Daniel Wang [Sat, 20 May 2017 11:05:18 +0000 (04:05 -0700)]
DHCP: when adding static routes set scopes properly (#5982)
DHCP responses could include static routes, but unfortunately not an
option to tell what scope to use. So it's important that the client sets
it properly.
This mimics what the `ip route add` command does when adding a static
route without an explicit scope:
* If the destination IP is on the local host, use scope `host`
* Otherwise if the gateway IP is null (direct route), use scope `link`
* If anything else, use the current default `global`.
journald: process "binary" fields the same as text fields
MESSAGE=data\n and MESSAGE\n40000000data\n are both valid serializations, so
they should be stored in the journal. Before, MESSAGE, SYSLOG_FACILITY,
SYSLOG_IDENTIFIER, PRIORITY, and OBJECT_PID would be only honoured if they were
given in the first form.
journald: properly process multiple entries in the same native packet
For all except the last entry in a single packet, we would dispatch the
message to the journal, but not forward it, nor perform proper cleanup.
Rewrite the code to process each entry in a helper function, and make
server_process_native_message() just call this function in a loop.
Fixes #5643.
v2:
- properly decrement *remaining when processing entry separator
Hans de Goede [Fri, 19 May 2017 14:05:27 +0000 (16:05 +0200)]
hwdb: Fix mapping for home-key on Cube iWork8 air (#5994)
The intent of the hwdb entry for the Cube iWork8 air tablet buttons is
to fix them being swapped. The kernel is using left-meta for the
home key (it is being treated as the windows key on keyboards, as it has
a windows logo on most x86 tablets).
Fix the hwdb entry to only swap the buttons and not change the keycode
emitted by the home key.
timex::time::tv_sec can have different sizes depending on the
host architecture. On x32 in particular, it is 8 bytes
long while the long int type is only 4 bytes long. Hence,
using li as a format specifier will trigger a format
error. Thus, better use PRI_TIME instead of li which is
actually the right format specifier to use for time_t.
timex::time::tv_usec and timex::freq can have different sizes
depending on the host architecture. On x32 in particular,
it is 8 bytes long while the long int type is only 4 bytes
long. Hence, using li as a format specifier will trigger
a format error. Thus, introduce a new format specifier
PRI_TIMEX which is defined as PRIi64 on x32 and li
everywhere else.
timespec::tv_nsec can have different sizes depending on the
host architecture. On x32 in particular, it is 8 bytes long
while the long int type is only 4 bytes long. Hence, using
ld as a format specifier will trigger a format error. Thus,
explicitly cast timespec::tv_nsec to nsec_t and use PRI_NSEC
as the format specifier to make sure the sizes for both match.
timespec::tv_nsec can have different sizes depending on the
host architecture. On x32 in particular, it is 8 bytes long
while the long int type is only 4 bytes long. Hence, using
ld as a format specifier will trigger a format error. Thus,
explicitly cast timespec::tv_nsec to nsec_t and use PRI_NSEC
as the format specifier to make sure the sizes for both match.
Peter Hutterer [Fri, 19 May 2017 08:56:29 +0000 (18:56 +1000)]
udev: skip EVDEV_ABS override on devices without EV_ABS (#5984)
When we first handle a device with an EVDEV_ABS override, check if it has
EV_ABS bits. If not, print a warning and continue. This is required on devices
where the match string applies to multiple device nodes, not all of which may
have absolute axes.
udev: turn off -Wformat-nonliteral for one safe case
c20e6de897b2378bc3f936e1e265d2d2e2450a73 introduced a format string as
variable, but didn't turn off -Wformat-nonliteral warnings on it, thus
breaking the build. Let's fix that, by simply turning off the warning in
this case, as we know it's safe.
Patrik Flykt [Fri, 12 May 2017 13:48:39 +0000 (16:48 +0300)]
test-ndisc-ra: Add Router Advertisement test cases
Add tests for prefix creation, router variable setting and finally
verify that a Router Advertisement is properly formatted when sending.
