Ronny Chevalier [Sun, 14 May 2017 11:19:11 +0000 (13:19 +0200)]
conf-parser: fix wrong argument given to log_syntax_invalid_utf8
The condition is on "word", hence we give word instead of rvalue.
An assert would be triggered if !utf8_is_valid(word) is true and
rvalue == NULL, since log_syntax_invalid_utf8 calls utf8_escape_invalid
which calls assert(str).
A test case has been added to test with valid and invalid utf8.
This adds a modified version of dhcp6_option_parse_domainname() that is
able to parse compressed domain names, borrowing the idea from
dns_packet_read_name(). It also adds pieces in networkd-link and
networkd-manager to properly save/load the added option field.
nss-resolve: drop the internal fallback to libnss_dns (#5945)
If we could not communicate with systemd-resolved, we would call into
libnss_dns. libnss_dns would return NOTFOUND for stuff like "localhost" and
other names resolved by nss-myhostname, which we would fall under the !UNAVAIL=
condition and cause resolution to fail. So the following recommended
configuration in nsswitch.conf would not work:
hosts: resolve [!UNAVAIL=return] dns myhostname
Remove the internal fallback code completely so that the fallback logic
can be configured in nsswitch.conf.
Tested with
hosts: resolve [!UNAVAIL=return] myhostname
and
hosts: resolve [!UNAVAIL=return] dns myhostname
libidn2 2.0.0 supports IDNA2008, in contrast to libidn which supports IDNA2003.
https://bugzilla.redhat.com/show_bug.cgi?id=1449145
From that bug report:
Internationalized domain names exist for quite some time (IDNA2003), although
the protocols describing them have evolved in an incompatible way (IDNA2008).
These incompatibilities will prevent applications written for IDNA2003 to
access certain problematic domain names defined with IDNA2008, e.g., faß.de is
translated to domain xn--fa-hia.de with IDNA2008, while in IDNA2003 it is
translated to fass.de domain. That not only causes incompatibility problems,
but may be used as an attack vector to redirect users to different web sites.
v2:
- keep libidn support
- require libidn2 >= 2.0.0
v3:
- keep dns_name_apply_idna caller dumb, and keep the #ifdefs inside of the
function.
- use both ±IDN and ±IDN2 in the version string
We know how the field we are parsing is called, let's put this information in
the error message:
"Route Source= prefix is invalid, ignoring assignment: ..."
"Route Destination= prefix is invalid, ignoring assignment: ..."
We counted how many filesystems could not be unmounted, but only for those
filesystems which we tried to unmount. Since we only remount / ro, without
attempting to unmount, we would emit a confusing error message:
Remounting '/' read-only with options 'seclabel,space_cache,subvolid=5,subvol=/'.
Remounting '/' read-only with options 'seclabel,space_cache,subvolid=5,subvol=/'.
Remounting '/' read-only with options 'seclabel,space_cache,subvolid=5,subvol=/'.
All filesystems unmounted.
Warn when remount-ro fails, and for filesystems which we won't try to unmount,
include the failure to remount-ro in n_failed.
A few minor cleanups:
- remove unecessary goto which jumps to the next line anyway
- always calculate n_failed, even if log_error is false. This causes no change
in behaviour, but I think the code is easier to follow, since the log setting
cannot influence other logic.
Tom Gundersen [Thu, 11 May 2017 13:56:55 +0000 (15:56 +0200)]
busctl: monitor - only start printing messages once we have become a monitor (#5931)
A connection becomes a monitor the moment it loses its unique name, so any
messages received before that should not be dumped to the console.
Currently, we print NameAcquired and NameLost for the unique name of the
peer that becomes the monitor, simply discard all messages until we
receive our NameLost signal.
seccomp: enable RestrictAddressFamilies on ppc64, autodetect SECCOMP_RESTRICT_ADDRESS_FAMILIES_BROKEN
We expect that if socket() syscall is available, seccomp works for that
architecture. So instead of explicitly listing all architectures where we know
it is not available, just assume it is broken if the number is not defined.
This should have the same effect, except that other architectures where it is
also broken will pass tests without further changes. (Architectures where the
filter should work, but does not work because of missing entries in
seccomp-util.c, will still fail.)
i386, s390, s390x are the exception — setting the filter fails, even though
socket() is available, so it needs to be special-cased
(https://github.com/systemd/systemd/issues/5215#issuecomment-277241488).
This remove the last define in seccomp-util.h that was only used in test-seccomp.c. Porting
the seccomp filter to new architectures should be simpler because now only two places need
to be modified.
RestrictAddressFamilies seems to work on ppc64[bl]e, so enable it (the tests pass).
Anchor Cat [Wed, 10 May 2017 11:23:58 +0000 (21:23 +1000)]
automount: ack automount requests even when already mounted (#5916)
If a process accesses an autofs filesystem while systemd is in the
middle of starting the mount unit on top of it, it is possible for the
autofs_ptype_missing_direct request from the kernel to be received after
the mount unit has been fully started:
systemd forks and execs mount ...
... access autofs, blocks
mount exits ...
systemd receives SIGCHLD ...
... kernel sends request
systemd receives request ...
systemd needs to respond to this request, otherwise the kernel will
continue to block access to the mount point.
50-udev-default.rules.in: set correct group for mediaX/cecX (#5921)
The /dev/mediaX and /dev/cecX devices belong to the video group.
Add two default rules for that.
The /dev/cecX devices were introduced in kernel 4.8 in staging and moved
out of staging in 4.10. These devices support the HDMI CEC bus.
The /dev/mediaX devices are much older, but because they are not used very
frequently nobody got around to adding this rule to systemd. They let the
user control complex media pipelines.
