system/systemd
system/systemd
1
0
Fork 0
mirror of https://github.com/systemd/systemd synced 2024-10-14 20:17:52 +00:00
Code Issues Packages Projects Releases Wiki Activity
70735 commits 3 branches 390 tags 584 MiB
Commit graph

70735 commits

This branch
This branch
All branches
Author SHA1 Message Date
Luca Boccassi 9ca13d60db executor: really set POSIX_SPAWN_SETSIGDEF for posix_spawn 
posix_spawnattr_setflags() doesn't OR the input to the current set of flags,
it overwrites them, so we are currently losing POSIX_SPAWN_SETSIGDEF.

Follow-up for: 6ecdfe7d10
 2024-02-05 16:26:01 +00:00
Frantisek Sumsal 4e71714bca README: bump the gcc baseline to 8.4 
We already use __VA_OPT__ in multiple places, which was introduced in
gcc 8 [0], so let's bump the baseline to reflect that. I chose gcc 8.4,
as that was the lowest 8.x version I could easily get my hands on when I
verified this (on Ubuntu Focal with the gcc-8 package).

Closes: #31191

[0] https://gcc.gnu.org/gcc-8/changes.html
 2024-02-05 10:45:10 +00:00
Mike Yuan 9524c519a2
Merge pull request #31197 from YHNdnzj/protect-system-cred 
core/service: set up credentials for all start-post commands too
 2024-02-05 16:06:42 +08:00
Mike Yuan 39f4504de8
core/service: allow ExecStartPost= cmds to access creds 
Fixes #31194
 2024-02-05 00:57:06 +08:00
Mike Yuan a145623bc4
core/service: don't setup credentials for ExecCondition= and ExecReload= 
This seems to be a mistake in #27279. I believe credentials should
not be made available to condition or reload tasks. In most cases
they're irrelevant from the actual job of the service. Also, currently
the first ExecCondition= or ExecReload= cannot access creds anyway,
making the incompatibility introduced negligible.

If people actually come up with valid use cases, we can always
revisit this.
 2024-02-05 00:52:46 +08:00
Mike Yuan fe760177fe
core/service: don't give ExecStopPost= commands tty access 
All tasks spawned later than ExecStart= (e.g. ExecReload=, ExecStop=, ...)
don't get tty access. ExecStopPost= is the odd one out. Fix that.
 2024-02-05 00:47:07 +08:00
Mike Yuan 81006ebbd7
core/service: introduce service_exec_flags 
As suggested in
https://github.com/systemd/systemd/pull/31197#pullrequestreview-1861297477

Note that this slightly changes the behavior for
ExecReload=, ExecCondition= and ExecStartPost=. Will
be explained/corrected in later commits.
 2024-02-05 00:46:39 +08:00
Mike Yuan a5801e9714
core/unit: use ASSERT_PTR and strdup_or_null more 2024-02-05 00:37:00 +08:00
Mike Yuan d3131ea28c
core/exec-invoke: don't duplicate needs_sandboxing condition 2024-02-04 16:35:16 +08:00
Mike Yuan 881dbad1f1
core/exec-credential: make param const where appropriate 2024-02-04 16:35:13 +08:00
James Muir c0c852a8bb bulgarian: use "RateLimitIntervalSec" rather than "RateLimitInterval" 
Update Bulgarian translation.  "RateLimitIntervalSec" is the current option
name.  "RateLimitInterval" is the legacy option name.
 2024-02-04 02:42:09 +09:00
Frantisek Sumsal a0485e07b3 test_ukify: use raw string for the regex 
To get rid of the "invalid escape sequence" warning:

=============================== warnings summary ===============================
../src/ukify/test/test_ukify.py:876
  ../src/ukify/test/test_ukify.py:876: SyntaxWarning: invalid escape sequence '\s'
    assert re.search('Issuer: CN\s?=\s?SecureBoot signing key on host', out)
 2024-02-04 02:41:03 +09:00
Anders Jonsson 660be5c5af po: Translated using Weblate (Swedish) 
Currently translated at 100.0% (227 of 227 strings)

Co-authored-by: Anders Jonsson <anders.jonsson@norsjovallen.se>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/master/sv/
Translation: systemd/main
 2024-02-03 12:47:07 +01:00
Ivan Shapovalov 00fcd79e65 nspawn: permit --ephemeral with --link-journal=try-* (treat as =no) 
Common sense says that to "try" something means "to not fail if
something turns out not to be possible", thus do not make this
combination a hard error.

The actual implementation ignores any --link-journal= setting when
--ephemeral is in effect, so the semantics are upheld.
 2024-02-03 03:03:41 +09:00
Vladimir Stoiakin 85686b37b0 cryptenroll: allow to use a public key on a token 
This patch allows systemd-cryptenroll to enroll directly with a public key if a certificate is missing on a token.

