Age | Commit message (Collapse) | Author |
|
Let's better check the size before we subtract. Also, let's change the size
argument to size_t, as it cannot be signed anyway.
Finally, use EBADMSG for indicating invalid packets, like we do everywhere
else.
|
|
|
|
Otherwise it gets too confusing whether "timeout" refers to an event source or
just a timeout time specification.
|
|
Also make use of it where appropriate.
|
|
There's no "client" object, in both cases. There's only "nd".
This wasn't noticed before, as the context object is currently not actually
used by the log macros.
|
|
|
|
Appears to be a (confusing) left-over from copy/paste when this still was
ipv4ll code.
|
|
|
|
Appears to be a copy/paste mistake from sd-ipv4ll. Let's get rid of this.
|
|
Let's make the seed actually work as stable seed, and use siphash24 to generate
the series of addresses, instead of the opaque libc random_r().
This not only makes the seed truly work as stable, portable seed, but also
makes the code quite a bit shorter, and removes a couple of memory allocations.
|
|
Let's make clear this always has the same size, since otherwise it's not useful
for reproducible runs, which this is really about however.
|
|
for errors
|
|
We try to stick to usec_t for encoding time information, do that here too. In
particular, get rid of "int" second specifications, since signed timespans are
a weird thing.
|
|
|
|
|
|
This state is active immediately after the state engine was started, but before
the first timer hits.
This way multiple _start() invocations on the same object are always detected
correctly.
|
|
This is much less confusing, since there's also sd_ipv4acd_stop(), which was
idfferent from ipv4acd_stop().
After renaming it, let's also use the funciton when destroying ipv4acd objects,
as the code is pretty much the same for that.
|
|
Otherwise the field "receive_message" is a bit too confusing, as it suggests it
actually stores a message object of some kind.
|
|
They are counters after all, and can never go below zero, hence don't pretend
with the chose type that they could.
Also, prefix their name with "n_", to indicate that they are counters.
|
|
And some other minor fixes.
|
|
Or actually, not at any level higher than debug.
|
|
These objects are only useful when multiple threads are involved, as they
operate with atomic operations. Given that our libraries are explicitly not
thread-safe don't make use of RefCnt here, and make things a bit simpler.
|
|
It's OK to abbreviate this in the local scope, but otherwise, let's not be
needlessly terse.
|
|
|
|
It's a good idea to make stopcalls idempotent, so that they become nops if the
object is already stopped.
|
|
assert_return() should only be used to validate user-facing parameters and
state, assert() should be used for checking our own internal state and
parameters.
|
|
After all, it's actually used for resetting the state, not only for the initial
initialization.
While we are at it, also simplify the error path for
sd_ndisc_discovery_start().
|
|
A field "index" is not particularly precise and also might conflict with libc's
index() function definition. Also, pretty much everywhere else we call this
concept "ifindex", including in networkd, the primary user of these libraries.
Hence, let's fix this up and call this "ifindex" everywhere here too.
|
|
|
|
|
|
|
|
Let's always check for errno being EAGAIN/EINTR the same way, and always log if
we receive weirdly short packets.
|
|
|
|
ask-password: ask for passphrases not only on the first console
|
|
* udevadm-info: use _cleanup_
* udevadm-info: propagate return value from export_devices()
* sd-device: add comment and remove unnecessary braces
|
|
but also on all other consoles. This does help on e.g. mainframes
where often a serial console together with other consoles are
used. Even rack based servers attachted to both a serial console
as well as having a virtual console do sometimes miss a connected
monitor.
To be able to ask on all terminal devices of /dev/console the devices
are collected. If more than one device are found, then on each of the
terminals a inquiring task for passphrase is forked and do not return
to the caller.
Every task has its own session and its own controlling terminal.
If one of the tasks does handle a password, the remaining tasks
will be terminated.
Also let contradictory options on the command of
systemd-tty-ask-password-agent fail.
Spwan for each device of the system console /dev/console a own process.
Replace the system call wait() with with system call waitid().
Use SIGTERM instead of SIGHUP to get unresponsive childs down.
Port the collect_consoles() function forward to a pulbic and strv
based function "get_kernel_consoles()" in terminal-util.c and use this
in tty-ask-password-agent.c.
|
|
This reverts commit 483d8bbb4c0190f419bf9fba57fb0feb1a56bea6.
In [1] Michel Dänzer and Daniel Vetter wrote:
>> The scenario you describe isn't possible if the Wayland compositor
>> directly uses the KMS API of /dev/dri/card*, but it may be possible if
>> the Wayland compositor uses the fbdev API of /dev/fb* instead (e.g. if
>> weston uses its fbdev backend).
>
> Yeah, if both weston and your screen grabber uses native fbdev API you can
> now screenshot your desktop. And since fbdev has no concept of "current
> owner of the display hw" like the drm master, I think this is not fixable.
> At least not just in userspace. Also even with native KMS compositors
> fbdev still doesn't have the concept of ownership, which is why it doesn't
> bother clearing it's buffer before KMS takes over. I agree that this
> should be reverted or at least hidden better.
