-domain.h
+++ b/src/shared/dns-domain.h
@@ -22,12 +22,26 @@
#pragma once
+#include <errno.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
+
#include "hashmap.h"
#include "in-addr-util.h"
+/* Length of a single label, with all escaping removed, excluding any trailing dot or NUL byte */
#define DNS_LABEL_MAX 63
+
+/* Worst case length of a single label, with all escaping applied and room for a trailing NUL byte. */
#define DNS_LABEL_ESCAPED_MAX (DNS_LABEL_MAX*4+1)
+/* Maximum length of a full hostname, consisting of a series of unescaped labels, and no trailing dot or NUL byte */
+#define DNS_HOSTNAME_MAX 253
+
+/* Maximum length of a full hostname, on the wire, including the final NUL byte */
+#define DNS_WIRE_FOMAT_HOSTNAME_MAX 255
+
int dns_label_unescape(const char **name, char *dest, size_t sz);
int dns_label_unescape_suffix(const char *name, const char **label_end, char *dest, size_t sz);
int dns_label_escape(const char *p, size_t l, char *dest, size_t sz);
@@ -71,7 +85,7 @@ int dns_name_address(const char *p, int *family, union in_addr_union *a);
bool dns_name_is_root(const char *name);
bool dns_name_is_single_label(const char *name);
-int dns_name_to_wire_format(const char *domain, uint8_t *buffer, size_t len);
+int dns_name_to_wire_format(const char *domain, uint8_t *buffer, size_t len, bool canonical);
bool dns_srv_type_is_valid(const char *name);
bool dns_service_name_is_valid(const char *name);
diff --git a/src/shared/dropin.c b/src/shared/dropin.c
index 0d44401cc2..692e8b8338 100644
--- a/src/shared/dropin.c
+++ b/src/shared/dropin.c
@@ -19,17 +19,27 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <dirent.h>
+#include <errno.h>
+#include <stdarg.h>
+#include <stdio.h>
+#include <stdlib.h>
+
#include "alloc-util.h"
#include "conf-files.h"
#include "dropin.h"
#include "escape.h"
#include "fd-util.h"
#include "fileio-label.h"
+#include "hashmap.h"
+#include "log.h"
+#include "macro.h"
#include "mkdir.h"
#include "path-util.h"
+#include "set.h"
#include "string-util.h"
#include "strv.h"
-#include "util.h"
+#include "unit-name.h"
int drop_in_file(const char *dir, const char *unit, unsigned level,
const char *name, char **_p, char **_q) {
diff --git a/src/shared/dropin.h b/src/shared/dropin.h
index d4531fca2d..a8d647e990 100644
--- a/src/shared/dropin.h
+++ b/src/shared/dropin.h
@@ -21,6 +21,7 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include "hashmap.h"
#include "macro.h"
#include "set.h"
#include "unit-name.h"
diff --git a/src/shared/efivars.c b/src/shared/efivars.c
index 89deeb9b55..13af68d539 100644
--- a/src/shared/efivars.c
+++ b/src/shared/efivars.c
@@ -19,17 +19,27 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <dirent.h>
+#include <errno.h>
#include <fcntl.h>
+#include <limits.h>
+#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
+#include <sys/stat.h>
#include <unistd.h>
+#include "sd-id128.h"
+
#include "alloc-util.h"
#include "dirent-util.h"
#include "efivars.h"
#include "fd-util.h"
#include "io-util.h"
+#include "macro.h"
#include "parse-util.h"
#include "stdio-util.h"
+#include "time-util.h"
#include "utf8.h"
#include "util.h"
#include "virt.h"
diff --git a/src/shared/efivars.h b/src/shared/efivars.h
index 5cb4c3af4e..94af9717b0 100644
--- a/src/shared/efivars.h
+++ b/src/shared/efivars.h
@@ -22,6 +22,8 @@
***/
#include <stdbool.h>
+#include <stddef.h>
+#include <stdint.h>
#include "sd-id128.h"
diff --git a/src/shared/firewall-util.c b/src/shared/firewall-util.c
index 5acfb0191b..9606122345 100644
--- a/src/shared/firewall-util.c
+++ b/src/shared/firewall-util.c
@@ -19,9 +19,14 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <alloca.h>
#include <arpa/inet.h>
+#include <endian.h>
+#include <errno.h>
#include <net/if.h>
-#include <sys/types.h>
+#include <stddef.h>
+#include <string.h>
+#include <sys/socket.h>
#include <linux/netfilter_ipv4/ip_tables.h>
#include <linux/netfilter/nf_nat.h>
#include <linux/netfilter/xt_addrtype.h>
@@ -29,7 +34,8 @@
#include "alloc-util.h"
#include "firewall-util.h"
-#include "util.h"
+#include "in-addr-util.h"
+#include "macro.h"
DEFINE_TRIVIAL_CLEANUP_FUNC(struct xtc_handle*, iptc_free);
diff --git a/src/shared/firewall-util.h b/src/shared/firewall-util.h
index 93152e3978..463e09bcaf 100644
--- a/src/shared/firewall-util.h
+++ b/src/shared/firewall-util.h
@@ -21,6 +21,9 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdbool.h>
+#include <stdint.h>
+
#include "in-addr-util.h"
#ifdef HAVE_LIBIPTC
diff --git a/src/shared/fstab-util.c b/src/shared/fstab-util.c
index eb2845cddf..d013901973 100644
--- a/src/shared/fstab-util.c
+++ b/src/shared/fstab-util.c
@@ -19,9 +19,16 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <mntent.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
#include "alloc-util.h"
#include "device-nodes.h"
#include "fstab-util.h"
+#include "macro.h"
#include "mount-util.h"
#include "parse-util.h"
#include "path-util.h"
diff --git a/src/shared/generator.c b/src/shared/generator.c
index 9998c64416..37de3f7cb1 100644
--- a/src/shared/generator.c
+++ b/src/shared/generator.c
@@ -19,6 +19,7 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <unistd.h>
#include "alloc-util.h"
@@ -28,11 +29,13 @@
#include "fileio.h"
#include "fstab-util.h"
#include "generator.h"
+#include "log.h"
+#include "macro.h"
#include "mkdir.h"
-#include "mount-util.h"
#include "path-util.h"
#include "special.h"
#include "string-util.h"
+#include "time-util.h"
#include "unit-name.h"
#include "util.h"
diff --git a/src/shared/import-util.c b/src/shared/import-util.c
index ddc8c00a2d..29ce732b56 100644
--- a/src/shared/import-util.c
+++ b/src/shared/import-util.c
@@ -19,9 +19,14 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <string.h>
+
#include "alloc-util.h"
#include "btrfs-util.h"
#include "import-util.h"
+#include "log.h"
+#include "macro.h"
#include "path-util.h"
#include "string-table.h"
#include "string-util.h"
diff --git a/src/shared/install-printf.c b/src/shared/install-printf.c
index 74b909d34d..645b3ce33c 100644
--- a/src/shared/install-printf.c
+++ b/src/shared/install-printf.c
@@ -19,15 +19,18 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-#include <stdlib.h>
+#include <errno.h>
+#include <stdio.h>
+#include <string.h>
+#include <unistd.h>
-#include "alloc-util.h"
#include "formats-util.h"
#include "install-printf.h"
+#include "install.h"
+#include "macro.h"
#include "specifier.h"
#include "unit-name.h"
#include "user-util.h"
-#include "util.h"
static int specifier_prefix_and_instance(char specifier, void *data, void *userdata, char **ret) {
UnitFileInstallInfo *i = userdata;
diff --git a/src/shared/install.c b/src/shared/install.c
index 17e03e59cd..b37f8922df 100644
--- a/src/shared/install.c
+++ b/src/shared/install.c
@@ -19,22 +19,31 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <dirent.h>
#include <errno.h>
#include <fcntl.h>
#include <fnmatch.h>
+#include <limits.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
+#include <sys/stat.h>
#include <unistd.h>
#include "alloc-util.h"
#include "conf-files.h"
#include "conf-parser.h"
#include "dirent-util.h"
+#include "extract-word.h"
#include "fd-util.h"
#include "fileio.h"
#include "fs-util.h"
#include "hashmap.h"
#include "install-printf.h"
#include "install.h"
+#include "log.h"
+#include "macro.h"
#include "mkdir.h"
#include "path-lookup.h"
#include "path-util.h"
@@ -45,7 +54,6 @@
#include "string-util.h"
#include "strv.h"
#include "unit-name.h"
-#include "util.h"
#define UNIT_FILE_FOLLOW_SYMLINK_MAX 64
diff --git a/src/shared/install.h b/src/shared/install.h
index 45a417df92..5519fbcf8f 100644
--- a/src/shared/install.h
+++ b/src/shared/install.h
@@ -30,7 +30,10 @@ typedef struct UnitFileChange UnitFileChange;
typedef struct UnitFileList UnitFileList;
typedef struct UnitFileInstallInfo UnitFileInstallInfo;
+#include <stdbool.h>
+
#include "hashmap.h"
+#include "macro.h"
#include "path-lookup.h"
#include "strv.h"
#include "unit-name.h"
diff --git a/src/shared/logs-show.c b/src/shared/logs-show.c
index 0d7892ac1e..193dad1943 100644
--- a/src/shared/logs-show.c
+++ b/src/shared/logs-show.c
@@ -21,9 +21,17 @@
#include <errno.h>
#include <fcntl.h>
+#include <signal.h>
+#include <stdint.h>
+#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
+#include <syslog.h>
#include <time.h>
+#include <unistd.h>
+
+#include "sd-id128.h"
+#include "sd-journal.h"
#include "alloc-util.h"
#include "fd-util.h"
@@ -34,11 +42,15 @@
#include "journal-internal.h"
#include "log.h"
#include "logs-show.h"
+#include "macro.h"
+#include "output-mode.h"
#include "parse-util.h"
#include "process-util.h"
+#include "sparse-endian.h"
#include "string-table.h"
#include "string-util.h"
#include "terminal-util.h"
+#include "time-util.h"
#include "utf8.h"
#include "util.h"
diff --git a/src/shared/logs-show.h b/src/shared/logs-show.h
index 98927bbc59..396050936d 100644
--- a/src/shared/logs-show.h
+++ b/src/shared/logs-show.h
@@ -22,11 +22,15 @@
***/
#include <stdbool.h>
+#include <stddef.h>
+#include <stdio.h>
#include <sys/types.h>
#include "sd-journal.h"
+#include "macro.h"
#include "output-mode.h"
+#include "time-util.h"
#include "util.h"
int output_journal(
diff --git a/src/shared/machine-image.c b/src/shared/machine-image.c
index 2c1da0a40d..2ded0ff698 100644
--- a/src/shared/machine-image.c
+++ b/src/shared/machine-image.c
@@ -19,10 +19,15 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <dirent.h>
+#include <errno.h>
#include <fcntl.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <sys/stat.h>
+#include <unistd.h>
#include <linux/fs.h>
-#include <sys/statfs.h>
-
#include "alloc-util.h"
#include "btrfs-util.h"
#include "chattr-util.h"
@@ -30,6 +35,10 @@
#include "dirent-util.h"
#include "fd-util.h"
#include "fs-util.h"
+#include "hashmap.h"
+#include "lockfile-util.h"
+#include "log.h"
+#include "macro.h"
#include "machine-image.h"
#include "mkdir.h"
#include "path-util.h"
