hostnamed: minimize caching of /etc/hostname, /etc/os-release and /etc/machine-info
Instead of reading these files at startup and never again, let's read
them when we need them. As an optimization (in particular as some of
these files contain the data for many fields at once) let's cache the
results as long as the stat data (i.e. mtime) remains stable.
Also, while we are at it, if we can't read any of these props, let's not
fail everything, but continue without the data.
Luca Boccassi [Tue, 2 Jun 2020 14:35:58 +0000 (15:35 +0100)]
dissect/nspawn: add support for dm-verity root hash signature
Since cryptsetup 2.3.0 a new API to verify dm-verity volumes by a
pkcs7 signature, with the public key in the kernel keyring,
is available. Use it if libcryptsetup supports it.
Luca Boccassi [Thu, 4 Jun 2020 16:41:28 +0000 (17:41 +0100)]
veritysetup: add support for dm-verity root hash signature
Since cryptsetup 2.3.0 a new API to verify dm-verity volumes by a
pkcs7 signature, with the public key in the kernel keyring,
is available. Use it if libcryptsetup supports it in the
veritysetup helper binary.
This gets rid of most but not occasions of these loaded terms:
1. scsi_id and friends are something that is supposed to be removed from
our tree (see #7594)
2. The test suite defines an API used by the ubuntu CI. We can remove
this too later, but this needs to be done in sync with the ubuntu CI.
3. In some cases the terms are part of APIs we call or where we expose
concepts the kernel names the way it names them. (In particular all
remaining uses of the word "slave" in our codebase are like this,
it's used by the POSIX PTY layer, by the network subsystem, the mount
API and the block device subsystem). Getting rid of the term in these
contexts would mean doing some major fixes of the kernel ABI first.
Regarding the replacements: when whitelist/blacklist is used as noun we
replace with with allow list/deny list, and when used as verb with
allow-list/deny-list.
message is only valid until message_len, and we need to make sure we're not
reading pass that. Bug introduced in 2108b56749ebb8d17f06d08b6ada2f79ae4f0.
Michal Koutný [Wed, 24 Jun 2020 18:40:02 +0000 (20:40 +0200)]
cgroup: Parse infinity properly for memory protections
This fixes commit db2b8d2e2895010f3443a589c9c1f1dfb25256a6 that
rectified parsing empty values but broke parsing explicit infinity.
Intended parsing semantics will be captured in a testcase in a follow up
commit.
It's just a follow-up to https://github.com/systemd/systemd/pull/16266.
Currently the Coverity stage is failing with
```
Starting container systemd-fedora-latest 2db425228e1addbce607c7e47e492a0faef2c2c4e85701c6c239a50de95944eb
Error: No such container: bash
The command "$CI_MANAGERS/fedora.sh SETUP" failed and exited with 1 during .
Your build has been stopped.
```
Looks like DOCKER_EXEC got lost somewhere along the way, which, in
turn, caused the "coverity" job to fail with
```
$ $DOCKER_EXEC meson cov-build -Dman=false
Command 'meson' not found, but can be installed with:
apt install meson
Please ask your administrator.
```
log: introduce log_parse_environment_cli() and log_setup_cli()
Presently, CLI utilities such as systemctl will check whether they have a tty
attached or not to decide whether to parse /proc/cmdline or EFI variable
SystemdOptions looking for systemd.log_* entries.
But this check will be misleading if these tools are being launched by a
daemon, such as a monitoring daemon or automation service that runs in
background.
Make log handling of CLI tools uniform by never checking /proc/cmdline or EFI
variables to determine the logging level.
Furthermore, introduce a new log_setup_cli() shortcut to set up common options
used by most command-line utilities.
basic/hashmap,set: propagate allocation location info in _copy()
Also use double space before the tracking args at the end. Without
the comma this looks ugly, but it's a bit better with the double space.
At least it doesn't look like a variable with a type.
networkd: take ref immediately after storing item in set
I'm not sure if I understand the code correctly, but it seems that if
storig in the second set failed, we'd return with the first set having
no reference on the link object, and the link object could be freed in the
future, leaving the set with a dangling reference.
core/bpf-firewall: use the correct cleanup function
On error, we'd just free the object, and not close the fd.