TBH, I think that privilege separation between processes running under the same
UID is tenuous. Even with drm, in common setups any user process can ptrace the
"current owner of the display" and call DROP_MASTER or do whatever. It *is*
possible to prevent that, e.g. by disabling ptrace using yama.ptrace_scope, or
selinux, and so on, but afaik this is not commonly done. E.g. all Fedora
systems pull in elfutils-default-yama-scope.rpm through dependencies which sets
yama.ptrace_scope=0. And even assuming that ptrace was disabled, it is trivial
to modify files on disk, communicate through dbus, etc; there is just to many
ways for a non-sandboxed process to interact maliciously with the display shell
to close them all off. To achieve real protection, some sort of sandboxing
must be implemented, and in that case there is no need to rely on access mode
on the device files, since much more stringent measures have to be implemented
anyway.
The situation is similar for framebuffer devices. It is common to add
framebuffer users to video group to allow them unlimited access to /dev/fb*.
Using uaccess would be better solution in that case. Also, since there is no
"current owner" limitation like in DRM, processes running under the same UID
should be able to access /proc/<pid-of-display-server>/fd/* and gain access to
the devices. Nevertheless, weston implements a suid wrapper to access the
devices and then drop privileges, and this patch would make this daemon
pointless. So if the weston developers feel that this change reduces security,
I prefer to revert it.
[1] https://lists.freedesktop.org/archives/wayland-devel/2016-May/029017.html
|
|
The statemachine was unable to parse properties with empty values,
reported in [0].
When reaching the start of the KEY, we would unconditionally read
one more character before starting to look for the end-of-line.
Simply look for the end-of-line from the first character.
[0]: <https://bugzilla.redhat.com/show_bug.cgi?id=1338823>
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=1338584
|
|
From the issue #2004 we are receiving packet even if this
packet is not intended for this interface.
This can be reproduced.
lp3s0: Updating address: 2001:db8:1:0:7e7a:91ff:fe6d:ffe2/64 (valid for 1d)
wlp3s0: Updating address: fe80::7e7a:91ff:fe6d:ffe2/64 (valid forever)
NDisc CLIENT: Received RA from non-link-local address ::. Ignoring.
NDisc CLIENT: Received RA on wrong interface: 2 != 6. Ignoring.
NDisc CLIENT: Received RA on wrong interface: 2 != 3. Ignoring.
enp0s25: Updating address: 2001:db8:1:0:2ad2:44ff:fe6a:ae07/64 (valid for 1d)
enp0s25: Updating address: fe80::2ad2:44ff:fe6a:ae07/64 (valid forever)
NDisc CLIENT: Sent Router Solicitation
NDisc CLIENT: Sent Router Solicitation
NDisc CLIENT: Sent Router Solicitation
NDisc CLIENT: Received RA on wrong interface: 3 != 2. Ignoring.
NDisc CLIENT: Received RA on wrong interface: 3 != 6. Ignoring.
NDisc CLIENT: Received RA from non-link-local address ::. Ignoring.
NDisc CLIENT: Received RA on wrong interface: 2 != 6. Ignoring.
NDisc CLIENT: Received RA on wrong interface: 2 != 3. Ignoring.
enp0s25: Updating address: 2001:db8:1:0:2ad2:44ff:fe6a:ae07/64 (valid for 1d)
enp0s25: Updating address: fe80::2ad2:44ff:fe6a:ae07/64 (valid forever)
Add SO_BINDTODEVICE to socket
fixes #2004
|
|
|
|
packet (#3323)
Fixes:
-bash-4.3# ss --udp -l -p
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 0 0 *:5355 *:* users:(("systemd-resolve",pid=601,fd=12))
UNCONN 0 0 :::5355 :::* users:(("systemd-resolve",pid=601,fd=14))
-bash-4.3# nping --udp -p 5355 --data-length 0 -c 1 localhost
-bash-4.3# journalctl -u systemd-resolved -b --no-hostname
...
May 21 14:59:22 systemd-resolved[601]: Event source llmnr-ipv4-udp (type io) returned error, disabling: Input/output error
...
-bash-4.3# nping --udp -p 5355 --data-length 1000 -c 1 localhost
-bash-4.3# ss --udp -l
State Recv-Q Send-Q Local Address:Port Peer Address:Port
UNCONN 2304 0 *:5355 *:*
UNCONN 0 0 :::5355 :::*
|
|
Random ipv4acd fixes
|
|
This is a follow-up to cf447cb62d01137f4cbd1cd14b83b88823542bbf.
Let's generally follow the rule to not use read() on SOCK_DGRAM sockets, let's
always use recv() on that.
Also, don't abort IPV4ACD logic in case we read a short packet. Simply log and
ignore.
|
|
we already have ether_addr_is_null() in ether-addr-util.h, let's use it here,
too.
|
|
|
|
|
|
Fixup for #3304.
Only warn, and not return, because that's what sd_dhcp6_client_start()
does right below the call to sd_dhcp6_client_set_local_address().
|
|
|
|
|