Fixes: #30675
 2024-02-03 03:00:51 +09:00
Antonio Alvarez Feijoo e104d77da2 man/systemd-bsod: fix command path 2024-02-03 02:59:44 +09:00
Frantisek Sumsal ce45fe2a32 test: wait until the test binary starts the test aux scope 
Otherwise we might continue too early on slower machines:

[   53.777485] testsuite-07.sh[675]: + systemd-run --unit test-aux-scope.service -p Slice=aux.slice -p Type=exec -p TasksMax=99 -p CPUWeight=199 -p IPAccounting=yes /usr/lib/systemd/tests/unit-tests/manual/test-aux-scope
[   55.399526] testsuite-07.sh[679]: Running as unit: test-aux-scope.service; invocation ID: 375dc3e2d12f4af1bedfe80a23709e37
[   55.512917] testsuite-07.sh[691]: ++ systemctl show --value --property MainPID test-aux-scope.service
[   56.947713] testsuite-07.sh[675]: + kill -s USR1 680
[   56.947713] testsuite-07.sh[675]: + sleep 1
[   58.058809] testsuite-07.sh[675]: + systemctl status test-aux-scope.service
[   58.902808] testsuite-07.sh[695]: ● test-aux-scope.service - /usr/lib/systemd/tests/unit-tests/manual/test-aux-scope
[   58.902808] testsuite-07.sh[695]:      Loaded: loaded (/run/systemd/transient/test-aux-scope.service; transient)
[   58.902808] testsuite-07.sh[695]:   Transient: yes
[   58.902808] testsuite-07.sh[695]:      Active: active (running) since Thu 2024-02-01 04:53:57 UTC; 3s ago
[   58.902808] testsuite-07.sh[695]:    Main PID: 680 (test-aux-scope)
[   58.902808] testsuite-07.sh[695]:          IP: 0B in, 0B out
[   58.902808] testsuite-07.sh[695]:       Tasks: 11 (limit: 99)
[   58.902808] testsuite-07.sh[695]:      Memory: 3.2M (peak: 3.5M)
[   58.902808] testsuite-07.sh[695]:         CPU: 235ms
[   58.902808] testsuite-07.sh[695]:      CGroup: /aux.slice/test-aux-scope.service
[   58.902808] testsuite-07.sh[695]:              ├─680 /usr/lib/systemd/tests/unit-tests/manual/test-aux-scope
[   58.902808] testsuite-07.sh[695]:              ├─681 "(worker)"
[   58.902808] testsuite-07.sh[695]:              ├─682 "(worker)"
[   58.902808] testsuite-07.sh[695]:              ├─683 "(worker)"
[   58.902808] testsuite-07.sh[695]:              ├─684 "(worker)"
[   58.902808] testsuite-07.sh[695]:              ├─685 "(worker)"
[   58.902808] testsuite-07.sh[695]:              ├─686 "(worker)"
[   58.902808] testsuite-07.sh[695]:              ├─687 "(worker)"
[   58.902808] testsuite-07.sh[695]:              ├─688 "(worker)"
[   58.902808] testsuite-07.sh[695]:              ├─689 "(worker)"
[   58.902808] testsuite-07.sh[695]:              └─690 "(worker)"
[   58.902808] testsuite-07.sh[695]: Feb 01 04:53:57 H systemd[1]: test-aux-scope.service: Enqueued job test-aux-scope.service/start as 277
[   58.902808] testsuite-07.sh[695]: Feb 01 04:53:57 H systemd[1]: test-aux-scope.service: Will spawn child (service_enter_start): /usr/lib/systemd/tests/unit-tests/manual/test-aux-scope
[   58.902808] testsuite-07.sh[695]: Feb 01 04:53:57 H systemd[1]: test-aux-scope.service: Passing 0 fds to service
[   58.902808] testsuite-07.sh[695]: Feb 01 04:53:57 H systemd[1]: test-aux-scope.service: About to execute: /usr/lib/systemd/tests/unit-tests/manual/test-aux-scope
[   58.902808] testsuite-07.sh[695]: Feb 01 04:53:57 H systemd[1]: test-aux-scope.service: Forked /usr/lib/systemd/tests/unit-tests/manual/test-aux-scope as 680
