stub: override StubInfo EFI variable unconditionally, since *we* own it
The other variables are owned by the boot menu (i.e. sd-boot), we only
fill those in if it didn't do so for us (to support cases where our stub
kernel is directly invoked by UEFI). But StubInfo is genuinely about the
stub, hence let's simplify things and unconditionally set it from the
stub.
boot: introduce common shortcut exit path in pack_cpio()
THis will be useful in a later commit, when we add more stuff to the
common exit path. But even without that, it's a nice simplification,
removing redundant lines.
journal: Move more pattern matching logic into pcre2-util
To avoid having "#if HAVE_PCRE2" all throughout the code, let's
confine the pcre2 header specific stuff to pcre2-util.c. Instead of
exposing all the individual symbols from pcre2, let's only expose
three high level functions that do all we need:
- pcre2_pattern_compile(): Compile the regex
- pcre2_pattern_matches(): Check if the compiled regex matches a message
- pcre2_pattern_free(): Free the compiled regex
We expose the compiled pcre2 pattern (which is of type pcre2_code *) as
a void pointer to avoid having to include pcre2.h in all code where we
work with compiled pcre2 patterns. For readability, we typedef void
to pcre2_pattern and use that as the type specifier for compiled pcre2
patterns.
systemctl: fix type used for array sizes to size_t
We always should use size_t for sizes of arrays (and any size of memory,
in fact), unless there's a strong reason to use something else. Hence,
let's fix these cases where we sloppily used "unsigned" or "int"
instead.
No change in behaviour, this is just to make things less surprising for
the random reader.
sysctl: add --strict option to fail if sysctl does not exists
systemd-sysctl currently fails silently under any of these conditions:
- Missing permission to write a sysctl.
- Invalid sysctl (path doesn't exists).
- Ignore failure flag ('-' in front of the sysctl name).
Because of this behaviour, configuration issues can go unnoticed as
there is no way to detect those unless going through the logs.
--strict option forces systemd-sysctl to fail if a sysctl is invalid or
if permission are insufficient. Errors on sysctl marked as "ignore
failure" will still be ignored.
And this makes the new merged function `sd_nfnl_nft_message_new_setelems()`
not open container, as containers should be opened and closed in the
same function in general. Otherwise, it is hard to understand which
level we are in the nested attribute tree.
Yu Watanabe [Tue, 14 Jun 2022 13:22:54 +0000 (22:22 +0900)]
sd-netlink: several cleanups for netfilter
- rename family -> nfproto, and other arguments,
- check specified nfproto,
- change type of several function arguments that specify data length,
- add several assertions,
- drop unnecessary headers.
udev: reload rules and builtins only when mtime of a config changed
This makes udevd reload rules only when the timestamp is updated,
even on SIGHUP or `udevadm control --reload`.
So, we can call `udevadm control --reload` without huge performance
penalty when no rules, .link files, and so on are changed.
network: do not silently stop to process configuration on activation failure
Previously, if activation failed, link did not enter the failed state,
but still Link.activated flag not set. Hence, nothing processed even if
the interface is manually brought up later.
For the system manager, /run/systemd/private is publicly accessible, because
/run/systemd is 0755, and /run/systemd/private is 0777. For the user manager,
/run/user/<uid> is 0700, and /run/user/<uid>/systemd/private is 0777. This
does not directly cause any security issue because we check the sender in
bus_check_peercred (ucred.uid != 0 && ucred.uid != geteuid()).
But it makes sense to limit access to the socket to avoid wasting time in PID1.
Somebody could send messages there that'd we'd reject anyway. It also makes
things more explicit.
libblkid gained new tags - FSSIZE, FSLASTBLOCK and FSBLOCKSIZE.
These tags are filesystem related properties probed from superblock.
All of them are enabled by BLKID_SUBLKS_FSINFO flag.
Set the flag to allow these tags to be cached in udev db.
Kai Lueke [Fri, 22 Jul 2022 12:57:55 +0000 (14:57 +0200)]
man: Use correct target type for sysupdate entry
While Type=file works because it seems to be the default, the line gets
ignored as printed on the stderr output.
Use the correct value "regular-file" for the target type.
Kai Lueke [Fri, 22 Jul 2022 13:09:21 +0000 (15:09 +0200)]
man: Document mask workaround for sysext images
A read-only /usr may ship a sysext image by default and the user wants
to opt out. Currently it's not clear how to do this.
Document that a /dev/null symlink in /etc/extensions/ works to "mask" a
sysext image in a folder with lower precedence.
Kai Lueke [Fri, 22 Jul 2022 13:03:12 +0000 (15:03 +0200)]
man: Do not recommend to overlay files with sysext even if possible
While overlaying files with a sysext can be useful, it may lead to
unexpected problems depending on when a process got started and which
version of the file it gets.
Call out that overlaying files is possible but don't recommend to make
use of it.
Let's re-introduce the option in the correct way, as some servers seem
to return borked message when the solicit message contain the rapid
commit option.
test-network: do not stop/restart udevd and related socket units
That's not necessary. Moreover, if the socket units are stopped in
`setUpModule()`, then there exists a short timespan that we cannot call
`udevadm control`, as the control socket may not be opened yet.
If we run whole tests, then the first test is
NetworkctlTests.test_altname, and it calls `udevadm control` in `setUp()`.
Hence, the test may fail.