* Memory protection directives can now take a value of zero, allowing
explicit opting out of a default value propagated by an ancestor.
- * A new setting DisableControllers= has been added that may be used to
- explicitly disable one or more cgroups controllers for a unit and all
- its children.
-
* systemd now defaults to the "unified" cgroup hierarchy setup during
build-time, i.e. -Ddefault-hierarchy=unified is now the build-time
default. Previously, -Ddefault-hierarchy=hybrid was the default. This
<term><varname>DeviceAllow=</varname></term>
<listitem>
- <para>Control access to specific device nodes by the
- executed processes. Takes two space-separated strings: a
- device node specifier followed by a combination of
- <constant>r</constant>, <constant>w</constant>,
- <constant>m</constant> to control
- <emphasis>r</emphasis>eading, <emphasis>w</emphasis>riting,
- or creation of the specific device node(s) by the unit
- (<emphasis>m</emphasis>knod), respectively. This controls
- the <literal>devices.allow</literal> and
- <literal>devices.deny</literal> control group
- attributes. For details about these control group
- attributes, see <ulink
- url="https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt">devices.txt</ulink>.</para>
-
- <para>The device node specifier is either a path to a device
- node in the file system, starting with
- <filename>/dev/</filename>, or a string starting with either
- <literal>char-</literal> or <literal>block-</literal>
- followed by a device group name, as listed in
- <filename>/proc/devices</filename>. The latter is useful to
- whitelist all current and future devices belonging to a
- specific device group at once. The device group is matched
- according to filename globbing rules, you may hence use the
- <literal>*</literal> and <literal>?</literal>
- wildcards. Examples: <filename>/dev/sda5</filename> is a
- path to a device node, referring to an ATA or SCSI block
- device. <literal>char-pts</literal> and
- <literal>char-alsa</literal> are specifiers for all pseudo
- TTYs and all ALSA sound devices,
- respectively. <literal>char-cpu/*</literal> is a specifier
- matching all CPU related device groups.</para>
+ <para>Control access to specific device nodes by the executed processes. Takes two space-separated
+ strings: a device node specifier followed by a combination of <constant>r</constant>,
+ <constant>w</constant>, <constant>m</constant> to control <emphasis>r</emphasis>eading,
+ <emphasis>w</emphasis>riting, or creation of the specific device node(s) by the unit
+ (<emphasis>m</emphasis>knod), respectively. On cgroup-v1 this controls the
+ <literal>devices.allow</literal> control group attribute. For details about this control group
+ attribute, see <ulink
+ url="https://www.kernel.org/doc/Documentation/cgroup-v1/devices.txt">devices.txt</ulink>. On
+ cgroup-v2 this functionality is implemented using eBPF filtering.</para>
+
+ <para>The device node specifier is either a path to a device node in the file system, starting with
+ <filename>/dev/</filename>, or a string starting with either <literal>char-</literal> or
+ <literal>block-</literal> followed by a device group name, as listed in
+ <filename>/proc/devices</filename>. The latter is useful to whitelist all current and future
+ devices belonging to a specific device group at once. The device group is matched according to
+ filename globbing rules, you may hence use the <literal>*</literal> and <literal>?</literal>
+ wildcards. (Note that such globbing wildcards are not available for device node path
+ specifications!) In order to match device nodes by numeric major/minor, use device node paths in
+ the <filename>/dev/char/</filename> and <filename>/dev/block/</filename> directories. However,
+ matching devices by major/minor is generally not recommended as assignments are neither stable nor
+ portable between systems or different kernel versions.</para>
+
+ <para>Examples: <filename>/dev/sda5</filename> is a path to a device node, referring to an ATA or
+ SCSI block device. <literal>char-pts</literal> and <literal>char-alsa</literal> are specifiers for
+ all pseudo TTYs and all ALSA sound devices, respectively. <literal>char-cpu/*</literal> is a
+ specifier matching all CPU related device groups.</para>
<para>Note that whitelists defined this way should only reference device groups which are
resolvable at the time the unit is started. Any device groups not resolvable then are not added to
msgstr ""
"Project-Id-Version: systemd\n"
"Report-Msgid-Bugs-To: https://github.com/systemd/systemd/issues\n"
-"POT-Creation-Date: 2019-07-11 15:28+0000\n"
-"PO-Revision-Date: 2019-07-13 14:42+0200\n"
+"POT-Creation-Date: 2019-07-29 15:34+0000\n"
+"PO-Revision-Date: 2019-07-30 20:24+0200\n"
"Last-Translator: Piotr Drąg <piotrdrag@gmail.com>\n"
"Language-Team: Polish <trans-pl@lists.fedoraproject.org>\n"
"Language: pl\n"
"Wymagane jest uwierzytelnienie, aby zarządzać lokalnymi obrazami maszyn "
"wirtualnych i kontenerów."
