tmpfiles: make t and a globby, add their recursive versions T and A
For types which adapt existing files it is generally more useful to accept
globs.
In analogy to z and Z, add recursive versions using uppercase letters.
Technically, making a accept globs is backwards incompatible, but in
practice it probably isn't yet widely used and we can assume that most
people don't create files with wildcards in names.
Functions which are used as callbacks, but not directly on items, are
renamed not to have "item_" prefix.
The data structure used by tmpfiles is changed: instead of hashmaps
mapping {path → Item*} we now have hashmaps containing
{path -> ItemArray}, where ItemArray contains a pointer
to an array of Items.
For current code it doesn't matter much, but when we add new types it
is easier to simply add a new Item for a given path, than to coalesce
multiple lines into one Item.
In the future, this change will also make it possible to remember the
file and line where each Item originates, and use that in reporting
errors. Currently this is not possible, since each Item can be created
from multiple lines.
int[] should not be used as pid_t[], even if it happens to be the same thing.
Also deduplicating in a quadratic loop right before sorting is unnecessary.
Remove custom greedy_realloc implementation.
import: introduce new mini-daemon systemd-importd, and make machinectl a client to it
The old "systemd-import" binary is now an internal tool. We still use it
as asynchronous backend for systemd-importd. Since the import tool might
require some IO and CPU resources (due to qcow2 explosion, and
decompression), and because we might want to run it with more minimal
privileges we still keep it around as the worker binary to execute as
child process of importd.
machinectl now has verbs for pulling down images, cancelling them and
listing them.
Martin Pitt [Wed, 21 Jan 2015 16:10:20 +0000 (17:10 +0100)]
build: Add parallel-tests automake option
We use PY_LOG_COMPILER in Makefile.am for running *.py tests, which requires
automake's parallel test runner. This has only been the default from 1.13 on.
As we only require automake 1.11, add it as an option explicitly.
Martin Pitt [Wed, 21 Jan 2015 09:25:14 +0000 (10:25 +0100)]
sysv-generator: Replace Provides: symlinks with real units
Since commit b7e7184 the SysV generator creates symlinks for all "Provides:" in
the LSB header. However, this is too greedy; there are cases where the
creation of a unit .service file fails because of an already existing
symlink with the same name:
- Backup files such as /etc/init.d/foo.bak still have "Provides: foo", and
thus get a foo.service -> foo.bak.service link. foo.bak would not be enabled
in rcN.d/, but we (deliberately) create units for all executables in init.d/
so that a manual "systemctl start" works. If foo.bak is processed before,
the symlink already exists.
- init.d/bar has "Provides: foo", while there also is a real init.d/foo. The
former would create a link foo.service -> bar.service, while the latter
would fail to create the real foo.service.
If we encounter an existing symlink, just remove it before writing a real unit.
Note that two init.d scripts "foo" and "bar" which both provide the same name
"common" already work. The first processed init script wins and creates the
"common.service" symlink, and the second just fails to create the symlink
again. Thus create an additional test case for this to ensure that it keeps
working sensibly.
Martin Pitt [Tue, 20 Jan 2015 15:41:31 +0000 (16:41 +0100)]
sysv-generator: Handle .sh suffixes when translating Provides:
When deciding whether the provided name equals the file name in
sysv_translate_facility(), also consider them equal if the file name has a
".sh" suffix.
This was uncovered by commit b7e7184 which then created a symlink
"<name>.service" to itself for ".sh" suffixed init.d scripts.
For additional robustness, refuse to create symlinks to itself in add_alias().
Christian Seiler [Tue, 13 Jan 2015 10:53:25 +0000 (11:53 +0100)]
journal: Fix syslog forwarding without CAP_SYS_ADMIN
In case CAP_SYS_ADMIN is missing (like in containers), one cannot fake pid in
struct ucred (uid/gid are fine if CAP_SETUID/CAP_SETGID are present).
Ensure that journald will try again to forward the messages to syslog without
faking the SCM_CREDENTIALS pid (which isn't guaranteed to succeed anyway, since
it also does the same thing if the process has already exited).
With this patch, journald will no longer silently discard messages
that are supposed to be sent to syslog in these situations.
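
The fallback this commit message describes, as an added example that is not part of the commit and not journald's own code: try to send with a claimed pid in SCM_CREDENTIALS, and if the kernel refuses with EPERM (no CAP_SYS_ADMIN) or ESRCH (process already gone), resend without the credentials instead of dropping the message. The names `forward_message`, `send_dgram`, `demo_forward` and `struct creds` are hypothetical.

```c
#include <errno.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Mirrors struct ucred / SCM_CREDENTIALS, which glibc hides without _GNU_SOURCE. */
struct creds { pid_t pid; uid_t uid; gid_t gid; };
#ifndef SCM_CREDENTIALS
#define SCM_CREDENTIALS 0x02
#endif

/* Send one datagram, attaching SCM_CREDENTIALS when c != NULL. Returns 0 or -errno. */
static int send_dgram(int fd, const void *buf, size_t len, const struct creds *c) {
        union { struct cmsghdr hdr; char space[CMSG_SPACE(sizeof(struct creds))]; } ctl;
        struct iovec iov = { .iov_base = (void *) buf, .iov_len = len };
        struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1 };
        if (c) {
                memset(&ctl, 0, sizeof(ctl));
                mh.msg_control = &ctl;
                mh.msg_controllen = sizeof(ctl);
                struct cmsghdr *h = CMSG_FIRSTHDR(&mh);
                h->cmsg_level = SOL_SOCKET;
                h->cmsg_type = SCM_CREDENTIALS;
                h->cmsg_len = CMSG_LEN(sizeof(struct creds));
                memcpy(CMSG_DATA(h), c, sizeof(struct creds));
        }
        return sendmsg(fd, &mh, MSG_NOSIGNAL) < 0 ? -errno : 0;
}

/* 0: sent with the claimed pid; 1: sent after dropping the credentials; <0: -errno. */
int forward_message(int fd, const void *buf, size_t len, pid_t claimed_pid) {
        struct creds c = { .pid = claimed_pid, .uid = geteuid(), .gid = getegid() };
        int r = send_dgram(fd, buf, len, &c);
        /* EPERM: not allowed to claim another pid. ESRCH: that process has exited. */
        if (r == -EPERM || r == -ESRCH)
                r = send_dgram(fd, buf, len, NULL) < 0 ? -errno : 1;
        return r;
}

/* Constructed demo: forward a sample line over a socketpair standing in for syslog. */
int demo_forward(pid_t claimed_pid) {
        int sv[2];
        if (socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
                return -errno;
        int r = forward_message(sv[0], "<13>test", 8, claimed_pid);
        close(sv[0]);
        close(sv[1]);
        return r;
}
```
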
Wieland Hoffmann [Sat, 17 Jan 2015 01:10:42 +0000 (02:10 +0100)]
zsh-completion: Do not interpret escape sequences in _filter_units_by_property
This makes all functions that rely on _filter_units_by_property() (like
_systemctl_{stop,kill,try_restart}) work with unit names that contain backslash
escaped sequences (like automount units with spaces that are escaped to
"\x20").
Martin Pitt [Tue, 20 Jan 2015 20:26:35 +0000 (21:26 +0100)]
test: eliminate shell wrapper for Python test
Use the parallel test runner's TEST_EXTENSIONS/*_LOG_COMPILER feature
(https://www.gnu.org/software/automake/manual/html_node/Parallel-Test-Harness.html)
to run *.py tests through $(PYTHON), and only if we have python
available/enabled.
This eliminates the need of having shell wrappers, thus drop
test/rules-test.sh.
Martin Pitt [Tue, 20 Jan 2015 19:50:35 +0000 (20:50 +0100)]
test: simplify rules-test.sh wrapper
Drop globbing of rules/*.rules in the rules-test.sh wrapper and move that logic
into the actual test rule-syntax-check.py. This can still be called with
individual rules files, but when being called without arguments it will now
process all top_builddir/rules/*.rules.
Preparation for dropping the shell wrappers altogether.
nspawn: work around kernel bug with partition table probing on loopback devices
When we set up a loopback device with partition probing, the udev
"change" event about the configured device is first passed on to
userspace, only then the in-kernel partition prober is started. Since
partition probing fails with EBUSY when somebody has the device open,
the probing frequently fails since udev starts probing/opening the
device as soon as it gets the notification about it, and it might do so
earlier than the kernel probing.
This patch adds a (hopefully temporary) work-around for this, that
compares the number of probed partitions of the kernel with those of
blkid and synchronously asks for reprobing until the numbers are in
sync.
Also do not say "No jobs" with --no-legend. We skip
reporting the number of jobs with --no-legend if there
are any, and 0 is also a number, and should be skipped.
David Herrmann [Sun, 18 Jan 2015 22:56:19 +0000 (23:56 +0100)]
bus: drop systemd.kdbus_attach_flags_mask= cmdline
There is no reason to provide our own attach_flags_mask. We can simply
rely on kdbus.attach_flags_mask= which is read by the kernel *and* kmod.
If it's set, we assume the user wants to override our setting, so we
simply skip setting it.
David Herrmann [Sun, 18 Jan 2015 22:54:42 +0000 (23:54 +0100)]
core: write kdbus.attach_flags_mask only on real boot
The kernel module system is not namespaced, so no container should ever
modify global options. Make sure we set the kdbus attach_flags_mask only
on a real boot as PID1.
Topi Miettinen [Sun, 18 Jan 2015 14:01:25 +0000 (16:01 +0200)]
timesyncd: consider too long packets as invalid
If the received NTP message from server didn't fit to our buffer, either
it is doing something nasty or we don't know the protocol. Consider the
packet as invalid.
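
One way to implement the check this commit message describes, as an added example that is not part of the commit and not timesyncd's own code: receive into a fixed-size buffer and reject the datagram when the kernel reports MSG_TRUNC. The 48-byte buffer size (the NTP header without extension fields), the return codes and the function names are assumptions of this sketch.

```c
#include <errno.h>
#include <stddef.h>
#include <sys/socket.h>
#include <unistd.h>

#define NTP_MSG_SIZE 48 /* assumed receive buffer: NTP header without extensions */

/* Receive one datagram into a buffer of exactly NTP_MSG_SIZE bytes.
 * Returns 0 if usable, -EMSGSIZE if it did not fit, -EBADMSG if short, -errno on error. */
int receive_ntp_reply(int fd, unsigned char out[NTP_MSG_SIZE]) {
        struct iovec iov = { .iov_base = out, .iov_len = NTP_MSG_SIZE };
        struct msghdr mh = { .msg_iov = &iov, .msg_iovlen = 1 };
        ssize_t n = recvmsg(fd, &mh, MSG_DONTWAIT);

        if (n < 0)
                return -errno;
        /* For an oversized datagram n is capped at the buffer size, so a length
         * check alone would accept it. Only msg_flags reveals the truncation. */
        if (mh.msg_flags & MSG_TRUNC)
                return -EMSGSIZE;
        if ((size_t) n < NTP_MSG_SIZE)
                return -EBADMSG;
        return 0;
}

/* Constructed demo: send a len-byte datagram over a socketpair and classify it. */
int demo_reply(size_t len) {
        unsigned char pkt[128] = { 0x24 }, out[NTP_MSG_SIZE]; /* 0x24: VN 4, mode 4 */
        int sv[2], r;

        if (len > sizeof(pkt) || socketpair(AF_UNIX, SOCK_DGRAM, 0, sv) < 0)
                return -EINVAL;
        r = send(sv[0], pkt, len, 0) < 0 ? -errno : receive_ntp_reply(sv[1], out);
        close(sv[0]);
        close(sv[1]);
        return r;
}
```
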
David Herrmann [Sun, 18 Jan 2015 20:34:33 +0000 (21:34 +0100)]
bus-proxy: don't pretend everyone is root
While it's a lovely scenario, it's probably not really useful. Fix our
GetConnectionUnixUser() to return the actual 'euid' which we asked for,
not the possibly uninitialized 'uid'.
David Herrmann [Sun, 18 Jan 2015 19:07:51 +0000 (20:07 +0100)]
Revert "test-exec: do not skip all the tests"
This reverts commit 68e68ca8106e7cd874682ae425843b48579c6539. We *need*
root access to create cgroups. The only exception is if it is run from
within a cgroup with "Delegate=yes". However, this is not always true and
we really shouldn't rely on this.
If your terminal runs from within a systemd --user instance, you're fine.
Everyone else is not (like running from ssh, VTs, and so on..).
David Herrmann [Sun, 18 Jan 2015 18:37:34 +0000 (19:37 +0100)]
bus: fix SD_BUS_CREDS_AUGMENT on kdbus queries
If we set SD_BUS_CREDS_AUGMENT, we *need* the PID from the kernel so we
can lookup further information from /proc. However, we *must* set
SD_BUS_CREDS_PIDS in "mask", otherwise, our creds-collector will never
actually copy the pid into "sd_bus_creds". Fix this, so
SD_BUS_CREDS_AUGMENT works even if SD_BUS_CREDS_PID is not specified by
the caller.
David Herrmann [Sun, 18 Jan 2015 12:55:55 +0000 (13:55 +0100)]
bus: use EUID over UID and fix unix-creds
Whenever a process performs an action on an object, the kernel uses the
EUID of the process to do permission checks and to apply on any newly
created objects. The UID of a process is only used if someone *ELSE* acts
on the process. That is, the UID of a process defines who owns the
process, the EUID defines what privileges are used by this process when
performing an action.
Process limits, on the other hand, are always applied to the real UID, not
the effective UID. This is, because a process has a user object linked,
which always corresponds to its UID. A process never has a user object
linked for its EUID. Thus, accounting (and limits) is always done on the
real UID.
This commit fixes all sd-bus users to use the EUID when performing
privilege checks and alike. Furthermore, it fixes unix-creds to be parsed
as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone
using UID (eg., to do user-accounting) has to fall back to the EUID as UDS
does not transmit the UID.
David Herrmann [Sun, 18 Jan 2015 12:54:46 +0000 (13:54 +0100)]
bus-proxy: fake all UIDs/GIDs, not just the real UID/GID
Make sure we tell the kernel to fake all UIDs/GIDs. Otherwise, the remote
side has no chance of querying our effective UID (which is usually what
they're interested in).
David Herrmann [Sun, 18 Jan 2015 12:07:21 +0000 (13:07 +0100)]
bus-proxy: fix bus-uid tracking
We need to implicitly allow HELLO from users with the same uid as the bus.
Fix the bus-uid tracking to use the original uid, not the uid after
privilege-dropping.
David Herrmann [Sun, 18 Jan 2015 11:59:39 +0000 (12:59 +0100)]
logind: hide 'self' links if not available
If the caller does not run in a session/seat or has no tracked user, hide
the /org/freedesktop/login1/.../self links in introspection data.
Otherwise, "busctl tree org.freedesktop.login1" tries to query those nodes
even though it can't.
David Herrmann [Sat, 17 Jan 2015 20:18:52 +0000 (21:18 +0100)]
bus-proxy: don't print error-messages if we check multiple dests
If we test the policy against multiple destination names, we really should
not print warnings if one of the names results in DENY. Instead, pass the
whole array of names to the policy and let it deal with it.
David Herrmann [Sat, 17 Jan 2015 17:23:33 +0000 (18:23 +0100)]
bus-proxy: drop privileges if run as root
We cannot use "User=" in unit-files if we want to retain privileges. So
make bus-proxy.c explicitly drop privileges. However, only do that if
we're root, as there is no need to drop it on the user-bus.