path: root/src/login/logind-dbus.c
Age | Commit message | Author
2013-12-18 | core,logind: libudev usage modernizations | Lennart Poettering
Always use cleanup logic and don't eat up errors returned by libudev
2013-12-10 | bus: introduce "trusted" bus concept and encode access control in object vtables | Lennart Poettering
Introduces a new concept of "trusted" vs. "untrusted" busses. For the latter libsystemd-bus will automatically do per-method access control, for the former all access is automatically granted. Per-method access control is encoded in the vtables: by default all methods are only accessible to privileged clients. If the SD_BUS_VTABLE_UNPRIVILEGED flag is set for a method it is accessible to unprivileged clients too. By default whether a client is privileged is determined via checking for its CAP_SYS_ADMIN capability, but this can be altered via the SD_BUS_VTABLE_CAPABILITY() macro that can be ORed into the flags field of the method.
Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED and SD_BUS_VTABLE_CAPABILITY() for controlling write access to them. Note however that read access is unrestricted, as PropertiesChanged messages might send out the values anyway as an unrestricted broadcast.
By default the system bus is set to "untrusted" and the user bus is "trusted" since per-method access control on the latter is unnecessary.
On dbus1 busses we check the UID of the caller rather than the configured capability since the capability cannot be determined without race. On kdbus the capability is checked if possible from the attached meta-data of a message and otherwise queried from the sending peer.
This also decorates the vtables of the various daemons we ship with these flags.
2013-11-28 | bus: add new sd_bus_creds object to encapsulate process credentials | Lennart Poettering
This way we can unify handling of credentials that are attached to messages, or can be queried for bus name owners or connection peers. This also adds the ability to extend incomplete credential information with data from /proc. Also, provide a convenience call that will automatically determine the most appropriate credential object for an incoming message, by using the attached information if possible, the sending name information if available and otherwise the peer's credentials.
2013-11-28 | logind: remove unused session->closing field | David Herrmann
This field is always false, drop it. If you want a reliable way to get session state, call session_get_state(). Testing for any flags directly doesn't work currently so don't pretend it would.
2013-11-28 | logind: require VTs on seat0 and forbid elsewhere | David Herrmann
Sessions on seat0 must pass us a vtnr, otherwise, you shouldn't try attaching it to seat0. For seats without VTs, we do the exact opposite: we forbid VTs. There can be odd situations if the session-files contain invalid combinations. However, we try to keep sessions alive and restore state as good as possible.
2013-11-28 | logind: make VT numbers unsigned | David Herrmann
Fix the whole code to use "unsigned int" for vtnr. 0 is an invalid vtnr so we don't need negative numbers at all. Note that most code already assumes it's unsigned so in case there's a negative vtnr, our code may, under special circumstances, silently break. So this patch makes sure all sources of vtnrs verify the validity. Also note that the dbus api already uses unsigned ints.
2013-11-27 | logind: log which process is delaying suspend and not closing locks | Lennart Poettering
2013-11-26 | pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one | Lennart Poettering
It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.
2013-11-21 | logind,machined,run: properly invoke StartTransientUnit() bus call | Lennart Poettering
2013-11-21 | bus: rework message handlers to always take an error argument | Lennart Poettering
Message handler callbacks can be simplified drastically if the dispatcher automatically replies to method calls if errors are returned. Thus: add an sd_bus_error argument to all message handlers. When we dispatch a message handler and it returns negative or a set sd_bus_error we send this as message error back to the client. This means errors returned by handlers by default are given back to clients instead of rippling all the way up to the event loop, which is desirable to make things robust. As a side-effect we can now easily turn the SELinux checks into normal function calls, since the method call dispatcher will generate the right error replies automatically now. Also, make sure we always pass the error structure to all property and method handlers as last argument to follow the usual style of passing variables for return values as last argument.
2013-11-21 | bus: let's simplify things by getting rid of unnecessary bus parameters | Lennart Poettering
2013-11-20 | core: convert PID 1 to libsystemd-bus | Lennart Poettering
This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off.
This patch also adds a couple of things to libsystemd-bus, that are necessary to make the port work:
- Synthesizing of "Disconnected" messages when bus connections are severed.
- Support for attaching multiple vtables for the same interface on the same path.
This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature.
As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
2013-11-12 | bus: rename sd_bus_send_with_reply_and_block() to sd_bus_call() | Lennart Poettering
The call is one of the most important ones we expose, where we place major emphasis on. We should make sure to give it a short, memorable name.
