unit: move "not supported" check after condition check in unit_start()
Make sure we always check conditions before checking whether the unit
type is supported in unit_start(), since condition checks are "clean
errors", while "not supported" errors are fatal.
This cleans up the boot output of systemd in containers, where a lot of
NOTSUPP lines were shown befor this fix.
David Herrmann [Mon, 7 Sep 2015 08:57:50 +0000 (10:57 +0200)]
man: clarify wording of os-release.CPE_NAME
We expect the CPE_NAME to be formatted in URI binding syntax. Make that
clear in the documentation. Furthermore, the CPE-spec has been taken over
by NIST, so adjust the links as well.
Martin Pitt [Mon, 7 Sep 2015 06:09:13 +0000 (08:09 +0200)]
tests: Skip test-cgroup-util test_mask_supported() when not running under systemd
Commit 5f4c5fef6 introduced this new test case, but this does not work in
build chroots where cgroupfs is not mounted. So skip the test if systemd is not
running.
sd-event: make sure to create a signal queue for the right signal
We should never access the "signal" part of the event source unless the
event source is actually for a signal. In this case it's a child pid
handler however, hence make sure to use the right signal.
gpt-auto: try to handle LUKS root partitions better
If the root file system is located on an encrypted root disk, we'll not
find the GPT partition table for it. Let's fix that by following the
slaves/ symlinks in /sys for the device. We only handle devices having
exactly one backing device.
Michael Biebl [Sun, 6 Sep 2015 17:05:35 +0000 (19:05 +0200)]
build-sys: remove sphinx binary from configure summary
We no longer use sphinx as part of the build process so remove it from
the configure summary as well.
This is a leftover from commit 2799e519cabb6dfa99341b9a56ebd4dc2a4ec22a.
nspawn: add new .nspawn files for container settings
.nspawn fiels are simple settings files that may accompany container
images and directories and contain settings otherwise passed on the
nspawn command line. This provides an efficient way to attach execution
data directly to containers.
This funciton is exposed via CanStart on the bus, and should be as
accurate as possible. Hence: make sure to return false for units of unit
types not supported on the system, and for unit types where
configuration failed to load.
This is grossly incorrect. The spec says that we're allowed to return
non-directed children, however, it does not allow us to return data
recursively in multiple parents. If we return "org", then we must not
return anything else that starts with "org/".
It is unclear, whether we can include child-nodes as a tree. Moreover, it
is usually not what the caller wants. Hence, this patch changes sd-bus to
never return introspection data recursively. Instead, only a single
child-layer is returned.
This patch relies on enumerators to never return hierarchies. If someone
registers an enumerator via sd_bus_add_enumerator, they better register
sub-enumerators if they support *TRUE* hierarchies. Each enumerator is
treated as a single layer and not filtered.
Enumerators are still allowed to return nested data. However, that data
is still required to be a single hierarchy. For instance, returning
"/org/foo" and "/com/bar" is fine, but including "/com" or "/org" in that
dataset is not.
This should be the default for enumerators and I see no reason to filter
in sd-bus. Moreover, filtering that data-set would require to sort the
strv by path and then do prefix-filtering. This is O(n log n), which
would be fine, but still better to avoid.
David Herrmann [Sat, 5 Sep 2015 11:03:59 +0000 (13:03 +0200)]
CODING_STYLE: mandate alphabetical include order
systemd-internal headers must not rely on include order. That means, they
either must contain forward-declarations of used types/functions, or they
must include all dependencies on their own. Therefore, there is no reason
to mandate an include order on the call-side.
However, global includes should always be ordered first. We don't want
local definitions to leak into global includes, possible changing their
behavior. Apparently, namespacing is a complex problem that people are
incapable of implementing properly..
Apart from "global before local", there is no reason to mandate a random
include order (which we happen to do right now). Instead, mandate
alphabetical ordering. The current rules do not have any benefit at all.
They neither reduce include-complexity, nor allow easy auditing of
include files. But with alphabetical ordering, we get duplicate-detection
for free, it gets *much much* easier to figure out whether a header is
already included, and it is trivial to add new headers.
David Herrmann [Sat, 5 Sep 2015 15:54:30 +0000 (17:54 +0200)]
sd-bus: derive uid from cgroup if possible
Whenever we run in a user context, sd_bus_{default_user,open_user}() and
friends should always connect to the user-bus of the current context,
instead of deriving the uid from getuid(). This allows us running
programs via sudo/su, without the nasty side-effect of accidentally
connecting to the root user-bus.
This patch enforces the idea of making su/sudo *not* opening sessions by
default. That is, all they do is raising privileges, but keeping
everything set as before. You can still use su/sudo to open real sessions
by requesting a login-session (or loading pam_systemd otherwise).
However, in this case XDG_RUNTIME_DIR= will not be set (as usual in these
cases), hence, you will not be able to connect to *any* user-bus.
Long story short: With this patch applied, both:
- ./busctl --user
- sudo ./busctl --user
..will successfully connect to the user-bus of the local user.
Michael Chapman [Sat, 5 Sep 2015 14:07:17 +0000 (00:07 +1000)]
core: pass details to polkit for some unit actions
The following details are passed:
- unit: the primary name of the unit upon which the action was
invoked (i.e. after resolving any aliases);
- verb: one of 'start', 'stop', 'reload', 'restart', 'try-restart',
'reload-or-restart', 'reload-or-try-restart', 'kill',
'reset-failed', or 'set-property', corresponding to the
systemctl verb used to invoke the action.
Typical use of these details in a polkit policy rule might be:
// Allow alice to manage example.service;
// fall back to implicit authorization otherwise.
