platform/upstream/systemd.git
8 years agocore: don't use the unified hierarchy for the systemd cgroup yet (#4628)
Martin Pitt [Thu, 10 Nov 2016 04:33:13 +0000 (05:33 +0100)]
core: don't use the unified hierarchy for the systemd cgroup yet (#4628)

Too many things don't get along with the unified hierarchy yet:

 * https://github.com/opencontainers/runc/issues/1175
 * https://github.com/docker/docker/issues/28109
 * https://github.com/lxc/lxc/issues/1280

So revert the default to the legacy hierarchy for now. Developers of the above
software can opt into the unified hierarchy with
"systemd.legacy_systemd_cgroup_controller=0".

8 years agoman/sd_watchdog_enabled: correct minor typos (#4632)
Jonathan Boulle [Wed, 9 Nov 2016 16:30:10 +0000 (17:30 +0100)]
man/sd_watchdog_enabled: correct minor typos (#4632)

8 years agonspawn: fix condition for mounting resolv.conf (#4622)
Christian Hesse [Wed, 9 Nov 2016 03:01:26 +0000 (04:01 +0100)]
nspawn: fix condition for mounting resolv.conf (#4622)

The file /usr/lib/systemd/resolv.conf can be stale, it does not tell us
whether or not systemd-resolved is running or not.
So check for /run/systemd/resolve/resolv.conf as well, which is created
at runtime and hence is a better indication.

8 years agocore: on DynamicUser= make sure that protecting sensitive paths is enforced (#4596)
Djalal Harouni [Sun, 6 Nov 2016 22:31:55 +0000 (23:31 +0100)]
core: on DynamicUser= make sure that protecting sensitive paths is enforced (#4596)

This adds a variable that is always set to false to make sure that
protect paths inside sandbox are always enforced and not ignored. The only
case when it is set to true is on DynamicUser=no and RootDirectory=/chroot
is set. This allows users to use more our sandbox features inside RootDirectory=

The only exception is ProtectSystem=full|strict and when DynamicUser=yes
is implied. Currently RootDirectory= is not fully compatible with these
due to two reasons:

* /chroot/usr|etc has to be present on ProtectSystem=full
* /chroot// has to be a mount point on ProtectSystem=strict.

8 years agoMerge pull request #4536 from poettering/seccomp-namespaces
Zbigniew Jędrzejewski-Szmek [Wed, 9 Nov 2016 00:54:21 +0000 (19:54 -0500)]
Merge pull request #4536 from poettering/seccomp-namespaces

core: add new RestrictNamespaces= unit file setting

Merging, not rebasing, because this touches many files and there were tree-wide cleanups in the mean time.

8 years agoMerge pull request #4612 from keszybz/format-strings
Zbigniew Jędrzejewski-Szmek [Tue, 8 Nov 2016 13:09:40 +0000 (08:09 -0500)]
Merge pull request #4612 from keszybz/format-strings

Format string tweaks (and a small fix on 32bit)

8 years agoman: fix typo (#4615)
Yu Watanabe [Tue, 8 Nov 2016 09:51:35 +0000 (18:51 +0900)]
man: fix typo (#4615)

8 years agoMerge pull request #4509 from keszybz/foreach-word-quoted
Martin Pitt [Tue, 8 Nov 2016 08:41:51 +0000 (09:41 +0100)]
Merge pull request #4509 from keszybz/foreach-word-quoted

Remove FOREACH_WORD_QUOTED

8 years agoman: add an example how to unconditionally empty a directory (#4570)
Zbigniew Jędrzejewski-Szmek [Tue, 8 Nov 2016 08:39:10 +0000 (03:39 -0500)]
man: add an example how to unconditionally empty a directory (#4570)

It was logical, but not entirely obvious, that 'e' with no arguments does
nothing. Expand the explanation a bit and add an example.

Fixes #4564.

8 years agoAdjust pkgconfig files to point at rootlibdir (#4584)
Mike Gilbert [Tue, 8 Nov 2016 08:36:41 +0000 (03:36 -0500)]
Adjust pkgconfig files to point at rootlibdir (#4584)

The .so symlinks got moved to rootlibdir in 082210c7.

8 years agobuild-sys: remove leftover setcap configure check (#4597)
Michael Biebl [Tue, 8 Nov 2016 08:09:53 +0000 (09:09 +0100)]
build-sys: remove leftover setcap configure check (#4597)

The check for the setcap binary was added in commit
dd5ae4c36c89da5dbe8d1628939b26c00db98753 to set the CAP_MAC_ADMIN
capability for systemd-bus-proxyd. Later on, bus-proxyd was removed in
commit 798c486fbcdce3346cd862c52e1a200bb8a2cb23.
So remove the leftover setcap configure check as well.

8 years agocoredump: bump type of arg_journal_size_max to uint64 too
Zbigniew Jędrzejewski-Szmek [Tue, 8 Nov 2016 05:21:20 +0000 (00:21 -0500)]
coredump: bump type of arg_journal_size_max to uint64 too

For normal arches this doesn't matter, but on arm32 arg_journal_size_max was smaller
than the other *SizeMax variables. This doesn't seem useful.

This is anothet part of the fix in 5206a724a0.

8 years agobuild-sys: fix appending of CFLAGS and define __SANE_USERSPACE_TYPES__
Zbigniew Jędrzejewski-Szmek [Tue, 8 Nov 2016 04:38:17 +0000 (23:38 -0500)]
build-sys: fix appending of CFLAGS and define __SANE_USERSPACE_TYPES__

It's pointless to call AC_SUBST more than once on the same variable. Because
of all the copypasta, we were mixing CLFAGS and LDFLAGS.

