summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2016-03-21Merge pull request #2760 from ronnychevalier/rc/core_no_new_privileges_seccompv3Daniel Mack
core: set NoNewPrivileges for seccomp if we don't have CAP_SYS_ADMIN
2016-03-21Merge pull request #2826 from thom311/masterDaniel Mack
lldp: fix starting ttl timer for lldp neighbor
2016-03-18Merge pull request #2862 from evverx/nspawn-expose-ports-errorDaniel Mack
nspawn: don't run nspawn --port=... without libiptc support
2016-03-17nspawn: don't run nspawn --port=... without libiptc supportEvgeny Vereshchagin
We get $ systemd-nspawn --image /dev/loop1 --port 8080:80 -n -b 3 --port= is not supported, compiled without libiptc support. instead of a ping-nc-iptables debugging session
2016-03-17Merge pull request #2839 from keszybz/use-sendfile-smarterDaniel Mack
Use sendfile smarter
2016-03-17Merge pull request #2854 from keszybz/log-colorsDaniel Mack
systemd: obey systemd.log_color config
2016-03-17Merge pull request #2856 from msekletar/merge-instanceDaniel Mack
core: look for instance when processing template name
2016-03-17basic/missing: move syscall definitions to basic/missing_syscall.hZbigniew Jędrzejewski-Szmek
We have a bunch of syscall wrapper definitions and it's easier to see that they follow the same pattern if they are not interspersed with other defines. Change the wrappers to be uniform: - if __NR_XXX is not defined, do not bother to call the syscall, and return -1/ENOSYS immediately. - do not check __NR_XXX defines if we detect the symbol as defined, since we don't need them anyway - reindent stuff for readability New file basic/missing_syscall.h is included at the end of missing.h because it might make use of some of the definitions in missing.h.
2016-03-17basic/copy: use copy_file_range()Zbigniew Jędrzejewski-Szmek
For btrfs, c_f_r() is like BTRFS_IOC_CLONE which we already used, but also works when max_bytes is set. We do call copy_bytes in coredump code with max_bytes set, and for large files, so we might see some benefit from using c_f_r() on btrfs. For other filesystems, c_f_r() falls back to do_splice_direct(), the same as sendfile, which we already call, so there shouldn't be much difference. Tested with test-copy and systemd-coredump on Linux 4.3 (w/o c_f_r) and 4.5 (w/ c_f_r).
2016-03-17basic/missing: add copy_file_rangeZbigniew Jędrzejewski-Szmek
syscall numbers based on: https://fedora.juszkiewicz.com.pl/syscalls.html
2016-03-17Merge pull request #2858 from keszybz/fbdev-uaccessDavid Herrmann
rules: allow users to access frame buffer devices
2016-03-17Merge pull request #2848 from keszybz/clang-warningsDaniel Mack
Clang warnings
2016-03-17systemd: obey systemd.log_color configZbigniew Jędrzejewski-Szmek
Fixes #2845.
2016-03-17rules: allow users to access frame buffer devicesZbigniew Jędrzejewski-Szmek
For example it allows weston to be started unprivileged. Related discussion: https://bugs.freedesktop.org/show_bug.cgi?id=73782 https://lists.freedesktop.org/archives/wayland-devel/2015-May/022005.html https://bugzilla.redhat.com/show_bug.cgi?id=1226680
2016-03-16core: look for instance when processing template nameMichal Sekletar
If first attempt to merge units failed and we are trying to do merge the other way around and at the same time we are working with template name, then other unit can't possibly be template, because it is not possible to have template unit running, only instances of the template. Thus we need to look for already active instance instead.
2016-03-16nspawn: Fix two misspellings of "hierarchy" in error messagesTobias Klauser
2016-03-16Merge pull request #2797 from evverx/selinux-use-rawZbigniew Jędrzejewski-Szmek
selinux: use *_raw API from libselinux
2016-03-15basic/log: remove unused return valueZbigniew Jędrzejewski-Szmek
2016-03-15basic/c-rbtree: remove unused functionZbigniew Jędrzejewski-Szmek
2016-03-15basic/macros: clang 3.5 doesn't support alloc_sizeZbigniew Jędrzejewski-Szmek
The attribute was removed in commit c047507 in the clang repository as it was never properly implemented anyway. Avoid using the attribute with clang because it generates a ton of annoying warnings.