Adds support for booting in a SecureBoot environment with shim as a
preloader. Install an appropriate UEFI security policy to check PE
signature of a chained kernel or UEFI application (using LoadImage())
against the MOK database maintained by shim, using shim's installed
BootServices.
Implementation details for installing the security policy are based on
code from the LinuxFoundation's SecureBoot PreLoader, part of efitools
licensed under LGPL 2.1
Current signed (by Microsoft) versions of shim (Versions 0.8 & 0.9)
so not install a security policy by themselves, future Versions of
shim might (a compile time switch exists in rectent git versions),
so in the future this PR might become unnecessary.
Rip out setting of the log level from udev_new and put it in a new function
This function is internal to systemd code, so external users of libudev
will not see those log messages. I think this is better. If we want to
allow that, the function could be put in libudev and exported.
v2: check that the string is more than one char before stripping quotes
Any call to set/query/use the log level in the code with LOG_REALM=LOG_REALM_UDEV
refers to log_max_level[1]. In particular this means that systemd code using
the libudev library uses does not set the log level for log calls done in libudev.
basic/log: split max log level into multiple "realms"
The single log level is split into an array of log levels. Which index in the
array is used can be determined for each compilation unit separately by setting
a macro before including log.h. All compilation units use the same index
(LOG_REALM_SYSTEMD), so there should be no functional change.
v2:
- the "realm" is squished into the level (upper bits that are not used by
priority or facility), and unsquished later in functions in log.c.
v3:
- rename REALM_PLUS_LEVEL to LOG_REALM_PLUS_LEVEL and REALM to LOG_REALM_REMOVE_LEVEL.
Since all our python scripts have a proper python3 shebang, there is no benefit
to letting meson autodetect them. On linux, meson will just uses exec(), so the
shebang is used anyway. The only difference should be in how meson reports the
script and that the detection won't fail for (most likely misconfigured)
non-UTF8 locales.
seccomp: assume clone() arg order is known on all architectures
While adding the defines for arm, I realized that we have pretty much all
known architectures covered, so SECCOMP_RESTRICT_NAMESPACES_BROKEN is not
necessary anymore. clone(2) is adamant that the order of the first two
arguments is only reversed on s390/s390x. So let's simplify things and remove
the #if.
seccomp: drop SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN, add test for shmat
SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN was conflating two separate things:
1. whether shmat/shmdt/shmget can be filtered (if ipc multiplexer is used, they can not)
2. whether we know this for the current architecture
For i386, shmat is implemented as ipc, so seccomp filter is "broken" for shmat,
but not for mmap, and SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN cannot be used
to cover both cases. The define was only used for tests — not in the implementation
in seccomp-util.c. So let's get rid of SECCOMP_MEMORY_DENY_WRITE_EXECUTE_BROKEN
and encode the right condition directly in tests.
meson: use booleans for conf.set and drop unecessary conditionals
Using conf.set() with a boolean argument does the right thing:
either #ifdef or #undef. This means that conf.set can be used unconditionally.
Previously I used '1' as the placeholder value, and that needs to be changed to
'true' for consistency (under meson 1 cannot be used in boolean context). All
checks need to be adjusted.
This is similar to what ./configure prints. Instead of a long list of yes/no lines,
I added two lines at the end with "enabled features" and "disabled features".
This is what the mplayer/mencoder ./configure script did back in the day.
The advantage is that it's easy to look at the list of disabled features
and check for any unexpected entries.
Patrik Flykt [Tue, 2 May 2017 19:36:24 +0000 (22:36 +0300)]
sd-ndisc: Reset counter for sent Router Solicitations (#5874)
Reset also the counter for number of Router Solicitations sent when
the associated file descriptor is closed and the event source
unreferenced. With this change the router discovery can now be
stopped and restarted arbitrary many times.
Michael Biebl [Tue, 2 May 2017 19:30:14 +0000 (21:30 +0200)]
build-sys: re-add systemd.directives and systemd.index to MANPAGES (#5876)
Those were dropped accidentally in commit 19fe49f62cc916f1237ea92a04fc80ee75285dde, most likely by running
make update-man-list. This is a known limitation of the autotools build:
the man pages must be built before update-man-list is called.
meson: make sure html symlinks are also created in build directory
The symlinks should be created in the build directory in two cases: when
configuration specifies -Dhtml=true, or when ninja html target is built.
Normally install : {true,false} is used to decide if a target should be built,
but in this case, we cannot use install : true, because, as described in 488477d101, that results in the target file being copied into the
installation directory instead of a symlink. So we need a work-around. To
achieve the first end, the commands to create the symlinks are added as
dependencies of the command to create the html page. To the second end, they
are added as dependencies of the html target.
This adds two somewhat independent rules:
1. to create symlinks to html pages in the build directory
2. to create symlinks in the installation directory
The second part needs to be coded separately, because telling meson to install
the symlinks created in step 1. results in a copy of the target, instead of a
symlink. So step 2. needs to ignore the result of 1. and create the symlink again.
Jörg Thalheim [Mon, 1 May 2017 00:26:56 +0000 (02:26 +0200)]
more portable python shebangs (#5816)
This is useful on systems like NixOS, where python3 is not in
/usr/bin/python3 as well as for people using alternative ways to
install python such as virtualenv/pyenv.
networkd: Add check to ensure link is down before attempting to enslave (#5853)
netdev to bond.
There are situations where a link can be in an "UP" state when
systemd-networkd attempts to add the link to a bond device.
This is a problem because the bonding driver will refuse to
enslave a link if it is in the "UP" state.
This check ensures systemd-networkd sets the link to "DOWN"
before attempting to add the link to the bond.