@@ -37,7 +46,9 @@
#include "string-table.h"
#include "string-util.h"
#include "strv.h"
+#include "time-util.h"
#include "utf8.h"
+#include "util.h"
#include "xattr-util.h"
static const char image_search_path[] =
diff --git a/src/shared/machine-image.h b/src/shared/machine-image.h
index 038db7453c..5e9d8f6980 100644
--- a/src/shared/machine-image.h
+++ b/src/shared/machine-image.h
@@ -21,8 +21,12 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdbool.h>
+#include <stdint.h>
+
#include "hashmap.h"
#include "lockfile-util.h"
+#include "macro.h"
#include "time-util.h"
typedef enum ImageType {
diff --git a/src/shared/machine-pool.c b/src/shared/machine-pool.c
index 4172a63fd0..23cbd8d600 100644
--- a/src/shared/machine-pool.c
+++ b/src/shared/machine-pool.c
@@ -19,10 +19,23 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <fcntl.h>
+#include <linux/loop.h>
+#include <signal.h>
+#include <stdbool.h>
+#include <stdio.h>
+#include <stdlib.h>
+#include <sys/ioctl.h>
#include <sys/mount.h>
#include <sys/prctl.h>
+#include <sys/stat.h>
+#include <sys/statfs.h>
#include <sys/statvfs.h>
-#include <sys/vfs.h>
+#include <unistd.h>
+
+#include "sd-bus-protocol.h"
+#include "sd-bus.h"
#include "alloc-util.h"
#include "btrfs-util.h"
@@ -30,7 +43,10 @@
#include "fileio.h"
#include "fs-util.h"
#include "lockfile-util.h"
+#include "log.h"
#include "machine-pool.h"
+#include "macro.h"
+#include "missing.h"
#include "mkdir.h"
#include "mount-util.h"
#include "parse-util.h"
@@ -39,7 +55,6 @@
#include "signal-util.h"
#include "stat-util.h"
#include "string-util.h"
-#include "util.h"
#define VAR_LIB_MACHINES_SIZE_START (1024UL*1024UL*500UL)
#define VAR_LIB_MACHINES_FREE_MIN (1024UL*1024UL*750UL)
diff --git a/src/shared/machine-pool.h b/src/shared/machine-pool.h
index fe01d3d47c..a1f2c5c626 100644
--- a/src/shared/machine-pool.h
+++ b/src/shared/machine-pool.h
@@ -21,6 +21,8 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdint.h>
+
#include "sd-bus.h"
/* Grow the /var/lib/machines directory after each 10MiB written */
diff --git a/src/shared/pager.c b/src/shared/pager.c
index d149bc1722..07ce926d75 100644
--- a/src/shared/pager.c
+++ b/src/shared/pager.c
@@ -19,7 +19,11 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-#include <fcntl.h>
+#include <errno.h>
+#include <signal.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
@@ -28,13 +32,13 @@
#include "copy.h"
#include "fd-util.h"
#include "locale-util.h"
+#include "log.h"
#include "macro.h"
#include "pager.h"
#include "process-util.h"
#include "signal-util.h"
#include "string-util.h"
#include "terminal-util.h"
-#include "util.h"
static pid_t pager_pid = 0;
diff --git a/src/shared/path-lookup.c b/src/shared/path-lookup.c
index 4a82bd18cd..90114001ee 100644
--- a/src/shared/path-lookup.c
+++ b/src/shared/path-lookup.c
@@ -26,6 +26,8 @@
#include "alloc-util.h"
#include "install.h"
+#include "log.h"
+#include "macro.h"
#include "path-lookup.h"
#include "path-util.h"
#include "string-util.h"
diff --git a/src/shared/path-lookup.h b/src/shared/path-lookup.h
index e35c8d3c04..b8036718ba 100644
--- a/src/shared/path-lookup.h
+++ b/src/shared/path-lookup.h
@@ -21,6 +21,7 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdbool.h>
#include "macro.h"
typedef struct LookupPaths {
diff --git a/src/shared/ptyfwd.c b/src/shared/ptyfwd.c
index 2666b8f7e2..e6a7a488c9 100644
--- a/src/shared/ptyfwd.c
+++ b/src/shared/ptyfwd.c
@@ -19,15 +19,27 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <limits.h>
+#include <signal.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
#include <sys/epoll.h>
#include <sys/ioctl.h>
+#include <sys/time.h>
#include <termios.h>
+#include <unistd.h>
+
+#include "sd-event.h"
#include "alloc-util.h"
#include "fd-util.h"
+#include "log.h"
+#include "macro.h"
#include "ptyfwd.h"
-#include "util.h"
+#include "time-util.h"
struct PTYForward {
sd_event *event;
diff --git a/src/shared/ptyfwd.h b/src/shared/ptyfwd.h
index 9b3214221b..002590d1cf 100644
--- a/src/shared/ptyfwd.h
+++ b/src/shared/ptyfwd.h
@@ -25,6 +25,8 @@
#include "sd-event.h"
+#include "macro.h"
+
typedef struct PTYForward PTYForward;
typedef enum PTYForwardFlags {
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index 09baf51661..bd1d44a0ab 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -19,11 +19,13 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
#include <seccomp.h>
+#include <stddef.h>
+#include "macro.h"
#include "seccomp-util.h"
#include "string-util.h"
-#include "util.h"
const char* seccomp_arch_to_string(uint32_t c) {
diff --git a/src/shared/seccomp-util.h b/src/shared/seccomp-util.h
index 60d97154ec..79ee8c728d 100644
--- a/src/shared/seccomp-util.h
+++ b/src/shared/seccomp-util.h
@@ -22,6 +22,7 @@
***/
#include <seccomp.h>
+#include <stdint.h>
const char* seccomp_arch_to_string(uint32_t c);
int seccomp_arch_from_string(const char *n, uint32_t *ret);
diff --git a/src/shared/sleep-config.c b/src/shared/sleep-config.c
index 39b836d053..7ba11e2f0e 100644
--- a/src/shared/sleep-config.c
+++ b/src/shared/sleep-config.c
@@ -19,7 +19,13 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <stdbool.h>
+#include <stddef.h>
#include <stdio.h>
+#include <string.h>
+#include <syslog.h>
+#include <unistd.h>
#include "alloc-util.h"
#include "conf-parser.h"
@@ -27,11 +33,11 @@
#include "fd-util.h"
#include "fileio.h"
#include "log.h"
+#include "macro.h"
#include "parse-util.h"
#include "sleep-config.h"
#include "string-util.h"
#include "strv.h"
-#include "util.h"
#define USE(x, y) do{ (x) = (y); (y) = NULL; } while(0)
diff --git a/src/shared/spawn-polkit-agent.c b/src/shared/spawn-polkit-agent.c
index 8ea6cb830b..ada4bdb17e 100644
--- a/src/shared/spawn-polkit-agent.c
+++ b/src/shared/spawn-polkit-agent.c
@@ -28,9 +28,11 @@
#include "fd-util.h"
#include "io-util.h"
#include "log.h"
+#include "macro.h"
#include "process-util.h"
#include "spawn-polkit-agent.h"
#include "stdio-util.h"
+#include "time-util.h"
#include "util.h"
#ifdef ENABLE_POLKIT
diff --git a/src/shared/specifier.c b/src/shared/specifier.c
index c5c4a4d7d7..841f4654b0 100644
--- a/src/shared/specifier.c
+++ b/src/shared/specifier.c
@@ -19,15 +19,20 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <stdbool.h>
+#include <stddef.h>
+#include <stdlib.h>
#include <string.h>
#include <sys/utsname.h>
+#include "sd-id128.h"
+
#include "alloc-util.h"
#include "hostname-util.h"
#include "macro.h"
#include "specifier.h"
#include "string-util.h"
-#include "util.h"
/*
* Generic infrastructure for replacing %x style specifiers in
diff --git a/src/shared/switch-root.c b/src/shared/switch-root.c
index fc885f6cb8..b1bbbdaadd 100644
--- a/src/shared/switch-root.c
+++ b/src/shared/switch-root.c
@@ -21,14 +21,16 @@
#include <errno.h>
#include <fcntl.h>
+#include <limits.h>
#include <stdbool.h>
-#include <string.h>
+#include <stdio.h>
#include <sys/mount.h>
#include <sys/stat.h>
#include <unistd.h>
#include "base-filesystem.h"
#include "fd-util.h"
+#include "log.h"
#include "missing.h"
#include "mkdir.h"
#include "path-util.h"
diff --git a/src/shared/switch-root.h b/src/shared/switch-root.h
index adf893a922..1350fd9b1c 100644
--- a/src/shared/switch-root.h
+++ b/src/shared/switch-root.h
@@ -2,6 +2,7 @@
#pragma once
+#include <stdbool.h>
/***
This file is part of systemd.
diff --git a/src/shared/sysctl-util.c b/src/shared/sysctl-util.c
index 70caa542e7..a2cb6e9763 100644
--- a/src/shared/sysctl-util.c
+++ b/src/shared/sysctl-util.c
@@ -19,19 +19,14 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
-#include <errno.h>
-#include <getopt.h>
-#include <limits.h>
-#include <stdbool.h>
#include <stdio.h>
-#include <stdlib.h>
#include <string.h>
#include "fileio.h"
#include "log.h"
+#include "macro.h"
#include "string-util.h"
#include "sysctl-util.h"
-#include "util.h"
char *sysctl_normalize(char *s) {
char *n;
diff --git a/src/shared/uid-range.c b/src/shared/uid-range.c
index 079dd8752c..1ecef5a44c 100644
--- a/src/shared/uid-range.c
+++ b/src/shared/uid-range.c
@@ -19,9 +19,13 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <errno.h>
+#include <stdlib.h>
+#include <string.h>
+
+#include "macro.h"
#include "uid-range.h"
#include "user-util.h"
-#include "util.h"
static bool uid_range_intersect(UidRange *range, uid_t start, uid_t nr) {
assert(range);
diff --git a/src/shared/utmp-wtmp.c b/src/shared/utmp-wtmp.c
index 13b32a0509..e72f6fa1a2 100644
--- a/src/shared/utmp-wtmp.c
+++ b/src/shared/utmp-wtmp.c
@@ -22,7 +22,11 @@
#include <errno.h>
#include <fcntl.h>
#include <poll.h>
+#include <stddef.h>
+#include <stdio.h>
+#include <stdlib.h>
#include <string.h>
+#include <sys/time.h>
#include <sys/utsname.h>
#include <unistd.h>
#include <utmpx.h>
@@ -34,7 +38,9 @@
#include "path-util.h"
#include "string-util.h"
#include "terminal-util.h"
+#include "time-util.h"
#include "user-util.h"
+#include "util.h"
#include "utmp-wtmp.h"
int utmp_get_runlevel(int *runlevel, int *previous) {
diff --git a/src/shared/utmp-wtmp.h b/src/shared/utmp-wtmp.h
index e0ceb873ac..3aec3f959d 100644
--- a/src/shared/utmp-wtmp.h
+++ b/src/shared/utmp-wtmp.h
@@ -21,6 +21,10 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdbool.h>
+#include <sys/types.h>
+
+#include "time-util.h"
#include "util.h"
#ifdef HAVE_UTMP
diff --git a/src/shared/watchdog.c b/src/shared/watchdog.c
index 7131e94cdb..bc171817ea 100644
--- a/src/shared/watchdog.c
+++ b/src/shared/watchdog.c
@@ -22,11 +22,13 @@
#include <errno.h>
#include <fcntl.h>
#include <sys/ioctl.h>
+#include <syslog.h>
#include <unistd.h>
#include <linux/watchdog.h>
#include "fd-util.h"
#include "log.h"
+#include "time-util.h"
#include "watchdog.h"
static int watchdog_fd = -1;
diff --git a/src/shared/watchdog.h b/src/shared/watchdog.h
index b748b15857..fd1c11a644 100644
--- a/src/shared/watchdog.h
+++ b/src/shared/watchdog.h
@@ -21,6 +21,9 @@
along with systemd; If not, see <http://www.gnu.org/licenses/>.
