Luca Boccassi [Wed, 17 Nov 2021 10:00:12 +0000 (10:00 +0000)]
core: add Condition[Memory/CPU/IO]Pressure
By default checks PSI on /proc/pressure, and causes a unit to be skipped
if the threshold is above the given configuration for the avg300
measurement.
Also allow to pass a custom timespan, and a particular slice unit to
check under.
Yu Watanabe [Mon, 29 Nov 2021 10:38:24 +0000 (19:38 +0900)]
network: route: read RTA_TABLE attribute to get route table
If the table of a route is larger than 255, then the value is stored in
RTA_TABLE attribute. But the attribute is not supported by old kernels.
So, first try to read the value from RTA_TABLE attribute, then fallback
to the value in the message header.
Luca Boccassi [Mon, 22 Nov 2021 11:11:21 +0000 (11:11 +0000)]
elf-util: switch libelf/libdw to dlopen()
In order to avoid inflating the dependency list for the core
library, use dlopen when inspecting elfs, since it's only
used in two non-core executables.
Luca Boccassi [Sun, 21 Nov 2021 17:05:28 +0000 (17:05 +0000)]
coredump: analyze object with libdwelf in forked process
Parsing objects is risky as data could be malformed or malicious,
so avoid doing that from the main systemd-coredump process and
instead fork another process, and set it to avoid generating
core files itself.
Rasmus Villemoes [Tue, 30 Nov 2021 11:50:19 +0000 (12:50 +0100)]
sysusers: avoid creating spurious "nobody" group
On distros using Debian's base-passwd, the name of the group with gid 65534 is
nogroup. Currently, systemd-sysusers creates a spurious "nobody" group
systemd-sysusers[243]: Creating group nobody with gid 996
That's both confusing and redundant, as the nobody user still has primary group
65534 aka nogroup, and the nobody group simply goes completely unused.
So explicitly specify the primary group of the nobody user, and add a line
ensuring that that group exists.
This is not a problem for Debian (or Ubuntu) itself, as they add their own
version of basic.conf in their systemd build logic. But it appears on for
example Yocto/OpenEmbedded.
Michal Sekletar [Thu, 25 Nov 2021 17:28:25 +0000 (18:28 +0100)]
unit: add jobs that were skipped because of ratelimit back to run_queue
Assumption in edc027b was that job we first skipped because of active
ratelimit is still in run_queue. Hence we trigger the queue and dispatch
it in the next iteration. Actually we remove jobs from run_queue in
job_run_and_invalidate() before we call unit_start(). Hence if we want
to attempt to run the job again in the future we need to add it back
to run_queue.
Nacho Barrientos [Mon, 29 Nov 2021 13:17:55 +0000 (14:17 +0100)]
Byte order to host before using the lifetime
I've seen this in `NetworkManager-1.34.0-0.3.el8.x86_64` (latest in CentOS
Stream 8 at the time of writing this message) which does not use the latest
Systemd but probably the code base is the same (see
https://github.com/NetworkManager/NetworkManager/commit/51f93e00a23fbd09f5ad96da6290bf4ca737d46a).
Before the patch:
```
libsystemd: eth0: DHCPv6 client: T1 expires in 34y 3w 6d 45min 31s
libsystemd: eth0: DHCPv6 client: T2 expires in 54y 5month 3w 3d 23h 20min 35s
```
After the patch:
```
libsystemd: eth0: DHCPv6 client: T1 expires in 3d 7h 58min 3s
libsystemd: eth0: DHCPv6 client: T2 expires in 5d 2h 26min 50s
```
Marco Scardovi [Mon, 29 Nov 2021 08:53:56 +0000 (09:53 +0100)]
Add missing greater than/less than tab on some HP
Some HP keyboards (like https://h30434.www3.hp.com/t5/image/serverpage/image-id/203235i01AD626584587DA1?v=v2) have <> between AltGr and left arrow. This add the fix and make it working again
Luca Boccassi [Fri, 26 Nov 2021 02:13:57 +0000 (02:13 +0000)]
coredump: fix parsing metadata without access to executable
This was broken in a subtle way: we'd get an ELF ref, but not the right one,
so no metadata note would be found.
