Martin Pitt [Fri, 3 Jun 2016 09:15:44 +0000 (11:15 +0200)]
resolved: fix comments in resolve.conf for search domain overflows (#3422)
Write comments about "too many search domains" and "Total length of all search
domains is too long" just once. Also put it on a separate line, as
resolv.conf(5) only specifies comments in a line by themselves.
This is ugly to do if write_resolv_conf_search() gets called once for every
search domain. So change it to receive the complete OrderedSet instead and do
the iteration by itself.
Matthieu Codron [Fri, 3 Jun 2016 07:41:14 +0000 (09:41 +0200)]
hwdb: Add Thinkpad X1 carbon 4th gen to 70-pointingstick.hwdb (#3426)
Like many other recent thinkpads the factory default pointingstick
sensitivity on these devices is quite low, making the pointingstick
very slow in moving the cursor.
This extends the existing hwdb rules for tweaking the sensitivity to
also apply to the X1 carbon 4thgen model.
Franck Bui [Wed, 1 Jun 2016 09:52:35 +0000 (11:52 +0200)]
units: wait for plymouth to shut down in rescue.sevice (#3367)
In the same vein as commit ac59f0c12c117b9bb5b7e17f33987b0107791239 which added
the --wait option to the emergency service, this patch makes sure that plymouth
has exited before entering into the rescue mode.
Susant Sahani [Tue, 31 May 2016 16:20:25 +0000 (21:50 +0530)]
systemctl: systemctl show --property' needs verification of property (#3364)
systemctl --property doesn't validate if a requested property is valid or not,
and always returns with an exit code of 0, regardless of whether the requested
property exists or not.
How reproducible:
This works fine:
Id=multi-user.target
But put in a non-existing property:
Id=default.targets.service
Id=default.targets.service
0
[root@shou18lkvm8 ~]# systemctl show --property Id this.is.rubbish; echo $?
Id=this.is.rubbish.service
0
After:
sus@maximus bz-95593]$ ./systemctl show --property Id this.is.rubbish; echo $?
Can't display property this.is.rubbish. Unit this.is.rubbish.service does not
exist.
4
Susant Sahani [Mon, 30 May 2016 14:53:15 +0000 (20:23 +0530)]
systemctl: return diffrent error code if service exist or not (#3385)
Before:
[sus@maximus bz-1256858]$ systemctl status rsyslog.service;echo $?
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor
preset: enabled)
Drop-In: /etc/systemd/system/rsyslog.service.d
└─50-CPUShares.conf
Active: inactive (dead) since Mon 2016-05-30 11:54:25 IST; 2h 26min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Process: 1159 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS (code=exited,
status=0/SUCCESS)
Main PID: 1159 (code=exited, status=0/SUCCESS)
May 30 11:07:50 maximus systemd[1]: Starting System Logging Service...
May 30 11:07:50 maximus systemd[1]: Started System Logging Service.
May 30 11:54:25 maximus systemd[1]: Stopping System Logging Service...
May 30 11:54:25 maximus systemd[1]: Stopped System Logging Service.
3
[sus@maximus bz-1256858]$ systemctl status hello.service;echo $?
● hello.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)
3
After:
$ ./systemctl status hello.service;echo $?
Failed to dump process list, ignoring: Access denied
● hello.service
Loaded: not-found (Reason: No such file or directory)
Active: inactive (dead)
4
[sus@maximus bz-1256858]$ ./systemctl status rsyslog.service;echo $?
Failed to dump process list, ignoring: Access denied
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; vendor
preset: enabled)
Drop-In: /etc/systemd/system/rsyslog.service.d
└─50-CPUShares.conf
Active: inactive (dead) since Mon 2016-05-30 11:54:25 IST; 2h 24min ago
Docs: man:rsyslogd(8)
http://www.rsyslog.com/doc/
Process: 1159 ExecStart=/usr/sbin/rsyslogd -n $SYSLOGD_OPTIONS (code=exited,
status=0/SUCCESS)
Main PID: 1159 (code=exited, status=0/SUCCESS)
May 30 11:07:50 maximus systemd[1]: Starting System Logging Service...
