| Age | Commit message (Collapse) | Author |
|---|
|
smack: Handling network
|
|
- Set Smack ambient to match run label
- Set Smack netlabel host rules
Set Smack ambient to match run label
------------------------------------
Set the Smack networking ambient label to match the
run label of systemd. System services may expect to
communicate with external services over IP. Setting
the ambient label assigns that label to IP packets
that do not include CIPSO headers. This allows systemd
and the services it spawns access to unlabeled IP
packets, and hence external services.
A system may choose to restrict network access to
particular services later in the startup process.
This is easily done by resetting the ambient label
elsewhere.
Set Smack netlabel host rules
-----------------------------
If SMACK_RUN_LABEL is defined set all other hosts to be
single label hosts at the specified label. Set the loopback
address to be a CIPSO host.
If any netlabel host rules are defined in /etc/smack/netlabel.d
install them into the smackfs netlabel interface.
[Patrick Ohly: copied from https://review.tizen.org/git/?p=platform/upstream/systemd.git;a=commit;h=db4f6c9a074644aa2bf]
[Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"]
[Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"]
[Patrick Ohly: adapted to upstream code review feedback: error logging, string constants]
|
|
The new implementation will not allow passing the same values more than
once, so clean up first.
|
|
The code introduced in f8c1a81c51 (= systemd 227) failed for me with:
Failed to copy smack label from net_cls to /sys/fs/cgroup/net_cls: No such file or directory
There is no need for a symlink in this case because source and target
are identical. The symlink() call is allowed to fail when the target
already exists. When that happens, copying the Smack label must be
skipped.
But the code also failed when there is a symlink, like "cpu ->
cpu,cpuacct", because mac_smack_copy() got called with
src="cpu,cpuacct" which fails to find the entry because the current
directory is not inside /sys/fs/cgroup. The absolute path to the existing
entry must be used instead.
|
|
Fixes:
$ systemd-analyze verify ...
Failed to open /dev/tty0: Permission denied
|
|
This reverts commit 5aa1054521596c3d268db5f4aff9f2b69647ffc9.
Fixes test-execute
$ sudo make check TESTS=test-execute
...
$ cat test-execute.log
+ test /tmp/test-exec_workingdirectory = /tmp/test-exec_workingdirectory
Test timeout when testing exec-workingdirectory.service
exec-workingdirectory.service
UMask: 0022
WorkingDirectory: /tmp/test-exec_workingdirectory
RootDirectory: /
NonBlocking: no
PrivateTmp: no
PrivateNetwork: no
PrivateDevices: no
ProtectHome: no
ProtectSystem: no
IgnoreSIGPIPE: yes
RuntimeDirectoryMode: 0755
StandardInput: null
StandardOutput: inherit
StandardError: inherit
FAIL test-execute (exit status: 1)
|
|
SCTP_NODELAY is diffrent to TCP_NODELAY.
Apply proper options in case of SCTP.
|
|
manager: do not set up signals in test mode
|
|
When we are running in test mode, we don't expect any signals.
In fact ^C should end the program. This also avoids permission
issues when running systemd-analyze verify.
|
|
core: re-sync bus name list after deserializing during daemon-reload
|
|
When the daemon reloads, it doesn not actually give up its DBus connection,
as wrongly stated in an earlier commit. However, even though the bus
connection stays open, the daemon flushes out all its internal state.
Hence, if there is a NameOwnerChanged signal after the flush and before the
deserialization, it cannot be matched against any pending unit.
To fix this, rename bus_list_names() to manager_sync_bus_names() and call
it explicitly at the end of the daemon reload operation.
|
|
A socket shouldn't be used after socket_done() returns, but follow the
general guideline here and avoid dangling pointers anyway.
|
|
Plug a small memory leak.
|
|
During daemon-reload, PID1 temporarly loses its DBus connection, so there's
a small window in which all signals sent by dbus-daemon are lost.
This is a problem, since we rely on the NameOwnerChanged signals in order to
consider a service with Type=dbus fully started or terminated, respectively.
In order to fix this, a rewrite of bus_list_names() is necessary. We used
to walk the current list of names on the bus, and blindly triggered the
bus_name_owner_change() callback on each service, providing the actual name
as current owner. This implementation has a number of problems:
* We cannot detect if the the name was moved from one owner to the other
while we were reloading
* We don't notify services which missed the name loss signal
* Providing the actual name as current owner is a hack, as the comment also
admits.
To fix this, this patch carries the following changes:
* Track the name of the current bus name owner, and (de-)serialize it
during reload. This way, we can detect changes.
* In bus_list_names(), walk the list of bus names we're interested in
first, and then see if the name is active on the bus. If it is,
check it it's still the same as it used to be, and synthesize
NameOwnerChanged signals for the name add and/or loss.
