| Age | Commit message (Collapse) | Author |
|---|
|
logind considers it an error for a seat other than seat0 to have a
non-zero vtnr for CreateSession
|
|
Compat stuff is moved to src/compat-libs/.
Warnings are issued when programs are linked with the deprecated library.
|
|
A compatibility libsystemd-login library is created which uses
.symver and ifunc magic proposed by Lennart to make programs linked
to the old library name continue to work seamlessly.
Unfortunately the bfd linker crashes:
https://sourceware.org/bugzilla/show_bug.cgi?id=16467
This will be fixed in binutils 2.25.
As a work-around, gold can be used:
LDFLAGS=-Wl,-fuse-ld=gold
Unfortunately the switch to pick the linker appeared in gcc 4.8.
This also doesn't work with LLVM:
http://llvm.org/bugs/show_bug.cgi?id=11897
|
|
logind has no concept of session ordering. Sessions have a unique name,
some attributes about the capabilities and that's already it. There is
currently no stable+total order on sessions. If we use the logind API to
switch between sessions, we are faced with an unordered list of sessions
we have no clue of.
This used to be no problem on seats with VTs or on seats with only a
single active session. However, with the introduction of multi-session
capability for seats without VTs, we need to find a way to order sessions
in a stable way.
This patch introduces session "positions". A position is a simple integer
assigned to a session which is never changed implicitly (currently, we
also don't change it explicitly, but that may be changed someday). For
seats with VTs, we force the position to be the same as the VTnr. Without
VTs, we simply find the lowest unassigned number and use it as position.
If position-assignment fails or if, for any reason, we decide to not
assign a position to a session, the position is set to 0 (which is treated
as invalid position).
During session_load() or if two sessions have the same VTnr, we may end up
with two sessions with the same position (this shouldn't happen, but lets
be fail-safe in case some other part of the stack fails). This case is
dealt with gracefully by ignoring any session but the first session
assigned to the position. Thus, session->pos is a hint, seat->positions[i]
is the definite position-assignment. Always verify both match in case you
need to modify them!
Additionally, we introduce SwitchTo(unsigned int) on the seat-dbus-API.
You can call it with any integer value != 0 and logind will try to switch
to the request position. If you implement a compositor or any other
session-controller, you simply watch for ctrl+alt+F1 to F12 and call
SwitchTo(Fx). logind will figure a way out deal with this number.
For convenience, we also introduce SwitchToNext/Previous(). It should be
called on ctrl+alt+Left/Right (like the kernel-console used to support).
Note that the public API (SwitchTo*()) is *not* bound to the underlying
logic that is implemented now. We don't export "session-positions" on the
dbus/C API! They are an implementation detail. Instead, the SwitchTo*()
API is supposed to be a hint to let logind choose the session-switching
logic. Any foreground session-controller is free to enumerate/order
existing sessions according to their needs and call Session.Activate()
manually. But the SwitchTo*() API provides a uniform behavior across
session-controllers.
Background: Session-switching keys depend on the active keymap. The XKB
specification provides the XKB_KEY_XF86Switch_VT_1-12 key-symbols which
have to be mapped by all keymaps to allow session-switching. It is usually
bound to ctrl+alt+Fx but may be set differently. A compositor passes any
keyboard input to XKB before passing it to clients. In case a key-press
invokes the XKB_KEY_XF86Switch_VT_x action, the keypress is *not*
forwarded to clients, but instead a session-switch is scheduled.
This actually prevents us from handling these keys outside of the session.
If an active compositor has a keymap with a different mapping of these
keys, and logind itself tries to catch these combinations, we end up with
the key-press sent to the compositor's clients *and* handled by logind.
This is *bad* and we must avoid this. The only situation where a
background process is allowed to handle key-presses is debugging and
emergency-keys. In these cases, we don't care for keymap mismatches and
accept the double-event. Another exception is unmapped keys like
PowerOff/Suspend (even though this one is controversial).
|
|
X11 never made use of it anyway and it's probably better to just push
$DISPLAY into the systemd daemon from gnome-session (or equivalent
program) than to change libX11 to look for this socket. In particular
since we won't need this for Wayland anyway and we shouldn't add
infrastructure for stuff that's on its way out anyway.
|
|
|
|
This reverts commit 9130f2128b64de19a3b7d6db7e0d371adfd296c2.
