summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-01-13resolved: implement the full NSEC and NSEC3 postive wildcard proofsLennart Poettering
2016-01-13resolved: refuse validating wildcard RRs for SOA, NSEC3, DNAMELennart Poettering
2016-01-13resolved: properly handles RRs in domains beginning in an asterisk labelLennart Poettering
Properly handle RRs that begin with an asterisk label. These are the unexpanded forms of wildcard domains and appear in NSEC RRs for example. We need to make sure we handle the signatures of these RRs properly, since they mostly are considered normal RRs, except that the RRSIG labels counter is one off for them, as the asterisk label is always excluded of the signature.
2016-01-13resolved: optimize dnssec_verify_rrset() a bitLennart Poettering
Let's determine the source of synthesis once instead of for each RR in the RRset.
2016-01-13shared: add new dns_name_startswith() callLennart Poettering
dns_name_startswith() is to dns_name_endswith() as startswith() is to endswith().
2016-01-13basic: add new ascii_strcasecmp_n() callLennart Poettering
2016-01-13systemctl: improve wording of "systemctl enable" messagesLennart Poettering
Closes: #2299
2016-01-13resolved: allocate bounded strings on stack instead of heap, if we canLennart Poettering
2016-01-13resolved: consider inverted RRSIG validity intervals expiredLennart Poettering
2016-01-13update TODOLennart Poettering
2016-01-13Merge pull request #2312 from jsynacek/masterDaniel Mack
man/tmpfiles.d: add note about permissions and ownership of symlinks
2016-01-13man/tmpfiles.d: add note about permissions and ownership of symlinksJan Synacek
...because this is might not be obvious.
2016-01-12Merge pull request #490 from pyssling/masterLennart Poettering
Add machine-id setting
2016-01-12core: Add machine-id settingNils Carlson
Allow for overriding all other machine-ids which may be present on the system using a kernel command line systemd.machine_id or --machine-id= option. This is especially useful for network booted systems where the machine-id needs to be static, or for containers where a specific machine-id is wanted.
2016-01-12Merge pull request #2131 from evverx/regenerate-m4-on-reconfigureLennart Poettering
build-sys: regenerate %.m4 -> % on reconfigure
2016-01-12Merge pull request #2310 from vcaputo/sd-event-profiling-fixupsLennart Poettering
sd-event: minor fixups to delays profiling changes
2016-01-12sd-event: minor fixups to delays profiling changesVito Caputo
2016-01-12Merge pull request #2147 from vcaputo/sd-event-measure-latenciesLennart Poettering
sd-event: instrument sd_event_run() for profiling delays
2016-01-12sd-event: instrument sd_event_run() for profiling delaysVito Caputo
Set SD_EVENT_PROFILE_DELAYS to activate accounting and periodic logging of the distribution of delays between sd_event_run() calls. Time spent in dispatching as well as time spent outside of sd_event_run() is measured and accounted for. Every 5 seconds a logarithmic histogram loop iteration delays since 5 seconds previous is logged. This is useful in identifying the frequency and magnitude of latencies affecting the event loop, which should be kept to a minimum.
2016-01-12Merge pull request #2308 from zonque/xsprintfLennart Poettering
tree-wide: use xsprintf() where applicable
2016-01-12tree-wide: use xsprintf() where applicableDaniel Mack
Also add a coccinelle receipt to help with such transitions.
2016-01-12Merge pull request #2265 from ipuustin/ambientLennart Poettering
capabilities: added support for ambient capabilities.
2016-01-12Merge pull request #2303 from aadamowski/fix-miscalculated-bufferDaniel Mack
Fix miscalculated buffer size and uses of size-unlimited sprintf()
2016-01-12man: add AmbientCapabilities entry.Ismo Puustinen
2016-01-12tests: test ambient capabilities.Ismo Puustinen
The ambient capability tests are only run if the kernel has support for ambient capabilities.
2016-01-12capabilities: added support for ambient capabilities.Ismo Puustinen
This patch adds support for ambient capabilities in service files. The idea with ambient capabilities is that the execed processes can run with non-root user and get some inherited capabilities, without having any need to add the capabilities to the executable file. You need at least Linux 4.3 to use ambient capabilities. SecureBit keep-caps is automatically added when you use ambient capabilities and wish to change the user. An example system service file might look like this: [Unit] Description=Service for testing caps [Service] ExecStart=/usr/bin/sleep 10000 User=nobody AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW After starting the service it has these capabilities: CapInh: 0000000000003000 CapPrm: 0000000000003000 CapEff: 0000000000003000 CapBnd: 0000003fffffffff CapAmb: 0000000000003000
2016-01-12capabilities: keep bounding set in non-inverted format.Ismo Puustinen
Change the capability bounding set parser and logic so that the bounding set is kept as a positive set internally. This means that the set reflects those capabilities that we want to keep instead of drop.
2016-01-12Merge pull request #2290 from vcaputo/normalize-log-source-prioritiesLennart Poettering
journal: normalize priority of logging sources
2016-01-11Fix miscalculated buffer size and uses of size-unlimited sprintf()Aleksander Adamowski
function. Not sure if this results in an exploitable buffer overflow, probably not since the the int value is likely sanitized somewhere earlier and it's being put through a bit mask shortly before being used.
