| Age | Commit message (Collapse) | Author |
|---|
|
like:
src/shared/install.c: In function ‘unit_file_lookup_state’:
src/shared/install.c:1861:16: warning: ‘r’ may be used uninitialized in
this function [-Wmaybe-uninitialized]
return r < 0 ? r : state;
^
src/shared/install.c:1796:13: note: ‘r’ was declared here
int r;
^
|
|
This patch removes includes that are not used. The removals were found with
include-what-you-use which checks if any of the symbols from a header is
in use.
|
|
The assert added in 7d328b5446 was wrong. Also update the comments
and make sure we don't try to shift by type size.
|
|
We were dropping the most significant bit. Add an assert to make sure it does not happen again.
Fixes a bug introduced in 7d328b544621d4b1bec936dec612947ad8bfb65a.
|
|
|
|
From fd.o bug 88898:
systemd-resolved fails to start:
Failed to drop capabilities: Operation not permitted
Broken in f11943c53ec181829a821c6b27acf828bab71caa.
Drop all capabilities:
1. prctl(PR_SET_KEEPCAPS, keep_capabilities != 0) // 0 when we drop all
capabilities
2. setresuid() // bye bye capabilities
3. Add CAP_SETPCAP // fails because we have no capabilities
4. Reduce capability bounding set
5. Drop capabilities
6. prctl(PR_SET_KEEPCAPS, 0)
Capabilites should always be kept after setresuid() so that the capability
bounding set can be reduced.
Based-on-a-patch-by: mustrumr97@gmail.com
https://bugs.freedesktop.org/show_bug.cgi?id=88898
We must be careful not to leave PR_SET_KEEPCAPS on. We could use the
setresuid() call to drop capabilities, but the rules when capabilities
are dropped are fairly complex, since a transition to non-zero uid must
happen. Let's instead keep the capabilities during setresuid(), and drop
them later.
|
|
https://bugs.freedesktop.org/show_bug.cgi?id=87354
|
|
This file was introduced with linux-3.2, use it instead of probing for it
via prctl(PR_CAPBSET_READ).
For now, keep the old code for backwards compat. We can drop it once 3.2
is our lowest requirement.
The test-cap-list code is extended to verify cap_last_cap() is the same as
we'd get via prctl probing and /proc.
|
|
When dbus client connects to systemd-bus-proxyd through
Unix domain socket proxy takes client's smack label and sets for itself.
It is done before and independent of dropping privileges.
The reason of such soluton is fact that tests of access rights
performed by lsm may take place inside kernel, not only
in userspace of recipient of message.
The bus-proxyd needs CAP_MAC_ADMIN to manipulate its label.
In case of systemd running in system mode, CAP_MAC_ADMIN
should be added to CapabilityBoundingSet in service file of bus-proxyd.
In case of systemd running in user mode ('systemd --user')
it can be achieved by addition
Capabilities=cap_mac_admin=i and SecureBits=keep-caps
to user@.service file
and setting cap_mac_admin+ei on bus-proxyd binary.
|
|
Using the same scripts as in f647962d64e "treewide: yet more log_*_errno
+ return simplifications".
|
|
If the format string contains %m, clearly errno must have a meaningful
value, so we might as well use log_*_errno to have ERRNO= logged.
Using:
find . -name '*.[ch]' | xargs sed -r -i -e \
's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/'
Plus some whitespace, linewrap, and indent adjustments.
|
|
Using:
find . -name '*.[ch]' | while read f; do perl -i.mmm -e \
'local $/;
local $_=<>;
s/(if\s*\([^\n]+\))\s*{\n(\s*)(log_[a-z_]*_errno\(\s*([->a-zA-Z_]+)\s*,[^;]+);\s*return\s+\g4;\s+}/\1\n\2return \3;/msg;
print;'
$f
done
And a couple of manual whitespace fixups.
|
|
It corrrectly handles both positive and negative errno values.
|
|
As a followup to 086891e5c1 "log: add an "error" parameter to all
low-level logging calls and intrdouce log_error_errno() as log calls
that take error numbers", use sed to convert the simple cases to use
the new macros:
find . -name '*.[ch]' | xargs sed -r -i -e \
's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/'
Multi-line log_*() invocations are not covered.
And we also should add log_unit_*_errno().
|
|
|
|
Either become uid/gid of the client we have been forked for, or become
the "systemd-bus-proxy" user if the client was root. We retain
CAP_IPC_OWNER so that we can tell kdbus we are actually our own client.
|
|
|
|
|
|
make use of it from other daemons too
This is preparation to make networkd work as unpriviliged user.
|
|
with CAP_SYS_TIME)
|
|
Unfortunately a different cleanup function is necessary per type,
because cap_t** and char** are incompatible with void**.
|
|
Even if the lower-leveld dbus1 protocol calls it "serial", let's expose
the word "cookie" for this instead, as this is what kdbus uses and since
it doesn't imply monotonicity the same way "serial" does.
|
|
Also make thread_local available w/o including <threads.h>.
(as the latter hasn't been implemented, but this part is trivial)
|
|
You can write much more than just one line with this call (and we
frequently do), so let's correct the naming.
|
|
Also split out some fileio functions to fileio.c and provide a SELinux
aware pendant in fileio-label.c
see https://bugzilla.redhat.com/show_bug.cgi?id=881577
|
|
usermode helpers
This hooks things up with /proc/sys/kernel/usermodehelper/bset and
/proc/sys/kernel/usermodehelper/inheritable.
|
|
This also ensures that caps dropped from the bounding set are also
dropped from the inheritable set, to be extra-secure. Usually that should
change very little though as the inheritable set is empty for all our uses
anyway.
|
|
We finally got the OK from all contributors with non-trivial commits to
relicense systemd from GPL2+ to LGPL2.1+.
Some udev bits continue to be GPL2+ for now, but we are looking into
relicensing them too, to allow free copy/paste of all code within
systemd.
The bits that used to be MIT continue to be MIT.
The big benefit of the relicensing is that closed source code may now
link against libsystemd-login.so and friends.
|
|
internal libraries
Before:
$ ldd /lib/systemd/systemd-timestamp
linux-vdso.so.1 => (0x00007fffb05ff000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f90aac57000)
libcap.so.2 => /lib64/libcap.so.2 (0x00007f90aaa53000)
librt.so.1 => /lib64/librt.so.1 (0x00007f90aa84a000)
libc.so.6 => /lib64/libc.so.6 (0x00007f90aa494000)
/lib64/ld-linux-x86-64.so.2 (0x00007f90aae90000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f90aa290000)
libattr.so.1 => /lib64/libattr.so.1 (0x00007f90aa08a000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f90a9e6e000)
After:
$ ldd systemd-timestamp
linux-vdso.so.1 => (0x00007fff3cbff000)
libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f5eaa1c3000)
librt.so.1 => /lib64/librt.so.1 (0x00007f5ea9fbb000)
libc.so.6 => /lib64/libc.so.6 (0x00007f5ea9c04000)
/lib64/ld-linux-x86-64.so.2 (0x00007f5eaa3fc000)
libdl.so.2 => /lib64/libdl.so.2 (0x00007f5ea9a00000)
libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f5ea97e4000)
|