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.systemd1.manage-units" &&
action.lookup("unit") == "example.service" &&
subject.user == "alice") {
return polkit.Result.YES;
}
});
We also supply a custom polkit message that includes the unit's name and
the requested operation.
Michael Chapman [Sat, 5 Sep 2015 14:07:16 +0000 (00:07 +1000)]
bus-util: support details in CheckAuthorization calls
Extra details for an action can be supplied when calling polkit's
CheckAuthorization method. Details are a list of key/value string pairs.
Custom policy can use these details when making authorization decisions.
This adds a new sd_pid_get_cgroup() call to sd-login which may be used
to query the control path of a process. This is useful for programs when
making use of delegation units, in order to figure out which subtree has
been delegated.
In light of the unified control group hierarchy this is finally safe to
do, hence let's add a proper API for it, to make it easier to use this.
Martin Pitt [Fri, 4 Sep 2015 14:34:21 +0000 (16:34 +0200)]
tests: Skip tests which need to access /sys/fs/cgroup if that is not available
Commit efdb023 ("core: unified cgroup hierarchy support") introduced a new
error ENOEXEC in cg_unified() if /sys/fs/cgroup/ is not available. Adjust the
"skip" checks in various tests accordingly.
Add a corresponding "skip" check to test-bus-creds as well, as
sd_bus_creds_new_from_pid() now calls cg_unified() as well.
This re-fixes "make check" in build chroots without /sys/fs/cgroup.
Hans de Goede [Fri, 4 Sep 2015 13:20:15 +0000 (15:20 +0200)]
hwdb: Add Thinkpad T550 / W550s to 70-pointingstick.hwdb
Like many other recent thinkpads the factory default pointingstick
sensitivity on these devices is quite low, making the pointingstick
very slow in moving the cursor.
This extends the existing hwdb rules for tweaking the sensitivity to
also apply to the T550 / W550s models.
David Herrmann [Fri, 4 Sep 2015 09:13:32 +0000 (11:13 +0200)]
bus-proxy: increase NOFILE limit
The bus-proxy manages the kdbus connections of all users on the system
(regarding the system bus), hence, it needs an elevated NOFILE.
Otherwise, a single user can trigger ENFILE by opening NOFILE connections
to the bus-proxy.
Note that the bus-proxy still does per-user accounting, indirectly via
the proxy/fake API of kdbus. Hence, the effective per-user limit is not
raised by this. However, we now prevent one user from consuming the whole
FD limit of the shared proxy.
Also note that there is no *perfect* way to set this. The proxy is a
shared object, so it needs a larger NOFILE limit than the highest limit
of all users. This limit can be changed dynamically, though. Hence, we
cannot protect against it. However, a raised NOFILE limit is a privilege,
so we just treat it as such and basically allow these privileged users to
be able to consume more resources than normal users (and, maybe, cause
some limits to be exceeded by this).
Right now, kdbus hard-codes 1024 max connections per user on each bus.
However, we *must not* rely on this. This limits could be easily dropped
entirely, as the NOFILE limit is a suitable limit on its on.
cgroups: delegation to unprivileged services is safe in the unified hierarchy
Delegation to unpriviliged processes is safe in the unified hierarchy,
hence allow it. This has the benefit of permitting "systemd --user"
instances to further partition their resources between user services.
Makre sure we always return sensible errors for the various, following
the same rules, and document them in a comment in sd-login.c. Also,
update all relevant man pages accordingly.
RT signals operate in a queue, and we should be careful to never merge
two queued signals into one. Hence, makes sure we only ever dequeue a
single signal at a time and leave the remaining ones queued in the
signalfd. In order to implement correct priorities for the signals
introduce one signalfd per priority, so that we only process the highest
priority signal at a time.
nspawn: enable all controllers we can for the "payload" subcgroup we create
In the unified hierarchy delegating controller access is safe, hence
make sure to enable all controllers for the "payload" subcgroup if we
create it, so that the container will have all controllers enabled the
nspawn service itself has.
cgroup-util: make cg_pid_get_path() return -ENODATA when controller can't be found
If the controller managed by systemd cannot found in /proc/$PID/cgroup,
return ENODATA, the usual error for cases where the data being looked
for does not exist, even if the process does.
cgroup: make sure cg_is_empty_recursive() returns 1 for non-existing cgroups
Previously, on the legacy hierarchy a non-existing cgroup was considered
identical to an empty one, but the unified hierarchy the check for a
non-existing one returned ENOENT.
Let's move the actual cgroup part of it into a new separate function
manager_get_unit_by_pid_cgroup(), and then make
manager_get_unit_by_pid() just a wrapper that also checks the two pid
hashmaps.
Then, let's make sure the various calls that want to deliver events to
the owners of a PID check both hashmaps and the cgroup and deliver the
event to *each* of them. OTOH make sure bus calls like GetUnitByPID()
continue to check the PID hashmaps first and the cgroup only as
fallback.
This simply factors out the uid validation checks from parse_uid() and
uses them everywhere. This simply verifies that the passed UID is
neither 64bit -1 nor 32bit -1.
macro: introduce new PID_TO_PTR macros and make use of them
This adds a new PID_TO_PTR() macro, plus PTR_TO_PID() and makes use of
it wherever we maintain processes in a hash table. Previously we
sometimes used LONG_TO_PTR() and other times ULONG_TO_PTR() for that,
hence let's make this more explicit and clean up things.
David Herrmann [Thu, 3 Sep 2015 13:18:06 +0000 (15:18 +0200)]
udev: ignore ENOEXEC from cgroup lookup
The recent cgroup-rework changed the error code for un-mounted cgroupfs to
ENOEXEC. Make sure udev ignores it just like ENOENT and does not spill
warnings on the screen.