Let's use first_word() instead of startswith(), it's more explanatory
and a bit more correct. Also, let's use the return value instead of
adding +9 when looking for the second part of the directive.
conf-parser: let's explicitly deprecate .include in unit files
.include lines are already deprecated somewhat, and for example
explicitly not mentioned in the documentation for this reason. Let's get
one step further and generatea warning when we encounter them (but still
process them).
Why are they deprecated? Because they are semantically awful — they
complicate stat() based mtime checks for configuration files and they
allow arbitrary loops we currently have zero protection against and
really shouldn't have to have.
When mangling names, optionally emit a warning (#8400)
The warning is not emitted for absolute paths like /dev/sda or /home, which are
converted to .device and .mount unit names without any fuss.
Most of the time it's unlikely that users use invalid unit names on purpose,
so let's warn them. Warnings are silenced when --quiet is used.
$ build/systemctl show -p Id hello@foo-bar/baz
Invalid unit name "hello@foo-bar/baz" was escaped as "hello@foo-bar-baz" (maybe you should use systemd-escape?)
Id=hello@foo-bar-baz.service
$ build/systemd-run --user --slice foo-bar/baz --unit foo-bar/foo true
Invalid unit name "foo-bar/foo" was escaped as "foo-bar-foo" (maybe you should use systemd-escape?)
Invalid unit name "foo-bar/baz" was escaped as "foo-bar-baz" (maybe you should use systemd-escape?)
Running as unit: foo-bar-foo.service
move MANAGER_IS_RELOADING() check into manager_recheck_{dbus|journal}() (#8510)
Let's better check this inside of the call than before it, so that we
never issue this while reloading, even should these calls be called due
to other reasons than just the unit notify.
This makes sure the reload state is unset a bit earlier in
manager_reload() so that we can safely call this function from there and
they do the right thing.
Long Li [Wed, 21 Mar 2018 10:51:28 +0000 (03:51 -0700)]
v3: Properly parsing SCSI Hyperv devices (#8509)
Since 2016, Hyperv devices moved to using standard way to expose UUID to sysfs. Fix the parsing function to work with the newer format.
Change log:
v2: changed code to work with both old and new path format
v3: changed guid_str_len type to size_t, fixed length in char guid[] in handle_scsi_hyperv()
Yu Watanabe [Wed, 21 Mar 2018 04:39:03 +0000 (13:39 +0900)]
nss-systemd: make dynamic users enumerable by `getent`
This adds `setpwent()`, `getpwent_r()`, `endpwent()`, `setgrent()`,
`getgrent_r()`, and `endgrent()` interfaces to nss-systemd library.
Thus, dynamic users can be enumerated by e.g. `getent passwd` command.
core/load-fragment: reject overly long paths early
No need to go through the specifier_printf() if the path is already too long in
the unexpanded form (since specifiers increase the length of the string in all
practical cases).
In the oss-fuzz test case, valgrind reports:
total heap usage: 179,044 allocs, 179,044 frees, 72,687,755,703 bytes allocated
and the original config file is ~500kb. This isn't really a security issue,
since the config file has to be trusted any way, but just a matter of
preventing accidental resource exhaustion.
journal: don't insist that the journal file header's boot ID matches the last entry
We update the boot ID whenever the file is opened for writing (i.e. set
to ONLINE stat), even if we never write a single entry to it. Hence,
don't insist that the last entry's boot ID matches the file header.
Alex Gartrell [Tue, 27 Feb 2018 05:56:35 +0000 (21:56 -0800)]
journal: provide compress_threshold_bytes parameter
Previously the compression threshold was hardcoded to 512, which meant that
smaller values wouldn't be compressed. This left some storage savings on the
table, so instead, we make that number tunable.
basic/fs-util: skip fsync_directory_of_file() if /proc/self/fd/ is not available (#8386)
When systemd is running under lorax (in Fedora compose process), it'd think that
it failed to write /etc/machine-id, even though the write succeeded, because
fsync_directory_of_file() would fail, because /proc/self/fd/ is not available.
fsync_directory_of_file() is mostly an additional safety net, so I think it's best
to just silently ignore the error.
