I kept the _SYSTEMD_UNIT= example because it is easy to understand and
not very verbose. _SYSTEMD_CGROUP has much longer entries which do not
fit well in the narrow man page. Instead, I added an explanation of what
-u is translated into.
man: add a note about "archived" journal files and when files can be copied
Issue #6673 requests advice on backup strategy. But the right backup strategy
depends on many factors, too many to describe in a man page. So let's just
provide some general information which files are mutable and that it is always
safe to use/copy files.
man: add a note about $XDG_SEAT and $XDG_VTNR to pam_systemd(8)
Issue #6499 requests that a mention that those varibles can be set in the
environment is added. But the man page already says that. There isn't much
detail, but a man page does not need to and in this case should not include
all the details. Instead a note is added that those vars can be derived from
$DISPLAY.
We're moving towards just SPDX license identifiers, and the boilerplate
is especially annoying in a man page. Also adjust to the smaller indentation
to make the code fit better on a page.
man: move examples out of sd_journal_get_fd into separate files
man/.dir-locals is to keep indentation under control.
This makes it much easier to compile and run those examples, c.f. #7578.
v2:
- copy more of .dir-locals.el from the root to man/.dir-locals.el
(I though emacs would inherit from the one in the parent dir, but
it seems it just uses its own broken defaults, including
indent-tabs-mode by default.)
move MANAGER_IS_RELOADING() check into manager_recheck_{dbus|journal}() (#8510)
Let's better check this inside of the call than before it, so that we
never issue this while reloading, even should these calls be called due
to other reasons than just the unit notify.
This makes sure the reload state is unset a bit earlier in
manager_reload() so that we can safely call this function from there and
they do the right thing.
Long Li [Wed, 21 Mar 2018 10:51:28 +0000 (03:51 -0700)]
v3: Properly parsing SCSI Hyperv devices (#8509)
Since 2016, Hyperv devices moved to using standard way to expose UUID to sysfs. Fix the parsing function to work with the newer format.
Change log:
v2: changed code to work with both old and new path format
v3: changed guid_str_len type to size_t, fixed length in char guid[] in handle_scsi_hyperv()
Yu Watanabe [Wed, 21 Mar 2018 04:39:03 +0000 (13:39 +0900)]
nss-systemd: make dynamic users enumerable by `getent`
This adds `setpwent()`, `getpwent_r()`, `endpwent()`, `setgrent()`,
`getgrent_r()`, and `endgrent()` interfaces to nss-systemd library.
Thus, dynamic users can be enumerated by e.g. `getent passwd` command.
core/load-fragment: reject overly long paths early
No need to go through the specifier_printf() if the path is already too long in
the unexpanded form (since specifiers increase the length of the string in all
practical cases).
In the oss-fuzz test case, valgrind reports:
total heap usage: 179,044 allocs, 179,044 frees, 72,687,755,703 bytes allocated
and the original config file is ~500kb. This isn't really a security issue,
since the config file has to be trusted any way, but just a matter of
preventing accidental resource exhaustion.
journal: don't insist that the journal file header's boot ID matches the last entry
We update the boot ID whenever the file is opened for writing (i.e. set
to ONLINE stat), even if we never write a single entry to it. Hence,
don't insist that the last entry's boot ID matches the file header.
Alex Gartrell [Tue, 27 Feb 2018 05:56:35 +0000 (21:56 -0800)]
journal: provide compress_threshold_bytes parameter
Previously the compression threshold was hardcoded to 512, which meant that
smaller values wouldn't be compressed. This left some storage savings on the
table, so instead, we make that number tunable.
basic/fs-util: skip fsync_directory_of_file() if /proc/self/fd/ is not available (#8386)
When systemd is running under lorax (in Fedora compose process), it'd think that
it failed to write /etc/machine-id, even though the write succeeded, because
fsync_directory_of_file() would fail, because /proc/self/fd/ is not available.
fsync_directory_of_file() is mostly an additional safety net, so I think it's best
to just silently ignore the error.
Strace of pid1:
35791 stat("/etc", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
35791 openat(AT_FDCWD, "/etc/machine-id", O_RDWR|O_CREAT|O_NOCTTY|O_CLOEXEC, 0444) = 3
35791 umask(022) = 000
35791 read(3, "", 38) = 0
35791 openat(AT_FDCWD, "/var/lib/dbus/machine-id", O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC) = -1 ENOENT (No such file o
r directory)
35791 openat(AT_FDCWD, "/sys/class/dmi/id/product_name", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
35791 openat(AT_FDCWD, "/sys/class/dmi/id/sys_vendor", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
35791 openat(AT_FDCWD, "/sys/class/dmi/id/board_vendor", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
35791 openat(AT_FDCWD, "/sys/class/dmi/id/bios_vendor", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
35791 access("/proc/xen", F_OK) = -1 ENOENT (No such file or directory)
35791 openat(AT_FDCWD, "/sys/hypervisor/type", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
35791 openat(AT_FDCWD, "/proc/cpuinfo", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
35791 getrandom("\xb8\x82\xed\xd4\x35\x11\xd0\xeb\xa6\x79\xd7\x31\x6e\x7b\x99\xce", 16, GRND_NONBLOCK) = 16
35791 writev(2, [{iov_base="Initializing machine ID from random generator.", iov_len=46}, {iov_base="\n", iov_len=1}],
2) = 47
35791 lseek(3, 0, SEEK_SET) = 0
35791 ftruncate(3, 0) = 0
35791 write(3, "b882edd4351140eba679d7316e7b99ce\n", 33) = 33
35791 fsync(3) = 0
35791 fstat(3, {st_mode=S_IFREG|0444, st_size=33, ...}) = 0
35791 readlinkat(AT_FDCWD, "/proc/self/fd/3", 0x564df8c694c0, 99) = -1 ENOENT (No such file or directory)
35791 close(3) = 0
35791 umask(022) = 022
35791 openat(AT_FDCWD, "/run/machine-id", O_WRONLY|O_CREAT|O_NOCTTY|O_TRUNC|O_CLOEXEC, 0444) = 3
35791 write(3, "b882edd4351140eba679d7316e7b99ce\n", 33) = 33
35791 close(3) = 0
35791 umask(022) = 022
35791 mount("/run/machine-id", "/etc/machine-id", NULL, MS_BIND, NULL) = 0
35791 writev(2, [{iov_base="Installed transient /etc/machine-id file.", iov_len=41}, {iov_base="\n", iov_len=1}], 2) = 42
35791 mount(NULL, "/etc/machine-id", NULL, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = 0
nspawn: move network namespace creation to a separate step (#8430)
Fixes #8427.
