dissect: try to read roothash value off user.verity.roothash xattr of image file
This slightly extends the roothash loading logic to first check for a
user.verity.roothash extended attribute on the image file. If it exists,
it is used as Verity root hash and the ".roothash" file is not used.
This should improve the chance that the roothash is retained when the
file is moved around, as the data snippet is attached directly to the
image file. The field is still detached from the file payload however,
in order to make sure it may be trusted independently.
This does not replace the ".roothash" file loading, it simply adds a
second way to retrieve the data.
Extended attributes are often a poor choice for storing metadata like
this as it is usually difficult to discover for admins and users, and
hard to fix if it ever gets out of sync. However, in this case I think
it's safe as verity implies read-only access, and thus there's little
chance of it to get out of sync.
core,nspawn,dissect: make nspawn's .roothash file search reusable
This makes nspawn's logic of automatically discovering the root hash of
an image file generic, and then reuses it in systemd-dissect and in
PID1's RootImage= logic, so that verity is automatically set up whenever
we can.
dissect: make sure to manually follow symlinks when mounting dissected image
If the dissected image contains symlinks for the mount points we need we
need to make sure to follow this with chase_symlinks() so that we don't
leave the image.
core: actually make "+" prefix in ReadOnlyPaths=, InaccessiblePaths=, ReadWritablePaths= work
5327c910d2fc1ae91bd0b891be92b30379c7467b claimed to add support for "+"
for prefixing paths with the configured RootDirectory=. But actually it
only implemented it in the backend, it did not add support for it to the
configuration file parsers. Fix that now.
core: add a per-unit setting MountAPIVFS= for mounting /dev, /proc, /sys in conjunction with RootDirectory=
This adds a boolean unit file setting MountAPIVFS=. If set, the three
main API VFS mounts will be mounted for the service. This only has an
effect on RootDirectory=, which it makes a ton times more useful.
(This is basically the /dev + /proc + /sys mounting code posted in the
original #4727, but rebased on current git, and with the automatic logic
replaced by explicit logic controlled by a unit file setting)
The compiler should not be able to optimize out the memset, because optarg is global
memory. In this case, not making the argument an empty string is nicer, so just use
an open-coded version of string_erase from before the explicit_bzero change.
treewide: replace homegrown memory_erase with explicit_bzero
explicit_bzero was added in glibc 2.25. Make use of it.
explicit_bzero is hardcoded to zero the memory, so string erase now
truncates the string, instead of overwriting it with 'x'. This causes
a visible difference only in the journalctl case.
libseccomp does not allow you to add architectures to a filter that
doesn't match the byte ordering of the architectures already added to
the filter (it would be a mess, not to mention largely pointless) and
since systemd attempts to add an ABI before removing the default native
ABI, you will always fail on Power (either due to ppc or ppc64le). The
fix is to remove the native ABI before adding a new ABI so you don't run
into problems with byte ordering.
You would likely see the same failure on a MIPS system.
Silence two "unused function af_lookup" warnings (#5222)
Gcc7 is smarter about detecting unused functions and detects those two functions
which are unused in tests. But gperf generates them for us, so let's instead of removing
tell gcc that we know they might be unused in the test code.
In file included from ../src/test/test-af-list.c:29:0:
./src/basic/af-from-name.h:140:1: warning: ‘lookup_af’ defined but not used [-Wunused-function]
lookup_af (register const char *str, register size_t len)
^~~~~~~~~
In file included from ../src/test/test-arphrd-list.c:29:0:
./src/basic/arphrd-from-name.h:125:1: warning: ‘lookup_arphrd’ defined but not used [-Wunused-function]
lookup_arphrd (register const char *str, register size_t len)
^~~~~~~~~~~~~
Lukas Rusak [Sat, 4 Feb 2017 15:21:49 +0000 (07:21 -0800)]
systemd-mount features and improvements (#5067)
systemd-mount --unmount /some/path
systemd-mount --umount /some/path
systemd-mount -u /some/path
systemd-unmount /some/path
all do the same thing that one could expect from the name.
core/execute: pass the username to utmp/wtmp database
Before previous commit, username would be NULL for root, and set only
for other users. So the argument passed to utmp_put_init_process()
would be "root" for other users and NULL for root. Seems strange.
