I don't think list is particularly useful here. The passed fds are
constant for the lifetime of service, and with this commit we track
the number of extra fds in a dedicated var anyway.
This is a new syscall provided by the kernel used to implement faster
uprobes. It's not supposed to be called by userspace, but only by kernel
generated uprobe code.
It should be fine to allow this, as the kernel authenticates the
invocation itself, and we shouldn't break compat with things.
Note that this allowlisting is not sufficient to make ureprobe() work.
libseccomp must be tought the syscall too, but this can happen
independently.
smbios: move validation of SMBIOS table sizes fully into get_smbios_table()
We do half a validation currently ourselves (i.e. check the header fits
into the rest of the data), and leave the other half to the
caller (i.e. check the table fits into the rest of the data).
get_smbios_table() is changed to accept the minimum object size and
validates it before returning a table.
Daan De Meyer [Thu, 10 Oct 2024 13:54:57 +0000 (15:54 +0200)]
stdio-bridge: Use customized log message for forwarding bus
Let's more clearly indicate that we failed to set up the server
which forwards messages from the remote client to the local bus
instead of logging a generic bus client message.
Daan De Meyer [Wed, 9 Oct 2024 10:10:44 +0000 (12:10 +0200)]
bus-util: Move geteuid() check out of bus_connect_system_systemd()
Let's move this check to bus_connect_transport_systemd() so that
bus_connect_system_systemd() will only ever connect to the manager
private manager bus instance and fail otherwise.
Daan De Meyer [Wed, 9 Oct 2024 09:44:34 +0000 (11:44 +0200)]
bus-util: Drop fallback to system/user bus if manager bus doesn't work
We have various callsites that explicitly need the manager bus and
won't work with the system bus, like daemon-reexec and friends which
can't properly wait until the operation has finished unless using the
manager bus.
If we silently fall back to the system bus for these operations, we
can end up with rather hard to debug issues so let's remove the fallback
as it was added back in 2013 in a6aa89122d2fa5e811a72200773068c13bfffea2
without a clear explanation of why it was needed (I expect as a fallback
if kdbus wasn't available but that's not a thing anymore these days).
Daan De Meyer [Wed, 9 Oct 2024 14:37:06 +0000 (16:37 +0200)]
update-utmp: Make reconnect logic more robust
We might also fail to connect to the private manager bus itself if
the daemon-reexec is still ongoing, so let's handle that as well by
retrying on ECONNREFUSED.
Daan De Meyer [Wed, 9 Oct 2024 12:49:07 +0000 (14:49 +0200)]
mkosi: Fix up ownership of testuser home directory on first boot
When building unprivileged, the testuser home directory ends up
owned by root:root because mkosi can't chown directories to other
owners when running unprivileged. So let's fix up the testuser
ownership on first boot with tmpfiles instead.
json: add builder/dispatcher for PidRef → JSON and back
So far, at the one place we sent a PID over Varlink we did so as a
simple numeric pid_t value. That's of course is racy, since classic PIDs
are recycled too eagerly.
Let's address that, by passing around JSON objects distantly resembling our
PidRef structure. Note that this JSON object does *not* contain the
pidfd, however, but just the pidfd inode number if known.
I originally planned to include the pidfd in some direct form, but I
figured that's not really the best idea, since we always need a
side-channel of some form for that (i.e. AF_UNIX/SCM_RIGHTS), but we
should be able to report about PIDs even without that.
Moreover, while sending the pid number and pidfd id around should always
be OK to do, it's a lot more problematic to always send a pidfd around,
since that implies that fd passing is on and it is OK to install fds
remotely in some IPC peers fd table. For example, when doing a wild dump
of service manager service state we really shouldn't end up with a bunch
of fds installed in our client's fd table.
Hence, all in all I think it is cleaner to define a structure carrying
pid number and pidfd inode id, wich is passed directly as JSON. And then
optionally, in a separate field also pass around a pidfd where it makes
sense.
Note that sending around pidfds is not that beneficial anymore if we
have the pidfd inode id, because we can always securely and reliably get
a pidfd back from a pair of pid + inode id: first we do pidfd_open() on
the pid, and then we check if it is really the right one by comparing
.st_ino after fstat().
This logic is implemented gracefully: if for some reason pidfd/pidfd
inode nrs are not available (too old kernel), we'll fall back to plain
PID numbers.
The dispatching logic knows two distinct levels of validation of the
provided PID data: if SD_JSON_STRICT is specified we'll acquire a pidfd
for the PID, thus verifying it currently exists and failing if it
doesn't. If the flag is not set, well just store the provided info
as-is, will try to acquire a pidfd for it, but not fail if we cannot.
Both modes are important in different contexts.
Also note that in addition to the pidfd inode nr we always store the
current boot ID of the system in the JSON object, since only the
combination of pidfd inode nr and boot ID of the system really is a
world-wide unique reference to a process.
When dispatching a JSON pid field we operate somewhat gracefully: we
either support the triplet structure of pid, pid inode nr, boot id, or
we accept a simple classic UNIX pid.
varlink-idl: introduce c/.h file for common varlink IDL structures
Some structures we'll use in various varlink interfaces, move them to a
common .c/.h file. For now this is only the dual timestamp object, but
there will be more soon.
