Age | Commit message (Collapse) | Author |
|
We will re-use the code to walk items in order to populate a creds object,
so let's factor it out first.
|
|
kdbus learned a new command to query a bus creator's credentials. Sync
kdbus.h first, which also renames some struct to more generic terms.
That is, however, not an ABI break this time.
|
|
systemd-journald check the cgroup id to support rate limit option for
every messages. so journald should be available to access cgroup node in
each process send messages to journald.
In system using SMACK, cgroup node in proc is assigned execute label
as each process's execute label.
so if journald don't want to denied for every process, journald
should have all of access rule for all process's label.
It's too heavy. so we could give special smack label for journald te get
all accesses's permission.
'^' label.
When assign '^' execute smack label to systemd-journald,
systemd-journald need to add CAP_MAC_OVERRIDE capability to get that smack privilege.
so I want to notice this information and set default capability to
journald whether system use SMACK or not.
because that capability affect to only smack enabled kernel
|
|
The compaq ku 0133 keyboard has 8 special keys at the top:
http://lackof.org/taggart/hacking/keyboard/cpqwireless.jpg
3 of these use standard HID usage codes from the consumer page, the 5
others use part of the reserved 0x07 - 0x1f range.
This commit adds mapping for this keyboard for these reserved codes, making
the other 5 keys work.
Cc: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
|
|
|
|
We can simplify our code quite a bit if we explicitly check for the
ifindex being 1 on Linux as a loopback check. Apparently, this is
hardcoded on Linux on the kernel, and effectively exported to userspace
via rtnl and such, hence we should be able to rely on it.
|
|
|
|
Don't handle clock_gettime() errors gracefully but use assert_se().
|
|
|
|
we stritcly require features from util-linux v2.25, such a new version
is not optional, hence document this.
|
|
The -l (lock) has been temporary disabled due to conflict with
udev (https://bugs.freedesktop.org/show_bug.cgi?id=79576)
The problem is fixed since util-linux v2.25 (Jul 2014).
|
|
|
|
|
|
kdbus_msg.timeout_ns now takes an absolute value, based on CLOCK_MONOTONIC,
in order to eventually support automatically restarted syscalls.
Signed-off-by: Daniel Mack <daniel@zonque.org>
|
|
In kdbus.h, the following details changed:
* All commands gained a 'kernel_flags' field to report the flags supported
by the driver. Before, this was done in the 'flags' field in a
bidirectional way, which turned out to be a problem for the code in
sd-bus, as many parts of it reuse the same ioctl struct more than once
and consider them to be owned by userspace.
* Name listings are now returned by a new struct instead of reusing struct
kdbus_cmd_name for that matter. This way, we don't add more unneeded
fields to it and make the API cleaner.
* 'conn_flags' was renamed to 'flags' in struct kdbus_cmd_hello to make
the API a bit more unified.
|
|
This could overflow on 32bit, where size_t is the same as unsigned.
|
|
https://bugs.freedesktop.org/show_bug.cgi?id=76745
|
|
Add examples to clarify how to use coredumpctl
See https://bugs.freedesktop.org/show_bug.cgi?id=83437
|
|
|
|
|
|
|
|
|
|
- mkdir_p_prefix: It has never been used
- mkdir_parents_prefix_label: Unused since 1434ae6fd49f8377b0ddbd4c675736e0d3226ea6
|
|
|
|
|
|
|
|
provides us with
|
|
This reverts commit b0f84d4d7832659f2216bda7a7cdf51f5e79c6eb.
get_creds_by_name() already translate the error nicely, we just need to
make use of it.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Quoting from Jon Corbet's report of Stephen Hemminger's talk at Linux
Plumbers Conference 2014 (https://lwn.net/Articles/616241/):
[...] So Stephen encouraged everybody to run a command like:
sysctl -w net.core.default_qdisc=fq_codel
That will cause fq_codel to be used for all future connections
[Qdiscs apply to interfaces, not connections. Pointed out by TomH
in the article comments. -- mschmidt] (up to the next reboot).
Unfortunately, the default queuing discipline cannot be changed,
since it will certainly disturb some user's workload somewhere.
Let's have the recommended default in systemd.
Thanks to Dave Täht for advice and the summary at
https://lists.bufferbloat.net/pipermail/cerowrt-devel/2014-October/003701.html
|
|
kdbus.h now has KDBUS_ATTACH_COMM split into KDBUS_ATTACH_TID_COMM and
KDBUS_ATTACH_PID_COMM. The items were split already, so the change in
systemd is easy.
|
|
|
|
In kdbus.h, the 'features' field has been dropped again. Instead of
negotiating features that way, we decided to make the kernel return the
set of supported flags in each ioctl struct's .flags field, in both the
success and error cases.
|
|
Without the socket open we are going to crash and burn. If for
whatever reason we fail during deserialization we will fail when
trying to open the socket. In this case it is better to unlink the old
socket and maybe lose some messages, than to continue without the
notification socket.
Of course this situation should not happen, but we should handle
it as gracefully as possible anyway.
https://bugzilla.redhat.com/show_bug.cgi?id=1099299
|
|
If we failed to parse something that we wrote ourselves,
things are seriously off. This is also likely to lead to
problems futher on.
|
|
Leaving the old root around seems better than aborting the
switch.
|
|
Commit 864e17068 ("nspawn: actually allow access to /dev/net/tun in the
container") added "/dev/net/tun" to the list of allowed devices but forgot
to tweak the array length, which caused "/dev/kdbus/*" to be missed.
|
|
|
|
It was only used in readahead.
|
|
Also, extend the printed warning a bit, explaining the situation more
verbosely.
|
|
|
|
|
|
Also, allow using --no-ask-password to turn off ineractive polkit
authorization.
|
|
If we don't have privileges to setup the namespaces then we are most likely
running inside some sort of unprivileged container, hence not being able to
create namespace is not a problem because spawned service can't access host
system anyway.
|