While at it, let's use set_ensure_consume() to make sure we don't leak
the object if it was already in the set. I'm not sure if that condition
can be achieved.
This combines set_ensure_allocated() with set_consume(). The cool thing is that
because we know the hash ops, we can correctly free the item if appropriate.
Similarly to set_consume(), the goal is to simplify handling of the case where
the item needs to be freed on error and if already present in the set.
Luca Boccassi [Tue, 23 Jun 2020 10:45:50 +0000 (11:45 +0100)]
make-autosuspend-rules: restore compatibility with Python3 < 3.6
The f'...' format was introduced in Python 3.6 ( https://www.python.org/dev/peps/pep-0498/ )
and returns an error when systemd is built on a system with an older Python3 version:
<...>
File /home/bluca/git/systemd/tools/make-autosuspend-rules.py, line 15
print(f'pci:v{vendor:08X}d{device:08X}*')
^
SyntaxError: invalid syntax
[2/388] Generating version.h with a custom command.
ninja: build stopped: subcommand failed.
$ python3 --version
Python 3.5.6
Use an older format to keep backward compatibility.
Previously we'd used the existance of a specific AF_UNIX socket in the
abstract namespace as lock for disabling lookup recursions. (for
breaking out of the loop: userdb synthesized from nss → nss synthesized
from userdb → userdb synthesized from nss → …)
I did it like that because it promised to work the same both in static
and in dynmically linked environments and is accessible easily from any
programming language.
However, it has a weakness regarding reuse attacks: the socket is
securely hashed (siphash) from the thread ID in combination with the
AT_RANDOM secret. Thus it should not be guessable from an attacker in
advance. That's only true if a thread takes the lock only once and
keeps it forever. However, if a thread takes and releases it multiple
times an attacker might monitor that and quickly take the lock
after the first iteration for follow-up iterations.
It's not a big issue given that userdb (as the primary user for this)
never released the lock and we never made the concept a public
interface, and it was only included in one release so far, but it's
something that deserves fixing. (moreover it's a local DoS only, only
permitting to disable native userdb lookups)
With this rework the libnss_systemd.so.2 module will now export two
additional symbols. These symbols are not used by glibc, but can be used
by arbitrary programs: one can be used to disable nss-systemd, the other
to check if it is currently disabled.
The lock is per-thread. It's slightly less pretty, since it requires
people to manually link against C code via dlopen()/dlsym(), but it
should work safely without the aforementioned weakness.
This just adds a _cleanup_ helper call encapsulating dlclose().
This also means libsystemd-shared is linked against libdl now. I don't
think this is much of an issue, since libdl is part of glibc anyway, and
anything from exotic. It's not an optional part of the OS (think: NSS
requires dynamic linking), hence this pulls in no deps and is almost
certainly loaded into all process' memory anyway.
Revert "cgroup: Allow empty assignments of Memory{Low,Min}="
This reverts commit 53aa85af24cda4470b6750f88e181b775385e228.
The reason is that that patch changes the dbus api to be different than
the types declared by introspection api.
At least Fedora and Debian have already reverted this at the distro
level because it causes more problems than it solves. Arch is debating
reverting it as well [0] but would strongly prefer that this happens
upstream first. Fixes #15188.
Benjamin Berg [Tue, 23 Jun 2020 08:44:50 +0000 (10:44 +0200)]
xdg-autostart: Ignore all files with GNOME autostart phase
If an autostart file for GNOME has a phase specified, then this implies
it is a session service that needs to be started at a specific time.
We have no way of handling the ordering, and while it does make sense
to explicitly hide these services with X-systemd-skip, there is no point
in even trying to handle them.
nspawn: mkdir selinux mount point once, but not twice
Since #15533 we didn't create the mount point for selinuxfs anymore.
Before it we created it twice because we mount selinuxfs twice: once the
superblock, and once we remount its bind mound read-only. The second
mkdir would mean we'd chown() the host version of selinuxfs (since
there's only one selinuxfs superblock kernel-wide).