+#: src/network/org.freedesktop.network1.policy:22
+msgid "Set NTP servers"
+msgstr "Ustawienie serwerów NTP"
+
+#: src/network/org.freedesktop.network1.policy:23
+msgid "Authentication is required to set NTP servers."
+msgstr "Wymagane jest uwierzytelnienie, aby ustawić serwery NTP."
+
+#: src/network/org.freedesktop.network1.policy:33
+msgid "Set DNS servers"
+msgstr "Ustawienie serwerów DNS"
+
+#: src/network/org.freedesktop.network1.policy:34
+msgid "Authentication is required to set DNS servers."
+msgstr "Wymagane jest uwierzytelnienie, aby ustawić serwery DNS."
+
+#: src/network/org.freedesktop.network1.policy:44
+msgid "Set domains"
+msgstr "Ustawienie domen"
+
+#: src/network/org.freedesktop.network1.policy:45
+msgid "Authentication is required to set domains."
+msgstr "Wymagane jest uwierzytelnienie, aby ustawić domeny."
+
+#: src/network/org.freedesktop.network1.policy:55
+msgid "Set default route"
+msgstr "Ustawienie domyślnej trasy"
+
+#: src/network/org.freedesktop.network1.policy:56
+msgid "Authentication is required to set default route."
+msgstr "Wymagane jest uwierzytelnienie, aby ustawić domyślną trasę."
+
+#: src/network/org.freedesktop.network1.policy:66
+msgid "Enable/disable LLMNR"
+msgstr "Włączenie/wyłączenie LLMNR"
+
+#: src/network/org.freedesktop.network1.policy:67
+msgid "Authentication is required to enable or disable LLMNR."
+msgstr "Wymagane jest uwierzytelnienie, aby włączyć lub wyłączyć LLMNR."
+
+#: src/network/org.freedesktop.network1.policy:77
+msgid "Enable/disable multicast DNS"
+msgstr "Włączenie/wyłączenie multikastowego DNS"
+
+#: src/network/org.freedesktop.network1.policy:78
+msgid "Authentication is required to enable or disable multicast DNS."
+msgstr ""
+"Wymagane jest uwierzytelnienie, aby włączyć lub wyłączyć multikastowe DNS."
+
+#: src/network/org.freedesktop.network1.policy:88
+msgid "Enable/disable DNS over TLS"
+msgstr "Włączenie/wyłączenie DNS przez TLS"
+
+#: src/network/org.freedesktop.network1.policy:89
+msgid "Authentication is required to enable or disable DNS over TLS."
+msgstr ""
+"Wymagane jest uwierzytelnienie, aby włączyć lub wyłączyć DNS przez TLS."
+
+#: src/network/org.freedesktop.network1.policy:99
+msgid "Enable/disable DNSSEC"
+msgstr "Włączenie/wyłączenie DNSSEC"
+
+#: src/network/org.freedesktop.network1.policy:100
+msgid "Authentication is required to enable or disable DNSSEC."
+msgstr "Wymagane jest uwierzytelnienie, aby włączyć lub wyłączyć DNSSEC."
+
+#: src/network/org.freedesktop.network1.policy:110
+msgid "Set DNSSEC Negative Trust Anchors"
+msgstr "Ustawienie negatywnych kotwic zaufania DNSSEC"
+
+#: src/network/org.freedesktop.network1.policy:111
+msgid "Authentication is required to set DNSSEC Negative Trust Anchros."
+msgstr ""
+"Wymagane jest uwierzytelnienie, aby ustawić negatywne kotwice zaufania "
+"DNSSEC."
+
+#: src/network/org.freedesktop.network1.policy:121
+msgid "Revert NTP settings"
+msgstr "Przywrócenie ustawień NTP"
+
+#: src/network/org.freedesktop.network1.policy:122
+msgid "Authentication is required to revert NTP settings."
+msgstr "Wymagane jest uwierzytelnienie, aby przywrócić ustawienia NTP."
+
+#: src/network/org.freedesktop.network1.policy:132
+msgid "Revert DNS settings"
+msgstr "Przywrócenie ustawień DNS"
+
+#: src/network/org.freedesktop.network1.policy:133
+msgid "Authentication is required to revert DNS settings."
+msgstr "Wymagane jest uwierzytelnienie, aby przywrócić ustawienia DNS."
