Standard cgroup harness for bpf feature.
Add supported and install unit interfaces for the socket-bind feature.
supported verifies that
- unified cgroup hierarchy (cgroup v2) is used
- BPF_FRAMEWORK (libbpf + clang + llvm + bpftool) was available at
compile time
- kernel supports BPF_PROG_TYPE_CGROUP_SOCK_ADDR
- bpf programs can be loaded into the kernel
- bpf link can be used
install:
- load bpf_object from bpf skeleton
- resize rules map to fit socket_bind_allow and socket_bind_deny rules
from cgroup context
- populate cgroup-bpf maps with rules
- get bpf programs from bpf skeleton
- attach programs to unit cgroup using bpf link
- save bpf link in the unit
Add can_link_bpf_program and bpf_link_free helpers.
* Add `bpf-framework` feature gate with 'auto', 'true' and 'false' choices
* Add libbpf [0] dependency
* Search for clang, llvm-strip and bpftool binaries at compile time to
generate the bpf skeleton.
For libbpf [0], make 0.2.0 [1] the minimum required version.
If libbpf is satisfied, set the HAVE_LIBBPF config option to 1.
If the `bpf-framework` feature gate is set to 'auto', whether the
bpf feature is enabled or not is determined by the presence of all of
libbpf, clang, llvm and bpftool in the build environment.
With 'auto' all dependencies are optional.
If the gate is set to `true`, make all of the libbpf, clang and llvm
dependencies mandatory.
If it's set to `false`, set `BPF_FRAMEWORK` to false and make the libbpf
dependency optional.
The libbpf dependency is dynamic, following the common pattern in systemd.
meson, bpf: add build rule for socket_bind program
Add a build script to compile bpf source code. A program in restricted
C is compiled into an object file. The object file is converted to a BPF
skeleton [0] header file.
If built with the custom meson build rule, the target header will reside in
the build/ directory (not in the source tree), e.g. the path for socket_bind:
`build/src/core/bpf/socket_bind/socket-bind.skel.h`
The script runs these phases:
* clang to generate *.o from restricted C
* llvm-strip to remove useless DWARF info
* bpf skeleton generation with bpftool
These phases are logged to stderr for debug purposes.
To include BTF debug information, the -g option is passed to clang.
[0] https://lwn.net/Articles/806911/
Introduce a BPF program compiled from BPF source code in
restricted C - socket-bind.
It addresses feature request [0].
The goal is to allow systemd services to bind(2) only to a predefined set
of ports. This prevents assigning a socket address with an unallowed port
to a socket and creating servers listening on that port.
This complements the firewalling feature present in systemd:
whereas cgroup/{egress|ingress} hooks act on packets, this doesn't
protect from an untrusted service or payload hijacking an important port.
While ports in the 0-1023 range are restricted to root only, the 1024-65535
range is not protected by any means.
Performance is another aspect of the socket_bind feature, since per-packet
cost can be eliminated for some port-based filtering policies.
The feature is implemented with cgroup/bind{4|6} hooks [1].
In contrast to the present systemd approach using raw bpf instructions,
this program is compiled from sources. The stretch goal is to
make the bpf ecosystem in systemd more developer-friendly and to clear
the path for more BPF programs.
[0] https://github.com/systemd/systemd/pull/13496#issuecomment-570573085
[1] https://www.spinics.net/lists/netdev/msg489054.html
test: "detect" the test number automagically
So we don't have to duplicate the whole functions if we need to inject
some test-specific checks.
Specifying the test number manually is tedious and prone to errors (as
recently proven). Since we have all the necessary data to work out the
test number, let's do it automagically.
Fixes for TEST-58-REPART and ExecStart deserialization logic
We should test that both serialization and deserialization work properly.
But the serialization/deserialization code is deeply entwined with the
manager state, and I think quite a bit of refactoring will be required before
this is possible. But let's at least add this simple test for now.
