summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2016-01-11Merge pull request #2262 from pohly/smack-networkLennart Poettering
smack: Handling network
2016-01-11Merge pull request #2294 from zonque/in_setLennart Poettering
macro.h: improve IN_SET helper macro
2016-01-11macro.h: provide a switch-case statement generator for IN_SETDaniel Mack
Rather than walking a list of valid values one-by-one, generate a switch-case statement for the IN_SET() macro. This allows the compiler to further optimize its code output, possibly by generating jump tables. This effectively decreases the binary size slightly. The implementation is based on macro overloading depending on the number of arguments. h/t to the following post: https://stackoverflow.com/questions/11761703/overloading-macro-on-number-of-arguments
2016-01-11smack: Handling networkCasey Schaufler
- Set Smack ambient to match run label - Set Smack netlabel host rules Set Smack ambient to match run label ------------------------------------ Set the Smack networking ambient label to match the run label of systemd. System services may expect to communicate with external services over IP. Setting the ambient label assigns that label to IP packets that do not include CIPSO headers. This allows systemd and the services it spawns access to unlabeled IP packets, and hence external services. A system may choose to restrict network access to particular services later in the startup process. This is easily done by resetting the ambient label elsewhere. Set Smack netlabel host rules ----------------------------- If SMACK_RUN_LABEL is defined set all other hosts to be single label hosts at the specified label. Set the loopback address to be a CIPSO host. If any netlabel host rules are defined in /etc/smack/netlabel.d install them into the smackfs netlabel interface. [Patrick Ohly: copied from https://review.tizen.org/git/?p=platform/upstream/systemd.git;a=commit;h=db4f6c9a074644aa2bf] [Patrick Ohly: adapt to write_string_file() change in "fileio: consolidate write_string_file*()"] [Patrick Ohly: create write_netlabel_rules() based on the original write_rules() that was removed in "smack: support smack access change-rule"] [Patrick Ohly: adapted to upstream code review feedback: error logging, string constants]
2016-01-10tree-wide: unify argument lists of IN_SET()Daniel Mack
The new implementation will not allow passing the same values more than once, so clean up first.
2016-01-10sd-netlink: fix assertDaniel Mack
nl->fd can be 0.
2016-01-08Merge pull request #2287 from dandedrick/journal-gatewayd-timeout-fixDaniel Mack
journal-gatewayd: timeout journal wait to allow thread cleanup
2016-01-07Merge pull request #2285 from evverx/fix-test-resolveDaniel Mack
tests: test-resolve: wait until all queries are completed
2016-01-07Merge pull request #2284 from teg/resolved-cname-2Lennart Poettering
resolved: query_process_cname - make fully recursive
2016-01-07tests: test-resolve: wait until all queries are completedEvgeny Vereshchagin
This is a follow-up for 4a134c4903dbf6ef6c6a Fixes: $ ./test-resolve 209.132.183.105:80 209.132.183.105:80 canonical name: n/a 193.99.144.85:0 [2a02:2e0:3fe:1001:7777:772e:2:85]:0 canonical name: www.heise.de Host: web.heise.de -- Serv: http $ ./test-resolve 193.99.144.85:0 [2a02:2e0:3fe:1001:7777:772e:2:85]:0 canonical name: www.heise.de Host: web.heise.de -- Serv: http $ ./test-resolve ...
2016-01-07Merge pull request #2276 from poettering/dnssec12Tom Gundersen
Twelfth DNSSEC PR
2016-01-07resolved: query_process_cname - make fully recursiveTom Gundersen
This ensures we properly resolve the CNAME chain as far as we can, rather than only CNAME chains of length one.
2016-01-06update DNSSEC TODOLennart Poettering
2016-01-06resolved: introduce support for per-interface negative trust anchorsLennart Poettering
2016-01-06nspawn: fix two typos in error messagesDaniel Mack
On errors, mention the functions that really failed.
2016-01-06Merge pull request #2137 from fbuihuu/fstab-gen-fix-device-timeoutDaniel Mack
Fstab gen fix device timeout
2016-01-06Merge pull request #2261 from evverx/fix-test-rlimit-utilDaniel Mack
tests: don't change hard limit in test-rlimit-util
2016-01-06Merge pull request #2273 from evverx/fix-possible-lost-in-test-bus-cleanupDaniel Mack
tests: use sd_bus_flush_close_unref instead of sd_bus_unref in test-bus-cleanup
2016-01-06resolved: when dumping the NTA database, sort outputLennart Poettering
Now that we populate the trust database by default with a larger number of entires, we better make sure to output a more readable version.
2016-01-06resolved: populate negative trust anchor by defaultLennart Poettering
Let's increase compatibility with many private domains by default, and ship a default NTA list of wel-known private domains, where it is unlikely they will be deployed as official TLD anytime soon.
