The function previously drops multiple except for the last parents
which matches the specified subsystem.
But the commit d340bdd1bd435e9f5524f4246feaf38511b2ff45 drops all
parents.
E.g. input is pci-pci-pci-usb-usb-usb, then
Before d340bdd: pci-pci-pci-usb
After d340bdd: pci-pci-pci
Apparently the previous limit set on the max number of inodes for /dev was too
small as a system with 4096 LUNs attached can consume up to 95k inodes for
symlinks:
Hence this patch bumps the limit from 64k to 128k although the new limit is
still pretty arbitrary (that said, not sure if it really makes sense to put
such absolute limit number).
In 9cf75222f20 the conf.get() statements for `bpf-framework` and
`valgrind` were dropped, which causes the respective features to always
show as disabled (since they don't follow the "standard" naming scheme
with HAVE_/ENABLE_ prefixes).
lgtm: detect uninitialized variables using the __cleanup__ attribute
This is a slightly modified version of the original
`cpp/uninitialized-local` CodeQL query which focuses only on variables
using the cleanup macros. Since this has proven to cause issues in the
past, let's panic on every uninitialized variable using any of the
cleanup macros (as long as they're written using the __cleanup__
attribute).
Some test results from a test I used when writing the query:
int main(void) {
__attribute__((__cleanup__(foo))) char *a;
char *b;
_cleanup_foo_ char *c;
char **d;
_cleanup_free_ char *e;
int r;
r = fun(&e);
if (r < 0)
return 1;
puts(a);
puts(b);
puts(c);
puts(*d);
puts(e);
return 0;
}
```
```
+| test.c:23:14:23:14 | e | The variable $@ may not be initialized here, but has a cleanup handler. | test.c:20:26:20:26 | e | e |
+| test.c:27:10:27:10 | a | The variable $@ may not be initialized here, but has a cleanup handler. | test.c:16:45:16:45 | a | a |
+| test.c:29:10:29:10 | c | The variable $@ may not be initialized here, but has a cleanup handler. | test.c:18:25:18:25 | c | c |
```
meson: disallow the combination of cryptolib=openssl and dns-over-tls=gnutls
It could work, but it doesn't make much sense. If we already have openssl as
the cryptolib that provides the necessary support, let's not bring in another
library. Disallowing this simplifies things and reduces our support matrix.
Yu Watanabe [Mon, 29 Nov 2021 12:21:21 +0000 (21:21 +0900)]
network/wireguard: cleanups for resolving endpoints
This makes
- drop peers_with_unresolved_endpoint and peers_with_failed_endpoint,
- drop destroy handler for sd_resolve_query, and manage each query by peer,
- add random fluctuation to the timeout for retry handler,
- retry timer event source is now managed by peer,
- use sd_event_source_disable_unref().
Luca Boccassi [Tue, 30 Nov 2021 23:49:33 +0000 (23:49 +0000)]
cgroup: don't emit BPF firewall warning when manager is in test mode
Support for BPF might not have been checked, since it's not necessary
in test mode (eg: running offline analysis of units). This causes an
assert:
Assertion '(_error) != 0' failed at src/core/bpf-firewall.c:914, function emit_bpf_firewall_warning(). Aborting.
Export SYSTEMD_LOG_LEVEl=debug in TEST-65-ANALYZE is enough to trigger
this assert while doing an offline analysis of a unit that has some
firewall/network restrictions set.
ci: temporarily set -Wno-deprecated-declarations in Packit
to suppress OpenSSL 3.0 deprecation warnings (until a proper solution is
deployed): RSA_free, EC_KEY_free, RSA_set0_key, RSA_size, EVP_PKEY_assign,
EC_KEY_set_group, and others are deprecated.
Yu Watanabe [Wed, 1 Dec 2021 10:43:40 +0000 (19:43 +0900)]
network: dhcp6-pd: exclude all explicitly specified subnet IDs when searching free IDs
When the upstream link gained a lease, then several downstream links may
not appear yet. Previously, the explicitly specified subnet ID for a
downstream link which appears later may be already assigned to an
interface which does not request specific subnet ID.
To avoid such situation, this makes all specified IDs are excluded when
searching free IDs.
As a side effect, we can avoid the second call of
dhcp6_pd_distribute_prefix().
Luca Boccassi [Wed, 17 Nov 2021 10:00:12 +0000 (10:00 +0000)]
core: add Condition[Memory/CPU/IO]Pressure
By default checks PSI on /proc/pressure, and causes a unit to be skipped
if the threshold is above the given configuration for the avg300
measurement.
Also allow to pass a custom timespan, and a particular slice unit to
check under.
import: port importd from libgcrypt to openssl^gcrypt
This is heavily based on Kevin Kuehler's work, but the logic is also
significantly changed: instead of a straighforward port to openssl, both
versions of the code are kept, and at compile time we pick one or the other.
The code is purposefully kept "dumb" — the idea is that the libgcrypt codepaths
are only temporary and will be removed after everybody upgrades to openssl 3.
Thus, a separate abstraction layer is not introduced. Instead, very simple
ifdefs are used to select one or the other. If we added an abstraction layer,
we'd have to remove it again afterwards, and it don't think it makes sense to
do that for a temporary solution.
Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
# Conflicts:
# meson.build
Kevin Kuehler [Wed, 20 Oct 2021 10:21:18 +0000 (12:21 +0200)]
repart: port to our home-grown hmac_sha256
This reduces dependencies. The speed of the code here is uimportant, because we
hash only a tiny amount of input data.
Debian and Ubuntu currently build without repart, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976959
> repart requires openssl and so far I tried to avoid linking against
> both gnutls and openssl.
Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Yu Watanabe [Mon, 29 Nov 2021 10:38:24 +0000 (19:38 +0900)]
network: route: read RTA_TABLE attribute to get route table
If the table of a route is larger than 255, then the value is stored in
RTA_TABLE attribute. But the attribute is not supported by old kernels.
So, first try to read the value from RTA_TABLE attribute, then fallback
to the value in the message header.
Luca Boccassi [Mon, 22 Nov 2021 11:11:21 +0000 (11:11 +0000)]
elf-util: switch libelf/libdw to dlopen()
In order to avoid inflating the dependency list for the core
library, use dlopen when inspecting elfs, since it's only
used in two non-core executables.
Luca Boccassi [Sun, 21 Nov 2021 17:05:28 +0000 (17:05 +0000)]
coredump: analyze object with libdwelf in forked process
Parsing objects is risky as data could be malformed or malicious,
so avoid doing that from the main systemd-coredump process and
instead fork another process, and set it to avoid generating
core files itself.