| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| |
|
|
|
|
|
|
| |
json_dispatch_pidref() now
The calls are now unused, and we generally prefer if people send a PID
triplet rather than a single PID, hence stop supporting a high-level
dispacher for pid_t.
|
| |
|
|
|
|
| |
The PID_AUTOMATIC value is now properly recognized by the PidRef logic
too. This needed some massaging of header includes, to ensure pidref.h
can access process-util.h's definitions and vice versa.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
This is useful for situations where an array of FDs is to be passed into
a child process (i.e. by passing it through safe_fork). This function
can be called in the child (before calling exec) to pack the FDs to all
be next to each-other starting from SD_LISTEN_FDS_START (i.e. 3)
|
| |
|
|
| |
And fix the man page reference as well.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The personality() syscall returns a 32-bit value where the top three
bytes are reserved for flags that emulate historical or architectural
quirks, and only the least significant byte reflects the actual
personality we're interested in (in opinionated_personality()).
Use the newly defined mask in the corresponding test as well, otherwise
the test fails on some more "exotic" architectures that set some of the
"quirk" flags:
~# uname -m
armv7l
~# build/test-seccomp
...
/* test_lock_personality */
current personality=0x0
safe_personality(PERSONALITY_INVALID)=0x800000
Assertion '(unsigned long) safe_personality(current) == current' failed at src/test/test-seccomp.c:970, function test_lock_personality(). Aborting.
lockpersonalityseccomp terminated by signal ABRT.
Assertion 'wait_for_terminate_and_check("lockpersonalityseccomp", pid, WAIT_LOG) == EXIT_SUCCESS' failed at src/test/test-seccomp.c:996, function test_lock_personality(). Aborting.
Aborted (core dumped)
See: personality(2) and comments in sys/personality.h
|
| | |
|
| |
|
|
|
|
|
|
|
|
| |
Added in glibc 2.39, allows cloning into a cgroup and to get
a pid fd back instead of a pid. Removes race conditions for
both changing cgroups and getting a reliable reference for the
child process.
Fixes https://github.com/systemd/systemd/pull/18843
Replaces https://github.com/systemd/systemd/pull/16706
|
| | |
|
| |
|
|
| |
Similar to FORK_NEW_MOUNTNS or FORK_NEW_USERNS.
|
| |
|
|
|
| |
This also adds a test case that test pidref_safe_fork(), pidref_wait()
and related calls.
|
| |
|
|
|
|
|
|
|
|
|
| |
This combines safe_fork() with pidref_set_pid().
Eventually we really should switch this to use CLONE_PIDFD, but as that
is not wrapped by glibc yet, it's hard. But this is not crucial anyway,
as a child we just forked off can always safely be referenced also by
PID, given the reaping is under our own control.
A simple test case is added in a follow-up commit.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
FORK_DEATHSIG_SIGTERM
Sometimes it makes sense to hard kill a client if we die. Let's hence
add a third FORK_DEATHSIG flag for this purpose: FORK_DEATHSIG_SIGKILL.
To make things less confusing this also renames FORK_DEATHSIG to
FORK_DEATHSIG_SIGTERM to make clear it sends SIGTERM. We already had
FORK_DEATHSIG_SIGINT, hence this makes things nicely symmetric.
A bunch of users are switched over for FORK_DEATHSIG_SIGKILL where we
know it's safe to abort things abruptly. This should make some kernel
cases more robust, since we cannot get confused by signal masks or such.
While we are at it, also fix a bunch of bugs where we didn't take
FORK_DEATHSIG_SIGINT into account in safe_fork()
|
| |
|
|
| |
via PidRef
|
| | |
|
| | |
|
| |
|
|
|
|
| |
pidref_is_alive()
Let's no eat up errors, but propagate unexpected ones.
|
| |
|
|
| |
pidref_get_uid()
|
| |
|
|
| |
pid_get_comm()
|
| | |
|
| | |
|
| |\
| |
| | |
coredump: support forwarding coredumps to containers
|
| | |
| |
| |
| |
| |
| |
| |
| | |
For a given PID and namespace type, this helper function gives the PID
of the leader of the namespace containing the given PID. Use this in
systemd-coredump instead of using the existing get_mount_namespace_leader.
This helper will be used again in a later commit.
|
| |/
|
|
|
|
| |
This provides CLONE_VM + CLONE_VFORK semantics, so it is useful to
avoid CoW traps and other issues around doing work between fork()
and exec().
|
| |
|
|
| |
Let's a simple helper that knows how to deal with PID == 1.
|
| |
|
|
|
| |
A test for this is later added indirectly, via aynchronous_rm_rf() that
uses this and comes with a suitable test.
|
| |
|
|
| |
child
|
| |
|
|
|
|
| |
This wraps glibc's clone() but deals with the 'stack' parameter in a
sensible way. Only supports invocations without CLONE_VM, i.e. when
child is a CoW copy of parent.
|
| | |
|
| |
|
|
|
|
|
|
| |
Propagating $NOTIFY_SOCKET is typically dangerous. Let's unset it unless
explicitly requested to keep it.
Fixes #27288.
Replaces #27291.
|
| |
|
|
|
|
|
|
|
|
|
|
| |
The reason why get_process_cmdline() is so complicated is that we
need to escape and quote arguments for building a single result
string.
That's necessary when we want to log or print the command line.
However, when we want to parse the command line, it is not necessary
that the result is a single string, but can be strv.
This will be used when we parse the command line.
|
| |
|
|
| |
And make safe_fork_full() takes fds to be assigned to stdio.
|
| |
|
|
|
| |
Let's add a proper helper for querying the number of threads in a
process.
|
| | |
|
| | |
|
| |
|
|
|
|
| |
Let's propagate the actual error code up, as we usual do.
Inspired by: #25168
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
If the flag is set, we mount /tmp/ in a way that is suitable for generators and
other quick jobs.
Unfortunately I had to move some code from shared/mount-util.c to
basic/mountpoint-util.c. The functions that are moved are very thin wrappers
around mount(2), so this doesn't actually change much in the code split between
libbasic and libshared.
Implications for the host would be weird if a private mount namespace is not
used, so assert on FORK_NEW_MOUNTNS when the flag is used.
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
I wanted to move saved_arg[cv] to process-util.c+h, but this causes problems:
process-util.h includes format-util.h which includes net/if.h, which conflicts
with linux/if.h. So we can't include process-util.h in some files.
But process-util.c is very long anyway, so it seems nice to create a new file.
rename_process(), invoked_as(), invoked_by_systemd(), and argv_looks_like_help()
which lived in process-util.c refer to saved_argc and saved_argv, so it seems
reasonable to move them to the new file too.
util.c is now empty, so it is removed. util.h remains.
|
| |
|
|
|
| |
basic/util.[ch] is a grab-bag of unrelated functions. Let's move a few
of the remaning functions to better locations.
|
| |
|
|
|
|
|
|
| |
remaining fds
Often the fds that shall stay around in the child shall be passed
to a process over execve(), hence add an option to explicitly disable
O_CLOEXEC on them in the child.
|
| | |
|
| | |
|
| | |
|
| |
|
|
| |
No actual code changes, just some splitting out.
|
| | |
|
| |
|
|
| |
This reverts commit 9c46228b7deb53d6384545535b37b2844a102b2b.
|
| |
|
|
|
| |
That way we can use it in other code from basic/. It fits into both
headers equally well or badly, hence let's just move this one function.
|
| | |
|
