summaryrefslogtreecommitdiff
path: root/src/shared
AgeCommit message (Collapse)Author
2016-01-05resolved,networkd: add a per-interface DNSSEC settingLennart Poettering
This adds a DNSSEC= setting to .network files, and makes resolved honour them.
2016-01-05resolved,networkd: unify ResolveSupport enumLennart Poettering
networkd previously knew an enum "ResolveSupport" for configuring per-interface LLMNR support, resolved had a similar enum just called "Support", with the same value and similar pasers. Unify this, call the enum ResolveSupport, and port both daemons to it.
2016-01-04Add GPT partition type GUID for Itanium root partitionAndrew Wilcox
2015-12-28shared: relax restrictions on valid domain name characters a bitLennart Poettering
Previously, we'd not allow control characters to be embedded in domain names, even when escaped. Since cloudflare uses \000 however to implement its synthethic minimally covering NSEC RRs, we should allow them, as long as they are properly escaped.
2015-12-27shared: fix handling of suffix "." in dns_name_compare_func()Lennart Poettering
All our other domain name handling functions make no destinction between domain names that end in a dot plus a NUL, or those just ending in a NUL. Make sure dns_name_compare_func() and dns_label_unescape_suffix() do the same.
2015-12-26shared: fix error propagation in dns_name_compare_func()Lennart Poettering
2015-12-26resolved: tighten search for NSEC3 RRs a bitLennart Poettering
Be stricter when searching suitable NSEC3 RRs for proof: generalize the check we use to find suitable NSEC3 RRs, in nsec3_is_good(), and add additional checks, such as checking whether all NSEC3 RRs use the same parameters, have the same suffix and so on.
2015-12-26resolved: properly implement RRSIG validation of wildcarded RRsetsLennart Poettering
Note that this is still not complete, one additional step is still missing: when we verified that a wildcard RRset is properly signed, we still need to do an NSEC/NSEC3 proof that no more specific RRset exists.
2015-12-23Merge pull request #2158 from keszybz/journal-decompressionLennart Poettering
Journal decompression fixes
2015-12-18shared: add dns_name_parent() call to determine parent domain of a domainLennart Poettering
2015-12-13journal: properly handle an unexpectedly missing fieldZbigniew Jędrzejewski-Szmek
parse_field() checks if the field has the expected format, and returns 0 if it doesn't. In that case, value and size are not set. Nevertheless, we would try to continue, and hit an assert in safe_atou64. This case shouldn't happen, unless sd_j_get_data is borked, so cleanly assert that we got the expected field. Also, oom is the only way that parse_field can fail, which we log already. Instead of outputting a debug statement and carrying on, treat oom as fatal.
2015-12-10importd: drop dkr supportLennart Poettering
The current code is not compatible with current dkr protocols anyway, and dkr has a different focus ("microservices") than nspawn anyway ("whole machine containers"), hence drop support for it, we cannot reasonably keep this up to date, and it creates the impression we'd actually care for the microservices usecase.
2015-12-10Merge pull request #2056 from evverx/expose-soft-limits-on-the-busLennart Poettering
Expose soft limits on the bus
2015-12-06shared: include what we useThomas Hindoe Paaboel Andersen
The next step of a general cleanup of our includes. This one mostly adds missing includes but there are a few removals as well.
2015-12-02resolved: add basic DNSSEC supportLennart Poettering
This adds most basic operation for doing DNSSEC validation on the client side. However, it does not actually add the verification logic to the resolver. Specifically, this patch only includes: - Verifying DNSKEY RRs against a DS RRs - Verifying RRSets against a combination of RRSIG and DNSKEY RRs - Matching up RRSIG RRs and DNSKEY RRs - Matching up RR keys and RRSIG RRs - Calculating the DNSSEC key tag from a DNSKEY RR All currently used DNSSEC combinations of SHA and RSA are implemented. Support for MD5 hashing and DSA or EC cyphers are not. MD5 and DSA are probably obsolete, and shouldn't be added. EC should probably be added eventually, if it actually is deployed on the Internet.