2016-01-06resolved: log all OOM errorsLennart Poettering
2016-01-06resolved: reuse dns_trust_anchor_knows_domain() at another locationLennart Poettering
2016-01-06resolved: count unsupported dnssec algorithm as indeterminate RRsetLennart Poettering
After all, when we don't support the algorithm we cannot determine validity.
2016-01-05resolved: try to detect fritz.box-style private DNS zones, and downgrade to ↵Lennart Poettering
non-DNSSEC mode for them This adds logic to detect cases like the Fritz!Box routers which serve a private DNS domain "fritz.box" under the TLD "box" that does not exist in the root servers. If this is detected DNSSEC validation is turned off for this private domain, thus improving compatibility with such private DNS zones. This should be fairly secure as we first rely on the proof that .box does not exist before this logic is applied. Nevertheless the logic is only enabled for DNSSEC=allow-downgrade mode. This logic does not work for routers that set up a full DNS zone directly under a non-existing TLD, as in that case we cannot prove that the domain is truly non-existing according to the root servers.
2016-01-05resolved: when dumping trust anchor contents, clarify when it is emptyLennart Poettering
2016-01-05resolved: fix DNSSEC transaction dependency recursion checkLennart Poettering
We followed the wrong connection. This only worked sometimes at all, because we also return the wrong error code.
2016-01-05update DNSSEC TODOLennart Poettering
2016-01-05resolved,networkd: add a per-interface DNSSEC settingLennart Poettering
This adds a DNSSEC= setting to .network files, and makes resolved honour them.
2016-01-05resolved: log about per-interface setting parse errorsLennart Poettering
2016-01-05resolved: properly release all DnsServers that belong to a linkLennart Poettering
2016-01-05resolved: rename "downgrade-ok" mode to "allow-downgrade"Lennart Poettering
After discussing this with Tom, we figured out "allow-downgrade" sounds nicer.
2016-01-05resolved: make MulticastDNS support configurable in resolved.confLennart Poettering
The option is already there, but wasn't exported in the configuration file so far. Fix that.
2016-01-05networkd,resolved: add a per-interface mdns configuration optionLennart Poettering
2016-01-05resolved,networkd: unify ResolveSupport enumLennart Poettering
networkd previously knew an enum "ResolveSupport" for configuring per-interface LLMNR support, resolved had a similar enum just called "Support", with the same value and similar pasers. Unify this, call the enum ResolveSupport, and port both daemons to it.
2016-01-05basic: add string table macros for "extended boolean" enumsLennart Poettering
In a couple of cases we maintain configuration settings that know an on and off state, like a boolean, plus some additional states. We generally parse them as booleans first, and if that fails check for specific additional values. This adds a generalized set of macros for parsing such settings, and ports one use in resolved and another in networkd over to it.
2016-01-05sd-network: unify parsing of /run/systemd/netif/links/* string fieldsLennart Poettering
2016-01-05tests: use sd_bus_flush_close_unref instead of sd_bus_unref in test-bus-cleanupEvgeny Vereshchagin
Fixes: $ make valgrind-tests TESTS=test-bus-cleanup ==6363== 9 bytes in 1 blocks are possibly lost in loss record 1 of 28 ==6363== at 0x4C2BBCF: malloc (vg_replace_malloc.c:299) ==6363== by 0x197D12: hexmem (hexdecoct.c:79) ==6363== by 0x183083: bus_socket_start_auth_client (bus-socket.c:639) ==6363== by 0x1832A0: bus_socket_start_auth (bus-socket.c:678) ==6363== by 0x183438: bus_socket_connect (bus-socket.c:705) ==6363== by 0x14B0F2: bus_start_address (sd-bus.c:1053) ==6363== by 0x14B592: sd_bus_start (sd-bus.c:1134) ==6363== by 0x14B95E: sd_bus_open_system (sd-bus.c:1235) ==6363== by 0x1127E2: test_bus_open (test-bus-cleanup.c:42) ==6363== by 0x112AAE: main (test-bus-cleanup.c:87) ==6363== ... $ ./libtool --mode=execute valgrind ./test-bus-cleanup ==6584== LEAK SUMMARY: ... ==6584== possibly lost: 10,566 bytes in 27 blocks
2016-01-05machine: fix typo: MS_MOUNT does not existAlban Crequy
2016-01-05Merge pull request #2269 from poettering/dnssec11Tom Gundersen
Eleventh DNSSEC patch set
2016-01-05resolved: also skip built-in trust anchor addition of there's a DNSKEY RR ↵Lennart Poettering
for the root domain defined We already skip this when the trust anchor files define a DS RR for the root domain, now also skip it if there's a DNSKEY RR.