I'm pretty sure that bad things would happen later on.
We'd fail with:
Apr 23 10:58:26 systemd[1]: Deserializing state...
Apr 23 10:58:26 systemd[1]: testsuite-01.service: Failed to parse serialized command "ExecStart 0 sh "sh" "-e" "-x" "-c" "systemctl --state=failed --no-legend --no-pager >/failed ; systemctl daemon-reload ; echo OK >/testok"": Invalid argument
Apr 23 10:58:26 systemd[1]: testsuite-01.service: Reinstalled deserialized job testsuite-01.service/start as 209
This was missed in 5008da1ec1, and apparently nobody noticed until now :(
Debian disables systemd-repart at config time.
In a container, /dev/loop* will most likely be inaccessible.
The logic to query test state was rather complex. I don't quite grok the point
of ret=$((ret+1))… But afaics, the precise result was always ignored by the
caller anyway.
We would remove stuff only if successful, so repeated invocations would
trivially fail.
Also drop "-f", so that if we expect to remove something, it must be there.
This allows TEST-58-REPART to at least start. It fails later with loopback
device errors.
network: dhcp4: set gateway for route to dns server if it is not in the same network
This removes static-route option from the default dnsmasq command.
network
Fixes #19077.
or in the same network
This also configures routes to gateways in static routes if the
destination is not in the same network.
After 4b30f2e135ee84041bb597edca7225858f4ef4fb, reading the stable_secret
sysctl property fails with -ENOMEM instead of -EIO.
This is because read_full_virtual_file() uses read() as the backend while
read_one_line_file() uses fgetc(), and each function returns a different
error on failure.
Anyway, the failure is harmless here. So, the log message and comment are
updated.
Closes one of the issues in #19410.
core, network: Fix typo
Follow-up for bbe19f68846bb3cd5fcf3e4f612268064df53b53.
Follow-up for 4b409e855b18c263b0526c826fdca16215a4cf2e.
Follow-up for 4e26a5baa0045c8bbb899f0c72f07ac630692bd3.
Fixes one of the issues in #19410.
homectl password caching fixes
first request
Previously, we'd generally attempt the operation first, without any
passwords, and only query for a password if that operation then fails
and asks for one. This is done to improve compatibility with
password-less authentication schemes, such as security tokens and
similar.
This patch modifies this slightly: if a password can be acquired cheaply
via the keyring password cache, the $CREDENTIALS_PATH credential store,
or the $PASSWORD/$PIN environment variables, acquire it *before* issuing
the first request.
This should save us a pointless roundtrip, and should never hurt.
Asking repeatedly for a password is pointless if we always use the same
cached one. Let's thus disable cache use whenever we failed already
once.
We want to use the result in a shell pipeline hence use -P mode (pipe
mode) instead of -t mode (interactive tty mode) for systemd-run.
This shouldn't change much about the test, but is slightly more correct
(and quicker).
We have to invoke the tests as superuser, and not being able to read
the journal as the invoking user is annoying. I don't think there are
any security considerations here, since the invoking user can already
put arbitrary code in the Makefile and test scripts which get executed
with root privileges.
install: warn if WantedBy targets don't exist
Currently, if the [Install] section contains a WantedBy=target that doesn't exist,
systemd creates the symlinks anyway. That is just user-unfriendly.
Let's be nice and warn about installing non-existent targets.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1835351.
Replaces: #15834
Let's rename MountpointsFlags → MountPointFlags. In most of our codebase
we name things mount_point/MountPoint rather than mountpoint/Mountpoint,
so do so here too.
Also, prefix the enum values with "MOUNT_". The fact that the enum values
weren't prefixed was pretty unique in our codebase, and pretty
surprising. Let's fix that.
This is just refactoring, no actual change in behaviour.
oomd works way better with swap, so let's make the test less flaky by
configuring a swap device for it. This also allows us to drop the ugly
`cat`s from the load-generating script.