Instead, always pass the username if available.
Making the environment special for the root user complicates things
unnecessarily. This change simplifies both our logic (by making the setting
of the variables unconditional), and should also simplify the logic in
services (particularly scripts).
This reworks systemd-run so that in --pty mode we watch the unit state
the way we do it in --wait mode. Whenever we notice that the service is
in failed or inactive state finish right-away, but first write all
unwritten characters we can read from the master TTY device.
This makes sure that when the TTY service fails before it opens the
slave PTY device we properly notice that and exit early, so that borked
start parameters result in immediate systemd-run failure. Previously,
we'd not notice this at all, as a PTY slave that never was opened won't
result in POLLHUP events, and we'd hence simply keep reading from it
forever.
In essence, --pty now enables the same unit watching logic that --wait
enables. However, unless --wait is specified we won#t show the final
summary, hence the effective difference should be pretty minimal.
run: explicitly close pty forwarder before printing summary
If the PTY forwarder is still around our TTY will have borked settings,
regarding newlines, hence explicitly close it before showing the
summary, so that it looks pretty.
sd-event: when an event source fails, don't assume the type of it is still set
If a callback of an event source returns an error, then the event source
might already be half-destroyed, if the callback dropped all refs.
Hence, don't assume that the type is still valid, and save it before we
issue the callback.
afrantzis [Fri, 3 Feb 2017 01:39:26 +0000 (03:39 +0200)]
logind: Don't try to emit a change signal for the 'Sessions' property (#5211)
The 'Sessions' property for both org.freedesktop.login1.User and
org.freedesktop.login1.Seat is marked as EmitsChangedSignal(false).
Trying to emit a change signal that includes the 'Sessions' property
leads to the signal not being sent at all.
D-Bus is inherently racy when a function returns an object path for a
newly allocated object the client shall watch: as the object already
exists before the client can subscribe to it, it might lose messages
from it.
Let's fix this, by explicitly querying unit properties right after
subscribing to its property changes.
time-util: refuse formatting/parsing times that we can't store
usec_t is always 64bit, which means it can cover quite a number of
years. However, 4 digit year display and glibc limitations around time_t
limit what we can actually parse and format. Let's make this explicit,
so that we never end up formatting dates we can#t parse and vice versa.
Note that this is really just about formatting/parsing. Internal
calculations with times outside of the formattable range are not
affected.
time: time_t is signed, and mktime() is happy to return negative time
Passing a year such as 1960 to mktime() will result in a negative return
value. This is quite confusing, as the man page claims that on failure
the call will return -1...
Given that our own usec_t type is unsigned, and we can't express times
before 1970 hence, let's consider all negative times returned by
mktime() as invalid, regardless if just -1, or anything else negative.
There's no point in updating exec_target for each binary we try to
execute, if we override it right-away anyway... Let's just do this once,
and include all binaries we try each time.
Franck Bui [Thu, 2 Feb 2017 18:29:44 +0000 (19:29 +0100)]
systemctl: 'show' don't exit with a failure status if the requested property does not exist (#5201)
"systemctl show -pUnknown <service>" used to exit with '0' even if the property
passed by '-p' doesn't exist. But since commit 3dced37b7c2c9a5c733817 (v231+),
it exits with a failure status.
"systemctl show" is supposed to be scriptable and therefore its behavior is
supposed to be stable.
This patch restores the old behavior on which a couple of scripts already rely
now.
Also when the requested property doesn't exist, it always logs it at the debug
level since this part of the code is only used by the show command.
The general rule is:
- code in shared/ should take an "original_root" argument (possibly NULL)
and pass it along down to chase_symlinks
- code in core/ should always use specify original_root==NULL, since we
don't support running the manager from non-root directory
- code in systemctl and other tools should pass arg_root.
For any code that is called from tools which support --root, chase_symlinks
must be used to look up paths.
cgls: allow --unit, --user-unit to take optional argument
The following are all equivalent:
--unit foo.service bar.service
--unit=foo.service bar.service
--unit=foo.service --unit=bar.service
foo.service bar.service --unit
Similarly for --user-unit.
