| Age | Commit message (Collapse) | Author |
|---|
|
socket-activated services
|
|
Introduce new call getpeercred() which internally just uses SO_PEERCRED
but checks if the returned data is actually useful due to namespace
quirks.
|
|
|
|
|
|
Also, introduce a new environment variable named $WATCHDOG_PID which
cotnains the PID of the process that is supposed to send the keep-alive
events. This is similar how $LISTEN_FDS and $LISTEN_PID work together,
and protects against confusing processes further down the process tree
due to inherited environment.
|
|
SipHash appears to be the new gold standard for hashing smaller strings
for hashtables these days, so let's make use of it.
|
|
|
|
Since the vtable includes this information anyway, let's just use that
|
|
where appropriate
|
|
|
|
|
|
That way we the random socket name stays stable across reexec and we
won't lose client messages.
|
|
|
|
|
|
|
|
|
|
This way, when a tty path is configured TERM is set, which is nice to
set a useful term for gettys.
|
|
Always use cleanup logic and don't eat up errors returned by libudev
|
|
matches
Instead of checking each device after we got it, check wuth an
enumeration filter instead, to make it more efficient.
|
|
sd-event's logic
|
|
|
|
Instead, force reopen it only if we really really have to.
|
|
In some circumstances, for example when start-up times out we
immediately jump into the final state, at which point we still should
try to watch the main pid so that the SIGCHLD allows us to quickly
move into dead state.
|
|
|
|
udev initialization
Managers shouldn't pick up the devices the manage before udev finished
initialization, hence check explicitly for that.
|
|
also define noreturn w/o <stdnoreturn.h>
|
|
up the kdbus system bus
|
|
|
|
We need to properly initialize all error structs before use and free
them after use.
Also, there's no point in flushing stdout if we output a \n anyway...
|
|
connected to journald
|
|
|
|
|
|
|
|
Drop most of the arguments and instead introduce link_set_{flags,type}.
|
|
These specifiers require NSS lookups to work, and we really shouldn't do
them from PID 1 hence. With this change they are now only supported for
user systemd instance, or when the configured user for a unit is root.
|
|
Clang is a bit more strict wrt format-nonliterals:
http://clang.llvm.org/docs/LanguageExtensions.html#format-string-checking
Adding these extra printf attributes also makes gcc able to find more
problems. E.g. this patch uncovers a format issue in udev-builtin-path_id.c
Some parts looked intetional about breaking the format-nonliteral check.
I added some supression for warnings there.
|
|
Previously we'd open the connection in the originating namespace, which
meant most peers of the bus would not be able to make sense of the
PID/UID/... identity of us since we didn't exist in the namespace they
run in. However they require this identity for privilege decisions,
hence disallowing access to anything from the host.
Instead, when connecting to a container, create a temporary subprocess,
make it join the container's namespace and then connect from there to
the kdbus instance. This is similar to how we do it for socket
conections already.
THis also unifies the namespacing code used by machinectl and the bus
APIs.
|
|
We really should return errors from event handlers if we have a
continous problem and don't know any other solution.
|
|
This way it is easy to only exclude directories from the current boot
from automatic clean up in /var/tmp.
Also, pick a longer name for the directories so that are globs in
tmp.conf can be simpler yet equally accurate.
|
|
|
|
|
|
that are closer to kdbus
This turns around DO_NOT_QUEUE into QUEUE which implies a more useful
default. (And negative options are awful anyway.)
|
|
|
|
|
|
|
|
SetProperties has signature "ba(sv)", but the bus_unit_set_properties()
helper already does a enter_container('a', "sv") so we have to skip it in
bus_unit_method_set_properties().
|
|
|
|
This reverts commit e775289d56ace2f8d23e62ed79316d71332d6d05.
We really should let the dependency logic add jobs for dependencies here
rather than manually adding in jobs, overtaping the real problem.
|
|
|
|
Introduces a new concept of "trusted" vs. "untrusted" busses. For the
latter libsystemd-bus will automatically do per-method access control,
for the former all access is automatically granted. Per-method access
control is encoded in the vtables: by default all methods are only
accessible to privileged clients. If the SD_BUS_VTABLE_UNPRIVILEGED flag
is set for a method it is accessible to unprivileged clients too. By
default whether a client is privileged is determined via checking for
its CAP_SYS_ADMIN capability, but this can be altered via the
SD_BUS_VTABLE_CAPABILITY() macro that can be ORed into the flags field
of the method.
Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED and
SD_BUS_VTABLE_CAPABILITY() for controlling write access to them. Note
however that read access is unrestricted, as PropertiesChanged messages
might send out the values anyway as an unrestricted broadcast.
By default the system bus is set to "untrusted" and the user bus is
"trusted" since per-method access control on the latter is unnecessary.
On dbus1 busses we check the UID of the caller rather than the
configured capability since the capability cannot be determined without
race. On kdbus the capability is checked if possible from the attached
meta-data of a message and otherwise queried from the sending peer.
This also decorates the vtables of the various daemons we ship with
these flags.
|
