Lennart Poettering [Thu, 6 Oct 2016 09:58:13 +0000 (11:58 +0200)]
Merge pull request #4199 from dvdhrm/hwdb-order
hwdb: return conflicts in a well-defined order
Susant Sahani [Thu, 6 Oct 2016 09:45:07 +0000 (15:15 +0530)]
networkd: fix coding style (#4294)
Yuki Inoguchi [Thu, 6 Oct 2016 09:44:51 +0000 (18:44 +0900)]
journald, ratelimit: fix inaccurate message suppression in journal_rate_limit_test() (#4291)
Currently, the ratelimit does not handle the number of suppressed messages accurately.
Even though the number of messages reaches the limit, it still allows to add one extra messages to journal.
This patch fixes the problem.
Piotr Drąg [Wed, 5 Oct 2016 20:59:37 +0000 (22:59 +0200)]
catalog,po: update Polish translation (#4290)
Tobias Jungel [Wed, 5 Oct 2016 15:06:40 +0000 (17:06 +0200)]
networkd: use BridgeFDB as well on bridge ports (#4253)
[BridgeFDB] did not apply to bridge ports so far. This patch adds the proper
handling. In case of a bridge interface the correct flag NTF_MASTER is now set
in the netlink call. FDB MAC addresses are now applied in
link_enter_set_addresses to make sure the link is setup.
Zeal Jagannatha [Wed, 5 Oct 2016 12:00:06 +0000 (14:00 +0200)]
Added ArchLinux config for mkosi (#4274)
hbrueckner [Wed, 5 Oct 2016 11:58:55 +0000 (13:58 +0200)]
seccomp: add support for the s390 architecture (#4287)
Add seccomp support for the s390 architecture (31-bit and 64-bit)
to systemd.
This requires libseccomp >= 2.3.1.
Djalal Harouni [Wed, 5 Oct 2016 04:57:02 +0000 (06:57 +0200)]
nspawn: add log message to let users know that nspawn needs an empty /dev directory (#4226)
Fixes https://github.com/systemd/systemd/issues/3695
At the same time it adds a protection against userns chown of inodes of
a shared mount point.
Thomas H. P. Andersen [Tue, 4 Oct 2016 18:41:46 +0000 (20:41 +0200)]
NEWS: typo fixes (#4285)
Stefan Schweter [Sun, 2 Oct 2016 17:37:21 +0000 (19:37 +0200)]
tree-wide: remove consecutive duplicate words in comments
Michael Olbrich [Tue, 4 Oct 2016 14:15:37 +0000 (16:15 +0200)]
list: LIST_INSERT_BEFORE: update head if necessary (#4261)
If the new item is inserted before the first item in the list, then the
head must be updated as well.
Add a test to the list unit test to check for this.
Michael Olbrich [Tue, 4 Oct 2016 14:13:27 +0000 (16:13 +0200)]
automount: make sure the expire event is restarted after a daemon-reload (#4265)
If the corresponding mount unit is deserialized after the automount unit
then the expire event is set up in automount_trigger_notify(). However, if
the mount unit is deserialized first then the automount unit is still in
state AUTOMOUNT_DEAD and automount_trigger_notify() aborts without setting
up the expire event.
Explicitly call automount_start_expire() during coldplug to make sure that
the expire event is set up as necessary.
Fixes #4249.
Lucas Werkmeister [Tue, 4 Oct 2016 13:53:16 +0000 (15:53 +0200)]
Typo (`mathes` → `matches`) (#4283)
andhe [Tue, 4 Oct 2016 13:36:03 +0000 (15:36 +0200)]
po: updated Swedish translation (#4241)
* po: updated Swedish translation
* po: swedish: fix login vs write logs to confusion
Since previous commit (updated messages) there's now a mix of
different translation meanings for the same thing.
While both translations are technically correct I think the
meaning of the original messages are probably "to login" rather
than "to write log messages to". This commit switches all
translations to the "login" meaning.
Martin Pitt [Tue, 4 Oct 2016 13:34:08 +0000 (15:34 +0200)]
Merge pull request #4273 from keszybz/docs
Routing-domains-manpage tweak and NEWS update
Elias Probst [Tue, 4 Oct 2016 12:37:28 +0000 (14:37 +0200)]
Typo (`virtiualization` → `virtualization`) (#4281)
Stefan Schweter [Mon, 3 Oct 2016 15:09:54 +0000 (17:09 +0200)]
man: remove consecutive duplicate words (#4268)
This PR removes consecutive duplicate words from the man pages of:
* `resolved.conf.xml`
* `systemd.exec.xml`
* `systemd.socket.xml`
Alban Crequy [Sat, 1 Oct 2016 08:58:56 +0000 (10:58 +0200)]
nspawn: set shared propagation mode for the container
Zbigniew Jędrzejewski-Szmek [Sun, 2 Oct 2016 12:52:52 +0000 (14:52 +0200)]
build-sys: use non-breaking spaces in contributor list
I think it's easier to read peoples' names with this change.
