Age | Commit message (Collapse) | Author |
|
Noticed by Sergey Ptashnick
|
|
This is an S/MIME signed message
The new function ima_setup() loads an IMA custom policy from a file in the
default location '/etc/ima/ima-policy', if present, and writes it to the
path 'ima/policy' in the security filesystem. This function is executed
at early stage in order to avoid that some file operations are not measured
by IMA and it is placed after the initialization of SELinux because IMA
needs the latter (or other security modules) to understand LSM-specific
rules. This feature is enabled by default and can be disabled by providing
the option '--disable-ima' to the configure script.
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Acked-by: Gianluca Ramunno <ramunno@polito.it>
|
|
This is an S/MIME signed message
The mount of the securityfs filesystem is now performed in the main systemd
executable as it is used by IMA to provide the interface for loading custom
policies. The unit file 'units/sys-kernel-security.mount' has been removed
because it is not longer necessary.
Signed-off-by: Roberto Sassu <roberto.sassu@polito.it>
Acked-by: Gianluca Ramunno <ramunno@polito.it>
|
|
Let's use NAME_MAX, as suggested by Dan Walsh
|
|
|
|
|
|
|
|
|
|
They've moved to systemd-ui.
|
|
The function checks if the entry is a directory before recursing, but
there is a window between the check and the open, during which the
directory could be replaced with a symlink.
CVE-2012-1174
https://bugzilla.redhat.com/show_bug.cgi?id=803358
|
|
|
|
|
|
|
|
|
|
|
|
There is a 'break' missing in the -q handling
so, for example, 'systemd-journalctl --new-id128 -q'
does nothing.
This patch fixes the problem.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
Hi!
I was trying out the journal and the journalctl utility sometimes
crashed on me. After some debugging, I tracked it down to the fact
that next_with_matches() holds the "c" object pointer through the
journal_file_next_entry_for_data() call -- which apparently may re-map
the journal file, invalidating the pointer.
The attached patch fixes this crash for me, but being unfamiliar with
the code, I don't know if I'm doing the right thing.
This patch is also available from my github repository:
git://github.com/intgr/systemd.git
https://github.com/intgr/systemd
Regards,
Marti
For the record, here's the original stack trace at the time of remapping:
ret=0x7fff1d5cdec0) at src/journal/journal-file.c:330
ret=0x7fff1d5cdf28) at src/journal/journal-file.c:414
ret=0x7fff1d5ce0a0, offset=0x7fff1d5ce098) at
src/journal/journal-file.c:1101
i=5705, ret=0x7fff1d5ce0a0, offset=0x7fff1d5ce098) at
src/journal/journal-file.c:1147
p=6413608, data_offset=66600, direction=DIRECTION_DOWN,
ret=0x7fff1d5ce0a0, offset=0x7fff1d5ce098) at
src/journal/journal-file.c:1626
direction=DIRECTION_DOWN, ret=0x7fff1d5ce120, offset=0x7fff1d5ce128)
at src/journal/sd-journal.c:533
direction=DIRECTION_DOWN, ret=0x7fff1d5ce170, offset=0x7fff1d5ce178)
at src/journal/sd-journal.c:595
src/journal/sd-journal.c:651
From 9266fc6a58065a7c5dab67430fd78925e519dce9 Mon Sep 17 00:00:00 2001
From: Marti Raudsepp <marti@juffo.org>
Date: Fri, 9 Mar 2012 16:23:00 +0200
Subject: [PATCH] journal: Don't hold pointers to journal while remapping
This would cause a segfault otherwise.
|
|
|
|
|
|
path order
|
|
After long consideration we came to the conclusion that user
configuration in /etc should always override the (generally computer
generated) configuration in /run. User configuration should always be
what matters over anything else. Hence rearrange the search orders
accordingly.
In general this should change very little as overriding like this is
seldomn done so far, and the order between /etc and /usr stays the same.
|
|
This is a result of the discussions on
https://bugs.freedesktop.org/show_bug.cgi?id=46894
|
|
As suggested in https://bugzilla.redhat.com/show_bug.cgi?id=798760
|
|
If a client connects to us repeatedly always using the same source port
and we instantiate a service for the incoming connection this might
clash with an old instance. Hence, include the connection number, the
same way we do it for AF_UNIX to make connections unique.
https://bugs.freedesktop.org/show_bug.cgi?id=45297
|
|
the socket in failure mode
An incoming connection that is immediately terminated might result in
getpeername() or a similar call failing. Hence it is quite possible that
while we are setting up an instantiated service for a socket we might
get an error and we shouldn't take this as hint to take the listening
socket down.
https://bugs.freedesktop.org/show_bug.cgi?id=45297
https://bugzilla.novell.com/show_bug.cgi?id=741590
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=768523
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=783134
|
|
If /proc is not available (i.e. in chroot envs) let's fall back to brute
forcing our way through the fd table.
https://bugzilla.redhat.com/show_bug.cgi?id=784921
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=798760
|
|
https://bugzilla.redhat.com/show_bug.cgi?id=798760
(Note that this work is not complete yet, as the kernel seems to send us
useless data with SCM_SECURITY enabled)
|
|
This device is a combination USB hub, displaylink graphics, and e2i touchscreen
Bus 001 Device 005: ID 058f:6254 Alcor Micro Corp. USB Hub
Bus 001 Device 006: ID 17e9:401a Newnham Research
Bus 001 Device 007: ID 1ac7:0001
|__ Port 1: Dev 5, If 0, Class=hub, Driver=hub/4p, 480M
|__ Port 2: Dev 6, If 0, Class=vend., Driver=udlfb, 480M
|__ Port 2: Dev 6, If 1, Class=HID, Driver=usbhid, 480M
|__ Port 3: Dev 7, If 0, Class=vend., Driver=usbtouchscreen, 12M
|
|
we need to make sure that configuration data we expose via the bus ends
up in using getting an assert(). Even though configuration data is only
parsed from trusted sources we should be more careful with what we read.
|
|
a data object
|
|
Previously, mount_load_etc_fstab() could never fail for reasons other
than a setmntent() or allocation failure.
|