… and the assertion in previous commit was wrong. PPC64 is a special snowflake.

__SANE_USERSPACE_TYPES__ is needed on PPC64 to make __u64 be llu, instead of
lu. Considering that both lu and llu are 64 bits, there's nothing sane about
this, maybe the flag should be called __INSANE_USERSPACE_TYPES__ instead. Sane
or not, this makes ppc64 kernel headers behave consistent with other
architectures. With this flag, no warnings are emitted at -O0 level.

8 years agonspawn: fix exit code for --help and --version (#4609)
Martin Pitt [Tue, 8 Nov 2016 04:31:55 +0000 (05:31 +0100)]
nspawn: fix exit code for --help and --version (#4609)

Commit b006762 inverted the initial exit code which is relevant for --help and
--version without a particular reason.  For these special options, parse_argv()
returns 0 so that our main() immediately skips to the end without adjusting
"ret". Otherwise, if an actual container is being started, ret is set on error
in run(), which still provides the "non-zero exit on error" behaviour.

Fixes #4605.

8 years agotree-wide: drop (llu) casts for kernel's __u64
Zbigniew Jędrzejewski-Szmek [Mon, 7 Nov 2016 16:49:51 +0000 (11:49 -0500)]
tree-wide: drop (llu) casts for kernel's __u64

According to comments in <asm/types.h>, __u64 is always defined as unsigned
long long. Those casts should be superfluous.

8 years agotree-wide: add PRI_[NU]SEC, and use time format strings more
Zbigniew Jędrzejewski-Szmek [Mon, 7 Nov 2016 16:49:25 +0000 (11:49 -0500)]
tree-wide: add PRI_[NU]SEC, and use time format strings more

8 years agoMerge pull request #4594 from endocode/djalal/fix-rootdir-apply-mntns
Evgeny Vereshchagin [Mon, 7 Nov 2016 22:53:21 +0000 (01:53 +0300)]
Merge pull request #4594 from endocode/djalal/fix-rootdir-apply-mntns

core: make RootDirectory= and ProtectKernelModules= work

8 years agotests: use less aggressive systemctl --wait timeout in TEST-03-JOBS (#4606)
Martin Pitt [Mon, 7 Nov 2016 18:51:20 +0000 (19:51 +0100)]
tests: use less aggressive systemctl --wait timeout in TEST-03-JOBS (#4606)

If the "systemctl start" happens at an "unlucky" time such as 1000.9 seconds
and then e. g.  runs for 2.6 s (sleep 2 plus the overhead of starting the unit
and waiting for it) the END_SEC would be 1003.5s which would round to 1004,
making the difference 4. On busier testbeds the overhead apparently can take a
bit more than 0.5s. The main point is really that it doesn't wait that much
longer, so "-le 4" seems perfectly fine. We allow up to 1.5s in the subsequent
"wait5fail" test below too.

Fixes #4582

8 years agocoredump: fix format string on 32 bits
Zbigniew Jędrzejewski-Szmek [Mon, 7 Nov 2016 16:46:38 +0000 (11:46 -0500)]
coredump: fix format string on 32 bits

In file included from ./src/basic/macro.h:415:0,
                 from ./src/shared/acl-util.h:28,
                 from src/coredump/coredump.c:36:
src/coredump/coredump.c: In function ‘submit_coredump’:
src/coredump/coredump.c:711:26: warning: format ‘%zu’ expects argument of type ‘size_t’, but argument 7 has type ‘uint64_t {aka long long unsigned int}’ [-Wformat=]
                 log_info("The core will not be stored: size %zu is greater than %zu (the configured maximum)",
                          ^
./src/basic/log.h:175:82: note: in definition of macro ‘log_full_errno’
                         ? log_internal(_level, _e, __FILE__, __LINE__, __func__, __VA_ARGS__) \
                                                                                  ^~~~~~~~~~~
./src/basic/log.h:183:28: note: in expansion of macro ‘log_full’
 #define log_info(...)      log_full(LOG_INFO,    __VA_ARGS__)
                            ^~~~~~~~
src/coredump/coredump.c:711:17: note: in expansion of macro ‘log_info’
                 log_info("The core will not be stored: size %zu is greater than %zu (the configured maximum)",
                 ^~~~~~~~
src/coredump/coredump.c:711:26: warning: format ‘%zu’ expects argument of type ‘size_t’, but argument 8 has type ‘uint64_t {aka long long unsigned int}’ [-Wformat=]
                 log_info("The core will not be stored: size %zu is greater than %zu (the configured maximum)",
                          ^
./src/basic/log.h:175:82: note: in definition of macro ‘log_full_errno’
                         ? log_internal(_level, _e, __FILE__, __LINE__, __func__, __VA_ARGS__) \
                                                                                  ^~~~~~~~~~~
./src/basic/log.h:183:28: note: in expansion of macro ‘log_full’
 #define log_info(...)      log_full(LOG_INFO,    __VA_ARGS__)
                            ^~~~~~~~
src/coredump/coredump.c:711:17: note: in expansion of macro ‘log_info’
                 log_info("The core will not be stored: size %zu is greater than %zu (the configured maximum)",
                 ^~~~~~~~
src/coredump/coredump.c:741:27: warning: format ‘%zu’ expects argument of type ‘size_t’, but argument 7 has type ‘uint64_t {aka long long unsigned int}’ [-Wformat=]
                 log_debug("Not generating stack trace: core size %zu is greater than %zu (the configured maximum)",
                           ^
./src/basic/log.h:175:82: note: in definition of macro ‘log_full_errno’
                         ? log_internal(_level, _e, __FILE__, __LINE__, __func__, __VA_ARGS__) \
                                                                                  ^~~~~~~~~~~
./src/basic/log.h:182:28: note: in expansion of macro ‘log_full’
 #define log_debug(...)     log_full(LOG_DEBUG,   __VA_ARGS__)
                            ^~~~~~~~
src/coredump/coredump.c:741:17: note: in expansion of macro ‘log_debug’
                 log_debug("Not generating stack trace: core size %zu is greater than %zu (the configured maximum)",
                 ^~~~~~~~~
src/coredump/coredump.c:741:27: warning: format ‘%zu’ expects argument of type ‘size_t’, but argument 8 has type ‘uint64_t {aka long long unsigned int}’ [-Wformat=]
                 log_debug("Not generating stack trace: core size %zu is greater than %zu (the configured maximum)",
                           ^
./src/basic/log.h:175:82: note: in definition of macro ‘log_full_errno’
                         ? log_internal(_level, _e, __FILE__, __LINE__, __func__, __VA_ARGS__) \
                                                                                  ^~~~~~~~~~~
./src/basic/log.h:182:28: note: in expansion of macro ‘log_full’
 #define log_debug(...)     log_full(LOG_DEBUG,   __VA_ARGS__)
                            ^~~~~~~~
src/coredump/coredump.c:741:17: note: in expansion of macro ‘log_debug’
                 log_debug("Not generating stack trace: core size %zu is greater than %zu (the configured maximum)",
                 ^~~~~~~~~
src/coredump/coredump.c:768:34: warning: format ‘%zu’ expects argument of type ‘size_t’, but argument 7 has type ‘uint64_t {aka long long unsigned int}’ [-Wformat=]
                         log_info("The core will not be stored: size %zu is greater than %zu (the configured maximum)",
                                  ^
./src/basic/log.h:175:82: note: in definition of macro ‘log_full_errno’
                         ? log_internal(_level, _e, __FILE__, __LINE__, __func__, __VA_ARGS__) \
                                                                                  ^~~~~~~~~~~
./src/basic/log.h:183:28: note: in expansion of macro ‘log_full’
 #define log_info(...)      log_full(LOG_INFO,    __VA_ARGS__)
                            ^~~~~~~~
src/coredump/coredump.c:768:25: note: in expansion of macro ‘log_info’
                         log_info("The core will not be stored: size %zu is greater than %zu (the configured maximum)",
                         ^~~~~~~~