+
#: src/portable/org.freedesktop.portable1.policy:13
msgid "Inspect a portable service image"
msgstr "Badanie obrazu przenośnej usługi"
"Wymagane jest uwierzytelnienie, aby kontrolować, czy włączyć synchronizację "
"czasu przez sieć."
-#: src/core/dbus-unit.c:353
+#: src/core/dbus-unit.c:354
msgid "Authentication is required to start '$(unit)'."
msgstr "Wymagane jest uwierzytelnienie, aby uruchomić jednostkę „$(unit)”."
-#: src/core/dbus-unit.c:354
+#: src/core/dbus-unit.c:355
msgid "Authentication is required to stop '$(unit)'."
msgstr "Wymagane jest uwierzytelnienie, aby zatrzymać jednostkę „$(unit)”."
-#: src/core/dbus-unit.c:355
+#: src/core/dbus-unit.c:356
msgid "Authentication is required to reload '$(unit)'."
msgstr ""
"Wymagane jest uwierzytelnienie, aby ponownie wczytać jednostkę „$(unit)”."
-#: src/core/dbus-unit.c:356 src/core/dbus-unit.c:357
+#: src/core/dbus-unit.c:357 src/core/dbus-unit.c:358
msgid "Authentication is required to restart '$(unit)'."
msgstr ""
"Wymagane jest uwierzytelnienie, aby ponownie uruchomić jednostkę „$(unit)”."
-#: src/core/dbus-unit.c:529
+#: src/core/dbus-unit.c:530
msgid ""
"Authentication is required to send a UNIX signal to the processes of "
"'$(unit)'."
"Wymagane jest uwierzytelnienie, aby wysłać sygnał uniksowy do procesów "
"jednostki „$(unit)”."
-#: src/core/dbus-unit.c:560
+#: src/core/dbus-unit.c:561
msgid "Authentication is required to reset the \"failed\" state of '$(unit)'."
msgstr ""
"Wymagane jest uwierzytelnienie, aby przywrócić stan „failed” (niepowodzenia) "
"jednostki „$(unit)”."
-#: src/core/dbus-unit.c:593
+#: src/core/dbus-unit.c:594
msgid "Authentication is required to set properties on '$(unit)'."
msgstr ""
"Wymagane jest uwierzytelnienie, aby ustawić właściwości jednostki „$(unit)”."
-#: src/core/dbus-unit.c:702
+#: src/core/dbus-unit.c:703
msgid ""
"Authentication is required to delete files and directories associated with "
"'$(unit)'."
}
}
+ assert(weight_sum > 0);
+
if (details_table) {
size_t row;
return log_error_errno(r, "Failed to output table: %m");
}
- assert(weight_sum > 0);
exposure = DIV_ROUND_UP(badness_sum * 100U, weight_sum);
for (i = 0; i < ELEMENTSOF(badness_table); i++)
return 0;
}
+static int dump_exit_status(int argc, char *argv[], void *userdata) {
+ _cleanup_(table_unrefp) Table *table = NULL;
+ int r;
+
+ table = table_new("name", "status", "class");
+ if (!table)
+ return log_oom();
+
+ r = table_set_align_percent(table, table_get_cell(table, 0, 1), 100);
+ if (r < 0)
+ return log_error_errno(r, "Failed to right-align status: %m");
+
+ if (strv_isempty(strv_skip(argv, 1)))
+ for (size_t i = 0; i < ELEMENTSOF(exit_status_mappings); i++) {
+ if (!exit_status_mappings[i].name)
+ continue;
+
+ r = table_add_many(table,
+ TABLE_STRING, exit_status_mappings[i].name,
+ TABLE_INT, (int) i,
+ TABLE_STRING, exit_status_class(i));
+ if (r < 0)
+ return r;
+ }
+ else
+ for (int i = 1; i < argc; i++) {
+ int status;
+
+ status = exit_status_from_string(argv[i]);
+ if (status < 0)
+ return log_error_errno(r, "Invalid exit status \"%s\": %m", argv[i]);
+
+ assert(status >= 0 && (size_t) status < ELEMENTSOF(exit_status_mappings));
+ r = table_add_many(table,
+ TABLE_STRING, exit_status_mappings[status].name ?: "-",
+ TABLE_INT, status,
+ TABLE_STRING, exit_status_class(status) ?: "-");
+ if (r < 0)
+ return r;
+ }
+
+ (void) pager_open(arg_pager_flags);
+
+ return table_print(table, NULL);
+}
+
#if HAVE_SECCOMP
static int load_kernel_syscalls(Set **ret) {
printf(" %s%s%s\n", syscall[0] == '@' ? ansi_underline() : "", syscall, ansi_normal());
}
-static int dump_exit_status(int argc, char *argv[], void *userdata) {
