Age | Commit message (Collapse) | Author |
|
in labels
|
|
|
|
Instead of first iterating through all DNSKEYs in the DnsAnswer in
dns_transaction_check_revoked_trust_anchors(), and
then doing that a second time in dns_trust_anchor_check_revoked(), do so
only once in the former, and pass the dnskey we found directly to the
latter.
|
|
There's not reason to wait for checking for revoked trust anchors until
after validation, after all revoked DNSKEYs only need to be self-signed,
but not have a full trust chain.
This way, we can be sure that all trust anchor lookups we do during
validation already honour that some keys might have been revoked.
|
|
|
|
Invert an "if" check, so that we can use "continue" rather than another
code block indentation.
|
|
This increases compatibility with crappy Belkin routers.
|
|
The domain name for this NSEC3 RR was originally stored in a variable
called "suffix", which was then renamed to "zone" in
d1511b3338f431de3c95a50a9c1aca297e0c0734. Hence also rename the
RR variable accordingly.
|
|
|
|
smack: Handling network
|
|
kmod-static-nodes: don't run if module list is empty
|
|
doc typo, src: systemd/src/journal-remote/journal-gatewayd.c
|
|
macro.h: improve IN_SET helper macro
|
|
|
|
With this kmod commit, modules.devname will be empty by default instead of
containing just a comment:
https://git.kernel.org/cgit/utils/kernel/kmod/kmod.git/commit/?id=4c30a11d5f
Refine the startup condition of kmod-static-nodes.service to not run needlessly
if the list is empty.
|
|
sd-netlink: fix assert
|
|
Updated Ukrainian translation
|
|
|
|
Rather than walking a list of valid values one-by-one, generate a
switch-case statement for the IN_SET() macro. This allows the compiler to
further optimize its code output, possibly by generating jump tables.
This effectively decreases the binary size slightly.
The implementation is based on macro overloading depending on the number of
arguments. h/t to the following post:
https://stackoverflow.com/questions/11761703/overloading-macro-on-number-of-arguments
|
|
- Set Smack ambient to match run label
- Set Smack netlabel host rules
Set Smack ambient to match run label
------------------------------------
Set the Smack networking ambient label to match the
run label of systemd. System services may expect to
communicate with external services over IP. Setting
the ambient label assigns that label to IP packets
that do not include CIPSO headers. This allows systemd
and the services it spawns access to unlabeled IP
packets, and hence external services.
A system may choose to restrict network access to
particular services later in the startup process.
This is easily done by resetting the ambient label
elsewhere.
Set Smack netlabel host rules
-----------------------------
If SMACK_RUN_LABEL is defined set all other hosts to be
single label hosts at the specified label. Set the loopback
address to be a CIPSO host.
If any netlabel host rules are defined in /etc/smack/netlabel.d
install them into the smackfs netlabel interface.
[Patrick Ohly: copied from https://review.tizen.org/git/?p=platform/upstream/systemd.git;a=commit;h=db4f6c9a074644aa2bf]
[Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"]
[Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"]
[Patrick Ohly: adapted to upstream code review feedback: error logging, string constants]
|
|
The new implementation will not allow passing the same values more than
once, so clean up first.
|
|
nl->fd can be 0.
|
|
journal-gatewayd: timeout journal wait to allow thread cleanup
|
|
tests: test-resolve: wait until all queries are completed
|
|
resolved: query_process_cname - make fully recursive
|
|
This is a follow-up for 4a134c4903dbf6ef6c6a
Fixes:
$ ./test-resolve
209.132.183.105:80
209.132.183.105:80
canonical name: n/a
193.99.144.85:0
[2a02:2e0:3fe:1001:7777:772e:2:85]:0
canonical name: www.heise.de
Host: web.heise.de -- Serv: http
$ ./test-resolve
193.99.144.85:0
[2a02:2e0:3fe:1001:7777:772e:2:85]:0
canonical name: www.heise.de
Host: web.heise.de -- Serv: http
$ ./test-resolve
...
|
|
Twelfth DNSSEC PR
|
|
This ensures we properly resolve the CNAME chain as far as we can, rather
than only CNAME chains of length one.
|
|
build-sys: valgrind-tests: exclude python scripts too
|
|
|
|
|
|
|
|
On errors, mention the functions that really failed.
|
|
Fstab gen fix device timeout
|
|
tests: don't change hard limit in test-rlimit-util
|
|
tests: add regression test for `systemctl restart systemd-journald`
|
|
tests: use sd_bus_flush_close_unref instead of sd_bus_unref in test-bus-cleanup
|
|
systemd-mailing-devs/1452047873-6043-1-git-send-email-hui.wang@canonical.com
keymap: remap microphone mute keycode for Lenovo Thinkcentre M800z
|
|
This Lenovo machine use codec Line2 to implement a microphone mute
button, it depends on the unsolicited interrupt to generate key event,
the scan code for this button is assigned to 0x00 in the linux kernel
driver, and the keycode is KEY_MICMUTE(248), we need to remap this
keycode to KEY_F20 to make this hotkey work in X11.
BugLink: https://bugs.launchpad.net/bugs/1531362
Signed-off-by: Hui Wang <hui.wang@canonical.com>
|
|
Now that we populate the trust database by default with a larger number
of entires, we better make sure to output a more readable version.
|
|
Let's increase compatibility with many private domains by default, and
ship a default NTA list of wel-known private domains, where it is
unlikely they will be deployed as official TLD anytime soon.
|
|
|
|
|
|
After all, when we don't support the algorithm we cannot determine
validity.
|
|
non-DNSSEC mode for them
This adds logic to detect cases like the Fritz!Box routers which serve
a private DNS domain "fritz.box" under the TLD "box" that does not
exist in the root servers. If this is detected DNSSEC validation is
turned off for this private domain, thus improving compatibility with
such private DNS zones.
This should be fairly secure as we first rely on the proof that .box
does not exist before this logic is applied. Nevertheless the logic is
only enabled for DNSSEC=allow-downgrade mode.
This logic does not work for routers that set up a full DNS zone directly
under a non-existing TLD, as in that case we cannot prove
that the domain is truly non-existing according to the root servers.
|
|
|
|
We followed the wrong connection. This only worked sometimes at all, because we
also return the wrong error code.
|
|
|
|
This adds a DNSSEC= setting to .network files, and makes resolved honour
them.
|
|
|