2015-12-02util-lib: update dns_name_to_wire_format() to optionally generate DNSSEC ↵Lennart Poettering
canonical names We'll need this later when putting together RR serializations to checksum.
2015-11-30core: expose soft limits on the busEvgeny Vereshchagin
This is a follow-up for https://github.com/systemd/systemd/pull/1994 See https://github.com/systemd/systemd/pull/1994#issuecomment-160087219
2015-11-30dns-domain: change error codes when dealing with too short buffers to ENOBUFSLennart Poettering
Some calls used ENOBUFS to indicate too-short result buffers, others used ENOSPC. Let's unify this on ENOBUFS.
2015-11-30dns-domain: check resulting domain name length in dns_name_to_wire_format()Lennart Poettering
Let's better be safe than sorry.
2015-11-30dns-domain: make sure dns_name_to_wire_format() may properly encode the root ↵Lennart Poettering
domain The root domain consists of zero labels, and we should be able to encode that.
2015-11-30dns-domain: don't accept overly long hostnamesLennart Poettering
Make sure dns_name_normalize(), dns_name_concat(), dns_name_is_valid() do not accept/generate invalidly long hostnames, i.e. longer than 253 characters.
2015-11-30dns-domain: be more strict when encoding/decoding labelsLennart Poettering
Labels of zero length are not OK, refuse them early on. The concept of a "zero-length label" doesn't exist, a zero-length full domain name however does (representing the root domain). See RFC 2181, Section 11.
2015-11-30Merge pull request #2053 from poettering/selinux-fixDavid Herrmann
Two unrelated fixes
2015-11-30Merge pull request #2063 from keszybz/issue-1977-2Lennart Poettering
journal: clean up permission setting and acl adjustements on user journals
2015-11-29tree-wide: remove unused variablesThomas Hindoe Paaboel Andersen
2015-11-28acl-util: only set the mask if not presentZbigniew Jędrzejewski-Szmek
When we have non-owner user or group entries, we need the mask for the acl to be valid. But acl_calc_mask() calculates the mask to include all permissions, even those that were masked before. Apparently this happens when we inherit *:r-x permissions from a parent directory — the kernel sets *:r-x, mask:r--, effectively masking the executable bit. acl_calc_mask() would set the mask:r-x, effectively enabling the bit. To avoid this, be more conservative when to add the mask entry: first iterate over all entries, and do nothing if a mask. This returns the code closer to J.A.Steffens' original version in v204-90-g23ad4dd884. Should fix https://github.com/systemd/systemd/issues/1977.
2015-11-27journal: move the gist of server_fix_perms to acl-util.[hc]Zbigniew Jędrzejewski-Szmek
Most of the function is moved to acl-util.c to make it possible to add tests in subsequent commit. Setting of the mode in server_fix_perms is removed: - we either just created the file ourselves, and the permission be better right, - or the file was already there, and we should not modify the permissions. server_fix_perms is renamed to server_fix_acls to better reflect new meaning, and made static because it is only used in one file.
2015-11-27selinux: split up mac_selinux_have() from mac_selinux_use()Lennart Poettering
Let's distuingish the cases where our code takes an active role in selinux management, or just passively reports whatever selinux properties are set. mac_selinux_have() now checks whether selinux is around for the passive stuff, and mac_selinux_use() for the active stuff. The latter checks the former, plus also checks UID == 0, under the assumption that only when we run priviliged selinux management really makes sense. Fixes: #1941
2015-11-27util-lib: move nss-util.h from shared/ to basic/Lennart Poettering
The header file defines some helpers for GLIBC NSS and doesn't include anything else but glibc headers, hence there's little reason to keep it in shared/. See: #2008
2015-11-27tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easyLennart Poettering
GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.