8 years agoRename formats-util.h to format-util.h
Zbigniew Jędrzejewski-Szmek [Mon, 7 Nov 2016 15:14:59 +0000 (10:14 -0500)]
Rename formats-util.h to format-util.h

We don't have plural in the name of any other -util files and this
inconsistency trips me up every time I try to type this file name
from memory. "formats-util" is even hard to pronounce.

8 years agonspawn: slight simplification
Zbigniew Jędrzejewski-Szmek [Mon, 7 Nov 2016 13:57:30 +0000 (08:57 -0500)]
nspawn: slight simplification

8 years agonspawn: avoid one strdup by using free_and_replace
Zbigniew Jędrzejewski-Szmek [Mon, 7 Nov 2016 13:54:47 +0000 (08:54 -0500)]
nspawn: avoid one strdup by using free_and_replace

8 years agosystemd-nspawn: decrease non-fatal mount errors to debug level (#4569)
tblume [Mon, 7 Nov 2016 13:20:43 +0000 (14:20 +0100)]
systemd-nspawn: decrease non-fatal mount errors to debug level (#4569)

non-fatal mount errors shouldn't be logged as warnings.

8 years agocore: make RootDirectory= and ProtectKernelModules= work
Djalal Harouni [Sun, 6 Nov 2016 21:51:49 +0000 (22:51 +0100)]
core: make RootDirectory= and ProtectKernelModules= work

Instead of having two fields inside BindMount struct where one is stack
based and the other one is heap, use one field to store the full path
and updated it when we chase symlinks. This way we avoid dealing with
both at the same time.

This makes RootDirectory= work with ProtectHome= and ProtectKernelModules=yes

Fixes: https://github.com/systemd/systemd/issues/4567

8 years agomachinectl: don't output "No machines." with --no-legend option (#4593)
Viktar Vaŭčkievič [Sun, 6 Nov 2016 14:19:57 +0000 (17:19 +0300)]
machinectl: don't output "No machines." with --no-legend option (#4593)

8 years agodelta: skip symlink paths when split-usr is enabled (#4591)
Felipe Sateler [Sun, 6 Nov 2016 14:16:42 +0000 (11:16 -0300)]
delta: skip symlink paths when split-usr is enabled (#4591)

If systemd is built with --enable-split-usr, but the system is indeed a
merged-usr system, then systemd-delta gets all confused and reports
that all units and configuration files have been overridden.

Skip any prefix paths that are symlinks in this case.

Fixes: #4573

8 years agoDrop FOREACH_WORD_QUOTED
Zbigniew Jędrzejewski-Szmek [Fri, 28 Oct 2016 02:44:50 +0000 (22:44 -0400)]
Drop FOREACH_WORD_QUOTED

8 years agocore/device: port to extract_first_word
Zbigniew Jędrzejewski-Szmek [Fri, 28 Oct 2016 01:30:48 +0000 (21:30 -0400)]
core/device: port to extract_first_word

8 years agocore/load-fragment: modify existing environment instead of copying strv over and...
Zbigniew Jędrzejewski-Szmek [Fri, 28 Oct 2016 01:15:59 +0000 (21:15 -0400)]
core/load-fragment: modify existing environment instead of copying strv over and over

8 years agocore/load-fragment: port to extract_first_word
Zbigniew Jędrzejewski-Szmek [Fri, 28 Oct 2016 00:15:22 +0000 (20:15 -0400)]
core/load-fragment: port to extract_first_word

8 years agotree-wide: drop unneded WHITESPACE param to extract_first_word
Zbigniew Jędrzejewski-Szmek [Fri, 28 Oct 2016 00:06:44 +0000 (20:06 -0400)]
tree-wide: drop unneded WHITESPACE param to extract_first_word

It's the default, and NULL is shorter.

