The man page doesn't even mention errno. It just says that ferror() should
be used to check for errors. Those writes are unlikely to fail, but if they
do, errno might even be 0. Also, we have fflush_and_check() which does
additional paranoia around errno, because we apparently do not trust that
errno will always be set correctly.
This is a fancy wrapper around "cat <<EOF", but:
- the user doesn't need to figure out the file name,
- parent directories are created automatically,
- daemon-reload is implied,
so it's a convenient way to create units or drop-ins.
Luca Boccassi [Tue, 5 Dec 2023 15:43:12 +0000 (15:43 +0000)]
switch-root: also check that mount IDs are the same, not just inodes
If /run/nextroot/ has been set up, use it, even if the inodes are
the same. It could be a verity device that is reused, but with
different sub-mounts or other differences. Or the same / tmpfs with
different /usr/ mounts. If it was explicitly set up we should use it.
Use the new helper to check that the mount IDs are also the same,
not just the inodes.
If the user edits result in an empty file (after stripping), we would silently
not do anything, aborting the edit. This is rather confusing, let's emit a
notice:
$ build/systemctl --user edit asdf.service --full --stdin </dev/null
/home/zbyszek/.config/systemd/user/asdf.service: after editing, new contents are empty, not writing file.
(This also works with an editor, instead of --stdin. The message is printed on
the console and is visible after the editor exits.)
While at it, fix the condition to skip writing file after stripping. We had
"old_contents", but we modified that string. In some code flows, we would
compare the stripped old contents (i.e. a string which by defintion doesn't
have a newline at the end) with a string to which we just appended a newline
(i.e. a string which by defintion has a newline at the end).
shared/edit-util: split out function to populate temp file
In preparation for future changes: I want to add a mode where interactive
editing is not done, and when this preparation is moved to a helper, it's much
easier to skip it.
e->line is initialized to 1 and overwritten even if sync fails. Theoretically
this is against our style, but the alternative is to propagate a temporary
value of line through the layers, which adds a lot of noise. If we fail, this
EditFile object will not be used for anything, to the changed value of .line
has no effect.
HibernateInfo.from_efi is not actually useful. info.efi is only
set if the system identifier stored in EFI variable matches with
that of the running system, and thus the variable should be cleared
no matter whether resume= is set from kernel cmdline or not.
test: set correct group for systemd-journal-upload tests
We can't use the systemd-journal-upload user here, since it's created
dynamically by DynamicUser=yes. However, we can use the group specified
in SupplementaryGroups=, so do exactly that.
Revert "sysusers.d: create the user for systemd-journal-upload.service"
I have no idea what was my reasoning that led to this change, but it is
simply wrong: systemd-journal-upload.service uses
User=systemd-journal-upload together with DynamicUser=yes, so the user
doesn't have to (and shouldn't) exist before starting the service.
The original reason for deny-listing it was that it's flaky there. I'm
not sure if that's still the case, but the Ubuntu CI jobs for i*86 are
gone, so this file shouldn't be needed anymore anyway.
Yu Watanabe [Sun, 3 Dec 2023 12:56:26 +0000 (21:56 +0900)]
journald: also remove runtime journal directories with a different machine ID
Otherwise, even if the journal files in the directories are flushed to
the persistent storage, still they are opened by e.g. journalctl, and it
may show duplicated entries.
Also, the journal files may be flushed to the persistent storage more
than once.
The current system journal's seqnum ID will usually be different from
the seqnum ID of the current runtime journal. Therefore, to avoid
unnecessary rotations on boot, reset the runtime seqnum data when
switching to system journal so that systemd-journald will adopt the
system journal's seqnum ID and value on next write.
The regexp only worked if the sections were small enough for the size to
start with "0". I have an initrd that is 0x1078ec7e bytes, so the tests
would spuriously fail.
Note, currently, the function is always called with SCMP_ACT_ALLOW as
the default action, except for the test. So, this should not change
anything in the runtime code.
run: fix bad escaping and memory ownership confusion
arg_description was either set to arg_unit (i.e. a const char*), or to
char *description, the result of allocation in run(). But description
was decorated with _cleanup_, so it would be freed when going out of the
function. Nothing bad would happen, because the program would exit after
exiting from run(), but this is just all too messy.
