Michael Scherer [Thu, 20 Feb 2014 15:19:44 +0000 (16:19 +0100)]
core: Add AppArmor profile switching
This permit to switch to a specific apparmor profile when starting a daemon. This
will result in a non operation if apparmor is disabled.
It also add a new build requirement on libapparmor for using this feature.
Colin Walters [Fri, 21 Feb 2014 02:29:00 +0000 (03:29 +0100)]
selinux: Don't attempt to load policy in initramfs if it doesn't exist
Currently on at least Fedora, SELinux policy does not come in the
initramfs. systemd will attempt to load *both* in the initramfs and
in the real root.
Now, the selinux_init_load_policy() API has a regular error return
value, as well as an "enforcing" boolean. To determine enforcing
state, it looks for /etc/selinux/config as well as the presence of
"enforcing=" on the kernel command line.
Ordinarily, neither of those exist in the initramfs, so it will return
"unknown" for enforcing, and systemd will simply ignore the failure to
load policy.
Holger Schurig [Thu, 20 Feb 2014 13:39:13 +0000 (14:39 +0100)]
build-sys: Add setns() functions if not in the C library.
Debian Stable is still using glibc 2.13, which doesn't provide the setns().
So we detect this and provide a tiny wrapper that issues the setns syscall
towards the kernel.
Daniel Mack [Thu, 20 Feb 2014 16:14:50 +0000 (17:14 +0100)]
libsystemd: fix compiler warning in property_get_set_callbacks_run()
gcc (4.8.2, arm) doesn't understand that vtable_property_get_userdata()
will always set 'u' when it returns > 0. Hence, the warning is bogus,
but anyway.
src/libsystemd/sd-bus/bus-objects.c:510:19: warning: 'u' may be used uninitialized in this function [-Wmaybe-uninitialized]
(and yes, indeed, even the reported line numbers are bogus in this case)
api: in constructor function calls, always put the returned object pointer first (or second)
Previously the returned object of constructor functions where sometimes
returned as last, sometimes as first and sometimes as second parameter.
Let's clean this up a bit. Here are the new rules:
1. The object the new object is derived from is put first, if there is any
2. The object we are creating will be returned in the next arguments
3. This is followed by any additional arguments
Rationale:
For functions that operate on an object we always put that object first.
Constructors should probably not be too different in this regard. Also,
if the additional parameters might want to use varargs which suggests to
put them last.
Note that this new scheme only applies to constructor functions, not to
all other functions. We do give a lot of freedom for those.
Note that this commit only changes the order of the new functions we
added, for old ones we accept the wrong order and leave it like that.
If -flto is used then gcc will generate a lot more warnings than before,
among them a number of use-without-initialization warnings. Most of them
without are false positives, but let's make them go away, because it
doesn't really matter.
David Herrmann [Wed, 19 Feb 2014 12:24:38 +0000 (13:24 +0100)]
event: fix crash on child-source state modifications
Setting a child-source state to anything but SD_EVENT_OFF currently does
nothing. The condition logic is flawed. Move the state update *below* the
test for the previous state.
Fixes a crash if you call:
sd_event_source_set_enabled(source, SD_EVENT_ON);
sd_event_source_unref(source);
on a child-source in its own callback.
Dave Reisner [Tue, 18 Feb 2014 19:44:14 +0000 (14:44 -0500)]
nspawn: allow 32-bit chroots from 64-bit hosts
Arch Linux uses nspawn as a container for building packages and needs
to be able to start a 32bit chroot from a 64bit host. 24fb11120756
disrupted this feature when seccomp handling was added.
SECCOMP_CFLAGS must be in the global CFLAGS as <seccomp.h> is
included in core/execute.h. when seccomp.h is not in the standard
path.(i.e openSUSE has it in /usr/include/pkg/libseccomp/, precisely to
catch this kind of bugs) compiling systemd fails.
Patrik Flykt [Tue, 18 Feb 2014 14:07:40 +0000 (16:07 +0200)]
libsystemd-dhcp: Add a full DHCP address acquisition test case
Upon startup the DHCP library will immediately send a DHCP Discover.
Handle the additional DHCP Discover checking and DHCP Offer sending
in test_addr_acq_recv_discover(). Write a zero UDP checksum, the
received XID and the faked MAC address into place to create a DHCP
message the library can accept.
Follow exactly the same steps when receiving a DHCP Request in
test_addr_acq_recv_request() and send the Ack. Check that the proper
addresses have been found by the DHCP library before exiting the
main loop and finishing the test.