***/
+#include <stdbool.h>
+
+#include "time-util.h"
#include "util.h"
int watchdog_set_timeout(usec_t *usec);
diff --git a/src/systemd/_sd-common.h b/src/systemd/_sd-common.h
index 18765bff32..6b5e6c50f9 100644
--- a/src/systemd/_sd-common.h
+++ b/src/systemd/_sd-common.h
@@ -57,10 +57,10 @@
# ifdef __cplusplus
# define _SD_BEGIN_DECLARATIONS \
extern "C" { \
- struct __useless_struct_to_allow_trailing_semicolon__
+ struct _sd_useless_struct_to_allow_trailing_semicolon_
# else
# define _SD_BEGIN_DECLARATIONS \
- struct __useless_struct_to_allow_trailing_semicolon__
+ struct _sd_useless_struct_to_allow_trailing_semicolon_
# endif
#endif
@@ -68,10 +68,10 @@
# ifdef __cplusplus
# define _SD_END_DECLARATIONS \
} \
- struct __useless_struct_to_allow_trailing_semicolon__
+ struct _sd_useless_cpp_struct_to_allow_trailing_semicolon_
# else
# define _SD_END_DECLARATIONS \
- struct __useless_struct_to_allow_trailing_semicolon__
+ struct _sd_useless_struct_to_allow_trailing_semicolon_
# endif
#endif
@@ -80,6 +80,6 @@
if (*p) \
func(*p); \
} \
- struct __useless_struct_to_allow_trailing_semicolon__
+ struct _sd_useless_struct_to_allow_trailing_semicolon_
#endif
diff --git a/src/test/test-acl-util.c b/src/test/test-acl-util.c
new file mode 100644
index 0000000000..91866daf2d
--- /dev/null
+++ b/src/test/test-acl-util.c
@@ -0,0 +1,87 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
+/***
+ This file is part of systemd.
+
+ Copyright 2015 Zbigniew Jędrzejewski-Szmek
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <fcntl.h>
+#include <stdlib.h>
+#include <sys/stat.h>
+#include <unistd.h>
+
+#include "acl-util.h"
+#include "fd-util.h"
+#include "fileio.h"
+#include "string-util.h"
+#include "user-util.h"
+
+static void test_add_acls_for_user(void) {
+ char fn[] = "/tmp/test-empty.XXXXXX";
+ _cleanup_close_ int fd = -1;
+ char *cmd;
+ uid_t uid;
+ int r;
+
+ fd = mkostemp_safe(fn, O_RDWR|O_CLOEXEC);
+ assert_se(fd >= 0);
+
+ /* Use the mode that user journal files use */
+ assert_se(fchmod(fd, 0640) == 0);
+
+ cmd = strjoina("ls -l ", fn);
+ assert_se(system(cmd) == 0);
+
+ cmd = strjoina("getfacl -p ", fn);
+ assert_se(system(cmd) == 0);
+
+ if (getuid() == 0) {
+ const char *nobody = "nobody";
+ r = get_user_creds(&nobody, &uid, NULL, NULL, NULL);
+ if (r < 0)
+ uid = 0;
+ } else
+ uid = getuid();
+
+ r = add_acls_for_user(fd, uid);
+ assert_se(r >= 0);
+
+ cmd = strjoina("ls -l ", fn);
+ assert_se(system(cmd) == 0);
+
+ cmd = strjoina("getfacl -p ", fn);
+ assert_se(system(cmd) == 0);
+
+ /* set the acls again */
+
+ r = add_acls_for_user(fd, uid);
+ assert_se(r >= 0);
+
+ cmd = strjoina("ls -l ", fn);
+ assert_se(system(cmd) == 0);
+
+ cmd = strjoina("getfacl -p ", fn);
+ assert_se(system(cmd) == 0);
+
+ unlink(fn);
+}
+
+int main(int argc, char **argv) {
+ test_add_acls_for_user();
+
+ return 0;
+}
diff --git a/src/test/test-condition.c b/src/test/test-condition.c
index f224c6cdd8..8903d10db7 100644
--- a/src/test/test-condition.c
+++ b/src/test/test-condition.c
@@ -203,7 +203,7 @@ static void test_condition_test_security(void) {
condition_free(condition);
condition = condition_new(CONDITION_SECURITY, "selinux", false, true);
- assert_se(condition_test(condition) != mac_selinux_use());
+ assert_se(condition_test(condition) != mac_selinux_have());
condition_free(condition);
condition = condition_new(CONDITION_SECURITY, "ima", false, false);
diff --git a/src/test/test-dns-domain.c b/src/test/test-dns-domain.c
index f010e4e19a..de003e251c 100644
--- a/src/test/test-dns-domain.c
+++ b/src/test/test-dns-domain.c
@@ -39,7 +39,7 @@ static void test_dns_label_unescape_one(const char *what, const char *expect, si
static void test_dns_label_unescape(void) {
test_dns_label_unescape_one("hallo", "hallo", 6, 5);
- test_dns_label_unescape_one("hallo", "hallo", 4, -ENOSPC);
+ test_dns_label_unescape_one("hallo", "hallo", 4, -ENOBUFS);
test_dns_label_unescape_one("", "", 10, 0);
test_dns_label_unescape_one("hallo\\.foobar", "hallo.foobar", 20, 12);
test_dns_label_unescape_one("hallo.foobar", "hallo", 10, 5);
@@ -56,7 +56,7 @@ static void test_dns_name_to_wire_format_one(const char *what, const char *expec
uint8_t buffer[buffer_sz];
int r;
- r = dns_name_to_wire_format(what, buffer, buffer_sz);
+ r = dns_name_to_wire_format(what, buffer, buffer_sz, false);
assert_se(r == ret);
if (r < 0)
@@ -66,11 +66,38 @@ static void test_dns_name_to_wire_format_one(const char *what, const char *expec
}
static void test_dns_name_to_wire_format(void) {
- const char out1[] = { 3, 'f', 'o', 'o', 0 };
- const char out2[] = { 5, 'h', 'a', 'l', 'l', 'o', 3, 'f', 'o', 'o', 3, 'b', 'a', 'r', 0 };
- const char out3[] = { 4, ' ', 'f', 'o', 'o', 3, 'b', 'a', 'r', 0 };
-
- test_dns_name_to_wire_format_one("", NULL, 0, -EINVAL);
+ static const char out0[] = { 0 };
+ static const char out1[] = { 3, 'f', 'o', 'o', 0 };
+ static const char out2[] = { 5, 'h', 'a', 'l', 'l', 'o', 3, 'f', 'o', 'o', 3, 'b', 'a', 'r', 0 };
+ static const char out3[] = { 4, ' ', 'f', 'o', 'o', 3, 'b', 'a', 'r', 0 };
+ static const char out4[] = { 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 9, 'a', '1', '2', '3', '4', '5', '6', '7', '8',
+ 3, 'a', '1', '2', 0 };
+
+ test_dns_name_to_wire_format_one("", out0, sizeof(out0), sizeof(out0));
test_dns_name_to_wire_format_one("foo", out1, sizeof(out1), sizeof(out1));
test_dns_name_to_wire_format_one("foo", out1, sizeof(out1) + 1, sizeof(out1));
@@ -80,6 +107,9 @@ static void test_dns_name_to_wire_format(void) {
test_dns_name_to_wire_format_one("hallo.foo..bar", NULL, 32, -EINVAL);
test_dns_name_to_wire_format_one("\\032foo.bar", out3, sizeof(out3), sizeof(out3));
+
+ test_dns_name_to_wire_format_one("a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a123", NULL, 500, -EINVAL);
+ test_dns_name_to_wire_format_one("a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12", out4, sizeof(out4), sizeof(out4));
}
static void test_dns_label_unescape_suffix_one(const char *what, const char *expect1, const char *expect2, size_t buffer_sz, int ret1, int ret2) {
@@ -102,7 +132,7 @@ static void test_dns_label_unescape_suffix_one(const char *what, const char *exp
static void test_dns_label_unescape_suffix(void) {
test_dns_label_unescape_suffix_one("hallo", "hallo", "", 6, 5, 0);
- test_dns_label_unescape_suffix_one("hallo", "hallo", "", 4, -ENOSPC, -ENOSPC);
+ test_dns_label_unescape_suffix_one("hallo", "hallo", "", 4, -ENOBUFS, -ENOBUFS);
test_dns_label_unescape_suffix_one("", "", "", 10, 0, 0);
test_dns_label_unescape_suffix_one("hallo\\.foobar", "hallo.foobar", "", 20, 12, 0);
test_dns_label_unescape_suffix_one("hallo.foobar", "foobar", "hallo", 10, 6, 5);
@@ -136,7 +166,7 @@ static void test_dns_label_escape_one(const char *what, size_t l, const char *ex
}
static void test_dns_label_escape(void) {
- test_dns_label_escape_one("", 0, "", 0);
+ test_dns_label_escape_one("", 0, NULL, -EINVAL);
test_dns_label_escape_one("hallo", 5, "hallo", 5);
test_dns_label_escape_one("hallo", 6, NULL, -EINVAL);
test_dns_label_escape_one("hallo hallo.foobar,waldi", 24, "hallo\\032hallo\\.foobar\\044waldi", 31);
@@ -314,6 +344,24 @@ static void test_dns_name_is_valid(void) {
test_dns_name_is_valid_one("\\zbar", 0);
test_dns_name_is_valid_one("ä", 1);
test_dns_name_is_valid_one("\n", 0);
+
+ /* 256 characters*/
+ test_dns_name_is_valid_one("a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345", 0);
+
+ /* 255 characters*/
+ test_dns_name_is_valid_one("a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a1234", 0);
+
+ /* 254 characters*/
+ test_dns_name_is_valid_one("a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a123", 0);
+
+ /* 253 characters*/
+ test_dns_name_is_valid_one("a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12345678.a12", 1);
+
+ /* label of 64 chars length */
+ test_dns_name_is_valid_one("a123456789a123456789a123456789a123456789a123456789a123456789a123", 0);
+
+ /* label of 63 chars length */
+ test_dns_name_is_valid_one("a123456789a123456789a123456789a123456789a123456789a123456789a12", 1);
}
static void test_dns_service_name_is_valid(void) {
diff --git a/src/test/test-engine.c b/src/test/test-engine.c
index c98d01168c..e23eec7370 100644
--- a/src/test/test-engine.c
+++ b/src/test/test-engine.c
@@ -25,6 +25,7 @@
#include "bus-util.h"
#include "manager.h"
+#include "test-helper.h"
int main(int argc, char *argv[]) {
_cleanup_(sd_bus_error_free) sd_bus_error err = SD_BUS_ERROR_NULL;
@@ -38,8 +39,8 @@ int main(int argc, char *argv[]) {
/* prepare the test */
assert_se(set_unit_path(TEST_DIR) >= 0);
r = manager_new(MANAGER_USER, true, &m);
- if (IN_SET(r, -EPERM, -EACCES, -EADDRINUSE, -EHOSTDOWN, -ENOENT, -ENOEXEC)) {
- printf("Skipping test: manager_new: %s", strerror(-r));
+ if (MANAGER_SKIP_TEST(r)) {
+ printf("Skipping test: manager_new: %s\n", strerror(-r));
return EXIT_TEST_SKIP;
}
assert_se(r >= 0);
diff --git a/src/test/test-execute.c b/src/test/test-execute.c
index 03ec0fcfc7..753afadb0a 100644
--- a/src/test/test-execute.c
+++ b/src/test/test-execute.c
@@ -29,6 +29,7 @@
#include "mkdir.h"
#include "path-util.h"
#include "rm-rf.h"
+#include "test-helper.h"
#include "unit.h"
#include "util.h"
@@ -296,8 +297,8 @@ int main(int argc, char *argv[]) {
assert_se(unsetenv("VAR3") == 0);
r = manager_new(MANAGER_USER, true, &m);
- if (IN_SET(r, -EPERM, -EACCES, -EADDRINUSE, -EHOSTDOWN, -ENOENT)) {
- printf("Skipping test: manager_new: %s", strerror(-r));
+ if (MANAGER_SKIP_TEST(r)) {
+ printf("Skipping test: manager_new: %s\n", strerror(-r));
return EXIT_TEST_SKIP;
}
assert_se(r >= 0);
diff --git a/src/test/test-helper.h b/src/test/test-helper.h
index f75dd3374a..c0f6a91787 100644
--- a/src/test/test-helper.h
+++ b/src/test/test-helper.h
@@ -23,9 +23,21 @@
#include "sd-daemon.h"
+#include "macro.h"
+
#define TEST_REQ_RUNNING_SYSTEMD(x) \
if (sd_booted() > 0) { \
x; \
} else { \
printf("systemd not booted skipping '%s'\n", #x); \
}
+
+#define MANAGER_SKIP_TEST(r) \
+ IN_SET(r, \
+ -EPERM, \
+ -EACCES, \
+ -EADDRINUSE, \
+ -EHOSTDOWN, \
+ -ENOENT, \
+ -ENOMEDIUM /* cannot determine cgroup */ \
+ )
diff --git a/src/test/test-path.c b/src/test/test-path.c
index 8302bdd283..7a3b145414 100644
--- a/src/test/test-path.c
+++ b/src/test/test-path.c
@@ -29,6 +29,7 @@
#include "rm-rf.h"
#include "string-util.h"
#include "strv.h"
+#include "test-helper.h"
#include "unit.h"
#include "util.h"
@@ -44,8 +45,8 @@ static int setup_test(Manager **m) {
assert_se(m);
r = manager_new(MANAGER_USER, true, &tmp);
- if (IN_SET(r, -EPERM, -EACCES, -EADDRINUSE, -EHOSTDOWN, -ENOENT, -ENOEXEC)) {
- printf("Skipping test: manager_new: %s", strerror(-r));
+ if (MANAGER_SKIP_TEST(r)) {
+ printf("Skipping test: manager_new: %s\n", strerror(-r));
return -EXIT_TEST_SKIP;
}
assert_se(r >= 0);
diff --git a/src/test/test-rbtree.c b/src/test/test-rbtree.c
new file mode 100644
index 0000000000..8ae416c557
--- /dev/null
+++ b/src/test/test-rbtree.c
@@ -0,0 +1,362 @@
+/***
+ This file is part of systemd. See COPYING for details.