Unsharing the namespace in a separate step changes the ownership of
/proc/net/ip_tables_names (and related files) from nobody:nobody to
root:root. See [1] and [2] for all the details.
mkosi: set file permissions in copy of source tree (#8370)
Meson keeps permissions around during the build, so details of how umask
was set when cloning the original git tree will leak all the way to the
installed files in the mkosi image.
So reset the permissions of the files in the copy of the tree before
starting the build.
Also set the umask explicitly.
Tested by creating a mkosi image and booting it on a tree that was
cloned with a umask of 027, confirmed that the *.target files were not
created as world-unreadable anymore.
seccomp: enable RestrictAddressFamilies on ppc (#8505)
In commit da1921a5c3 ppc64/ppc64el were added as supported architectures for
socketcall() for the POWER family. Extend the support for the 32bits
architectures.
Franck Bui [Tue, 20 Mar 2018 08:32:05 +0000 (09:32 +0100)]
sysusers: also add support for NIS entries in /etc/shadow
Commit 563dc6f8e2cda4114dd20f32655890ed378c3740 added support for
/etc/{passwd,group} only but since nsswitch.conf(5) appears to document the NIS
entries also for shadow, let's support this case too.
hwdb: ThinkPad T560 doesn't have a caps lock led (#8490)
Similar to 16bed3afa1b916ace5e927392a1baab9dd9ff963, this model also doesn't have the
LED.
```
cat /sys/class/dmi/id/modalias
dmi:bvnLENOVO:bvrN1KET16W(1.03):bd01/20/2016:svnLENOVO:pn20FH001AMX:pvrThinkPadT560:rvnLENOVO:rn20FH001AMX:rvrSDK0J40705WIN:cvnLENOVO:ct10:cvrNone:
```
Yu Watanabe [Wed, 14 Mar 2018 08:48:29 +0000 (17:48 +0900)]
tree-wide: voidify pager_open()
Even if pager_open() fails, in general, we should continue the operations.
All erroneous cases in pager_open() show log message in the function.
So, it is not necessary to check the returned value.
Once upon a time shutdown.c didn't have the logic to check whether any
unmount attempts succeeded or not. So instead it kept looping for
a fixed amount and hoped all was right. Nowadays, we do know if we
changed anything during a iteration and also stop looping then, but
we still limit ourselves to FINALIZE_ATTEMPTS.
But, theoretically, we could have such a complicated and nested
setup that would survive that limit, leaving stuff around we
might actually be able to unmount. And we could also end up in a
situation where the extra loop with raised unmount error level could
be skipped too.
So let's just drop the retries logic and rely fully on the changed
flag.
It's common for sysusers files to contain quotes (in particular around the
comment/GECOS field), and using echo "..." is very likely to not work properly
in that case. Let's use <<EOF redirection. It's not bulletproof, but should
work in general.
core/unit: delay creating a stack variable until after length has been checked
path_is_normalized() will reject paths longer than 4095 bytes, so it's better
to not create a stack variable of unbounded size, but instead do the check first
and only then do that allocation.
fuzz-unit-file: simply do not test ListenNetlink= at all
msan doesn't understand sscanf with %ms, so it falsely reports unitialized
memory. Using sscanf with %ms is quite convenient in
socket_address_parse_netlink(), so let's just not run the fuzzer for
ListenNetlink= at all for now. If msan is fixed, we can remove this.
fuzz: add test case for oss-fuzz #6897 and a work-around
The orignal reproducer from oss-fuzz depends on the hostname (via %H and %c).
The hostname needs a dash for msan to report this, so a simpler case from
@evverx with the dash hardcoded is also added.
The issue is a false positive from msan, which does not instruct stpncpy
(https://github.com/google/sanitizers/issues/926). Let's add a work-around
until this is fixed.
unit-file: do not allow bogus IOSchedulingClass values
We have only three bits of space, i.e. 8 possible classes. Immediately reject
anything outside of that range. Add the fuzzer test case and an additional
unit test.
basic/calendarspec: set a limit on length of calendarspec component chains
We probably should allow very deep calls of our recursive functions. Let's add
a limit to avoid resource exhaustion. 240 is 10 per hour (if somebody is using
this for time based triggers...), so it should be more than enough for most use
cases, and is conveniently below the 250 stack limit in msan.