2016-01-11Merge pull request #2289 from poettering/dnssec13Tom Gundersen
Thirteenth DNSSEC patch set
2016-01-11resolved: improve query RR type error wording a bitLennart Poettering
2016-01-11resolved: don#t allow explicit queries for RRSIG RRsLennart Poettering
We wouldn't know how to validate them, since they are the signatures, and hence have no signatures.
2016-01-11resolved: refuse doing queries for known-obsolete RR typesLennart Poettering
Given how fragile DNS servers are with some DNS types, and given that we really should avoid confusing them with known-weird lookups, refuse doing lookups for known-obsolete RR types.
2016-01-11resolved: rename DnsTransaction's current_features field to ↵Lennart Poettering
current_feature_level This is a follow-up for f4461e5641d53f27d6e76e0607bdaa9c0c58c1f6.
2016-01-11resolved: split out resetting of DNS server counters into a function call of ↵Lennart Poettering
its own A suggested by Vito Caputo: https://github.com/systemd/systemd/pull/2289#discussion-diff-49276220
2016-01-11resolved: accept rightfully unsigned NSEC responsesLennart Poettering
2016-01-11resolved: rework how and when we detect whether our chosen DNS server knows ↵Lennart Poettering
DNSSEC Move detection into a set of new functions, that check whether one specific server can do DNSSEC, whether a server and a specific transaction can do DNSSEC, or whether a transaction and all its auxiliary transactions could do so. Also, do these checks both before we acquire additional RRs for the validation (so that we can skip them if the server doesn't do DNSSEC anyway), and after we acquired them all (to see if any of the lookups changed our opinion about the servers). THis also tightens the checks a bit: a server that lacks TCP support is considered incompatible with DNSSEC too.
2016-01-11resolved: cache formatted server string in DnsServer structureLennart Poettering
This makes it easier to log information about a specific DnsServer object.
2016-01-11resolved: rework server feature level logicLennart Poettering
This changes the DnsServer logic to count failed UDP and TCP failures separately. This is useful so that we don't end up downgrading the feature level from one UDP level to a lower UDP level just because a TCP connection we did because of a TC response failed. This also adds accounting of truncated packets. If we detect incoming truncated packets, and count too many failed TCP connections (which is the normal fall back if we get a trucnated UDP packet) we downgrade the feature level, given that the responses at the current levels don't get through, and we somehow need to make sure they become smaller, which they will do if we don't request DNSSEC or EDNS support. This makes resolved work much better with crappy DNS servers that do not implement TCP and only limited UDP packet sizes, but otherwise support DNSSEC RRs. They end up choking on the generally larger DNSSEC RRs and there's no way to retrieve the full data.
2016-01-11resolved: add missing case to switch statementLennart Poettering
2016-01-11resolved: log why we use TCP when UDP isn't supported by a serverLennart Poettering
2016-01-11resolved: log about truncated replies before trying again, not afterLennart Poettering
2016-01-11resolved: don't attempt to send queries for DNSSEC RR types to servers not ↵Lennart Poettering
supporting them If we already degraded the feature level below DO don't bother with sending requests for DS, DNSKEY, RRSIG, NSEC, NSEC3 or NSEC3PARAM RRs. After all, we cannot do DNSSEC validation then anyway, and we better not press a legacy server like this with such modern concepts. This also has the benefit that when we try to validate a response we received using DNSSEC, and we detect a limited server support level while doing so, all further auxiliary DNSSEC queries will fail right-away.
2016-01-11resolved: log about reasons for switching to TCPLennart Poettering
2016-01-11resolved: when we get a packet failure from a server, don't downgrade UDP to ↵Lennart Poettering
TCP or vice versa Under the assumption that packet failures (i.e. FORMERR, SERVFAIL, NOTIMP) are caused by packet contents, not used transport, we shouldn't switch between UDP and TCP when we get them, but only downgrade the higher levels down to UDP.
2016-01-11resolved: properly handle UDP ICMP errors as lost packetsLennart Poettering
UDP ICMP errors are reported to us via recvmsg() when we read a reply. Handle this properly, and consider this a lost packet, and retry the connection. This also adds some additional logging for invalid incoming packets.
2016-01-11resolved: when we get a TCP connection failure, try againLennart Poettering
Previously, when we couldn't connect to a DNS server via TCP we'd abort the whole transaction using a "connection-failure" state. This change removes that, and counts failed connections as "lost packet" events, so that we switch back to the UDP protocol again.
2016-01-11resolved: when DNS/TCP doesn't work, try DNS/UDP againLennart Poettering
If we failed to contact a DNS server via TCP, bump of the feature level to UDP again. This way we'll switch back between UDP and TCP if we fail to contact a host. Generally, we prefer UDP over TCP, which is why UDP is a higher feature level. But some servers only support UDP but not TCP hence when reaching the lowest feature level of TCP and want to downgrade from there, pick UDP again. We this keep downgrading until we reach TCP and then we cycle through UDP and TCP.
2016-01-11resolved: introduce dns_transaction_retry() and use it everywhereLennart Poettering
The code to retry transactions has been used over and over again, simplify it by replacing it by a new function.
2016-01-11resolved: set a description on all our event sourcesLennart Poettering