summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-10-26seccomp: also block shmat(..., SHM_EXEC) for MemoryDenyWriteExecuteTopi Miettinen
shmat(..., SHM_EXEC) can be used to create writable and executable memory, so let's block it when MemoryDenyWriteExecute is set.
2016-10-25man: document that systemctl cat shows file content (#4488)Lucas Werkmeister
... and that that content might be outdated.
2016-10-25build-sys/autogen: don't use bashisms (#4489)Evgeny Vereshchagin
Fixes: $ ls -l /bin/sh lrwxrwxrwx 1 root root 4 Feb 17 2016 /bin/sh -> dash $ ./autogen.sh c ./autogen.sh: 22: ./autogen.sh: [[: not found ... checking whether make supports nested variables... (cached) yes checking build system type... Invalid configuration `c': machine `c' not recognized configure: error: /bin/bash build-aux/config.sub c failed this is a follow-up for a5e739a570081231
2016-10-25Merge pull request #4476 from poettering/systemctl-freeMartin Pitt
two minor systemctl memleak fixes
2016-10-25test: skip exec tests when inaccessible dir is unavailableDongsu Park
In case of running test-execute on systems with systemd < v232, several tests like privatedevices or protectkernelmodules fail because /run/systemd/inaccessible/ doesn't exist. In these cases, we should skip tests to avoid unnecessary errors. See also https://github.com/systemd/systemd/pull/4243#issuecomment-253665566
2016-10-25systemctl: fix two minor memory leaks in --wait handlingLennart Poettering
(Also, let's not use the binary |= operator on "bool" variables). Fix-up for 93a0884126146361ca078ec627da2cf766205a1c.
2016-10-25update NEWS file a bit moreLennart Poettering
2016-10-25Merge pull request #4474 from poettering/nsswitchMartin Pitt
various nss module/resolved fixes
2016-10-24Merge pull request #4450 from poettering/seccompfixesZbigniew Jędrzejewski-Szmek
Various seccomp fixes and NEWS update.
2016-10-25man: Fix event source priority enum names in synopsis (#4478)Martin Ejdestig
2016-10-24Merge pull request #4477 from poettering/enumerate-load-fixLennart Poettering
Properly synthesize -.slice and init.scope
2016-10-24networkd: fix mixup of bond options (#4470)Benjamin Richter
2016-10-24core: drop -.slice from shipped unitsLennart Poettering
Since this unit is synthesized anyway there's no point in actually shipping it on disk. This also has the benefit that "cd /usr/lib/systemd/system ; ls *" won't be confused by the leading dash of the file name anymore.
2016-10-24core: move initialization of -.slice and init.scope into the unit_load() ↵Lennart Poettering
callbacks Previously, we'd synthesize the root slice unit and the init scope unit in the enumerator callbacks for the unit type. This is problematic if either of them is already referenced from a unit that is loaded as result of another unit type's enumerator logic. Let's clean this up and simply create the two objects from the enumerator callbacks, if they are not around yet. Do the actual filling in of the settings from the unit_load() callbacks, to match how other units are loaded. Fixes: #4322
2016-10-24man: sync up the suggested nsswitch.conf configuration for our four NSS modulesLennart Poettering
This unifies the suggested nsswitch.conf configuration for our four NSS modules to this: hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname Note that this restores "myhostname" to the suggested configuration of nss-resolve for the time being, undoing 4484e1792b64b01614f04b7bde97bf019f601bf9. "myhostname" should probably be dropped eventually, but when we do this we should do it in full, and not only drop it from the suggested nsswitch.conf for one of the modules, but also drop it in source and stop referring to it altogether. Note that nss-resolve doesn't replace nss-myhostname in full: the former only works if D-Bus/resolved is available for resolving the local hostname, the latter works in all cases even if D-Bus or resolved are not in operation, hence there's some value in keeping the line as it is right now. Note that neither dns nor myhostname are considered at all with the above configuration unless the resolve module actually returns UNAVAIL. Thus, even though handling of local hostname resolving is implemented twice this way it is only executed once for each lookup.
