summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2016-01-31core: fix selinux check for reloadEvgeny Vereshchagin
Fixes: -bash-4.3# echo 1 >/sys/fs/selinux/enforce -bash-4.3# runcon -t systemd_test_start_t systemctl start hola -bash-4.3# sesearch --allow -s systemd_test_reload_t -c service Found 1 semantic av rules: allow systemd_test_reload_t systemd_unit_file_t : service reload ; -bash-4.3# runcon -t systemd_test_reload_t systemctl reload hola Failed to reload hola.service: Access denied See system logs and 'systemctl status hola.service' for details. -bash-4.3# journalctl -b | grep -i user_avc | grep reload USER_AVC pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg=' avc: denied { start } for auid=0 uid=0 gid=0 path="/etc/systemd/system/hola.service" cmdline="systemctl reload hola" scontext=unconfined_u:unconfined_r:systemd_test_reload_t:s0-s0:c0.c1023 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service See https://fedoraproject.org/wiki/Features/SELinuxSystemdAccessControl#Documentation
2016-01-30Merge pull request #2469 from keszybz/resolved-2Lennart Poettering
Resolved 2
2016-01-29basic: fix touch() creating files with 07777 modeMantas Mikulėnas
mode_t is unsigned, so MODE_INVALID < 0 can never be true. This fixes a possible DoS where any user could fill /run by writing to a world-writable /run/systemd/show-status.
2016-01-29resolved: log server type when switching serversZbigniew Jędrzejewski-Szmek
I'm not defining _DNS_SERVER_TYPE_MAX/INVALID as usual in the enum, because it wouldn't be used, and then gcc would complain that various enums don't test for _DNS_SERVER_TYPE_MAX. It seems better to define the macro rather than add assert_not_reached() in multiple places.
2016-01-29resolved: add macro to compare sized fieldsZbigniew Jędrzejewski-Szmek
For consistency, generic.size is renamed to generic.data_size. nsec3.next_hashed_name comparison was missing a size check.
2016-01-29resolve-host: add option to list protocolsZbigniew Jędrzejewski-Szmek
2016-01-29resolve-host: allow specifying type as TYPEnnZbigniew Jędrzejewski-Szmek
This mirrors the behaviour of host and makes the conversion to and from string symmetrical.
2016-01-29test-tables: ellide boring parts of sparse mappingsZbigniew Jędrzejewski-Szmek
2016-01-29test-resolve-tables: new "test", useful to print mappingsZbigniew Jędrzejewski-Szmek
2016-01-29resolved: calculate and print tags for DNSKEY recordsZbigniew Jędrzejewski-Szmek
2016-01-29systemctl: actually honour the try-reload-or-restart verb aabf5d4243408 promisedLennart Poettering
The verb entry got lost in the ultimate commit.
2016-01-29systemctl: make most systemctl commands NOPs in a chroot() environmentLennart Poettering
Fixes #2015
2016-01-29systemctl: consider a chroot() environment always offlineLennart Poettering
2016-01-29basic: when parsing verb command lines, optionally shortcut them in chroot() ↵Lennart Poettering
environments This adds some basic infrastructure in order to fix #2015.
2016-01-28Merge pull request #2466 from poettering/nspawn-journalZbigniew Jędrzejewski-Szmek
Two small nspawn fixes
2016-01-28resolved: expand flags field in DNSKEY recordsZbigniew Jędrzejewski-Szmek
2016-01-28resolved: convert TLSA fields to stringZbigniew Jędrzejewski-Szmek
Example output: _443._tcp.fedoraproject.org IN TLSA 0 0 1 GUAL5bejH7czkXcAeJ0vCiRxwMnVBsDlBMBsFtfLF8A= -- Cert. usage: CA constraint -- Selector: Full Certificate -- Matching type: SHA-256
2016-01-28resolved: OPENPGPKEY recordsZbigniew Jędrzejewski-Szmek
2016-01-28resolved: TLSA recordsZbigniew Jędrzejewski-Szmek
2016-01-28resolved: add alignment to base64Zbigniew Jędrzejewski-Szmek
