summaryrefslogtreecommitdiff
path: root/src/core/execute.h
AgeCommit message (Collapse)Author
2014-12-18core: make exec_command_free_list return NULLZbigniew Jędrzejewski-Szmek
2014-11-24smack: introduce new SmackProcessLabel optionWaLyong Cho
In service file, if the file has some of special SMACK label in ExecStart= and systemd has no permission for the special SMACK label then permission error will occurred. To resolve this, systemd should be able to set its SMACK label to something accessible of ExecStart=. So introduce new SmackProcessLabel. If label is specified with SmackProcessLabel= then the child systemd will set its label to that. To successfully execute the ExecStart=, accessible label should be specified with SmackProcessLabel=. Additionally, by SMACK policy, if the file in ExecStart= has no SMACK64EXEC then the executed process will have given label by SmackProcessLabel=. But if the file has SMACK64EXEC then the SMACK64EXEC label will be overridden. [zj: reword man page]
2014-11-05core: introduce new Delegate=yes/no property controlling creation of cgroup ↵Lennart Poettering
subhierarchies For priviliged units this resource control property ensures that the processes have all controllers systemd manages enabled. For unpriviliged services (those with User= set) this ensures that access rights to the service cgroup is granted to the user in question, to create further subgroups. Note that this only applies to the name=systemd hierarchy though, as access to other controllers is not safe for unpriviliged processes. Delegate=yes should be set for container scopes where a systemd instance inside the container shall manage the hierarchies below its own cgroup and have access to all controllers. Delegate=yes should also be set for user@.service, so that systemd --user can run, controlling its own cgroup tree. This commit changes machined, systemd-nspawn@.service and user@.service to set this boolean, in order to ensure that container management will just work, and the user systemd instance can run fine.
2014-10-17environment: append unit_id to error messages regarding EnvironmentFileLukas Nykryn
2014-09-29swap: introduce Discard propertyJan Synacek
Process possible "discard" values from /etc/fstab.
2014-09-19socket: introduce SELinuxContextFromNet optionMichal Sekletar
This makes possible to spawn service instances triggered by socket with MLS/MCS SELinux labels which are created based on information provided by connected peer. Implementation of label_get_child_mls_label derived from xinetd. Reviewed-by: Paul Moore <pmoore@redhat.com>
2014-09-08service: hook up custom endpoint logicDaniel Mack
If BusPolicy= was passed, the parser function will have created an ExecContext->bus_endpoint object, along with policy information. In that case, create a kdbus endpoint, and pass its path name to the namespace logic, to it will be mounted over the actual 'bus' node. At endpoint creation time, no policy is updloaded. That is done after fork(), through a separate call. This is necessary because we don't know the real uid of the process earlier than that.
2014-09-08bus: add kdbus endpoint typesDaniel Mack
Add types to describe endpoints and associated policy entries, and add a BusEndpoint instace to ExecContext.
2014-09-05exec: factor out most function arguments of exec_spawn() to ExecParametersDaniel Mack
This way, the list of arguments to that function gets more comprehensive, and we can get around passing lots of NULL and 0 arguments from socket.c, swap.c and mount.c. It also allows for splitting up the code in exec_spawn(). While at it, make ExecContext const in execute.c.
2014-08-19Revert "socket: introduce SELinuxLabelViaNet option"Lennart Poettering
This reverts commit cf8bd44339b00330fdbc91041d6731ba8aba9fec. Needs more discussion on the mailing list.
2014-08-19socket: introduce SELinuxLabelViaNet optionMichal Sekletar
This makes possible to spawn service instances triggered by socket with MLS/MCS SELinux labels which are created based on information provided by connected peer. Implementation of label_get_child_label derived from xinetd. Reviewed-by: Paul Moore <pmoore@redhat.com>
2014-06-04core: rename ReadOnlySystem= to ProtectSystem= and add a third value for ↵Lennart Poettering
also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.
2014-06-03core: add new ReadOnlySystem= and ProtectedHome= settings for service unitsLennart Poettering
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.
2014-03-24core: remove tcpwrap supportLennart Poettering
tcpwrap is legacy code, that is barely maintained upstream. It's APIs are awful, and the feature set it exposes (such as DNS and IDENT access control) questionnable. We should not support this natively in systemd. Hence, let's remove the code. If people want to continue making use of this, they can do so by plugging in "tcpd" for the processes they start. With that scheme things are as well or badly supported as they were from traditional inetd, hence no functionality is really lost.
2014-03-05core: don't override NoNewPriviliges= from SystemCallFilter= if it is ↵Lennart Poettering
already explicitly set
2014-03-05missing: if RLIMIT_RTTIME is not defined by the libc, then we need a new ↵Lennart Poettering
define for the max number of rlimits, too
2014-03-03core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settingsLennart Poettering
As discussed on the ML these are useful to manage runtime directories below /run for services.
2014-03-03execute: no need to include seccomp.h from execute.hLennart Poettering
2014-02-26core: add new RestrictAddressFamilies= switchLennart Poettering
This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.
2014-02-21core: Add AppArmor profile switchingMichael Scherer
This permit to switch to a specific apparmor profile when starting a daemon. This will result in a non operation if apparmor is disabled. It also add a new build requirement on libapparmor for using this feature.
2014-02-19core: add Personality= option for units to set the personality for spawned ↵Lennart Poettering
processes
2014-02-17core: store and expose SELinuxContext field normalized as bool + stringLennart Poettering
2014-02-13core: add SystemCallArchitectures= unit setting to allow disabling of non-nativeLennart Poettering
architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.
2014-02-12core: rework syscall filterLennart Poettering
- Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.