Zbigniew Jędrzejewski-Szmek [Sun, 2 Oct 2016 12:51:49 +0000 (14:51 +0200)]
NEWS: add another batch of entries
Zbigniew Jędrzejewski-Szmek [Sun, 2 Oct 2016 12:32:44 +0000 (14:32 +0200)]
man: rework the explanation of Domains=
Put more emphasis on the routing part. This is the more interesting
thing, and also more complicated and novel.
Explain "search domains" as the special case. Also explain the effect of
~. in more detail.
Zbigniew Jędrzejewski-Szmek [Sun, 2 Oct 2016 11:24:54 +0000 (13:24 +0200)]
man: fix indentation in table
<entry>-ies must be a single line of text. Otherwise docbook does strange
things to the indentation.
Zbigniew Jędrzejewski-Szmek [Sun, 25 Sep 2016 13:58:29 +0000 (09:58 -0400)]
core: do not try to create /run/systemd/transient in test mode
This prevented systemd-analyze from unprivileged operation on older systemd
installations, which should be possible.
Also, we shouldn't touch the file system in test mode even if we can.
Zbigniew Jędrzejewski-Szmek [Sun, 25 Sep 2016 13:55:26 +0000 (09:55 -0400)]
analyze-verify: honour $SYSTEMD_UNIT_PATH, allow system paths to be ignored
SYSTEMD_UNIT_PATH=foobar: systemd-analyze verify barbar/unit.service
will load units from barbar/, foobar/, /etc/systemd/system/, etc.
SYSTEMD_UNIT_PATH= systemd-analyze verify barbar/unit.service
will load units only from barbar/, which is useful e.g. when testing
systemd's own units on a system with an older version of systemd installed.
Zbigniew Jędrzejewski-Szmek [Sun, 25 Sep 2016 12:34:30 +0000 (08:34 -0400)]
core: complain if Before= dep on .device is declared
[Unit]
Before=foobar.device
[Service]
ExecStart=/bin/true
Type=oneshot
$ systemd-analyze verify before-device.service
before-device.service: Dependency Before=foobar.device ignored (.device units cannot be delayed)
Martin Pitt [Mon, 5 Sep 2016 11:14:36 +0000 (13:14 +0200)]
systemctl: Add --wait option to wait until started units terminate again
Fixes #3830
Stefan Schweter [Sat, 1 Oct 2016 15:11:38 +0000 (17:11 +0200)]
man: update mx record example (#4257)
Zbigniew Jędrzejewski-Szmek [Sat, 1 Oct 2016 15:09:51 +0000 (17:09 +0200)]
Merge pull request #4164 from martinpitt/nss-resolve
nss-resolve: return NOTFOUND instead of UNAVAIL for DNSSEC validation failures
Martin Pitt [Fri, 16 Sep 2016 06:27:39 +0000 (08:27 +0200)]
nss-resolve: return NOTFOUND instead of UNAVAIL on resolution errors
It needs to be possible to tell apart "the nss-resolve module does not exist"
(which can happen when running foreign-architecture programs) from "the queried
DNS name failed DNSSEC validation" or other errors. So return NOTFOUND for these
cases too, and only keep UNAVAIL for the cases where we cannot handle the given
address family.
This makes it possible to configure a fallback to "dns" without breaking
DNSSEC, with "resolve [!UNAVAIL=return] dns". Add this to the manpage.
This does not change behaviour if resolved is not running, as that already
falls back to the "dns" glibc module.
Fixes #4157
Martin Pitt [Sat, 1 Oct 2016 14:54:45 +0000 (16:54 +0200)]
man: drop myhostname from recommended nsswitch host configuration
resolve includes myhostname functionality, so there is no need to add it again.
Martin Pitt [Fri, 16 Sep 2016 08:57:06 +0000 (10:57 +0200)]
nss-resolve: simplify error handling
Handle general errors from the resolved call in _nss_resolve_gethostbyaddr2_r()
the same say as in the other variants: Just "goto fail" as that does exactly
the same.
Zbigniew Jędrzejewski-Szmek [Fri, 30 Sep 2016 11:35:07 +0000 (13:35 +0200)]
core: update warning message
"closing all" might suggest that _all_ fds received with the notification message
will be closed. Reword the message to clarify that only the "unused" ones will be
closed.
