summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-01-11resolved: make sure domain name hash function deals nicely with NUL embedded ↵Lennart Poettering
in labels
2016-01-11basic: introduce generic ascii_strlower_n() call and make use of it everywhereLennart Poettering
2016-01-11resolved: rework trust anchor revoke checkingLennart Poettering
Instead of first iterating through all DNSKEYs in the DnsAnswer in dns_transaction_check_revoked_trust_anchors(), and then doing that a second time in dns_trust_anchor_check_revoked(), do so only once in the former, and pass the dnskey we found directly to the latter.
2016-01-11resolved: look for revoked trust anchors before validating a messageLennart Poettering
There's not reason to wait for checking for revoked trust anchors until after validation, after all revoked DNSKEYs only need to be self-signed, but not have a full trust chain. This way, we can be sure that all trust anchor lookups we do during validation already honour that some keys might have been revoked.
2016-01-11resolved: use dns_answer_size() where appropriate to handle NULL DnsAnswerLennart Poettering
2016-01-11resolved: remove one level of indentation in dns_transaction_validate_dnssec()Lennart Poettering
Invert an "if" check, so that we can use "continue" rather than another code block indentation.
2016-01-11resolved: be less strict where the OPT pseudo-RR is placedLennart Poettering
This increases compatibility with crappy Belkin routers.
2016-01-11resolved: rename suffix_rr → zone_rrLennart Poettering
The domain name for this NSEC3 RR was originally stored in a variable called "suffix", which was then renamed to "zone" in d1511b3338f431de3c95a50a9c1aca297e0c0734. Hence also rename the RR variable accordingly.
2016-01-11resolved: fix NSEC3 iterations limit to what RFC5155 suggestsLennart Poettering
2016-01-11Merge pull request #2262 from pohly/smack-networkLennart Poettering
smack: Handling network
2016-01-11Merge pull request #2301 from martinpitt/kmod-static-conditionLennart Poettering
kmod-static-nodes: don't run if module list is empty
2016-01-11Merge pull request #2302 from arthur-c/masterDaniel Mack
doc typo, src: systemd/src/journal-remote/journal-gatewayd.c
2016-01-11Merge pull request #2294 from zonque/in_setLennart Poettering
macro.h: improve IN_SET helper macro
2016-01-11doc typo, src: systemd/src/journal-remote/journal-gatewayd.cArthur Clement
2016-01-11kmod-static-nodes: don't run if module list is emptyMartin Pitt
With this kmod commit, modules.devname will be empty by default instead of containing just a comment: https://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/commit/?id=4c30a11d5f Refine the startup condition of kmod-static-nodes.service to not run needlessly if the list is empty.
2016-01-11Merge pull request #2293 from zonque/issue-2292Tom Gundersen
sd-netlink: fix assert
2016-01-11Merge pull request #2296 from dankor/masterDaniel Mack
Updated Ukrainian translation
2016-01-11Updated Ukrainian translationDaniel Korostil
2016-01-11macro.h: provide a switch-case statement generator for IN_SETDaniel Mack
Rather than walking a list of valid values one-by-one, generate a switch-case statement for the IN_SET() macro. This allows the compiler to further optimize its code output, possibly by generating jump tables. This effectively decreases the binary size slightly. The implementation is based on macro overloading depending on the number of arguments. h/t to the following post: https://stackoverflow.com/questions/11761703/overloading-macro-on-number-of-arguments
2016-01-11smack: Handling networkCasey Schaufler
- Set Smack ambient to match run label - Set Smack netlabel host rules Set Smack ambient to match run label ------------------------------------ Set the Smack networking ambient label to match the run label of systemd. System services may expect to communicate with external services over IP. Setting the ambient label assigns that label to IP packets that do not include CIPSO headers. This allows systemd and the services it spawns access to unlabeled IP packets, and hence external services. A system may choose to restrict network access to particular services later in the startup process. This is easily done by resetting the ambient label elsewhere. Set Smack netlabel host rules ----------------------------- If SMACK_RUN_LABEL is defined set all other hosts to be single label hosts at the specified label. Set the loopback address to be a CIPSO host. If any netlabel host rules are defined in /etc/smack/netlabel.d install them into the smackfs netlabel interface. [Patrick Ohly: copied from https://review.tizen.org/git/?p=platform/upstream/systemd.git;a=commit;h=db4f6c9a074644aa2bf] [Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"] [Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"] [Patrick Ohly: adapted to upstream code review feedback: error logging, string constants]
2016-01-10tree-wide: unify argument lists of IN_SET()Daniel Mack
The new implementation will not allow passing the same values more than once, so clean up first.
2016-01-10sd-netlink: fix assertDaniel Mack
nl->fd can be 0.