This should fully synchronize the current name list with the internal
state of all services.
|
|
Manager status
|
|
Output the same message when a request to change the log level is
received over dbus and through a signal. From the user point of view
those two operations are very similar and it's easy to think that the
dbus operation didn't work when the expected message is not emitted.
Also "downgrade" the message level to info, since this is a normal
user initiated action.
|
|
This way we can only print the debug message when the status actually
changes. We also means we don't print anything when running in --user
mode, where status output is always disabled.
|
|
core: do not warn about Wants depencencies on masked units
|
|
Expose soft limits on the bus
|
|
When masking is used to prevent a unit from being loaded,
every transaction with dependent units would generate a warning.
Downgrade this warning to debug level.
transaction_add_job_and_dependencies only generated a few return
values found in the table in bus_common_errors.c, and EADDRNOTAVAIL
is not one of them, so do not try to suppress EADDRNOTAVAIL.
https://bugzilla.redhat.com/show_bug.cgi?id=1278264
|
|
|
|
This is a follow-up for https://github.com/systemd/systemd/pull/1994
See https://github.com/systemd/systemd/pull/1994#issuecomment-160087219
|
|
Let's merge access_init() and mac_selinux_access_init(), and only call
mac_selinux_use() once, inside the merged function, instead of multiple
times, including in the caller.
See comments on:
https://github.com/systemd/systemd/pull/2053
|
|
GLIB has recently started to officially support the gcc cleanup
attribute in its public API, hence let's do the same for our APIs.
With this patch we'll define an xyz_unrefp() call for each public
xyz_unref() call, to make it easy to use inside a
__attribute__((cleanup())) expression. Then, all code is ported over to
make use of this.
The new calls are also documented in the man pages, with examples how to
use them (well, I only added docs where the _unref() call itself already
had docs, and the examples, only cover sd_bus_unrefp() and
sd_event_unrefp()).
This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we
tend to call our destructors these days.
Note that this defines no public macro that wraps gcc's attribute and
makes it easier to use. While I think it's our duty in the library to
make our stuff easy to use, I figure it's not our duty to make gcc's own
features easy to use on its own. Most likely, client code which wants to
make use of this should define its own:
#define _cleanup_(function) __attribute__((cleanup(function)))
Or similar, to make the gcc feature easier to use.
Making this logic public has the benefit that we can remove three header
files whose only purpose was to define these functions internally.
See #2008.
|
|
If pid < 0 after fork(), 0 is always returned because r =
exec_context_load_environment() has exited successfully.
This will make the caller of exec_spawn() not able to handle
the fork() error case and make systemd abort assert() possibly.
|
|
drop warning if setting preset worked anyways
|
|
core: Do not bind a mount unit to a device, if it was from mountinfo
|
|
core: allow 'SetUnitProperties()' to run on inactive units too
|
|
Return of the file triggers
|
|
core: rename Random* to RandomizedDelay*
|
|
|
|
* refuse limits if soft > hard
* print an actual value instead of (null)
see https://github.com/systemd/systemd/pull/1994#issuecomment-159999123
|
|
The name RandomSec is too generic: "Sec" just specifies the default
unit type, and "Random" by itself is not enough. Rename to something
that should give the user general idea what the setting does without
looking at documentation.
|
|
core: support <soft:hard> ranges for RLIMIT options
|
|
The new parser supports:
<value> - specify both limits to the same value
<soft:hard> - specify both limits
the size or time specific suffixes are supported, for example
LimitRTTIME=1sec
LimitAS=4G:16G
The patch introduces parse_rlimit_range() and rlim type (size, sec,
usec, etc.) specific parsers. No code is duplicated now.
The patch also sync docs for DefaultLimitXXX= and LimitXXX=.
References: https://github.com/systemd/systemd/issues/1769
|
|
If a mount unit is bound to a device, systemd tries to umount the
mount point, if it thinks the device has gone away.
Due to the uevent queue and inotify of /proc/self/mountinfo being two
different sources, systemd can never get the ordering reliably correct.
It can happen, that in the uevent queue ADD,REMOVE,ADD is queued
and an inotify of mountinfo (or libmount event) happend with the
device in question.
systemd cannot know, at which point of time the mount happend in the
ADD,REMOVE,ADD sequence.
The real ordering might have been ADD,REMOVE,ADD,mount
and systemd might think ADD,mount,REMOVE,ADD and would umount the
mountpoint.
A test script which triggered this behaviour is:
rm -f test-efi-disk.img
dd if=/dev/null of=test-efi-disk.img bs=1M seek=512 count=1
parted --script test-efi-disk.img \
"mklabel gpt" \
"mkpart ESP fat32 1MiB 511MiB" \
"set 1 boot on"
LOOP=$(losetup --show -f -P test-efi-disk.img)
udevadm settle
mkfs.vfat -F32 ${LOOP}p1
mkdir -p mnt
mount ${LOOP}p1 mnt
... <dostuffwith mnt>
Without the "udevadm settle" systemd unmounted mnt while the script was
operating on mnt.