May 30 11:07:50 maximus systemd[1]: Started System Logging Service.
May 30 11:54:25 maximus systemd[1]: Stopping System Logging Service...
May 30 11:54:25 maximus systemd[1]: Stopped System Logging Service.
3
Definitions of ReadWriteDirectories=, ReadOnlyDirectories=, InaccessibleDirectories=,
WorkingDirectory=, and RootDirecory= were not clear. This patch specifies when
they are relative to the host's root directory and when they are relative to the service's
root directory.
Michael Karcher [Mon, 30 May 2016 00:03:51 +0000 (02:03 +0200)]
util-lib: Add sparc64 support for process creation (#3348)
The current raw_clone function takes two arguments, the cloning flags and
a pointer to the stack for the cloned child. The raw cloning without
passing a "thread main" function does not make sense if a new stack is
specified, as it returns in both the parent and the child, which will fail
in the child as the stack is virgin. All uses of raw_clone indeed pass NULL
for the stack pointer which indicates that both processes should share the
stack address (so you better don't pass CLONE_VM).
This commit refactors the code to not require the caller to pass the stack
address, as NULL is the only sensible option. It also adds the magic code
needed to make raw_clone work on sparc64, which does not return 0 in %o0
for the child, but indicates the child process by setting %o1 to non-zero.
This refactoring is not plain aesthetic, because non-NULL stack addresses
need to get mangled before being passed to the clone syscall (you have to
apply STACK_BIAS), whereas NULL must not be mangled. Implementing the
conditional mangling of the stack address would needlessly complicate the
code.
raw_clone is moved to a separete header, because the burden of including
the assert machinery and sched.h shouldn't be applied to every user of
missing_syscalls.h
unit_write_drop_in{,_private}{,_format} are all affected.
We already append a header to the file (and section markers), so those functions
can only be used to write a whole file at once. Including the newline at
the end feels natural.
After this commit newlines will be duplicated. They will be removed in
subsequent commit.
Also, rewrap the "autogenerated" header to fit within 80 columns.
Michael Biebl [Sat, 28 May 2016 09:03:03 +0000 (11:03 +0200)]
login: Fix policy for org.freedesktop.login1.set-self-linger (#3365) (#3373)
We need to explicitly define authorizations for allow_inactive and
allow_active. Otherwise one is getting "Access denied" when run from a
local console:
$ loginctl enable-linger
Could not enable linger: Access denied
Tejun Heo [Fri, 27 May 2016 16:10:18 +0000 (09:10 -0700)]
core: add cgroup memory controller support on the unified hierarchy (#3315)
On the unified hierarchy, memory controller implements three control knobs -
low, high and max which enables more useable and versatile control over memory
usage. This patch implements support for the three control knobs.
* MemoryLow, MemoryHigh and MemoryMax are added for memory.low, memory.high and
memory.max, respectively.
* As all absolute limits on the unified hierarchy use "max" for no limit, make
memory limit parse functions accept "max" in addition to "infinity" and
document "max" for the new knobs.
* Implement compatibility translation between MemoryMax and MemoryLimit.
v2:
- Fixed missing else's in config_parse_memory_limit().
- Fixed missing newline when writing out drop-ins.
- Coding style updates to use "val > 0" instead of "val".
- Minor updates to documentation.
Djalal Harouni [Thu, 26 May 2016 20:42:29 +0000 (22:42 +0200)]
nspawn: split out seccomp call into nspawn-seccomp.[ch]
Split seccomp into nspawn-seccomp.[ch]. Currently there are no changes,
but this will make it easy in the future to share or use the seccomp logic
from systemd core.
Djalal Harouni [Thu, 26 May 2016 10:59:49 +0000 (12:59 +0200)]
nspawn: rename is_procfs_sysfs_or_suchlike() to is_fs_fully_userns_compatible()
Rename is_procfs_sysfs_or_suchlike() to is_fs_fully_userns_compatible()
to give it the real meaning. This may prevent future modifications that
may introduce bugs.
