Daniel Mack [Tue, 19 Aug 2014 20:08:54 +0000 (22:08 +0200)]
memfd: skip utf-8 escaping if we use a name that was passed in
If a name was passed in as function argument, trust it, and don't do utf-8
encoding for them. Callers are obliged to check the names themselves, and
escape them in case they use anything they got from the outside world.
socket: suffix newly added TCP sockopt time properties with "Sec"
This is what we have done so far for all other time values, and hence we
should do this here. This indicates the default unit of time values
specified here, if they don't contain a unit.
Daniel Mack [Tue, 19 Aug 2014 19:09:16 +0000 (21:09 +0200)]
memfd: reduce name escaping logic to utf-8 checks
As memfds are now created by proper kernel API, and not by our functions, we
can't rely on names being escaped/unescaped according to our current logic.
Thus, the only safe way is to remove the escaping and when reading names,
just escape names that are not properly encoded in UTF-8.
Also, remove assert(name) lines from the memfd creation functions, as we
explictly allow name to be NULL.
Michal Sekletar [Thu, 24 Jul 2014 08:40:28 +0000 (10:40 +0200)]
socket: introduce SELinuxLabelViaNet option
This makes possible to spawn service instances triggered by socket with
MLS/MCS SELinux labels which are created based on information provided by
connected peer.
Implementation of label_get_child_label derived from xinetd.
Tom Gundersen [Tue, 19 Aug 2014 15:51:50 +0000 (17:51 +0200)]
networkd: netdev - add missing callback when adding stacked devices
As the comment says, the passed in callback must always be invoked, or the underlying link
will hang. This was missed when reworking the code, so add it back in.
Tom Gundersen [Tue, 19 Aug 2014 15:50:38 +0000 (17:50 +0200)]
networkd: link - don't enforce ENSLAVING state
We are only guaranteed to stay in ENSLAVING state whilst enslaving by bridges/bonds, not
when adding stacked devices (as then the underlying device can be IFF_UP'ed and configured
in parallel), so drop these asserts.
sysusers: add a new RPM macro for creating users directly from data passed in via stdin
This allows encoding users to create directly in %pre, which is
necessary so that files owned by the RPM can be assigned to the right
users/groups.
This new macro does create a redundancy, as user definitions for all
users that shall own files need to to be listed twice, once with this
new macro, and then secondly, in the sysusers file shipped with the
package. But there's little way around that, as the users of this type
need to exist before we install the first file, but we actually want to
ship the user information in a file.
David Herrmann [Mon, 18 Aug 2014 21:54:10 +0000 (23:54 +0200)]
bus: map sealed memfds as MAP_PRIVATE
Mapping files as MAP_SHARED is handled by the kernel as 'writable'
mapping. Always! Even with PROT_READ. Reason for that is,
mprotect(PROT_WRITE) could change the mapping underneath and currently
there is no kernel infrastructure to add protection there. This might
change in the future, but until then, map sealed files as MAP_PRIVATE so
we don't get EPERM.
units: fix BindsTo= logic when applied relative to services with Type=oneshot
Start jobs for Type=oneshot units are successful when the unit state
transition activating → inactive took place. In such a case all units
that BindsTo= on it previously would continue to run, even though the unit
they dependet on was actually already gone.
Tom Gundersen [Mon, 18 Aug 2014 10:29:45 +0000 (12:29 +0200)]
networkd: warn when ignoring unsupported tuntap options
The interface for creating tuntap devices should be ported to rtnl so it would support the same settings
as other kinds. In the meantime, the best one can do is to drop in a .link file to set the desired options.
Stef Walter [Wed, 6 Aug 2014 09:45:36 +0000 (11:45 +0200)]
core: Verify systemd1 DBus method callers via polkit
DBus methods that retrieve information can be called by anyone.