8 years agoMerge pull request #4578 from evverx/no-hostname-memleak
Ronny Chevalier [Sat, 5 Nov 2016 14:23:31 +0000 (15:23 +0100)]
Merge pull request #4578 from evverx/no-hostname-memleak

journalctl: fix memleak

8 years agoMerge pull request #4579 from evverx/acl-memleak
Ronny Chevalier [Sat, 5 Nov 2016 13:22:59 +0000 (14:22 +0100)]
Merge pull request #4579 from evverx/acl-memleak

acl-util: fix memleak

8 years agocore: add new RestrictNamespaces= unit file setting
Lennart Poettering [Wed, 2 Nov 2016 02:25:19 +0000 (20:25 -0600)]
core: add new RestrictNamespaces= unit file setting

This new setting permits restricting whether namespaces may be created and
managed by processes started by a unit. It installs a seccomp filter blocking
certain invocations of unshare(), clone() and setns().

RestrictNamespaces=no is the default, and does not restrict namespaces in any
way. RestrictNamespaces=yes takes away the ability to create or manage any kind
of namspace. "RestrictNamespaces=mnt ipc" restricts the creation of namespaces
so that only mount and IPC namespaces may be created/managed, but no other
kind of namespaces.

This setting should be improve security quite a bit as in particular user
namespacing was a major source of CVEs in the kernel in the past, and is
accessible to unprivileged processes. With this setting the entire attack
surface may be removed for system services that do not make use of namespaces.

8 years agokernel-install: use exit instead of return (#4565)
Yu Watanabe [Fri, 4 Nov 2016 12:58:41 +0000 (21:58 +0900)]
kernel-install: use exit instead of return (#4565)

/bin/kernel-install: line 143: return: can only `return' from a function or sourced script

https://bugzilla.redhat.com/show_bug.cgi?id=1391829

8 years agoman: update kernel-install(8) to match reality (#4563)
Zbigniew Jędrzejewski-Szmek [Fri, 4 Nov 2016 12:40:58 +0000 (08:40 -0400)]
man: update kernel-install(8) to match reality (#4563)

8 years agoMerge pull request #4548 from keszybz/seccomp-help
Zbigniew Jędrzejewski-Szmek [Fri, 4 Nov 2016 00:27:45 +0000 (20:27 -0400)]
Merge pull request #4548 from keszybz/seccomp-help

systemd-analyze syscall-filter

8 years agodoc: clarify NoNewPrivileges (#4562)
Kees Cook [Fri, 4 Nov 2016 00:26:59 +0000 (18:26 -0600)]
doc: clarify NoNewPrivileges (#4562)

Setting no_new_privs does not stop UID changes, but rather blocks
gaining privileges through execve(). Also fixes a small typo.

8 years agoacl-util: fix memleak
Evgeny Vereshchagin [Thu, 3 Nov 2016 22:04:40 +0000 (22:04 +0000)]
acl-util: fix memleak

Fixes:
$ ./libtool --mode execute valgrind --leak-check=full ./journalctl >/dev/null
==22309== Memcheck, a memory error detector
==22309== Copyright (C) 2002-2015, and GNU GPL'd, by Julian Seward et al.
==22309== Using Valgrind-3.11.0 and LibVEX; rerun with -h for copyright info
==22309== Command: /home/vagrant/systemd/.libs/lt-journalctl
==22309==
Hint: You are currently not seeing messages from other users and the system.
      Users in groups 'adm', 'systemd-journal', 'wheel' can see all messages.
      Pass -q to turn off this notice.
==22309==
==22309== HEAP SUMMARY:
==22309==     in use at exit: 8,680 bytes in 4 blocks
==22309==   total heap usage: 5,543 allocs, 5,539 frees, 9,045,618 bytes allocated
==22309==
==22309== 488 (56 direct, 432 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 4
==22309==    at 0x4C2BBAD: malloc (vg_replace_malloc.c:299)
==22309==    by 0x6F37A0A: __new_var_obj_p (__libobj.c:36)
==22309==    by 0x6F362F7: __acl_init_obj (acl_init.c:28)
==22309==    by 0x6F37731: __acl_from_xattr (__acl_from_xattr.c:54)
==22309==    by 0x6F36087: acl_get_file (acl_get_file.c:69)
==22309==    by 0x4F15752: acl_search_groups (acl-util.c:172)
==22309==    by 0x113A1E: access_check_var_log_journal (journalctl.c:1836)
==22309==    by 0x113D8D: access_check (journalctl.c:1889)
==22309==    by 0x115681: main (journalctl.c:2236)
==22309==
==22309== LEAK SUMMARY:
==22309==    definitely lost: 56 bytes in 1 blocks
==22309==    indirectly lost: 432 bytes in 1 blocks
==22309==      possibly lost: 0 bytes in 0 blocks
==22309==    still reachable: 8,192 bytes in 2 blocks
==22309==         suppressed: 0 bytes in 0 blocks