2016-10-24nss-resolve: be a bit more careful with returning NSS_STATUS_NOTFOUNDLennart Poettering
Let's tighten the cases when our module returns NSS_STATUS_NOTFOUND. Let's do so only if we actually managed to talk to resolved. In all other cases stick to NSS_STATUS_UNAVAIL as before, as it clearly indicates that our module or the system is borked, and the "dns" fallback should really take place. In particular this fixes the 2nd-level fallback from our own dlopen() based fallback handling. In this case we really should return UNAVAIL so that the caller can apply its own fallback still. Fix-up for d7247512a904f1dd74125859d8da66166c2a6933. Note that our own dlopen() based fallback is pretty much redundant now if nsswitch.conf is configured like this: hosts: files mymachines resolve [!UNAVAIL=return] dns myhostname In a future release we should probably drop our internal fallback then, in favour of this nsswitch.conf-based one.
2016-10-24resolved: properly check for the root domainLennart Poettering
Fix-up for #4164
2016-10-24Various additions to NEWSLennart Poettering
2016-10-24seccomp: add test-seccomp test toolLennart Poettering
This validates the system call set table and many of our seccomp-util.c APIs.
2016-10-24seccomp: add new helper call seccomp_load_filter_set()Lennart Poettering
This allows us to unify most of the code in apply_protect_kernel_modules() and apply_private_devices().
2016-10-24seccomp: two fixes for the syscall set tablesLennart Poettering
"oldumount()" is not a syscall, but simply a wrapper for it, the actual syscall nr is called "umount" (and the nr of umount() is called umount2 internally). "sysctl()" is not a syscall, but "_syscall()" is. Fix this in the table. Without these changes libseccomp cannot actually translate the tables in full. This wasn't noticed before as the code was written defensively for this case.
2016-10-24seccomp: add new seccomp_init_conservative() helperLennart Poettering
This adds a new seccomp_init_conservative() helper call that is mostly just a wrapper around seccomp_init(), but turns off NNP and adds in all secondary archs, for best compatibility with everything else. Pretty much all of our code used the very same constructs for these three steps, hence unifying this in one small function makes things a lot shorter. This also changes incorrect usage of the "scmp_filter_ctx" type at various places. libseccomp defines it as typedef to "void*", i.e. it is a pointer type (pretty poor choice already!) that casts implicitly to and from all other pointer types (even poorer choice: you defined a confusing type now, and don't even gain any bit of type safety through it...). A lot of the code assumed the type would refer to a structure, and hence aded additional "*" here and there. Remove that.
2016-10-24core: rework apply_protect_kernel_modules() to use ↵Lennart Poettering
seccomp_add_syscall_filter_set() Let's simplify this call, by making use of the new infrastructure. This is actually more in line with Djalal's original patch but instead of search the filter set in the array by its name we can now use the set index and jump directly to it.
2016-10-24core: rework syscall filter set handlingLennart Poettering
A variety of fixes: - rename the SystemCallFilterSet structure to SyscallFilterSet. So far the main instance of it (the syscall_filter_sets[] array) used to abbreviate "SystemCall" as "Syscall". Let's stick to one of the two syntaxes, and not mix and match too wildly. Let's pick the shorter name in this case, as it is sufficiently well established to not confuse hackers reading this. - Export explicit indexes into the syscall_filter_sets[] array via an enum. This way, code that wants to make use of a specific filter set, can index it directly via the enum, instead of having to search for it. This makes apply_private_devices() in particular a lot simpler. - Provide two new helper calls in seccomp-util.c: syscall_filter_set_find() to find a set by its name, seccomp_add_syscall_filter_set() to add a set to a seccomp object. - Update SystemCallFilter= parser to use extract_first_word(). Let's work on deprecating FOREACH_WORD_QUOTED(). - Simplify apply_private_devices() using this functionality
2016-10-24core: move misplaced comment to the right placeLennart Poettering
2016-10-24core: simplify skip_seccomp_unavailable() a bitLennart Poettering
Let's prefer early-exit over deep-indented if blocks. Not behavioural change.