Daan De Meyer [Thu, 10 Oct 2024 20:37:39 +0000 (22:37 +0200)]
rpm/systemd-update-helper: Use systemctl reload to reexec/reload user managers
Let's always use systemctl reload to reexec and reload user managers
now that it always implies a reexec. This moves all the job management
logic to pid 1 instead of bash and reduces the complexity of the logic
as we remove systemd-run, pam and systemd-stdio-bridge from the equation.
Mike Yuan [Thu, 10 Oct 2024 19:32:17 +0000 (21:32 +0200)]
units/{user,capsule}@.service: issue daemon-reexec when notify-reloading
Closes #28367 (but not really in the exact form, see below)
We have the problem of restarting all user manager instances
after upgrade. Current approaches involve systemctl kill
with SIGRTMIN+25, which is async and feels rather ugly [1][2];
or systemctl --machine=user@ --user, which requires entering
each user session. Neither is particularly elegant.
Instead, let's just signal daemon-reexec when user@.service
is reloaded from system manager. Our long goal of dropping
daemon-reload in favor of reexec (see TODO) is unlikely to happen
due to user dbus restrictions, but here the synchronization
is done via READY=1.
#28367 would not really work for us now I come to think about it,
because all processes will be reparented to pid1 as soon as
original user manager process exits. This alternative approach
seems good enough for our use case.
Mike Yuan [Thu, 10 Oct 2024 19:06:35 +0000 (21:06 +0200)]
core/manager-serialize: drop serialization for Manager.ready_sent
This field indicates whether READY=1 has been sent to
the service manager/supervisor. Whenever we reload/reexec/soft-reboot,
manager_send_reloading() always resets it to false first,
so that READY=1 is sent after reloading finishes. Hence
we utterly get "false" at all times. Kill it.
The offending commit wrongly assumed that the second READY=1
notification is for system scope only, but it also serves the purpose
of flushing out previous STATUS= containing user unit job status.
Uday Shankar [Thu, 10 Oct 2024 20:29:10 +0000 (14:29 -0600)]
udev: allow persistent storage rules for ublk devices
Tools such as lsblk which query the udev database instead of probing
devices directly fail when run on ublk devices. For instance, in the
following commands, the partition type is missing, despite the fact that
/dev/ublkb0 was just partitioned with a single Linux filesystem type
partition.
$ lsblk /dev/ublkb0
NAME MAJ:MIN RM SIZE RO TYPE MOUNTPOINTS
ublkb0 259:0 0 31.3G 0 disk
└─ublkb0p1 259:1 0 31.2G 0 part
$ lsblk -o pkname,parttype /dev/ublkb0
PKNAME PARTTYPE
ublkb0
This happens because ublk devices are missing from a couple of
whitelists in the udev rules which are responsible for populating the
database with the data lsblk is looking for. Add the ublk devices to
these whitelists.
David Rheinsberg [Fri, 11 Oct 2024 07:53:25 +0000 (09:53 +0200)]
docs/DESKTOP_ENVIRONMENTS: fix formatting
The annotation about omittance is meant to be about the `RANDOM` string.
However, the current formatting makes it look like the entire naming
scheme is optional. Fix this.
Yu Watanabe [Thu, 10 Oct 2024 03:30:41 +0000 (12:30 +0900)]
sd-netlink: various cleanups
- use uint8_t, uint16_t, and so on, rather than unsigned char, unsigned
short, and so on, respectively,
- rename output parameters to ret or ret_xyz,
- add several missing assertions.
man: reword comment a bit regarding ExecStartPre= multiple commands
The documentation claimed that ExecStartPre=/ExecStartPost= accepts
multiple command lines, in contrast to ExecStart=. This is half an
untruth, because ExecStart= allows that too – as long as Type=oneshot is
set.
Hence, reword this a bit, and do not emphasize the contrast.
Ivan Kruglov [Thu, 10 Oct 2024 09:51:57 +0000 (11:51 +0200)]
machine: switch to use PidRef when lookup machine by pid in dbus and varlink interfaces
This commit includes adding introduce manager_get_machine_by_pidref() as a replacement for manager_get_machine_by_pid()
and moving surrounding code to utilise PidRef.
Yu Watanabe [Wed, 9 Oct 2024 01:07:31 +0000 (10:07 +0900)]
login: provide delayed action in ScheduledShutdown property
Even though we can get the existence of delayed action through
PreparingForShutdownWithMetadata property or friends, for consistency
with CancelScheduledShutdown() method, it is better to also provide the
information through ScheduledShutdown property.
Tobias Fleig [Tue, 8 Oct 2024 14:54:43 +0000 (07:54 -0700)]
stub: Add support for .initrd addon files
Teaches systemd-stub how to load additional initrds from addon files.
This is very similar to the support for .ucode sections in addon files,
but with different ordering. Initrds from addons have a chance to
overwrite files from the base initrd in the UKI.
WilliButz [Fri, 4 Oct 2024 17:51:57 +0000 (19:51 +0200)]
repart: derive hash partition size from SizeMaxBytes= of data sibling
This change makes it possible for repart to create dm-verity hash
partitions for a custom amount of protected data. When the property
`SizeMaxBytes=` is specified for a dm-verity data partition, the size
of the corresponding hash partition is set to accommodate hash data
for this maximum size, rather than the actual contents its data
sibling. However, the contained hash data continues to be generated
from said sibling.
projects / thirdparty / systemd.git / log