We try to fit the lengthy key data into available space. If the other fields take less than half of the available columns, we use align everything in the remaining columns. Otherwise, we put everything after a newline, indented with 8 spaces. This is similar to dig and other tools do. $ COLUMNS=78 ./systemd-resolve -t any . . IN SOA a.root-servers.net nstld.verisign-grs.com 2016012701 1800 900 604800 86400 . IN RRSIG SOA RSASHA256 0 86400 20160206170000 20160127160000 54549 S1uhUoBAReAFi5wH/KczVDgwLb+B9Zp57dSYj9aX4XxBhKuzccIducpg0wWXhjCRAWuzY fQ/J2anm4+C4BLUTdlytPIemd42SUffQk2WGuuukI8e67nkrNF3WFtoeXQ4OchsyO24t2 rxi682Zo9ViqmXZ+MSsjWKt1jdem4noaY= . IN NS h.root-servers.net . IN NS k.root-servers.net . IN NS e.root-servers.net . IN NS c.root-servers.net . IN NS b.root-servers.net . IN NS g.root-servers.net . IN NS d.root-servers.net . IN NS f.root-servers.net . IN NS i.root-servers.net . IN NS j.root-servers.net . IN NS m.root-servers.net . IN NS a.root-servers.net . IN NS l.root-servers.net . IN RRSIG NS RSASHA256 0 518400 20160206170000 20160127160000 54549 rxhmTVKUgs72G3VzL+1JRuD0nGLIrPM+ISfmUx0eYUH5wZD5XMu2X+8PfkAsEQT1dziPs ac+zK1YZPbNgr3yGI5H/wEbK8S7DmlvO+/I9WKTLp/Zxn3yncvnTOdjFMZxkAqHbjVOm+ BFz7RjQuvCQlEJX4PQBFphgEnkiOnmMdI= . IN NSEC aaa ( NS SOA RRSIG NSEC DNSKEY ) . IN RRSIG NSEC RSASHA256 0 86400 20160206170000 20160127160000 54549 HY49/nGkUJJP1zLmH33MIKnkNH33jQ7bsAHE9itEjvC4wfAzgq8+Oh9fjYav1R1GDeJ2Z HOu3Z2uDRif10R8RsmZbxyZXJs7eHui9KcAMot1U4uKCCooC/5GImf+oUDbvaraUCMQRU D3mUzoa0BGWfxgZEDqZ55raVFT/olEgG8= . IN DNSKEY 257 3 RSASHA256 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0 O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0 NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL4 96M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1ap AzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6 dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ2 5AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1 ihz0= . IN DNSKEY 256 3 RSASHA256 AwEAAbr/RV0stAWYbmKOldjShp4AOQGOyY3ATI1NUpP4X1qBs 6lsXpc+1ABgv6zkg02IktjZrHnmD0HsElu3wqXMrT5KL1W7Sp mg0Pou9WZ8QttdTKXwrVXrASsaGI2z/pLBSnK8EdzqUrTVxY4 TEGZtxV519isM06CCMihxTn5cfFBF . IN RRSIG DNSKEY RSASHA256 0 172800 20160204235959 20160121000000 19036 XYewrVdYKRDfZptAATwT+W4zng04riExV36+z04kok09W0RmOtDlQrlrwHLlD2iN/zYpg EqGgDF5T2xlrQdNpn+PFHhypHM7NQAgLTrwmiw6mGbV0bsZN3rhFxHwW7QVUFAvo9eNVu INrjm+sArwxq3DnPkmA+3K4ikKD2iiT/jT91VYr9SHFqXXURccLjI+nmaE7m31hXcirX/ r5i3J+B4Fx4415IavSD72r7cmruocnCVjcp+ZAUKeMyW+RwigzevLz3oEcCZ4nrTpGLEj wFaVePYoP+rfdmfLfTdmkkm4APRJa2My3XOdGFlgNS1pW1pH4az5LapLE2vMO7p1aQ== -- Information acquired via protocol DNS in 14.4ms. -- Data is authenticated: no
2016-01-28resolved: emit full path to file we failed to writeZbigniew Jędrzejewski-Szmek
Otherwise it's unclear if it's /etc/resolv.conf or some other file that is meant.
2016-01-28nspawn: make sure --link-journal=host may be used twice in a rowLennart Poettering
Fixes #2186 This fixes fall-out from 574edc90066c3faeadcf4666928ed9b0ac409c75.
2016-01-28nspawn: make journal linking non-fatal in try and auto modesLennart Poettering
Fixes #2091
2016-01-28systemctl: rename "reload-or-try-restart" verb to "try-reload-or-restart"Lennart Poettering
But also keep the old name as (undocumented) compatibility around. The reload-or-try-restart was documented to be a NOP if the unit is not running, since the previous commits this is also implemented. The old name suggests that the "try" logic only applies to restarting. Fix this, by moving the "try-" to the front, to indicate that the whole option is a NOP if the service isn't running.
2016-01-28systemctl: improve message when a job fails with a JOB_INVALID stateLennart Poettering
This result can only happen if the job was a reload job for an inactive unit. Make the error message actually say that.
2016-01-28core: when propagating reload jobs, downgrade them to try-reloadLennart Poettering
Otherwise we might end up generating jobs that fail immediately. This follows the same logic that restart propagation follows.