The right time to create mount point point is once: before we mount the
selinuxfs. But not a second time for the remount.
наб [Thu, 18 Jun 2020 23:55:09 +0000 (01:55 +0200)]
man/sd-makefs: link to btrfs.wiki.kernel.org for btrfs-man5, since the man-pages link is dead
This also adds a <citerefentry project="url"> type,
since the other btrfs manpages use man-pages/die-net and are alive,
and btrfs.w.k.o won't be used anywhere else
set_put()/set_ensure_put() return 0, not -EEXIST, if the entry is already
found in the set. In this case this does not make any difference, but let's
not confuse the reader.
fuzz-netdev-parser: add test case for earlier version of preceding patches
AddressSanitizer:DEADLYSIGNAL
=================================================================
==12==ERROR: AddressSanitizer: ABRT on unknown address 0x00000000000c (pc 0x7f0a518b3428 bp 0x7fffa463bfd0 sp 0x7fffa463be68 T0)
SCARINESS: 10 (signal)
#0 0x7f0a518b3428 in raise (/lib/x86_64-linux-gnu/libc.so.6+0x35428)
#1 0x7f0a518b5029 in abort (/lib/x86_64-linux-gnu/libc.so.6+0x37029)
#2 0x7f0a52ca635a in log_assert_failed_realm /work/build/../../src/systemd/src/basic/log.c:819:9
#3 0x4eea92 in config_parse_wireguard_endpoint /work/build/../../src/systemd/src/network/netdev/wireguard.c:808:9
#4 0x7f0a52b2f74e in next_assignment /work/build/../../src/systemd/src/shared/conf-parser.c:133:32
#5 0x7f0a52b2954e in parse_line /work/build/../../src/systemd/src/shared/conf-parser.c:242:16
#6 0x7f0a52b28911 in config_parse /work/build/../../src/systemd/src/shared/conf-parser.c:377:21
#7 0x7f0a52b29ec6 in config_parse_many_files /work/build/../../src/systemd/src/shared/conf-parser.c:439:21
#8 0x7f0a52b2a5a6 in config_parse_many /work/build/../../src/systemd/src/shared/conf-parser.c:507:16
#9 0x4d8d6c in netdev_load_one /work/build/../../src/systemd/src/network/netdev/netdev.c:732:13
#10 0x4d3e2b in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/network/fuzz-netdev-parser.c:23:16
#11 0x6b3266 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
#12 0x6af860 in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:470:3
#13 0x6b6970 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/libfuzzer/FuzzerLoop.cpp:770:7
#14 0x6b7376 in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/libfuzzer/FuzzerLoop.cpp:799:3
#15 0x67573f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:846:6
#16 0x667097 in main /src/libfuzzer/FuzzerMain.cpp:19:10
#17 0x7f0a5189e82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#18 0x4295a8 in _start (out/fuzz-netdev-parser+0x4295a8)
DEDUP_TOKEN: raise--abort--log_assert_failed_realm
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: ABRT (/lib/x86_64-linux-gnu/libc.so.6+0x35428) in raise
==12==ABORTING
Patch contains a coccinelle script, but it only works in some cases. Many
parts were converted by hand.
Note: I did not fix errors in return value handing. This will be done separate
to keep the patch comprehensible. No functional change is intended in this
patch.
It's such a common operation to allocate the set and put an item in it,
that it deserves a helper. set_ensure_put() has the same return values
as set_put().
tools: rewrite make-autosuspend-rules.py and add udev rules
Concatenating strings is not a very efficient approach. And in this case fully
unnecessary. We also need some rules to make use of those hwdb entries.
PCI needs to be 8 characters, not 4. And we need to use uppercase hexadecimal
for both. With udev rules this made no difference, but hwdb match is case
sensitive.
ignapk [Fri, 19 Jun 2020 06:29:59 +0000 (08:29 +0200)]
man: add note regarding editing user groups
Currently the manual doesn't clearly say whether `homectl update username -G group` will append the group to the user, or overwrite the list and remove user from the groups that aren't specified.
Fix this by updating the manual, basing the change on the usermod manual.