summaryrefslogtreecommitdiff
path: root/Makefile.am
AgeCommit message (Collapse)Author
2016-02-28core: set NoNewPrivileges for seccomp if we don't have CAP_SYS_ADMINRonny Chevalier
The manpage of seccomp specify that using seccomp with SECCOMP_SET_MODE_FILTER will return EACCES if the caller do not have CAP_SYS_ADMIN set, or if the no_new_privileges bit is not set. Hence, without NoNewPrivilege set, it is impossible to use a SystemCall* directive with a User directive set in system mode. Now, NoNewPrivileges is set if we are in user mode, or if we are in system mode and we don't have CAP_SYS_ADMIN, and SystemCall* directives are used.
2016-02-24Merge pull request #2719 from evverx/add-test-to-makefileMartin Pitt
tests: various fixes
2016-02-23tests: add exec-capabilityambientset* to Makefile.amEvgeny Vereshchagin
This is a follow-up to 70d7aea5c
2016-02-23tests: add exec-runtimedirectory* to Makefile.amEvgeny Vereshchagin
This is a follow-up to cc3ddc851
2016-02-23tests: add exec-spec-interpolation.service to Makefile.amEvgeny Vereshchagin
This is a follow-up to 2525499
2016-02-23Remove systemd-bootchartDaniel Mack
This commit rips out systemd-bootchart. It will be given a new home, outside of the systemd repository. The code itself isn't actually specific to systemd and can be used without systemd even, so let's put it somewhere else.
2016-02-22build-sys: move shared/architecture.[ch] into basic/Lennart Poettering
After all, it is pretty generic, has no external deps besides libc, and is very similar to virt.[ch] which is also in basic/
2016-02-22build-sys: add missing header file to Makefile.amLennart Poettering
Fixes: #2700
2016-02-21networkd: add basic LLDP transmission supportLennart Poettering
Let's add some minimalistic LLDP sender support. The idea is that this is either on or off, and all fields determined automatically rather than configured explicitly.
2016-02-21sd-lldp: rework sd-lldp APILennart Poettering
This reworks the sd-lldp substantially, simplifying things on one hand, and extending the logic a bit on the other. Specifically: - Besides the sd_lldp object only one other object is maintained now, sd_lldp_neighbor. It's used both as storage for literal LLDP packets, and for maintainging info about peers in the database. Separation between packet, TLV and chassis data is not maintained anymore. This should be a major simplification. - The sd-lldp API has been extended so that a couple of per-neighbor fields may be queried directly, without iterating through the object. Other fields that may appear multiple times, OTOH have to be iterated through. - The maximum number of entries in the neighbor database is now configurable during runtime. - The generation of callbacks from sd_lldp objects is more restricted: callbacks are only invoked when actual data changed. - The TTL information is now hooked with a timer event, so that removals from the neighbor database due to TTLs now result in a callback event. - Querying LLDP neighbor database will now return a strictly ordered array, to guarantee stability. - A "capabilities" mask may now be configured, that selects what type of LLDP neighbor data is collected. This may be used to restrict collection of LLDP info about routers instead of all neighbors. This is now exposed via networkd's LLDP= setting. - sd-lldp's API to serialize the collected data to text files has been removed. Instead, there's now an API to extract the raw binary data from LLDP neighbor objects, as well as one to convert this raw binary data back to an LLDP neighbor object. networkd will save this raw binary data to /run now, and the client side can simply parse the information. - support for parsing the more exotic TLVs has been removed, since we are not using that. Instead there are now APIs to extract the raw data from TLVs. Given how easy it is to parse the TLVs clients should do so now directly instead of relying on our APIs for that. - A lot of the APIs that parse out LLDP strings have been simplified so that they actually return strings, instead of char arrays with a length. To deal with possibly dangerous characters the strings are escaped if needed. - APIs to extract and format the chassis and port IDs as strings has been added. - lldp.h has been simplified a lot. The enums are anonymous now, since they were never used as enums, but simply as constants. Most definitions we don't actually use ourselves have eben removed.
2016-02-20sd-lldp: drop "port" objectLennart Poettering
Let's just keep the few parts we actually need of it in the main sd_lldp object, so that we can simplify things quite a bit. While we are at it, remove ifname and mac fields which we make no use of whatsoever.
2016-02-19Merge pull request #2648 from keszybz/dnssec-workMartin Pitt
Better support for DANE, shell completion
2016-02-18systemd-resolve: initial shell completionZbigniew Jędrzejewski-Szmek
v2: - use /sys/class/net to list interfaces, also copy the same code to systemd-nspawn v3: - do not propose "any" twice for --type
2016-02-18build-sys: remove duplicated entry in testsZbigniew Jędrzejewski-Szmek
test-dns-domain should be built and run even without ENABLE_RESOLVED.