Zbigniew Jędrzejewski-Szmek [Fri, 30 Sep 2016 11:34:10 +0000 (13:34 +0200)]
core: get rid of unneeded state variable
No functional change.
Elias Probst [Fri, 30 Sep 2016 11:25:25 +0000 (13:25 +0200)]
networkd: fix "parametres" typo (#4244)
Martin Pitt [Fri, 30 Sep 2016 09:16:51 +0000 (11:16 +0200)]
Merge pull request #4225 from keszybz/coredump
coredump: remove Storage=both support, various fixes for sd-coredump and coredumpctl
Martin Pitt [Fri, 30 Sep 2016 07:30:08 +0000 (09:30 +0200)]
resolved: don't query domain-limited DNS servers for other domains (#3621)
DNS servers which have route-only domains should only be used for
the specified domains. Routing queries about other domains there is a privacy
violation, prone to fail (as that DNS server was not meant to be used for other
domains), and puts unnecessary load onto that server.
Introduce a new helper function dns_server_limited_domains() that checks if the
DNS server should only be used for some selected domains, i. e. has some
route-only domains without "~.". Use that when determining whether to query it
in the scope, and when writing resolv.conf.
Extend the test_route_only_dns() case to ensure that the DNS server limited to
~company does not appear in resolv.conf. Add test_route_only_dns_all_domains()
to ensure that a server that also has ~. does appear in resolv.conf as global
name server. These reproduce #3420.
Add a new test_resolved_domain_restricted_dns() test case that verifies that
domain-limited DNS servers are only being used for those domains. This
reproduces #3421.
Clarify what a "routing domain" is in the manpage.
Fixes #3420
Fixes #3421
Zbigniew Jędrzejewski-Szmek [Thu, 29 Sep 2016 14:07:41 +0000 (16:07 +0200)]
pid1: more informative error message for ignored notifications
It's probably easier to diagnose a bad notification message if the
contents are printed. But still, do anything only if debugging is on.
Zbigniew Jędrzejewski-Szmek [Thu, 29 Sep 2016 14:06:02 +0000 (16:06 +0200)]
pid1: process zero-length notification messages again
This undoes
531ac2b234. I acked that patch without looking at the code
carefully enough. There are two problems:
- we want to process the fds anyway
- in principle empty notification messages are valid, and we should
process them as usual, including logging using log_unit_debug().
Franck Bui [Thu, 29 Sep 2016 17:44:34 +0000 (19:44 +0200)]
pid1: don't return any error in manager_dispatch_notify_fd() (#4240)
If manager_dispatch_notify_fd() fails and returns an error then the handling of
service notifications will be disabled entirely leading to a compromised system.
For example pid1 won't be able to receive the WATCHDOG messages anymore and
will kill all services supposed to send such messages.
Jorge Niedbalski [Wed, 28 Sep 2016 21:25:50 +0000 (18:25 -0300)]
If the notification message length is 0, ignore the message (#4237)
Fixes #4234.
Signed-off-by: Jorge Niedbalski <jnr@metaklass.org>
Zbigniew Jędrzejewski-Szmek [Tue, 27 Sep 2016 10:40:54 +0000 (12:40 +0200)]
coredump,catalog: give better notice when a core file is truncated
coredump had code to check if copy_bytes() hit the max_bytes limit,
and refuse further processing in that case.
But in
84ee0960443, the return convention for copy_bytes() was changed
from -EFBIG to 1 for the case when the limit is hit, so the condition
check in coredump couldn't ever trigger.
But it seems that *do* want to process such truncated cores [1].
So change the code to detect truncation properly, but instead of
returning an error, give a nice log entry.
[1] https://github.com/systemd/systemd/issues/3883#issuecomment-
239106337
Should fix (or at least alleviate) #3883.
Zbigniew Jędrzejewski-Szmek [Tue, 27 Sep 2016 09:32:36 +0000 (11:32 +0200)]
coredump: log if the core is too large to store or generate backtrace
Another fix for #4161.
Zbigniew Jędrzejewski-Szmek [Mon, 26 Sep 2016 22:32:42 +0000 (00:32 +0200)]
coredumpctl: delay the "on tty" refusal until as late as possible
For the user, if the core file is missing or inaccessible, it is
more interesting that the fact that they forgot to pipe to a file.
So delay the failure from the check until after we have verified
that the file or the COREDUMP field are present.
Partially fixes #4161.
Also, error reporting on failure was duplicated. save_core() now
always prints an error message (because it knows the paths involved,
so can the most useful message), and the callers don't have to.
