journal: replace a bunch of assert() with friendlier checks
We should not rely that data stored in the journal files remains
entirely untouched at all times. Because we unallocate files, data might
go away any time. Hence, never assert() on any expectations on what the
file contains. Instead, handle it more gracefully as a corruption issue,
and return EBADMSG.
This is just paranoia: let's determine the compression to use once,
instead of twice, after all te data is in journal files which might be
corrupted any time, and it would be weird if we came to different
results here each time.
journal: use EBADMSG for invalid data in file mmap
We must assume that any data in the mmap can change anytime because the
file is deallocated or similar. Let's strictly use EBADMSG for reporting
invalid file contents though (as opposed to using EINVAL if our own code
passes a wrong parameter somwhere).
Daan De Meyer [Thu, 5 Jun 2025 10:14:45 +0000 (12:14 +0200)]
meson: Don't fail install script if file doesn't exist
Depending on which optional features are enabled, the NSS module
might not have been built, which means the custom install script
will fail to remove the file. Let's pass -f so it succeeds regardless
of whether the file exists or not.
We allow omission of the part before and the part after the @. But so
far we didn't allow omitting both. There's no real reason for
disallowing that, hence be systematic and allow it.
journalctl: politely refuse if non-root usernames are specified for --machine=
We currently cannot support that (supporting that would probably require
some active component in the machine, or alternatively idmapped mounts
or so), hence politely refuse it.
run: chop off username from --machine= argument before calling OpenMachinePTY()
Let's be compatible with sd-bus' logic to talk to machine, and support
the usual user@host syntax. We only want the host part, hence chop if
off before passing it to OpenMachinePTY().
machined: open up OpenMachinePTY() for unpriv clients
The method call already does a PK check, it was just forgotten to
allowlist this in the dbus policy. And in the dbus vtable for
OpenMachinePTY() call. (It was allowlisted in the per-machine
vtable…)
core: Make sure we handle DelegateSubgroup= in combo with cgroupns
Currently, if we use a cgroup namespace together with DelegateSubgroup=,
the subgroup becomes the root of the cgroup namespace because we move the
service process to the subgroup before we unshare the cgroup namespace, and
the current cgroup becomes the root of the cgroup namespace when we unshare
the cgroup namespace.
Let's fix the problem by not moving the service process to the subgroup until
we've unshared the cgroup namespace. Note that this doesn't break the primary use
case of CLONE_INTO_CGROUP since we still use it to immediately clone into the service
main cgroup, just not anymore into the subgroup, but this shouldn't matter in practice.
Additionally, we need special handling for control processes, as those *do*
need to get spawned into the subcgroup immediately if delegation is configured to
avoid violating the cgroupsv2 "no inner processes" rule.
Effectively, this leaves us with the following logic:
- In exec_spawn(), spawn into subgroup if we're spawning a control process
that needs to be spawned into a subgroup immediately. Otherwise, spawn into
main service cgroup.
- In exec_invoke(), move into subgroup early if we don't need a cgroup namespace.
Otherwise, move into subgroup after we've unshared the cgroup namespace.
Daan De Meyer [Thu, 5 Jun 2025 09:04:06 +0000 (11:04 +0200)]
meson: Remove unnecessary deps from libsystemd-static build
blkid, libmount and openssl are not used in src/basic or src/libsystemd,
and so shouldn't be required as deps of libsystemd static, so let's drop
them.
Mike Yuan [Sun, 1 Jun 2025 07:12:13 +0000 (09:12 +0200)]
sd-daemon: add sd_pidfd_get_inode_id()
We nowadays expose pidfdid at various places, e.g. envvars
and dbus properties. Also the sd_notify() MAINPID= message
has been complemented with MAINPIDFDID=. But acquiring
pidfdid is actually non-trivial especially considering
the 32-bit case, hence let's introduce a public helper
in sd-daemon specifically for that purpose.
Mike Yuan [Sun, 1 Jun 2025 06:55:50 +0000 (08:55 +0200)]
pidfd-util: open an internal pidfd if none is passed in pidfd_check_pidfs()
I'd like to introduce a libsystemd helper for acquiring pidfd
inode id, which however means the fd passed to pidfd_check_pidfs()
can no longer be trusted. Let's add back the logic of allocating
a genuine pidfd allocated internally, which was remove in 5dc9d5b4eacbe32f58ad6ca18d70931ab89ea409.
Currently, almost all cgroup attr getters check cgroup_path for whether
cgroup is around. This is actually great, because we never want to expose
a non-existent cgroup path via IPC and such. However, it is spuriously
initialized at places where it shouldn't be, e.g. in unit_warn_leftover_processes().
This matters especially to units that *may* carry processes to run, but
not *always*, notably socket units. unit_warn_leftover_processes() is supposed
to be informative only and not try to set cgroup tracking to realized in
a half-assed way.