Of course the question is, why there was a REMOVE in the first place,
but this is not part of this patch.
|
|
FOREACH_WORD_SEPARATOR is no need here since we only
apply only one mount flag. The rvalue is sufficient for
this.
|
|
make sure all swap units are ordered before the swap target
|
|
At least the %filetriggerpostun script can be invoked hundreds of
times during an upgrade, so it makes sense to optimize it a bit.
assert(exec(...)) is used because of https://bugzilla.redhat.com/show_bug.cgi?id=1094072.
Add -P (--priority) to have %filetriggerpostun run as early as
possible (before any reload/stop actions), and %transfiletriggerin as
late as possible (after any enable/disable/preset actions).
|
|
When shutting down the system, the swap devices can be disabled long
time before the swap target is stopped. They're actually the first
units systemd turns off on my system.
This is incorrect and due to swap devices having multiple associated
swap unit files. The main one is usually created by the fstab
generator and is used to start the swap device.
Once done, systemd creates some 'alias' units for the same swap
device, one for each swap dev link. But those units are missing an
ordering dependencies which was created by the fstab generator for the
main swap unit.
Therefore during shutdown those 'alias' units can be stopped at
anytime before unmount.target target.
This patch makes sure that all swap units are stopped after the
swap.target target.
|
|
This turns out to be more complicated than it looked initially...
%transfiletriggerun is called early, while %transfiletriggerin is
called late, and neither satifisfies the requirement to call
daemon-reload after new unit files have been installed, but before
%postun scripts in packages get to fire.
It seems that the only solution is to use %filetriggerun (which
is called once per package) to do the reload, and keep state in
/var/lib/rpm-state/systemd/ to avoid calling the reload multiple
times.
https://fedoraproject.org/wiki/Packaging:ScriptletSnippets#Saving_state_between_scriptlets
says that /var/lib/rpm-state/systemd/ is the right dir.
|
|
Escape "--user" and "--global" arguments with "\\" since rpm treats
arguments starting with "-" as macro options which causes "Unknown
option" rpm error.
Use %{expand:...} to force expansion of the inner macro. Otherwise %{?*}
is recursively defined as "\--user \--global {%?*}" which causes
"Too many levels of recursion in macro expansion" rpm error.
Thanks to Michael Mráka for helping me fix the above issues.
|
|
'set-property' has been primarly designed to change some properties of
*active* units.
However it can easily work on inactive units as well. In that case
changes are only saved in a drop-in for futur uses and changes will be
effective when unit will be started.
Actually it already works on inactive units but that was not
documented and not fully supported. Indeed the inactive units had to
be known by the manager otherwise it was reported as not loaded:
$ systemctl status my-test.service
* my-test.service - My Testing Unit
Loaded: loaded (/etc/systemd/system/my-test.service; static; vendor preset: disabled)
Drop-In: /etc/systemd/system/my-test.service.d
Active: inactive (dead)
$ systemctl set-property my-test.service MemoryLimit=1000000
Failed to set unit properties on my-test.service: Unit my-test.service is not loaded.
[ Note: that the unit load state reported by the 'status' command
might be confusing since it claimed the unit as loaded but
'set-property' reported the contrary. ]
One can possibily workaround this by making the unit a dependency of
another active unit so the manager will keep it around:
$ systemctl add-wants multi-user.target my-test.service
Created symlink from /etc/systemd/system/multi-user.target.wants/my-test.service to /etc/systemd/system/my-test.service.
$ systemctl set-property my-test.service MemoryLimit=1000000
$ systemctl status my-test.service
* my-test.service - My Testing Unit
Loaded: loaded (/etc/systemd/system/my-test.service; enabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/my-test.service.d
`-50-MemoryLimit.conf
Active: inactive (dead)
This patch simply forces 'SetUnitProperties()' to load the unit if
it's not already the case.
It also documents the fact that 'set-property' can be used on inactive
units.
|
|
This function is used to check that a previous unit load succeed and
returns 0 in this case.
In the case the load failed, the function setup a bus error
accordingly and returns -errno.
|
|
tree-wide: sort includes in *.h
|
|
This is a continuation of the previous include sort patch, which
only sorted for .c files.
|
|
This allows configuration of a random time on top of the elapse events,
in order to spread time events in a network evenly across a range.
|
|
socket: Add support for socket protcol
|
|
|
|
Now we don't support the socket protocol like
sctp and udplite .
This patch add a new config param
SocketProtocol: udplite/sctp
With this now we can configure the protocol as
udplite = IPPROTO_UDPLITE
sctp = IPPROTO_SCTP
Tested with nspawn:
|
