| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| | |
|
| |\
| |
| | |
hwbd: update once again for 233
|
| | | |
|
| |/ |
|
| |\
| |
| | |
Add new MountAPIVFS= boolean unit file setting + RootImage=
|
| | | |
|
| |/ |
|
| |\
| |
| | |
man: document that sd_notify() is racy in some cases
|
| | | |
|
| | | |
|
| | | |
|
| |/ |
|
| | |
|
| |\ |
|
| |/ |
|
| | |
|
| | |
|
| |\
| |
| | |
A prettification of the dissect code, mkosi and TODO updates
|
| | | |
|
| |\ \
| | |
| | | |
Various specifier resolution fixes.
|
| | |/ |
|
| |/ |
|
| |
|
|
|
| |
1. Listed in TODO.
2. Tree wide replace safe_atou16 with parse_ip_port incase
it's used for ports.
|
| |
|
|
|
|
|
|
| |
"*-*~1" => The last day of every month
"*-02~3..5" => The third, fourth, and fifth last days in February
"Mon 05~07/1" => The last Monday in May
Resolves #3861
|
| | |
|
| | |
|
| |\
| |
| |
| |
| | |
core: add new RestrictNamespaces= unit file setting
Merging, not rebasing, because this touches many files and there were tree-wide cleanups in the mean time.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This new setting permits restricting whether namespaces may be created and
managed by processes started by a unit. It installs a seccomp filter blocking
certain invocations of unshare(), clone() and setns().
RestrictNamespaces=no is the default, and does not restrict namespaces in any
way. RestrictNamespaces=yes takes away the ability to create or manage any kind
of namspace. "RestrictNamespaces=mnt ipc" restricts the creation of namespaces
so that only mount and IPC namespaces may be created/managed, but no other
kind of namespaces.
This setting should be improve security quite a bit as in particular user
namespacing was a major source of CVEs in the kernel in the past, and is
accessible to unprivileged processes. With this setting the entire attack
surface may be removed for system services that do not make use of namespaces.
|
| |/ |
|
| | |
|
| | |
|
| | |
|
| |\
| |
| | |
Add an "invocation ID" concept to the service manager
|
| | | |
|
| |/ |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
[Unit]
Before=foobar.device
[Service]
ExecStart=/bin/true
Type=oneshot
$ systemd-analyze verify before-device.service
before-device.service: Dependency Before=foobar.device ignored (.device units cannot be delayed)
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
coredump had code to check if copy_bytes() hit the max_bytes limit,
and refuse further processing in that case.
But in 84ee0960443, the return convention for copy_bytes() was changed
from -EFBIG to 1 for the case when the limit is hit, so the condition
check in coredump couldn't ever trigger.
But it seems that *do* want to process such truncated cores [1].
So change the code to detect truncation properly, but instead of
returning an error, give a nice log entry.
[1] https://github.com/systemd/systemd/issues/3883#issuecomment-239106337
Should fix (or at least alleviate) #3883.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
We were already unconditionally using the unicode character when the
input string was not pure ASCII, leading to different behaviour in
depending on the input string.
systemd[1]: Starting printit.service.
python3[19962]: foooooooooooooooooooooooooooooooooooo…oooo
python3[19964]: fooąęoooooooooooooooooooooooooooooooo…oooo
python3[19966]: fooąęoooooooooooooooooooooooooooooooo…ąęąę
python3[19968]: fooąęoooooooooooooooooąęąęąęąęąęąęąęą…ąęąę
systemd[1]: Started printit.service.
|
| |
|
|
|
| |
I believe the remaining call sites are legitimate uses which cannot be
easily replaced with %m.
|
| |
|
|
|
|
|
|
|
|
| |
This splits the OS field in two : one for the distribution name
and one for the the version id.
Dashes are written for missing fields.
This also prints ip addresses of known machines. The `--max-addresses`
option specifies how much ip addresses we want to see. The default is 1.
When more than one address is written for a machine, a `,` follows it.
If there are more ips than `--max-addresses`, `...` follows the last
address.
|
| | |
|
| |\ |
|
| | | |
|
| |/ |
|
