| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |\
| |
| | |
core/namespace: make ProtectHome=tmpfs makes /home and friends read-only as documented
|
| | |
| |
| |
| | |
with .read_only = true
|
| | | |
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
entries
Otherwise, ProtectHome=tmpfs makes /home/ and friends not read-only.
Also, mount options for /run/ specified in MountAPIVFS=yes are not
applied.
The function append_static_mounts() was introduced in
5327c910d2fc1ae91bd0b891be92b30379c7467b, but at that time, there were
neither .read_only nor .options in the struct. But, when later the
struct is extended, the function was not updated and they were not
copied from the static table.
The fields has been used in static tables since
e4da7d8c796a1fd11ecfa80fb8a48eac9e823f06, and also in
94293d65cd4125347e21b3e423d0e245226b1be2.
Fixes #34825.
|
| |/
|
|
|
|
| |
Call setup_smack() also when only fallback_smack_process_label is set.
Fixes: 75689fb2d41f
|
| | |
|
| | |
|
| |
|
|
| |
Follow-up for 1f5a052963464755e87a075f6f4a8867b2199311.
|
| |
|
|
| |
Follow-up for 0005411352f9bda0d9887c37b9e75a2bce6c1133.
|
| |
|
|
| |
Follow-up for 63d4c4271ca529f8357a84cbc075170fffdb3de8.
|
| |\
| |
| | |
openat_report_new() tweaks
|
| | | |
|
| | |
| |
| |
| |
| | |
Let#s move it close to label_ops_set(), since it is somewhat symmetric
to it.
|
| | | |
|
| | |
| |
| |
| |
| |
| | |
Move the renaming function to reboot-util.h (since it writes out
/run/nologin at shutdown), and let's get rid of fileio-label.[ch] now
that it serves no purpose anymore.
|
| | |
| |
| |
| |
| |
| | |
This brings two benefits: we will label the created file only if it is
actually created, and we can correctly delete any file we create again
on failure.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
WRITE_STRING_FILE_LABEL flag
Given that we have the LabelOps abstraction these days, we can teach
write_string_file() to use it, which means we can get rid of
fileio-label.[ch] as a separate concept.
(The only reason that fileio-label.[ch] exists independently of
fileio.[ch] was that the former linekd to libselinux potentially, and
thus had to be in src/shared/ while the other always was in src/basic/.
But the LabelOps vtable provides us with a nice work-around)
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
dangling symlink
One of the big mistakes of Linux is that when you create a file with
open() and O_CREAT and the file already exists as dangling symlink that
the symlink will be followed and the file created that it points to.
This has resulted in many vulnerabilities, and triggered the creation of
the O_MOFOLLOW flag, addressing the problem.
O_NOFOLLOW is less than ideal in many ways, but in particular one: when
actually creating a file it makes sense to set, because it is a problem
to follow final symlinks in that case. But if the file is already
existing, it actually does make sense to follow the symlinks. With
openat_report_new() we distinguish these two cases anyway (the whole
function exists only to distinguish the create and the exists-already
case after all), hence let's do something about this: let's simply never
create files "through symlinks".
This can be implemented very easily: just pass O_NOFOLLOW to the 2nd
openat() call, where we actually create files.
And then basically remove 0dd82dab91eaac5e7b17bd5e9a1e07c6d2b78dca
again, because we don't need to care anymore, we already will see ELOOP
when we touch a symlink.
Note that this change means that openat_report_new() will thus start to
deviate from plain openat() behaviour in this one small detail: when
actually creating files we will *never* follow the symlink. That should
be a systematic improvement of security.
Fixes: #34088
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
error path
For SELinux it is essential that we reset the file creation label both
in the success and in the error path, hence do so.
Moreover, when calling the label post ops do it if possible with the
opened fd of the inode itself, rather than always going via its path,
simply to reduce the attack surface.
|
| | |
| |
| |
| |
| |
| |
| | |
If openat_report_new() fails, then 'made_file' will be false, as no file
was created, hence there's no need to skip the unlinkat() explicitly
early, given that we check for 'made_file' anyway in the error path. The
extra error code checks are hence entirely redundant.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
We have two distinct implementations of the post hook.
1. For SELinux we just reset the selinux label we told the kernel
earlier to use for new inodes.
2. For SMACK we might apply an xattr to the specified file.
The two calls are quite different: the first call we want to call in all
cases (failure or success), the latter only if we actually managed to
create an inode, in which case it is called on the inode.
|
| | |
| |
| |
| | |
We didn't go through it at all if label_ops_post() failed.
|
| | | |
|
| | |
| |
| |
| |
| | |
The only possible error return in this position is -ENODATA, which is
not interesting.
|
| |\ \
| | |
| | | |
logind: introduce CanIdle/CanLock properties on logind session dbus objects
|
| | | | |
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Clients should be able to know if the idle logic is available on a
session without secondary knowledge about the session class. Let's hence
expose a property for that.
Similar for the screen lock concept.