8 years agojournalctl: fix memleak
Evgeny Vereshchagin [Thu, 3 Nov 2016 21:23:22 +0000 (21:23 +0000)]
journalctl: fix memleak

bash-4.3# journalctl --no-hostname >/dev/null

=================================================================
==288==ERROR: LeakSanitizer: detected memory leaks

Direct leak of 48492 byte(s) in 2694 object(s) allocated from:
    #0 0x7fb4aba13e60 in malloc (/lib64/libasan.so.3+0xc6e60)
    #1 0x7fb4ab5b2cc4 in malloc_multiply src/basic/alloc-util.h:70
    #2 0x7fb4ab5b3194 in parse_field src/shared/logs-show.c:98
    #3 0x7fb4ab5b4918 in output_short src/shared/logs-show.c:347
    #4 0x7fb4ab5b7cb7 in output_journal src/shared/logs-show.c:977
    #5 0x5650e29cd83d in main src/journal/journalctl.c:2581
    #6 0x7fb4aabdb730 in __libc_start_main (/lib64/libc.so.6+0x20730)

SUMMARY: AddressSanitizer: 48492 byte(s) leaked in 2694 allocation(s).

Closes: #4568

8 years agobuild-sys: link test-seccomp against seccomp libs (#4560)
Martin Pitt [Thu, 3 Nov 2016 21:15:33 +0000 (23:15 +0200)]
build-sys: link test-seccomp against seccomp libs (#4560)

Fixes build error on recent toolchains:

  ../src/test/test-seccomp.c:35: error: undefined reference to 'seccomp_arch_native'
  collect2: error: ld returned 1 exit status

8 years agoanalyze: fix build w/o seccomp
Zbigniew Jędrzejewski-Szmek [Thu, 3 Nov 2016 18:33:49 +0000 (14:33 -0400)]
analyze: fix build w/o seccomp

8 years agoMerge pull request #4510 from keszybz/tree-wide-cleanups
Lennart Poettering [Thu, 3 Nov 2016 19:59:20 +0000 (13:59 -0600)]
Merge pull request #4510 from keszybz/tree-wide-cleanups

Tree wide cleanups

8 years agoRevert "sd-bus: use PRIu64 instead of casting" (#4556)
Zbigniew Jędrzejewski-Szmek [Thu, 3 Nov 2016 17:16:42 +0000 (13:16 -0400)]
Revert "sd-bus: use PRIu64 instead of casting" (#4556)

This reverts commit 75ead2b753cb9586f3f208326446081baab70da1.

Follow up for #4546:
> @@ -848,8 +848,7 @@ static int bus_kernel_make_message(sd_bus *bus, struct kdbus_msg *k) {
         if (k->src_id == KDBUS_SRC_ID_KERNEL)
                 bus_message_set_sender_driver(bus, m);
         else {
-                xsprintf(m->sender_buffer, ":1.%llu",
-                         (unsigned long long)k->src_id);
+                xsprintf(m->sender_buffer, ":1.%"PRIu64, k->src_id);

This produces:

src/libsystemd/sd-bus/bus-kernel.c: In function ‘bus_kernel_make_message’:
src/libsystemd/sd-bus/bus-kernel.c:851:44: warning: format ‘%lu’ expects argument of type ‘long
unsigned int’, but argument 4 has type ‘__u64 {aka long long unsigned int}’ [-Wformat=]
                 xsprintf(m->sender_buffer, ":1.%"PRIu64, k->src_id);
                                            ^

8 years agohwdb update for 232 (#4557)
Lennart Poettering [Thu, 3 Nov 2016 17:16:01 +0000 (11:16 -0600)]
hwdb update for 232 (#4557)

8 years agofinal NEWS update for 232 (#4558)
Lennart Poettering [Thu, 3 Nov 2016 14:56:26 +0000 (08:56 -0600)]
final NEWS update for 232 (#4558)

let's get this out today!

8 years agoseccomp-util, analyze: export comments as a help string
Zbigniew Jędrzejewski-Szmek [Wed, 2 Nov 2016 16:24:34 +0000 (12:24 -0400)]
seccomp-util, analyze: export comments as a help string

Just to make the whole thing easier for users.

8 years agoseccomp-util: move @default to the first position
Zbigniew Jędrzejewski-Szmek [Wed, 2 Nov 2016 16:01:04 +0000 (12:01 -0400)]
seccomp-util: move @default to the first position

Now that the list is user-visible, @default should be first.

8 years agoanalyze: add syscall-filter verb
Zbigniew Jędrzejewski-Szmek [Wed, 2 Nov 2016 15:58:18 +0000 (11:58 -0400)]
analyze: add syscall-filter verb

This should make it easier for users to understand what each filter
means as the list of syscalls is updated in subsequent systemd versions.

8 years agoMerge pull request #4543 from endocode/djalal/fix-dynamicuser-supplementary-groups
Djalal Harouni [Thu, 3 Nov 2016 10:48:28 +0000 (11:48 +0100)]
Merge pull request #4543 from endocode/djalal/fix-dynamicuser-supplementary-groups

core: intialize user aux groups and SupplementaryGroups= when DynamicUser= is set

8 years agotest: test DynamicUser= with SupplementaryGroups=
Djalal Harouni [Wed, 2 Nov 2016 22:02:28 +0000 (23:02 +0100)]
test: test DynamicUser= with SupplementaryGroups=

8 years agotest: test DynamicUser= with a fixed user
Djalal Harouni [Wed, 2 Nov 2016 21:59:41 +0000 (22:59 +0100)]
test: test DynamicUser= with a fixed user

8 years agocore: intialize user aux groups and SupplementaryGroups= when DynamicUser= is set
Djalal Harouni [Wed, 2 Nov 2016 21:42:40 +0000 (22:42 +0100)]
core: intialize user aux groups and SupplementaryGroups= when DynamicUser= is set