- _cleanup_(table_unrefp) Table *table = NULL;
- int r;
-
- table = table_new("name", "status", "class");
- if (!table)
- return log_oom();
-
- r = table_set_align_percent(table, table_get_cell(table, 0, 1), 100);
- if (r < 0)
- return log_error_errno(r, "Failed to right-align status: %m");
-
- if (strv_isempty(strv_skip(argv, 1)))
- for (size_t i = 0; i < ELEMENTSOF(exit_status_mappings); i++) {
- if (!exit_status_mappings[i].name)
- continue;
-
- r = table_add_many(table,
- TABLE_STRING, exit_status_mappings[i].name,
- TABLE_INT, (int) i,
- TABLE_STRING, exit_status_class(i));
- if (r < 0)
- return r;
- }
- else
- for (int i = 1; i < argc; i++) {
- int status;
-
- status = exit_status_from_string(argv[i]);
- if (status < 0)
- return log_error_errno(r, "Invalid exit status \"%s\": %m", argv[i]);
-
- assert(status >= 0 && (size_t) status < ELEMENTSOF(exit_status_mappings));
- r = table_add_many(table,
- TABLE_STRING, exit_status_mappings[status].name ?: "-",
- TABLE_INT, status,
- TABLE_STRING, exit_status_class(status) ?: "-");
- if (r < 0)
- return r;
- }
-
- (void) pager_open(arg_pager_flags);
-
- return table_print(table, NULL);
-}
-
static int dump_syscall_filters(int argc, char *argv[], void *userdata) {
bool first = true;
log_warning_errno(r, "Failed to enable job run queue event source, ignoring: %m");
}
- prioq_put(j->manager->run_queue, j, &j->run_queue_idx);
- j->in_run_queue = true;
+ r = prioq_put(j->manager->run_queue, j, &j->run_queue_idx);
+ if (r < 0)
+ log_warning_errno(r, "Failed put job in run queue, ignoring: %m");
+ else
+ j->in_run_queue = true;
}
void job_add_to_dbus_queue(Job *j) {
STATIC_DESTRUCTOR_REGISTER(arg_default_options, freep);
STATIC_DESTRUCTOR_REGISTER(arg_default_keyfile, freep);
-static int split_keyspec(const char *keyspec, char **keyfile, char **keydev) {
+static int split_keyspec(const char *keyspec, char **ret_keyfile, char **ret_keydev) {
_cleanup_free_ char *kfile = NULL, *kdev = NULL;
- char *c;
+ const char *c;
assert(keyspec);
- assert(keyfile);
- assert(keydev);
+ assert(ret_keyfile);
+ assert(ret_keydev);
c = strrchr(keyspec, ':');
if (c) {
kfile = strndup(keyspec, c-keyspec);
kdev = strdup(c + 1);
- if (!*kfile || !*kdev)
+ if (!kfile || !kdev)
return log_oom();
} else {
/* No keydev specified */
kfile = strdup(keyspec);
kdev = NULL;
- if (!*kfile)
+ if (!kfile)
return log_oom();
}
- *keyfile = TAKE_PTR(kfile);
- *keydev = TAKE_PTR(kdev);
+ *ret_keyfile = TAKE_PTR(kfile);
+ *ret_keydev = TAKE_PTR(kdev);
return 0;
}
r = unit_ids_map_get(unit_ids_map, template, &fragment);
if (r < 0 && !IN_SET(r, -ENOENT, -ENXIO))
- return log_debug_errno(r, "Cannot load template %s: %m", *t);
+ return log_debug_errno(r, "Cannot load template %s: %m", template);
if (fragment) {
/* Add any aliases of the original name to the set of names */
/* SPDX-License-Identifier: LGPL-2.1+ */
#include <getopt.h>
-#include "log.h"
+#include "fd-util.h"
#include "fs-util.h"
+#include "log.h"
#include "main-func.h"
static char *arg_root = NULL;
log_error_errno(r, "failed: %m");
else
log_info("→ %s", p);
+
+ if (FLAGS_SET(arg_flags, CHASE_OPEN))
+ safe_close(r);
}
return 0;
}
static void test_exec_systemcallfilter_system(Manager *m) {
-#if HAVE_SECCOMP
+/* Skip this particular test case when running under ASan, as
+ * LSan intermittently segfaults when accessing memory right
+ * after the test finishes. Generally, ASan & LSan don't like
+ * the seccomp stuff.
+ */
+#if HAVE_SECCOMP && !HAS_FEATURE_ADDRESS_SANITIZER
if (!is_seccomp_available()) {
log_notice("Seccomp not available, skipping %s", __func__);
return;