2016-10-24update-done: minor clean-upsLennart Poettering
This is a follow-up for fb8b0869a7bc30e23be175cf978df23192d59118, and makes a couple of minor clean-up changes: - The field name in the timestamp file is changed from "TimestampNSec=" to "TIMESTAMP_NSEC=". This is done simply to reflect the fact that we parse the file with the env var file parser, and hence the contents should better follow the usual capitalization of env vars, i.e. be all uppercase. - Needless negation of the errno parameter log_error_errno() and friends has been removed. - Instead of manually calculating the nsec remainder of the timestamp, use timespec_store(). - We now check whether we were able to write the timestamp file in full with fflush_and_check() the way we usually do it.
2016-10-24Merge pull request #4459 from keszybz/commandline-parsingLennart Poettering
Commandline parsing simplification and udev fix
2016-10-24Merge pull request #4469 from endocode/djalal/groups-testDjalal Harouni
test: lets add more tests to cover SupplementaryGroups= cases.
2016-10-24Merge pull request #4406 from jsynacek/jsynacek-is-enabledLennart Poettering
shared, systemctl: teach is-enabled to show install targets
2016-10-24networkd-ndisc: Don't add NDisc route for local address (#4467)Patrik Flykt
When systemd-networkd is run on the same IPv6 enabled interface where radvd is announcing prefixes, a route is being set up pointing to the interface address. As this will fail with an invalid argument error, the link is marked as failed and the following message like the following will appear in in the logs: systemd-networkd[21459]: eth1: Could not set NDisc route or address: Invalid argument systemd-networkd[21459]: eth1: Failed Should the interface be required by systemd-networkd-wait-online, network-online.target will wait until its timeout hits thereby significantly delaying system startup. The fix is to check whether the gateway address obtained from NDisc messages is equal to any of the interface addresses on the same link and not set the NDisc route in that case.
2016-10-24core: do not assert when sysconf(_SC_NGROUPS_MAX) fails (#4466)Djalal Harouni
Remove the assert and check the return code of sysconf(_SC_NGROUPS_MAX). _SC_NGROUPS_MAX maps to NGROUPS_MAX which is defined in <limits.h> to 65536 these days. The value is a sysctl read-only /proc/sys/kernel/ngroups_max and the kernel assumes that it is always positive otherwise things may break. Follow this and support only positive values for all other case return either -errno or -EOPNOTSUPP. Now if there are systems that want to re-write NGROUPS_MAX then they should not pass SupplementaryGroups= in units even if it is empty, in this case nothing fails and we just ignore supplementary groups. However if SupplementaryGroups= is passed even if it is empty we have to assume that there will be groups manipulation from our side or the kernel and since the kernel always assumes that NGROUPS_MAX is positive, then follow that and support only positive values.
2016-10-24test: lets add more tests to cover SupplementaryGroups= cases.Djalal Harouni
2016-10-24shared, systemctl: teach is-enabled to show installation targetsJan Synacek
It may be desired by users to know what targets a particular service is installed into. Improve user friendliness by teaching the is-enabled command to show such information when used with --full. This patch makes use of the newly added UnitFileFlags and adds UNIT_FILE_DRY_RUN flag into it. Since the API had already been modified, it's now easy to add the new dry-run feature for other commands as well. As a next step, --dry-run could be added to systemctl, which in turn might pave the way for a long requested dry-run feature when running systemctl start.
2016-10-24install: introduce UnitFileFlagsJan Synacek
Introduce a new enum to get rid of some boolean arguments of unit_file_* functions. It unifies the code, makes it a bit cleaner and extensible.