It's too early to do that. For now we should only "break" the
--enable-kdbus case, not the normal one.
|
|
attempt
|
|
It was removed from user@.service, so it should be added here.
|
|
|
|
|
|
|
|
Introduce new call getpeercred() which internally just uses SO_PEERCRED
but checks if the returned data is actually useful due to namespace
quirks.
|
|
|
|
SipHash appears to be the new gold standard for hashing smaller strings
for hashtables these days, so let's make use of it.
|
|
Noticed-by: Jan Alexander Steffens <jan.steffens@gmail.com>
|
|
|
|
where appropriate
|
|
|
|
Commit f8f14b3654bcd introduced a regression that makes
loginctl session-status to not show the correct session ID(s)
In print_session_status_info() the map[] array, element "Seat" receives
the offset of the "id" in "SessionStatusInfo" struct instead of the
offset of the "seat" member.
This will cause prop_map_first_of_struct() function to overwrite the
SessionStatusInfo.id memory with seats if there are any.
Fix this typo by using the "seat" member.
Before:
- tixxdz (1000)
Since: Sat 2013-12-21 10:07:23 CET; 5h 26min ago
Leader: 1265 (sshd)
After:
1 - tixxdz (1000)
Since: Sat 2013-12-21 10:07:23 CET; 5h 26min ago
Leader: 1265 (sshd)
|
|
|
|
1) Instead of checking if we need to print a new line on each iteration,
pass the "new_line" as a pointer to those functions, so they can use
it to check if a new line is needed. This makes the code more consistent
as it is done in other places: machinectl, systemctl...
2) Move the error messages from show_{session|user|seat}() to their
appropriate print_{session|user|seat}_status_info() functions, this will
prevent from logging an error message twice in case show_properties()
fails and it will improve code readability.
3) Also do not ignore error codes on these functions.
|
|
Commit f8f14b3654bcd introduced a regression that makes loginctl ignore
the "--property" option.
This patch fixes the bug, it uses a new show_properties() function to
query and filter properties.
|
|
|
|
useful
|
|
Always use cleanup logic and don't eat up errors returned by libudev
|
|
matches
Instead of checking each device after we got it, check wuth an
enumeration filter instead, to make it more efficient.
|
|
With the current logic, a user will never be garbage-collected, since its
manager will always be around. Change the logic such that a user is
garbage-collected when it has no sessions and linger is disabled.
|
|
udev initialization
Managers shouldn't pick up the devices the manage before udev finished
initialization, hence check explicitly for that.
|
|
Also make thread_local available w/o including <threads.h>.
(as the latter hasn't been implemented, but this part is trivial)
|
|
We really should return errors from event handlers if we have a
continous problem and don't know any other solution.
|
|
|
|
flags conversion
|
|
that are closer to kdbus
This turns around DO_NOT_QUEUE into QUEUE which implies a more useful
default. (And negative options are awful anyway.)
|
|
Adds a new call sd_event_set_watchdog() that can be used to hook up the
event loop with the watchdog supervision logic of systemd. If enabled
and $WATCHDOG_USEC is set the event loop will ping the invoking systemd
daemon right after coming back from epoll_wait() but not more often than
$WATCHDOG_USEC/4. The epoll_wait() will sleep no longer than
$WATCHDOG_USEC/4*3, to make sure the service manager is called in time.
This means that setting WatchdogSec= in a .service file and calling
sd_event_set_watchdog() in your daemon is enough to hook it up with the
watchdog logic.
|
|
|
|
Introduces a new concept of "trusted" vs. "untrusted" busses. For the
latter libsystemd-bus will automatically do per-method access control,
for the former all access is automatically granted. Per-method access
control is encoded in the vtables: by default all methods are only
accessible to privileged clients. If the SD_BUS_VTABLE_UNPRIVILEGED flag
is set for a method it is accessible to unprivileged clients too. By
default whether a client is privileged is determined via checking for
its CAP_SYS_ADMIN capability, but this can be altered via the
SD_BUS_VTABLE_CAPABILITY() macro that can be ORed into the flags field
of the method.
Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED and
SD_BUS_VTABLE_CAPABILITY() for controlling write access to them. Note
however that read access is unrestricted, as PropertiesChanged messages
might send out the values anyway as an unrestricted broadcast.
By default the system bus is set to "untrusted" and the user bus is
"trusted" since per-method access control on the latter is unnecessary.
On dbus1 busses we check the UID of the caller rather than the
configured capability since the capability cannot be determined without
race. On kdbus the capability is checked if possible from the attached
meta-data of a message and otherwise queried from the sending peer.
This also decorates the vtables of the various daemons we ship with
these flags.
|
|
Use [brackets] only for optional elements.
Use <optional> in XML sources.
|
|
The only problem is that libgen.h #defines basename to point to it's
own broken implementation instead of the GNU one. This can be fixed
by #undefining basename.
|
|
other calls
Instead of returning an enum of return codes, make them return error
codes like kdbus does internally.
Also, document this behaviour so that clients can stick to it.