2016-02-18build-sys: Do not build tests that depend on resolved when it has been disabledFilipe Brandenburger
If ./configure --disable-resolved has been used, do not try to build test-dns-packet and test-resolve-tables which depend on it. Previously, the SOURCES, LIBS and LDADDs for these tests were made conditional while the main rules for them weren't, causing build failures trying to build a binary with no sources. This was uncovered when trying to build udeb for systemd in CI, which uses --disable-resolved for a minimal build, which uncovered the issue. Fixes #2651.
2016-02-16resolved: turn on DNSSEC by default, unless configured otherwiseLennart Poettering
Let's make sure DNSSEC gets more testing, by defaulting DNSSEC to "allow-downgrade" mode. Since distros should probably not ship DNSSEC enabled by default add a configure switch to disable this again. DNSSEC in "allow-downgrade" mode should mostly work without affecting user experience. There's one exception: some captive portal systems rewrite DNS in order to redirect HTTP traffic to the captive portal. If these systems implement DNS servers that are otherwise DNSSEC-capable (which in fact is pretty unlikely, but still...), then this will result in the captive portal being inaccessible. To fix this support in NetworkManager (or any other network management solution that does captive portal detection) is required, which simply turns off DNSSEC during the captive portal detection, and resets it back to the default (i.e. on) after captive portal authentication is complete.
2016-02-15Merge pull request #2618 from zonque/busproxy-removalLennart Poettering
remove bus-proxyd
2016-02-14Promote systemd-activate to /usr/bin/systemd-socket-activateZbigniew Jędrzejewski-Szmek
It has fairly wide functionality now and the interface has been stable for a while. It it a useful testing tool. The name is changed to better indicate what it does.
2016-02-13Merge pull request #2603 from poettering/drop-compat-libsZbigniew Jędrzejewski-Szmek
Some spring cleaning
2016-02-13build-sys: drop aufs-util.[ch]Lennart Poettering
Left over cruft from the dkr excercise.
2016-02-13util-lib: drop json parserLennart Poettering
This was used by the dkr logic, which is gone now, hence remove this too. Should we need it one day again the git history never forgets... Note that this only covers the JSON parser. The JSON generator used by "journalctl -o json" remains, as its much much simpler and requires no infrastructure except printf() and the most basic escaping.
2016-02-13build-sys: drop libsystemd-{id128,daemon,login,journal}.so compat libsLennart Poettering
They have long been obsolete, and upstream distros and packages have mostly switched over, let's get rid of it for good.
2016-02-13Merge pull request #2589 from keszybz/resolve-tool-2Lennart Poettering
Better support of OPENPGPKEY, CAA, TLSA packets and tests
2016-02-12resolve: always align flags to 8th column and print CAA flagsZbigniew Jędrzejewski-Szmek
Left-over unknown flags are printed numerically. Otherwise, it wouldn't be known what bits are remaining without knowning what the known bits are. A test case is added to verify the flag printing code: ============== src/resolve/test-data/fake-caa.pkts ============== google.com. IN CAA 0 issue "symantec.com" google.com. IN CAA 128 issue "symantec.com" -- Flags: critical google.com. IN CAA 129 issue "symantec.com" -- Flags: critical 1 google.com. IN CAA 22 issue "symantec.com" -- Flags: 22
2016-02-12Fix hashing of TLSA packetsZbigniew Jędrzejewski-Szmek
Also add example files with TLSA and SSHFP records.
2016-02-12test-dns-packet: allow running without argumentsZbigniew Jędrzejewski-Szmek
2016-02-12test-dns-packet: add framework to read and dump packetsZbigniew Jędrzejewski-Szmek
Packets are stored in a simple format: <size> <packet-wire-format> <size> <packet-wire-format> ... Packets for some example domains are dumped, to test rr code for various record types. Currently: A AAAA CAA DNSKEY LOC MX NS NSEC OPENPGPKEY SOA SPF TXT The hashing code is executed, but results are not checked. Also build other tests in src/resolve only with --enable-resolve.
2016-02-12remove bus-proxydDaniel Mack
As kdbus won't land in the anticipated way, the bus-proxy is not needed in its current form. It can be resurrected at any time thanks to the history, but for now, let's remove it from the sources. If we'll have a similar tool in the future, it will look quite differently anyway. Note that stdio-bridge is still available. It was restored from a version prior to f252ff17, and refactored to make use of the current APIs.
2016-02-11Remove kdbus custom endpoint supportDaniel Mack
This feature will not be used anytime soon, so remove a bit of cruft. The BusPolicy= config directive will stay around as compat noop.