2013-11-05 | logind: automatically determine client side PID if GetSessionByPID() is called with a PID == 0 | Lennart Poettering
2013-11-05 | logind: fix serialization for PrepareForSleep boolean | Lennart Poettering
2013-11-05 | logind: fix serialization of ListInhibitors() request | Lennart Poettering
2013-11-05 | logind: fix serialization of ListSeats() bus call | Lennart Poettering
2013-11-05 | logind: port logind to libsystemd-bus | Lennart Poettering
2013-10-13 | Fix write-only use of a few variables | Zbigniew Jędrzejewski-Szmek
Since the invention of read-only memory, write-only memory has been considered deprecated. Where appropriate, either make use of the value, or avoid writing it, to make it clear that it is not used.
2013-09-26 | logind: never consider a closing session relevant for PK checks | Lennart Poettering
https://bugzilla.redhat.com/show_bug.cgi?id=1010215
2013-09-20 | logind: put correct user object paths in introspection data | Mantas Mikulėnas
Sync with user_bus_path() in logind-user-dbus.c
2013-09-17 | Remove six unused variables and add annotation | Zbigniew Jędrzejewski-Szmek
clang FTW!
2013-09-17 | logind: extract has_vts() from can_multi_session() | David Herrmann
We currently use seat_can_multi_session() to test for two things:
 * whether the seat can handle session-switching
 * whether the seat has VTs
As both are currently logically equivalent, we didn't care. However, we want to allow session-switching on seats without VTs, so split this helper into:
 * seat_can_multi_session(): whether session-switching is supported
 * seat_has_vts(): whether the seat has VTs
Note that only one seat on a system can have VTs. There is only one set of them. We automatically assign them to seat0 as usual.
With this patch in place, we can easily add new session-switching/tracking methods without breaking any VT code as it is now protected by has_vts(), no longer by can_multi_session().
2013-09-17 | logind: rename vtconsole to seat0 | David Herrmann
The seat->vtconsole member always points to the default seat seat0. Even if VTs are disabled, it's used as default seat. Therefore, rename it to seat0 to correctly state what it is. This also changes the seat files in /run from IS_VTCONSOLE to IS_SEAT0. It wasn't used by any code, yet, so this seems fine. While we are at it, we also remove every "if (s->vtconsole)" as this pointer is always valid!
2013-09-17 | logind: add session controllers | David Herrmann
A session usually has only a single compositor or other application that controls graphics and input devices on it. To avoid multiple applications from hijacking each other's devices or even using the devices in parallel, we add session controllers.
A session controller is an application that manages a session. Specific API calls may be limited to controllers to avoid others from getting unprivileged access to restricted resources. A session becomes a controller by calling the RequestControl() dbus API call. It can drop it via ReleaseControl().
logind tracks bus-names to release the controller once an application closes the bus. We use the new bus-name tracking to do that. Note that during ReleaseControl() we need to check whether some other session also tracks the name before we remove it from the bus-name tracking list.
Currently, we only allow one controller at a time. However, the public API does not enforce this restriction. So if it makes sense, we can allow multiple controllers in parallel later. Or we can add a "scope" parameter, which allows a different controller for graphics-devices, sound-devices and whatever you want.
Note that currently you get -EBUSY if there is already a controller. You can force the RequestControl() call (root-only) to drop the current controller and recover the session during an emergency. To recover a seat, this is not needed, though. You can simply create a new session or force-activate it.
To become a session controller, a dbus caller must either be root or the same user as the user of the session. This allows us to run a session compositor as user and we no longer need any CAP_SYS_ADMIN.
2013-09-17 | logind: add infrastructure to watch busnames | David Herrmann
If we want to track bus-names to allow exclusive resource-access, we need a way to get notified when a bus-name is gone. We make logind watch for NameOwnerChanged dbus events and check whether the name is currently watched. If it is, we remove it from the watch-list (notification for other objects can be added in follow-up patches).
2013-09-16 | Verify validity of session name when received from outside | Zbigniew Jędrzejewski-Szmek
Only ASCII letters and digits are allowed.
2013-08-13 | logind: restore logic to kill user processes when session ends | Lennart Poettering
2013-07-30 | logind: make sure login sessions are terminated with SIGHUP | Lennart Poettering
bash ignores SIGTERM, and can only be terminated cleanly via SIGHUP. Hence make sure that the scope unit for the session is created with SendSIGHUP enabled.
