Dan Walsh [Wed, 9 Mar 2016 14:29:25 +0000 (09:29 -0500)]
/dev/console must be labeled with SELinux label
If the user specifies an selinux_apifs_context all content created in
the container including /dev/console should use this label.
Currently when this uses the default label it gets labeled user_devpts_t,
which would require us to write a policy allowing container processes to
manage user_devpts_t. This means that an escaped process would be allowed
to attack all users' terminals as well as other container terminals. Changing
the label to match the apifs_context means the processes would only be allowed
to manage their specific tty.
This change fixes a problem preventing RKT containers from working with systemd-nspawn.
Joel Holdsworth [Thu, 3 Mar 2016 20:40:01 +0000 (20:40 +0000)]
core/failure-action: Set job-modes to replace-irreversibly
Up until now, the failure action has launched reboot.target and
poweroff.target with a less aggressive job mode than
"systemctl reboot" does. This has meant that the reboot and power-off
operations can stall if there are any conflicts with the target
during rebooting.
src/udev/udevadm-monitor.c: In function ‘print_device’:
src/udev/udevadm-monitor.c:44:16: warning: format ‘%u’ expects argument of type ‘unsigned int’, but argument 3 has type ‘__time_t {aka long int}’ [-Wformat=]
printf("%-6s[%"PRI_TIME".%06ld] %-8s %s (%s)\n",
^
Christian Hesse [Mon, 29 Feb 2016 20:04:02 +0000 (21:04 +0100)]
ask-password: add option --no-output to not print password to stdout
systemd-ask-password can store passwords in the kernel keyring. However, it
prints the passwords to standard output nevertheless. Depending
on where systemd-ask-password is called, passwords may end up on the display
or in a log, leaking sensitive information.
This allows making systemd-ask-password quiet, effectively disabling
printing passwords to standard output.
Elias Probst [Fri, 26 Feb 2016 19:35:09 +0000 (20:35 +0100)]
Don't escape the name of the container in instances of
When using `%I` for instances of `systemd-nspawn@.service`, the result
will be `systemd-nspawn` trying to launch a container named e.g.
`fedora/23` instead of `fedora-23`.
Using `%i` instead prevents escaping `-` in a container name and uses
the unmodified container name from the machine store.
Martin Pitt [Fri, 26 Feb 2016 14:54:05 +0000 (15:54 +0100)]
timedated: be more tolerant in parsing /etc/adjtime
Similarly to the previous commit, make context_write_data_local_rtc()
understand /etc/adjtime files with just one or two lines, with or without a
final newline.
Normalize the file to the current definition in hwclock(8), in the spirit of
"be liberal in what you accept and strict in what you produce": Add line terminators,
and set the second line to "0" if missing.
Martin Pitt [Fri, 26 Feb 2016 11:33:41 +0000 (12:33 +0100)]
clock-util: be more tolerant in parsing /etc/adjtime
As we default to "hardware clock is in UTC" if /etc/adjtime is not present, it
also makes sense to have that default if /etc/adjtime contains only one or two
lines.
Drop the "gibberish" test case, as this was just EIO because of not containing
three lines, which is already contained in other tests. clock_is_localtime()
never actually validated the format of the first two lines, and there is little
point in doing that.
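As an added example (not systemd's code) of the tolerant read and the normalizing write described by these two /etc/adjtime commits: a reader that treats anything other than a third line reading "LOCAL" as "hardware clock is in UTC", and a writer that always emits three newline-terminated lines. The fallback first line "0.0 0 0" and second line "0" are constructed defaults for this example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Tolerant read: true only if a third line reads exactly "LOCAL".
 * One or two lines, no final newline, or any other value -> UTC (false). */
bool adjtime_is_localtime(const char *text) {
    const char *line = text;
    int n = 0;
    while (*line) {
        const char *nl = strchr(line, '\n');
        size_t len = nl ? (size_t)(nl - line) : strlen(line);
        if (++n == 3)
            return len == 5 && memcmp(line, "LOCAL", 5) == 0;
        if (!nl)
            break;
        line = nl + 1;
    }
    return false;
}

/* Strict write: keep the first two lines if present (constructed defaults
 * "0.0 0 0" and "0" otherwise), terminate each line, append UTC/LOCAL.
 * Returns bytes written, or -1 if 'out' is too small. */
int adjtime_normalize(const char *text, bool local, char *out, size_t outsz) {
    const char *lines[2] = { "0.0 0 0", "0" };
    size_t lens[2] = { 7, 1 };
    const char *p = text;
    for (int i = 0; i < 2 && *p; i++) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        if (len > 0) { lines[i] = p; lens[i] = len; }
        if (!nl) break;
        p = nl + 1;
    }
    int n = snprintf(out, outsz, "%.*s\n%.*s\n%s\n",
                     (int)lens[0], lines[0], (int)lens[1], lines[1],
                     local ? "LOCAL" : "UTC");
    return (n < 0 || (size_t)n >= outsz) ? -1 : n;
}

int main(void) {
    char buf[64];
    const char *two_lines = "0.0 0 0\n0";   /* constructed: no third line */
    printf("localtime? %d\n", adjtime_is_localtime(two_lines));
    if (adjtime_normalize(two_lines, false, buf, sizeof buf) > 0)
        printf("%s", buf);
    return 0;
}
```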
Martin Pitt [Fri, 26 Feb 2016 10:25:22 +0000 (11:25 +0100)]
clock-util: make clock_is_localtime() testable and add initial tests
Add path argument to clock_is_localtime() and default to "/etc/adjtime" if it's
NULL. This makes the function testable.
Add test-clock: initial test cases for some scenarios, using a temporary file.
This also checks the behaviour with a NULL (i.e. the system's /etc/adjtime)
file.
tree-wide: merge pager_open_if_enabled() to the pager_open()
Many subsystems define their own pager_open_if_enabled() function, which
checks the '--no-pager' command line argument and opens the pager depending
on its value. All implementations of pager_open_if_enabled() are
the same. Let's merge this function with pager_open() from
shared/pager.c and remove pager_open_if_enabled() from all subsystems
to prevent code duplication.
Patrik Flykt [Thu, 25 Feb 2016 13:36:40 +0000 (15:36 +0200)]
sd-dhcp-server: Send replies to BOOTP relay server port
RFC 2131 Section 4.1 says that
"If the 'giaddr' field in a DHCP message from a client is non-zero,
the server sends any return messages to the 'DHCP server' port on the
BOOTP relay agent whose address appears in 'giaddr'."
Fix this by adding a destination port when sending unicast UDP packets
and provide the server port when a BOOTP relay agent is being used.
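An added example (not sd-dhcp-server's code) of the RFC 2131 section 4.1 reply-addressing rules: it covers the relayed case this commit fixes and, going beyond the quoted sentence, the other three cases from the same section. IPv4 addresses are plain host-order uint32_t values, and the struct and function names are constructed for this example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define DHCP_PORT_SERVER 67u          /* BOOTP/DHCP server port */
#define DHCP_PORT_CLIENT 68u          /* BOOTP/DHCP client port */
#define DHCP_FLAG_BROADCAST 0x8000u   /* 'flags' field, B bit */
#define ADDR_BROADCAST 0xffffffffu

struct dhcp_dest {
    uint32_t addr;   /* host-order IPv4 */
    uint16_t port;
};

/* Where a server reply to a client message goes, per RFC 2131 s.4.1.
 * 'nak' selects the DHCPNAK rule, which broadcasts whenever giaddr is 0. */
struct dhcp_dest dhcp_reply_destination(uint32_t giaddr, uint32_t ciaddr,
                                        uint32_t yiaddr, uint16_t flags,
                                        bool nak) {
    struct dhcp_dest d;
    if (giaddr != 0) {
        /* Relayed: answer the relay agent itself, on the *server* port.
         * This is the case the commit above fixes. */
        d.addr = giaddr;
        d.port = DHCP_PORT_SERVER;
    } else if (nak) {
        d.addr = ADDR_BROADCAST;
        d.port = DHCP_PORT_CLIENT;
    } else if (ciaddr != 0) {
        /* Client already has an address (e.g. RENEWING): unicast to it. */
        d.addr = ciaddr;
        d.port = DHCP_PORT_CLIENT;
    } else if (flags & DHCP_FLAG_BROADCAST) {
        /* Client cannot yet receive unicast: broadcast OFFER/ACK. */
        d.addr = ADDR_BROADCAST;
        d.port = DHCP_PORT_CLIENT;
    } else {
        /* Unicast to the offered address, framed to chaddr by the caller. */
        d.addr = yiaddr;
        d.port = DHCP_PORT_CLIENT;
    }
    return d;
}

int main(void) {
    /* Constructed: request relayed by 10.0.0.1 (0x0a000001), offer 10.0.0.42 */
    struct dhcp_dest d = dhcp_reply_destination(0x0a000001u, 0, 0x0a00002au, 0, false);
    printf("reply -> 0x%08x:%u\n", d.addr, d.port);
    return 0;
}
```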
basic: Bugfix Detect XEN Dom0 as no virtualization
When running in XEN Dom0, the virtualization check:
1) detect_xen returns HYPERVISOR_NONE, so the next checks are executed
2) /proc/sys/hypervisor detects a XEN hypervisor
but lacks the special Dom0 detection done in detect_xen
With this patch, at the end of all virtualization checks we double-check whether we are running in XEN Dom0 or DomU.
man: change recommended order of NSS modules in /etc/nsswitch.conf
So far we recommended placing "nss-mymachines" after "nss-resolve" in the order
of preference in /etc/nsswitch.conf. This change reverses that order.
Rationale: single-label names are resolved via LLMNR by resolved, which has to
time out if no peer by that name exists. By placing "nss-mymachines" first
(which always responds immediately) we avoid running into this timeout for most
containers. Both modules should return the same data if LLMNR is used by the
container anyway.
While we are at it, improve the man pages of the three NSS modules in other
ways a bit.
Daniel Mack [Fri, 12 Feb 2016 14:03:51 +0000 (15:03 +0100)]
Remove systemd-bootchart
This commit rips out systemd-bootchart. It will be given a new home, outside
of the systemd repository. The code itself isn't actually specific to
systemd and can be used without systemd even, so let's put it somewhere
else.