Christian Hesse [Thu, 26 May 2016 13:57:37 +0000 (15:57 +0200)]
{machine,system}ctl: always pass &changes and &n_changes (#3350)
We have to pass addresses of changes and n_changes to
bus_deserialize_and_dump_unit_file_changes(). Otherwise we are hit by
missing information (subsequent calls to unit_file_changes_add() to
not add anything).
Also prevent null pointer dereference in
bus_deserialize_and_dump_unit_file_changes() by asserting.
Let's make the seed actually work as stable seed, and use siphash24 to generate
the series of addresses, instead of the opaque libc random_r().
This not only makes the seed truly work as stable, portable seed, but also
makes the code quite a bit shorter, and removes a couple of memory allocations.
We try to stick to usec_t for encoding time information, do that here too. In
particular, get rid of "int" second specifications, since signed timespans are
a weird thing.
These objects are only useful when multiple threads are involved, as they
operate with atomic operations. Given that our libraries are explicitly not
thread-safe don't make use of RefCnt here, and make things a bit simpler.
assert_return() should only be used to validate user-facing parameters and
state, assert() should be used for checking our own internal state and
parameters.
sd-network: rename "index" field of the various clients to "ifindex"
A field "index" is not particularly precise and also might conflict with libc's
index() function definition. Also, pretty much everywhere else we call this
concept "ifindex", including in networkd, the primary user of these libraries.
Hence, let's fix this up and call this "ifindex" everywhere here too.
Tom Yan [Wed, 25 May 2016 12:40:48 +0000 (20:40 +0800)]
networkd: Disable IPv6 when DHCPv6 is only enabled
DHCPv6 requires an IPv6 link-local address to work. The client will not be started (even when enabled explicitly with `DHCP=`) if none is configured (either by autoconfiguration or manually). Therefore, disable IPv6 in such case.
Tom Yan [Wed, 25 May 2016 12:04:01 +0000 (20:04 +0800)]
networkd: set IFLA_INET6_ADDR_GEN_MODE as per stable_secret
Although networkd has option (LinkLocalAddressing=) to toggle IPv6LL autoconfiguration, when it is enabled, the address is autoconfigured by the kernel, but not networkd.
Therefore, we do not statically set IFLA_INET6_ADDR_GEN_MODE to IN6_ADDR_GEN_MODE_EUI64, but dynamically depending on whether stable_secret is set, just as what the kernel does by default.
Note that this does NOT affect the global addresses configured by networkd.
Werner Fink [Wed, 18 Nov 2015 11:28:30 +0000 (12:28 +0100)]
ask-password: ask for passphrases not only on the first console of /dev/console
but also on all other consoles. This does help on e.g. mainframes
where often a serial console together with other consoles are
used. Even rack based servers attachted to both a serial console
as well as having a virtual console do sometimes miss a connected
monitor.
To be able to ask on all terminal devices of /dev/console the devices
are collected. If more than one device are found, then on each of the
terminals a inquiring task for passphrase is forked and do not return
to the caller.
Every task has its own session and its own controlling terminal.
If one of the tasks does handle a password, the remaining tasks
will be terminated.
Also let contradictory options on the command of
systemd-tty-ask-password-agent fail.
Spwan for each device of the system console /dev/console a own process.
Replace the system call wait() with with system call waitid().
Use SIGTERM instead of SIGHUP to get unresponsive childs down.
Port the collect_consoles() function forward to a pulbic and strv
based function "get_kernel_consoles()" in terminal-util.c and use this
in tty-ask-password-agent.c.
In [1] Michel Dänzer and Daniel Vetter wrote:
>> The scenario you describe isn't possible if the Wayland compositor
>> directly uses the KMS API of /dev/dri/card*, but it may be possible if
>> the Wayland compositor uses the fbdev API of /dev/fb* instead (e.g. if
>> weston uses its fbdev backend).
>
> Yeah, if both weston and your screen grabber uses native fbdev API you can
> now screenshot your desktop. And since fbdev has no concept of "current
> owner of the display hw" like the drm master, I think this is not fixable.