2016-10-23Merge pull request #4372 from evverx/fix-synced-cgroup-hierarchy-permsZbigniew Jędrzejewski-Szmek
2016-10-23tests/TEST-13-NSPAWN-SMOKE: remove an expected failure checkEvgeny Vereshchagin
https://github.com/systemd/systemd/issues/4352 has been fixed So, we don't need this workaround anymore
2016-10-23nspawn: become a new root earlyEvgeny Vereshchagin
https://github.com/torvalds/linux/commit/036d523641c66bef713042894a17f4335f199e49 > vfs: Don't create inodes with a uid or gid unknown to the vfs It is expected that filesystems can not represent uids and gids from outside of their user namespace. Keep things simple by not even trying to create filesystem nodes with non-sense uids and gids. So, we actually should `reset_uid_gid` early to prevent https://github.com/systemd/systemd/pull/4223#issuecomment-252522955 $ sudo UNIFIED_CGROUP_HIERARCHY=no LD_LIBRARY_PATH=.libs .libs/systemd-nspawn -D /var/lib/machines/fedora-rawhide -U -b systemd.unit=multi-user.target Spawning container fedora-rawhide on /var/lib/machines/fedora-rawhide. Press ^] three times within 1s to kill container. Child died too early. Selected user namespace base 1073283072 and range 65536. Failed to mount to /sys/fs/cgroup/systemd: No such file or directory Details: https://github.com/systemd/systemd/pull/4223#issuecomment-253046519 Fixes: #4352
2016-10-23nspawn: really lchown(uid/gid)Evgeny Vereshchagin
https://github.com/systemd/systemd/pull/4372#issuecomment-253723849: * `mount_all (outer_child)` creates `container_dir/sys/fs/selinux` * `mount_all (outer_child)` doesn't patch `container_dir/sys/fs` and so on. * `mount_sysfs (inner_child)` tries to create `/sys/fs/cgroup` * This fails 370 stat("/sys/fs", {st_dev=makedev(0, 28), st_ino=13880, st_mode=S_IFDIR|0755, st_nlink=3, st_uid=65534, st_gid=65534, st_blksize=4096, st_blocks=0, st_size=60, st_atime=2016/10/14-05:16:43.398665943, st_mtime=2016/10/14-05:16:43.399665943, st_ctime=2016/10/14-05:16:43.399665943}) = 0 370 mkdir("/sys/fs/cgroup", 0755) = -1 EACCES (Permission denied) * `mount_syfs (inner_child)` ignores that error and mount(NULL, "/sys", NULL, MS_RDONLY|MS_NOSUID|MS_NODEV|MS_NOEXEC|MS_REMOUNT|MS_BIND, NULL) = 0 * `mount_cgroups` finally fails
2016-10-23basic: fallback to the fstat if we don't have access to the /proc/self/fdinfoEvgeny Vereshchagin
https://github.com/systemd/systemd/pull/4372#discussion_r83354107: I get `open("/proc/self/fdinfo/13", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied)` 327 mkdir("/proc", 0755 <unfinished ...> 327 <... mkdir resumed> ) = -1 EEXIST (File exists) 327 stat("/proc", <unfinished ...> 327 <... stat resumed> {st_dev=makedev(8, 1), st_ino=28585, st_mode=S_IFDIR|0755, st_nlink=2, st_uid=0, st_gid=0, st_blksize=1024, st_blocks=4, st_size=1024, st_atime=2016/10/14-02:55:32, st_mtime=2016/ 327 mount("proc", "/proc", "proc", MS_NOSUID|MS_NODEV|MS_NOEXEC, NULL <unfinished ...> 327 <... mount resumed> ) = 0 327 lstat("/proc", <unfinished ...> 327 <... lstat resumed> {st_dev=makedev(0, 34), st_ino=1, st_mode=S_IFDIR|0555, st_nlink=75, st_uid=65534, st_gid=65534, st_blksize=1024, st_blocks=0, st_size=0, st_atime=2016/10/14-03:13:35.971031263, 327 lstat("/proc/sys", {st_dev=makedev(0, 34), st_ino=4026531855, st_mode=S_IFDIR|0555, st_nlink=1, st_uid=65534, st_gid=65534, st_blksize=1024, st_blocks=0, st_size=0, st_atime=2016/10/14-03:13:39.1630 327 openat(AT_FDCWD, "/proc", O_RDONLY|O_DIRECTORY|O_CLOEXEC|O_PATH) = 11</proc> 327 name_to_handle_at(11</proc>, "sys", {handle_bytes=128}, 0x7ffe3a238604, AT_SYMLINK_FOLLOW) = -1 EOPNOTSUPP (Operation not supported) 327 name_to_handle_at(11</proc>, "", {handle_bytes=128}, 0x7ffe3a238608, AT_EMPTY_PATH) = -1 EOPNOTSUPP (Operation not supported) 327 openat(11</proc>, "sys", O_RDONLY|O_CLOEXEC|O_PATH) = 13</proc/sys> 327 open("/proc/self/fdinfo/13", O_RDONLY|O_CLOEXEC) = -1 EACCES (Permission denied) 327 close(13</proc/sys> <unfinished ...