Age | Commit message (Collapse) | Author |
|
Why the strange name: the prefix is necessary to follow our own advice that
environment generators should have numerical prefixes. I also put -d- in the
name because otherwise the name was very easy to mistake with
systemd.environment-generator. This additional letter clarifies that this
is a special generator that supports environment.d files.
|
|
We added mmap() and mmap2(), but forgot munmap(). Fix that.
Pointed out by @lucaswerkmeister:
https://github.com/systemd/systemd/pull/4537#issuecomment-273275298
|
|
Just as a matter of coding style: whenever we return successfully, let's
make sure all our return parameters are properly initialized to
something.
|
|
After generating the template name we can shortcut things and just call
unit_file_find_dirs() from inside itself, just with the new name and
save a good number of duplicate lines.
|
|
|
|
After all, most units won't have drop-in dirs, hence there's no point in
logging about that.
Fixes: #5252
|
|
Add new MountAPIVFS= boolean unit file setting + RootImage=
|
|
Add a bit of code that tries to get the right parameter order in place
for some of the better known architectures, and skips
restrict_namespaces for other archs.
This also bypasses the test on archs where we don't know the right
order.
In this case I didn't bother with testing the case where no filter is
applied, since that is hopefully just an issue for now, as there's
nothing stopping us from supporting more archs, we just need to know
which order is right.
Fixes: #5241
|
|
On i386 we block the old mmap() call entirely, since we cannot properly
filter it. Thankfully it hasn't been used by glibc since quite some
time.
Fixes: #5240
|
|
Mask individual .wants/.requires symlinks
|
|
The flag is originally defined for "basic data partitions", but not for the
ESP. We reuse it for the various partitions defined by the Discoverable
Partitions Spec, but it isn't defined for the ESP, hence don't check for
it. Instead, do check for GPT_FLAG_NO_BLOCK_IO_PROTOCOL, as that flag
actually is defined for all partition types, and recommended to use by
the UEFI spec.
Fixes: #5218
|
|
|
|
dropins
Essentially, instead of sequentially adding deps based on all symlinks
encountered in .wants and .requires dirs for each name and each unit file load
path, iterate over the load paths and unit names gathering symlinks, then
order them based on priority, and then iterate over the final list, adding
dependencies.
This patch doesn't change the logic too much, except that the order in which
dependencies are applied might be different. It wasn't defined before, so that's
not really a change. Adding filtering on the symlinks is left for later
patches.
|
|
No need to pass what we don't use.
|
|
it enabled
If a unit foobar@.service stored below /usr is instantiated via a
symlink foobar@quux.service also below /usr, then we should consider the
instance statically enabled, while the template itself should continue
to be considered enabled/disabled/static depending on its [Install]
section.
In order to implement this we'll now look for enablement symlinks in all
unit search paths, not just in the config and runtime dirs.
Fixes: #5136
|
|
Before this patch, if we'd encounter an instance or template symlink
while traversing a chain of symlinks we'd fill in the instance name and
retry the iteration. This makes no sense if the resulting name is
actually the same as we are coming from, as we'd just spin a couple of
times in the loop, until the UNIT_FILE_FOLLOW_SYMLINK_MAX iteration
limit is hit.
Fix this, by accepting the symlink as it is, if it is identical to what we
filled in.
|
|
This slightly extends the roothash loading logic to first check for a
user.verity.roothash extended attribute on the image file. If it exists,
it is used as Verity root hash and the ".roothash" file is not used.
This should improve the chance that the roothash is retained when the
file is moved around, as the data snippet is attached directly to the
image file. The field is still detached from the file payload however,
in order to make sure it may be trusted independently.
This does not replace the ".roothash" file loading, it simply adds a
second way to retrieve the data.
Extended attributes are often a poor choice for storing metadata like
this as it is usually difficult to discover for admins and users, and
hard to fix if it ever gets out of sync. However, in this case I think
it's safe as verity implies read-only access, and thus there's little
chance of it to get out of sync.
|
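The lookup order described in the commit message above (extended attribute first, ".roothash" file only when the attribute is absent), as an added example that is not systemd's code. The function names, the return codes and the sidecar naming rule ("disk.raw" becomes "disk.roothash") are assumptions made for illustration.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/xattr.h>

/* Trim trailing whitespace, then accept only non-empty, even-length hex. */
static int valid_hex(char *s) {
    size_t n = strlen(s);
    while (n > 0 && isspace((unsigned char) s[n - 1]))
        s[--n] = '\0';
    if (n == 0 || n % 2 != 0)
        return 0;
    for (size_t i = 0; i < n; i++)
        if (!isxdigit((unsigned char) s[i]))
            return 0;
    return 1;
}

/* Hypothetical helper. Returns 1 if the hash came from the xattr, 2 if it came
 * from the sidecar file, 0 if neither exists, -1 if the chosen source is malformed. */
static int load_roothash(const char *image, char *out, size_t size) {
    ssize_t r = getxattr(image, "user.verity.roothash", out, size - 1);
    if (r >= 0) {               /* xattr present: the sidecar is not consulted */
        out[r] = '\0';
        return (!memchr(out, '\0', (size_t) r) && valid_hex(out)) ? 1 : -1;
    }
    if (errno == ERANGE)        /* xattr present but too large to be a hash */
        return -1;

    /* Assumed sidecar naming: "disk.raw" -> "disk.roothash". */
    char path[4096];
    size_t n = strlen(image);
    if (n > 4 && strcmp(image + n - 4, ".raw") == 0)
        n -= 4;
    if (snprintf(path, sizeof path, "%.*s.roothash", (int) n, image) >= (int) sizeof path)
        return 0;
    FILE *f = fopen(path, "r");
    if (!f)
        return 0;
    char *line = fgets(out, (int) size, f);
    fclose(f);
    return (line && valid_hex(out)) ? 2 : -1;
}
```

A malformed attribute is reported as an error rather than falling through to the file, so the file cannot silently override an attribute that exists.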
|
This makes nspawn's logic of automatically discovering the root hash of
an image file generic, and then reuses it in systemd-dissect and in
PID1's RootImage= logic, so that verity is automatically set up whenever
we can.
|
|
directory for a service
This is similar to RootDirectory= but mounts the root file system from a
block device or loopback file instead of another directory.
This reuses the image dissector code now used by nspawn and
gpt-auto-discovery.
|
|
If the dissected image contains symlinks for the mount points we need we
need to make sure to follow this with chase_symlinks() so that we don't
leave the image.
|
|
ReadWritablePaths= work
5327c910d2fc1ae91bd0b891be92b30379c7467b claimed to add support for "+"
for prefixing paths with the configured RootDirectory=. But actually it
only implemented it in the backend, it did not add support for it to the
configuration file parsers. Fix that now.
|
|
conjunction with RootDirectory=
This adds a boolean unit file setting MountAPIVFS=. If set, the three
main API VFS mounts will be mounted for the service. This only has an
effect on RootDirectory=, which it makes a ton times more useful.
(This is basically the /dev + /proc + /sys mounting code posted in the
original #4727, but rebased on current git, and with the automatic logic
replaced by explicit logic controlled by a unit file setting)
|
|
it a NOP
See: #5215
|
|
explicit_bzero was added in glibc 2.25. Make use of it.
explicit_bzero is hardcoded to zero the memory, so string erase now
truncates the string, instead of overwriting it with 'x'. This causes
a visible difference only in the journalctl case.
|
|
(#5230)
https://github.com/systemd/systemd/issues/5215#issuecomment-277156262
libseccomp does not allow you to add architectures to a filter that
doesn't match the byte ordering of the architectures already added to
the filter (it would be a mess, not to mention largely pointless) and
since systemd attempts to add an ABI before removing the default native
ABI, you will always fail on Power (either due to ppc or ppc64le). The
fix is to remove the native ABI before adding a new ABI so you don't run
into problems with byte ordering.
You would likely see the same failure on a MIPS system.
Thanks @pcmoore!
|
|
run: fix race for "systemd-run --wait"
|
|
This reworks systemd-run so that in --pty mode we watch the unit state
the way we do it in --wait mode. Whenever we notice that the service is
in failed or inactive state finish right-away, but first write all
unwritten characters we can read from the master TTY device.
This makes sure that when the TTY service fails before it opens the
slave PTY device we properly notice that and exit early, so that borked
start parameters result in immediate systemd-run failure. Previously,
we'd not notice this at all, as a PTY slave that never was opened won't
result in POLLHUP events, and we'd hence simply keep reading from it
forever.
In essence, --pty now enables the same unit watching logic that --wait
enables. However, unless --wait is specified we won't show the final
summary, hence the effective difference should be pretty minimal.
Fixes: #3915
|
|
Two fixes to path lookup when --root is used
|
|
ptyfwd object
|
|
usec_t is always 64bit, which means it can cover quite a number of
years. However, 4 digit year display and glibc limitations around time_t
limit what we can actually parse and format. Let's make this explicit,
so that we never end up formatting dates we can't parse and vice versa.
Note that this is really just about formatting/parsing. Internal
calculations with times outside of the formattable range are not
affected.
|
|
The general rule is:
- code in shared/ should take an "original_root" argument (possibly NULL)
and pass it along down to chase_symlinks
- code in core/ should always specify original_root==NULL, since we
don't support running the manager from non-root directory
- code in systemctl and other tools should pass arg_root.
For any code that is called from tools which support --root, chase_symlinks
must be used to look up paths.
|
|
systemd-cgls --unit --user-unit
|
|
…and use it where possible.
|
|
show_cgroup_get_root_and_warn is renamed to show_cgroup_get_path_and_warn
because it now optionally allows querying a non-root path.
This removes duplicated code and teaches cgtop to combine
-M with a root prefix:
$ systemd-cgtop -M myprecious /system.slice
...
|
|
No functional change.
|
|
We use different idioms at different places. Let's replace this with the
one true new idiom, that is even a bit faster...
|
|
CID #1368243.
|
|
|
|
|
|
This substantially reworks the seccomp code, to ensure better
compatibility with some architectures, including i386.
So far we relied on libseccomp's internal handling of the multiple
syscall ABIs supported on Linux. This is problematic however, as it does
not define clear semantics if an ABI is not able to support specific
seccomp rules we install.
This rework hence changes a couple of things:
- We no longer use seccomp_rule_add(), but only
seccomp_rule_add_exact(), and fail the installation of a filter if the
architecture doesn't support it.
- We no longer rely on adding multiple syscall architectures to a single filter,
but instead install a separate filter for each syscall architecture
supported. This way, we can install a strict filter for x86-64, while
permitting a less strict filter for i386.
- All high-level filter additions are now moved from execute.c to
seccomp-util.c, so that we can test them independently of the service
execution logic.
- Tests have been added for all types of our seccomp filters.
- SystemCallFilters= and SystemCallArchitectures= are now implemented in
independent filters and installation logic, as they semantically are
very much independent of each other.
Fixes: #4575
|
|
instance might be "", and that string would be leaked.
CID #1368264.
|
|
|
|
This is a follow-up for dc7dd61de610e9330
|
|
Fixes:
```
touch hola.service
systemctl link $(pwd)/hola.service $(pwd)/hola.service
```
```
==1==ERROR: AddressSanitizer: attempting double-free on 0x60300002c560 in thread T0 (systemd):
#0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00)
#1 0x7fc8c90ebd3b in strv_clear src/basic/strv.c:83
#2 0x7fc8c90ebdb6 in strv_free src/basic/strv.c:89
#3 0x55637c758c77 in strv_freep src/basic/strv.h:37
#4 0x55637c763ba9 in method_enable_unit_files_generic src/core/dbus-manager.c:1960
#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001
#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418
#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255
#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371
#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563
#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605
#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837
#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856
#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126
#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274
#18 0x55637c6a2194 in main src/core/main.c:1920
#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400)
#20 0x55637c697339 in _start (/usr/lib/systemd/systemd+0xcd339)
0x60300002c560 is located 0 bytes inside of 19-byte region [0x60300002c560,0x60300002c573)
freed by thread T0 (systemd) here:
#0 0x7fc8c961cb00 in free (/lib64/libasan.so.3+0xc6b00)
#1 0x7fc8c90ee320 in strv_remove src/basic/strv.c:630
#2 0x7fc8c90ee190 in strv_uniq src/basic/strv.c:602
#3 0x7fc8c9180533 in unit_file_link src/shared/install.c:1996
#4 0x55637c763b25 in method_enable_unit_files_generic src/core/dbus-manager.c:1985
#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001
#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418
#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255
#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371
#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563
#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605
#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837
#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856
#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126
#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274
#18 0x55637c6a2194 in main src/core/main.c:1920
#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400)
previously allocated by thread T0 (systemd) here:
#0 0x7fc8c95b0160 in strdup (/lib64/libasan.so.3+0x5a160)
#1 0x7fc8c90edf32 in strv_extend src/basic/strv.c:552
#2 0x7fc8c923ae41 in bus_message_read_strv_extend src/libsystemd/sd-bus/bus-message.c:5578
#3 0x7fc8c923b0de in sd_bus_message_read_strv src/libsystemd/sd-bus/bus-message.c:5600
#4 0x55637c7639d1 in method_enable_unit_files_generic src/core/dbus-manager.c:1969
#5 0x55637c763d16 in method_link_unit_files src/core/dbus-manager.c:2001
#6 0x7fc8c92537ec in method_callbacks_run src/libsystemd/sd-bus/bus-objects.c:418
#7 0x7fc8c9258830 in object_find_and_run src/libsystemd/sd-bus/bus-objects.c:1255
#8 0x7fc8c92594d7 in bus_process_object src/libsystemd/sd-bus/bus-objects.c:1371
#9 0x7fc8c91e7553 in process_message src/libsystemd/sd-bus/sd-bus.c:2563
#10 0x7fc8c91e78ce in process_running src/libsystemd/sd-bus/sd-bus.c:2605
#11 0x7fc8c91e8f61 in bus_process_internal src/libsystemd/sd-bus/sd-bus.c:2837
#12 0x7fc8c91e90d2 in sd_bus_process src/libsystemd/sd-bus/sd-bus.c:2856
#13 0x7fc8c91ea8f9 in io_callback src/libsystemd/sd-bus/sd-bus.c:3126
#14 0x7fc8c928333b in source_dispatch src/libsystemd/sd-event/sd-event.c:2268
#15 0x7fc8c9285cf7 in sd_event_dispatch src/libsystemd/sd-event/sd-event.c:2627
#16 0x7fc8c92865fa in sd_event_run src/libsystemd/sd-event/sd-event.c:2686
#17 0x55637c6b5257 in manager_loop src/core/manager.c:2274
#18 0x55637c6a2194 in main src/core/main.c:1920
#19 0x7fc8c7ac7400 in __libc_start_main (/lib64/libc.so.6+0x20400)
SUMMARY: AddressSanitizer: double-free (/lib64/libasan.so.3+0xc6b00) in free
==1==ABORTING
```
Closes #5015
|
|
Easily reproducible:
1) systemctl mask foo
2) systemctl unmask foo foo
The problem here is that the *i that is put into todo[] is later freed
in strv_uniq(), which is not directly visible from this patch. Somewhere
further in the code, the string that *i pointed to is freed again. That
happens only when multiple services with the same name/path are specified.
|
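The ownership problem behind the two double-free reports above, as an added example that is not systemd's code. `vec_uniq()`, `build_todo()` and `shared_pointers()` are hypothetical stand-ins: a work list that borrows the caller's pointers is unsafe to deduplicate with a routine that frees what it drops, while a work list of private copies is safe.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed model, not systemd code: NULL-terminated vectors of heap strings. */
static size_t vec_len(char **l) { size_t n = 0; while (l[n]) n++; return n; }

static char *dup_str(const char *s) {
    size_t n = strlen(s) + 1;
    char *p = malloc(n);
    return p ? memcpy(p, s, n) : NULL;
}

/* Drop duplicates in place and free() each dropped string, the behaviour the
 * commit message describes for strv_uniq(). Returns how many were freed. */
static size_t vec_uniq(char **l) {
    size_t freed = 0;
    for (size_t i = 0; l[i]; i++)
        for (size_t j = i + 1; l[j]; ) {
            if (strcmp(l[i], l[j]) != 0) { j++; continue; }
            free(l[j]); freed++;
            /* shift the tail (including the NULL) left over the freed slot */
            for (size_t k = j; (l[k] = l[k + 1]); k++) {}
        }
    return freed;
}

/* copy == 0 is the bug pattern: todo[] borrows the caller's pointers, so
 * vec_uniq(todo) would free a string that the caller frees again later.
 * copy != 0 is the hardened form: todo[] owns private copies. */
static char **build_todo(char **names, int copy) {
    size_t n = vec_len(names);
    char **todo = calloc(n + 1, sizeof(char *));
    for (size_t i = 0; todo && i < n; i++) {
        todo[i] = copy ? dup_str(names[i]) : names[i];
        if (!todo[i]) {                 /* allocation failed: undo and report */
            while (i > 0) free(todo[--i]);
            free(todo);
            return NULL;
        }
    }
    return todo;
}

/* Number of pointers present in both vectors; nonzero means shared ownership. */
static size_t shared_pointers(char **a, char **b) {
    size_t n = 0;
    for (size_t i = 0; a[i]; i++)
        for (size_t j = 0; b[j]; j++)
            n += (a[i] == b[j]);
    return n;
}
```

With a duplicated argument such as `foo foo`, the borrowed list shares every pointer with the caller's vector, which is the precondition for the double free; the copied list shares none.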
|
|
|
This permits "systemctl enable" and "systemctl add-wants" on template
units without any specifications of an instance name, neither specified
on the command line, nor specified in DefaultInstance= field of the
[install] section.
Fixes: #3473
|
|
The system call is obsolete after all.
|
|
|
|
These group reboot()/kexec() and swapon()/swapoff() respectively
|