summaryrefslogtreecommitdiff
path: root/Makefile.am
AgeCommit message (Collapse)Author
2016-11-15test: add tests for RestrictNamespaces=Djalal Harouni
2016-11-14networkd: clean up main header file a bitTom Gundersen
Rename networkd.h to networkd-manager.h, to more accurately describe what it contains.
2016-11-13networkd: netdev - move to separate subdirectoryTom Gundersen
This could (and should) be made into a separate daemon, at least move the sourcefiles out for now.
2016-11-13networkd-wait-online: move to separate subdirectoryTom Gundersen
Also clean up the header files a bit.
2016-11-12build-sys: do not install ctrl-alt-del.target symlink twiceZbigniew Jędrzejewski-Szmek
It was a harmless but pointless duplication. Fixes #4655. Note: in general we try to install as little as possible in /etc/systemd/{system,user}. We only install .wants links there for units which are "user configurable", i.e. which have an [Install] section. Most our units and aliases are not user configurable, do not have an [Install] section, and must be symlinked statically during installation. A few units do have an [Install] section, and are enabled through symlinks in /etc/ during installation using GENERAL_ALIASES. It *would* be possible to not create those symlinks, and instead require 'systemctl preset' to be invoked after installation, but GENERAL_ALIASES works well enough.
2016-11-08Merge pull request #4536 from poettering/seccomp-namespacesZbigniew Jędrzejewski-Szmek
core: add new RestrictNamespaces= unit file setting Merging, not rebasing, because this touches many files and there were tree-wide cleanups in the mean time.
2016-11-08Merge pull request #4612 from keszybz/format-stringsZbigniew Jędrzejewski-Szmek
Format string tweaks (and a small fix on 32bit)
2016-11-08Adjust pkgconfig files to point at rootlibdir (#4584)Mike Gilbert
The .so symlinks got moved to rootlibdir in 082210c7.
2016-11-07Rename formats-util.h to format-util.hZbigniew Jędrzejewski-Szmek
We don't have plural in the name of any other -util files and this inconsistency trips me up every time I try to type this file name from memory. "formats-util" is even hard to pronounce.
2016-11-04core: add new RestrictNamespaces= unit file settingLennart Poettering
This new setting permits restricting whether namespaces may be created and managed by processes started by a unit. It installs a seccomp filter blocking certain invocations of unshare(), clone() and setns(). RestrictNamespaces=no is the default, and does not restrict namespaces in any way. RestrictNamespaces=yes takes away the ability to create or manage any kind of namspace. "RestrictNamespaces=mnt ipc" restricts the creation of namespaces so that only mount and IPC namespaces may be created/managed, but no other kind of namespaces. This setting should be improve security quite a bit as in particular user namespacing was a major source of CVEs in the kernel in the past, and is accessible to unprivileged processes. With this setting the entire attack surface may be removed for system services that do not make use of namespaces.
2016-11-03build-sys: link test-seccomp against seccomp libs (#4560)Martin Pitt
Fixes build error on recent toolchains: ../src/test/test-seccomp.c:35: error: undefined reference to 'seccomp_arch_native' collect2: error: ld returned 1 exit status
2016-11-03test: test DynamicUser= with SupplementaryGroups=Djalal Harouni
2016-11-03test: test DynamicUser= with a fixed userDjalal Harouni
2016-11-02build-sys: bump package and library version in preparation for v232Lennart Poettering
2016-10-24Merge pull request #4450 from poettering/seccompfixesZbigniew Jędrzejewski-Szmek
Various seccomp fixes and NEWS update.
2016-10-24core: drop -.slice from shipped unitsLennart Poettering
Since this unit is synthesized anyway there's no point in actually shipping it on disk. This also has the benefit that "cd /usr/lib/systemd/system ; ls *" won't be confused by the leading dash of the file name anymore.
2016-10-24seccomp: add test-seccomp test toolLennart Poettering
This validates the system call set table and many of our seccomp-util.c APIs.