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+/*
+ * Tests for RB-Tree
+ */
+
+#undef NDEBUG
+#include <assert.h>
+#include <stddef.h>
+#include <stdlib.h>
+#include "c-rbtree.h"
+
+/* verify that all API calls are exported */
+static void test_api(void) {
+ CRBTree t = {};
+ CRBNode n = C_RBNODE_INIT(n);
+
+ assert(!c_rbnode_is_linked(&n));
+
+ /* init, is_linked, add, remove, remove_init */
+
+ c_rbtree_add(&t, NULL, &t.root, &n);
+ assert(c_rbnode_is_linked(&n));
+
+ c_rbtree_remove_init(&t, &n);
+ assert(!c_rbnode_is_linked(&n));
+
+ c_rbtree_add(&t, NULL, &t.root, &n);
+ assert(c_rbnode_is_linked(&n));
+
+ c_rbtree_remove(&t, &n);
+ assert(c_rbnode_is_linked(&n)); /* @n wasn't touched */
+
+ c_rbnode_init(&n);
+ assert(!c_rbnode_is_linked(&n));
+
+ /* first, last, leftmost, rightmost, next, prev */
+
+ assert(!c_rbtree_first(&t));
+ assert(!c_rbtree_last(&t));
+ assert(&n == c_rbnode_leftmost(&n));
+ assert(&n == c_rbnode_rightmost(&n));
+ assert(!c_rbnode_next(&n));
+ assert(!c_rbnode_prev(&n));
+}
+
+/* copied from c-rbtree.c, relies on internal representation */
+static inline _Bool c_rbnode_is_red(CRBNode *n) {
+ return !((unsigned long)n->__parent_and_color & 1UL);
+}
+
+/* copied from c-rbtree.c, relies on internal representation */
+static inline _Bool c_rbnode_is_black(CRBNode *n) {
+ return !!((unsigned long)n->__parent_and_color & 1UL);
+}
+
+static size_t validate(CRBTree *t) {
+ unsigned int i_black, n_black;
+ CRBNode *n, *p, *o;
+ size_t count = 0;
+
+ assert(t);
+ assert(!t->root || c_rbnode_is_black(t->root));
+
+ /* traverse to left-most child, count black nodes */
+ i_black = 0;
+ n = t->root;
+ while (n && n->left) {
+ if (c_rbnode_is_black(n))
+ ++i_black;
+ n = n->left;
+ }
+ n_black = i_black;
+
+ /*
+ * Traverse tree and verify correctness:
+ * 1) A node is either red or black
+ * 2) The root is black
+ * 3) All leaves are black
+ * 4) Every red node must have two black child nodes
+ * 5) Every path to a leaf contains the same number of black nodes
+ *
+ * Note that NULL nodes are considered black, which is why we don't
+ * check for 3).
+ */
+ o = NULL;
+ while (n) {
+ ++count;
+
+ /* verify natural order */
+ assert(n > o);
+ o = n;
+
+ /* verify consistency */
+ assert(!n->right || c_rbnode_parent(n->right) == n);
+ assert(!n->left || c_rbnode_parent(n->left) == n);
+
+ /* verify 2) */
+ if (!c_rbnode_parent(n))
+ assert(c_rbnode_is_black(n));
+
+ if (c_rbnode_is_red(n)) {
+ /* verify 4) */
+ assert(!n->left || c_rbnode_is_black(n->left));
+ assert(!n->right || c_rbnode_is_black(n->right));
+ } else {
+ /* verify 1) */
+ assert(c_rbnode_is_black(n));
+ }
+
+ /* verify 5) */
+ if (!n->left && !n->right)
+ assert(i_black == n_black);
+
+ /* get next node */
+ if (n->right) {
+ n = n->right;
+ if (c_rbnode_is_black(n))
+ ++i_black;
+
+ while (n->left) {
+ n = n->left;
+ if (c_rbnode_is_black(n))
+ ++i_black;
+ }
+ } else {
+ while ((p = c_rbnode_parent(n)) && n == p->right) {
+ n = p;
+ if (c_rbnode_is_black(p->right))
+ --i_black;
+ }
+
+ n = p;
+ if (p && c_rbnode_is_black(p->left))
+ --i_black;
+ }
+ }
+
+ return count;
+}
+
+static void insert(CRBTree *t, CRBNode *n) {
+ CRBNode **i, *p;
+
+ assert(t);
+ assert(n);
+ assert(!c_rbnode_is_linked(n));
+
+ i = &t->root;
+ p = NULL;
+ while (*i) {
+ p = *i;
+ if (n < *i) {
+ i = &(*i)->left;
+ } else {
+ assert(n > *i);
+ i = &(*i)->right;
+ }
+ }
+
+ c_rbtree_add(t, p, i, n);
+}
+
+static void shuffle(void **nodes, size_t n_memb) {
+ unsigned int i, j;
+ void *t;
+
+ for (i = 0; i < n_memb; ++i) {
+ j = rand() % n_memb;
+ t = nodes[j];
+ nodes[j] = nodes[i];
+ nodes[i] = t;
+ }
+}
+
+/* run some pseudo-random tests on the tree */
+static void test_shuffle(void) {
+ CRBNode *nodes[256];
+ CRBTree t = {};
+ unsigned int i, j;
+ size_t n;
+
+ /* allocate and initialize all nodes */
+ for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) {
+ nodes[i] = malloc(sizeof(*nodes[i]));
+ assert(nodes[i]);
+ c_rbnode_init(nodes[i]);
+ }
+
+ /* shuffle nodes and validate *empty* tree */
+ shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes));
+ n = validate(&t);
+ assert(n == 0);
+
+ /* add all nodes and validate after each insertion */
+ for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) {
+ insert(&t, nodes[i]);
+ n = validate(&t);
+ assert(n == i + 1);
+ }
+
+ /* shuffle nodes again */
+ shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes));
+
+ /* remove all nodes (in different order) and validate on each round */
+ for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) {
+ c_rbtree_remove(&t, nodes[i]);
+ n = validate(&t);
+ assert(n == sizeof(nodes) / sizeof(*nodes) - i - 1);
+ c_rbnode_init(nodes[i]);
+ }
+
+ /* shuffle nodes and validate *empty* tree again */
+ shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes));
+ n = validate(&t);
+ assert(n == 0);
+
+ /* add all nodes again */
+ for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) {
+ insert(&t, nodes[i]);
+ n = validate(&t);
+ assert(n == i + 1);
+ }
+
+ /* 4 times, remove half of the nodes and add them again */
+ for (j = 0; j < 4; ++j) {
+ /* shuffle nodes again */
+ shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes));
+
+ /* remove half of the nodes */
+ for (i = 0; i < sizeof(nodes) / sizeof(*nodes) / 2; ++i) {
+ c_rbtree_remove(&t, nodes[i]);
+ n = validate(&t);
+ assert(n == sizeof(nodes) / sizeof(*nodes) - i - 1);
+ c_rbnode_init(nodes[i]);
+ }
+
+ /* shuffle the removed half */
+ shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes) / 2);
+
+ /* add the removed half again */
+ for (i = 0; i < sizeof(nodes) / sizeof(*nodes) / 2; ++i) {
+ insert(&t, nodes[i]);
+ n = validate(&t);
+ assert(n == sizeof(nodes) / sizeof(*nodes) / 2 + i + 1);
+ }
+ }
+
+ /* shuffle nodes again */
+ shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes));
+
+ /* remove all */
+ for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) {
+ c_rbtree_remove(&t, nodes[i]);
+ n = validate(&t);
+ assert(n == sizeof(nodes) / sizeof(*nodes) - i - 1);
+ c_rbnode_init(nodes[i]);
+ }
+
+ /* free nodes again */
+ for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i)
+ free(nodes[i]);
+}
+
+typedef struct {
+ unsigned long key;
+ CRBNode rb;
+} Node;
+
+#define node_from_rb(_rb) ((Node *)((char *)(_rb) - offsetof(Node, rb)))
+
+static int compare(CRBTree *t, void *k, CRBNode *n) {
+ unsigned long key = (unsigned long)k;
+ Node *node = node_from_rb(n);
+
+ return (key < node->key) ? -1 : (key > node->key) ? 1 : 0;
+}
+
+/* run tests against the c_rbtree_find*() helpers */
+static void test_map(void) {
+ CRBNode **slot, *p;
+ CRBTree t = {};
+ Node *nodes[2048];
+ unsigned long i;
+
+ /* allocate and initialize all nodes */
+ for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) {
+ nodes[i] = malloc(sizeof(*nodes[i]));
+ assert(nodes[i]);
+ nodes[i]->key = i;
+ c_rbnode_init(&nodes[i]->rb);
+ }
+
+ /* shuffle nodes */
+ shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes));
+
+ /* add all nodes, and verify that each node is linked */
+ for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) {
+ assert(!c_rbnode_is_linked(&nodes[i]->rb));
+ assert(!c_rbtree_find_entry(&t, compare, (void *)nodes[i]->key, Node, rb));
+
+ slot = c_rbtree_find_slot(&t, compare, (void *)nodes[i]->key, &p);
+ assert(slot);
+ c_rbtree_add(&t, p, slot, &nodes[i]->rb);
+
+ assert(c_rbnode_is_linked(&nodes[i]->rb));
+ assert(nodes[i] == c_rbtree_find_entry(&t, compare, (void *)nodes[i]->key, Node, rb));
+ }
+
+ /* shuffle nodes again */
+ shuffle((void **)nodes, sizeof(nodes) / sizeof(*nodes));
+
+ /* remove all nodes (in different order) */
+ for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i) {
+ assert(c_rbnode_is_linked(&nodes[i]->rb));
+ assert(nodes[i] == c_rbtree_find_entry(&t, compare, (void *)nodes[i]->key, Node, rb));
+
+ c_rbtree_remove_init(&t, &nodes[i]->rb);
+
+ assert(!c_rbnode_is_linked(&nodes[i]->rb));
+ assert(!c_rbtree_find_entry(&t, compare, (void *)nodes[i]->key, Node, rb));
+ }
+
+ /* free nodes again */
+ for (i = 0; i < sizeof(nodes) / sizeof(*nodes); ++i)
+ free(nodes[i]);
+}
+
+int main(int argc, char **argv) {
+ unsigned int i;
+
+ /* we want stable tests, so use fixed seed */
+ srand(0xdeadbeef);
+
+ test_api();
+
+ /*
+ * The tests are pseudo random; run them multiple times, each run will
+ * have different orders and thus different results.
