| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
We use it for more than just pipe() arrays. For example also for
socketpair(). Hence let's give it a generic name.
Also add EBADF_TRIPLET to mirror this for things like
stdin/stdout/stderr arrays, which we use a bunch of times.
|
|
|
|
When a mount is gracefully skipped (e.g.: BindReadOnlyPaths=-/nonexistent)
we still post-process it, like making it read-only. Except if nothing
has been mounted, the mount point will be made read-only for no reason.
Track when mounts are skipped and avoid post-processing.
One day we'll switch all of this to the new mount api and do these
operations atomically or not at all.
Fixes https://github.com/systemd/systemd/issues/29725
|
|
|
|
|
|
If `--tpm2-public-key=` is not specified, but `tpm2-pcr-public-key.pem` exists
in /{etc,run,usr/lib}/systemd/, it's being ignored.
Fixes 9e437994
|
|
On rpm-ostree distributions such as Fedora SilverBlue /mnt
(and other well known paths) will be a symlink to a location
under /var. The fstab generator emits correct output in this
case, however, the data does not match the expected output
stored in the source tree.
Rather than trying to adapt the test data, just skip this
single test scenario when we see /mnt is a symlink.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
The systemd-tmpfiles binary will report a fatal error if /tmp is not owned
either by root, or by the current user:
Detected unsafe path transition /tmp (owned by nobody) →
/tmp/test-systemd-tmpfiles.a8qc6n18 (owned by berrange)
during canonicalization of
tmp/test-systemd-tmpfiles.a8qc6n18/test-content.7chd7rdi
When doing development inside a 'toolbox' container (which is required
on a Fedora SilverBlue distro), /tmp is owned by 'nobody', because it
has been passed through from the host and host UID 0 gets mapped to
UID 65536 by usernamespaces. This triggers the unsafe path transition
error message.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
On rpm-ostree distributions like Fedora SilverBlue /home (and various
other well known locations) are symlinks to somewhere beneath /var.
The path_is_encrypted() method uses O_NOFOLLOW and as a result will
return ELOOP on /home. This causes test-blockdev-util to abort.
Add ELOOP to the ignorable set of errnos for testing.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
|
|
This new D-Bus API uses pidfd to refer to the session leader. Also,
pam_systemd will try to make use of it when pidfd support is available.
|
|
If `--tpm2-public-key=` is not specified, but `tpm2-pcr-public-key.pem` exists
in /{etc,run,usr/lib}/systemd/, the default PCR 11 is not being set.
Fixes 9e437994
|
|
This field is optional, it only makes sense for user records that
actually have a privileged part to set.
|
|
|
|
If we do not have enough privilege to mount a new instance of sysfs or
procfs, units e.g. with PrivateNetwork=yes may fail.
Let's first try to mount sysfs or procfs anyway to check if we have enough
privilege.
Fixes #29526.
|
|
No functional change, just refactoring.
|
|
This restores display of the "delegate" flag of a cgroup. Previously we
erroneously passed a full fs path where a cgroup path was expected (the
difference being the /sys/fs/cgroup/ prefix), which meant we never read
the xattr properly. Let's fix that by simply operating by fd on the
cgroup and using it for all operations.
|
|
This is just like cg_is_delegate() but operates on an fd instead of a
cgroup path.
Sooner or later we should access cgroupfs mostly via fds rather than
paths, but we aren't there yet. But let's at least get started.
|
|
|
|
This carefully combines getxattr_at_malloc() and parse_bool(), which is
something we use at multiple places.
|
|
Partially fixes: #29678
|
|
Otherwise a lock is taken, which can be taken by multiple units at the
same time, depending on each other, causing a deadlock.
Fixes https://github.com/systemd/systemd/issues/29682
|
|
Hopefully fixes many Coverity issues.
|
|
|
|
Follow-up for 0f9efffaeb84964a3ab0f32271fba38f3bee2394.
|
|
Otherwise, received information, e.g. DNS servers, may not be saved in
the state file, and will not be propagated to clients like resolved.
Fixes the first issue of #29678.
|
|
|
|
So we don't crash on invalid options:
$ build/systemd-random-seed --foo
Segmentation fault (core dumped)
|
|
|
|
|
|
Since systemd-tpm2-setup doesn't expect any arguments.
|
|
Otherwise bad things happen:
$ build/systemd-tpm2-setup --foo
Segmentation fault (core dumped)
|
|
|
|
Don't hardcode the event number, so the test works correctly even if
someone wrote to the event log before us. Also, explicitly pick the
sha256 bank when checking digests, as the indexing may vary depending on
current TPM's capabilities.
|
|
Same idea as with bootctl, we might be doing image builds from a
system that doesn't boot with UEFI but we still might want to measure
stuff for the image we're building so let's not gate this behind
ENABLE_BOOTLOADER.
|
|
bootctl is rather useful to have, even if on a system without UEFI,
as it has a number of verbs that are unrelated to UEFI (e.g kernel-identify),
and more importantly, it supports --root to operate on directory trees
(which could be intended to be deployed on UEFI) so let's make sure we
always build it.
|
|
Introduce the environment variable SYSTEMD_NSPAWN_NETWORK_MAC to allow
user-specified MAC address on container side.
|
|
|
|
The immediately preceeding check already covered that.
This removes and addition made back in aae6eb96117acd54ce5ac572aac6a11b34c4ad99.
cc @williamcroberts
|
|
|
|
|
|
|
|
|
|
As the result is a bit funky (but still valid), i.e.:
static inline void iovec_done_erase(struct iovec *iovec) {
assert(iovec);
- iovec->iov_base = erase_and_free(iovec->iov_base);
- iovec->iov_len = 0;
+ *iovec = IOVEC_MAKE(erase_and_free(iovec->iov_base), 0);
}
|
|
|
|
Let's switch the order in which we process positional arguments and
analyze/tweak detail parameters. Let's look at the positional arguments
first (i.e. the "big picture") and then look at the switches (i.e.
"little details").
THis doesn't matter much, but makes for better error messages I think.
At least I was very confused that a completely borked cmdline I passed
to cryptenrolled complained about some detail and let the major fuckup
pass...
|
|
|
|
|
|
This replicates what 475c473d328c12f5e9fd43cee959154a0d0c78a4 did for
cryptenroll for repart, which has very similar code for this.
|
|
|
