| Commit message (Collapse) | Author | Age | Files | Lines |
| |
|
|
|
|
|
|
|
| |
yet (#3499)
Corrects: 1b566071
Also see: https://github.com/systemd/systemd/pull/3478#issuecomment-225008542
|
| |
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch implements the new magic character '!'. By putting '!' in front
of a command, systemd executes it with full privileges ignoring paramters
such as User, Group, SupplementaryGroups, CapabilityBoundingSet,
AmbientCapabilities, SecureBits, SystemCallFilter, SELinuxContext,
AppArmorProfile, SmackProcessLabel, and RestrictAddressFamilies.
Fixes partially https://github.com/systemd/systemd/issues/3414
Related to https://github.com/coreos/rkt/issues/2482
Testing:
1. Create a user 'bob'
2. Create the unit file /etc/systemd/system/exec-perm.service
(You can use the example below)
3. sudo systemctl start ext-perm.service
4. Verify that the commands starting with '!' were not executed as bob,
4.1 Looking to the output of ls -l /tmp/exec-perm
4.2 Each file contains the result of the id command.
`````````````````````````````````````````````````````````````````
[Unit]
Description=ext-perm
[Service]
Type=oneshot
TimeoutStartSec=0
User=bob
ExecStartPre=!/usr/bin/sh -c "/usr/bin/rm /tmp/exec-perm*" ;
/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start-pre"
ExecStart=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start" ;
!/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-star-2"
ExecStartPost=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start-post"
ExecReload=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-reload"
ExecStop=!/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-stop"
ExecStopPost=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-stop-post"
[Install]
WantedBy=multi-user.target]
`````````````````````````````````````````````````````````````````
|
|
|
|
|
|
|
|
| |
Since the introduction of the whitelist in 60-persistent-storage.rules
block device symlinks are no longer created for scm block devices.
Add scm to the whitelist.
Signed-off-by: Sebastian Ott <sebott@linux.vnet.ibm.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This the patch implements a notificaiton mechanism from the init process
in the container to systemd-nspawn.
The switch --notify-ready=yes configures systemd-nspawn to wait the "READY=1"
message from the init process in the container to send its own to systemd.
--notify-ready=no is equivalent to the previous behavior before this patch,
systemd-nspawn notifies systemd with a "READY=1" message when the container is
created. This notificaiton mechanism uses socket file with path relative to the contanier
"/run/systemd/nspawn/notify". The default values it --notify-ready=no.
It is also possible to configure this mechanism from the .nspawn files using
NotifyReady. This parameter takes the same options of the command line switch.
Before this patch, systemd-nspawn notifies "ready" after the inner child was created,
regardless the status of the service running inside it. Now, with --notify-ready=yes,
systemd-nspawn notifies when the service is ready. This is really useful when
there are dependencies between different contaniers.
Fixes https://github.com/systemd/systemd/issues/1369
Based on the work from https://github.com/systemd/systemd/pull/3022
Testing:
Boot a OS inside a container with systemd-nspawn.
Note: modify the commands accordingly with your filesystem.
1. Create a filesystem where you can boot an OS.
2. sudo systemd-nspawn -D ${HOME}/distros/fedora-23/ sh
2.1. Create the unit file /etc/systemd/system/sleep.service inside the container
(You can use the example below)
2.2. systemdctl enable sleep
2.3 exit
3. sudo systemd-run --service-type=notify --unit=notify-test
${HOME}/systemd/systemd-nspawn --notify-ready=yes
-D ${HOME}/distros/fedora-23/ -b
4. In a different shell run "systemctl status notify-test"
When using --notify-ready=yes the service status is "activating" for 20 seconds
before being set to "active (running)". Instead, using --notify-ready=no
the service status is marked "active (running)" quickly, without waiting for
the 20 seconds.
This patch was also test with --private-users=yes, you can test it just adding it
at the end of the command at point 3.
------ sleep.service ------
[Unit]
Description=sleep
After=network.target
[Service]
Type=oneshot
ExecStart=/bin/sleep 20
[Install]
WantedBy=multi-user.target
------------ end ------------
|
|\
| |
| | |
networkd: add support to configure VLAN on bridge ports
|
| | |
|
| | |
|
| | |
|
|/
|
|
|
| |
Fix issue where the *Network passed via userdata is being offset
by offsetof(Network, matchmac) leading to incorrect values being
exposed in dbus.
|
|\
| |
| | |
networkd: rename IPv6AcceptRouterAdvertisements to IPv6AcceptRA
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The long name is just too hard to type. We generally should avoid using
acronyms too liberally, if they aren't established enough, but it appears that
"RA" is known well enough. Internally we call the option "ipv6_accept_ra"
anyway, and the kernel also exposes it under this name. Hence, let's rename the
IPv6AcceptRouterAdvertisements= setting and the
[IPv6AcceptRouterAdvertisements] section to IPv6AcceptRA= and [IPv6AcceptRA].
The old setting IPv6AcceptRouterAdvertisements= is kept for compatibility with
older configuration. (However the section [IPv6AcceptRouterAdvertisements] is
not, as it was never available in a published version of systemd.
|
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Let's add a generic parser for VLAN ids, which should become handy as
preparation for PR #3428. Let's also make sure we use uint16_t for the vlan ID
type everywhere, and that validity checks are already applied at the time of
parsing, and not only whne we about to prepare a netdev.