+ */
+ for (i = 0; i < 4; ++i) {
+ test_shuffle();
+ test_map();
+ }
+
+ return 0;
+}
diff --git a/src/test/test-rlimit-util.c b/src/test/test-rlimit-util.c
new file mode 100644
index 0000000000..00d3ecc0de
--- /dev/null
+++ b/src/test/test-rlimit-util.c
@@ -0,0 +1,69 @@
+/***
+ This file is part of systemd
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+***/
+
+#include <sys/resource.h>
+
+#include "capability-util.h"
+#include "macro.h"
+#include "rlimit-util.h"
+#include "string-util.h"
+#include "util.h"
+
+int main(int argc, char *argv[]) {
+ struct rlimit old, new, high;
+ struct rlimit err = {
+ .rlim_cur = 10,
+ .rlim_max = 5,
+ };
+
+ log_parse_environment();
+ log_open();
+
+ assert_se(drop_capability(CAP_SYS_RESOURCE) == 0);
+
+ assert_se(getrlimit(RLIMIT_NOFILE, &old) == 0);
+ new.rlim_cur = MIN(5U, old.rlim_max);
+ new.rlim_max = MIN(10U, old.rlim_max);
+ assert_se(setrlimit(RLIMIT_NOFILE, &new) >= 0);
+
+ assert_se(rlimit_from_string("LimitNOFILE") == RLIMIT_NOFILE);
+ assert_se(rlimit_from_string("DefaultLimitNOFILE") == -1);
+
+ assert_se(streq_ptr(rlimit_to_string(RLIMIT_NOFILE), "LimitNOFILE"));
+ assert_se(rlimit_to_string(-1) == NULL);
+
+ assert_se(getrlimit(RLIMIT_NOFILE, &old) == 0);
+ assert_se(setrlimit_closest(RLIMIT_NOFILE, &old) == 0);
+ assert_se(getrlimit(RLIMIT_NOFILE, &new) == 0);
+ assert_se(old.rlim_cur == new.rlim_cur);
+ assert_se(old.rlim_max == new.rlim_max);
+
+ assert_se(getrlimit(RLIMIT_NOFILE, &old) == 0);
+ high = RLIMIT_MAKE_CONST(old.rlim_max + 1);
+ assert_se(setrlimit_closest(RLIMIT_NOFILE, &high) == 0);
+ assert_se(getrlimit(RLIMIT_NOFILE, &new) == 0);
+ assert_se(new.rlim_max == old.rlim_max);
+ assert_se(new.rlim_cur == new.rlim_max);
+
+ assert_se(getrlimit(RLIMIT_NOFILE, &old) == 0);
+ assert_se(setrlimit_closest(RLIMIT_NOFILE, &err) == -EINVAL);
+ assert_se(getrlimit(RLIMIT_NOFILE, &new) == 0);
+ assert_se(old.rlim_cur == new.rlim_cur);
+ assert_se(old.rlim_max == new.rlim_max);
+
+ return 0;
+}
diff --git a/src/test/test-sched-prio.c b/src/test/test-sched-prio.c
index 8396ae60f3..60b5160cec 100644
--- a/src/test/test-sched-prio.c
+++ b/src/test/test-sched-prio.c
@@ -23,6 +23,7 @@
#include "macro.h"
#include "manager.h"
+#include "test-helper.h"
int main(int argc, char *argv[]) {
Manager *m = NULL;
@@ -35,8 +36,8 @@ int main(int argc, char *argv[]) {
/* prepare the test */
assert_se(set_unit_path(TEST_DIR) >= 0);
r = manager_new(MANAGER_USER, true, &m);
- if (IN_SET(r, -EPERM, -EACCES, -EADDRINUSE, -EHOSTDOWN, -ENOENT, -ENOEXEC)) {
- printf("Skipping test: manager_new: %s", strerror(-r));
+ if (MANAGER_SKIP_TEST(r)) {
+ printf("Skipping test: manager_new: %s\n", strerror(-r));
return EXIT_TEST_SKIP;
}
assert_se(r >= 0);
diff --git a/src/udev/scsi_id/scsi.h b/src/udev/scsi_id/scsi.h
index 3f99ae7724..1054551d0b 100644
--- a/src/udev/scsi_id/scsi.h
+++ b/src/udev/scsi_id/scsi.h
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* scsi.h
*
@@ -24,25 +26,25 @@ struct scsi_ioctl_command {
/*
* Default 5 second timeout
*/
-#define DEF_TIMEOUT 5000
+#define DEF_TIMEOUT 5000
-#define SENSE_BUFF_LEN 32
+#define SENSE_BUFF_LEN 32
/*
* The request buffer size passed to the SCSI INQUIRY commands, use 254,
* as this is a nice value for some devices, especially some of the usb
* mass storage devices.
*/
-#define SCSI_INQ_BUFF_LEN 254
+#define SCSI_INQ_BUFF_LEN 254
/*
* SCSI INQUIRY vendor and model (really product) lengths.
*/
-#define VENDOR_LENGTH 8
-#define MODEL_LENGTH 16
+#define VENDOR_LENGTH 8
+#define MODEL_LENGTH 16
-#define INQUIRY_CMD 0x12
-#define INQUIRY_CMDLEN 6
+#define INQUIRY_CMD 0x12
+#define INQUIRY_CMDLEN 6
/*
* INQUIRY VPD page 0x83 identifier descriptor related values. Reference the
@@ -52,34 +54,34 @@ struct scsi_ioctl_command {
/*
* id type values of id descriptors. These are assumed to fit in 4 bits.
*/
-#define SCSI_ID_VENDOR_SPECIFIC 0
-#define SCSI_ID_T10_VENDOR 1
-#define SCSI_ID_EUI_64 2
-#define SCSI_ID_NAA 3
-#define SCSI_ID_RELPORT 4
+#define SCSI_ID_VENDOR_SPECIFIC 0
+#define SCSI_ID_T10_VENDOR 1
+#define SCSI_ID_EUI_64 2
+#define SCSI_ID_NAA 3
+#define SCSI_ID_RELPORT 4
#define SCSI_ID_TGTGROUP 5
#define SCSI_ID_LUNGROUP 6
-#define SCSI_ID_MD5 7
-#define SCSI_ID_NAME 8
+#define SCSI_ID_MD5 7
+#define SCSI_ID_NAME 8
/*
* Supported NAA values. These fit in 4 bits, so the "don't care" value
* cannot conflict with real values.
*/
-#define SCSI_ID_NAA_DONT_CARE 0xff
-#define SCSI_ID_NAA_IEEE_REG 5
-#define SCSI_ID_NAA_IEEE_REG_EXTENDED 6
+#define SCSI_ID_NAA_DONT_CARE 0xff
+#define SCSI_ID_NAA_IEEE_REG 0x05
+#define SCSI_ID_NAA_IEEE_REG_EXTENDED 0x06
/*
* Supported Code Set values.
*/
-#define SCSI_ID_BINARY 1
-#define SCSI_ID_ASCII 2
+#define SCSI_ID_BINARY 1
+#define SCSI_ID_ASCII 2
struct scsi_id_search_values {
- u_char id_type;
- u_char naa_type;
- u_char code_set;
+ u_char id_type;
+ u_char naa_type;
+ u_char code_set;
};
/*
@@ -87,13 +89,13 @@ struct scsi_id_search_values {
* used a 1 bit right and masked version of these. So now CHECK_CONDITION
* and friends (in <scsi/scsi.h>) are deprecated.
*/
-#define SCSI_CHECK_CONDITION 0x2
-#define SCSI_CONDITION_MET 0x4
-#define SCSI_BUSY 0x8
-#define SCSI_IMMEDIATE 0x10
+#define SCSI_CHECK_CONDITION 0x02
+#define SCSI_CONDITION_MET 0x04
+#define SCSI_BUSY 0x08
+#define SCSI_IMMEDIATE 0x10
#define SCSI_IMMEDIATE_CONDITION_MET 0x14
-#define SCSI_RESERVATION_CONFLICT 0x18
-#define SCSI_COMMAND_TERMINATED 0x22
-#define SCSI_TASK_SET_FULL 0x28
-#define SCSI_ACA_ACTIVE 0x30
-#define SCSI_TASK_ABORTED 0x40
+#define SCSI_RESERVATION_CONFLICT 0x18
+#define SCSI_COMMAND_TERMINATED 0x22
+#define SCSI_TASK_SET_FULL 0x28
+#define SCSI_ACA_ACTIVE 0x30
+#define SCSI_TASK_ABORTED 0x40
diff --git a/src/udev/scsi_id/scsi_id.c b/src/udev/scsi_id/scsi_id.c
index 4655691642..e9ab7dce59 100644
--- a/src/udev/scsi_id/scsi_id.c
+++ b/src/udev/scsi_id/scsi_id.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) IBM Corp. 2003
* Copyright (C) SUSE Linux Products GmbH, 2006
diff --git a/src/udev/scsi_id/scsi_id.h b/src/udev/scsi_id/scsi_id.h
index 141b116a88..25f3d1a3b7 100644
--- a/src/udev/scsi_id/scsi_id.h
+++ b/src/udev/scsi_id/scsi_id.h
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) IBM Corp. 2003
*
diff --git a/src/udev/scsi_id/scsi_serial.c b/src/udev/scsi_id/scsi_serial.c
index c7ef783684..bc18af05af 100644
--- a/src/udev/scsi_id/scsi_serial.c
+++ b/src/udev/scsi_id/scsi_serial.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) IBM Corp. 2003
*
@@ -50,11 +52,11 @@
* is normally one or some small number of descriptors.
*/
static const struct scsi_id_search_values id_search_list[] = {
- { SCSI_ID_TGTGROUP, SCSI_ID_NAA_DONT_CARE, SCSI_ID_BINARY },
- { SCSI_ID_NAA, SCSI_ID_NAA_IEEE_REG_EXTENDED, SCSI_ID_BINARY },
- { SCSI_ID_NAA, SCSI_ID_NAA_IEEE_REG_EXTENDED, SCSI_ID_ASCII },
- { SCSI_ID_NAA, SCSI_ID_NAA_IEEE_REG, SCSI_ID_BINARY },
- { SCSI_ID_NAA, SCSI_ID_NAA_IEEE_REG, SCSI_ID_ASCII },
+ { SCSI_ID_TGTGROUP, SCSI_ID_NAA_DONT_CARE, SCSI_ID_BINARY },
+ { SCSI_ID_NAA, SCSI_ID_NAA_IEEE_REG_EXTENDED, SCSI_ID_BINARY },
+ { SCSI_ID_NAA, SCSI_ID_NAA_IEEE_REG_EXTENDED, SCSI_ID_ASCII },
+ { SCSI_ID_NAA, SCSI_ID_NAA_IEEE_REG, SCSI_ID_BINARY },
+ { SCSI_ID_NAA, SCSI_ID_NAA_IEEE_REG, SCSI_ID_ASCII },
/*
* Devices already exist using NAA values that are now marked
* reserved. These should not conflict with other values, or it is
@@ -64,14 +66,14 @@ static const struct scsi_id_search_values id_search_list[] = {
* non-IEEE descriptors in a random order will get different
* names.