Zbigniew Jędrzejewski-Szmek [Tue, 27 Sep 2016 08:52:10 +0000 (10:52 +0200)]
coredumpctl: tighten print_field() code
Propagate errors properly, so that if we hit oom or an error in the
journal, the whole command will fail. This is important when using
the output in scripts.
Support the output of multiple values for the same field with -F.
The journal supports that, and our official commands should too, as
far as it makes sense. -F can be used to print user-defined fields
(e.g. somebody could use a TAG field with multiple occurences), so
we should support that too. That seems better than silently printing
the last value found as was done before.
We would iterate trying to match the same field with all possible
field names. Once we find something, cut the loop short, since we
know that nothing else can match.
Zbigniew Jędrzejewski-Szmek [Mon, 26 Sep 2016 23:41:38 +0000 (01:41 +0200)]
coredumpctl: rework presence reporting
The column for "present" was easy to miss, especially if somebody had no
coredumps present at all, in which case the column of spaces of width one
wasn't visually distinguished from the neighbouring columns. Replace this
with an explicit text, one of: "missing", "journal", "present", "error".
$ coredumpctl
TIME PID UID GID SIG COREFILE EXE
Mon 2016-09-26 22:46:31 CEST 8623 0 0 11 missing /usr/bin/bash
Mon 2016-09-26 22:46:35 CEST 8639 1001 1001 11 missing /usr/bin/bash
Tue 2016-09-27 01:10:46 CEST 16110 1001 1001 11 journal /usr/bin/bash
Tue 2016-09-27 01:13:20 CEST 16290 1001 1001 11 journal /usr/bin/bash
Tue 2016-09-27 01:33:48 CEST 17867 1001 1001 11 present /usr/bin/bash
Tue 2016-09-27 01:37:55 CEST 18549 0 0 11 error /usr/bin/bash
Also, use access(…, R_OK), so that we can report a present but inaccessible
file different than a missing one.
Zbigniew Jędrzejewski-Szmek [Mon, 26 Sep 2016 23:19:01 +0000 (01:19 +0200)]
coredumpctl: report corefile presence properly
In 'list', show present also for coredumps stored in the journal.
In 'status', replace "File" with "Storage" line that is always present.
Possible values:
Storage: none
Storage: journal
Storage: /path/to/file (inacessible)
Storage: /path/to/file
Previously the File field be only present if the file was accessible, so users
had to manually extract the file name precisely in the cases where it was
needed, i.e. when coredumpctl couldn't access the file. It's much more friendly
to always show something. This output is designed for human consumption, so
it's better to be a bit verbose.
The call to sd_j_set_data_threshold is moved, so that status is always printed
with the default of 64k, list uses 4k, and coredump retrieval is done with the
limit unset. This should make checking for the presence of the COREDUMP field
not too costly.
Zbigniew Jędrzejewski-Szmek [Mon, 26 Sep 2016 23:18:48 +0000 (01:18 +0200)]
coredumpctl: report user unit properly
Zbigniew Jędrzejewski-Szmek [Mon, 26 Sep 2016 22:40:55 +0000 (00:40 +0200)]
coredumpctl: fix spurious "more than one entry matches" warning
sd_journal_previous() returns 0 if it didn't do any move, so the
warning was stupidly always printed.
Zbigniew Jędrzejewski-Szmek [Mon, 26 Sep 2016 22:10:04 +0000 (00:10 +0200)]
coredumpctl: fix handling of files written to fd
Added in
9fe13294a9 (by me :[```), and later obfuscated in
d0c8806d4ab, if an
uncompressed external file or an internally stored coredump was supposed to be
written to a file descriptor, nothing would be written.
Zbigniew Jędrzejewski-Szmek [Mon, 26 Sep 2016 21:40:20 +0000 (23:40 +0200)]
coredump: remove Storage=both option
Back when external storage was initially added in
34c10968cb, this mode of
storage was added. This could have made some sense back when XZ compression was
used, and an uncompressed core on disk could be used as short-lived cache file
which does require costly decompression. But now fast LZ4 compression is used
(by default) both internally and externally, so we have duplicated storage,
using the same compression and same default maximum core size in both cases,
but with different expiration lifetimes. Even the uncompressed-external,
compressed-internal mode is not very useful: for small files, decompression
with LZ4 is fast enough not to matter, and for large files, decompression is
still relatively fast, but the disk-usage penalty is very big.
An additional problem with the two modes of storage is that it complicates
the code and makes it much harder to return a useful error message to the user
if we cannot find the core file, since if we cannot find the file we have to
check the internal storage first.
