Age | Commit message (Collapse) | Author |
|
Previously we'd open the connection in the originating namespace, which
meant most peers of the bus would not be able to make sense of the
PID/UID/... identity of us since we didn't exist in the namespace they
run in. However they require this identity for privilege decisions,
hence disallowing access to anything from the host.
Instead, when connecting to a container, create a temporary subprocess,
make it join the container's namespace and then connect from there to
the kdbus instance. This is similar to how we do it for socket
conections already.
THis also unifies the namespacing code used by machinectl and the bus
APIs.
|
|
|
|
and dbus1)
Due to this patch, sd_bus_release_name() function
returns the same code errors for kdbus and dbus1
if we try release non-existing name or foreign
name.
|
|
|
|
|
|
When trying a couple of addresses one after the other, make sure to
reattach the fds to the event loop.
|
|
|
|
|
|
The pattern of unreffing an IO event source and then closing its fd is
frequently seen in even source callbacks. Previously this likely
resultet in us removing the fd from the epoll after it was closed which
is problematic, since while we were dispatching we always kept an extra
reference to event source objects because we might still need it later.
|
|
With this change a failing event source handler will not cause the
entire event loop to fail. Instead, we just disable the specific event
source, log a message at debug level and go on.
This also introduces a new concept of "exit code" which can be stored in
the event loop and is returned by sd_event_loop(). We also rename "quit"
to "exit" everywhere else.
Altogether this should make things more robus and keep errors local
while still providing a way to return event loop errors in a clear way.
|
|
|
|
to match against names coming/going
|
|
generate NameLost
|
|
|
|
|
|
|
|
|
|
|
|
flags conversion
|
|
that are closer to kdbus
This turns around DO_NOT_QUEUE into QUEUE which implies a more useful
default. (And negative options are awful anyway.)
|
|
|
|
containers)
|
|
to queue/starter
|
|
|
|
|
|
assert_return()
These are not programming errors, so they shouldn't use assert_return()
|
|
kdbus fortunately exposes the container's busses in the host fs, hence
we can access it directly instead of doing the namespacing dance.
|
|
In addition to the same spot within every 1min, every 1s, every 250s
|
|
This adds the new library call sd_journal_open_container() and a new
"-M" switch to journalctl. Particular care is taken that journalctl's
"-b" switch resolves to the current boot ID of the container, not the
host.
|
|
Adds a new call sd_event_set_watchdog() that can be used to hook up the
event loop with the watchdog supervision logic of systemd. If enabled
and $WATCHDOG_USEC is set the event loop will ping the invoking systemd
daemon right after coming back from epoll_wait() but not more often than
$WATCHDOG_USEC/4. The epoll_wait() will sleep no longer than
$WATCHDOG_USEC/4*3, to make sure the service manager is called in time.
This means that setting WatchdogSec= in a .service file and calling
sd_event_set_watchdog() in your daemon is enough to hook it up with the
watchdog logic.
|
|
event source
That way the even source callback is run with the zombie process still
around so that it can access /proc/$PID/ and similar, and so that it can
be sure that the PID has not been reused yet.
|
|
|
|
|
|
|
|
|
|
We support unreffing NULL pointers just fine and we shouldn't pay the
_unlikely_() price for it, not get a debug message if we do, hence let's
not use assert_return() here.
|
|
|
|
This reverts commit f7e2bd5a8070ba86cba6bcbf7d1c9a8173d846d4.
Most of these checks are not programming errors, but happen during
normal runtime. For example bus_kernel_pop_memfd() is called all the
time on non-kdbus systems and is supposed to quickly fail if kdbus is
not available. However, assert_return() makes this failure
expensive, and hence has no place here. With the most recent change to
assert_return() it will even log a debug message, which should never
happen here.
|
|
|
|
|
|
When this flag is set then its member will not be shown in the
introspection data. Also, properties with this flag set will not be
included in GetAll() responses.
|
|
Introduces a new concept of "trusted" vs. "untrusted" busses. For the
latter libsystemd-bus will automatically do per-method access control,
for the former all access is automatically granted. Per-method access
control is encoded in the vtables: by default all methods are only
accessible to privileged clients. If the SD_BUS_VTABLE_UNPRIVILEGED flag
is set for a method it is accessible to unprivileged clients too. By
default whether a client is privileged is determined via checking for
its CAP_SYS_ADMIN capability, but this can be altered via the
SD_BUS_VTABLE_CAPABILITY() macro that can be ORed into the flags field
of the method.
Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED and
SD_BUS_VTABLE_CAPABILITY() for controlling write access to them. Note
however that read access is unrestricted, as PropertiesChanged messages
might send out the values anyway as an unrestricted broadcast.
By default the system bus is set to "untrusted" and the user bus is
"trusted" since per-method access control on the latter is unnecessary.
On dbus1 busses we check the UID of the caller rather than the
configured capability since the capability cannot be determined without
race. On kdbus the capability is checked if possible from the attached
meta-data of a message and otherwise queried from the sending peer.
This also decorates the vtables of the various daemons we ship with
these flags.
|
|
|
|
|
|
|
|
|
|
THis might happen when sending arrays with 0 enttries, hence this is not
an indication for a problem.
|
|
|
|
|
|
|