| Age | Commit message (Collapse) | Author |
|---|
|
That way only one file with condition code remaining, in src/shared/,
rather than src/core/.
Next step: dropping the "-util" suffix from condition-util.[ch].
|
|
fatal for a start job if not met
|
|
|
|
|
|
|
|
And conditionalize journald audit support with it
|
|
new mac_{smack,selinux,apparmor}_xyz() convention
|
|
ConditionFirstBoot= instead
As Zbigniew pointed out a new ConditionFirstBoot= appears like the nicer
way to hook in systemd-firstboot.service on first boots (those with /etc
unpopulated), so let's do this, and get rid of the generator again.
|
|
This new condition allows checking whether /etc or /var are out-of-date
relative to /usr. This is the counterpart for the update flag managed by
systemd-update-done.service. Services that want to be started once after
/usr got updated should use:
[Unit]
ConditionNeedsUpdate=/etc
Before=systemd-update-done.service
This makes sure that they are only run if /etc is out-of-date relative
to /usr. And that it will be executed after systemd-update-done.service
which is responsible for marking /etc up-to-date relative to the current
/usr.
ConditionNeedsUpdate= will also checks whether /etc is actually
writable, and not trigger if it isn't, since no update is possible then.
|
|
|
|
No functional change expected :)
|
|
by uname()'s machine field.
|
|
The parts that require linknig to libcap, libselinux and friends stays in libsystemd-core.
|
|
No functional change, just move code around a bit to make it simpler to split out
some functions.
|
|
Instead of individually checking for containers in each user do this
once in a new call proc_cmdline() that read the file only if we are not
in a container.
|
|
Always cache the results, and bypass low-level security calls when the
respective subsystem is not enabled.
|
|
$ systemctl --user status hoohoo
hoohoo.service
Loaded: loaded (/home/zbyszek/.config/systemd/user/hoohoo.service; static)
Active: inactive (dead)
start condition failed at Tue 2013-06-25 18:08:42 EDT; 1s ago
ConditionPathExists=/tmp/hoo was not met
Full information is exported over D-Bus:
[(condition, trigger, negate, param, state),...]
where state is one of "failed" (<0), "untested" (0), "OK" (>0).
I've decided to use 0 for "untested", because it might be useful to
differentiate different types of failure later on, without breaking
compatibility.
systemctl shows the failing condition, if there was a non-trigger
failing condition, or says "none of the trigger conditions were met",
because there're often many trigger conditions, and they must all
fail for the condition to fail, so printing them all would consume
a lot of space, and bring unnecessary attention to something that is
quite low-level.
|
|
ConditionPathExists=/tmp/nosuchpath failed for nosuchpath.service.
|
|
The tests check if the tables have entries for all values
in the enum, and that the entries are unique.
|
|
Lennart:
> Hmm, I just noticed this patch:
>
> https://code.launchpad.net/~mdeslaur/upstart/apparmor-support/+merge/164169
>
> It contains a different check for AppArmor. Basically something like this:
>
> /sys/module/apparmor/parameters/enabled == 'Y'
>
> I'd prefer if we could change our code to do the same, given that
> the Ubuntu guys are guys are upstream for apparmor.
https://bugs.freedesktop.org/show_bug.cgi?id=63312
|
|
Just as with SMACK, we don't really know if a policy has been
loaded or not, as the policy interface is write-only. Assume
therefore that if ima is present in securityfs that it is
enabled.
Update the man page to reflect that "ima" is a valid option
now as well.
|
|
|
|
According to Documentation/security/Smack.txt:
In keeping with the intent of Smack, configuration data is minimal
and not strictly required. The most important configuration step is
mounting the smackfs pseudo filesystem.
This means that checking the mount point should be enough.
|
|
Checking for the apparmor directory in securityfs means the apparmor module is
loaded and enabled, and hence should suffice as a test.
https://bugs.freedesktop.org/show_bug.cgi?id=63312
|
|
Also split out some fileio functions to fileio.c and provide a SELinux
aware pendant in fileio-label.c
see https://bugzilla.redhat.com/show_bug.cgi?id=881577
|
|
|
|
https://bugs.freedesktop.org/show_bug.cgi?id=54448
|
|
|
|
|
|
/sys/class/tty/console/active is misleading
|
|
|
|
We finally got the OK from all contributors with non-trivial commits to
relicense systemd from GPL2+ to LGPL2.1+.
Some udev bits continue to be GPL2+ for now, but we are looking into
relicensing them too, to allow free copy/paste of all code within
systemd.
The bits that used to be MIT continue to be MIT.
The big benefit of the relicensing is that closed source code may now
link against libsystemd-login.so and friends.
|
|
|