Make sure that when DynamicUser= is set that we intialize the user
supplementary groups and that we also support SupplementaryGroups=

Fixes: https://github.com/systemd/systemd/issues/4539

Thanks Evgeny Vereshchagin (@evverx)

8 years agoMerge pull request #4547 from keszybz/two-testsuite-tweaks
Lennart Poettering [Thu, 3 Nov 2016 05:06:53 +0000 (23:06 -0600)]
Merge pull request #4547 from keszybz/two-testsuite-tweaks

Two testsuite tweaks

8 years agoMerge pull request #4546 from keszybz/xsprintf-revert
Lennart Poettering [Thu, 3 Nov 2016 04:44:36 +0000 (22:44 -0600)]
Merge pull request #4546 from keszybz/xsprintf-revert

xsprintf revert

8 years agoparse_hwdb: add import fallback for python2
Zbigniew Jędrzejewski-Szmek [Thu, 3 Nov 2016 02:48:08 +0000 (22:48 -0400)]
parse_hwdb: add import fallback for python2

8 years agoudev/udev-watch: calculate the real buffer sizes needed
Zbigniew Jędrzejewski-Szmek [Thu, 3 Nov 2016 02:05:48 +0000 (22:05 -0400)]
udev/udev-watch: calculate the real buffer sizes needed

8 years agoDo not raise in switch root if paths are too long
Zbigniew Jędrzejewski-Szmek [Thu, 3 Nov 2016 02:05:06 +0000 (22:05 -0400)]
Do not raise in switch root if paths are too long

If we encounter the (unlikely) situation where the combined path to the
new root and a path to a mount to be moved together exceed maximum path length,
we shouldn't crash, but fail this path instead.

8 years agosd-bus: use PRIu64 instead of casting
Zbigniew Jędrzejewski-Szmek [Thu, 3 Nov 2016 02:03:27 +0000 (22:03 -0400)]
sd-bus: use PRIu64 instead of casting

8 years agoRevert some uses of xsprintf
Zbigniew Jędrzejewski-Szmek [Thu, 3 Nov 2016 02:02:46 +0000 (22:02 -0400)]
Revert some uses of xsprintf

This reverts some changes introduced in d054f0a4d4.
xsprintf should be used in cases where we calculated the right buffer
size by hand (using DECIMAL_STRING_MAX and such), and never in cases where
we are printing externally specified strings of arbitrary length.

Fixes #4534.

8 years agoMerge pull request #4481 from poettering/perpetual
Zbigniew Jędrzejewski-Szmek [Thu, 3 Nov 2016 01:03:26 +0000 (21:03 -0400)]
Merge pull request #4481 from poettering/perpetual

Add "perpetual" unit concept, sysctl fixes, networkd fixes, systemctl color fixes, nspawn discard.

8 years agoMerge pull request #4542 from poettering/v232prep
Zbigniew Jędrzejewski-Szmek [Thu, 3 Nov 2016 00:13:27 +0000 (20:13 -0400)]
Merge pull request #4542 from poettering/v232prep

preparation for 232

8 years agocore: make a constant table actually constant
Lennart Poettering [Wed, 2 Nov 2016 18:05:22 +0000 (12:05 -0600)]
core: make a constant table actually constant

8 years agocore: don't hit an assert when printing status messages about units with overly long...
Lennart Poettering [Wed, 2 Nov 2016 18:02:53 +0000 (12:02 -0600)]
core: don't hit an assert when printing status messages about units with overly long description strings

This essentially reverts one part of d054f0a4d451120c26494263fc4dc175bfd405b1.

(We might also choose to use proper ellipsation here, but I wasn't sure the
memory allocation this requires wouöld be a good idea here...)

Fixes: #4534

8 years agoman: fix two typos (is → are) (#4544)
Lucas Werkmeister [Thu, 3 Nov 2016 00:10:29 +0000 (01:10 +0100)]
man: fix two typos (is → are) (#4544)

8 years agoMerge pull request #4456 from keszybz/stored-fds
Lennart Poettering [Wed, 2 Nov 2016 22:29:04 +0000 (16:29 -0600)]
Merge pull request #4456 from keszybz/stored-fds

Preserve stored fds over service restart

8 years agosystemctl: fix incorrect "need reload" on cat (#4535)
Lucas Werkmeister [Wed, 2 Nov 2016 22:12:03 +0000 (23:12 +0100)]
systemctl: fix incorrect "need reload" on cat (#4535)

Reported by @evverx in #4493.

8 years agoMerge pull request #4483 from poettering/exec-order
Lennart Poettering [Wed, 2 Nov 2016 22:09:59 +0000 (16:09 -0600)]
Merge pull request #4483 from poettering/exec-order

more seccomp fixes, and change of order of selinux/aa/smack and seccomp application on exec

8 years agobuild-sys: bump package and library version in preparation for v232
Lennart Poettering [Wed, 2 Nov 2016 22:04:40 +0000 (16:04 -0600)]
build-sys: bump package and library version in preparation for v232

8 years agoadd two additional entries to NEWS
Lennart Poettering [Wed, 2 Nov 2016 22:02:12 +0000 (16:02 -0600)]
add two additional entries to NEWS

8 years agoNEWS: add contributor list to news file
Lennart Poettering [Wed, 2 Nov 2016 21:52:57 +0000 (15:52 -0600)]
NEWS: add contributor list to news file

Unfortunately, github drops the original commiter when a PR is "squashed" (even
if it is only a single commit) and replaces it with some rubbish
github-specific user id. Thus, to make the contributors list somewhat useful,
update the .mailmap file and undo all the weirdness github applied there.