This patch drops "both" storage mode. Effectively this means that if somebody
configured coredump this way, they will get a warning about an unsupported
value for Storage, and the default of "external" will be used.
I'm pretty sure that this mode is very rarely used anyway.
Alfie John [Wed, 28 Sep 2016 09:10:26 +0000 (09:10 +0000)]
man: remove duplicate "the" for systemctl --plain (#4230)
Vito Caputo [Wed, 28 Sep 2016 05:35:48 +0000 (22:35 -0700)]
journal: add stdout_stream_scan() comment (#4102)
When s->length is zero this function doesn't do anything, note that in a
comment.
Evgeny Vereshchagin [Wed, 28 Sep 2016 01:50:30 +0000 (04:50 +0300)]
Merge pull request #4185 from endocode/djalal-sandbox-first-protection-v1
core:sandbox: Add new ProtectKernelTunables=, ProtectControlGroups=, ProtectSystem=strict and fixes
Martin Pitt [Tue, 27 Sep 2016 14:25:27 +0000 (16:25 +0200)]
Merge pull request #4220 from keszybz/show-and-formatting-fixes
Show and formatting fixes
Susant Sahani [Tue, 27 Sep 2016 13:55:13 +0000 (19:25 +0530)]
basic: fix for IPv6 status (#4224)
Even if
```
cat /proc/sys/net/ipv6/conf/all/disable_ipv6
1
```
is disabled
cat /proc/net/sockstat6
```
TCP6: inuse 2
UDP6: inuse 1
UDPLITE6: inuse 0
RAW6: inuse 0
FRAG6: inuse 0 memory 0
```
Looking for /proc/net/if_inet6 is the right choice.
Djalal Harouni [Sun, 25 Sep 2016 17:50:25 +0000 (19:50 +0200)]
test: make sure that {readonly|inaccessible|readwrite}paths disconnect mount propagation
Better safe.
Djalal Harouni [Sun, 25 Sep 2016 17:24:25 +0000 (19:24 +0200)]
test: add tests for simple ReadOnlyPaths= case
Zbigniew Jędrzejewski-Szmek [Mon, 26 Sep 2016 20:22:28 +0000 (22:22 +0200)]
test-bus-creds: are more debugging info
This test sometimes fails in semaphore, but not when run interactively,
so it's hard to debug.
Keith Busch [Mon, 26 Sep 2016 19:01:07 +0000 (13:01 -0600)]
udev/path_id: introduce support for NVMe devices (#4169)
This appends the nvme name and namespace identifier attribute the the
PCI path for by-path links. Symlinks like the following are now present:
lrwxrwxrwx. 1 root root 13 Sep 16 12:12 pci-0000:01:00.0-nvme-1 -> ../../nvme0n1
lrwxrwxrwx. 1 root root 15 Sep 16 12:12 pci-0000:01:00.0-nvme-1-part1 -> ../../nvme0n1p1
Cc: Michal Sekletar <sekletar.m@gmail.com>
Signed-off-by: Keith Busch <keith.busch@intel.com>
Paweł Szewczyk [Mon, 26 Sep 2016 16:45:47 +0000 (18:45 +0200)]
core: Fix USB functionfs activation and clarify its documentation (#4188)
There was no certainty about how the path in service file should look
like for usb functionfs activation. Because of this it was treated
differently in different places, which made this feature unusable.
This patch fixes the path to be the *mount directory* of functionfs, not
ep0 file path and clarifies in the documentation that ListenUSBFunction should be
the location of functionfs mount point, not ep0 file itself.
Zbigniew Jędrzejewski-Szmek [Mon, 26 Sep 2016 15:45:31 +0000 (11:45 -0400)]
machinectl: prefer user@ to --uid=user for shell (#4006)
It seems to me that the explicit positional argument should have higher
priority than "an option".
HATAYAMA Daisuke [Mon, 26 Sep 2016 15:36:20 +0000 (00:36 +0900)]
journald,ratelimit: fix wrong calculation of burst_modulate() (#4218)
This patch fixes wrong calculation of burst_modulate(), which now calculates
the values smaller than really expected ones if available disk space is
strictly more than 1MB.
In particular, if available disk space is strictly more than 1MB and strictly
less than 16MB, the resulted value becomes smaller than its original one.
>>> (math.log2(1*1024**2)-16) / 4
1.0
>>> (math.log2(16*1024**2)-16) / 4
2.0
>>> (math.log2(256*1024**2)-16) / 4
3.0
→ This matches the comment in the function.