Hence, let's kill cgroup_realized field, and make sure cgroup_path is set
only if cgroup has been created. Be extra careful with deserialization
though, since the previous versions don't follow this rule and we need
to patch cgroup_path manually based on cgroup_realized we got from deserialization.
Calls to unit_watch_cgroup*() are dropped in cgroup_runtime_deserialize_one(),
because unit_deserialize_state() will invalidate cgroup realized state and
reapply later.
Mike Yuan [Wed, 4 Jun 2025 19:59:23 +0000 (21:59 +0200)]
core/unit-serialize: drop deserialization compat for state_change_timestamp
This was from v228, i.e. before cgroup v2 got introduced.
Nowadays cgroup v1 is outright rejected during initialization,
i.e. upgrading isn't possible whatsoever. Remove the compat glue there.
journal-file: let's make journal_file_copy_entry() robust against concurrent writing of the source
As usual, we need to protect ourselves against concurrent modification
of journal files. We a pretty good at that these days when reading
journal files. But journal_file_copy_entry() so far wasn't too good with
that. journal_file_append_data() so far returned EINVAL when you pass
invalid data to it. Since we pass the source data as-is in there, it's
going to fail if the journal source file is slightly invalid due to a
concurrent update.
Hence, we need to validate data gracefully here that we think comes from
a safe place, because actually it doesn't, it's directly copied from an
unsafe journal file.
Hence, let's introduce a clear error code here, and look for it in
journal_file_copy_entry(), and handle it gracefully.
Pretty sure this fixes #33372, but it's a race, so I don't know for
sure. If this remains reproducible we need to look at this again.
Let's rename the return parameters as "ret_xyz" systematically in
sd-login.
Also, let's make the return parameters systematically optional, like we
typically do these days. So far some where optional, other's weren't.
Let's clean this up.
Since 8065d02e263a ("copy: Fix error handling in fd_copy_directory()")
we immediately abort recursive copy operations on ENOSPC. Let's also
abort on the common case of filesystems not supporting fs-verity: if
it's unsupported for one file, it's unlikely to work for the 1000s that
follow it.
We do this by mapping the two fs-verity "not supported" errors (ENOTTY,
EOPNOTSUPP) to ESOCKTNOSUPPORT as a special "fs-verity not supported
here" error. When we see that error at the top level we exit
immediately.
This prevents us from having to see the same error message literally
thousands of time when using fsverity=copy with systemd-repart on a
filesystem which lacks the proper support.
Adjust the test-copy test case to expect the new errno. Previously this
test case would output multiple failure lines per `copy_tree_at()`
invocation (for the failing cases) but now it only outputs one.
Yu Watanabe [Tue, 3 Jun 2025 20:38:35 +0000 (05:38 +0900)]
TEST-17-UDEV: acquire SYS_UID_MAX/SYS_GID_MAX from userdbctl
Suse build systemd with -Dsystem-uid-max=499 -Dsystem-gid-max=499,
and seems to not provide /etc/login.defs file. See
https://github.com/bmwiedemann/openSUSE/blob/2dc224ae5d446e928519315f4d46f76d1e34b8a8/packages/s/systemd/systemd.spec
Yu Watanabe [Wed, 4 Jun 2025 09:14:52 +0000 (18:14 +0900)]
userdb: make ENOEXEC wins over ESRCH
Both ENOEXEC and ESRCH is a kind of error that indicate successful
lookup. ENOEXEC means the server found an entry but it does not
pass filter. ESRCH means the server could not find an entry.
Hence, ENOEXEC should have more information, and should be propagated to
the caller.
Reverted change broke EnterNamespace= completely. For example, libdw
tries to access libc in /lib64 which points to usr/lib64 and that fails.
Similarly for binaries, we need to be able to resolve /bin to usr/bin
and /sbin to usr/sbin at the very least.
pcrlock: add "is-supported" verb that checks if the local TPM supports the commands we need for pcrlock
systemd-pcrlock requires support for the PolicyAuthorizeNV command,
which is not implemented in the first TPM2 releases. We also strictly
require SHA-256 support. Hence add a tool for checking for both of
these.
This is a tighter version of "systemd-analyze has-tpm2", that checks for
the precise feature that systemd-pcrlock needs, on top of basic TPM2
functionality.
Yu Watanabe [Fri, 30 May 2025 19:30:43 +0000 (04:30 +0900)]
bus-unit-util: warn and ignore assignment of deprecated properties
With 5da476ac7728b91ad3a49c1b126b3559b4fbeed8, we refused to set the
properties, but this relaxes the behavior, and now commands warn and
ignore the assignment.
projects / thirdparty / systemd.git / log