2016-10-24test: lets add more tests to cover SupplementaryGroups= cases.Djalal Harouni
2016-10-23Merge pull request #4372 from evverx/fix-synced-cgroup-hierarchy-permsZbigniew Jędrzejewski-Szmek
2016-10-23tests/TEST-13-NSPAWN-SMOKE: remove an expected failure checkEvgeny Vereshchagin
https://github.com/systemd/systemd/issues/4352 has been fixed So, we don't need this workaround anymore
2016-10-23test: add more tests for SupplementaryGroups=Djalal Harouni
2016-10-23test: Add simple test for supplementary groupsDjalal Harouni
2016-10-21failure-action: generalize failure action to emergency actionLukas Nykryn
2016-10-17tests: add smoke test for systemd-nspawnEvgeny Vereshchagin
Basically, this test runs: ``` systemd-nspawn --register=no -D "$_root" -b systemd-nspawn --register=no -D "$_root" --private-network -b systemd-nspawn --register=no -D "$_root" -U -b systemd-nspawn --register=no -D "$_root" --private-network -U -b ``` and exports the `UNIFIED_CGROUP_HIERARCHY=[yes|no]`, `SYSTEMD_NSPAWN_USE_CGNS=[yes|no]` Inspired by * systemd#3589 (comment) * systemd#4372 (comment) * systemd#4223 (comment) * systemd#1555 and so on :-)
2016-10-13Merge pull request #4243 from ↵Lennart Poettering
endocode/djalal/sandbox-first-protection-kernelmodules-v1 core:sandbox: Add ProtectKernelModules= and some fixes
2016-10-12build-sys: Allow disabling installation of pam config snippetFelipe Sateler
2016-10-12test: add test to make sure that ProtectKernelModules=yes disconnect mount ↵Djalal Harouni
propagation
2016-10-12test: add capability tests for ProtectKernelModules=Djalal Harouni
This just adds capabilities test.
2016-10-10unit: drop console-shell.service (#4298) (#4325)Franck Bui
console-shell.service was supposed to be useful for normal clean boots (i.e. multi-user.target or so), as a replacement for logind/getty@.service for simpler use cases. But due to the lack of documentation and sanity check one can easily be confused and enable this service in // with getty@.service. In this case we end up with both services sharing the same tty which ends up in strange results. Even worse, console-shell.service might be failing while getty@.service tries to acquire the terminal which ends up in the system to poweroff since console-shell.service uses: "ExecStopPost=-/usr/bin/systemctl poweroff". Another issue: this service doesn't work well if plymouth is also used since it lets the splash screen program run and mess the tty (at least a "plymouth quit" is missing). So let's kill it for now.
2016-10-03build-sys: use non-breaking spaces in contributor listZbigniew Jędrzejewski-Szmek
I think it's easier to read peoples' names with this change.
2016-09-27test: make sure that {readonly|inaccessible|readwrite}paths disconnect mount ↵Djalal Harouni
propagation Better safe.
2016-09-27test: add tests for simple ReadOnlyPaths= caseDjalal Harouni
2016-09-25test: add CAP_MKNOD tests for PrivateDevices=Djalal Harouni
2016-09-24build-sys: get rid of move-to-rootlibdirMaciek Borzecki
Replace move-to-rootlibdir calls in post-install hooks with explicitly used ${rootlibdir} where needed. Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com>
2016-09-21nss: install nss modules to ${rootlibdir}Maciek Borzecki
NSS modules (libnss_*.so.*) need to be installed into ${rootlibdir} (typically /lib) in order to be used. Previously, the modules were installed into ${libdir}, thus usually ending up in /usr/lib, even on systems where split usr is enabled, or ${libdir} is passed explicitly. Signed-off-by: Maciek Borzecki <maciek.borzecki@gmail.com>
2016-09-14networkd: add support to configure virtual CAN device (#4139)Susant Sahani
1. add support for kind vcan 2. fixup indention netlink-types.c, networkd-netdev.c
2016-08-22sd-bus: add a small test case for sd_bus_trackLennart Poettering
This tests in particular that disconnecting results in the tracking object's handlers to be called.
