| Age | Commit message (Collapse) | Author |
|---|
|
Before 34a3baa4d 'sleep-config: Dereference pointer before check for NULL'
oom conditions would not be detected properly. After that commit, a double
free was performed.
Rework the whole function to be easier to understand, and also replace
strv_split_nulstr with strv_new, since we know the strings anyway.
|
|
This fixes a bug pointed out by http://css.csail.mit.edu/stack/
(Optimization-unstable code)
It is a similar fix as f146f5e159 (2013-12-30, core:
Forgot to dereference pointer when checking for NULL)
To explain this bug consider the following similar, but simpler code:
if (!p)
free(*p)
Assume the if condition evaluates to true, then we will access *p,
which means the compiler can assume p is a valid pointer, so it could
dereference p and use the value *p.
Assuming p as a valid pointer, !p will be false.
But initally we assumed the condition evaluates to true.
By this reasoning the optimizing compiler can deduce, we have dead code.
("The if will never be taken, as *p must be valid, because otherwise
accessing *p inside the if would segfault")
This led to an error message of the static code checker, so I checked the
code in question.
As we access *modes and *states before the check in the changed line of
this patch, I assume the line to be wrong and we actually wanted to check
for *modes and *states being both non null.
|
|
compat parser
|
|
Suggested-by: Russ Allbery <rra@debian.org>
|
|
|
|
Even if the lower-leveld dbus1 protocol calls it "serial", let's expose
the word "cookie" for this instead, as this is what kdbus uses and since
it doesn't imply monotonicity the same way "serial" does.
|
|
|
|
socket-activated services
|
|
Since 0c6f1f4ea49 the check was useless, because the kernel will
ever only write "partition" or "file" there.
OTOH, it is possible that "\\040(deleted)" (escaped " (deleted)")
will be added for removed files. This should not happen, so add
a warning to detect those cases.
|
|
before parsing
|
|
including it in the log strings
|
|
|
|
Introduce new call getpeercred() which internally just uses SO_PEERCRED
but checks if the returned data is actually useful due to namespace
quirks.
|
|
then read message
There's no EOF generated for AF_UNIX/SOCK_DGRAM sockets, hence let's
wait for the child first to see if it succeeded, only then read the socket.
|
|
instead
|
|
|
|
Let's try to standardize on a single non-cryptographic hash algorithm,
and for that SipHash appears to be the best answer.
With this change there are two other hash functions left in systemd: an
older version of MurmurHash embedded into libudev for the bloom filters
in udev messages (which is hard to update, given that the we probably
should stay compatible with older versions of the library). And lookup3
in the journal files (which we could replace for new files, but which is
probably not worth the work).
|
|
|
|
Units from user services underneath user@.service would not be detected
properly.
|
|
SipHash appears to be the new gold standard for hashing smaller strings
for hashtables these days, so let's make use of it.
|
|
|
|
|
|
This fixes rm_rf_children_dangerous to detect errors during directory
reading. Previously, it could dereference an uninitialized pointer.
|
|
The old code incorrectly assumed that readdir_r updates errno.
|
|
|
|
For a user, the timeout of 1 min per message seems equivalent to a hang.
If journald cannot process a message from PID1 for 10 ms then something
is significantly wrong. It's better to lose the message and continue.
|
|
|
|
|
|
This reverts commit e7d43b3cc30764138c90eaaf95d3d8f49e448890.
This broke the console terminal when booting up a container, so let's
not do this.
|
|
|
|
reconnect
|
|
Instead, force reopen it only if we really really have to.
|
|
In some circumstances, for example when start-up times out we
immediately jump into the final state, at which point we still should
try to watch the main pid so that the SIGCHLD allows us to quickly
move into dead state.
|
|
activated
|
|
also define noreturn w/o <stdnoreturn.h>
|
|
the process only has one working directory, and a race is
harmless
|
|
Also make thread_local available w/o including <threads.h>.
(as the latter hasn't been implemented, but this part is trivial)
|
|
Due to this patch, message dump (for message which includes boolean
type) is more consistent with dbus-send (which display true/false
instead of yes/no for boolean). It's only simple 'cosmetics change'.
** For dbus-send **
dbus-send --system --dest=org.freedesktop.DBus --type=method_call --print-reply / org.freedesktop.DBus.NameHasOwner string:org.freedesktop.login1
method return sender=org.freedesktop.DBus -> dest=:1.97 reply_serial=2
boolean true
** For libsystemd-bus (without this patch) **
‣ Type=method_call Endian=l Flags=0 Version=2 Serial=8
Destination=org.freedesktop.DBus Path=/org/freedesktop/DBus Interface=org.freedesktop.DBus Member=NameHasOwner
MESSAGE "s" {
STRING "org.freedesktop.login1";
};
‣ Type=method_return Endian=l Flags=1 Version=2 Serial=51 ReplySerial=8
Sender=:1.59 Destination=:1.67
UniqueName=:1.59 WellKnownNames={org.freedesktop.DBus}
MESSAGE "b" {
BOOLEAN yes;
};
For me true/false seems to be better readable than yes/no for BOOLEAN.
|
|
|
|
bus also switch over PID namespace
This is necessary to ensure that kdbus can collect creds of the
destination namespace when connecting.
|
|
If we have the priviliges we will try SO_SNDBUFFORCE/SO_RCVBUFFORCE and
only fall back to SO_SNDBUF/SO_RCVBUF if that fails.
|
|
These specifiers require NSS lookups to work, and we really shouldn't do
them from PID 1 hence. With this change they are now only supported for
user systemd instance, or when the configured user for a unit is root.
|
|
Since numbers involved are all small, behaviour was correct already.
https://bugzilla.redhat.com/show_bug.cgi?id=1043304
|
|
|
|
the transition
|
|
Previously we'd open the connection in the originating namespace, which
meant most peers of the bus would not be able to make sense of the
PID/UID/... identity of us since we didn't exist in the namespace they
run in. However they require this identity for privilege decisions,
hence disallowing access to anything from the host.
Instead, when connecting to a container, create a temporary subprocess,
make it join the container's namespace and then connect from there to
the kdbus instance. This is similar to how we do it for socket
conections already.
THis also unifies the namespacing code used by machinectl and the bus
APIs.
|
|
|
|
|
|
Needed for socketpair, recv
|
|
% build/journalctl help
Assertion 'match_is_valid(data, size)' failed at ../src/journal/sd-journal.c:227, function sd_journal_add_match(). Ignoring.
Callers cannot be expect to check all arguments always.
|