2016-01-28core: when determining system state, don't bother with JOB_TRY_RESTARTLennart Poettering
When we determine the current system state we check whether units like emergency.target are running or a job that results in them being run is queued. However, this is not the case for JOB_TRY_RESTART, since that's a NOP if the unit has not been running before. Hence, don't bother with checking for that job type.
2016-01-28core: make sure "systemctl reload-or-try-restart is actually a noop if a ↵Lennart Poettering
unit is not running This makes sure we follow the same basic logic for try-restart if we have a try-reload. Fixes #688
2016-01-28basic: getauxval(AT_RANDOM) is apparently not necessarily alignedLennart Poettering
Let's make sure we read it in a way compatible with non-aligned memory. Fixes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=812928
2016-01-28systemctl: don't make up unit states, and don't eat up errors to eagerlyLennart Poettering
When checking a unit's state, don't ignore errors too eagerly, but generate proper error messages. Also, don't synthesize an "unknown" state on error, but let the operation file. If a unit file isn't loaded treat this as "inactive" as that's effectively what it means.
2016-01-28systemctl: don't mangle unit names in check_unit_generic()Lennart Poettering
As it turns out all callers of check_unit_generic() already mangle unit names, or get the unit names directly from PID 1 (and hence arein normalized form anyway), hence there's no point in mangling then...
2016-01-28shared: meanor clean-ups for logs-show.cLennart Poettering
Some minor simplifications. Shouldn't change codepaths.
2016-01-28core: don't reset /dev/console if stdin/stdout/stderr as passed as fd in a ↵Lennart Poettering
transient service Otherwise we might end resetting /dev/console all the time when a transient service starts or stops. Fixes #2377 Fixes #2198 Fixes #2061
2016-01-27Merge pull request #2451 from zonque/pr-2162-rebasedLennart Poettering
utf8.[ch] et al: use char32_t and char16_t instead of int, int32_t, i…
2016-01-27utf8.[ch] et al: use char32_t and char16_t instead of int, int32_t, int16_tShawn Landden
rework C11 utf8.[ch] to use char32_t instead of uint32_t when referring to unicode chars, to make things more expressive. [ @zonque: * rebased to current master * use AC_CHECK_DECLS to detect availibility of char{16,32}_t * make utf8_encoded_to_unichar() return int ]
2016-01-27nss-resolve: also fall back to nss-dns if dbus doesn't workLennart Poettering
Fixes #1692
2016-01-27nss: block various signals while running NSS lookupsLennart Poettering
Let's make sure our poll() calls don't get interrupted where they shouldn't (SIGALRM, ...), but allow them to be interrupted where they should (SIGINT, ...). Fixes #1965
2016-01-27basic: don't append suffixes to unit name glob expressionsLennart Poettering
When the user specifies "foo*" as unit name glob expression, we shouldn't turn this into "foo*.service". Hence: only append a suffix if the specified string isn't a glob expression. Fixes: #2397
2016-01-27systemctl: piece-meal strv extension is expensiveLennart Poettering
If we have many entries to add to an strv we really should try to be smarter than constantly realloc()ing the strv array. Instead, grow it exponentially.
2016-01-27tests: don't abbreviate function names needlesslyLennart Poettering
THis is otherwise really hard to read...
2016-01-27machined: add early checks for unrealistically large image/pool sizesLennart Poettering
2016-01-27machined: when the pool limit is set to infinity don't resize backing ↵Lennart Poettering
loopback file An unlimited quota makes a lot of sense, but we really should try to propagate this onto the loopback file size, since an infinitely sized file makes no sense. Fixes: #2314 #2253
2016-01-27Merge pull request #1975 from ssahani/vxlan2Tom Gundersen
networkd: Add support to configure VXLAN Port
2016-01-26Merge pull request #2446 from keszybz/ask-passwordLennart Poettering
Ask password unicode fix
2016-01-26ask-password-api: only emit a star on valid unicode codepointZbigniew Jędrzejewski-Szmek
https://bugzilla.redhat.com/show_bug.cgi?id=1301984
2016-01-26test-ask-password-api: add a manual test for password readingZbigniew Jędrzejewski-Szmek
2016-01-26Merge pull request #2306 from walyong/exec_v01Lennart Poettering
[v1] core: resolve specifier in config_parse_exec()
2016-01-26resolve: fix compare function for EtcHostItemThomas Hindoe Paaboel Andersen
From dd0bc0f1
2016-01-26nss-resolve: fix gethostbyaddr h_aliasesSamu Kallio
Fix the comparison to include the first alias, which will otherwise be left as a bogus pointer.
2016-01-26Merge pull request #2440 from poettering/journal-fixTom Gundersen
journald: minor fixes