| Age | Commit message (Collapse) | Author |
|---|
|
In case of running test-execute on systems with systemd < v232, several
tests like privatedevices or protectkernelmodules fail because
/run/systemd/inaccessible/ doesn't exist. In these cases, we should skip
tests to avoid unnecessary errors.
See also https://github.com/systemd/systemd/pull/4243#issuecomment-253665566
|
|
This validates the system call set table and many of our seccomp-util.c APIs.
|
|
Commandline parsing simplification and udev fix
|
|
test: lets add more tests to cover SupplementaryGroups= cases.
|
|
|
|
Introduce a new enum to get rid of some boolean arguments of unit_file_*
functions. It unifies the code, makes it a bit cleaner and extensible.
|
|
|
|
|
|
This stripping is contolled by a new boolean parameter. When the parameter
is true, it means that the caller does not care about the distinction between
initrd and real root, and wants to act on both rd-dot-prefixed and unprefixed
parameters in the initramfs, and only on the unprefixed parameters in real
root. If the parameter is false, behaviour is the same as before.
Changes by caller:
log.c (systemd.log_*): changed to accept rd-dot-prefix params
pid1: no change, custom logic
cryptsetup-generator: no change, still accepts rd-dot-prefix params
debug-generator: no change, does not accept rd-dot-prefix params
fsck: changed to accept rd-dot-prefix params
fstab-generator: no change, custom logic
gpt-auto-generator: no change, custom logic
hibernate-resume-generator: no change, does not accept rd-dot-prefix params
journald: changed to accept rd-dot-prefix params
modules-load: no change, still accepts rd-dot-prefix params
quote-check: no change, does not accept rd-dot-prefix params
udevd: no change, still accepts rd-dot-prefix params
I added support for "rd." params in the three cases where I think it's
useful: logging, fsck options, journald forwarding options.
|
|
No functional change.
|
|
|
|
Fixes:
```
==10750==
==10750== HEAP SUMMARY:
==10750== in use at exit: 96 bytes in 3 blocks
==10750== total heap usage: 1,711 allocs, 1,708 frees, 854,545 bytes
allocated
==10750==
==10750== 96 (64 direct, 32 indirect) bytes in 1 blocks are definitely
lost in loss record 3 of 3
==10750== at 0x4C2DA60: calloc (vg_replace_malloc.c:711)
==10750== by 0x4EB3BDA: calendar_spec_from_string
(calendarspec.c:771)
==10750== by 0x109675: test_hourly_bug_4031 (test-calendarspec.c:118)
==10750== by 0x10A00E: main (test-calendarspec.c:202)
==10750==
==10750== LEAK SUMMARY:
==10750== definitely lost: 64 bytes in 1 blocks
==10750== indirectly lost: 32 bytes in 2 blocks
==10750== possibly lost: 0 bytes in 0 blocks
==10750== still reachable: 0 bytes in 0 blocks
==10750== suppressed: 0 bytes in 0 blocks
==10750==
==10750== For counts of detected and suppressed errors, rerun with: -v
==10750== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)
```
|
|
Various install-related tweaks
|
|
When a unit file is invalid, we'd return an error without any details:
$ systemctl --root=/ enable testing@instance.service
Failed to enable: Invalid argument.
Fix things to at least print the offending file name:
$ systemctl enable testing@instance.service
Failed to enable unit: File testing@instance.service: Invalid argument
$ systemctl --root=/ enable testing@instance.service
Failed to enable unit, file testing@instance.service: Invalid argument.
A real fix would be to pass back a proper error message from conf-parser.
But this would require major surgery, since conf-parser functions now
simply print log errors, but we would need to return them over the bus.
So let's just print the file name, to indicate where the error is.
(Incomplete) fix for #4210.
|
|
Apparently this works just fine, so the issue in #4031 is elsewhere.
|
|
endocode/djalal/sandbox-first-protection-kernelmodules-v1
core:sandbox: Add ProtectKernelModules= and some fixes
|
|
Fixes: #4181
|
|
propagation
|
|
Lets go further and make /lib/modules/ inaccessible for services that do
not have business with modules, this is a minor improvment but it may
help on setups with custom modules and they are limited... in regard of
kernel auto-load feature.
This change introduce NameSpaceInfo struct which we may embed later
inside ExecContext but for now lets just reduce the argument number to
setup_namespace() and merge ProtectKernelModules feature.
|
|
|
|
This just adds capabilities test.
|
|
Add an "invocation ID" concept to the service manager
|
|
This is a bit crude and only works for new systemd versions which
have libsystemd-shared.
|
|
Let's make sure people invoking STRV_FOREACH_BACKWARDS() as a single statement
of an if statement don't fall into a trap, and find the tail for the list via
strv_length().
|
|
If the new item is inserted before the first item in the list, then the
head must be updated as well.
Add a test to the list unit test to check for this.
|
|
core:sandbox: Add new ProtectKernelTunables=, ProtectControlGroups=, ProtectSystem=strict and fixes
|
|
propagation
Better safe.
|
|
|
|
|
|
This adds logic to chase symlinks for all mount points that shall be created in
a namespace environment in userspace, instead of leaving this to the kernel.
This has the advantage that we can correctly handle absolute symlinks that
shall be taken relative to a specific root directory. Moreover, we can properly
handle mounts created on symlinked files or directories as we can merge their
mounts as necessary.
(This also drops the "done" flag in the namespace logic, which was never
actually working, but was supposed to permit a partial rollback of the
namespace logic, which however is only mildly useful as it wasn't clear in
which case it would or would not be able to roll back.)