8 years agopid1: fix fd memleak when we hit FileDescriptorStoreMax limit
Zbigniew Jędrzejewski-Szmek [Wed, 2 Nov 2016 19:00:54 +0000 (15:00 -0400)]
pid1: fix fd memleak when we hit FileDescriptorStoreMax limit

Since service_add_fd_store() already does the check, remove the redundant check
from service_add_fd_store_set().

Also, print a warning when repopulating FDStore after daemon-reexec and we hit
the limit. This is a user visible issue, so we should not discard fds silently.
(Note that service_deserialize_item is impacted by the return value from
service_add_fd_store(), but we rely on the general error message, so the caller
does not need to be modified, and does not show up in the diff.)

8 years agocore: change mount_synthesize_root() return to int
Lennart Poettering [Wed, 2 Nov 2016 17:38:12 +0000 (11:38 -0600)]
core: change mount_synthesize_root() return to int

Let's propagate the error here, instead of eating it up early.

In a later change we should probably also change mount_enumerate() to propagate
errors up, but that would mean we'd have to change the unit vtable, and thus
change all unit types, hence is quite an invasive change.

8 years agonetworkd: flush DNSSL/RDNSS lists when we lose carrier
Lennart Poettering [Tue, 25 Oct 2016 10:08:43 +0000 (12:08 +0200)]
networkd: flush DNSSL/RDNSS lists when we lose carrier

Fixes: #3870

8 years agonetword: minor memory leak fix
Lennart Poettering [Tue, 25 Oct 2016 10:08:24 +0000 (12:08 +0200)]
netword: minor memory leak fix

8 years agonspawn: if we set up a loopback device, try to mount it with "discard"
Lennart Poettering [Tue, 25 Oct 2016 09:39:09 +0000 (11:39 +0200)]
nspawn: if we set up a loopback device, try to mount it with "discard"

Let's make sure that our loopback files remain sparse, hence let's set
"discard" as mount option on file systems that support it if the backing device
is a loopback.

8 years agosystemctl: tweak the "systemctl list-units" output a bit
Lennart Poettering [Tue, 25 Oct 2016 09:06:47 +0000 (11:06 +0200)]
systemctl: tweak the "systemctl list-units" output a bit

Make the underlining between the header and the body and between the units of
different types span the whole width of the table.

Let's never make the table wider than necessary (which is relevant due the
above).

When space is limited and we can't show the full ID or description string
prefer showing the full ID over the full description. The ID is after all
something people might want to copy/paste, while the description is mostly just
helpful decoration.

8 years agosystemctl: properly turn off color after active column
Lennart Poettering [Tue, 25 Oct 2016 08:00:06 +0000 (10:00 +0200)]
systemctl: properly turn off color after active column

If we turn on red color for the active column and it is not combined with
underlining, then we need to turn it off explicitly afterwards. Do that.

8 years agosysctl: minor simplification
Lennart Poettering [Tue, 25 Oct 2016 07:27:39 +0000 (09:27 +0200)]
sysctl: minor simplification

Let's place only one ternary operator.

8 years agosysctl: no need to check for eof twice
Lennart Poettering [Tue, 25 Oct 2016 07:26:31 +0000 (09:26 +0200)]
sysctl: no need to check for eof twice

Let's only check for eof once after the fgets(). There's no point in checking
EOF before the first read, and twice in each loop.

8 years agosysctl: when failing to process a config line, show line nr
Lennart Poettering [Tue, 25 Oct 2016 07:26:10 +0000 (09:26 +0200)]
sysctl: when failing to process a config line, show line nr

8 years agosysctl: split out condition check into its own function
Lennart Poettering [Tue, 25 Oct 2016 07:25:21 +0000 (09:25 +0200)]
sysctl: split out condition check into its own function

This way, we can get rid of a label/goto.

8 years agosysctl: do not fail systemd-sysctl.service if /proc/sys is mounted read-only
Lennart Poettering [Tue, 25 Oct 2016 07:22:22 +0000 (09:22 +0200)]
sysctl: do not fail systemd-sysctl.service if /proc/sys is mounted read-only

Let's make missing write access to /proc/sys non-fatal to the sysctl service.

This is a follow-up to 411e869f497c7c7bd0688f1e3500f9043bc56e48 which altered
the condition for running the sysctl service to check for /proc/sys/net being
writable, accepting that /proc/sys might be read-only. In order to ensure the
boot-up stays clean in containers lower the log level for the EROFS errors
generated due to this.

8 years agounit: unify some code with new unit_new_for_name() call
Lennart Poettering [Mon, 24 Oct 2016 22:29:05 +0000 (00:29 +0200)]
unit: unify some code with new unit_new_for_name() call

8 years agocore: make the root mount perpetual too
Lennart Poettering [Mon, 24 Oct 2016 22:04:55 +0000 (00:04 +0200)]
core: make the root mount perpetual too

Now that have a proper concept of "perpetual" units, let's make the root mount
one too, since it also cannot go away.

8 years agocore: rework the "no_gc" unit flag to become a more generic "perpetual" flag
Lennart Poettering [Mon, 24 Oct 2016 19:41:54 +0000 (21:41 +0200)]
core: rework the "no_gc" unit flag to become a more generic "perpetual" flag

So far "no_gc" was set on -.slice and init.scope, to units that are always
running, cannot be stopped and never exist in an "inactive" state. Since these
units are the only users of this flag, let's remodel it and rename it
"perpetual" and let's derive more funcitonality off it. Specifically, refuse
enqueing stop jobs for these units, and report that they are "unstoppable" in
the CanStop bus property.

