summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-05-27Merge pull request #3356 from OpenDZ/tixxdz/nspawn-quick-v1Lennart Poettering
nspawn: filesystem uid patching fixes and other minor improvments
2016-05-26nspawn: rename arg_retain to arg_caps_retainDjalal Harouni
The argument is about capabilities.
2016-05-26nspawn: split out seccomp call into nspawn-seccomp.[ch]Djalal Harouni
Split seccomp into nspawn-seccomp.[ch]. Currently there are no changes, but this will make it easy in the future to share or use the seccomp logic from systemd core.
2016-05-26nspawn: rename is_procfs_sysfs_or_suchlike() to is_fs_fully_userns_compatible()Djalal Harouni
Rename is_procfs_sysfs_or_suchlike() to is_fs_fully_userns_compatible() to give it the real meaning. This may prevent future modifications that may introduce bugs.
2016-05-26nspawn: a bench of special fileystems that should not be shiftedDjalal Harouni
Add some special filesystems that should not be shifted, most of them relate to the host and not to containers.
2016-05-26{machine,system}ctl: always pass &changes and &n_changes (#3350)Christian Hesse
We have to pass addresses of changes and n_changes to bus_deserialize_and_dump_unit_file_changes(). Otherwise we are hit by missing information (subsequent calls to unit_file_changes_add() to not add anything). Also prevent null pointer dereference in bus_deserialize_and_dump_unit_file_changes() by asserting. Fixes #3339
2016-05-26Typo: systemd-nspaw -> systemd-nspawn (#3354)Ansgar Burchardt
2016-05-24Merge pull request #3247 from fbuihuu/ask-passowrd-on-all-consolesLennart Poettering
ask-password: ask for passphrases not only on the first console
2016-05-24Udevadm trivial cleanups (#3331)Zbigniew Jędrzejewski-Szmek
* udevadm-info: use _cleanup_ * udevadm-info: propagate return value from export_devices() * sd-device: add comment and remove unnecessary braces
2016-05-24ask-password: ask for passphrases not only on the first console of /dev/consoleWerner Fink
but also on all other consoles. This does help on e.g. mainframes where often a serial console together with other consoles are used. Even rack based servers attachted to both a serial console as well as having a virtual console do sometimes miss a connected monitor. To be able to ask on all terminal devices of /dev/console the devices are collected. If more than one device are found, then on each of the terminals a inquiring task for passphrase is forked and do not return to the caller. Every task has its own session and its own controlling terminal. If one of the tasks does handle a password, the remaining tasks will be terminated. Also let contradictory options on the command of systemd-tty-ask-password-agent fail. Spwan for each device of the system console /dev/console a own process. Replace the system call wait() with with system call waitid(). Use SIGTERM instead of SIGHUP to get unresponsive childs down. Port the collect_consoles() function forward to a pulbic and strv based function "get_kernel_consoles()" in terminal-util.c and use this in tty-ask-password-agent.c.
2016-05-24Revert "rules: allow users to access frame buffer devices" (#3333)Zbigniew Jędrzejewski-Szmek
This reverts commit 483d8bbb4c0190f419bf9fba57fb0feb1a56bea6. In [1] Michel Dänzer and Daniel Vetter wrote: >> The scenario you describe isn't possible if the Wayland compositor >> directly uses the KMS API of /dev/dri/card*, but it may be possible if >> the Wayland compositor uses the fbdev API of /dev/fb* instead (e.g. if >> weston uses its fbdev backend). > > Yeah, if both weston and your screen grabber uses native fbdev API you can > now screenshot your desktop. And since fbdev has no concept of "current > owner of the display hw" like the drm master, I think this is not fixable. > At least not just in userspace. Also even with native KMS compositors > fbdev still doesn't have the concept of ownership, which is why it doesn't > bother clearing it's buffer before KMS takes over. I agree that this > should be reverted or at least hidden better. TBH, I think that privilege separation between processes running under the same UID is tenuous. Even with drm, in common setups any user process can ptrace the "current owner of the display" and call DROP_MASTER or do whatever. It *is* possible to prevent that, e.g. by disabling ptrace using yama.ptrace_scope, or selinux, and so on, but afaik this is not commonly done. E.g. all Fedora systems pull in elfutils-default-yama-scope.rpm through dependencies which sets yama.ptrace_scope=0. And