summaryrefslogtreecommitdiff
path: root/src/machine/org.freedesktop.machine1.conf
AgeCommit message (Collapse)Author
2016-06-24machined: make sure CleanPool() method is opened up in the dbus policyLennart Poettering
The method is already hooked up to PolicyKit, hence let's open this up via the bus policy language too. Fixes: #3585
2015-08-24machined: add new OpenShell() bus callLennart Poettering
This new bus call opens an interactive shell in a container. It works like the existing OpenLogin() call, but does not involve getty, and instead opens an arbitrary command line. This is similar to "systemd-run -t -M" but is controlled by a specific PolicyKit privilege.
2015-07-09nss-mymachines: map userns users of containers to real user namesLennart Poettering
Given a container "foo", that maps user id $UID to container user, using user namespaces, this NSS module extenstion will now map the $UID to a name "vu-foo-$TUID" for the translated UID $UID. Similar, userns groups are mapped to "vg-foo-$TGID" for translated GIDs of $GID. This simple change should make userns users more discoverable. Also, given that many tools like "adduser" check NSS before allocating a UID, should lower the chance of UID range conflicts between tools.
2015-02-25machined,machinectl: add calls for changing container/VM quotasLennart Poettering
2015-02-24machined: actually open up methods to unprivileged clients on dbus1Lennart Poettering
Many of machined's operations are now opened up to unprivileged clients via PolicyKit. Open up the dbus policy so that we can actually make these calls. kdbus doesn't reuqire this, hence this wasn't noticed before.
2014-12-23machined: introduce polkit for OpenLogin() callLennart Poettering
This way "machinectl login" can be opened up to run without privileges.
2014-12-19machined: add new GetImage() bus call for retrieving the bus path for an imageLennart Poettering
2014-12-19machined/machinectl: add logic to show list of available imagesLennart Poettering
This adds a new bus call to machined that enumerates /var/lib/container and returns all trees stored in it, distuingishing three types: - GPT disk images, which are files suffixed with ".gpt" - directory trees - btrfs subvolumes
2014-08-04machine: make sure unpriviliged "machinectl status" can show the machine's ↵Lennart Poettering
OS version
2014-07-03machinectl: show /etc/os-release information of container in status outputLennart Poettering
2014-05-19machined: make sure GetMachineAddresses() is available for unprivileged ↵Lennart Poettering
processes
2013-12-10bus: introduce "trusted" bus concept and encode access control in object vtablesLennart Poettering
Introduces a new concept of "trusted" vs. "untrusted" busses. For the latter libsystemd-bus will automatically do per-method access control, for the former all access is automatically granted. Per-method access control is encoded in the vtables: by default all methods are only accessible to privileged clients. If the SD_BUS_VTABLE_UNPRIVILEGED flag is set for a method it is accessible to unprivileged clients too. By default whether a client is privileged is determined via checking for its CAP_SYS_ADMIN capability, but this can be altered via the SD_BUS_VTABLE_CAPABILITY() macro that can be ORed into the flags field of the method. Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED and SD_BUS_VTABLE_CAPABILITY() for controlling write access to them. Note however that read access is unrestricted, as PropertiesChanged messages might send out the values anyway as an unrestricted broadcast. By default the system bus is set to "untrusted" and the user bus is "trusted" since per-method access control on the latter is unnecessary. On dbus1 busses we check the UID of the caller rather than the configured capability since the capability cannot be determined without race. On kdbus the capability is checked if possible from the attached meta-data of a message and otherwise queried from the sending peer. This also decorates the vtables of the various daemons we ship with these flags.
2013-07-02machined: relax access to GetMachine()Lennart Poettering
2013-07-02machined: split out machine registration stuff from logindLennart Poettering
Embedded folks don't need the machine registration stuff, hence it's nice to make this optional. Also, I'd expect that machinectl will grow additional commands quickly, for example to join existing containers and suchlike, hence it's better keeping that separate from loginctl.