Also, strv_join(" ") + shell_escape() is not a good way to escape command
lines. In particular, one the join has happened, we cannot distinguish
empty arguments, or arguments with whitespace, etc. We have a helper
function to do the escaping properly, so let's use that.
core: when applying syscall filters, use ENOSYS for unknown calls
glibc starting using fchmodat2 to implement fchmod with flags [1], but
current version of libseccomp does not support fchmodat2 [2]. This is
causing problems with programs sandboxed by systemd. libseccomp needs to know
a syscall to be able to set any kind of filter for it, so for syscalls unknown
by libseccomp we would always do the default action, i.e. either return the
errno set by SystemCallErrorNumber or send a fatal signal. For glibc to ignore
the unknown syscall and gracefully fall back to the older implementation,
we need to return ENOSYS. In particular, tar now fails with the default
SystemCallFilter="@system-service" sandbox [3].
This is of course a wider problem: any time the kernel gains new syscalls,
before libseccomp and systemd have caught up, we'd behave incorrectly. Let's
do the same as we already were doing in nspawn since 3573e032f26724949e86626eace058d006b8bf70, and do the "default action" only
for syscalls which are known by us and libseccomp, and return ENOSYS for
anything else. This means that users can start using a sandbox with the new
syscalls only after libseccomp and systemd have been updated, but before that
happens they behaviour that is backwards-compatible.
In seccomp_restrict_sxid() there's a chunk conditionalized with
'#if defined(__SNR_fchmodat2)'. We need to kep that because seccomp_restrict_sxid()
seccomp_restrict_suid_sgid() uses SCMP_ACT_ALLOW as the default action.
DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for
removal in a future version. Use timezone-aware objects to
represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
The difference between the two is that .now(datetime.UTC) returns an object with
a timezone attached, "the numbers" are the same.
This value is fed to cryptography's x509.CertificateBuilder object, so as long
as it can accept a datetime object with tzinfo, the result should be identical.
Takashi Sakamoto [Wed, 29 Nov 2023 13:39:50 +0000 (22:39 +0900)]
hwdb: ieee1394-unit-function: arrangement for Sony DVMC-DA1
A commit 6a42bdb37e39 ("hwdb: ieee1394-unit-function: add Sony
DVMC-DA1") is based on kernel feature unreleased yet (furthermore, not
merged yet). The original intension of new entry is to configure permission
of special file for FireWire character device, so this commit changes the
entry so that it can covers the issued case in existent version of Linux
kernel as out best effort.
When the new version of Linux kernel is released with the new feature,
then following commits would fulfill the hwdb with vendor and model names.
Yu Watanabe [Mon, 27 Nov 2023 02:55:49 +0000 (11:55 +0900)]
sd-journal: fix corrupted journal handling of generic_array_bisect()
Let's consider the following case:
- the direction is down,
- no cached entry,
- the array has 5 entry objects,
- the function test_object() reutns TEST_LEFT for the 1st object,
- the 2nd, 3rd, and 4th objects are broken, so generic_array_bisect_step()
returns TEST_RIGHT for the object.
Then, previously, generic_array_bisect_step() updated the values like the following:
0th: (m = 5, left = 0, right = 4, i = 4) -> (m = 4, left = 0, right = 3, RIGHT)
1st: (m = 4, left = 0, right = 3, i = 1) -> (m = 4, left = 2, right = 3, LEFT)
2nd: (m = 4, left = 2, right = 3, i = 2) -> (m = 2, left = 2, right = 1, RIGHT) <- ouch!!
So, assert(left < right) in generic_array_bisect() was triggered.
See issue #30210.
In such situation, there is no matching entry in the array. By returning
TEST_GOTO_PREVIOUS, generic_array_bisect() handles the result so.
Yu Watanabe [Wed, 29 Nov 2023 21:46:21 +0000 (06:46 +0900)]
sd-journal: ignore failure in testing cached corrupted entry
Let's consider the case that the 1st entry in an array is broken, but
n-th entry is valid. Then, if generic_array_get() is called to read
n-th object, the offset of the broken entry is cached by the function.
If generic_array_bisect() is followed, even if the matching entry is
valid, it always fail with -EBADMSG or friends, as the function test the
cached entry at the beginnning. Let's ignore the failure in testing the
cached entry.
Mike Yuan [Thu, 30 Nov 2023 12:09:29 +0000 (20:09 +0800)]
core/exec-invoke: prevent potential double-close of exec_fd
If exec_fd is closed in add_shifted_fd() by close_and_replace(),
but something goes wrong later, we may close exec_fd twice
in exec_params_shallow_clear().
I see myself frequently typing in "journalctl --file=…". That's a lot to
type. Let's add a short switch too. Unfortunately, "-f" and "-F" are
already taken, hence let's pick "-i".