8 years agocore: initialize groups list before checking SupplementaryGroups= of a unit (#4533)
Djalal Harouni [Wed, 2 Nov 2016 16:51:35 +0000 (17:51 +0100)]
core: initialize groups list before checking SupplementaryGroups= of a unit (#4533)

Always initialize the supplementary groups of caller before checking the
unit SupplementaryGroups= option.

Fixes https://github.com/systemd/systemd/issues/4531

8 years agotests: make sure tests pass when invoked in "sudo"
Lennart Poettering [Wed, 2 Nov 2016 02:30:11 +0000 (20:30 -0600)]
tests: make sure tests pass when invoked in "sudo"

This is a follow-up for 6309e51ea32d64524431ee65c49eecd44390da8f and makes sure
we compare test results with the right user identifier.

8 years agoman: document that too strict system call filters may affect the service manager
Lennart Poettering [Tue, 25 Oct 2016 14:08:38 +0000 (16:08 +0200)]
man: document that too strict system call filters may affect the service manager

If execve() or socket() is filtered the service manager might get into trouble
executing the service binary, or handling any failures when this fails. Mention
this in the documentation.

The other option would be to implicitly whitelist all system calls that are
required for these codepaths. However, that appears less than desirable as this
would mean socket() and many related calls have to be whitelisted
unconditionally. As writing system call filters requires a certain level of
expertise anyway it sounds like the better option to simply document these
issues and suggest that the user disables system call filters in the service
temporarily in order to debug any such failures.

See: #3993.

8 years agoexecute: apply seccomp filters after changing selinux/aa/smack contexts
Lennart Poettering [Tue, 25 Oct 2016 13:52:54 +0000 (15:52 +0200)]
execute: apply seccomp filters after changing selinux/aa/smack contexts

Seccomp is generally an unprivileged operation, changing security contexts is
most likely associated with some form of policy. Moreover, while seccomp may
influence our own flow of code quite a bit (much more than the security context
change) make sure to apply the seccomp filters immediately before executing the
binary to invoke.

This also moves enforcement of NNP after the security context change, so that
NNP cannot affect it anymore. (However, the security policy now has to permit
the NNP change).

This change has a good chance of breaking current SELinux/AA/SMACK setups, because
the policy might not expect this change of behaviour. However, it's technically
the better choice I think and should hence be applied.

Fixes: #3993

8 years agoseccomp: add two new syscall groups
Lennart Poettering [Wed, 2 Nov 2016 14:46:18 +0000 (08:46 -0600)]
seccomp: add two new syscall groups

@resources contains various syscalls that alter resource limits and memory and
scheduling parameters of processes. As such they are good candidates to block
for most services.

@basic-io contains a number of basic syscalls for I/O, similar to the list
seccomp v1 permitted but slightly more complete. It should be useful for
building basic whitelisting for minimal sandboxes

8 years agoman: two minor fixes
Lennart Poettering [Tue, 25 Oct 2016 13:44:54 +0000 (15:44 +0200)]
man: two minor fixes

8 years agoseccomp: include pipes and memfd in @ipc
Lennart Poettering [Tue, 25 Oct 2016 13:43:31 +0000 (15:43 +0200)]
seccomp: include pipes and memfd in @ipc

These system calls clearly fall in the @ipc category, hence should be listed
there, simply to avoid confusion and surprise by the user.

8 years agoseccomp: drop execve() from @process list
Lennart Poettering [Tue, 25 Oct 2016 13:42:10 +0000 (15:42 +0200)]
seccomp: drop execve() from @process list

The system call is already part in @default hence implicitly allowed anyway.
Also, if it is actually blocked then systemd couldn't execute the service in
question anymore, since the application of seccomp is immediately followed by
it.

8 years agoseccomp: add clock query and sleeping syscalls to "@default" group
Lennart Poettering [Tue, 25 Oct 2016 13:38:36 +0000 (15:38 +0200)]
seccomp: add clock query and sleeping syscalls to "@default" group

Timing and sleep are so basic operations, it makes very little sense to ever
block them, hence don't.

8 years agoupdate TODO
Lennart Poettering [Tue, 25 Oct 2016 10:43:53 +0000 (12:43 +0200)]
update TODO

8 years agoudev: net_id: add support for phys_port_name attribute (#4506)
Jiří Pírko [Wed, 2 Nov 2016 02:46:01 +0000 (03:46 +0100)]
udev: net_id: add support for phys_port_name attribute (#4506)

Switch drivers uses phys_port_name attribute to pass front panel port
name to user. Use it to generate netdev names.

Signed-off-by: Jiri Pirko <jiri@mellanox.com>
8 years agotests: add test that journald keeps fds over termination by signal
Evgeny Vereshchagin [Thu, 20 Oct 2016 13:18:12 +0000 (13:18 +0000)]
tests: add test that journald keeps fds over termination by signal

This test fails before previous commit, and passes with it.

8 years agocore: when restarting services, don't close fds
Zbigniew Jędrzejewski-Szmek [Sun, 23 Oct 2016 02:16:02 +0000 (22:16 -0400)]
core: when restarting services, don't close fds

We would close all the stored fds in service_release_resources(), which of
course broke the whole concept of storing fds over service restart.

Fixes #4408.

8 years agoseccomp: allow specifying arm64, mips, ppc (#4491)
Zbigniew Jędrzejewski-Szmek [Tue, 1 Nov 2016 15:33:18 +0000 (11:33 -0400)]
seccomp: allow specifying arm64, mips, ppc (#4491)

"Secondary arch" table for mips is entirely speculative…