*/
- { SCSI_ID_NAA, SCSI_ID_NAA_DONT_CARE, SCSI_ID_BINARY },
- { SCSI_ID_NAA, SCSI_ID_NAA_DONT_CARE, SCSI_ID_ASCII },
- { SCSI_ID_EUI_64, SCSI_ID_NAA_DONT_CARE, SCSI_ID_BINARY },
- { SCSI_ID_EUI_64, SCSI_ID_NAA_DONT_CARE, SCSI_ID_ASCII },
- { SCSI_ID_T10_VENDOR, SCSI_ID_NAA_DONT_CARE, SCSI_ID_BINARY },
- { SCSI_ID_T10_VENDOR, SCSI_ID_NAA_DONT_CARE, SCSI_ID_ASCII },
- { SCSI_ID_VENDOR_SPECIFIC, SCSI_ID_NAA_DONT_CARE, SCSI_ID_BINARY },
- { SCSI_ID_VENDOR_SPECIFIC, SCSI_ID_NAA_DONT_CARE, SCSI_ID_ASCII },
+ { SCSI_ID_NAA, SCSI_ID_NAA_DONT_CARE, SCSI_ID_BINARY },
+ { SCSI_ID_NAA, SCSI_ID_NAA_DONT_CARE, SCSI_ID_ASCII },
+ { SCSI_ID_EUI_64, SCSI_ID_NAA_DONT_CARE, SCSI_ID_BINARY },
+ { SCSI_ID_EUI_64, SCSI_ID_NAA_DONT_CARE, SCSI_ID_ASCII },
+ { SCSI_ID_T10_VENDOR, SCSI_ID_NAA_DONT_CARE, SCSI_ID_BINARY },
+ { SCSI_ID_T10_VENDOR, SCSI_ID_NAA_DONT_CARE, SCSI_ID_ASCII },
+ { SCSI_ID_VENDOR_SPECIFIC, SCSI_ID_NAA_DONT_CARE, SCSI_ID_BINARY },
+ { SCSI_ID_VENDOR_SPECIFIC, SCSI_ID_NAA_DONT_CARE, SCSI_ID_ASCII },
};
static const char hex_str[]="0123456789abcdef";
@@ -81,21 +83,21 @@ static const char hex_str[]="0123456789abcdef";
* are used here.
*/
-#define DID_NO_CONNECT 0x01 /* Unable to connect before timeout */
-#define DID_BUS_BUSY 0x02 /* Bus remain busy until timeout */
-#define DID_TIME_OUT 0x03 /* Timed out for some other reason */
-#define DRIVER_TIMEOUT 0x06
-#define DRIVER_SENSE 0x08 /* Sense_buffer has been set */
+#define DID_NO_CONNECT 0x01 /* Unable to connect before timeout */
+#define DID_BUS_BUSY 0x02 /* Bus remain busy until timeout */
+#define DID_TIME_OUT 0x03 /* Timed out for some other reason */
+#define DRIVER_TIMEOUT 0x06
+#define DRIVER_SENSE 0x08 /* Sense_buffer has been set */
/* The following "category" function returns one of the following */
#define SG_ERR_CAT_CLEAN 0 /* No errors or other information */
#define SG_ERR_CAT_MEDIA_CHANGED 1 /* interpreted from sense buffer */
#define SG_ERR_CAT_RESET 2 /* interpreted from sense buffer */
-#define SG_ERR_CAT_TIMEOUT 3
-#define SG_ERR_CAT_RECOVERED 4 /* Successful command after recovered err */
-#define SG_ERR_CAT_NOTSUPPORTED 5 /* Illegal / unsupported command */
-#define SG_ERR_CAT_SENSE 98 /* Something else in the sense buffer */
-#define SG_ERR_CAT_OTHER 99 /* Some other error/warning */
+#define SG_ERR_CAT_TIMEOUT 3
+#define SG_ERR_CAT_RECOVERED 4 /* Successful command after recovered err */
+#define SG_ERR_CAT_NOTSUPPORTED 5 /* Illegal / unsupported command */
+#define SG_ERR_CAT_SENSE 98 /* Something else in the sense buffer */
+#define SG_ERR_CAT_OTHER 99 /* Some other error/warning */
static int do_scsi_page80_inquiry(struct udev *udev,
struct scsi_id_device *dev_scsi, int fd,
@@ -212,7 +214,7 @@ static int scsi_dump_sense(struct udev *udev,
s = sense_buffer[7] + 8;
if (sb_len < s) {
log_debug("%s: sense buffer too small %d bytes, %d bytes too short",
- dev_scsi->kernel, sb_len, s - sb_len);
+ dev_scsi->kernel, sb_len, s - sb_len);
return -1;
}
if ((code == 0x0) || (code == 0x1)) {
@@ -222,7 +224,7 @@ static int scsi_dump_sense(struct udev *udev,
* Possible?
*/
log_debug("%s: sense result too" " small %d bytes",
- dev_scsi->kernel, s);
+ dev_scsi->kernel, s);
return -1;
}
asc = sense_buffer[12];
@@ -233,15 +235,15 @@ static int scsi_dump_sense(struct udev *udev,
ascq = sense_buffer[3];
} else {
log_debug("%s: invalid sense code 0x%x",
- dev_scsi->kernel, code);
+ dev_scsi->kernel, code);
return -1;
}
log_debug("%s: sense key 0x%x ASC 0x%x ASCQ 0x%x",
- dev_scsi->kernel, sense_key, asc, ascq);
+ dev_scsi->kernel, sense_key, asc, ascq);
} else {
if (sb_len < 4) {
log_debug("%s: sense buffer too small %d bytes, %d bytes too short",
- dev_scsi->kernel, sb_len, 4 - sb_len);
+ dev_scsi->kernel, sb_len, 4 - sb_len);
return -1;
}
@@ -249,9 +251,9 @@ static int scsi_dump_sense(struct udev *udev,
log_debug("%s: old sense key: 0x%x", dev_scsi->kernel, sense_buffer[0] & 0x0f);
else
log_debug("%s: sense = %2x %2x",
- dev_scsi->kernel, sense_buffer[0], sense_buffer[2]);
+ dev_scsi->kernel, sense_buffer[0], sense_buffer[2]);
log_debug("%s: non-extended sense class %d code 0x%0x",
- dev_scsi->kernel, sense_class, code);
+ dev_scsi->kernel, sense_class, code);
}
@@ -282,7 +284,7 @@ static int scsi_dump(struct udev *udev,
}
log_debug("%s: sg_io failed status 0x%x 0x%x 0x%x 0x%x",
- dev_scsi->kernel, io->driver_status, io->host_status, io->msg_status, io->status);
+ dev_scsi->kernel, io->driver_status, io->host_status, io->msg_status, io->status);
if (io->status == SCSI_CHECK_CONDITION)
return scsi_dump_sense(udev, dev_scsi, io->sbp, io->sb_len_wr);
else
@@ -302,8 +304,7 @@ static int scsi_dump_v4(struct udev *udev,
}
log_debug("%s: sg_io failed status 0x%x 0x%x 0x%x",
- dev_scsi->kernel, io->driver_status, io->transport_status,
- io->device_status);
+ dev_scsi->kernel, io->driver_status, io->transport_status, io->device_status);
if (io->device_status == SCSI_CHECK_CONDITION)
return scsi_dump_sense(udev, dev_scsi, (unsigned char *)(uintptr_t)io->response,
io->response_len);
@@ -399,7 +400,7 @@ resend:
error:
if (retval < 0)
log_debug("%s: Unable to get INQUIRY vpd %d page 0x%x.",
- dev_scsi->kernel, evpd, page);
+ dev_scsi->kernel, evpd, page);
return retval;
}
@@ -421,7 +422,7 @@ static int do_scsi_page0_inquiry(struct udev *udev,
return 1;
}
if (buffer[3] > len) {
- log_debug("%s: page 0 buffer too long %d", dev_scsi->kernel, buffer[3]);
+ log_debug("%s: page 0 buffer too long %d", dev_scsi->kernel, buffer[3]);
return 1;
}
@@ -464,7 +465,7 @@ static int prepend_vendor_model(struct udev *udev,
*/
if (ind != (VENDOR_LENGTH + MODEL_LENGTH)) {
log_debug("%s: expected length %d, got length %d",
- dev_scsi->kernel, (VENDOR_LENGTH + MODEL_LENGTH), ind);
+ dev_scsi->kernel, (VENDOR_LENGTH + MODEL_LENGTH), ind);
return -1;
}
return ind;
@@ -529,7 +530,7 @@ static int check_fill_0x83_id(struct udev *udev,
if (max_len < len) {
log_debug("%s: length %d too short - need %d",
- dev_scsi->kernel, max_len, len);
+ dev_scsi->kernel, max_len, len);
return 1;
}
@@ -785,7 +786,7 @@ static int do_scsi_page80_inquiry(struct udev *udev,
len = 1 + VENDOR_LENGTH + MODEL_LENGTH + buf[3];
if (max_len < len) {
log_debug("%s: length %d too short - need %d",
- dev_scsi->kernel, max_len, len);
+ dev_scsi->kernel, max_len, len);
return 1;
}
/*
diff --git a/src/udev/udev-builtin-blkid.c b/src/udev/udev-builtin-blkid.c
index d0e47ec6d8..0b1ae706e7 100644
--- a/src/udev/udev-builtin-blkid.c
+++ b/src/udev/udev-builtin-blkid.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* probe disks for filesystems and partitions
*
diff --git a/src/udev/udev-builtin-btrfs.c b/src/udev/udev-builtin-btrfs.c
index cfaa463804..467010f5b3 100644
--- a/src/udev/udev-builtin-btrfs.c
+++ b/src/udev/udev-builtin-btrfs.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/***
This file is part of systemd.
diff --git a/src/udev/udev-builtin-hwdb.c b/src/udev/udev-builtin-hwdb.c
index f4a065a97d..a9e312e2c0 100644
--- a/src/udev/udev-builtin-hwdb.c
+++ b/src/udev/udev-builtin-hwdb.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/***
This file is part of systemd.
diff --git a/src/udev/udev-builtin-input_id.c b/src/udev/udev-builtin-input_id.c
index fddafbd4dc..1d31829a08 100644
--- a/src/udev/udev-builtin-input_id.c
+++ b/src/udev/udev-builtin-input_id.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* expose input properties via udev
*
diff --git a/src/udev/udev-builtin-keyboard.c b/src/udev/udev-builtin-keyboard.c
index aa10beafb0..b80be52567 100644
--- a/src/udev/udev-builtin-keyboard.c
+++ b/src/udev/udev-builtin-keyboard.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/***
This file is part of systemd.
diff --git a/src/udev/udev-builtin-kmod.c b/src/udev/udev-builtin-kmod.c
index 9665f678fd..9210d1cc71 100644
--- a/src/udev/udev-builtin-kmod.c
+++ b/src/udev/udev-builtin-kmod.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* load kernel modules
*
diff --git a/src/udev/udev-builtin-net_id.c b/src/udev/udev-builtin-net_id.c
index bf5c9c6b77..e549fdbee9 100644
--- a/src/udev/udev-builtin-net_id.c
+++ b/src/udev/udev-builtin-net_id.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/***
This file is part of systemd.
diff --git a/src/udev/udev-builtin-path_id.c b/src/udev/udev-builtin-path_id.c
index aa18c7e420..7851cec17f 100644
--- a/src/udev/udev-builtin-path_id.c
+++ b/src/udev/udev-builtin-path_id.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* compose persistent device path
*
diff --git a/src/udev/udev-builtin-uaccess.c b/src/udev/udev-builtin-uaccess.c
index 3ebe36f043..b650a15bd8 100644
--- a/src/udev/udev-builtin-uaccess.c
+++ b/src/udev/udev-builtin-uaccess.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* manage device node user ACL
*
diff --git a/src/udev/udev-builtin-usb_id.c b/src/udev/udev-builtin-usb_id.c
index 587649eff0..40d1e8cc47 100644
--- a/src/udev/udev-builtin-usb_id.c
+++ b/src/udev/udev-builtin-usb_id.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* USB device properties and persistent device path
*
diff --git a/src/udev/udev-builtin.c b/src/udev/udev-builtin.c
index e6b36f124f..18fb6615d5 100644
--- a/src/udev/udev-builtin.c
+++ b/src/udev/udev-builtin.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/***
This file is part of systemd.
