(#34893)
This makes use of the infra introduced in 229d4a980607e9478cf1935793652ddd9a14618b to indicate visually on each prompt that we are in superuser mode temporarily.
pick ad5de3222f userdbctl: add some basic client-side filtering
core: follow-ups for live mount
Let's move it close to label_ops_set(), since it is somewhat symmetric
to it.
This brings two benefits: we will label the created file only if it is
actually created, and we can correctly delete any file we create again
on failure.
WRITE_STRING_FILE_LABEL flag
Given that we have the LabelOps abstraction these days, we can teach
write_string_file() to use it, which means we can get rid of
fileio-label.[ch] as a separate concept.
(The only reason that fileio-label.[ch] exists independently of
fileio.[ch] was that the former linked to libselinux potentially, and
thus had to be in src/shared/ while the other always was in src/basic/.
But the LabelOps vtable provides us with a nice work-around.)
dangling symlink
One of the big mistakes of Linux is that when you create a file with
open() and O_CREAT and the file already exists as a dangling symlink,
the symlink will be followed and the file it points to is created.
This has resulted in many vulnerabilities, and triggered the creation of
the O_NOFOLLOW flag, addressing the problem.
O_NOFOLLOW is less than ideal in many ways, but in particular one: when
actually creating a file it makes sense to set, because it is a problem
to follow final symlinks in that case. But if the file already
exists, it actually does make sense to follow the symlinks. With
openat_report_new() we distinguish these two cases anyway (the whole
function exists only to distinguish the create and the exists-already
case after all), hence let's do something about this: let's simply never
create files "through symlinks".
This can be implemented very easily: just pass O_NOFOLLOW to the 2nd
openat() call, where we actually create files.
And then basically remove 0dd82dab91eaac5e7b17bd5e9a1e07c6d2b78dca
again, because we don't need to care anymore, we already will see ELOOP
when we touch a symlink.
Note that this change means that openat_report_new() will thus start to
deviate from plain openat() behaviour in this one small detail: when
actually creating files we will *never* follow the symlink. That should
be a systematic improvement of security.
Fixes: #34088
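As an added example (this is not code from the systemd tree), the two-step open described in the commit above, in C: the first openat() opens an existing file and may follow symlinks, while the creating openat() carries O_CREAT|O_EXCL|O_NOFOLLOW so a dangling symlink can never cause its target to be created. The function names and the temp-dir scenario (a constructed dangling symlink "link" pointing at "victim") are this example's own, and the demo also runs the plain openat() variant to show the pitfall the commit describes.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/stat.h>

/* Open 'path' below 'dir_fd', creating it only if it doesn't exist yet.
 * Opening an existing file may follow symlinks; creating never does. */
static int open_create_nofollow(int dir_fd, const char *path, int flags,
                                mode_t mode, bool *made_file) {
        for (unsigned attempts = 7;; attempts--) {
                /* Step 1: open an existing inode, symlinks followed as usual. */
                int fd = openat(dir_fd, path, flags & ~(O_CREAT | O_EXCL), mode);
                if (fd >= 0) { *made_file = false; return fd; }
                if (errno != ENOENT) return -errno;
                /* Step 2: create it. O_EXCL|O_NOFOLLOW makes the kernel refuse
                 * a symlink (EEXIST), so a dangling link never creates its target. */
                fd = openat(dir_fd, path, flags | O_CREAT | O_EXCL | O_NOFOLLOW, mode);
                if (fd >= 0) { *made_file = true; return fd; }
                /* EEXIST right after ENOENT: dangling symlink or a race; retry a bit. */
                if (errno != EEXIST || attempts == 0) return -errno;
        }
}

/* Constructed scenario: dangling symlink "link" -> "victim" in a fresh temp dir.
 * Returns 1 if creation was refused and "victim" was not created,
 * 0 if "victim" was created through the link, -1 on setup failure. */
static int demo_dangling_symlink(bool use_plain_openat) {
        char tmpl[] = "/tmp/nofollow-demo-XXXXXX";
        if (!mkdtemp(tmpl)) return -1;
        int dir_fd = open(tmpl, O_DIRECTORY | O_RDONLY | O_CLOEXEC);
        if (dir_fd < 0 || symlinkat("victim", dir_fd, "link") < 0) return -1;
        bool made = false;
        int fd = use_plain_openat
                ? openat(dir_fd, "link", O_WRONLY | O_CREAT, 0644)   /* classic pitfall */
                : open_create_nofollow(dir_fd, "link", O_WRONLY, 0644, &made);
        if (fd >= 0) close(fd);
        struct stat st;
        bool victim_exists = fstatat(dir_fd, "victim", &st, AT_SYMLINK_NOFOLLOW) == 0;
        unlinkat(dir_fd, "victim", 0);
        unlinkat(dir_fd, "link", 0);
        close(dir_fd);
        rmdir(tmpl);
        return (fd < 0 && !made && !victim_exists) ? 1 : 0;
}
```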
error path
For SELinux it is essential that we reset the file creation label both
in the success and in the error path, hence do so.
Moreover, when calling the label post ops do it if possible with the
opened fd of the inode itself, rather than always going via its path,
simply to reduce the attack surface.
If openat_report_new() fails, then 'made_file' will be false, as no file
was created, hence there's no need to skip the unlinkat() explicitly
early, given that we check for 'made_file' anyway in the error path. The
extra error code checks are hence entirely redundant.
We have two distinct implementations of the post hook.
1. For SELinux we just reset the selinux label we told the kernel
earlier to use for new inodes.
2. For SMACK we might apply an xattr to the specified file.
The two calls are quite different: the first call we want to call in all
cases (failure or success), the latter only if we actually managed to
create an inode, in which case it is called on the inode.
We didn't go through it at all if label_ops_post() failed.
modernize the ask-password logic, and add unpriv askpw agents to the concept
Previously, we were using touch(), which usually works fine, because the
path should always refer to an existing directory, in which case it just
updates the timestamp. However, if the dir does not exist yet (which
shouldn't happen), it would be created as regular file, which is just
wrong.
Hence, let's instead create the dir as dir if it is missing, and then
update its timestamp.
to a TTY
Let's provide a mechanism to select the number of screen columns for
rebreaking comments in Varlink IDL connected to a TTY, by honouring the
$COLUMNS env var then too. Previously we'd only honour it when connected to
a TTY, but it's also useful otherwise for rebreaking ridiculously long
comments, hence honour it in this case too.
Previously, GREEDY_REALLOC_APPEND would compile perfectly fine and cause
subtle memory corruption if the caller messes up the type they're passing
in (i.e. by forgetting to pass-by-reference when appending a Type* to an
array of Type*). Now this will lead to a compilation failure.
Follow-up for de34ec188c4d4f682a337445aa7753259cd7f821.
fileio: write_string_file() naming clean-ups
let's rename the "_ts" flavour of these calls "_full" instead, exposing
the full functionality. And then keep two more minimal versions around:
one "_at" (which has the ts parameter suppressed, but keeps the dir_fd
one). And one without suffix (which suppresses both).
Do the same for the label versions of these calls.
This PidRef just tracks some data, but cannot be used for any active
operation.
Background: for https://github.com/systemd/systemd/pull/34703 it makes
sense to track explicitly if some PidRef is not a local one, so that we
never attempt to for example "kill a remote process" and thus
accidentally hit the wrong process (i.e. a local one by the same PID).
machined: switch remaining Varlink overs over to use json_dispatch_pidref() and friends
json_dispatch_pidref() now
The calls are now unused, and we generally prefer if people send a PID
triplet rather than a single PID, hence stop supporting a high-level
dispatcher for pid_t.
The PID_AUTOMATIC value is now properly recognized by the PidRef logic
too. This needed some massaging of header includes, to ensure pidref.h
can access process-util.h's definitions and vice versa.
network: wait for IPv6 MTU being synced to link MTU
Currently not used, but will be used later.
network: several cleanups for conf parsers
The function is also used in other source files. Hence, not internal.
No functional change, just refactoring.
fd-util: use F_DUPFD_QUERY for same_fd()
Catch up with the nice little toys the kernel fs developers have added
for us. Preferably, let's make use of the new F_DUPFD_QUERY fcntl() call
that checks whether two fds are just duplicates of each other
(duplicates as in dup(), not as in open() of the same inode, i.e.
whether they share a single file offset and so on).
This API is much nicer, since it is a core kernel feature, unlike the
kcmp() call we so far used, which is part of the (optional)
checkpoint/restore stuff.
F_DUPFD_QUERY is available since kernel 6.10.
It just uses F_GETFD to validate an fd. It's a bit easier to read
though, and handles the < 0 case internally.
tree-wide: replace reallocarray() with GREEDY_REALLOC()
No functional change, just refactoring.
Fixes #34670.
Fixes a bug caused by ef658a63f8163607d9e04f710cd26c0d36ff68ce.
So that sd_path_lookup() can be utilized to replace
duplicate functions.