diff options
| -rw-r--r-- | NEWS | 5 | ||||
| -rw-r--r-- | configure.ac | 13 | ||||
| -rw-r--r-- | m4/attributes.m4 | 15 | ||||
| -rw-r--r-- | man/systemd-run.xml | 2 | ||||
| -rw-r--r-- | src/basic/missing.h | 2 | ||||
| -rw-r--r-- | src/core/dbus-execute.c | 27 | ||||
| -rw-r--r-- | src/core/execute.c | 68 | ||||
| -rw-r--r-- | src/core/main.c | 7 | ||||
| -rw-r--r-- | src/libsystemd/sd-bus/busctl.c | 9 | ||||
| -rw-r--r-- | src/network/networkd-link.c | 24 | ||||
| -rw-r--r-- | src/shared/bus-util.c | 3 |
11 files changed, 107 insertions, 68 deletions
@@ -31,8 +31,9 @@ CHANGES WITH 227: assignments and "auto" for picking a free value automatically. - * The PrivateTmp, PrivateDevices, PrivateNetwork and - NoNewPrivileges properties can now be set for transient units. + * The PrivateTmp, PrivateDevices, PrivateNetwork, + NoNewPrivileges, TTYPath, WorkingDirectory and RootDirectory + properties can now be set for transient units. * Galician and Turkish translations were added. diff --git a/configure.ac b/configure.ac index d71cb07366..ef03fb082c 100644 --- a/configure.ac +++ b/configure.ac @@ -171,7 +171,6 @@ CC_CHECK_FLAGS_APPEND([with_cflags], [CFLAGS], [\ -Werror=implicit-function-declaration \ -Werror=missing-declarations \ -Werror=return-type \ - -Werror=shadow \ -Wstrict-prototypes \ -Wredundant-decls \ -Wmissing-noreturn \ @@ -196,6 +195,17 @@ CC_CHECK_FLAGS_APPEND([with_cflags], [CFLAGS], [\ -fPIE \ --param=ssp-buffer-size=4]) +CC_CHECK_FLAG_APPEND([with_cflags], [CFLAGS], [-Werror=shadow], [ +#include <time.h> +#include <inttypes.h> +typedef uint64_t usec_t; +usec_t now(clockid_t clock); +int main(void) { + struct timespec now; + return 0; +} +]) + AS_CASE([$CC], [*clang*], [CC_CHECK_FLAGS_APPEND([with_cppflags], [CPPFLAGS], [\ -Wno-typedef-redefinition \ @@ -1251,7 +1261,6 @@ if test "x$enable_myhostname" != "xno"; then AC_TYPE_SIZE_T AC_HEADER_TIME - AC_FUNC_MALLOC AC_FUNC_SELECT_ARGTYPES AC_CHECK_FUNCS([gethostbyaddr gethostbyname gettimeofday inet_ntoa memset select socket strcspn strdup strerror strncasecmp strcasecmp strspn]) diff --git a/m4/attributes.m4 b/m4/attributes.m4 index 97f094b07a..db5df250f4 100644 --- a/m4/attributes.m4 +++ b/m4/attributes.m4 @@ -35,15 +35,18 @@ dnl well. dnl Check if FLAG in ENV-VAR is supported by compiler and append it dnl to WHERE-TO-APPEND variable. Note that we invert -Wno-* checks to -dnl -W* as gcc cannot test for negated warnings. -dnl CC_CHECK_FLAG_APPEND([WHERE-TO-APPEND], [ENV-VAR], [FLAG]) +dnl -W* as gcc cannot test for negated warnings. If a C snippet is passed, +dnl use it, otherwise use a simple main() definition that just returns 0. +dnl CC_CHECK_FLAG_APPEND([WHERE-TO-APPEND], [ENV-VAR], [FLAG], [C-SNIPPET]) AC_DEFUN([CC_CHECK_FLAG_APPEND], [ AC_CACHE_CHECK([if $CC supports flag $3 in envvar $2], AS_TR_SH([cc_cv_$2_$3]), [eval "AS_TR_SH([cc_save_$2])='${$2}'" eval "AS_TR_SH([$2])='-Werror `echo "$3" | sed 's/^-Wno-/-W/'`'" - AC_LINK_IFELSE([AC_LANG_SOURCE([int main(void) { return 0; } ])], + AC_LINK_IFELSE([AC_LANG_SOURCE(ifelse([$4], [], + [int main(void) { return 0; } ], + [$4]))], [eval "AS_TR_SH([cc_cv_$2_$3])='yes'"], [eval "AS_TR_SH([cc_cv_$2_$3])='no'"]) eval "AS_TR_SH([$2])='$cc_save_$2'"]) @@ -52,10 +55,10 @@ AC_DEFUN([CC_CHECK_FLAG_APPEND], [ [eval "$1='${$1} $3'"]) ]) -dnl CC_CHECK_FLAGS_APPEND([WHERE-TO-APPEND], [ENV-VAR], [FLAG1 FLAG2]) +dnl CC_CHECK_FLAGS_APPEND([WHERE-TO-APPEND], [ENV-VAR], [FLAG1 FLAG2], [C-SNIPPET]) AC_DEFUN([CC_CHECK_FLAGS_APPEND], [ - for flag in $3; do - CC_CHECK_FLAG_APPEND($1, $2, $flag) + for flag in [$3]; do + CC_CHECK_FLAG_APPEND([$1], [$2], $flag, [$4]) done ]) diff --git a/man/systemd-run.xml b/man/systemd-run.xml index b220e0dce1..8850735a34 100644 --- a/man/systemd-run.xml +++ b/man/systemd-run.xml @@ -381,7 +381,7 @@ Dec 08 20:44:48 container systemd[1]: Started /bin/touch /tmp/foo.