Matej Habrnal [Mon, 26 Sep 2016 15:28:58 +0000 (17:28 +0200)]
coredump: initialize coredump_size in submit_coredump() (#4219)
If ulimit is smaller than page_size(), function save_external_coredump()
returns -EBADSLT and this causes skipping whole core dumping part in
submit_coredump(). Initializing coredump_size to UINT64_MAX prevents
evaluating a condition with uninitialized varialbe which leads to
calling allocate_journal_field() with coredump_fd = -1 which causes
aborting.
Signed-off-by: Matej Habrnal <mhabrnal@redhat.com>
Torstein Husebø [Mon, 26 Sep 2016 09:32:47 +0000 (11:32 +0200)]
treewide: fix typos (#4217)
Djalal Harouni [Sun, 25 Sep 2016 11:04:30 +0000 (13:04 +0200)]
test: add CAP_MKNOD tests for PrivateDevices=
Djalal Harouni [Sun, 25 Sep 2016 10:52:27 +0000 (12:52 +0200)]
core: Use @raw-io syscall group to filter I/O syscalls when PrivateDevices= is set
Instead of having a local syscall list, use the @raw-io group which
contains the same set of syscalls to filter.
Djalal Harouni [Sun, 25 Sep 2016 10:41:16 +0000 (12:41 +0200)]
core:namespace: simplify ProtectHome= implementation
As with previous patch simplify ProtectHome and don't care about
duplicates, they will be sorted by most restrictive mode and cleaned.
Djalal Harouni [Sun, 25 Sep 2016 10:21:25 +0000 (12:21 +0200)]
core: simplify ProtectSystem= implementation
ProtectSystem= with all its different modes and other options like
PrivateDevices= + ProtectKernelTunables= + ProtectHome= are orthogonal,
however currently it's a bit hard to parse that from the implementation
view. Simplify it by giving each mode its own table with all paths and
references to other Protect options.
With this change some entries are duplicated, but we do not care since
duplicate mounts are first sorted by the most restrictive mode then
cleaned.
Djalal Harouni [Sun, 25 Sep 2016 09:30:11 +0000 (11:30 +0200)]
core:sandbox: add more /proc/* entries to ProtectKernelTunables=
Make ALSA entries, latency interface, mtrr, apm/acpi, suspend interface,
filesystems configuration and IRQ tuning readonly.
Most of these interfaces now days should be in /sys but they are still
available through /proc, so just protect them. This patch does not touch
/proc/net/...
Djalal Harouni [Mon, 19 Sep 2016 19:46:17 +0000 (21:46 +0200)]
doc: explicitly document that /dev/mem and /dev/port are blocked by PrivateDevices=true
Djalal Harouni [Mon, 19 Sep 2016 19:46:17 +0000 (21:46 +0200)]
doc: documentation fixes for ReadWritePaths= and ProtectKernelTunables=
Documentation fixes for ReadWritePaths= and ProtectKernelTunables=
as reported by Evgeny Vereshchagin.
Djalal Harouni [Sun, 25 Sep 2016 09:25:00 +0000 (11:25 +0200)]
core:namespace: simplify mount calculation
Move out mount calculation on its own function. Actually the logic is
smart enough to later drop nop and duplicates mounts, this change
improves code readability.
---
src/core/namespace.c | 47 ++++++++++++++++++++++++++++++++++++-----------
1 file changed, 36 insertions(+), 11 deletions(-)
Djalal Harouni [Sun, 25 Sep 2016 09:16:44 +0000 (11:16 +0200)]
core:namespace: put paths protected by ProtectKernelTunables= in
Instead of having all these paths everywhere, put the ones that are
protected by ProtectKernelTunables= into their own table. This way it
is easy to add paths and track which ones are protected.
Djalal Harouni [Sun, 25 Sep 2016 09:03:21 +0000 (11:03 +0200)]
core:namespace: minor improvements to append_mounts()
Lennart Poettering [Fri, 26 Aug 2016 15:40:42 +0000 (17:40 +0200)]
execute: move SMACK setup code into its own function
While we are at it, move PAM code #ifdeffery into setup_pam() to simplify the
main execution logic a bit.
Lennart Poettering [Fri, 26 Aug 2016 15:25:40 +0000 (17:25 +0200)]
namespace: drop all mounts outside of the new root directory
There's no point in mounting these, if they are outside of the root directory
we'll move to.
Lennart Poettering [Fri, 26 Aug 2016 15:25:08 +0000 (17:25 +0200)]
main: minor simplification
Lennart Poettering [Wed, 24 Aug 2016 18:53:56 +0000 (20:53 +0200)]
Update TODO
Lennart Poettering [Fri, 26 Aug 2016 14:39:04 +0000 (16:39 +0200)]
execute: filter low-level I/O syscalls if PrivateDevices= is set
If device access is restricted via PrivateDevices=, let's also block the
various low-level I/O syscalls at the same time, so that we know that the
minimal set of devices in our virtualized /dev are really everything the unit
can access.