Also check that there is a Router Advertisment with zero lifetime
when Router Advertisement sending is stopped.
Patrik Flykt [Fri, 12 May 2017 13:48:38 +0000 (16:48 +0300)]
sd-radv: Receive Router Solicitations
Receive Router Solicitations and send a unicast Router Advertisment
in response. Refactor ICMPv6 packet handling code so that the common
ICMPv6 validation parts are reused between the existing router
discovery and the new functionality adding reception of Router
Solicitation messages.
Patrik Flykt [Fri, 12 May 2017 13:48:37 +0000 (16:48 +0300)]
sd-radv: Send Router Advertisments
Create and remove the ICMPv6 Router Advertisement socket file
descriptor and implement Router Advertisment sending. As not
all options are mandatory, use IO vectors to point to the included
options and the prefix information.
Patrik Flykt [Fri, 12 May 2017 13:48:35 +0000 (16:48 +0300)]
icmp6-util: Bind Router Advertisement socket
Reuse and refactor the functionality already present for Router
Solicitations in order to create a socket for sending Router
Advertisements. Anticipate reception of incoming Router
Solicitations by setting the ICMPv6 filter accordingly. Also set
the unicast hop limit to 255 for ICMPv6 sockets as unicast Router
Advertisments are to be sent in response to Router Solicitations.
Update the Router Solicitation test case code with a function
definition in order to keep the test case working.
Router Advertisements are sent uniformly distributed between a
minimum and maximum time according to RFC 4861, Section 6.2.4.
Default values from RFC 4861 are for now used as minimum and
maximum Router Advertisement timeouts.
When stopping, a Router Advertisement with a router lifetime set
to zero is sent in order to inform any nodes that the interface
on this host no longer is a router.
Patrik Flykt [Fri, 12 May 2017 13:48:30 +0000 (16:48 +0300)]
networkd: Add Router Advertisement variables
Add variables for enabling Router Advertisements, router lifetime as
well as managed and other information flags indicating use of DHCPv6.
Add configuration of default router preferences as defined in RFC 4191.
IPv6PrefixDelegation in the [Network] section has to be set in order
to enable prefix delegation. The rest of the prefix delegation values
are stored in the [IPv6PrefixDelegation] section. The host will act as
a default router if it is given a non-zero lifetime with
RouterLifetimeSec. Managed and OtherInformation booleans set the level
of DHCPv6 support, and the RouterPreference configures the router's
preference between low, medium and high. Words 'normal' and 'default'
are added as synonyms for 'medium' just to make configuration simpler.
This adds a section like the following to .network configuration files:
[Network]
IPv6PrefixDelegation=true
Patrik Flykt [Fri, 12 May 2017 13:48:29 +0000 (16:48 +0300)]
networkd: Add IPv6Prefix sections to the network configuration files
Support zero or more [IPv6Prefix] sections in the network configuration
files. Each section can have one Prefix=<subnet>[/<prefixlength>]
option, with the preferred and valid lifetimes specified by
ValidLifetimeSec and PreferredLifetimeSec measured in seconds, and
with onlink and address autoconfiguration booleans specified by
OnLink and AddressAutoconfiguration variables.
This adds a section like the following to .network configuration files:
[IPv6Prefix]
Prefix=2001:db8:dead:beef::/64
OnLink=true
AddressAutoconfiguration=true
ValidLifetimeSec=1500
PreferredLifetimeSec=1000
Patrik Flykt [Fri, 12 May 2017 13:48:27 +0000 (16:48 +0300)]
sd-radv: Add Router Advertisement prefix handling
Define Router Advertisement prefix structure. Add the Prefix
Information ICMPv6 option defined in RFC 4861 to the prefix
information structure, as it will simplify sending a Prefix
Information option later on. In order to handle endianness
correctly, the structure is redefined here instead of using
the one in netinet/icmp6.h.
Add functions to create and modify prefix information and set
default values as defined in RFC 4861, Section 6.2.1.