2016-01-05resolved: move trust anchor files to /etc/dnssec-trust-anchors.d/Lennart Poettering
These files are not specific to resolved really, and this is then more in-line with how /etc/sysctl.d and suchlike is handled.
2016-01-05mount-setup.c: fix handling of symlink Smack labelling in cgroup setupPatrick Ohly
The code introduced in f8c1a81c51 (= systemd 227) failed for me with: Failed to copy smack label from net_cls to /sys/fs/cgroup/net_cls: No such file or directory There is no need for a symlink in this case because source and target are identical. The symlink() call is allowed to fail when the target already exists. When that happens, copying the Smack label must be skipped. But the code also failed when there is a symlink, like "cpu -> cpu,cpuacct", because mac_smack_copy() got called with src="cpu,cpuacct" which fails to find the entry because the current directory is not inside /sys/fs/cgroup. The absolute path to the existing entry must be used instead.
2016-01-05resolved: when caching negative responses, honour NSEC/NSEC3 TTLsLennart Poettering
When storing negative responses, clamp the SOA minimum TTL (as suggested by RFC2308) to the TTL of the NSEC/NSEC3 RRs we used to prove non-existance, if it there is any. This is necessary since otherwise an attacker might put together a faked negative response for one of our question including a high-ttl SOA RR for any parent zone, and we'd use trust the TTL.
2016-01-04update DNSSEC TODOLennart Poettering
2016-01-04resolved: explicitly handle case when the trust anchor is emptyLennart Poettering
Since we honour RFC5011 revoked keys it might happen we end up with an empty trust anchor, or one where there's no entry for the root left. With this patch the logic is changed what to do in this case. Before this patch we'd end up requesting the root DS, which returns with NODATA but a signed NSEC we cannot verify, since the trust anchor is empty after all. Thus we'd return a DNSSEC result of "missing-key", as we lack a verified version of the key. With this patch in place, look-ups for the root DS are explicitly recognized, and not passed on to the DNS servers. Instead, if downgrade-ok mode is on an unsigned NODATA response is synthesized, so that the validator code continues under the assumption the root zone was unsigned. If downgrade-ok mode is off a new transaction failure is generated, that makes this case recognizable.
2016-01-04resolved: introduce a proper bus error for DNSSEC validation errorsLennart Poettering
2016-01-04resolved: explicitly avoid cyclic transaction dependenciesLennart Poettering
We already try hard not to create cyclic transaction dependencies, where a transaction requires another one for DNSSEC validation purposes, which in turn (possibly indirectly) pulls in the original transaction again, thus resulting in a cyclic dependency and ultimately a deadlock since each transaction waits for another one forever. So far we wanted to avoid such cyclic dependencies by only going "up the tree" when requesting auxiliary RRs and only going from one RR type to another, but never back. However this turned out to be insufficient. Consider a domain that publishes one or more DNSKEY but which has no DS for it. A request for the domain's DNSKEY triggers a request for the domain's DS, which will then fail, but return an NSEC, signed by the DNSKEY. To validate that we'd request the DNSKEY again. Thus a DNSKEY request results in a DS request which results in the original DNSKEY request again. If the original lookup had been a DS lookup we'd end up in the same cyclic dependency, hence we cannot statically break one of them, since both requests are of course fully valid. Hence, do full cyclic dependency checking: each time we are about to add a dependency to a transaction, check if the transaction is already a dependency of the dependency (recursively down the tree).
2016-01-04resolved: block transaction GC'ing while ↵Lennart Poettering
dns_transaction_request_dnssec_keys() is running If any of the transactions started by dns_transaction_request_dnssec_keys() finishes promptly without requiring asynchronous operation this is reported back to the issuing transaction from the same stackframe. This might ultimately result in this transaction to be freed while we are still in its _request_dnssec_keys() stack frame. To avoid memory corruption block the transaction GC while in the call, and manually issue a GC after it returned.
2016-01-04update RFCsLennart Poettering
2016-01-04resolved: partially implement RFC5011 Trust Anchor supportLennart Poettering
With this patch resolved will properly handle revoked keys, but not augment the locally configured trust anchor database with newly learned keys. Specifically, resolved now refuses validating RRsets with revoked keys, and it will remove revoked keys from the configured trust anchors (only until reboot). This patch does not add logic for adding new keys to the set of trust anchors. This is a deliberate decision as this only can work with persistent disk storage, and would result in a different update logic for stateful and stateless systems. Since we have to support stateless systems anyway, and don't want to encourage two independent upgrade paths we focus on upgrading the trust anchor database via the usual OS upgrade logic. Whenever a trust anchor entry is found revoked and removed from the trust anchor a recognizable log message is written, encouraging the user to update the trust anchor or update his operating system.