To avoid having "#if HAVE_PCRE2" all throughout the code, let's
confine the pcre2 header specific stuff to pcre2-util.c. Instead of
exposing all the individual symbols from pcre2, let's only expose
three high level functions that do all we need:
- pcre2_pattern_compile(): Compile the regex
- pcre2_pattern_matches(): Check if the compiled regex matches a message
- pcre2_pattern_free(): Free the compiled regex
We expose the compiled pcre2 pattern (which is of type pcre2_code *) as
a void pointer to avoid having to include pcre2.h in all code where we
work with compiled pcre2 patterns. For readability, we typedef void
to pcre2_pattern and use that as the type specifier for compiled pcre2
patterns.
We always should use size_t for sizes of arrays (and any size of memory,
in fact), unless there's a strong reason to use something else. Hence,
let's fix these cases where we sloppily used "unsigned" or "int"
instead.
No change in behaviour, this is just to make things less surprising for
the random reader.
systemd-sysctl currently fails silently under any of these conditions:
- Missing permission to write a sysctl.
- Invalid sysctl (path doesn't exists).
- Ignore failure flag ('-' in front of the sysctl name).
Because of this behaviour, configuration issues can go unnoticed as
there is no way to detect those unless going through the logs.
--strict option forces systemd-sysctl to fail if a sysctl is invalid or
if permission are insufficient. Errors on sysctl marked as "ignore
failure" will still be ignored.
And this makes the new merged function `sd_nfnl_nft_message_new_setelems()`
not open container, as containers should be opened and closed in the
same function in general. Otherwise, it is hard to understand which
level we are in the nested attribute tree.
- rename family -> nfproto, and other arguments,
- check specified nfproto,
- change type of several function arguments that specify data length,
- add several assertions,
- drop unnecessary headers.
This makes udevd reload rules only when the timestamp is updated,
even on SIGHUP or `udevadm control --reload`.
So, we can call `udevadm control --reload` without huge performance
penalty when no rules, .link files, and so on are changed.
Previously, if activation failed, link did not enter the failed state,
but still Link.activated flag not set. Hence, nothing processed even if
the interface is manually brought up later.
Partially fixes#23649.
For the system manager, /run/systemd/private is publicly accessible, because
/run/systemd is 0755, and /run/systemd/private is 0777. For the user manager,
/run/user/<uid> is 0700, and /run/user/<uid>/systemd/private is 0777. This
does not directly cause any security issue because we check the sender in
bus_check_peercred (ucred.uid != 0 && ucred.uid != geteuid()).
But it makes sense to limit access to the socket to avoid wasting time in PID1.
Somebody could send messages there that'd we'd reject anyway. It also makes
things more explicit.
This can be easily used to show that the issue described in
ceedbf8185 is still reproduced:
$ strace -e execveat build/test-execve /bin/grep Name /proc/self/status
execveat(3, "", ["/bin/grep", "Name", "/proc/self/status"], NULL, AT_EMPTY_PATH) = 0
Name: 3
libblkid gained new tags - FSSIZE, FSLASTBLOCK and FSBLOCKSIZE.
These tags are filesystem related properties probed from superblock.
All of them are enabled by BLKID_SUBLKS_FSINFO flag.
Set the flag to allow these tags to be cached in udev db.