Ronny Chevalier [Sun, 14 May 2017 11:19:11 +0000 (13:19 +0200)]
conf-parser: fix wrong argument given to log_syntax_invalid_utf8
The condition is on "word", hence we give word instead of rvalue.
An assert would be triggered if !utf8_is_valid(word) is true and
rvalue == NULL, since log_syntax_invalid_utf8 calls utf8_escape_invalid
which calls assert(str).
A test case has been added to test with valid and invalid utf8.
tests,meson: add test-bus-vtable, compiled as C and C++
This test is mostly a compilation test that checks that various defines in
sd-bus-vtable.h are valid C++. The code is executed, but the results are not
checked (apart from sd-bus functions not returning an error). test-bus-objects
contains pretty extensive tests for this functionality.
The C++ version is only added to meson, since it's simpler there.
Because of the .cc extension, meson will compile the executable with c++.
This test is necessary to properly check the macros in sd-bus-vtable.h. Just
running the headers through g++ is not enough, because the macros are not
exercised.
This adds a meson test because it fits nicely into the existing framework.
It should be enough to run this test once in a while, so I don't think it's
crucial to also have it under autotools.
This adds a modified version of dhcp6_option_parse_domainname() that is
able to parse compressed domain names, borrowing the idea from
dns_packet_read_name(). It also adds pieces in networkd-link and
networkd-manager to properly save/load the added option field.
Gary Tierney [Tue, 2 May 2017 20:05:32 +0000 (21:05 +0100)]
audit-fd: check for CAP_AUDIT_WRITE before opening an audit socket
Adds a check to audit-fd.c to ensure that CAP_AUDIT_WRITE is present in
the set of effective capabilities before opening an audit netlink
socket. This ensures that unprivileged systemd instances (MANAGER_USER)
don't try to log AVC permission checks with the audit subsystem when
CAP_AUDIT_WRITE is not present.
The previously mentioned commit inadvertently broke a lot of SELinux related
functionality for both unprivileged users and systemd instances running as
MANAGER_USER. In particular, setting the correct SELinux context after a User=
directive is used would fail to work since we attempt to set the security
context after changing UID. Additionally, it causes activated socket units to
be mislabeled for systemd --user processes since setsockcreatecon() would never
be called.
Reverting this fixes the issues with labeling outlined above, and reinstates
SELinux access checks on unprivileged user services.
nss-resolve: drop the internal fallback to libnss_dns (#5945)
If we could not communicate with systemd-resolved, we would call into
libnss_dns. libnss_dns would return NOTFOUND for stuff like "localhost" and
other names resolved by nss-myhostname, which we would fall under the !UNAVAIL=
condition and cause resolution to fail. So the following recommended
configuration in nsswitch.conf would not work:
hosts: resolve [!UNAVAIL=return] dns myhostname
Remove the internal fallback code completely so that the fallback logic
can be configured in nsswitch.conf.
Tested with
hosts: resolve [!UNAVAIL=return] myhostname
and
hosts: resolve [!UNAVAIL=return] dns myhostname
libidn2 2.0.0 supports IDNA2008, in contrast to libidn which supports IDNA2003.
https://bugzilla.redhat.com/show_bug.cgi?id=1449145
From that bug report:
Internationalized domain names exist for quite some time (IDNA2003), although
the protocols describing them have evolved in an incompatible way (IDNA2008).
These incompatibilities will prevent applications written for IDNA2003 to
access certain problematic domain names defined with IDNA2008, e.g., faß.de is
translated to domain xn--fa-hia.de with IDNA2008, while in IDNA2003 it is
translated to fass.de domain. That not only causes incompatibility problems,
but may be used as an attack vector to redirect users to different web sites.
v2:
- keep libidn support
- require libidn2 >= 2.0.0
v3:
- keep dns_name_apply_idna caller dumb, and keep the #ifdefs inside of the
function.