> At least not just in userspace. Also even with native KMS compositors
> fbdev still doesn't have the concept of ownership, which is why it doesn't
> bother clearing it's buffer before KMS takes over. I agree that this
> should be reverted or at least hidden better.
TBH, I think that privilege separation between processes running under the same
UID is tenuous. Even with drm, in common setups any user process can ptrace the
"current owner of the display" and call DROP_MASTER or do whatever. It *is*
possible to prevent that, e.g. by disabling ptrace using yama.ptrace_scope, or
selinux, and so on, but afaik this is not commonly done. E.g. all Fedora
systems pull in elfutils-default-yama-scope.rpm through dependencies which sets
yama.ptrace_scope=0. And even assuming that ptrace was disabled, it is trivial
to modify files on disk, communicate through dbus, etc; there is just to many
ways for a non-sandboxed process to interact maliciously with the display shell
to close them all off. To achieve real protection, some sort of sandboxing
must be implemented, and in that case there is no need to rely on access mode
on the device files, since much more stringent measures have to be implemented
anyway.
The situation is similar for framebuffer devices. It is common to add
framebuffer users to video group to allow them unlimited access to /dev/fb*.
Using uaccess would be better solution in that case. Also, since there is no
"current owner" limitation like in DRM, processes running under the same UID
should be able to access /proc/<pid-of-display-server>/fd/* and gain access to
the devices. Nevertheless, weston implements a suid wrapper to access the
devices and then drop privileges, and this patch would make this daemon
pointless. So if the weston developers feel that this change reduces security,
I prefer to revert it.
Tom Gundersen [Mon, 23 May 2016 23:34:29 +0000 (01:34 +0200)]
sd-device: udev-db - handle properties with empty value (#3330)
The statemachine was unable to parse properties with empty values,
reported in [0].
When reaching the start of the KEY, we would unconditionally read
one more character before starting to look for the end-of-line.
Simply look for the end-of-line from the first character.
Tejun Heo [Mon, 23 May 2016 20:48:46 +0000 (16:48 -0400)]
core: fix missing newlines when writing out drop-ins for cgroup settings
Except for per-device BlockIO, IO and DeviceAllow/Deny settings, all were
missing newline causing the next drop-in to be concatenated at the end of the
line. Fix it.
Susant Sahani [Mon, 23 May 2016 09:13:57 +0000 (14:43 +0530)]
networkd: networkd: ndisc set SO_BINDTODEVICE on socket (#3294)
From the issue #2004 we are receiving packet even if this
packet is not intended for this interface.
This can be reproduced.
lp3s0: Updating address: 2001:db8:1:0:7e7a:91ff:fe6d:ffe2/64 (valid for 1d)
wlp3s0: Updating address: fe80::7e7a:91ff:fe6d:ffe2/64 (valid forever)
NDisc CLIENT: Received RA from non-link-local address ::. Ignoring.
NDisc CLIENT: Received RA on wrong interface: 2 != 6. Ignoring.
NDisc CLIENT: Received RA on wrong interface: 2 != 3. Ignoring.
enp0s25: Updating address: 2001:db8:1:0:2ad2:44ff:fe6a:ae07/64 (valid for 1d)
enp0s25: Updating address: fe80::2ad2:44ff:fe6a:ae07/64 (valid forever)
NDisc CLIENT: Sent Router Solicitation
NDisc CLIENT: Sent Router Solicitation
NDisc CLIENT: Sent Router Solicitation
NDisc CLIENT: Received RA on wrong interface: 3 != 2. Ignoring.
NDisc CLIENT: Received RA on wrong interface: 3 != 6. Ignoring.
NDisc CLIENT: Received RA from non-link-local address ::. Ignoring.
NDisc CLIENT: Received RA on wrong interface: 2 != 6. Ignoring.
NDisc CLIENT: Received RA on wrong interface: 2 != 3. Ignoring.
enp0s25: Updating address: 2001:db8:1:0:2ad2:44ff:fe6a:ae07/64 (valid for 1d)
enp0s25: Updating address: fe80::2ad2:44ff:fe6a:ae07/64 (valid forever)