Fixes: #34844
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
* 07a294d0c6 Do not mask systemd-gpt-auto-generator in upstream CI builds
* 5636398bf7 Backport patch to fix test failures with tzdata 2024b-1
* 354ded4946 Update changelog for 256.7-2 release
* e38c7c5345 Backport fixes for upstream autopkgtest suite
* 249676834c Disable utmp support, not y2038 safe
* 822d44da42 initramfs-tools: support missing /etc/udev/udev.conf
* ad71ebf700 systemd-boot: depend on systemd for kernel-install
* 5bf7008ef8 d/systemd.postinst: do not restart systemd-binfmt.service if masked
* 58d5aa1b41 d/rules: mask systemd-gpt-auto-generator on Ubuntu
* 481987d85c Update changelog for 256.7-1 release
* ce7f3d4b43 Revert "autopkgtest: skip TEST-64-UDEV-STORAGE due to qemu crash"
* 7007e73b22 Mark dependencies on clang and bpftool as :native
* 0e120cf704 Update upstream source from tag 'upstream/256.7'
|\
| * 914aae055c New upstream version 256.7
* fcea89cb00 d/t/upstream: honor /etc/apt configured by autopkgtest
|
| |\ \ \
| | | |
| | | | |
Fix varlinkctl output with `--more`
|
| | | | |
| | | |
| | | |
| | | | |
This makes it possible to process continuous replies with jq etc.
|
| | |/ /
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Currently, when SD_JSON_FORMAT_OFF is set in verb_call, the json format
flags are set to SD_JSON_FORMAT_PRETTY_AUTO|SD_JSON_FORMAT_COLOR_AUTO,
rather than or'ing those flags in. This means that other flags that may
have been set, e.g. SD_JSON_FORMAT_SEQ when --more is set, will be
clobbered.
Fix this by masking SD_JSON_FORMAT_OFF out, and then or'ing the new
flags in.
|
| |/ /
| |
| |
| |
| | |
virtio console uses /dev/hvc* so we need access to write wall
messages
|
| |\ \
| | |
| | |
| | |
| | | |
yuwata/network-dhcpv6-do-not-request-ia-pd-on-info-req
network/dhcp6: do not request IA_PD on information requesting mode
|
| | | |
| | |
| | |
| | |
| | |
| | | |
bit unset
Follow-up for daf9f42f9183c206c0f8308efece019797e95e89.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This reverts the following commits:
- 180cc5421d9712fb95a6bbc725dc8ba459360c8b
"sd-dhcp6-client: allow to request IA_PD on information requesting mode"
- cf7a403e470368049165ecff7ac7686928778d7c
"sd-dhcp6-lease: adjust information refresh time with lifetime of IA_PD"
- 1918eda30d12e1ba3ee55921c18ec53267463e24
"network/dhcp6: process hostname and IA_PD on information requesting mode"
As per discussion in #34299,
https://github.com/systemd/systemd/issues/34299#issuecomment-2425153221
the offending commits violate RFC 8415 section 18.2.6:
> The client uses an Information-request message to obtain
> configuration information without having addresses and/or delegated
> prefixes assigned to it.
|
| | |/
|/|
| |
| |
| |
| |
| |
| |
| | |
CNAME doesn't exist at the zone apex. When we get an unsigned noerror
response to a direct query for a CNAME record, we don't yet know if this
name is zone apex. We already request the correct DS record in this
case, but previously skipped it at validation time, causing the answer
to appear bogus. Make sure to also consider the DS record for the query
name for negative replies.
|
| |\ \
| | |
| | | |
bus-util: Return ENOMEDIUM if XDG_RUNTIME_DIR is unset
|
| | | | |
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
XDG_RUNTIME_DIR isn't
We noticed some failures because we have code that connects to user
managers by setting DBUS_SESSION_BUS_ADDRESS without setting XDG_RUNTIME_DIR.
If that's the case, connect to the user session bus instead of the
private manager bus as we can't connect to the latter if XDG_RUNTIME_DIR
is not set.
|
| | |/
| |
| |
| | |
bus_log_connect_error() checks for ENOMEDIUM, not ENXIO.
|
| |\ \
| | |
| | | |
machine: add Addresses, OSRelease, and UIDShift fields in varlink io.systemd.Machine.List output
|
| | | |
| | |
| | |
| | | |
io.systemd.Machine.List output
|
| | | | |
|
| | | |
| | |
| | |
| | | |
This is equivalent to DBus implementation of GetMachineAddresses.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
io.systemd.Machine.List output
This commit adds support of the above mentioned fields. This is equivalent to DBus implementation of:
- GetMachineOSRelease
- GetMachineUIDShift
|
| | | | |
|
| |\ \ \
| | | |
| | | | |
RFC9463: Discovery of Network-designated Resolvers
|
| | | | |
| | | |
| | | |
| | | |
| | | | |
This duplicates the svc param constants for the benefit of the
resolved-core library.
|
| | | | |
| | | |
| | | |
| | | | |
This is only used by the fuzzer so far.
|