2016-01-08Merge pull request #2287 from dandedrick/journal-gatewayd-timeout-fixDaniel Mack
journal-gatewayd: timeout journal wait to allow thread cleanup
2016-01-07Merge pull request #2285 from evverx/fix-test-resolveDaniel Mack
tests: test-resolve: wait until all queries are completed
2016-01-07Merge pull request #2284 from teg/resolved-cname-2Lennart Poettering
resolved: query_process_cname - make fully recursive
2016-01-07tests: test-resolve: wait until all queries are completedEvgeny Vereshchagin
This is a follow-up for 4a134c4903dbf6ef6c6a Fixes: $ ./test-resolve 209.132.183.105:80 209.132.183.105:80 canonical name: n/a 193.99.144.85:0 [2a02:2e0:3fe:1001:7777:772e:2:85]:0 canonical name: www.heise.de Host: web.heise.de -- Serv: http $ ./test-resolve 193.99.144.85:0 [2a02:2e0:3fe:1001:7777:772e:2:85]:0 canonical name: www.heise.de Host: web.heise.de -- Serv: http $ ./test-resolve ...
2016-01-07Merge pull request #2276 from poettering/dnssec12Tom Gundersen
Twelfth DNSSEC PR
2016-01-07resolved: query_process_cname - make fully recursiveTom Gundersen
This ensures we properly resolve the CNAME chain as far as we can, rather than only CNAME chains of length one.
2016-01-07Merge pull request #2283 from evverx/update-valgrind-testsDaniel Mack
build-sys: valgrind-tests: exclude python scripts too
2016-01-07build-sys: valgrind-tests: exclude python scripts tooEvgeny Vereshchagin
2016-01-06update DNSSEC TODOLennart Poettering
2016-01-06resolved: introduce support for per-interface negative trust anchorsLennart Poettering
2016-01-06nspawn: fix two typos in error messagesDaniel Mack
On errors, mention the functions that really failed.
2016-01-06Merge pull request #2137 from fbuihuu/fstab-gen-fix-device-timeoutDaniel Mack
Fstab gen fix device timeout
2016-01-06Merge pull request #2261 from evverx/fix-test-rlimit-utilDaniel Mack
tests: don't change hard limit in test-rlimit-util
2016-01-06Merge pull request #2243 from evverx/add-regression-test-for-journald-restartDaniel Mack
tests: add regression test for `systemctl restart systemd-journald`
2016-01-06Merge pull request #2273 from evverx/fix-possible-lost-in-test-bus-cleanupDaniel Mack
tests: use sd_bus_flush_close_unref instead of sd_bus_unref in test-bus-cleanup
2016-01-06Merge pull request #2278 from ↵Daniel Mack
systemd-mailing-devs/1452047873-6043-1-git-send-email-hui.wang@canonical.com keymap: remap microphone mute keycode for Lenovo Thinkcentre M800z
2016-01-06keymap: remap microphone mute keycode for Lenovo Thinkcentre M800zHui Wang
This Lenovo machine use codec Line2 to implement a microphone mute button, it depends on the unsolicited interrupt to generate key event, the scan code for this button is assigned to 0x00 in the linux kernel driver, and the keycode is KEY_MICMUTE(248), we need to remap this keycode to KEY_F20 to make this hotkey work in X11. BugLink: https://bugs.launchpad.net/bugs/1531362 Signed-off-by: Hui Wang <hui.wang@canonical.com>
2016-01-06resolved: when dumping the NTA database, sort outputLennart Poettering
Now that we populate the trust database by default with a larger number of entires, we better make sure to output a more readable version.
2016-01-06resolved: populate negative trust anchor by defaultLennart Poettering
Let's increase compatibility with many private domains by default, and ship a default NTA list of wel-known private domains, where it is unlikely they will be deployed as official TLD anytime soon.
2016-01-06resolved: log all OOM errorsLennart Poettering
2016-01-06resolved: reuse dns_trust_anchor_knows_domain() at another locationLennart Poettering
2016-01-06resolved: count unsupported dnssec algorithm as indeterminate RRsetLennart Poettering
After all, when we don't support the algorithm we cannot determine validity.
2016-01-05resolved: try to detect fritz.box-style private DNS zones, and downgrade to ↵Lennart Poettering
non-DNSSEC mode for them This adds logic to detect cases like the Fritz!Box routers which serve a private DNS domain "fritz.box" under the TLD "box" that does not exist in the root servers. If this is detected DNSSEC validation is turned off for this private domain, thus improving compatibility with such private DNS zones. This should be fairly secure as we first rely on the proof that .box does not exist before this logic is applied. Nevertheless the logic is only enabled for DNSSEC=allow-downgrade mode. This logic does not work for routers that set up a full DNS zone directly under a non-existing TLD, as in that case we cannot prove that the domain is truly non-existing according to the root servers.
2016-01-05resolved: when dumping trust anchor contents, clarify when it is emptyLennart Poettering
2016-01-05resolved: fix DNSSEC transaction dependency recursion checkLennart Poettering
We followed the wrong connection. This only worked sometimes at all, because we also return the wrong error code.
2016-01-05update DNSSEC TODOLennart Poettering
2016-01-05resolved,networkd: add a per-interface DNSSEC settingLennart Poettering
This adds a DNSSEC= setting to .network files, and makes resolved honour them.
2016-01-05resolved: log about per-interface setting parse errorsLennart Poettering