Strace of pid1:
35791 stat("/etc", {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0
35791 openat(AT_FDCWD, "/etc/machine-id", O_RDWR|O_CREAT|O_NOCTTY|O_CLOEXEC, 0444) = 3
35791 umask(022) = 000
35791 read(3, "", 38) = 0
35791 openat(AT_FDCWD, "/var/lib/dbus/machine-id", O_RDONLY|O_NOCTTY|O_NOFOLLOW|O_CLOEXEC) = -1 ENOENT (No such file o
r directory)
35791 openat(AT_FDCWD, "/sys/class/dmi/id/product_name", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
35791 openat(AT_FDCWD, "/sys/class/dmi/id/sys_vendor", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
35791 openat(AT_FDCWD, "/sys/class/dmi/id/board_vendor", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
35791 openat(AT_FDCWD, "/sys/class/dmi/id/bios_vendor", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
35791 access("/proc/xen", F_OK) = -1 ENOENT (No such file or directory)
35791 openat(AT_FDCWD, "/sys/hypervisor/type", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
35791 openat(AT_FDCWD, "/proc/cpuinfo", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
35791 getrandom("\xb8\x82\xed\xd4\x35\x11\xd0\xeb\xa6\x79\xd7\x31\x6e\x7b\x99\xce", 16, GRND_NONBLOCK) = 16
35791 writev(2, [{iov_base="Initializing machine ID from random generator.", iov_len=46}, {iov_base="\n", iov_len=1}],
2) = 47
35791 lseek(3, 0, SEEK_SET) = 0
35791 ftruncate(3, 0) = 0
35791 write(3, "b882edd4351140eba679d7316e7b99ce\n", 33) = 33
35791 fsync(3) = 0
35791 fstat(3, {st_mode=S_IFREG|0444, st_size=33, ...}) = 0
35791 readlinkat(AT_FDCWD, "/proc/self/fd/3", 0x564df8c694c0, 99) = -1 ENOENT (No such file or directory)
35791 close(3) = 0
35791 umask(022) = 022
35791 openat(AT_FDCWD, "/run/machine-id", O_WRONLY|O_CREAT|O_NOCTTY|O_TRUNC|O_CLOEXEC, 0444) = 3
35791 write(3, "b882edd4351140eba679d7316e7b99ce\n", 33) = 33
35791 close(3) = 0
35791 umask(022) = 022
35791 mount("/run/machine-id", "/etc/machine-id", NULL, MS_BIND, NULL) = 0
35791 writev(2, [{iov_base="Installed transient /etc/machine-id file.", iov_len=41}, {iov_base="\n", iov_len=1}], 2) = 42
35791 mount(NULL, "/etc/machine-id", NULL, MS_RDONLY|MS_REMOUNT|MS_BIND, NULL) = 0
nspawn: move network namespace creation to a separate step (#8430)
Fixes #8427.
Unsharing the namespace in a separate step changes the ownership of
/proc/net/ip_tables_names (and related files) from nobody:nobody to
root:root. See [1] and [2] for all the details.
mkosi: set file permissions in copy of source tree (#8370)
Meson keeps permissions around during the build, so details of how umask
was set when cloning the original git tree will leak all the way to the
installed files in the mkosi image.
So reset the permissions of the files in the copy of the tree before
starting the build.
Also set the umask explicitly.
Tested by creating a mkosi image and booting it on a tree that was
cloned with a umask of 027, confirmed that the *.target files were not
created as world-unreadable anymore.
seccomp: enable RestrictAddressFamilies on ppc (#8505)
In commit da1921a5c3 ppc64/ppc64el were added as supported architectures for
socketcall() for the POWER family. Extend the support for the 32bits
architectures.
Franck Bui [Tue, 20 Mar 2018 08:32:05 +0000 (09:32 +0100)]
sysusers: also add support for NIS entries in /etc/shadow
Commit 563dc6f8e2cda4114dd20f32655890ed378c3740 added support for
/etc/{passwd,group} only but since nsswitch.conf(5) appears to document the NIS
entries also for shadow, let's support this case too.
hwdb: ThinkPad T560 doesn't have a caps lock led (#8490)
Similar to 16bed3afa1b916ace5e927392a1baab9dd9ff963, this model also doesn't have the
LED.