(Also rework bus-control.c to always have to functions for dbus1 vs.
kernel implementation of the various calls.)
|
|
|
|
We should return seat_can_graphical() instead of seat_can_tty() for the
public dbus CanGraphical attribute. This used to work, but the
dbus -> sd-bus conversion introduced this regression.
|
|
introduced in 1ca208fb4f93e5869704af1812cbff7130a2fc03
|
|
This way we can unify handling of credentials that are attached to
messages, or can be queried for bus name owners or connection peers.
This also adds the ability to extend incomplete credential information
with data from /proc,
Also, provide a convenience call that will automatically determine the
most appropriate credential object for an incoming message, by using the
the attached information if possible, the sending name information if
available and otherwise the peer's credentials.
|
|
This field is always false, drop it. If you want a reliable way to get
session state, call session_get_state(). Testing for any flags directly
doesn't work currently so don't pretend it would.
|
|
Sessions on seat0 must pass us a vtnr, otherwise, you shouldn't try
attaching it to seat0. For seats without VTs, we do the exact opposite: we
forbid VTs.
There can be odd situations if the session-files contain invalid
combinations. However, we try to keep sessions alive and restore state as
good as possible.
|
|
Fix the whole code to use "unsigned int" for vtnr. 0 is an invalid vtnr so
we don't need negative numbers at all.
Note that most code already assumes it's unsigned so in case there's a
negative vtnr, our code may, under special circumstances, silently break.
So this patch makes sure all sources of vtnrs verify the validity. Also
note that the dbus api already uses unsigned ints.
|
|
If a session process calls TakeControl(), we now put the VT into
KD_GRAPHICS+K_OFF mode. This way, the new session controller can solely
rely on the logind-dbus API to manage the session.
Once the controller exits or calls ReleaseControl(), we restore the VT. We
also restore it, if we lost a controller during crash/restart (but only if
there really *was* a controller previously).
Note that we also must put the VT into VT_PROCESS mode. We want VT_AUTO
semantics, but VT_AUTO+KD_GRAPHICS actually disables *all* VT switches
(who came up with that great idea?). Hence, we set VT_PROCESS for logind
but acknowledge *all* requests immediately.
If a compositor wants custom VT setups, they can still get this by *first*
calling TakeControl() and afterwards setting up the VT. logind doesn't
touch the VT during controller runtime, only during setup/teardown. This
is actually what weston already does.
|
|
We now save the unique bus-name of a session-controller as CONTROLLER=%s
in the session files. This allows us to restore the controller after a
crash or restart.
Note that we test whether the name is still valid (dbus guarantees that
the name is unique as long as the machine is up and running). If it is,
we know that the controller still exists and can safely restore it. Our
dbus-name-tracking guarantees that we're notified once it exits.
Also note that session-devices are *not* restored. We have no way to know
which devices where used before the crash. We could store all these on
disk, too, or mark them via udev. However, this seems to be rather
cumbersome. Instead, we expect controllers to listen for NewSession
signals for their own session. This is sent on session_load() and they can
then re-request all devices.
The only race I could find is if logind crashes, then the session
controller tries calling ReleaseControl() (which will fail as logind is
down) but keeps the bus-connection valid for other independent requests.
If logind is restarted, it will restore the old controller and thus block
the session.
However, this seems unlikely for several reasons:
- The ReleaseControl() call must occur exactly in the timespan where
logind is dead.
- A process which calls ReleaseControl() usually closes the
bus-connection afterwards. Especially if ReleaseControl() fails, the
process should notice that something is wrong and close the bus.
- A process calling ReleaseControl() usually exits afterwards. There may
be any cleanup pending, but other than that, usual compositors exit.
- If a session-controller calls ReleaseControl(), a session is usually
considered closing. There is no known use-case where we hand-over
session-control in a single session. So we don't care whether the
controller is locked afterwards.
So this seems negligible.
|
|
Unfortunately, close() on a revoked/removed character-device fails with
ENODEV. I tried tracking this down in the kernel, but couldn't figure out
were exactly it comes from. However, can be easily reproduced with:
fd = open("/dev/input/event0", O_RDWR);
ioctl(fd, EVIOCREVOKE, 0);
r = close(fd);
A second close on @fd would return EBADF so the close is actually valid.
We simply ignore close() errors for all session-devices as their access
may be revoked asynchronously, or the device might get unplugged.
We use close_nointr() in case anyone ever looks at the return value (or
anyone runs "grep 'close(' -r src/" to find broken close() calls).
Fixes:
systemd-logind[31992]: Assertion 'close_nointr(fd) == 0' failed at src/shared/util.c:185, function close_nointr_nofail(). Aborting.
|