2014-02-12syscallfilter: port to libseccompRonny Chevalier
2014-02-10exec: Add SELinuxContext configuration itemMichael Scherer
This permit to let system administrators decide of the domain of a service. This can be used with templated units to have each service in a différent domain ( for example, a per customer database, using MLS or anything ), or can be used to force a non selinux enabled system (jvm, erlang, etc) to start in a different domain for each service.
2014-01-20exec: introduce PrivateDevices= switch to provide services with a private /devLennart Poettering
Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that sets up a private /dev with only the API pseudo-devices like /dev/null, /dev/zero, /dev/random, but not any physical devices in them.
2013-12-22sd-daemon: introduce sd_watchdog_enabled() for parsing $WATCHDOG_USECLennart Poettering
Also, introduce a new environment variable named $WATCHDOG_PID which cotnains the PID of the process that is supposed to send the keep-alive events. This is similar how $LISTEN_FDS and $LISTEN_PID work together, and protects against confusing processes further down the process tree due to inherited environment.
2013-12-05execute.h: remove redefinition of UnitThomas Hindoe Paaboel Andersen
Unit is typedef'ed in both unit.h and execute.h. The typedef existed first in unit.h and was later added to execute.h in c17ec25e4d9bd6c8e8617416f813e25b2ebbafc5 It is no longer needed so let's just keep the one in unit.h to avoid redefining it.
2013-11-27service: add the ability for units to join other unit's PrivateNetwork= and ↵Lennart Poettering
PrivateTmp= namespaces
2013-11-08Remove dead code and unexport some callsLennart Poettering
"make check-api-unused" informs us about code that is not used anymore or that is exported but only used internally. Fix these all over the place.
2013-06-27core: general cgroup reworkLennart Poettering
Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).
2013-05-02Add __attribute__((const, pure, format)) in various placesZbigniew Jędrzejewski-Szmek
I'm assuming that it's fine if a _const_ or _pure_ function calls assert. It is assumed that the assert won't trigger, and even if it does, it can only trigger on the first call with a given set of parameters, and we don't care if the compiler moves the order of calls.
2013-03-15core: reuse the same /tmp, /var/tmp and inaccessible dirMichal Sekletar
All Execs within the service, will get mounted the same /tmp and /var/tmp directories, if service is configured with PrivateTmp=yes. Temporary directories are cleaned up by service itself in addition to systemd-tmpfiles. Directory which is mounted as inaccessible is created at runtime in /run/systemd.
2013-02-28core/execute: determine if ExecContext may fiddle with /dev/consoleMichal Schmidt
There is some guesswork, but it should work satisfactorily for the purpose of knowing when to suppress printing of status messages.
2012-07-20unit: split off KillContext from ExecContext containing only kill definitionsLennart Poettering
2012-07-19use #pragma once instead of foo*foo #define guardsShawn Landden
#pragma once has been "un-deprecated" in gcc since 3.3, and is widely supported in other compilers. I've been using and maintaining (rebasing) this patch for a while now, as it annoyed me to see #ifndef fooblahfoo, etc all over the place, almost arrogant about the annoyance of having to define all these names to perform a commen but neccicary functionality, when a completely superior alternative exists. I havn't sent it till now, cause its kindof a style change, and it is bad voodoo to mess with style that has been established by more established editors. So feel free to lambast me as a crazy bafoon. v2 - preserve externally used headers
2012-07-17execute: support syscall filtering using seccomp filtersLennart Poettering
2012-06-22journal: set the _SYSTEMD_UNIT field for messages from terminated processesEelco Dolstra
As described in https://bugs.freedesktop.org/show_bug.cgi?id=50184 the journal currently doesn't set fields such as _SYSTEMD_UNIT properly for messages coming from processes that have already terminated. This means among other things that "systemctl status" may not show some of the output of services that wrote messages just before they exited. This patch fixes this by having processes that log to the journal write their unit identifier to journald when the connection to /run/systemd/journal/stdout is opened. Journald stores the unit ID and uses it to fill in _SYSTEMD_UNIT when it cannot be obtained normally (i.e. from the cgroup). To prevent impersonating another unit, this information is only used when the caller is root. This doesn't fix the general problem of getting metadata about messages from terminated processes (which requires some kernel support), but it allows "systemctl status" and similar queries to do the Right Thing for units that log via stdout/stderr.
2012-05-31util: introduce a proper nsec_t and make use of it where appropriateLennart Poettering
2012-04-24service: introduce Type=idle and use it for gettysLennart Poettering
Type=idle is much like Type=simple, however between the fork() and the exec() in the child we wait until PID 1 informs us that no jobs are left. This is mostly a cosmetic fix to make gettys appear only after all boot output is finished and complete. Note that this does not impact the normal job logic as we do not delay the completion of any jobs. We just delay the invocation of the actual binary, and only for services that otherwise would be of Type=simple.
2012-04-13service: place control command in subcgroup control/Lennart Poettering
Previously, we were brutally and onconditionally killing all processes in a service's cgroup before starting the service anew, in order to ensure that StartPre lines cannot be misused to spawn long-running processes. On logind-less systems this has the effect that restarting sshd necessarily calls all active ssh sessions, which is usually not desirable. With this patch control processes for a service are placed in a sub-cgroup called "control/". When starting a service anew we simply kill this cgroup, but not the main cgroup, in order to avoid killing any long-running non-control processes from previous runs. https://bugzilla.redhat.com/show_bug.cgi?id=805942
2012-04-12relicense to LGPLv2.1 (with exceptions)Lennart Poettering
We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.
2012-04-11move libsystemd_core.la sources into core/Kay Sievers