```
cat /sys/class/dmi/id/modalias
dmi:bvnLENOVO:bvrN1KET16W(1.03):bd01/20/2016:svnLENOVO:pn20FH001AMX:pvrThinkPadT560:rvnLENOVO:rn20FH001AMX:rvrSDK0J40705WIN:cvnLENOVO:ct10:cvrNone:
```
Yu Watanabe [Wed, 14 Mar 2018 08:48:29 +0000 (17:48 +0900)]
tree-wide: voidify pager_open()
Even if pager_open() fails, in general, we should continue the operations.
All erroneous cases in pager_open() show log message in the function.
So, it is not necessary to check the returned value.
Once upon a time shutdown.c didn't have the logic to check whether any
unmount attempts succeeded or not. So instead it kept looping for
a fixed amount and hoped all was right. Nowadays, we do know if we
changed anything during a iteration and also stop looping then, but
we still limit ourselves to FINALIZE_ATTEMPTS.
But, theoretically, we could have such a complicated and nested
setup that would survive that limit, leaving stuff around we
might actually be able to unmount. And we could also end up in a
situation where the extra loop with raised unmount error level could
be skipped too.
So let's just drop the retries logic and rely fully on the changed
flag.
It's common for sysusers files to contain quotes (in particular around the
comment/GECOS field), and using echo "..." is very likely to not work properly
in that case. Let's use <<EOF redirection. It's not bulletproof, but should
work in general.
core/unit: delay creating a stack variable until after length has been checked
path_is_normalized() will reject paths longer than 4095 bytes, so it's better
to not create a stack variable of unbounded size, but instead do the check first
and only then do that allocation.
fuzz-unit-file: simply do not test ListenNetlink= at all
msan doesn't understand sscanf with %ms, so it falsely reports unitialized
memory. Using sscanf with %ms is quite convenient in
socket_address_parse_netlink(), so let's just not run the fuzzer for
ListenNetlink= at all for now. If msan is fixed, we can remove this.
fuzz: add test case for oss-fuzz #6897 and a work-around
The orignal reproducer from oss-fuzz depends on the hostname (via %H and %c).
The hostname needs a dash for msan to report this, so a simpler case from
@evverx with the dash hardcoded is also added.
The issue is a false positive from msan, which does not instruct stpncpy
(https://github.com/google/sanitizers/issues/926). Let's add a work-around
until this is fixed.
unit-file: do not allow bogus IOSchedulingClass values
We have only three bits of space, i.e. 8 possible classes. Immediately reject
anything outside of that range. Add the fuzzer test case and an additional
unit test.
basic/calendarspec: set a limit on length of calendarspec component chains
We probably should allow very deep calls of our recursive functions. Let's add
a limit to avoid resource exhaustion. 240 is 10 per hour (if somebody is using
this for time based triggers...), so it should be more than enough for most use
cases, and is conveniently below the 250 stack limit in msan.
core: when reloading, delay any actions on journal and dbus connections
manager_recheck_journal() and manager_recheck_dbus() would be called to early
while we were deserialiazing units, before the systemd-journald.service and
dbus.service have been deserialized. In effect we'd disable logging to the
journald and close the bus connection. The first is not very noticable, it
mostly means that logs emitted during deserialization are lost. The second is
more noticeable, because manager_recheck_dbus() would call bus_done_api() and
bus_done_system() and close dbus connections. Logging and bus connection would
then be restored later after the respective units have been deserialized.
This is easily reproduced by calling:
$ sudo gdbus call --system --dest org.freedesktop.systemd1 --object-path /org/freedesktop/systemd1 --method "org.freedesktop.systemd1.Manager.Reload"
which works fine before 8559b3b75cb, and then starts failing with:
Error: GDBus.Error:org.freedesktop.DBus.Error.NoReply: Remote peer disconnected
None of this should happen, and we should delay changing state until after
deserialization is complete when reloading. manager_reload() already included
the calls to manager_recheck_journal() and manager_recheck_dbus(), so the
connection state will be updated after deserialization during reloading is done.
projects / thirdparty / systemd.git / log