even assuming that ptrace was disabled, it is trivial to modify files on disk, communicate through dbus, etc; there is just to many ways for a non-sandboxed process to interact maliciously with the display shell to close them all off. To achieve real protection, some sort of sandboxing must be implemented, and in that case there is no need to rely on access mode on the device files, since much more stringent measures have to be implemented anyway. The situation is similar for framebuffer devices. It is common to add framebuffer users to video group to allow them unlimited access to /dev/fb*. Using uaccess would be better solution in that case. Also, since there is no "current owner" limitation like in DRM, processes running under the same UID should be able to access /proc/<pid-of-display-server>/fd/* and gain access to the devices. Nevertheless, weston implements a suid wrapper to access the devices and then drop privileges, and this patch would make this daemon pointless. So if the weston developers feel that this change reduces security, I prefer to revert it. [1] https://lists.freedesktop.org/archives/wayland-devel/2016-May/029017.html
2016-05-23sd-device: udev-db - handle properties with empty value (#3330)Tom Gundersen
The statemachine was unable to parse properties with empty values, reported in [0]. When reaching the start of the KEY, we would unconditionally read one more character before starting to look for the end-of-line. Simply look for the end-of-line from the first character. [0]: <https://bugzilla.redhat.com/show_bug.cgi?id=1338823>
2016-05-23man: explain what list-units does a bit better (#3324)Zbigniew Jędrzejewski-Szmek
https://bugzilla.redhat.com/show_bug.cgi?id=1338584
2016-05-23networkd: networkd: ndisc set SO_BINDTODEVICE on socket (#3294)Susant Sahani
From the issue #2004 we are receiving packet even if this packet is not intended for this interface. This can be reproduced. lp3s0: Updating address: 2001:db8:1:0:7e7a:91ff:fe6d:ffe2/64 (valid for 1d) wlp3s0: Updating address: fe80::7e7a:91ff:fe6d:ffe2/64 (valid forever) NDisc CLIENT: Received RA from non-link-local address ::. Ignoring. NDisc CLIENT: Received RA on wrong interface: 2 != 6. Ignoring. NDisc CLIENT: Received RA on wrong interface: 2 != 3. Ignoring. enp0s25: Updating address: 2001:db8:1:0:2ad2:44ff:fe6a:ae07/64 (valid for 1d) enp0s25: Updating address: fe80::2ad2:44ff:fe6a:ae07/64 (valid forever) NDisc CLIENT: Sent Router Solicitation NDisc CLIENT: Sent Router Solicitation NDisc CLIENT: Sent Router Solicitation NDisc CLIENT: Received RA on wrong interface: 3 != 2. Ignoring. NDisc CLIENT: Received RA on wrong interface: 3 != 6. Ignoring. NDisc CLIENT: Received RA from non-link-local address ::. Ignoring. NDisc CLIENT: Received RA on wrong interface: 2 != 6. Ignoring. NDisc CLIENT: Received RA on wrong interface: 2 != 3. Ignoring. enp0s25: Updating address: 2001:db8:1:0:2ad2:44ff:fe6a:ae07/64 (valid for 1d) enp0s25: Updating address: fe80::2ad2:44ff:fe6a:ae07/64 (valid forever) Add SO_BINDTODEVICE to socket fixes #2004
2016-05-23Mention initrd-root-device.target in NEWS (#3325)Dave Reisner
2016-05-23resolved: don't stop handle messages after receiving a zero length UDP ↵Evgeny Vereshchagin
packet (#3323) Fixes: -bash-4.3# ss --udp -l -p State Recv-Q Send-Q Local Address:Port Peer Address:Port UNCONN 0 0 *:5355 *:* users:(("systemd-resolve",pid=601,fd=12)) UNCONN 0 0 :::5355 :::* users:(("systemd-resolve",pid=601,fd=14)) -bash-4.3# nping --udp -p 5355 --data-length 0 -c 1 localhost -bash-4.3# journalctl -u systemd-resolved -b --no-hostname ... May 21 14:59:22 systemd-resolved[601]: Event source llmnr-ipv4-udp (type io) returned error, disabling: Input/output error ... -bash-4.3# nping --udp -p 5355 --data-length 1000 -c 1 localhost -bash-4.3# ss --udp -l State Recv-Q Send-Q Local Address:Port Peer Address:Port UNCONN 2304 0 *:5355 *:* UNCONN 0 0 :::5355 :::*
2016-05-23Merge pull request #3322 from poettering/random-ipv4acd-fixesTom Gundersen
Random ipv4acd fixes
2016-05-22ipv4acd/ipv4ll: stop using read() on SOCK_DGRAM socketsLennart Poettering
This is a follow-up to cf447cb62d01137f4cbd1cd14b83b88823542bbf. Let's generally follow the rule to not use read() on SOCK_DGRAM sockets, let's always use recv() on that. Also, don't abort IPV4ACD logic in case we read a short packet. Simply log and ignore.
2016-05-22sd-ipv4acd: do not define ether_addr_is_nul() redundantlyLennart Poettering
we already have ether_addr_is_null() in ether-addr-util.h, let's use it here, too.