Lennart Poettering [Mon, 19 Sep 2016 19:29:06 +0000 (21:29 +0200)]
NEWS: update news about systemd-udevd.service
Lennart Poettering [Fri, 26 Aug 2016 11:23:27 +0000 (13:23 +0200)]
units: further lock down our long-running services
Let's make this an excercise in dogfooding: let's turn on more security
features for all our long-running services.
Specifically:
- Turn on RestrictRealtime=yes for all of them
- Turn on ProtectKernelTunables=yes and ProtectControlGroups=yes for most of
them
- Turn on RestrictAddressFamilies= for all of them, but different sets of
address families for each
Also, always order settings in the unit files, that the various sandboxing
features are close together.
Add a couple of missing, older settings for a numbre of unit files.
Note that this change turns off AF_INET/AF_INET6 from udevd, thus effectively
turning of networking from udev rule commands. Since this might break stuff
(that is already broken I'd argue) this is documented in NEWS.
Lennart Poettering [Fri, 26 Aug 2016 10:45:10 +0000 (12:45 +0200)]
units: permit importd to mount stuff
Fixes #3996
Lennart Poettering [Fri, 26 Aug 2016 10:29:52 +0000 (12:29 +0200)]
man: shorten the exit status table a bit
Let's merge a couple of columns, to make the table a bit shorter. This
effectively just drops whitespace, not contents, but makes the currently
humungous table much much more compact.
Lennart Poettering [Fri, 26 Aug 2016 10:29:28 +0000 (12:29 +0200)]
man: the exit code/signal is stored in $EXIT_CODE, not $EXIT_STATUS
Lennart Poettering [Fri, 26 Aug 2016 10:24:37 +0000 (12:24 +0200)]
man: rework documentation for ReadOnlyPaths= and related settings
This reworks the documentation for ReadOnlyPaths=, ReadWritePaths=,
InaccessiblePaths=. It no longer claims that we'd follow symlinks relative to
the host file system. (Which wasn't true actually, as we didn't follow symlinks
at all in the most recent releases, and we know do follow them, but relative to
RootDirectory=).
This also replaces all references to the fact that all fs namespacing options
can be undone with enough privileges and disable propagation by a single one in
the documentation of ReadOnlyPaths= and friends, and then directs the read to
this in all other places.
Moreover a hint is added to the documentation of SystemCallFilter=, suggesting
usage of ~@mount in case any of the fs namespacing related options are used.
Lennart Poettering [Fri, 26 Aug 2016 10:22:23 +0000 (12:22 +0200)]
man: in user-facing documentaiton don't reference C function names
Let's drop the reference to the cap_from_name() function in the documentation
for the capabilities setting, as it is hardly helpful. Our readers are not
necessarily C hackers knowing the semantics of cap_from_name(). Moreover, the
strings we accept are just the plain capability names as listed in
capabilities(7) hence there's really no point in confusing the user with
anything else.
Lennart Poettering [Fri, 26 Aug 2016 09:27:38 +0000 (11:27 +0200)]
namespace: don't make the root directory of a namespace a mount if it already is one
Let's not stack mounts needlessly.
Lennart Poettering [Sat, 24 Sep 2016 10:41:30 +0000 (12:41 +0200)]
namespace: chase symlinks for mounts to set up in userspace
This adds logic to chase symlinks for all mount points that shall be created in
a namespace environment in userspace, instead of leaving this to the kernel.
This has the advantage that we can correctly handle absolute symlinks that
shall be taken relative to a specific root directory. Moreover, we can properly
handle mounts created on symlinked files or directories as we can merge their
mounts as necessary.
(This also drops the "done" flag in the namespace logic, which was never
actually working, but was supposed to permit a partial rollback of the
namespace logic, which however is only mildly useful as it wasn't clear in
which case it would or would not be able to roll back.)
Fixes: #3867
Lennart Poettering [Thu, 25 Aug 2016 15:30:47 +0000 (17:30 +0200)]
namespace: invoke unshare() only after checking all parameters
Let's create the new namespace only after we validated and processed all
parameters, right before we start with actually mounting things.
This way, the window where we can roll back is larger (not that it matters
IRL...)
Lennart Poettering [Thu, 25 Aug 2016 15:29:12 +0000 (17:29 +0200)]
execute: drop group priviliges only after setting up namespace
If PrivateDevices=yes is set, the namespace code creates device nodes in /dev
that should be owned by the host's root, hence let's make sure we set up the
namespace before dropping group privileges.