DBus methods that modify state of units are verified via polkit
action: org.freedesktop.systemd1.manage-units
DBus methods that modify state of unit files are verified via polkit
action: org.freedesktop.systemd1.manage-unit-files
DBus methods that reload the entire daemon state are verified via polkit
action: org.freedesktop.systemd1.reload-daemon
DBus methods that modify job state are callable from the clients
that started the job.
root (ie: CAP_SYS_ADMIN) can continue to perform all calls, property
access etc. There are several DBus methods that can only be
called by root.
Open up the dbus1 policy for the above methods.
(Heavily modified by Lennart, making use of the new
bus_verify_polkit_async() version that doesn't force us to always
pass the original callback around. Also, interactive auhentication must
be opt-in, not unconditional, hence I turned this off.)
bus-util: simplify bus_verify_polkit_async() a bit
First, let's drop the "bus" argument, we can determine it from the
message anyway.
Secondly, determine the right callback/userdata pair automatically from
what is currently is being dispatched. This should simplify things a lot
for us, since it makes it unnecessary to pass pointers through the
original handlers through all functions when we process messages, which
might require authentication.
Daniel Mack [Mon, 18 Aug 2014 11:28:43 +0000 (13:28 +0200)]
memfd: internalize functions, drop sd_memfd type
Remove the sd_ prefix from internal functions and get rid of the sd_memfd
type. As a memfd is now just a native file descriptor, we can get rid of our
own wrapper type, and also use close() and dup() on them directly.
David Herrmann [Mon, 18 Aug 2014 11:05:48 +0000 (13:05 +0200)]
memfd: map unsealed files as MAP_SHARED
We need to map sealed files as MAP_PRIVATE so far as the kernel treats
MAP_SHARED as writable mapping (you can run mprotect(PROT_WRITE) at any
time on those). However, unsealed files must be mapped as MAP_SHARED.
Otherwise, we never end up writing to the real file.
David Herrmann [Mon, 18 Aug 2014 11:03:09 +0000 (13:03 +0200)]
memfd: disallow importing memfds without sealing
We use memfds for sealing. Lets not bother with memfds created without
MFD_ALLOW_SEALING for now. They're equivalent to random shmem files, so
don't bother treating them as sealable memfds.
sd-bus: add API to check if a client has privileges
This is a generalization of the vtable privilege check we already have,
but exported, and hence useful when preparing for a polkit change.
This will deal with the complexity that on dbus1 one cannot trust the
capability field we retrieve via the bus, since it is read via
/proc/$$/stat (and thus might be out-of-date) rather than directly from
the message (like on kdbus) or bus connection (as for uid creds on
dbus1).
main,log: parse the log related kernel command line parameters at one place only, and for all tools
Previously, we ended up parsing some of them three times: in main.c when
processing the kernel cmdline, in main.c when processing the process
cmdline (only for containers), and in log.c again.
Let's streamline this, and only parse them in log.c
In PID 1 also make sure we parse "quiet" first, and then override this
with the more specific checks in log.c
David Herrmann [Fri, 15 Aug 2014 14:54:52 +0000 (16:54 +0200)]
macro: add CONST_MAX() macro
The CONST_MAX() macro is similar to MAX(), but verifies that both
arguments have the same type and are constant expressions. Furthermore,
the result of CONST_MAX() is again a constant-expression.
CONST_MAX() avoids any statement-expressions and other non-trivial
expression-types. This avoids rather arbitrary restrictions in both GCC
and LLVM, which both either fail with statement-expressions inside
type-declarations or statement-expressions inside static-const
initializations.
If anybody knows how to circumvent this, please feel free to unify
CONST_MAX() and MAX().
David Herrmann [Fri, 15 Aug 2014 14:16:30 +0000 (16:16 +0200)]
macro: const'ify MIN/MAX/... macros
We must add 'const' to local variables in statement-expressions to
guarantee that the macros can produce constant-expressions if given such.
GCC seems to ignore this, but LLVM/clang requires it (understandably).