diff --git a/src/udev/udev-ctrl.c b/src/udev/udev-ctrl.c
index 962de22f43..10dd747256 100644
--- a/src/udev/udev-ctrl.c
+++ b/src/udev/udev-ctrl.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* libudev - interface to udev device information
*
diff --git a/src/udev/udev-event.c b/src/udev/udev-event.c
index 2ef8bfe59e..c1dcee6c73 100644
--- a/src/udev/udev-event.c
+++ b/src/udev/udev-event.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2003-2013 Kay Sievers <kay@vrfy.org>
*
@@ -848,11 +850,11 @@ void udev_event_execute_rules(struct udev_event *event,
/* disable watch during event processing */
if (major(udev_device_get_devnum(dev)) != 0)
udev_watch_end(event->udev, event->dev_db);
- }
- if (major(udev_device_get_devnum(dev)) == 0 &&
- streq(udev_device_get_action(dev), "move"))
- udev_device_copy_properties(dev, event->dev_db);
+ if (major(udev_device_get_devnum(dev)) == 0 &&
+ streq(udev_device_get_action(dev), "move"))
+ udev_device_copy_properties(dev, event->dev_db);
+ }
udev_rules_apply_to_event(rules, event,
timeout_usec, timeout_warn_usec,
diff --git a/src/udev/udev-node.c b/src/udev/udev-node.c
index c2edf2c5cd..39ae2cc1b1 100644
--- a/src/udev/udev-node.c
+++ b/src/udev/udev-node.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2003-2013 Kay Sievers <kay@vrfy.org>
*
diff --git a/src/udev/udev-rules.c b/src/udev/udev-rules.c
index c06ace09cf..7342f2849e 100644
--- a/src/udev/udev-rules.c
+++ b/src/udev/udev-rules.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2003-2012 Kay Sievers <kay@vrfy.org>
*
diff --git a/src/udev/udev-watch.c b/src/udev/udev-watch.c
index f1fdccaed8..60de703706 100644
--- a/src/udev/udev-watch.c
+++ b/src/udev/udev-watch.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2004-2012 Kay Sievers <kay@vrfy.org>
* Copyright (C) 2009 Canonical Ltd.
diff --git a/src/udev/udev.h b/src/udev/udev.h
index 1f9c8120c0..4f4002056c 100644
--- a/src/udev/udev.h
+++ b/src/udev/udev.h
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2003 Greg Kroah-Hartman <greg@kroah.com>
* Copyright (C) 2003-2010 Kay Sievers <kay@vrfy.org>
diff --git a/src/udev/udevadm-control.c b/src/udev/udevadm-control.c
index 989decbe95..119033c2af 100644
--- a/src/udev/udevadm-control.c
+++ b/src/udev/udevadm-control.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2005-2011 Kay Sievers <kay@vrfy.org>
*
diff --git a/src/udev/udevadm-hwdb.c b/src/udev/udevadm-hwdb.c
index 948ad0f5a5..53f0871957 100644
--- a/src/udev/udevadm-hwdb.c
+++ b/src/udev/udevadm-hwdb.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/***
This file is part of systemd.
diff --git a/src/udev/udevadm-info.c b/src/udev/udevadm-info.c
index 7182668f23..ca67c385b4 100644
--- a/src/udev/udevadm-info.c
+++ b/src/udev/udevadm-info.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2004-2009 Kay Sievers <kay@vrfy.org>
*
diff --git a/src/udev/udevadm-monitor.c b/src/udev/udevadm-monitor.c
index f9cb5e63a2..1579894082 100644
--- a/src/udev/udevadm-monitor.c
+++ b/src/udev/udevadm-monitor.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2004-2010 Kay Sievers <kay@vrfy.org>
*
diff --git a/src/udev/udevadm-settle.c b/src/udev/udevadm-settle.c
index 6a5dc6e9e4..2cc9f123bd 100644
--- a/src/udev/udevadm-settle.c
+++ b/src/udev/udevadm-settle.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2006-2009 Kay Sievers <kay@vrfy.org>
* Copyright (C) 2009 Canonical Ltd.
diff --git a/src/udev/udevadm-test-builtin.c b/src/udev/udevadm-test-builtin.c
index 0b180d03eb..7389ca1b72 100644
--- a/src/udev/udevadm-test-builtin.c
+++ b/src/udev/udevadm-test-builtin.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2011 Kay Sievers <kay@vrfy.org>
*
diff --git a/src/udev/udevadm-test.c b/src/udev/udevadm-test.c
index ff427cf292..00ad917efc 100644
--- a/src/udev/udevadm-test.c
+++ b/src/udev/udevadm-test.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2003-2004 Greg Kroah-Hartman <greg@kroah.com>
* Copyright (C) 2004-2008 Kay Sievers <kay@vrfy.org>
diff --git a/src/udev/udevadm-trigger.c b/src/udev/udevadm-trigger.c
index 9d52345d92..1385b87b3a 100644
--- a/src/udev/udevadm-trigger.c
+++ b/src/udev/udevadm-trigger.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2008-2009 Kay Sievers <kay@vrfy.org>
*
diff --git a/src/udev/udevadm-util.c b/src/udev/udevadm-util.c
index 3539c1d6ab..94cbe21f3e 100644
--- a/src/udev/udevadm-util.c
+++ b/src/udev/udevadm-util.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2008-2009 Kay Sievers <kay@vrfy.org>
*
diff --git a/src/udev/udevadm-util.h b/src/udev/udevadm-util.h
index 37e4fe8369..5882096081 100644
--- a/src/udev/udevadm-util.h
+++ b/src/udev/udevadm-util.h
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2014 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
*
diff --git a/src/udev/udevadm.c b/src/udev/udevadm.c
index 60f122ebda..af1b5a9186 100644
--- a/src/udev/udevadm.c
+++ b/src/udev/udevadm.c
@@ -1,4 +1,5 @@
/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2007-2012 Kay Sievers <kay@vrfy.org>
*
diff --git a/src/udev/udevd.c b/src/udev/udevd.c
index 8b2f5d4e30..366e7fbb87 100644
--- a/src/udev/udevd.c
+++ b/src/udev/udevd.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2004-2012 Kay Sievers <kay@vrfy.org>
* Copyright (C) 2004 Chris Friesen <chris_friesen@sympatico.ca>
diff --git a/src/udev/v4l_id/v4l_id.c b/src/udev/v4l_id/v4l_id.c
index aec6676a33..377eb7a72c 100644
--- a/src/udev/v4l_id/v4l_id.c
+++ b/src/udev/v4l_id/v4l_id.c
@@ -1,3 +1,5 @@
+/*-*- Mode: C; c-basic-offset: 8; indent-tabs-mode: nil -*-*/
+
/*
* Copyright (C) 2009 Kay Sievers <kay@vrfy.org>
* Copyright (c) 2009 Filippo Argiolas <filippo.argiolas@gmail.com>
diff --git a/src/user-sessions/user-sessions.c b/src/user-sessions/user-sessions.c
index 252cbdb26c..d28b196c4e 100644
--- a/src/user-sessions/user-sessions.c
+++ b/src/user-sessions/user-sessions.c
@@ -23,7 +23,9 @@
#include <unistd.h>
#include "fileio.h"
+#include "fileio-label.h"
#include "log.h"
+#include "selinux-util.h"
#include "string-util.h"
#include "util.h"
@@ -40,6 +42,8 @@ int main(int argc, char*argv[]) {
umask(0022);
+ mac_selinux_init(NULL);
+
if (streq(argv[1], "start")) {
int r = 0;
@@ -65,7 +69,7 @@ int main(int argc, char*argv[]) {
} else if (streq(argv[1], "stop")) {
int r;
- r = write_string_file("/run/nologin", "System is going down.", WRITE_STRING_FILE_CREATE|WRITE_STRING_FILE_ATOMIC);
+ r = write_string_file_atomic_label("/run/nologin", "System is going down.");
if (r < 0) {
log_error_errno(r, "Failed to create /run/nologin: %m");
return EXIT_FAILURE;
@@ -76,5 +80,7 @@ int main(int argc, char*argv[]) {
return EXIT_FAILURE;
}
+ mac_selinux_finish();
+
return EXIT_SUCCESS;
}
diff --git a/test/networkd-test.py b/test/networkd-test.py
new file mode 100755
index 0000000000..d76ab507d2
--- /dev/null
+++ b/test/networkd-test.py
@@ -0,0 +1,371 @@
+#!/usr/bin/env python3
+#
+# networkd integration test
+# This uses temporary configuration in /run and temporary veth devices, and
+# does not write anything on disk or change any system configuration;
+# but it assumes (and checks at the beginning) that networkd is not currently
+# running.
+# This can be run on a normal installation, in QEMU, nspawn, or LXC.
+# ATTENTION: This uses the *installed* networkd, not the one from the built
+# source tree.
+#
+# (C) 2015 Canonical Ltd.
+# Author: Martin Pitt <martin.pitt@ubuntu.com>
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+# systemd is distributed in the hope that it will be useful, but
+# WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+# Lesser General Public License for more details.
+#
+# You should have received a copy of the GNU Lesser General Public License
+# along with systemd; If not, see <http://www.gnu.org/licenses/>.