Lennart Poettering [Thu, 25 Aug 2016 14:25:49 +0000 (16:25 +0200)]
nspawn: let's mount /proc/sysrq-trigger read-only by default
LXC does this, and we should probably too. Better safe than sorry.
Lennart Poettering [Thu, 25 Aug 2016 14:12:46 +0000 (16:12 +0200)]
core: imply ProtectHome=read-only and ProtectSystem=strict if DynamicUser=1
Let's make sure that services that use DynamicUser=1 cannot leave files in the
file system should the system accidentally have a world-writable directory
somewhere.
This effectively ensures that directories need to be whitelisted rather than
blacklisted for access when DynamicUser=1 is set.
Lennart Poettering [Thu, 25 Aug 2016 13:57:21 +0000 (15:57 +0200)]
core: introduce ProtectSystem=strict
Let's tighten our sandbox a bit more: with this change ProtectSystem= gains a
new setting "strict". If set, the entire directory tree of the system is
mounted read-only, but the API file systems /proc, /dev, /sys are excluded
(they may be managed with PrivateDevices= and ProtectKernelTunables=). Also,
/home and /root are excluded as those are left for ProtectHome= to manage.
In this mode, all "real" file systems (i.e. non-API file systems) are mounted
read-only, and specific directories may only be excluded via
ReadWriteDirectories=, thus implementing an effective whitelist instead of
blacklist of writable directories.
While we are at, also add /efi to the list of paths always affected by
ProtectSystem=. This is a follow-up for
b52a109ad38cd37b660ccd5394ff5c171a5e5355 which added /efi as alternative for
/boot. Our namespacing logic should respect that too.
Lennart Poettering [Thu, 25 Aug 2016 13:51:37 +0000 (15:51 +0200)]
namespace: add some debug logging when enforcing InaccessiblePaths=
Lennart Poettering [Sun, 25 Sep 2016 08:40:51 +0000 (10:40 +0200)]
namespace: rework how ReadWritePaths= is applied
Previously, if ReadWritePaths= was nested inside a ReadOnlyPaths=
specification, then we'd first recursively apply the ReadOnlyPaths= paths, and
make everything below read-only, only in order to then flip the read-only bit
again for the subdirs listed in ReadWritePaths= below it.
This is not only ugly (as for the dirs in question we first turn on the RO bit,
only to turn it off again immediately after), but also problematic in
containers, where a container manager might have marked a set of dirs read-only
and this code will undo this is ReadWritePaths= is set for any.
With this patch behaviour in this regard is altered: ReadOnlyPaths= will not be
applied to the children listed in ReadWritePaths= in the first place, so that
we do not need to turn off the RO bit for those after all.
This means that ReadWritePaths=/ReadOnlyPaths= may only be used to turn on the
RO bit, but never to turn it off again. Or to say this differently: if some
dirs are marked read-only via some external tool, then ReadWritePaths= will not
undo it.
This is not only the safer option, but also more in-line with what the man page
currently claims:
"Entries (files or directories) listed in ReadWritePaths= are
accessible from within the namespace with the same access rights as
from outside."
To implement this change bind_remount_recursive() gained a new "blacklist"
string list parameter, which when passed may contain subdirs that shall be
excluded from the read-only mounting.
A number of functions are updated to add more debug logging to make this more
digestable.
Lennart Poettering [Thu, 25 Aug 2016 09:29:32 +0000 (11:29 +0200)]
namespace: when enforcing fs namespace restrictions suppress redundant mounts
If /foo is marked to be read-only, and /foo/bar too, then the latter may be
suppressed as it has no effect.
Lennart Poettering [Thu, 25 Aug 2016 08:44:09 +0000 (10:44 +0200)]
namespace: simplify mount_path_compare() a bit
Lennart Poettering [Thu, 25 Aug 2016 08:42:38 +0000 (10:42 +0200)]
execute: if RuntimeDirectory= is set, it should be writable
Implicitly make all dirs set with RuntimeDirectory= writable, as the concept
otherwise makes no sense.
Lennart Poettering [Thu, 25 Aug 2016 08:24:10 +0000 (10:24 +0200)]
execute: move suppression of HOME=/ and SHELL=/bin/nologin into user-util.c
This adds a new call get_user_creds_clean(), which is just like
get_user_creds() but returns NULL in the home/shell parameters if they contain
no useful information. This code previously lived in execute.c, but by
generalizing this we can reuse it in run.c.
Lennart Poettering [Thu, 25 Aug 2016 08:12:57 +0000 (10:12 +0200)]
execute: split out creation of runtime dirs into its own functions