Change the parsing function to return 1 when it finds something, so that
we can return early only when that happens.
networkd: replace a table with log2 fields by a list
The code looks a bit more complicated, but the compiler generates a simpler and
more compact text.
An additional advantage is that if any of the fields were repeating or not
power-of-two, the compiler would warn about an overridden entry in the table.
The macro variants can be used in static initializers.
The same guard against calling __builtin_clz(0) is added as for
__builtin_clzll(0), since that's undefined behaviour too. Our code
wouldn't call it, but this avoids a potential pitfall with the macro.
All variants map 0→0. Otherwise we'd often have to handle 0 specially
in callers.
__builtin_clz takes unsigned as the argument, so there's no LOG2I macro.
Topi Miettinen [Fri, 26 Nov 2021 14:34:48 +0000 (16:34 +0200)]
pam_systemd: Check also abstract socket for X11
It seems that `pam_systemd` was the only thing left that wanted to use sockets
in file system path `/tmp/.X11-unix/X*`. X11 apps actually prefer using the
abstract socket version.
This allows running Xserver with `-nolisten tcp -nolisten unix`, which makes
the server only listen to an abstract socket.
Also in my setup, Xserver is running as a separate system service instead of
starting from display manager service, and now `PrivateTmp=yes` can be used for
both. The file system of the display manager service is inherited by user apps
and now their `/tmp` will be separate from `/tmp` of PID1 namespace as well as
`/tmp` of Xserver.
Jan Janssen [Fri, 26 Nov 2021 13:00:02 +0000 (14:00 +0100)]
meson: Default to sbat-distro=auto
Any recent shim will refuse starting an image that does not have an sbat section
and will do so with a generic "Security Violation" message. And it is very easy
to forget passing -Dsbat-distro=auto to meson when creating a fresh build dir.
Adding sbat info when shim is not used or secure boot is disabled does not hurt
anyone, so default to auto. This still ensures to not add auto-detected info in
case we are cross building.
Jan Janssen [Thu, 25 Nov 2021 11:05:57 +0000 (12:05 +0100)]
test: Convert to TEST/TEST_RET macros
Note that test-cgroup-mask, test-cgroup-unit-default and test-unit-name will now
report being skipped instead of reporting success if not run under systemd.
Jan Janssen [Thu, 25 Nov 2021 09:45:15 +0000 (10:45 +0100)]
test: Add sd_booted condition test to TEST macro
Note that this will only report test skips if they use TEST_RET macro.
Regular TEST macros can still be skipped, but this will not be reported
back to main();
Topi Miettinen [Sat, 27 Nov 2021 10:51:39 +0000 (12:51 +0200)]
namespace: allow ProcSubset=pid with some ProtectKernel options
In case `/proc` is successfully mounted with pid tree subset only due to
`ProcSubset=pid`, the protective mounts for `ProtectKernelTunables=yes` and
`ProtectKernelLogs=yes` to non-pid `/proc` paths are failing because the paths
don't exist. But the pid only option may have failed gracefully (for example
because of ancient kernel), so let's try the mounts but it's not fatal if they
don't succeed.
Alyssa Ross [Sat, 27 Nov 2021 12:10:38 +0000 (12:10 +0000)]
docs: fix descriptions in discoverable partitions
00db9a114e ("docs: generate table from header using a script") got the
descriptions for the partition types mixed up. After that change, the
spec claimed, for example, that the /usr partition should contain
"dm-verity integrity hash data for the matching root partition", and
that the /usr verity partition should be of type "Any native, optionally
in LUKS". This made the spec an extremely confusing read before I
figured out what must have happened!
I've gone through the table as it existed prior to 00db9a114e, and moved
the descriptions around in the script that generates the table until
they matched up with what they used to be. Then I regenerated the
table from the fixed script.
Luca Boccassi [Fri, 26 Nov 2021 15:46:40 +0000 (15:46 +0000)]
analyze: add --profile switch to security verb
Allows to pass a portable profile when doing offline analysis of
units. Especially useful for analyzing portable images, since a
lot of the security-relevant settings in those cases come from
the profiles, but they are not shipped in the portable images.