Also, establish a common definition VLANID_INVALID we can use for
non-initialized VLAN id fields.
|
| | |
|
| |
| |
| |
| |
| | |
Now we don't support parsing double at map_basic.
when trying to use bus_message_map_all_properties with a double
this fails. Let's add it.
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
The flags check was accidentally placed in the ESP if block, but should be in
the root if block.
This corrects: 0238d4c660e732dd03ba0cdb54a29ec5870ee849
Fixes: #3440
Also see: #3441
|
| |
| |
| |
| |
| |
| |
| | |
an instance (#3451)
Corrects: 7aad67e7
Fixes: #3438
|
|\ \
| | |
| | | |
resolved: support IPv6 DNS servers on the local link
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
changed via bus calls
This also moves log message generation into manager_write_resolv_conf(), so
that it is shorter to invoke the function, given that we have to invoke it at a
couple of additional places now.
Fixes: #3225
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Make sure we can parse DNS server addresses that use the "zone id" syntax for
local link addresses, i.e. "fe80::c256:27ff:febb:12f%wlp3s0", when reading
/etc/resolv.conf.
Also make sure we spit this out correctly again when writing /etc/resolv.conf
and via the bus.
Fixes: #3359
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
it (#3457)
Let's add an extra safety check before we chmod/chown a TTY to the right user,
as we might end up having connected something to STDIN/STDOUT that is actually
not a TTY, even though this might have been requested, due to permissive
StandardInput= settings or transient service activation with fds passed in.
Fixes:
https://bugs.freedesktop.org/show_bug.cgi?id=85255
|
| | | |
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add a line
SystemCallFilter=~@clock @module @mount @obsolete @raw-io ptrace
for daemons shipped by systemd. As an exception, systemd-timesyncd
needs @clock system calls and systemd-localed is not privileged.
ptrace(2) is blocked to prevent seccomp escapes.
|
|\ \ \
| | | |
| | | | |
put limits on addresses and routers per link and per network
|
| | | | |
|
| | | |
| | | |
| | | |
| | | | |
This covers the address/routers acquire dynamically.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
We generally only use "const" to constify the destination of pointers, but not
the pointers themselves, as they are copied anyway during C function
invocation. Hence, drop this usage of "const".
|
| | | |
| | | |
| | | |
| | | | |
Drop weird "const" usage, and use size_t for sizes.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
addresses/routes/fdb entries
We should put a limit on everything, hence also on these resources.
|
|\ \ \ \
| | | | |
| | | | | |
Logind: fix handling of *KeyIgnoreInhibited options in logind.conf
|
| | | | | |
|
|/ / / / |
|
| | | |
| | | |
| | | |
| | | |
| | | | |
Secure daemons shipped by systemd by enabling MemoryDenyWriteExecute.
Closes: #3459
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The changes in 788d2b088b13a2444b9eb2ea82c0cc57d9f0980f weren't complete, only
half the code that dealt with K links was removed. This is a follow-up patch
that removes the rest too.
No functional changes.
|
| |_|/
|/| |
| | |
| | |
| | |
| | |
| | |
| | | |
-bash-4.3# rm /etc/udev/hwdb.bin
-bash-4.3# systemd-hwdb update
-bash-4.3# ls -Z /etc/udev/hwdb.bin
system_u:object_r:systemd_hwdb_etc_t:s0 /etc/udev/hwdb.bin
Fixes: #3458
|
|\ \ \
| | | |
| | | | |
timestamping improvements and IPv6 RA revamp
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This reworks sd-ndisc and networkd substantially to support IPv6 RA much more
comprehensively. Since the API is extended quite a bit networkd has been ported
over too, and the patch is not as straight-forward as one could wish. The
rework includes:
- Support for DNSSL, RDNSS and RA routing options in sd-ndisc and networkd. Two
new configuration options have been added to networkd to make this
configurable.
- sd-ndisc now exposes an sd_ndisc_router object that encapsulates a full RA
message, and has direct, friendly acessor functions for the singleton RA
properties, as well as an iterative interface to iterate through known and
unsupported options. The router object may either be retrieved from the wire,
or generated from raw data. In many ways the sd-ndisc API now matches the
sd-lldp API, except that no implicit database of seen data is kept. (Note
that sd-ndisc actually had a half-written, but unused implementaiton of such
a store, which is removed now.)
- sd-ndisc will now collect the reception timestamps of RA, which is useful to
make sd_ndisc_router fully descriptive of what it covers.
Fixes: #1079
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
serializing
Let's use the usual libc API for serializing IPv6 addresses, instead of the
NDISC-specific macro we should get rid of anyway.
|
| | | | |
|
| | | | |
|
| | | | |
|
| | | |
| | | |
| | | |
| | | | |
After all, we use clockid_t which is defined there.
|
| | | | |
|
| | | |
| | | |
| | | |
| | | | |
sd-ndisc has something like this, let's add this for sd-lldp, too.
|
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
It might very well return EAGAIN in case of packet checksum problems and
suchlike, hence let's better handle this nicely, the same way as we do it in
the other sd-network libraries for incoming datagrams.
|
| | | | |
|
| | | |
| | | |
| | | |
| | | |
| | | | |
Let's make sure the inline functions for retrieving TLV data actually carry TLV
in the name, so that we don#t assume they retrieve the whole, raw packet data.
|