+
+import os
+import sys
+import time
+import unittest
+import tempfile
+import subprocess
+import shutil
+
+networkd_active = subprocess.call(['systemctl', 'is-active', '--quiet',
+ 'systemd-networkd']) == 0
+have_dnsmasq = shutil.which('dnsmasq')
+
+
+@unittest.skipIf(networkd_active,
+ 'networkd is already active')
+class ClientTestBase:
+ def setUp(self):
+ self.iface = 'test_eth42'
+ self.if_router = 'router_eth42'
+ self.workdir_obj = tempfile.TemporaryDirectory()
+ self.workdir = self.workdir_obj.name
+ self.config = '/run/systemd/network/test_eth42.network'
+ os.makedirs(os.path.dirname(self.config), exist_ok=True)
+
+ # avoid "Failed to open /dev/tty" errors in containers
+ os.environ['SYSTEMD_LOG_TARGET'] = 'journal'
+
+ # determine path to systemd-networkd-wait-online
+ for p in ['/usr/lib/systemd/systemd-networkd-wait-online',
+ '/lib/systemd/systemd-networkd-wait-online']:
+ if os.path.exists(p):
+ self.networkd_wait_online = p
+ break
+ else:
+ self.fail('systemd-networkd-wait-online not found')
+
+ # get current journal cursor
+ out = subprocess.check_output(['journalctl', '-b', '--quiet',
+ '--no-pager', '-n0', '--show-cursor'],
+ universal_newlines=True)
+ self.assertTrue(out.startswith('-- cursor:'))
+ self.journal_cursor = out.split()[-1]
+
+ def tearDown(self):
+ self.shutdown_iface()
+ if os.path.exists(self.config):
+ os.unlink(self.config)
+ subprocess.call(['systemctl', 'stop', 'systemd-networkd'])
+
+ def show_journal(self, unit):
+ '''Show journal of given unit since start of the test'''
+
+ print('---- %s ----' % unit)
+ sys.stdout.flush()
+ subprocess.call(['journalctl', '-b', '--no-pager', '--quiet',
+ '--cursor', self.journal_cursor, '-u', unit])
+
+ def create_iface(self, ipv6=False):
+ '''Create test interface with DHCP server behind it'''
+
+ raise NotImplementedError('must be implemented by a subclass')
+
+ def shutdown_iface(self):
+ '''Remove test interface and stop DHCP server'''
+
+ raise NotImplementedError('must be implemented by a subclass')
+
+ def print_server_log(self):
+ '''Print DHCP server log for debugging failures'''
+
+ raise NotImplementedError('must be implemented by a subclass')
+
+ def do_test(self, coldplug=True, ipv6=False, extra_opts='',
+ online_timeout=10, dhcp_mode='yes'):
+ with open(self.config, 'w') as f:
+ f.write('''[Match]
+Name=%s
+[Network]
+DHCP=%s
+%s''' % (self.iface, dhcp_mode, extra_opts))
+
+ if coldplug:
+ # create interface first, then start networkd
+ self.create_iface(ipv6=ipv6)
+ subprocess.check_call(['systemctl', 'start', 'systemd-networkd'])
+ else:
+ # start networkd first, then create interface
+ subprocess.check_call(['systemctl', 'start', 'systemd-networkd'])
+ self.create_iface(ipv6=ipv6)
+
+ try:
+ subprocess.check_call([self.networkd_wait_online, '--interface',
+ self.iface, '--timeout=%i' % online_timeout])
+
+ if ipv6:
+ # check iface state and IP 6 address; FIXME: we need to wait a bit
+ # longer, as the iface is "configured" already with IPv4 *or*
+ # IPv6, but we want to wait for both
+ for timeout in range(10):
+ out = subprocess.check_output(['ip', 'a', 'show', 'dev', self.iface])
+ if b'state UP' in out and b'inet6 2600' in out and b'inet 192.168' in out:
+ break
+ time.sleep(1)
+ else:
+ self.fail('timed out waiting for IPv6 configuration')
+
+ self.assertRegex(out, b'inet6 2600::.* scope global .*dynamic')
+ self.assertRegex(out, b'inet6 fe80::.* scope link')
+ else:
+ # should have link-local address on IPv6 only
+ out = subprocess.check_output(['ip', '-6', 'a', 'show', 'dev', self.iface])
+ self.assertRegex(out, b'inet6 fe80::.* scope link')
+ self.assertNotIn(b'scope global', out)
+
+ # should have IPv4 address
+ out = subprocess.check_output(['ip', '-4', 'a', 'show', 'dev', self.iface])
+ self.assertIn(b'state UP', out)
+ self.assertRegex(out, b'inet 192.168.5.\d+/.* scope global dynamic')
+
+ # check networkctl state
+ out = subprocess.check_output(['networkctl'])
+ self.assertRegex(out, ('%s\s+ether\s+routable\s+unmanaged' % self.if_router).encode())
+ self.assertRegex(out, ('%s\s+ether\s+routable\s+configured' % self.iface).encode())
+
+ out = subprocess.check_output(['networkctl', 'status', self.iface])
+ self.assertRegex(out, b'Type:\s+ether')
+ self.assertRegex(out, b'State:\s+routable.*configured')
+ self.assertRegex(out, b'Address:\s+192.168.5.\d+')
+ if ipv6:
+ self.assertRegex(out, b'2600::')
+ else:
+ self.assertNotIn(b'2600::', out)
+ self.assertRegex(out, b'fe80::')
+ self.assertRegex(out, b'Gateway:\s+192.168.5.1')
+ self.assertRegex(out, b'DNS:\s+192.168.5.1')
+ except (AssertionError, subprocess.CalledProcessError):
+ # show networkd status, journal, and DHCP server log on failure
+ with open(self.config) as f:
+ print('\n---- %s ----\n%s' % (self.config, f.read()))
+ print('---- interface status ----')
+ sys.stdout.flush()
+ subprocess.call(['ip', 'a', 'show', 'dev', self.iface])
+ print('---- networkctl status %s ----' % self.iface)
+ sys.stdout.flush()
+ subprocess.call(['networkctl', 'status', self.iface])
+ self.show_journal('systemd-networkd.service')
+ self.print_server_log()
+ raise
+
+ # verify resolv.conf if it gets dynamically managed
+ if os.path.islink('/etc/resolv.conf'):
+ for timeout in range(50):
+ with open('/etc/resolv.conf') as f:
+ contents = f.read()
+ if 'nameserver 192.168.5.1\n' in contents:
+ break
+ # resolv.conf can have at most three nameservers; if we already
+ # have three different ones, that's also okay
+ if contents.count('nameserver ') >= 3:
+ break
+ time.sleep(0.1)
+ else:
+ self.fail('nameserver 192.168.5.1 not found in /etc/resolv.conf')
+
+ if not coldplug:
+ # check post-down.d hook
+ self.shutdown_iface()
+
+ def test_coldplug_dhcp_yes_ip4(self):
+ # we have a 12s timeout on RA, so we need to wait longer
+ self.do_test(coldplug=True, ipv6=False, online_timeout=15)
+
+ def test_coldplug_dhcp_yes_ip4_no_ra(self):
+ # with disabling RA explicitly things should be fast
+ self.do_test(coldplug=True, ipv6=False,
+ extra_opts='IPv6AcceptRouterAdvertisements=False')
+
+ def test_coldplug_dhcp_ip4_only(self):
+ # we have a 12s timeout on RA, so we need to wait longer
+ self.do_test(coldplug=True, ipv6=False, dhcp_mode='ipv4',
+ online_timeout=15)
+
+ def test_coldplug_dhcp_ip4_only_no_ra(self):
+ # with disabling RA explicitly things should be fast
+ self.do_test(coldplug=True, ipv6=False, dhcp_mode='ipv4',
+ extra_opts='IPv6AcceptRouterAdvertisements=False')
+
+ def test_coldplug_dhcp_ip6(self):
+ self.do_test(coldplug=True, ipv6=True)
+
+ def test_hotplug_dhcp_ip4(self):
+ # With IPv4 only we have a 12s timeout on RA, so we need to wait longer
+ self.do_test(coldplug=False, ipv6=False, online_timeout=15)
+
+ def test_hotplug_dhcp_ip6(self):
+ self.do_test(coldplug=False, ipv6=True)
+
+
+@unittest.skipUnless(have_dnsmasq, 'dnsmasq not installed')
+class DnsmasqClientTest(ClientTestBase, unittest.TestCase):
+ '''Test networkd client against dnsmasq'''
+
+ def setUp(self):
+ super().setUp()
+ self.dnsmasq = None
+
+ def create_iface(self, ipv6=False):
+ '''Create test interface with DHCP server behind it'''
+
+ # add veth pair
+ subprocess.check_call(['ip', 'link', 'add', 'name', self.iface, 'type',
+ 'veth', 'peer', 'name', self.if_router])
+
+ # give our router an IP
+ subprocess.check_call(['ip', 'a', 'flush', 'dev', self.if_router])
+ subprocess.check_call(['ip', 'a', 'add', '192.168.5.1/24', 'dev', self.if_router])
+ if ipv6:
+ subprocess.check_call(['ip', 'a', 'add', '2600::1/64', 'dev', self.if_router])
+ subprocess.check_call(['ip', 'link', 'set', self.if_router, 'up'])
+
+ # add DHCP server
+ self.dnsmasq_log = os.path.join(self.workdir, 'dnsmasq.log')
+ lease_file = os.path.join(self.workdir, 'dnsmasq.leases')
+ if ipv6:
+ extra_opts = ['--enable-ra', '--dhcp-range=2600::10,2600::20']
+ else:
+ extra_opts = []
+ self.dnsmasq = subprocess.Popen(
+ ['dnsmasq', '--keep-in-foreground', '--log-queries',
+ '--log-facility=' + self.dnsmasq_log, '--conf-file=/dev/null',
+ '--dhcp-leasefile=' + lease_file, '--bind-interfaces',
+ '--interface=' + self.if_router, '--except-interface=lo',
+ '--dhcp-range=192.168.5.10,192.168.5.200'] + extra_opts)
+
+ def shutdown_iface(self):
+ '''Remove test interface and stop DHCP server'''
+
+ if self.if_router:
+ subprocess.check_call(['ip', 'link', 'del', 'dev', self.if_router])
+ self.if_router = None
+ if self.dnsmasq:
+ self.dnsmasq.kill()
+ self.dnsmasq.wait()
+ self.dnsmasq = None
+
+ def print_server_log(self):
+ '''Print DHCP server log for debugging failures'''
+
+ with open(self.dnsmasq_log) as f:
+ sys.stdout.write('\n\n---- dnsmasq log ----\n%s\n------\n\n' % f.read())
+
+
+class NetworkdClientTest(ClientTestBase, unittest.TestCase):
+ '''Test networkd client against networkd server'''
+
+ def setUp(self):
+ super().setUp()
+ self.dnsmasq = None
+
+ def create_iface(self, ipv6=False):
+ '''Create test interface with DHCP server behind it'''
+
+ # run "router-side" networkd in own mount namespace to shield it from
+ # "client-side" configuration and networkd
+ (fd, script) = tempfile.mkstemp(prefix='networkd-router.sh')
+ self.addCleanup(os.remove, script)
+ with os.fdopen(fd, 'w+') as f:
+ f.write('''#!/bin/sh -eu
+mkdir -p /run/systemd/network
+mkdir -p /run/systemd/netif
+mount -t tmpfs none /run/systemd/network
+mount -t tmpfs none /run/systemd/netif
+[ ! -e /run/dbus ] || mount -t tmpfs none /run/dbus
+# create router/client veth pair
+cat << EOF > /run/systemd/network/test.netdev
+[NetDev]
+Name=%(ifr)s
+Kind=veth
+
+[Peer]
+Name=%(ifc)s
+EOF
+
+cat << EOF > /run/systemd/network/test.network
+[Match]
+Name=%(ifr)s
+
+[Network]
+Address=192.168.5.1/24
+%(addr6)s
+DHCPServer=yes
+
+[DHCPServer]
+PoolOffset=10
+PoolSize=50
+DNS=192.168.5.1
+EOF
+
+# run networkd as in systemd-networkd.service
+exec $(systemctl cat systemd-networkd.service | sed -n '/^ExecStart=/ { s/^.*=//; p}')
+''' % {'ifr': self.if_router, 'ifc': self.iface, 'addr6': ipv6 and 'Address=2600::1/64' or ''})
+
+ os.fchmod(fd, 0o755)
+
+ subprocess.check_call(['systemd-run', '--unit=networkd-test-router.service',
+ '-p', 'InaccessibleDirectories=-/etc/systemd/network',
+ '-p', 'InaccessibleDirectories=-/run/systemd/network',
+ '-p', 'InaccessibleDirectories=-/run/systemd/netif',
+ '--service-type=notify', script])
+
+ # wait until devices got created
+ for timeout in range(50):
+ out = subprocess.check_output(['ip', 'a', 'show', 'dev', self.if_router])
+ if b'state UP' in out and b'scope global' in out:
+ break
+ time.sleep(0.1)
+
+ def shutdown_iface(self):
+ '''Remove test interface and stop DHCP server'''
+
+ if self.if_router:
+ subprocess.check_call(['systemctl', 'stop', 'networkd-test-router.service'])
+ # ensure failed transient unit does not stay around
+ subprocess.call(['systemctl', 'reset-failed', 'networkd-test-router.service'])
+ subprocess.call(['ip', 'link', 'del', 'dev', self.if_router])
+ self.if_router = None
+
+ def print_server_log(self):
+ '''Print DHCP server log for debugging failures'''
+
+ self.show_journal('networkd-test-router.service')
+
+ @unittest.skip('networkd does not have DHCPv6 server support')
+ def test_hotplug_dhcp_ip6(self):
+ pass
+
+ @unittest.skip('networkd does not have DHCPv6 server support')
+ def test_coldplug_dhcp_ip6(self):
+ pass
+
+
+if __name__ == '__main__':
+ unittest.main(testRunner=unittest.TextTestRunner(stream=sys.stdout,
+ verbosity=2))
diff --git a/tmpfiles.d/systemd.conf.m4 b/tmpfiles.d/systemd.conf.m4
index d9d51af929..0575408dbe 100644
--- a/tmpfiles.d/systemd.conf.m4
+++ b/tmpfiles.d/systemd.conf.m4
@@ -33,9 +33,13 @@ A+ /run/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x
z /var/log/journal 2755 root systemd-journal - -
z /var/log/journal/%m 2755 root systemd-journal - -
+z /var/log/journal/%m/system.journal 0640 root systemd-journal - -
m4_ifdef(`HAVE_ACL',``
+a+ /var/log/journal - - - - d:group:adm:r-x,d:group:wheel:r-x
+a+ /var/log/journal - - - - group:adm:r-x,group:wheel:r-x
a+ /var/log/journal/%m - - - - d:group:adm:r-x,d:group:wheel:r-x
a+ /var/log/journal/%m - - - - group:adm:r-x,group:wheel:r-x
+a+ /var/log/journal/%m/system.journal - - - - group:adm:r--,group:wheel:r--
'')m4_dnl
d /var/lib/systemd 0755 root root -