Petr Lautrbach [Thu, 10 Mar 2016 09:19:56 +0000 (10:19 +0100)]
socket_address_listen - do not rely on errno
Currently socket_address_listen() calls mac_selinux_bind() to bind a UNIX
socket and checks its return value and errno for EADDRINUSE. This is not
correct. When there's an SELinux context change made for the new socket,
bind() is not the last function called in mac_selinux_bind(). In that
case the last call is setfscreatecon() from libselinux which can change
errno as it uses access() to check if /proc/thread-self is available.
It fails on kernels before 3.17 and errno is set to ENOENT.
It's safe to check only the return value at it's set to -errno.
Dan Walsh [Wed, 9 Mar 2016 14:29:25 +0000 (09:29 -0500)]
/dev/console must be labeled with SELinux label
If the user specifies an selinux_apifs_context all content created in
the container including /dev/console should use this label.
Currently when this uses the default label it gets labeled user_devpts_t,
which would require us to write a policy allowing container processes to
manage user_devpts_t. This means that an escaped process would be allowed
to attack all users terminals as well as other container terminals. Changing
the label to match the apifs_context, means the processes would only be allowed
to manage their specific tty.
This change fixes a problem preventing RKT containers from working with systemd-nspawn.
networkctl: avoid reading past end of input buffer
name is IFNAMSIZ bytes, but we would copy sizeof(info->name) bytes,
which is IFNAMSIZ + 1. In effect we would go outside of the source
buffer and possibly leave a non-null terminated string in info->name.
Rename test-boot-timestamp to test-boot-timestamps and enable by default
The source file name and the binary name were mismatched.
Rename binary to match.
Make the test exit with TEST_SKIP if the data is missing or we
have no permissions. Otherwise, the data will be printed, which
should be safe to enable by default.
Franck Bui [Tue, 1 Dec 2015 17:01:44 +0000 (18:01 +0100)]
fstab-generator: fix automount option and don't start associated mount unit at boot
Without this patch applied the mount unit with 'automount' option was still
pulled by local-fs.target and thus was activated during the boot process which
defeats the purpose of the 'automount' option:
$ mount | grep mnt
systemd-1 on /mnt type autofs (rw,relatime,fd=34,pgrp=1,timeout=0,minproto=5,maxproto=5,direct)
/dev/vdb1 on /mnt type ext2 (rw,relatime)
$ systemctl status mnt.mount | grep Active
Active: active (mounted) since Thu 2016-03-03 21:36:22 CET; 42s ago
With the patch applied:
$ reboot
...
$ mount | grep mnt
systemd-1 on /mnt type autofs (rw,relatime,fd=22,pgrp=1,timeout=0,minproto=5,maxproto=5,direct)
$ systemctl status mnt.mount | grep Active
Active: inactive (dead)
$ ls /mnt
lost+found
$ systemctl status mnt.mount | grep Active
Active: active (mounted) since Thu 2016-03-03 21:47:32 CET; 4s ago
Joel Holdsworth [Thu, 3 Mar 2016 20:40:01 +0000 (20:40 +0000)]
core/failure-action: Set job-modes to replace-irreversibly
Up until now, the failure action has launched reboot.target and
poweroff.target with a less aggressive job mode than
"systemctl reboot" does. This has meant that the reboot and power-
off operations can stall if there are any conflicts with the target
during rebooting.
src/udev/udevadm-monitor.c: In function ‘print_device’:
src/udev/udevadm-monitor.c:44:16: warning: format ‘%u’ expects argument of type ‘unsigned int’, but argument 3 has type ‘__time_t {aka long int}’ [-Wformat=]
printf("%-6s[%"PRI_TIME".%06ld] %-8s %s (%s)\n",
^
Christian Hesse [Mon, 29 Feb 2016 20:04:02 +0000 (21:04 +0100)]
ask-password: add option --no-output to not print password to stdout
systemd-ask-password can store passwords in kernel keyring. However it
uses to print the passwords to standard output nevertheless. Depending
on where systemd-ask-password is called passwords may end on display
or in log, leaking sensitive information.
This allows to make systemd-ask-password quiet, effectively disabling
printing passwords to standard output.
Elias Probst [Fri, 26 Feb 2016 19:35:09 +0000 (20:35 +0100)]
Don't escape the name of the container in instances of
When using `%I` for instances of `systemd-nspawn@.service`, the result
will be `systemd-nspawn` trying to launch a container named e.g.
`fedora/23` instead of `fedora-23`.
Using `%i` instead prevents escaping `-` in a container name and uses
the unmodified container name from the machine store.
Martin Pitt [Fri, 26 Feb 2016 14:54:05 +0000 (15:54 +0100)]
timedated: be more tolerant in parsing /etc/adjtime
Similarly to the previous commit, make context_write_data_local_rtc()
understand /etc/adjtime files with just one or two lines, with or without a
final newline.
Normalize the file to the current definition in hwclock(8), in the spirit of
"be liberal what you accept and strict what you produce": Add line terminators,
and set the second line to "0" if missing.
Martin Pitt [Fri, 26 Feb 2016 11:33:41 +0000 (12:33 +0100)]
clock-util: be more tolerant in parsing /etc/adjtime
As we default to "hardware clock is in UTC" if /etc/adjtime is not present, it
also makes sense to have that default if /etc/adjtime contains only one or two
lines.
Drop the "gibberish" test case, as this was just EIO because of not containing
three lines, which is already contained in other tests. clock_is_localtime()
never actually validated the format of the first two lines, and there is little
point in doing that.