Fixes: #3867
|
|
If a dir is marked to be inaccessible then everything below it should be masked
by it.
|
|
ProtectControlGroups=
If enabled, these will block write access to /sys, /proc/sys and
/proc/sys/fs/cgroup.
|
|
Also some trivial tests for STR_IN_SET and STRPTR_IN_SET.
|
|
|
|
Strerror removal and other janitorial cleanups
|
|
|
|
According to its manual page, flags given to mkostemp(3) shouldn't include
O_RDWR, O_CREAT or O_EXCL flags as these are always included. Beyond
those, the only flag that all callers (except a few tests where it
probably doesn't matter) use is O_CLOEXEC, so set that unconditionally.
|
|
A follow-up for #3818 (992e8f2).
|
|
One trailing dot is valid, but more than one isn't. This also fixes glibc's
posix/tst-getaddrinfo5 test.
Fixes #3978.
|
|
Fixes #3882
|
|
Trivial fixes to udev and condition tests
|
|
Our tests should test for OOM too explicitly, hence fix the test accordingly
|
|
Let's add one more test that came up during the discussion of an issue.
The selected name with 69 chars is above the Linux hostname limit of 64.
|
|
This adds the boolean RemoveIPC= setting to service, socket, mount and swap
units (i.e. all unit types that may invoke processes). if turned on, and the
unit's user/group is not root, all IPC objects of the user/group are removed
when the service is shut down. The life-cycle of the IPC objects is hence bound
to the unit life-cycle.
This is particularly relevant for units with dynamic users, as it is essential
that no objects owned by the dynamic users survive the service exiting. In
fact, this patch adds code to imply RemoveIPC= if DynamicUser= is set.
In order to communicate the UID/GID of an executed process back to PID 1 this
adds a new "user lookup" socket pair, that is inherited into the forked
processes, and closed before the exec(). This is needed since we cannot do NSS
from PID 1 due to deadlock risks, However need to know the used UID/GID in
order to clean up IPC owned by it if the unit shuts down.
|
|
It was meant to write to q instead of t
FAIL: test-id128
================
=================================================================
==125770==ERROR: AddressSanitizer: stack-buffer-overflow on address 0x7ffd4615bd31 at pc 0x7a2f41b1bf33 bp 0x7ffd4615b750 sp 0x7ffd4615b748
WRITE of size 1 at 0x7ffd4615bd31 thread T0
#0 0x7a2f41b1bf32 in id128_to_uuid_string src/libsystemd/sd-id128/id128-util.c:42
#1 0x401f73 in main src/test/test-id128.c:147
#2 0x7a2f41336341 in __libc_start_main (/lib64/libc.so.6+0x20341)
#3 0x401129 in _start (/home/crrodriguez/scm/systemd/.libs/test-id128+0x401129)
Address 0x7ffd4615bd31 is located in stack of thread T0 at offset 1409 in frame
#0 0x401205 in main src/test/test-id128.c:37
This frame has 23 object(s):
[32, 40) 'b'
[96, 112) 'id'
[160, 176) 'id2'
[224, 240) 'a'
[288, 304) 'b'
[352, 368) 'a'
[416, 432) 'b'
[480, 496) 'a'
[544, 560) 'b'
[608, 624) 'a'
[672, 688) 'b'
[736, 752) 'a'
[800, 816) 'b'
[864, 880) 'a'
[928, 944) 'b'
[992, 1008) 'a'
[1056, 1072) 'b'
[1120, 1136) 'a'
[1184, 1200) 'b'
[1248, 1264) 'a'
[1312, 1328) 'b'
[1376, 1409) 't' <== Memory access at offset 1409 overflows this variable
[1472, 1509) 'q'
HINT: this may be a false positive if your program uses some custom stack unwind mechanism or swapcontext
(longjmp and C++ exceptions *are* supported)
SUMMARY: AddressSanitizer: stack-buffer-overflow src/libsystemd/sd-id128/id128-util.c:42 in id128_to_uuid_string
Shadow bytes around the buggy address:
0x100028c23750: f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2
0x100028c23760: f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2
0x100028c23770: f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2
0x100028c23780: f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2
0x100028c23790: f2 f2 00 00 f4 f4 f2 f2 f2 f2 00 00 f4 f4 f2 f2
=>0x100028c237a0: f2 f2 00 00 00 00[01]f4 f4 f4 f2 f2 f2 f2 00 00
0x100028c237b0: 00 00 05 f4 f4 f4 00 00 00 00 00 00 00 00 00 00
0x100028c237c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100028c237d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100028c237e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x100028c237f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Heap right redzone: fb
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack partial redzone: f4
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
==125770==ABORTING
FAIL test-id128 (exit status: 1)
|
|
ASAN is unable to handle it.
|
|
beef up /var/tmp and /tmp handling; set $SERVICE_RESULT/$EXIT_CODE/$EXIT_STATUS on ExecStop= and make sure root/nobody are always resolvable
|
|
This adds parse_nice() that parses a nice level and ensures it is in the right
range, via a new nice_is_valid() helper. It then ports over a number of users
to this.
No functional changes.
|
|
Beef up the existing var_tmp() call, rename it to var_tmp_dir() and add a
matching tmp_dir() call (the former looks for the place for /var/tmp, the
latter for /tmp).
Both calls check $TMPDIR, $TEMP, $TMP, following the algorithm Python3 uses.
All dirs are validated before use. secure_getenv() is used in order to limite
exposure in suid binaries.
This also ports a couple of users over to these new APIs.
The var_tmp() return parameter is changed from an allocated buffer the caller
will own to a const string either pointing into environ[], or into a static
const buffer. Given that environ[] is mostly considered constant (and this is
exposed in the very well-known getenv() call), this should be OK behaviour and
allows us to avoid memory allocations in most cases.
Note that $TMPDIR and friends override both /var/tmp and /tmp usage if set.
|
|
|