2016-05-22sd-ipv4acd: drop HASH_KEY definition, as it is unusedLennart Poettering
2016-05-22nspawn: remove unreachable return statement (#3320)Zbigniew Jędrzejewski-Szmek
2016-05-21networkd-ndisc: do not return value from void functionsystemd/v230Zbigniew Jędrzejewski-Szmek
Fixup for #3304. Only warn, and not return, because that's what sd_dhcp6_client_start() does right below the call to sd_dhcp6_client_set_local_address().
2016-05-21build-sys: bump so versionZbigniew Jędrzejewski-Szmek
2016-05-21NEWS: final updates for v230Zbigniew Jędrzejewski-Szmek
2016-05-21run: do not try to use reply after freeing it (#3318)Zbigniew Jędrzejewski-Szmek
We'd call sd_bus_message_unref and then proceed to use variables pointing into the reply buffer (fd and char*). dup the fd and copy the string before destorying the reply. This makes systemd-run run again for me. https://bugzilla.redhat.com/show_bug.cgi?id=1337636
2016-05-21units: restore ConditionNeesUpdate=/etc in ldconfig.service (#3311)Lennart Poettering
In order to support stateless systems that support offline /usr updates properly, let's restore the ConditionNeesUpdate=/etc line that makes sure we are run when /usr is updated and this update needs to be propagated to the /etc/ld.so.conf file stored in /etc. This reverts part of #2859, which snuck this change in, but really shouldn't have.
2016-05-22libsystemd-network: use recv(..., 0) instead of read(...) (#3317)Tom Gundersen
According to recv(2) these should be the same, but that is not true. Passing a buffer of length 0 to read is defined to be a noop according to read(2), but passing a buffer of length 0 to recv will discard the pending pacet. We can easily hit this as we allocate our buffer size depending on the size of the incoming packet (using FIONREAD). As pointed out in issue #3299 simply sending an empty UDP packet to the DHCP client port will trigger a busy loop in networkd as we are polling on the socket but never discarding the empty packet. This reverts ad5ae47a0d159ea473c9730d7e0298a3e5d31cf6 but fixes the same issue.
2016-05-21core: set all log fds to -1 when freezing (#3314)Evgeny Vereshchagin
Fixes: -bash-4.3# echo core >/proc/sys/kernel/core_pattern -bash-4.3# kill -ABRT 1 -bash-4.3# kill -ABRT 1 [ 61.373922] systemd[1]: segfault at 7fff1d0a8f48 ip 00007fc9ca91b1c3 sp 00007fff1d0a8f50 error 6 in libc-2.23.so[7fc9ca8ce000+1c0000] [ 61.768017] Kernel panic - not syncing: Attempted to kill init! exitcode=0x0000008b [ 61.768017] ... Recursive ABRT and segfault: PID 1 - core TID 1: ... #153905 0x00005575fc3f829d log_dispatch #153906 0x00005575fc3f8aa3 log_assert #153907 0x00005575fc3f8ae9 log_assert_failed #153908 0x00005575fc3e7eb1 safe_close #153909 0x00005575fc3f6d5e log_close_journal #153910 0x00005575fc3f829d log_dispatch #153911 0x00005575fc3f85a1 log_internalv #153912 0x00005575fc3f86a1 log_internal #153913 0x00005575fc31c4c1 crash #153914 0x00007fb26f2cf3d0 __restore_rt #153915 0x00007fb26f2ced00 pause #153916 0x00005575fc403944 freeze #153917 0x00005575fc31bf7b freeze_or_reboot ...
2016-05-20core: put opening curly braces on the same line as function names (#3313)Tejun Heo
Recently added cgroup helper functions break the style convention. Fix them up.
2016-05-20Revert "core/dbus: further simplify branch code" (#3307)Lennart Poettering
2016-05-20Merge pull request #3304 from tomty89/masterTom Gundersen
[networkd] ndisc DHCPv6 triggering fixes
2016-05-20Merge pull request #3276 from ssahani/issue-3264Tom Gundersen
networkd: Drop IPv6LL address when link is down.