</programlisti as a service passing its standard input, output and error to the calling TTY.</para> - <programlisting># systemd-run -t /bin/bash</programlisting> + <programlisting># systemd-run -t --send-sighup /bin/bash</programlisting> </refsect1> diff --git a/src/basic/missing.h b/src/basic/missing.h index dc1f244d4c..93a7cb9aa0 100644 --- a/src/basic/missing.h +++ b/src/basic/missing.h @@ -139,6 +139,8 @@ static inline int pivot_root(const char *new_root, const char *put_old) { # define __NR_memfd_create 385 # elif defined __aarch64__ # define __NR_memfd_create 279 +# elif defined __s390__ +# define __NR_memfd_create 350 # elif defined _MIPS_SIM # if _MIPS_SIM == _MIPS_SIM_ABI32 # define __NR_memfd_create 4354 diff --git a/src/core/dbus-execute.c b/src/core/dbus-execute.c index fd13c6d019..868c8cc05a 100644 --- a/src/core/dbus-execute.c +++ b/src/core/dbus-execute.c @@ -847,27 +847,36 @@ int bus_exec_context_set_transient_property( return 1; - } else if (streq(name, "TTYPath")) { - const char *tty; + } else if (STR_IN_SET(name, + "TTYPath", "WorkingDirectory", "RootDirectory")) { + const char *s; - r = sd_bus_message_read(message, "s", &tty); + r = sd_bus_message_read(message, "s", &s); if (r < 0) return r; - if (!path_is_absolute(tty)) - return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "TTY device not absolute path"); + if (!path_is_absolute(s)) + return sd_bus_error_setf(error, SD_BUS_ERROR_INVALID_ARGS, "%s takes an absolute path", name); if (mode != UNIT_CHECK) { char *t; - t = strdup(tty); + t = strdup(s); if (!t) return -ENOMEM; - free(c->tty_path); - c->tty_path = t; + if (streq(name, "TTYPath")) { + free(c->tty_path); + c->tty_path = t; + } else if (streq(name, "WorkingDirectory")) { + free(c->working_directory); + c->working_directory = t; + } else if (streq(name, "RootDirectory")) { + free(c->root_directory); + c->root_directory = t; + } - unit_write_drop_in_private_format(u, mode, name, "TTYPath=%s\n", tty); + unit_write_drop_in_private_format(u, mode, name, "%s=%s\n", name, s); } return 1; diff --git a/src/core/execute.c b/src/core/execute.c index a0e39ccae9..7796c07fcf 100644 --- a/src/core/execute.c +++ b/src/core/execute.c @@ -1601,25 +1601,50 @@ static int exec_child( } } + umask(context->umask); + if (params->apply_permissions) { r = enforce_groups(context, username, gid); if (r < 0) { *exit_status = EXIT_GROUP; return r; } - } +#ifdef HAVE_SMACK + if (context->smack_process_label) { + r = mac_smack_apply_pid(0, context->smack_process_label); + if (r < 0) { + *exit_status = EXIT_SMACK_PROCESS_LABEL; + return r; + } + } +#ifdef SMACK_DEFAULT_PROCESS_LABEL + else { + _cleanup_free_ char *exec_label = NULL; - umask(context->umask); + r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label); + if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) { + *exit_status = EXIT_SMACK_PROCESS_LABEL; + return r; + } + r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL); + if (r < 0) { + *exit_status = EXIT_SMACK_PROCESS_LABEL; + return r; + } + } +#endif +#endif #ifdef HAVE_PAM - if (params->apply_permissions && context->pam_name && username) { - r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds); - if (r < 0) { - *exit_status = EXIT_PAM; - return r; + if (context->pam_name && username) { + r = setup_pam(context->pam_name, username, uid, context->tty_path, &pam_env, fds, n_fds); + if (r < 0) { + *exit_status = EXIT_PAM; + return r; + } } - } #endif + } if (context->private_network && runtime && runtime->netns_storage_socket[0] >= 0) { r = setup_netns(runtime->netns_storage_socket); @@ -1748,33 +1773,6 @@ static int exec_child( } } -#ifdef HAVE_SMACK - if (context->smack_process_label) { - r = mac_smack_apply_pid(0, context->smack_process_label); - if (r < 0) { - *exit_status = EXIT_SMACK_PROCESS_LABEL; - return r; - } - } -#ifdef SMACK_DEFAULT_PROCESS_LABEL - else { - _cleanup_free_ char *exec_label = NULL; - - r = mac_smack_read(command->path, SMACK_ATTR_EXEC, &exec_label); - if (r < 0 && r != -ENODATA && r != -EOPNOTSUPP) { - *exit_status = EXIT_SMACK_PROCESS_LABEL; - return r; - } - - r = mac_smack_apply_pid(0, exec_label ? : SMACK_DEFAULT_PROCESS_LABEL); - if (r < 0) { - *exit_status = EXIT_SMACK_PROCESS_LABEL; - return r; - } - } -#endif -#endif - if (context->user) { r = enforce_user(context, uid); if (r < 0) { diff --git a/src/core/main.c b/src/core/main.c index 9c1f8648e7..b57f4c1b7a 100644 --- a/src/core/main.c +++ b/src/core/main.c @@ -1807,6 +1807,13 @@ int main(int argc, char *argv[]) { goto finish; case MANAGER_EXIT: + if (m->running_as == MANAGER_USER) { + retval = EXIT_SUCCESS; + log_debug("Exit."); + goto finish; + } + + /* fallthrough */ case MANAGER_REBOOT: case MANAGER_POWEROFF: case MANAGER_HALT: diff --git a/src/libsystemd/sd-bus/busctl.c b/src/libsystemd/sd-bus/busctl.c index 09eba51d1c..5d07d5809c 100644 --- a/src/libsystemd/sd-bus/busctl.c +++ b/src/libsystemd/sd-bus/busctl.c @@ -1096,6 +1096,15 @@ static int monitor(sd_bus *bus, char *argv[], int (*dump)(sd_bus_message *m, FIL if (r < 0) return log_error_errno(r, "Failed to add match: %m"); + free(m); + m = strjoin("destination='", *i, "'", NULL); + if (!m) + return log_oom(); + + r = sd_bus_add_match(bus, NULL, m, NULL, NULL); + if (r < 0) + return log_error_errno(r, "Failed to add match: %m"); + added_something = true; } diff --git a/src/network/networkd-link.c b/src/network/networkd-link.c index 86f1c3bb1a..05a1358eca 100644 --- a/src/network/networkd-link.c +++ b/src/network/networkd-link.c @@ -1794,7 +1794,6 @@ static int link_set_ipv6_privacy_extensions(Link *link) { static int link_set_ipv6_accept_ra(Link *link) { const char *p = NULL, *v = NULL; - bool b; int r; /* Make this a NOP if IPv6 is not available */ @@ -1804,20 +1803,21 @@ static int link_set_ipv6_accept_ra(Link *link) { if (link->flags & IFF_LOOPBACK) return 0; - /* if unset check the ip forwarding setting maintained for the interface - * and then set it to depending on that. enabled if local forwarding - * is disabled. disabled if local forwarding is enabled. + /* If unset use system default (enabled if local forwarding is disabled. + * disabled if local forwarding is enabled). + * If set, ignore or enforce RA independent of local forwarding state. */ if (link->network->ipv6_accept_ra < 0) { - if (IN_SET(link->network->ip_forward, ADDRESS_FAMILY_YES, ADDRESS_FAMILY_IPV6)) - b = false; - else - b = true; - } else - b = link->network->ipv6_accept_ra; - + /* default to accept RA if ip_forward is disabled and ignore RA if ip_forward is enabled */ + v = "1"; + } else if (link->network->ipv6_accept_ra > 0) { + /* "2" means accept RA even if ip_forward is enabled */ + v = "2"; + } else { + /* "0" means ignore RA */ + v = "0"; + } p = strjoina("/proc/sys/net/ipv6/conf/", link->ifname, "/accept_ra"); - v = one_zero(b); r = write_string_file(p, v, 0); if (r < 0) { diff --git a/src/shared/bus-util.c b/src/shared/bus-util.c index fdf41cec19..16b17c2c82 100644 --- a/src/shared/bus-util.c +++ b/src/shared/bus-util.c @@ -1492,7 +1492,8 @@ int bus_append_unit_property_assignment(sd_bus_message *m, const char *assignmen "User", "Group", "DevicePolicy", "KillMode", "UtmpIdentifier", "UtmpMode", "PAMName", "TTYPath", "StandardInput", "StandardOutput", "StandardError", - "Description", "Slice", "Type")) + "Description", "Slice", "Type", "WorkingDirectory", + "RootDirectory")) r = sd_bus_message_append(m, "v", "s", eq); else if (streq(field, "DeviceAllow")) { |