2016-02-11Merge pull request #2587 from haraldh/tpmv3Lennart Poettering
sd-boot: put hashed kernel command line in a PCR of the TPM
2016-02-11systemd-resolve: allow easy querying of openpgp keysZbigniew Jędrzejewski-Szmek
$ systemd-resolve --openpgp zbyszek@fedoraproject.org d08ee310438ca124a6149ea5cc21b6313b390dce485576eff96f8722._openpgpkey.fedoraproject.org. IN OPENPGPKEY mQINBFBHPMsBEACeInGYJCb+7TurKfb6wGyTottCDtiSJB310i37/6ZYoeIay/5soJjlM yfMFQ9T2XNT/0LM6gTa0MpC1st9LnzYTMsT6tzRly1D1UbVI6xw0g0vE5y2Cjk3xUwAyn ...
2016-02-11Move initialize_libgcrypt to separate fileZbigniew Jędrzejewski-Szmek
It's annoying to have the exact same function in three places. It's stored in src/shared, but it's not added to the library to avoid the dependency on libgcrypt.
2016-02-11sd-boot: put hashed kernel command line in a PCR of the TPMHarald Hoyer
The UEFI BIOS already hashes the contents of the loaded image, so the initrd and the command line of the binary are recorded. Because manually added LoadOptions are not taken into account, these should be recorded also. This patch logs and extends a TPM PCR register with the LoadOptions. This feature can be enabled with configure --enable-tpm The PCR register index can be specified with configure --with-tpm-pcrindex=<NUM>
2016-02-11build-sys: bump so versionLennart Poettering
2016-02-10build-sys: add TEST-06-SELINUX to distEvgeny Vereshchagin
This is a follow-up to https://github.com/systemd/systemd/pull/2493
2016-02-10tests: add test for https://github.com/systemd/systemd/issues/1981Evgeny Vereshchagin
2016-02-10coredump: dump priviliges when processing system coredumpsLennart Poettering
Let's add an extra-safety net and change UID/GID to the "systemd-coredump" user when processing coredumps from system user. For coredumps of normal users we keep the current logic of processing the coredumps from the user id the coredump was created under. Fixes: https://bugs.freedesktop.org/show_bug.cgi?id=87354
2016-02-10coredump: rework coredumping logicLennart Poettering
This reworks the coredumping logic so that the coredump handler invoked from the kernel only collects runtime data about the crashed process, and then submits it for processing to a socket-activate coredump service, which extracts a stacktrace and writes the coredump to disk. This has a number of benefits: the disk IO and stack trace generation may take a substantial amount of resources, and hence should better be managed by PID 1, so that resource management applies. This patch uses RuntimeMaxSec=, Nice=, OOMScoreAdjust= and various sandboxing settings to ensure that the coredump handler doesn't take away unbounded resources from normally priorized processes. This logic is also nice since this makes sure the coredump processing and storage is delayed correctly until /var/systemd/coredump is mounted and writable. Fixes: #2286
2016-02-10build-sys: move coredump logic into subdir of its ownLennart Poettering
2016-02-10Makefile.am: remove some relictsDaniel Mack
2016-02-08Merge pull request #2543 from keszybz/build-sys-and-man-fixesLennart Poettering
Build sys and man fixes
2016-02-06build-sys: simplify conditionals around shell completion filesZbigniew Jędrzejewski-Szmek
Repeating those conditionals for every program is annoying. Use a helper variable to avoid conditionals. Also always add generated completion files to CLEANFILES.
2016-02-06build-sys: move CLEANFILES additions out from under HAVE_GNUEFIZbigniew Jędrzejewski-Szmek
It's better to always include them in 'make clean'. It is also easier to read Makefile.am when less stuff is conditional.
2016-02-03nspawn: optionally run a stub init process as PID 1Lennart Poettering
This adds a new switch --as-pid2, which allows running commands as PID 2, while a stub init process is run as PID 1. This is useful in order to run arbitrary commands in a container, as PID1's semantics are different from all other processes regarding reaping of unknown children or signal handling.
2016-02-02Merge pull request #2510 from msekletar/journalctl-dev-sda-v4Lennart Poettering
journalctl: make "journalctl /dev/sda" work
2016-02-02journalctl: make "journalctl /dev/sda" workMichal Sekletar
Currently when journalctl is called with path to block device node we add following match _KERNEL_DEVICE=b$MAJOR:$MINOR. That is not sufficient to actually obtain logs about the disk because dev_printk() kernel helper puts to /dev/kmsg information about the device in following format, +$SUBSYSTEM:$ADDRESS, e.g. "+pci:pci:0000:00:14.0". Now we will walk upward the syspath and add match for every device in format produced by dev_printk() as well as match for its device node if it exists.
2016-01-31resolved: allow building without libgcryptMichael Olbrich
2016-01-30Merge pull request #2469 from keszybz/resolved-2Lennart Poettering
Resolved 2
2016-01-29test-resolve-tables: new "test", useful to print mappingsZbigniew Jędrzejewski-Szmek
2016-01-29resolved: calculate and print tags for DNSKEY recordsZbigniew Jędrzejewski-Szmek