This new setting permits restricting whether namespaces may be created and
managed by processes started by a unit. It installs a seccomp filter blocking
certain invocations of unshare(), clone() and setns().
RestrictNamespaces=no is the default, and does not restrict namespaces in any
way. RestrictNamespaces=yes takes away the ability to create or manage any kind
of namespace. "RestrictNamespaces=mnt ipc" restricts the creation of namespaces
so that only mount and IPC namespaces may be created/managed, but no other
kind of namespaces.
This setting should improve security quite a bit as in particular user
namespacing was a major source of CVEs in the kernel in the past, and is
accessible to unprivileged processes. With this setting the entire attack
surface may be removed for system services that do not make use of namespaces.
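Added example (not systemd's code): a small C model of which namespace types each RestrictNamespaces= value leaves usable, plus a probe a service can run to confirm the filter is in effect. The helper names, NS_INVALID and the flag table are assumptions, and the blocked-or-not check is a simplification of the seccomp filter's effect, not its implementation.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/syscall.h>
/* Kernel CLONE_NEW* namespace flags (fixed ABI values, so <linux/sched.h> is not needed). */
#define CLONE_NEWNS     0x00020000
#define CLONE_NEWCGROUP 0x02000000
#define CLONE_NEWUTS    0x04000000
#define CLONE_NEWIPC    0x08000000
#define CLONE_NEWUSER   0x10000000
#define CLONE_NEWPID    0x20000000
#define CLONE_NEWNET    0x40000000
#define ALL_NS (CLONE_NEWCGROUP|CLONE_NEWIPC|CLONE_NEWNS|CLONE_NEWNET| \
                CLONE_NEWPID|CLONE_NEWUSER|CLONE_NEWUTS)
#define NS_INVALID ((unsigned long)-1)   /* returned for an unparsable value (assumed name) */
static const struct { const char *name; unsigned long flag; } ns_table[] = {
        { "cgroup", CLONE_NEWCGROUP }, { "ipc", CLONE_NEWIPC }, { "mnt", CLONE_NEWNS },
        { "net", CLONE_NEWNET }, { "pid", CLONE_NEWPID }, { "user", CLONE_NEWUSER },
        { "uts", CLONE_NEWUTS } };
/* Mask of namespace types a RestrictNamespaces= value still permits: "no" or
 * empty = all, "yes" = none, a list such as "mnt ipc" = only those listed. */
unsigned long restrict_namespaces_allowed(const char *value) {
        char buf[128], *tok;
        unsigned long allowed = 0;
        size_t i, n = sizeof ns_table / sizeof ns_table[0];
        if (*value == '\0' || strcmp(value, "no") == 0) return ALL_NS;
        if (strcmp(value, "yes") == 0) return 0;
        if (strlen(value) >= sizeof buf) return NS_INVALID;
        strcpy(buf, value);
        for (tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
                for (i = 0; i < n && strcmp(tok, ns_table[i].name) != 0; i++) { }
                if (i == n) return NS_INVALID;      /* unknown namespace name */
                allowed |= ns_table[i].flag;
        }
        return allowed;
}
/* 1 if an unshare()/clone()/setns() asking for these namespace flags would be
 * refused by the filter, 0 if every requested type is permitted. */
int namespace_call_blocked(unsigned long allowed, unsigned long clone_flags) {
        return (clone_flags & ALL_NS & ~allowed) != 0;
}
#ifdef SYS_unshare   /* probe: inside a unit with RestrictNamespaces=yes this reports EPERM */
int main(void) {
        long r = syscall(SYS_unshare, CLONE_NEWUSER);
        printf("unshare(CLONE_NEWUSER): %s\n", r < 0 ? strerror(errno) : "succeeded");
        return 0;
}
#endif
```

Outside a restricted unit the probe's outcome is decided by the kernel's own policy (for example whether unprivileged user namespaces are enabled), so compare the output from inside and outside the service.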
/bin/kernel-install: line 143: return: can only `return' from a function or sourced script
https://bugzilla.redhat.com/show_bug.cgi?id=1391829
systemd-analyze syscall-filter
Just to make the whole thing easier for users.
Now that the list is user-visible, @default should be first.
This should make it easier for users to understand what each filter
means as the list of syscalls is updated in subsequent systemd versions.
Setting no_new_privs does not stop UID changes, but rather blocks
gaining privileges through execve(). Also fixes a small typo.
Fixes build error on recent toolchains:
../src/test/test-seccomp.c:35: error: undefined reference to 'seccomp_arch_native'
collect2: error: ld returned 1 exit status
Tree wide cleanups
If allocation fails, the value of the point is "undefined". In practice
this matters very little, but for consistency with rest of the code,
let's check the return value.
This makes strjoin and strjoina more similar and avoids the useless final
argument.
spatch -I . -I ./src -I ./src/basic -I ./src/basic -I ./src/shared -I ./src/shared -I ./src/network -I ./src/locale -I ./src/login -I ./src/journal -I ./src/journal -I ./src/timedate -I ./src/timesync -I ./src/nspawn -I ./src/resolve -I ./src/resolve -I ./src/systemd -I ./src/core -I ./src/core -I ./src/libudev -I ./src/udev -I ./src/udev/net -I ./src/udev -I ./src/libsystemd/sd-bus -I ./src/libsystemd/sd-event -I ./src/libsystemd/sd-login -I ./src/libsystemd/sd-netlink -I ./src/libsystemd/sd-network -I ./src/libsystemd/sd-hwdb -I ./src/libsystemd/sd-device -I ./src/libsystemd/sd-id128 -I ./src/libsystemd-network --sp-file coccinelle/strjoin.cocci --in-place $(git ls-files src/*.c)
git grep -e '\bstrjoin\b.*NULL' -l|xargs sed -i -r 's/strjoin\((.*), NULL\)/strjoin(\1)/'
This might have missed a few cases (spatch has a really hard time dealing
with _cleanup_ macros), but that's no big issue, they can always be fixed
later.
We always define those two in configure, so no need to provide a fallback.
I think it's an antipattern to have to count the number of bytes in
the prefix by hand. We should do this automatically to avoid wasting
programmer time, and possible errors. I didn't find any offsets that were
wrong, so this change is mostly to make future development easier.
This reverts commit 75ead2b753cb9586f3f208326446081baab70da1.
Follow up for #4546:
> @@ -848,8 +848,7 @@ static int bus_kernel_make_message(sd_bus *bus, struct kdbus_msg *k) {
if (k->src_id == KDBUS_SRC_ID_KERNEL)
bus_message_set_sender_driver(bus, m);
else {
- xsprintf(m->sender_buffer, ":1.%llu",
- (unsigned long long)k->src_id);
+ xsprintf(m->sender_buffer, ":1.%"PRIu64, k->src_id);
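Review bot: the `+` line pairs `":1.%"PRIu64` with `k->src_id`, whose type is the kernel's `__u64` (unsigned long long, per the warning quoted below), not `uint64_t`; on this toolchain PRIu64 expands to `%lu`, so the format and the argument disagree and -Wformat fires. Keep the removed form, `xsprintf(m->sender_buffer, ":1.%llu", (unsigned long long)k->src_id);`, or cast `k->src_id` to `uint64_t` before using PRIu64.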
This produces:
src/libsystemd/sd-bus/bus-kernel.c: In function ‘bus_kernel_make_message’:
src/libsystemd/sd-bus/bus-kernel.c:851:44: warning: format ‘%lu’ expects argument of type ‘long
unsigned int’, but argument 4 has type ‘__u64 {aka long long unsigned int}’ [-Wformat=]
xsprintf(m->sender_buffer, ":1.%"PRIu64, k->src_id);
^
let's get this out today!
endocode/djalal/fix-dynamicuser-supplementary-groups
core: initialize user aux groups and SupplementaryGroups= when DynamicUser= is set
Make sure that when DynamicUser= is set that we initialize the user
supplementary groups and that we also support SupplementaryGroups=
Fixes: https://github.com/systemd/systemd/issues/4539
Thanks Evgeny Vereshchagin (@evverx)
Two testsuite tweaks
I'm seeing strange decompression errors with lz4, which
might be content-dependent. Extend test-compression to allow
testing specific content.
(Edit: PEBKAC: lzcat and lz4cat are not the same beast.
Nevertheless, the test might still be useful in the future.)
xsprintf revert
If we encounter the (unlikely) situation where the combined path to the
new root and a path to a mount to be moved together exceed maximum path length,
we shouldn't crash, but fail this path instead.
This reverts some changes introduced in d054f0a4d4.
xsprintf should be used in cases where we calculated the right buffer
size by hand (using DECIMAL_STRING_MAX and such), and never in cases where
we are printing externally specified strings of arbitrary length.
Fixes #4534.
Add "perpetual" unit concept, sysctl fixes, networkd fixes, systemctl color fixes, nspawn discard.
Let's propagate the error here, instead of eating it up early.
In a later change we should probably also change mount_enumerate() to propagate
errors up, but that would mean we'd have to change the unit vtable, and thus
change all unit types, hence is quite an invasive change.
Fixes: #3870
Let's make sure that our loopback files remain sparse, hence let's set
"discard" as mount option on file systems that support it if the backing device
is a loopback.
Make the underlining between the header and the body and between the units of
different types span the whole width of the table.
Let's never make the table wider than necessary (which is relevant due to the
above).
When space is limited and we can't show the full ID or description string
prefer showing the full ID over the full description. The ID is after all
something people might want to copy/paste, while the description is mostly just
helpful decoration.
If we turn on red color for the active column and it is not combined with
underlining, then we need to turn it off explicitly afterwards. Do that.
Let's place only one ternary operator.
Let's only check for eof once after the fgets(). There's no point in checking
EOF before the first read, and twice in each loop.
This way, we can get rid of a label/goto.
Let's make missing write access to /proc/sys non-fatal to the sysctl service.
This is a follow-up to 411e869f497c7c7bd0688f1e3500f9043bc56e48 which altered
the condition for running the sysctl service to check for /proc/sys/net being
writable, accepting that /proc/sys might be read-only. In order to ensure the
boot-up stays clean in containers lower the log level for the EROFS errors
generated due to this.
Now that we have a proper concept of "perpetual" units, let's make the root mount
one too, since it also cannot go away.
So far "no_gc" was set on -.slice and init.scope, to units that are always
running, cannot be stopped and never exist in an "inactive" state. Since these
units are the only users of this flag, let's remodel it and rename it
"perpetual" and let's derive more functionality off it. Specifically, refuse
enqueuing stop jobs for these units, and report that they are "unstoppable" in
the CanStop bus property.
|
|\ \ \ \
| | | | |
| | | | | |
preparation for 232
Unfortunately, github drops the original committer when a PR is "squashed" (even
if it is only a single commit) and replaces it with some rubbish
github-specific user id. Thus, to make the contributors list somewhat useful,
update the .mailmap file and undo all the weirdness github applied there.