> 327 <... close resumed> ) = 0 327 close(11</proc> <unfinished ...> 327 <... close resumed> ) = 0 -bash-4.3# ls -ld /proc/ dr-xr-xr-x 76 65534 65534 0 Oct 14 02:57 /proc/ -bash-4.3# ls -ld /proc/1 dr-xr-xr-x 9 root root 0 Oct 14 02:57 /proc/1 -bash-4.3# ls -ld /proc/1/fdinfo dr-x------ 2 65534 65534 0 Oct 14 03:00 /proc/1/fdinfo
2016-10-23Merge pull request #4373 from endocode/djalal/fix-mountflagsZbigniew Jędrzejewski-Szmek
2016-10-23core: lets move the setup of working directory before group enforceDjalal Harouni
This is minor but lets try to split and move bit by bit cgroups and portable environment setup before applying the security context.
2016-10-23test: add more tests for SupplementaryGroups=Djalal Harouni
2016-10-23test: Add simple test for supplementary groupsDjalal Harouni
2016-10-23core: first lookup and cache creds then apply them after namespace setupDjalal Harouni
This fixes: https://github.com/systemd/systemd/issues/4357 Let's lookup and cache creds then apply them. We also switch from getgroups() to getgrouplist().
2016-10-22Merge pull request #4428 from lnykryn/ctrl_v2Zbigniew Jędrzejewski-Szmek
rename failure-action to emergency-action and use it for ctrl+alt+del burst
2016-10-22tree-wide: make parse_proc_cmdline() strip "rd." prefix automaticallyZbigniew Jędrzejewski-Szmek
This stripping is contolled by a new boolean parameter. When the parameter is true, it means that the caller does not care about the distinction between initrd and real root, and wants to act on both rd-dot-prefixed and unprefixed parameters in the initramfs, and only on the unprefixed parameters in real root. If the parameter is false, behaviour is the same as before. Changes by caller: log.c (systemd.log_*): changed to accept rd-dot-prefix params pid1: no change, custom logic cryptsetup-generator: no change, still accepts rd-dot-prefix params debug-generator: no change, does not accept rd-dot-prefix params fsck: changed to accept rd-dot-prefix params fstab-generator: no change, custom logic gpt-auto-generator: no change, custom logic hibernate-resume-generator: no change, does not accept rd-dot-prefix params journald: changed to accept rd-dot-prefix params modules-load: no change, still accepts rd-dot-prefix params quote-check: no change, does not accept rd-dot-prefix params udevd: no change, still accepts rd-dot-prefix params I added support for "rd." params in the three cases where I think it's useful: logging, fsck options, journald forwarding options.
2016-10-22udev: change kernel commandline option parsingZbigniew Jędrzejewski-Szmek
- do not crash if an option without value is specified on the kernel command line, e.g. "udev.log-priority" :P - simplify the code a bit - warn about unknown "udev.*" options — this should make it easier to spot typos and reduce user confusion
2016-10-22journald: convert journald to use parse_proc_cmdlineZbigniew Jędrzejewski-Szmek
This makes journald use the common option parsing functionality. One behavioural change is implemented: "systemd.journald.forward_to_syslog" is now equivalent to "systemd.journald.forward_to_syslog=1". I think it's nicer to use this way.
2016-10-22tree-wide: allow state to be passed through to parse_proc_cmdline_itemZbigniew Jędrzejewski-Szmek
No functional change.