2016-08-19Merge pull request #3909 from poettering/mount-toolEvgeny Vereshchagin
add a new tool for creating transient mount and automount units
2016-08-19units: install user units as real files, not symlinks to ../system/Zbigniew Jędrzejewski-Szmek
This was causing preset-all --global to create symlinks: $ systemctl preset-all --global --root=/var/tmp/inst1 Created symlink /var/tmp/inst1/etc/systemd/user/shutdown.target → /usr/lib/systemd/user/../system/shutdown.target. Created symlink /var/tmp/inst1/etc/systemd/user/sockets.target → /usr/lib/systemd/user/../system/sockets.target. Created symlink /var/tmp/inst1/etc/systemd/user/timers.target → /usr/lib/systemd/user/../system/timers.target. Created symlink /var/tmp/inst1/etc/systemd/user/paths.target → /usr/lib/systemd/user/../system/paths.target. Created symlink /var/tmp/inst1/etc/systemd/user/bluetooth.target → /usr/lib/systemd/user/../system/bluetooth.target. Created symlink /var/tmp/inst1/etc/systemd/user/printer.target → /usr/lib/systemd/user/../system/printer.target. Created symlink /var/tmp/inst1/etc/systemd/user/sound.target → /usr/lib/systemd/user/../system/sound.target. Created symlink /var/tmp/inst1/etc/systemd/user/smartcard.target → /usr/lib/systemd/user/../system/smartcard.target. Created symlink /var/tmp/inst1/etc/systemd/user/busnames.target → /usr/lib/systemd/user/../system/busnames.target. It is better to create units in a state that completely matches the presets, i.e. preset-all should do nothing when invoked immediately after installation. I'm sure it was confusing to users too, suggesting that system and user units may somehow alias each other.
2016-08-19units: synchronize Makefile and presets settingsZbigniew Jędrzejewski-Szmek
Enable reboot.target and disable exit.target: the first is used on normal machines, the second only in containers, and the more general one should be enabled by default. Also fix the Makefile to match what preset-all does. With this and the previous commits, doing "make instal DESTDIR=…" followed by "systemctl preset-all --root=…" doesn't result in any changes.
2016-08-18add a new tool for creating transient mount and automount unitsLennart Poettering
This adds "systemd-mount" which is for transient mount and automount units what "systemd-run" is for transient service, scope and timer units. The tool allows establishing mounts and automounts during runtime. It is very similar to the usual /bin/mount commands, but can pull in additional dependenices on access (for example, it pulls in fsck automatically), an take benefit of the automount logic. This tool is particularly useful for mount removable file systems (such as USB sticks), as the automount logic (together with automatic unmount-on-idle), as well as automatic fsck on first access ensure that the removable file system has a high chance to remain in a fully clean state even when it is unplugged abruptly, and returns to a clean state on the next re-plug. This is a follow-up for #2471, as it adds a simple client-side for the transient automount logic added in that PR. In later work it might make sense to invoke this tool automatically from udev rules in order to implement a simpler and safer version of removable media management á la udisks.
2016-08-09build-sys: hook up the hwdb parser to checkZbigniew Jędrzejewski-Szmek
2016-08-02test: fix test-execute personality tests on ppc64 and aarch64 (#3825)Jan Synacek
2016-08-02units: add graphical-session-pre.target user unit (#3848)Martin Pitt
This complements graphical-session.target for services which set up the environment (e. g. dbus-update-activation-environment) and need to run before the actual graphical session.
2016-07-28Merge pull request #3742 from msoltyspl/vconfix2Zbigniew Jędrzejewski-Szmek
vconsole-setup: updates & fixes V2
2016-07-27vconsole: Don't do static installation under sysinit.targetMichal Soltys
Udev rules cover all the necessary initializations. As the service now is neither installed, nor installable - we can remove explicit dependencies and RemainAfterExit=yes option.
2016-07-25Merge pull request #3728 from poettering/dynamic-usersZbigniew Jędrzejewski-Szmek
2016-07-25units: add graphical-session.target user unit (#3678)Martin Pitt
This unit acts as a dynamic "alias" target for any concrete graphical user session like gnome-session.target; these should declare "BindsTo=graphical-session.target" so that both targets stop and start at the same time. This allows services that run in a particular graphical user session (e. g. gnome-settings-daemon.service) to declare "PartOf=graphical-session.target" without having to know or get updated for all/new session types. This will ensure that stopping the graphical session will stop all services which are associated to it.
2016-07-25build-sys: metadata updates for v231 (#3803)systemd/v231-1systemd/v231Lennart Poettering
2016-07-22nss: add new "nss-systemd" NSS module for mapping dynamic usersLennart Poettering
With this NSS module all dynamic service users will be resolvable via NSS like any real user.