2016-05-20Merge pull request #3290 from htejun/cgroup2-io-compatLennart Poettering
Implement compat translation between IO* and BlockIO* settings
2016-05-20Merge pull request #3235 from dkg/hwaddr-cleanupTom Gundersen
minor improvements for dealing with MAC Addresses
2016-05-20core/dbus: revert oversimplification (#3309)Jonathan Boulle
free_and_strdup handles NULL but not empty strings. See also: https://github.com/systemd/systemd/pull/3283#issuecomment-220603145 https://github.com/systemd/systemd/pull/3307
2016-05-20Make the fix for net/if.h fuckup even worse (#3287)Zbigniew Jędrzejewski-Szmek
The original conflict is fixed in the kernel in v4.6-rc7-40-g4a91cb61bb, but now our work-around causes a compilation failure. Keep the workaround to support 4.5 kernels for now, and layer more ugliness on top. Tested with: kernel-headers-4.6.0-1.fc25.x86_64 glibc-devel-2.23.90-18.fc25.x86_64 kernel-headers-4.5.4-300.fc24.x86_64 glibc-devel-2.23.1-7.fc24.x86_64 kernel-headers-4.4.9-300.fc23.x86_64 glibc-devel-2.22-16.fc23.x86_64 kernel-headers-4.1.13-100.fc21.x86_64 glibc-devel-2.20-8.fc21.x86_64
2016-05-20resolved: fix accounting of dns serves on a link (#3291)Zbigniew Jędrzejewski-Szmek
After a few link up/down events I got this warning: May 17 22:05:10 laptop systemd-resolved[2983]: Failed to read DNS servers for interface wlp3s0, ignoring: Argument list too long
2016-05-20core/dbus: expose SELinuxContext property (#3284)Jonathan Boulle
Adds support to core for systemd D-Bus clients to send the `SELinuxContext` property . This means `systemd-run -p SELinuxContext=foo` should now work.
2016-05-20basic: remove rm_rf_and_free, add rm_rf_physical_and_free, use ↵Evgeny Vereshchagin
rm_rf_physical_and_freep in tests (#3292) Some distros don't mount /tmp as tmpfs. For example: https://lists.ubuntu.com/archives/ubuntu-cloud/2016-January/001009.html Some tests: * print 'Attempted to remove disk file system, and we can't allow that.' * don't really cleanup /tmp
2016-05-20NEWS: typo fix and american english (#3301)Thomas H. P. Andersen
2016-05-20sd-dhcp-client: fix busy loop reading zero sized DHCP UDP packets. (#3299)sadag
2016-05-20[networkd-dhcp6] do not call sd_dhcp6_client_start() from ↵tomty89
dhcp6_request_address() Starting the DHCP client doesn't seem like dhcp6_request_address()'s responsibility anyway. Whenever it's called, sd_dhcp6_client_start() is unconditionally called outside of it as well. See ndisc_router_handler() and ndisc_handler() in networkd-ndisc.c.
2016-05-20[networkd-ndisc] set IPv6LL address in DHCP clienttomty89
Fix issue #3256 and probably #1982. Referenced link_acquire_ipv6_conf() in networkd-link.c.
2016-05-19systemctl: suppress no-[Install] hint when --quiet is used (#3295)Zbigniew Jędrzejewski-Szmek
https://bugzilla.redhat.com/show_bug.cgi?id=1336960
2016-05-19systemctl: reload configuration when enabling sysv units too (#3297)Franck Bui
After enabling/disabling a unit, the daemon configuration is expected to be unless '--no-reload' option is passed. However this is not done when enabling a sysv units. This can lead to the following scenario: $ cp /etc/init.d/named /etc/init.d/foo $ systemctl enable foo foo.service is not a native service, redirecting to systemd-sysv-install Executing /usr/lib/systemd/systemd-sysv-install enable foo $ systemctl start foo Failed to start foo.service: Unit foo.service failed to load: No such file or directory. This can also be seen after installing a package providing a sysv service: the service can't be started unless 'daemon-reload' is called manually. This shouldn't be needed and this patch will fix this case too since during package installation, the service is expected to be enabled/disabled.
2016-05-19systemctl: restore the no-sync option for legacy halt (#3249)tblume
The sync() call on shutdown had been removed with commit 57371e5829a61e5ee6c9f98404dfc729d6c62608 together with the no-sync option for the shutdown commands. The sync call was restored in commit 4a3ad39957399c4a30fc472a804e72907ecaa4f9 but the no-sync option wasn't re-added. I think we should restore this option at least for the legacy halt command.
2016-05-19Merge pull request #3293 from michaelolbrich/partuuidZbigniew Jędrzejewski-Szmek
rules: add /dev/disk/by-partuuid symlinks also for dos partition tables
2016-05-19rules: add /dev/disk/by-partuuid symlinks also for dos partition tablesUwe Kleine-König
blkid reports PARTUUID values also for partitions that are defined by a dos partitioning scheme. Instead of limiting the partitioning scheme to "gpt or dos" just drop the test for the partitioning scheme and trust blkid to do the right thing.
2016-05-19NEWS: mention SessionsMax, InhibitorsMax, MulticastSnooping...Zbigniew Jędrzejewski-Szmek
... logind SIGHUP support, sd_journal_open_{directory,files}_fd, specifiers in DeviceAllow, "generated" and "trasnient" unit types. Move removed features to the end and cluster features by type.
2016-05-18core/dbus: further simplify branch code (#3283)Jonathan Boulle
free_and_strdup already handles the NULL case for us, so we can remove an extraneous conditional check. As noted in https://github.com/systemd/systemd/pull/3279/files#r63687717