2015-11-27Merge pull request #2040 from keszybz/randomized-delayLennart Poettering
core: rename Random* to RandomizedDelay*
2015-11-26core: rename Random* to RandomizedDelay*Zbigniew Jędrzejewski-Szmek
The name RandomSec is too generic: "Sec" just specifies the default unit type, and "Random" by itself is not enough. Rename to something that should give the user general idea what the setting does without looking at documentation.
2015-11-25dns-domain: rework dns_label_escape() to not imply memory allocationLennart Poettering
The new dns_label_escape() call now operates on a buffer passed in, similar to dns_label_unescape(). This should make decoding a bit faster, and nicer.
2015-11-25dns-domain: change dns_srv_type_is_valid() return value to boolLennart Poettering
For similar reasons as dns_name_is_root() got changed in the previous commit.
2015-11-25dns-domain: simplify dns_name_is_root() and dns_name_is_single_label()Lennart Poettering
Let's change the return value to bool. If we encounter an error while parsing, return "false" instead of the actual parsing error, after all the specified hostname does not qualify for what the function is supposed to test. Dealing with the additional error codes was always cumbersome, and easily misused, like for example in the DHCP code. Let's also rename the functions from dns_name_root() to dns_name_is_root(), to indicate that this function checks something and returns a bool. Similar for dns_name_is_signal_label().
2015-11-25dns-domain: remove prototype for function that doesn't existLennart Poettering
2015-11-24resolved: implement client-side DNAME resolutionLennart Poettering
Most servers apparently always implicitly convert DNAME to CNAME, but some servers don't, hence implement this properly, as this is required by edns0.
2015-11-23dns-domain: add calls to join/split SRV/DNS-SD service domainsLennart Poettering
This adds dns_service_join() and dns_service_split() which may be used to concatenate a DNS-SD service name, am SRV service type string, and a domain name into a full resolvable DNS domain name string. If the service name is specified as NULL, only the type and domain are appended, to implement classic, non-DNS-SD SRV lookups. The reverse is dns_service_split() which takes the full name, and split it into the three components again.
2015-11-23dns-domain: add code for verifying validity of DNS-SD service names and typesLennart Poettering
2015-11-19Merge pull request #1947 from phomes/sort-includes2Lennart Poettering
tree-wide: sort includes in *.h
2015-11-19Merge pull request #1931 from bengal/dhcp-fqdn-v2Tom Gundersen
libsystemd-network: add support for "Client FQDN" DHCP option (v2)
2015-11-18tree-wide: sort includes in *.hThomas Hindoe Paaboel Andersen
This is a continuation of the previous include sort patch, which only sorted for .c files.
2015-11-18core: add new RandomSec= setting for time unitsLennart Poettering
This allows configuration of a random time on top of the elapse events, in order to spread time events in a network evenly across a range.
2015-11-18bus-util: make sure --property=RemainAfterElapse=1 worksLennart Poettering
2015-11-18bus-util: add in forgotten error messagesLennart Poettering
2015-11-17dns-domain: add dns_name_to_wire_format()Beniamino Galvani
The function converts a domain name string to the wire format described in RFC 1035 Section 3.1.
2015-11-16tree-wide: sort includesThomas Hindoe Paaboel Andersen
Sort the includes accoding to the new coding style.
2015-11-15install: don't mix state and type enumsThomas Hindoe Paaboel Andersen
from 0ec0deaa
2015-11-13Merge pull request #1869 from poettering/kill-overridableMichal Schmidt
Remove support for RequiresOverridable= and RequisiteOverridable=
2015-11-12generator: order initrd fsck-root after local-fs-preMichael Marineau
The initrd version of systemd-fsck-root.service must wait for local-fs-pre.target just like systemd-fsck@.service to prevent modifications to the filesystem prior to resuming from hibernation. As-is my laptop routinely fails to resume due to fsck errors. The rest of the time it is probably silently corrupting the filesystem. Unlike normal boot, in the initrd systemd-fsck-root.service has no special significance so it needs to be kept in sync with systemd-fsck@.service. The name systemd-fsck-root.service is only used to preserve state across switch-root.