2013-07-26 | logind: update the session state file before we send out the CreateSession() reply | Lennart Poettering
https://bugs.freedesktop.org/show_bug.cgi?id=67273
2013-07-26 | logind: update state file after generating the session fifo, not before | Lennart Poettering
https://bugs.freedesktop.org/show_bug.cgi?id=67273
2013-07-10 | user-sessions: rely on PID 1 to kill sessions | Lennart Poettering
As we want to centralize cgroup access we should stop killing the user sessions directly from the systemd-user-sessions service. Instead, rely on PID 1 doing this by adding the right ordering dependencies to the session scope units.
2013-07-10 | logind: don't misunderstand UnitRemoved signals during reloading | Lennart Poettering
When PID 1 reloads the units logind/machined will see UnitRemoved signals for all units. Instead of trusting these immediately, let's check the actual unit state before considering a unit gone, so that reloading PID 1 is not mistaken as the end of all sessions.
2013-07-10 | core: serialize/deserialize bus subscribers | Lennart Poettering
2013-07-03 | logind/machined: properly notice when units are gc'ed | Lennart Poettering
2013-07-02 | login: pass correct boolean type to libdbus | Lennart Poettering
2013-07-02 | machined: sync to /run after job completed | Lennart Poettering
2013-07-02 | machined: split out machine registration stuff from logind | Lennart Poettering
Embedded folks don't need the machine registration stuff, hence it's nice to make this optional. Also, I'd expect that machinectl will grow additional commands quickly, for example to join existing containers and suchlike, hence it's better keeping that separate from loginctl.
2013-07-02 | logind: port over to use scopes+slices for all cgroup stuff | Lennart Poettering
In order to prepare things for the single-writer cgroup scheme, let's make logind use systemd's own primitives for cgroup management. Every login user now gets his own private slice unit, in which his sessions live in a scope unit each. Also, add user@$UID.service to the same slice, and implicitly start it on first login.
2013-06-20 | logind: add infrastructure to keep track of machines, and move to slices | Lennart Poettering
- This changes all logind cgroup objects to use slice objects rather than fixed cgroup locations.
- logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition.
- nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice.
- loginctl gained commands to list, introspect and terminate machines.
- user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.
2013-05-06 | systemd-sleep: add support for freeze and standby | Zbigniew Jędrzejewski-Szmek
A new config file /etc/systemd/sleep.conf is added. It is parsed by systemd-sleep and logind. The strings written to /sys/power/disk and /sys/power/state can be configured. This allows people to use different modes of suspend on systems with broken or special hardware.
Configuration is shared between systemd-sleep and logind to enable logind to answer the question "can the system be put to sleep" as correctly as possible without actually invoking the action. If the user configured systemd-sleep to only use 'freeze', but current kernel does not support it, logind will properly report that the system cannot be put to sleep.
https://bugs.freedesktop.org/show_bug.cgi?id=57793
https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=7e73c5ae6e7991a6c01f6d096ff8afaef4458c36
http://lists.freedesktop.org/archives/systemd-devel/2013-February/009238.html
SYSTEM_CONFIG_FILE and USER_CONFIG_FILE defines were removed since they were used in only a few places and with the addition of /etc/systemd/sleep.conf it becomes easier to just append the name of each file to the dir name.
2013-04-24 | logind: don't busy loop if a job is still running but the delay timeout expires | Lennart Poettering
2013-04-19 | logind-dbus: initialize result variable | Lukas Nykryn
2013-04-18 | move _cleanup_ attribute in front of the type | Harald Hoyer
http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html
2013-04-18 | Move bus_error to dbus-common and remove bus_error_message_or_strerror | Simon Peeters
bus_error and bus_error_message_or_strerror did almost exactly the same, so use only one of them and place it in dbus-common.
2013-04-16 | nspawn: introduce the new /machine/ tree in the cgroup tree and move containers there | Lennart Poettering
Containers will now carry a label (normally derived from the root directory name, but configurable by the user), and the container's root cgroup is /machine/<label>. This label is called "machine name", and can cover both containers and VMs (as soon as libvirt also makes use of /machine/). libsystemd-login can be used to query the machine name from a process. This patch also includes numerous clean-ups for the cgroup code.
2013-04-16 | logind: filter configured cgroup controller lists | Lennart Poettering
2013-04-15 | Fix spelling errors using 'codespell' tool | Anatol Pomozov
2013-04-09 | logind: introduce an explicit session class for cronjobs and similar | Lennart Poettering
cronjobs are neither interactive user session, nor lock screens, nor login screens, hence they should get their own class.
2013-04-03 | util: rename write_one_line_file() to write_string_file() | Lennart Poettering
You can write much more than just one line with this call (and we frequently do), so let's correct the naming.