[   58.902808] testsuite-07.sh[695]: Feb 01 04:53:57 H systemd[1]: test-aux-scope.service: Changed dead -> start
[   58.902808] testsuite-07.sh[695]: Feb 01 04:53:57 H systemd[1]: Starting test-aux-scope.service...
[   58.902808] testsuite-07.sh[695]: Feb 01 04:53:57 H systemd-executor[680]: SELinux enabled state cached to: disabled
[   58.902808] testsuite-07.sh[695]: Feb 01 04:53:57 H (ux-scope)[680]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
[   58.902808] testsuite-07.sh[695]: Feb 01 04:53:57 H (ux-scope)[680]: Found cgroup2 on /sys/fs/cgroup/, full unified hierarchy
[   58.979659] testsuite-07.sh[701]: ++ ps -eo pid,unit
[   59.014968] testsuite-07.sh[702]: ++ grep -c test-aux-scope.service
[   59.729453] systemd[1]: Cannot find unit for notify message of PID 691, ignoring.
[   60.321547] testsuite-07.sh[675]: + test 11 = 1
[   60.332496] testsuite-07.sh[669]: + echo 'Subtest /usr/lib/systemd/tests/testdata/units/testsuite-07.aux-scope.sh failed'
 2024-02-03 02:57:52 +09:00
Yu Watanabe 2933881ea5
Merge pull request #31032 from yuwata/pam-session-close 
pam: fix warning "Attempted to close sd-bus after fork, this should not happen." on session close
 2024-02-02 09:51:08 +09:00
Harald Brinkmann 2a9b1a76ee coredump: log minimal metadata early 2024-02-02 09:43:50 +09:00
Yu Watanabe 25d2376052
Merge pull request #31166 from mrc0mmand/vpick-tweaks 
vpick: make a working copy of the current dname
 2024-02-02 09:37:13 +09:00
Yu Watanabe 68676af60d test-network: fix typo 
Follow-up for d4c8de21a0.
 2024-02-02 09:29:14 +09:00
Yu Watanabe 58125c1920 test: fix typo 
Follow-up for fa8ff98ea4.
 2024-02-02 09:27:52 +09:00
Yu Watanabe 04a755466b man/creds: fix typo 
Follow-up for 7704c3474d.
 2024-02-02 09:25:57 +09:00
Yu Watanabe 49d6e3c8a8 man: fix typo 
Follow-up for 34bbda18a5.
 2024-02-02 09:24:25 +09:00
Yu Watanabe 35dab29d58 sd-bus: fix typo 
Follow-up for 25fd5343ca.
 2024-02-02 09:22:43 +09:00
Yu Watanabe 431042e901 sd-bus: fix typo 
Follow-up for 71be64064c.
 2024-02-02 09:21:18 +09:00
Yu Watanabe 9d7f6b3db4 creds: fix typo 
Follow-up for 8464f7cbd6.
 2024-02-02 09:20:05 +09:00
Yu Watanabe 14f95de8da local-addresses: fix typo 
Follow-up for 5cb56068d0.
 2024-02-02 09:18:38 +09:00
Yu Watanabe 77924eab17 tpm2-util: fix typo 
Follow-up for d37c312b87.
 2024-02-02 09:17:25 +09:00
Yu Watanabe 6a8026e8ae network/ndisc: fix typo 
Follow-up for d4c8de21a0.
 2024-02-02 09:16:02 +09:00
Yu Watanabe e53fcb0932 repart: fix typo 
Follow-up for a575f2148f.
 2024-02-02 09:14:50 +09:00
Yu Watanabe 197e77c527 core/unit: fix typo 
Follow-up for 16b6af6ade.
 2024-02-02 09:13:05 +09:00
Yu Watanabe d282d55d4f cgroup-util: fix typo 
Follow-up for 677e6c14b1.
 2024-02-02 09:11:42 +09:00
Yu Watanabe a4f1a3087a user-util: fix typo 
Follow-up for 75673cd8ae.
 2024-02-02 09:10:02 +09:00
Yu Watanabe 3600b0f401 TODO: fix typo 
Follow-up for fd40e7da6e.
 2024-02-02 09:07:31 +09:00
Luca Boccassi 556d2bc4a1 core: use PidRef in exec_spawn 2024-02-01 21:06:14 +00:00
Frantisek Sumsal d049bffc50 vpick: use prefix_roota() to avoid double slash in log messages 
If the toplevel_path is empty we end up with doubled leading slash,
which looks weird:

[ 4737.028985] testsuite-74.sh[102]: Inode '//var/lib/machines/mytree.v/mytree_37.0_arm64+2-3' has wrong type, found 'dir'.
[ 4737.028985] testsuite-74.sh[102]: Failed to pick version for '/var/lib/machines/mytree.v': Is a directory
...
[ 4316.957536] testsuite-74.sh[99]: Failed to open '//var/lib/machines/mytree.v/mytree_37.0': No such file or directory
...
 2024-02-01 14:54:06 +01:00
Frantisek Sumsal 9258784762 vpick: make a working copy of the current dname 
Since we might edit the string later on by inserting NULs, which then
leads up to using an invalid dname when opening the potential chosen
directory:

[ 4316.957536] testsuite-74.sh[99]: make_choice: entry: mytree_37.0_arm64+2-3
[ 4316.957536] testsuite-74.sh[99]: make_choice: best_version: 37.0
[ 4316.957536] testsuite-74.sh[99]: make_choice: best_filename: mytree_37.0
[ 4316.957536] testsuite-74.sh[99]: Failed to open '//var/lib/machines/mytree.v/mytree_37.0': No such file or directory

Uncovered by vpick tests from TEST-74-AUX-UTILS when run on aarch64.
 2024-02-01 14:54:06 +01:00
Ondrej Kozina 7a87d01f28 homework: Use minimal pbkdf2 parameters without benchmark. 2024-02-01 12:32:31 +00:00
dependabot[bot] f6f00383ff build(deps): bump actions/upload-artifact from 4.0.0 to 4.3.0 
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.0.0 to 4.3.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](c7d193f32e...26f96dfa69)

---
updated-dependencies:
- dependency-name: actions/upload-artifact
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-02-01 12:18:13 +01:00
Mike Yuan 75971cd68a
Merge pull request #31107 from yuwata/pam-setcred-vs-close-session 
core/exec-invoke: call pam_setcred(PAM_DELETE_CRED) after pam_close_session()
 2024-02-01 19:02:40 +08:00
dependabot[bot] 12d1e448b2 build(deps): bump redhat-plumbers-in-action/advanced-issue-labeler 
Bumps [redhat-plumbers-in-action/advanced-issue-labeler](https://github.com/redhat-plumbers-in-action/advanced-issue-labeler) from 2.0.6 to 3.0.0.
- [Release notes](https://github.com/redhat-plumbers-in-action/advanced-issue-labeler/releases)
- [Commits](71bcf99aef...9e55064634)

---
updated-dependencies:
- dependency-name: redhat-plumbers-in-action/advanced-issue-labeler
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
 2024-02-01 10:57:02 +01:00
Yu Watanabe 88b8d08276 test: check pam warning message 2024-02-01 18:00:54 +09:00
Yu Watanabe 34e4ad1796 pam: do not warn closing bus connection which is opened after the fork 
In pam_systemd.so and pam_systemd_home.so, we open a bus connection on
session close, which is called after fork. Closing the connection is
harmless, and should not warn about that.

This suppresses the following log message:
===
(sd-pam)[127]: PAM Attempted to close sd-bus after fork, this should not happen.
===
 2024-02-01 17:59:39 +09:00
Yu Watanabe e1effd2974 exec-invoke: update log message a bit 2024-02-01 17:45:47 +09:00
Yu Watanabe 41ad015205 core/exec-invoke: call pam_setcred(PAM_DELETE_CRED) after pam_close_session() 
The man page pam_setcred(3) states:
> The credentials should be deleted after the session has been closed
> (with pam_close_session(3)).

Follow-up for 3bb39ea936.
 2024-02-01 17:45:47 +09:00
networkException de39202426 resolve: include interface name in org.freedesktop.resolve1 polkit checks 
this patch adds the interface name of the interface to be modified
to *details* when verifying dbus calls to the `org.freedesktop.resolve1`
D-Bus interface for all `Set*` and the `Revert` method.

when defining a polkit rule, this allows limiting the access to a specific
interface:

```js
// This rule prevents the user "vpn" to disable DNSoverTLS for any
// other interface than "vpn0". The vpn service should be allowed
// to disable DNSoverTLS on its own as it provides a local DNS
// server with search domains on the interface and this server does
// not support DNSoverTLS.
polkit.addRule(function(action, subject) {
  if (action.id == "org.freedesktop.resolve1.set-dns-over-tls" &&
      action.lookup("interface") == "vpn0" &&
      subject.user == "vpn") {
    return polkit.Result.YES;
  }
});
```
 2024-01-31 19:06:45 +00:00
Lennart Poettering cd2f649dc6
Merge pull request #31141 from poettering/resolvectl-more-json 
resolvectl: add JSON output support for "resolvectl query"
 2024-01-31 18:59:11 +01:00
Lennart Poettering 700f5b18e3 resolvectl: add basic ANSI markup to --help text 
Underline the sections, as we nowadays do.
 2024-01-31 16:13:16 +01:00
Lennart Poettering 3557f1a62a resolvectl: add JSON output support for "resolvectl query" 
It's easy to add. Let's do so.

This only covers record lookups, i.e. with the --type= switch.

The higher level lookups are not covered, I opted instead to print a
message there to use --type= instead.

I am a bit reluctant to defining a new JSON format for the high-level
lookups, hence I figured for now a helpful error is good enough, that
points people to the right use.

Fixes: #29755
 2024-01-31 16:13:16 +01:00