The only case that doesn't work well is when --unit and --user-unit are mixed:
--unit=foo.service --user-unit=bar.service
We'll treat both names as user units. I think this is OK.
I opted for a "global" switch, instead of modifying the behaviour of just one
argument. It seem to be a more useful setting, since usually one will want to
query one or more units, and not mix unit names with paths.
76ec966f0e33685f833 changed the code from ESHUTDOWN to ERFKILL, but missed one
spot in bus-common-errors.c. Fix that.
The code in transaction.c was checking for ERFKILL, but I'm not sure if this
mismatch had any effect, i.e. if there were any code paths in which the wrong
code actually made difference.
Also add comments when ESHUTDOWN is used in the journal code, so it's easy to
distinguish those cases when grepping. Standarize on the same capitalization.
(There's also a bunch of uses in sd-bus.c, but that's clearly different.)
system-update-generator: warn if the command line blocks updates (#5173)
If "3", "5", "systemd.unit=", or similar are present on the kernel command line,
the system will not enter into offline update. This behaviour is in line with the
general logic that configuration on the kernel command line has higher priority
than the configuration on disk, but is rather surprising. Emit a warning to help
users diagnose the situation.
Philip Withnall [Wed, 1 Feb 2017 13:36:16 +0000 (13:36 +0000)]
nspawn: Print attempted execv() path on failure (#5199)
The failure message is typically currently:
execv() failed: No such file or directory
which is not very useful because it doesn’t tell you which file or
directory it was trying to exec.
Merge pull request #5146 from ssahani/ifname-alias
networkd: Allow ':' in label
This reverts a341dfe563 and takes a slightly different approach: anything is
allowed in network interface labels, but network interface names are verified
as before (i.e. amongst other things, no colons are allowed there).
nss-util: silence warning about deprecated RES_USE_INET6
src/nss-resolve/nss-resolve.c: In function ‘_nss_resolve_gethostbyname_r’:
src/nss-resolve/nss-resolve.c:680:13: warning: RES_USE_INET6 is deprecated
NSS_GETHOSTBYNAME_FALLBACKS(resolve);
^~~~~~~~~~~~~~~~~~~~~~~~~
In glibc bz #19582, RES_USE_INET6 was deprecated. This might make sense for
clients, but they didn't take into account nss module implementations which
*must* continue to support the option. glibc internally defines
DEPRECATED_RES_USE_INET6 which can be used without emitting a warning, but
it's not exported publicly. Let's do the same, and just copy the definition
to our header.
tree-wide: adjust fall through comments so that gcc is happy
gcc 7 adds -Wimplicit-fallthrough=3 to -Wextra. There are a few ways
we could deal with that. After we take into account the need to stay compatible
with older versions of the compiler (and other compilers), I don't think adding
__attribute__((fallthrough)), even as a macro, is worth the trouble. It sticks
out too much, a comment is just as good. But gcc has some very specific
requiremnts how the comment should look. Adjust it the specific form that it
likes. I don't think the extra stuff we had in those comments was adding much
value.
(Note: the documentation seems to be wrong, and seems to describe a different
pattern from the one that is actually used. I guess either the docs or the code
will have to change before gcc 7 is finalized.)
```
-bash-4.3# systemd-run --property BindPaths=/etc:tmp/hey sh -c 'ls /tmp/hey'
```
prints
`Destination path tmp/hey is not absolute.`
instead of
`Destination path /etc is not absolute.`
Also, fixes CID #1368263
```
==352== 130 bytes in 1 blocks are definitely lost in loss record 1 of 2
==352== at 0x4C2ED5F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==352== by 0x4ED8581: greedy_realloc (alloc-util.c:57)
==352== by 0x4ECAAD5: get_process_cmdline (process-util.c:147)
==352== by 0x10E385: get_process_container_parent_cmdline (coredump.c:645)
==352== by 0x112949: process_kernel (coredump.c:1240)
==352== by 0x113003: main (coredump.c:1297)
==352==
```