2016-03-15test-copy: test with different max_bytes valuesZbigniew Jędrzejewski-Szmek
2016-03-15basic/copy: use sendfile smarterZbigniew Jędrzejewski-Szmek
We called sendfile with 16kb (a.k.a. COPY_BUFFER_SIZE) as the maximum number of bytes to copy. This seems rather inefficient, especially with large files. Instead, call sendfile with a "large" maximum. What "large" max means is a bit tricky: current file offset + max must fit in loff_t. This means that as we call sendfile more than once, we have to lower the max size. With this patch, test-copy calls sendfile twice, e.g.: sendfile(4, 3, NULL, 9223372036854775807) = 738760 sendfile(4, 3, NULL, 9223372036854037047) = 0 The second call is necessary to determine EOF.
2016-03-15test-copy: add a test shuffling bytes between normal filesZbigniew Jędrzejewski-Szmek
I started looking into adding copy_file_range support, and discovered that we can improve the way we call sendfile: - sendfile(2) man page is missing an important bit: the number of bytes to copy cannot be too big (SSIZE_MAX actually), and the description of EINVAL return code does not mention this either, - our implementation works but calls sendfile over and over with a small size, which seems suboptimal. First add a test which (under strace) can be used to see current behaviour.
2016-03-15time-util: fall back to CLOCK_MONOTONIC if CLOCK_BOOTTIME unsupportedLubomir Rintel
It was added in 2.6.39, and causes an assertion to fail when running in mock hosted on 2.6.23-based RHEL-6: Assertion 'clock_gettime(map_clock_id(clock_id), &ts) == 0' failed at systemd/src/basic/time-util.c:70, function now(). Aborting.
2016-03-15Merge pull request #2840 from linkmauve/use-xdg-config-homeZbigniew Jędrzejewski-Szmek
sd-path: use XDG_CONFIG_HOME instead of hardcoding ~/.config for user-dirs
2016-03-15sd-path: use XDG_CONFIG_HOME instead of hardcoding ~/.config for user-dirsEmmanuel Gil Peyrot
2016-03-14include sys/sysmacros.h in more placesMike Frysinger
Since glibc is moving away from implicitly including sys/sysmacros.h all the time via sys/types.h, include the header directly in more places. This seems to cover most makedev/major/minor usage.
2016-03-14lldp: fix starting ttl timer for lldp neighborThomas Haller
lldp_start_timer() was only called during sd_lldp_get_neighbors(). Ensure that the timer is (re-)started when a new neighbor appears. Otherwise, the timer is not started when relying on the events alone. Fixes: 34437b4f9c9c51b0a6f93788bdb9a105b8e46b66
2016-03-14Merge pull request #2827 from keszybz/public-headersDaniel Mack
ANSI C compatibility for public headers
2016-03-14Merge pull request #2834 from coling/masterZbigniew Jędrzejewski-Szmek
2016-03-14device: Ensure we have sysfs path before comparing.Colin Guthrie
In some cases we do not have a udev device when setting up a unit (certainly the code gracefully handles this). However, we do then go on to compare the path via path_equal which will assert if a null value is passed in. See https://bugs.mageia.org/show_bug.cgi?id=17766 Not sure if this is the correct fix, but it avoids the crash
2016-03-14shared/machine-pool: fix another mkfs.btrfs checkingEvgeny Vereshchagin
Fixes: Message: Process 806 (systemd-importd) of user 0 dumped core. Stack trace of thread 806: #0 0x00007f5eaeff7227 raise (libc.so.6) #1 0x00007f5eaeff8e8a abort (libc.so.6) #2 0x000055b6d3418f4f log_assert_failed (systemd-importd) #3 0x000055b6d3409daf safe_close (systemd-importd) #4 0x000055b6d33c25ea closep (systemd-importd) #5 0x000055b6d33c38d9 setup_machine_directory (systemd-importd) #6 0x000055b6d33b8536 method_pull_tar_or_raw (systemd-importd) #7 0x000055b6d33ed097 method_callbacks_run (systemd-importd) #8 0x000055b6d33ef929 object_find_and_run (systemd-importd) #9 0x000055b6d33eff6b bus_process_object (systemd-importd) #10 0x000055b6d3447f77 process_message (systemd-importd) #11 0x000055b6d344815a process_running (systemd-importd) #12 0x000055b6d3448a10 bus_process_internal (systemd-importd) #13 0x000055b6d3448ae1 sd_bus_process (systemd-importd) #14 0x000055b6d3449779 time_callback (systemd-importd) #15 0x000055b6d3454ff4 source_dispatch (systemd-importd) #16 0x000055b6d34562b9 sd_event_dispatch (systemd-importd) #17 0x000055b6d34566f8 sd_event_run (systemd-importd) #18 0x000055b6d33ba72a bus_event_loop_with_idle (systemd-importd) #19 0x000055b6d33b95bc manager_run (systemd-importd) #20 0x000055b6d33b9766 main (systemd-importd) #21 0x00007f5eaefe2a00 __libc_start_main (libc.so.6) #22 0x000055b6d33b5569 _start (systemd-importd)
