Alexander Tsoy [Mon, 28 Jun 2021 20:00:11 +0000 (23:00 +0300)]
resolved: do not try to copy empty NSEC types bitmaps
dns_resource_record_copy() assumes that NSEC types bitmap is non-empty
which results in a null pointer dereference inside bitmap_copy() in some
cases. Fix this by calling bitmap_copy() conditionally.
Yu Watanabe [Sat, 26 Jun 2021 17:30:52 +0000 (02:30 +0900)]
sd-netlink: do not trigger assertion by calling socket_broadcast_group_unref() with an arbitrary group number
socket_broadcast_group_unref() is only called in netlink_slot_disconnect(),
so the assertion should not be triggered as the match slot was
successfully created.
But, we usually design `_ref/unref()` functions as they can be called
for any inputs. So, let's also follow the design rule here.
We checked the wrong field, which was always NULL here, so we would always
reject the assignment. We would also print the wrong string in the error
message:
Luca Boccassi [Tue, 22 Jun 2021 21:59:40 +0000 (22:59 +0100)]
ExtensionImages: log explicit error when extension-release metadata does not match
When an ExtensionImages= extension-release metadata does not match, the
log messages (unless debug level is set) are pretty much incomprehensible:
systemd[463]: run-u11.service: Failed to set up mount namespacing: /run/systemd/unit-extensions/0: Stale file handle
systemd[463]: run-u11.service: Failed at step NAMESPACE spawning /usr/bin/echo: Stale file handle
Add an explicit log message if we get ESTALE from the dissect code, to
make it clear what's happening without needing to enable debugging:
systemd[463]: Failed to mount image /tmp/app3.raw, extension-release metadata does not match the lower layer's: ID=debian VERSION_ID=11 SYSEXT_LEVEL=11
Mike Crowe [Thu, 24 Jun 2021 14:25:58 +0000 (15:25 +0100)]
resolvectl: Only strip ifname suffixes when being resolvconf
Only treat interface names containing dots specially when resolvectl is
pretending to be resolvconf to fix
https://github.com/systemd/systemd/issues/20014 .
Move the special suffix-stripping behaviour of ifname_mangle out to the
new ifname_resolvconf_mangle to be called from resolvconf only.
Yu Watanabe [Fri, 25 Jun 2021 06:30:13 +0000 (15:30 +0900)]
core: do not set nosuid mount option when SELinux is enabled
The mount option has special meaning when SELinux is enabled. To make
NoNewPrivileges=yes not break SELinux enabled systems, let's not set the
mount flag on such systems.
Let's re-enable that feature now. As reported when the original commit
was merged, this causes some trouble on SELinux enabled systems. So,
in the subsequent commit, the feature will be disabled when SELinux is enabled.
But, anyway, this commit just re-enable that feature unconditionally.
This fixes repart's, systemctl's, sysusers' and tmpfiles' specifier
expansion to honour the root dir specified with --root=. This is
relevant for specifiers such as %m, %o, … which are directly sourced
from files on disk.
This doesn't try to be overly smart: specifiers referring to runtime
concepts (i.e. boot ID, architecture, hostname) rather than files on the
medium are left as is. There's certainly a point to be made that they
should fail in case --root= is specified, but I am not entirely convinced
about that, and it's certainly something we can look into later if
there's reason to.
I wondered for a while how to hook this up best, but given that quite a
large number of specifiers resolve to data from files on disks, and most
of our tools needs this, I ultimately decided to make the root dir a
first class parameter to specifier_printf().
Frantisek Sumsal [Thu, 24 Jun 2021 10:13:52 +0000 (12:13 +0200)]
test: correctly mask supporting services in tests, take #2
Due to a little misunderstanding the last patch doesn't work as
expected, since test_create_image() is called only for the first image
(usually TEST-01-BASIC), and all subsequent images are then (possibly)
modified with test_append_files().
Dan Streetman [Tue, 8 Jun 2021 16:01:31 +0000 (12:01 -0400)]
network: default RequiredForOnline=false if ActivactionPolicy= not set to up
If ActivationPolicy= is set to down, always-down, or manual, then any
matching link will delay boot (due to delaying network-online.target).
If RequiredForOnline= wasn't explicitly set, then default it to false
if ActivationPolicy= is down or manual. If ActivationPolicy=always-down,
then force RequiredForOnline=no.
core: avoid calling path_simplify() unnecessarilly for u.requires_mounts_for keys
We would always call path_simplify() before doing a lookup, which requires the
path key to be duplicated first. But the hashmap lookup doesn't require this…
So let's opportunistically skip the allocation if the key is already present.
Inspired by https://github.com/systemd/systemd/pull/19973.
shared/selinux-util: rework switching of the getenforce() function
The approach with function pointer was neat, but it gets in the way
when we want to resolve the symbol dynamically: static initialization
is not possible. It also makes the code more complicated than necessary.
In this case, a simple boolean is sufficient.
dlfcn-util: invert function naming and add helper that does the whole job
We warn when the operation fails, not when it succeeds. Hence this should be
"<do>_or_<handle failure>", not "<do>_and_<handle failure>". We *could* use
whatever convention we want, but rust and perl are rather consistent in using
the logical convention. We don't care about perl that much, but having a naming
convention inverted wrt. rust would be rather confusing.
Also, pretty much every implementation does similar steps, so add a nice
wrapper which combines opening of the library and loading of the symbols.
Also add missing sentinel attribute in dlopen_or_warn().
meson: drop libseccomp and libselinux from libbasic linkage
This means libsystemd.so is without them now. This is important
because countless programs link to libsystemd.so, and do not need
to pull in selinux now. And libselinux.so pulls in libpcre2, so
we trim a nice dependency tree.
I'm not sure why libseccomp was listed there. No code seems to
refer to it.
basic,shared: move a bunch of files to src/shared/
The goal is to move everything that requires selinux or smack
away from src/basic/. This means that src/basic/label.[ch] must move,
which implies btrfs-util.[ch], copy.[ch], and a bunch of other files
which form a cluster of internal use.
This is just moving text around, so there should be no functional difference.
test-blockdev-util is new, because path_is_encrypted() is moved to
blockdev-util.c, and so far we didn't have any tests for code there.
This was added in 88d775b734644f26fb490836769c2bc275498fde,
with the apparent intent of using in shared/ and the rest of our code.
It doesn't matter much for our code, since libdl is part of glibc anyway,
but moving it removes one linkage from libsystemd. (libshared was already
linking to libdl explicitly).
basic: move acquire_data_fd() and fd_duplicate_data_fd() to new data-fd-util.c
fd_duplicate_data_fd() is renamed to copy_data_fd(). This makes
the two functions have nicely similar names.
Now fd-util.[ch] is again about low-level file descriptor manipulations.
copy_data_fd() is a complex function that internally wraps the other
functions in copy.c. I want to move copy.c and the whole cluster of
related code from basic/ to shared/ later on, and this is a preparatory
step for that.
udev: replace unsafe characters on assigning ENV{key}="val" when OPTIONS="string_escape=replace" is set
Strictly speaking, this breaks backward compatibility, as previously
`ENV{key}="val"` ignored `string_escape=` option. But, introducing
a new option such as `string_escape=hoge` sounds overkill for me.
The default escape mode is `ESCAPE_UNSET`, so I hope this merely break
existing rules.