- use both ±IDN and ±IDN2 in the version string
We know how the field we are parsing is called, let's put this information in
the error message:
"Route Source= prefix is invalid, ignoring assignment: ..."
"Route Destination= prefix is invalid, ignoring assignment: ..."
We counted how many filesystems could not be unmounted, but only for those
filesystems which we tried to unmount. Since we only remount / ro, without
attempting to unmount, we would emit a confusing error message:
Remounting '/' read-only with options 'seclabel,space_cache,subvolid=5,subvol=/'.
Remounting '/' read-only with options 'seclabel,space_cache,subvolid=5,subvol=/'.
Remounting '/' read-only with options 'seclabel,space_cache,subvolid=5,subvol=/'.
All filesystems unmounted.
Warn when remount-ro fails, and for filesystems which we won't try to unmount,
include the failure to remount-ro in n_failed.
A few minor cleanups:
- remove unecessary goto which jumps to the next line anyway
- always calculate n_failed, even if log_error is false. This causes no change
in behaviour, but I think the code is easier to follow, since the log setting
cannot influence other logic.
Tom Gundersen [Thu, 11 May 2017 13:56:55 +0000 (15:56 +0200)]
busctl: monitor - only start printing messages once we have become a monitor (#5931)
A connection becomes a monitor the moment it loses its unique name, so any
messages received before that should not be dumped to the console.
Currently, we print NameAcquired and NameLost for the unique name of the
peer that becomes the monitor, simply discard all messages until we
receive our NameLost signal.
seccomp: enable RestrictAddressFamilies on ppc64, autodetect SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
We expect that if socket() syscall is available, seccomp works for that
architecture. So instead of explicitly listing all architectures where we know
it is not available, just assume it is broken if the number is not defined.
This should have the same effect, except that other architectures where it is
also broken will pass tests without further changes. (Architectures where the
filter should work, but does not work because of missing entries in
seccomp-util.c, will still fail.)
i386, s390, s390x are the exception — setting the filter fails, even though
socket() is available, so it needs to be special-cased
(https://github.com/systemd/systemd/issues/5215#issuecomment-277241488).
This remove the last define in seccomp-util.h that was only used in test-seccomp.c. Porting
the seccomp filter to new architectures should be simpler because now only two places need
to be modified.
RestrictAddressFamilies seems to work on ppc64[bl]e, so enable it (the tests pass).
Anchor Cat [Wed, 10 May 2017 11:23:58 +0000 (21:23 +1000)]
automount: ack automount requests even when already mounted (#5916)
If a process accesses an autofs filesystem while systemd is in the
middle of starting the mount unit on top of it, it is possible for the
autofs_ptype_missing_direct request from the kernel to be received after
the mount unit has been fully started:
systemd forks and execs mount ...
... access autofs, blocks
mount exits ...
systemd receives SIGCHLD ...
... kernel sends request
systemd receives request ...
systemd needs to respond to this request, otherwise the kernel will
continue to block access to the mount point.
50-udev-default.rules.in: set correct group for mediaX/cecX (#5921)
The /dev/mediaX and /dev/cecX devices belong to the video group.
Add two default rules for that.
The /dev/cecX devices were introduced in kernel 4.8 in staging and moved
out of staging in 4.10. These devices support the HDMI CEC bus.
The /dev/mediaX devices are much older, but because they are not used very
frequently nobody got around to adding this rule to systemd. They let the
user control complex media pipelines.
Adds support for booting in a SecureBoot environment with shim as a
preloader. Install an appropriate UEFI security policy to check PE
signature of a chained kernel or UEFI application (using LoadImage())
against the MOK database maintained by shim, using shim's installed
BootServices.
Implementation details for installing the security policy are based on
code from the LinuxFoundation's SecureBoot PreLoader, part of efitools
licensed under LGPL 2.1
Current signed (by Microsoft) versions of shim (Versions 0.8 & 0.9)
so not install a security policy by themselves, future Versions of
shim might (a compile time switch exists in rectent git versions),
so in the future this PR might become unnecessary.