2016-03-14shared/machine-pool: fix mkfs.btrfs checkingEvgeny Vereshchagin
binary_is_good translates ENOENT to 0 See https://github.com/systemd/systemd/commit/85eca92e#diff-bcad68c477b6651521e880c40b7a9b40R813
2016-03-12run: Improve the help message about timer options and existing unitsWieland Hoffmann
2016-03-11headers: remove commas at end of enum listsZbigniew Jędrzejewski-Szmek
src/systemd/sd-journal.h:75:51: warning: commas at the end of enumerator lists are a C99-specific feature [-Wc99-extensions]
2016-03-11headers: do not use siginfo_t if not definedZbigniew Jędrzejewski-Szmek
Simply avoid the trouble and use a void* if the define is missing. We lose type safety, but who cares. sigaction(2) says that siginfo_t requires _POSIX_C_SOURCE >= 199309L, but we can be a bit more generous and use the same define as /usr/include/signal.h.
2016-03-11headers: use __inline__ instead of inlineZbigniew Jędrzejewski-Szmek
https://gcc.gnu.org/onlinedocs/gcc-5.3.0/gcc/Alternate-Keywords.html#Alternate-Keywords recommends __inline__ over inline in ANSI C compatible headers. Tested with gcc-5.3 and clang-3.7. https://bugzilla.redhat.com/show_bug.cgi?id=1316964
2016-03-10Merge pull request #2821 from keszybz/mac_selinux_bind-do-not-rely-on-errnoDaniel Mack
socket_address_listen: do not rely on errno (2)
2016-03-10Merge pull request #2794 from jhol/dont-unmount-initramfs-mountsDaniel Mack
core/mount: Don't unmount initramfs mounts
2016-03-10socket_address_listen: do not rely on errno (2)Zbigniew Jędrzejewski-Szmek
We'd still use the invalid errno for a return value. Rework the code to simply return the right error right away.
2016-03-10Merge pull request #2818 from vinaykul/masterTom Gundersen
DHCP DUID and IAID configurability
2016-03-10Merge pull request #2820 from lnykryn/test-ipcrmDaniel Mack
test-ipcrm: fix log message
2016-03-10test-ipcrm: fix log messageLukas Nykryn
2016-03-10socket_address_listen - do not rely on errnoPetr Lautrbach
Currently socket_address_listen() calls mac_selinux_bind() to bind a UNIX socket and checks its return value and errno for EADDRINUSE. This is not correct. When there's an SELinux context change made for the new socket, bind() is not the last function called in mac_selinux_bind(). In that case the last call is setfscreatecon() from libselinux which can change errno as it uses access() to check if /proc/thread-self is available. It fails on kernels before 3.17 and errno is set to ENOENT. It's safe to check only the return value at it's set to -errno.
2016-03-09DHCP DUID and IAID configurabilityVinay Kulkarni
2016-03-09Merge pull request #2792 from ronnychevalier/rc/tests_movev2Zbigniew Jędrzejewski-Szmek
tests: move out unrelated tests from test-util to their own file
2016-03-09Merge pull request #2816 from rhatdan/selinuxZbigniew Jędrzejewski-Szmek
/dev/console must be labeled with SELinux label in containers
2016-03-09Merge pull request #2793 from fbuihuu/fstab-generator-automount-optionZbigniew Jędrzejewski-Szmek
fstab-generator: fix automounts to not mount automatically
2016-03-09Merge pull request #2755 from keszybz/more-testsMartin Pitt
Enable more tests by default, and even more with `--enable-tests=unsafe`
2016-03-09/dev/console must be labeled with SELinux labelDan Walsh
If the user specifies an selinux_apifs_context all content created in the container including /dev/console should use this label. Currently when this uses the default label it gets labeled user_devpts_t, which would require us to write a policy allowing container processes to manage user_devpts_t. This means that an escaped process would be allowed to attack all users terminals as well as other container terminals. Changing the label to match the apifs_context, means the processes would only be allowed to manage their specific tty. This change fixes a problem preventing RKT containers from working with systemd-nspawn.