summaryrefslogtreecommitdiff
AgeCommit message (Collapse)Author
2016-06-09Merge branch 'parabola' into lukeshu/premoveLuke Shumaker
# Conflicts: # Makefile.am
2016-06-09Merge tag 'v230-3.parabola1' into parabolaLuke Shumaker
2016-06-09# Rename "Linux Boot Manager" -> "Systemd Boot Manager"systemd/v230-3.parabola1Luke Shumaker
sed -i 's|Linux Boot Manager|Systemd Boot Manager|' src/boot/bootctl.c
2016-06-09FSDG: man/: Use FSDG operating systems as examples.Luke Shumaker
2016-06-09FSDG: systemd-resolved: Default to hostname "gnu-linux" instead of "linux"Luke Shumaker
2016-06-09FSDG: os-release: Default ID to "gnu-linux" instead of "linux".Luke Shumaker
As far as I can tell, no code in this repository actually uses the ID field, so this is just a man page change.
2016-06-09FSDG: os-release: Default to NAME "GNU/Linux" instead of "Linux".Luke Shumaker
2016-06-09FSDG: os-release: Default to PRETTY_NAME "GNU/Linux" instead of "Linux".Luke Shumaker
2016-06-09FSDG: man/: Refer to the operating system as GNU/Linux.Luke Shumaker
This is not a blind replacement of "Linux" with "GNU/Linux". In some cases, "Linux" is (correctly) used to refer to just the kernel. In others, it is in a string for which code must also be adjusted; these instances are not included in this commit.
2016-06-09systemctl: fix return values on successsystemd/v230-3Christian Hesse
2016-06-09{machine,system}ctl: always pass &changes and &n_changes (#3350)Christian Hesse
We have to pass addresses of changes and n_changes to bus_deserialize_and_dump_unit_file_changes(). Otherwise we are hit by missing information (subsequent calls to unit_file_changes_add() to not add anything). Also prevent null pointer dereference in bus_deserialize_and_dump_unit_file_changes() by asserting. Fixes #3339
2016-06-09Revert "rules: allow users to access frame buffer devices" (#3333)Zbigniew Jędrzejewski-Szmek
This reverts commit 483d8bbb4c0190f419bf9fba57fb0feb1a56bea6. In [1] Michel Dänzer and Daniel Vetter wrote: >> The scenario you describe isn't possible if the Wayland compositor >> directly uses the KMS API of /dev/dri/card*, but it may be possible if >> the Wayland compositor uses the fbdev API of /dev/fb* instead (e.g. if >> weston uses its fbdev backend). > > Yeah, if both weston and your screen grabber uses native fbdev API you can > now screenshot your desktop. And since fbdev has no concept of "current > owner of the display hw" like the drm master, I think this is not fixable. > At least not just in userspace. Also even with native KMS compositors > fbdev still doesn't have the concept of ownership, which is why it doesn't > bother clearing it's buffer before KMS takes over. I agree that this > should be reverted or at least hidden better. TBH, I think that privilege separation between processes running under the same UID is tenuous. Even with drm, in common setups any user process can ptrace the "current owner of the display" and call DROP_MASTER or do whatever. It *is* possible to prevent that, e.g. by disabling ptrace using yama.ptrace_scope, or selinux, and so on, but afaik this is not commonly done. E.g. all Fedora systems pull in elfutils-default-yama-scope.rpm through dependencies which sets yama.ptrace_scope=0. And even assuming that ptrace was disabled, it is trivial to modify files on disk, communicate through dbus, etc; there is just to many ways for a non-sandboxed process to interact maliciously with the display shell to close them all off. To achieve real protection, some sort of sandboxing must be implemented, and in that case there is no need to rely on access mode on the device files, since much more stringent measures have to be implemented anyway. The situation is similar for framebuffer devices. It is common to add framebuffer users to video group to allow them unlimited access to /dev/fb*. Using uaccess would be better solution in that case. Also, since there is no "current owner" limitation like in DRM, processes running under the same UID should be able to access /proc/<pid-of-display-server>/fd/* and gain access to the devices. Nevertheless, weston implements a suid wrapper to access the devices and then drop privileges, and this patch would make this daemon pointless. So if the weston developers feel that this change reduces security, I prefer to revert it. [1] https://lists.freedesktop.org/archives/wayland-devel/2016-May/029017.html
2016-06-07fewer differencesLuke Shumaker
2016-06-07oopsLuke Shumaker
2016-06-07oopsLuke Shumaker
2016-06-07fewer differencesLuke Shumaker
2016-06-07sLuke Shumaker
2016-06-07mLuke Shumaker
2016-06-07no more automake2autothing macroLuke Shumaker
2016-06-07local addressesLuke Shumaker
2016-06-07fixLuke Shumaker
2016-06-07split grp-machine betterLuke Shumaker
2016-06-07moreLuke Shumaker
2016-06-06stuffLuke Shumaker
2016-06-06move moreLuke Shumaker
2016-06-06move stuffLuke Shumaker
2016-06-06.gitignoreLuke Shumaker
2016-06-06stuffLuke Shumaker
2016-06-02tidy bzip2 variablesLuke Shumaker
2016-06-02busctlLuke Shumaker
2016-06-02stuff in MakefilesLuke Shumaker
2016-06-02move libsystemd-journal source filesLuke Shumaker
2016-06-01moreLuke Shumaker
2016-06-01moreLuke Shumaker
2016-06-01more stuffLuke Shumaker
2016-06-01default to calling automake2autothingLuke Shumaker
2016-06-01stuffLuke Shumaker
2016-06-01stuffLuke Shumaker
2016-06-01fix?Luke Shumaker
2016-06-01oopsLuke Shumaker
2016-06-01tidyLuke Shumaker
2016-06-01More Makefile fixupLuke Shumaker
2016-06-01move.sh: fixup makefile target pathsLuke Shumaker
2016-06-01oopsLuke Shumaker
2016-06-01tidy scriptsLuke Shumaker
2016-06-01*.sh: Add boilerplate that I was running as one-liners.Luke Shumaker
2016-06-01stuffLuke Shumaker
2016-06-01and moreLuke Shumaker
2016-06-01more stuffLuke Shumaker
2016-06-01More stuffLuke Shumaker