When using "capture : true" in custom_target()s, the mode of the source
file is not preserved when the generated file is not installed and so
needs to be tweaked manually. Switch from output capture to creating the
target file and copy the permissions from the input file.
Signed-off-by: Christian Brauner <christian.brauner@ubuntu.com>
A coding style tweak and checking of sd_notify() calls and voidification of pager_open()
I got the logic reversed in 6d9326595592f98e8126eacb4176acd8c3516d5c.
Let's just remove the conditionalization of the status message: if we're
sending something, we might just as well always attach READY=1, the extra
few bytes don't make much of a difference.
FWIW, it seems that this bug didn't cause problems, probably because we'd send
READY=1 either from user_manager_send_ready() or from a later call to
manager_send_ready().
If we don't need to do any formatting, let's optimize things a bit.
Most sd_notify() calls are like log_info() — the result is only informative
and if they fail, it's best to ignore this. But if a call with READY=1 fails,
the unit may enter a failed state, so we should warn about this. Similarly
for FDSTOREREMOVE=1: the manager may be left with a stale fd, at least wasting
resources.
core: Propagate condition failed state from service to path unit.
Alternative to https://github.com/systemd/systemd/pull/20531.
Whenever a service triggered by another unit fails condition checks,
stop the triggering unit to prevent systemd busy looping trying to
start the triggered unit.
Doing start rate limit checks before doing condition checks made
condition check failures count towards the start rate limit which
broke existing assumptions (see #21025). Run the rate limit checks
after the condition checks again to restore the previous behaviour.
rearrange_stdio() invalidates specified fds even on failure, which means
we should always invalidate the fds we pass in no matter what. Let's
make this explicit by using TAKE_FD() for that everywhere.
Note that in many places such invalidation doesn't get us much
behaviour-wise, since we don't use the variables anymore later. But
TAKE_FD() in a way is also documentation: it encodes explicitly that the
fds are invalidated here, so I think it's a good thing to always make
this explicit here.
When the `SELinuxContext=` parameter is prefixed with `-`, the documentation states
that any errors determining or changing the context should be ignored, but this
doesn't actually happen and the service may fail with `229/SELINUX_CONTEXT`.
Fix by adding checks to `context->selinux_context_ignore`.
Closes: #21057
pid1: fail scope unit activation if all PIDs to add already died
If all processes we are supposed to add are gone by the time we are
ready to do so, let's fail.
This is heavily based on Cunlong Li's work, who thankfully tracked this
down.
Replaces: #20577
The 'r' variable is our "go-to" variable for error return codes, all
across our codebase. In unit_attach_pids_to_cgroup() it was so far used
in a strange way for most of the function: instead of directly storing
the error codes of the functions we call, we'd store them in a local variable
'q' instead, and propagate them to 'r' only in some cases; finally we'd
return the ultimate result of 'r'.
Let's normalize this a bit: let's always store error return values in
'r', and then use 'ret' as the variable to sometimes propagate errors
to, and then return that.
This also allows us to get rid of one local variable.
No actual codeflow changes, just some renaming of variables that allows
us to remove one.
core: add [State|Runtime|Cache|Logs]DirectorySymlink
When combined with a tmpfs on /run or /var/lib, this allows creating
arbitrary and ephemeral symlinks for StateDirectory or RuntimeDirectory.
This is especially useful when sharing these directories between
different services, to make the same state/runtime directory 'backend'
appear as different names to each service, so that they can be added/removed
to a sharing agreement transparently, without code changes.
An example (simplified, but real) use case:
```
foo.service:
StateDirectory=foo
bar.service:
StateDirectory=bar
foo.service.d/shared.conf:
StateDirectory=
StateDirectory=shared:foo
bar.service.d/shared.conf:
StateDirectory=
StateDirectory=shared:bar
```
foo and bar use respectively /var/lib/foo and /var/lib/bar. Then, when
the orchestration layer decides to stop this sharing, the drop-in
can be removed. The services won't need any update and will keep
working and being able to store state, transparently.
To keep backward compatibility, new DBUS messages are added.
TemporaryFileSystem=/var/lib
The /var/lib/private/foo -> /var/lib/foo symlink for StateDirectory and
DynamicUser is set up on the host filesystem, before the mount namespacing
is brought up. If an empty /var/lib is used, to ensure the service does not
see other services' data, the symlink is then not available despite
/var/lib/private being set up as expected.
Make a list of symlinks that need to be set up, and create them after all
the namespaced filesystems have been created, but before any eventual
read-only switch is flipped.
core: Try to prevent infinite recursive template instantiation
To prevent situations like in #17602 from happening, let's drop
direct recursive template dependencies. These will almost certainly
lead to infinite recursion so let's drop them immediately to avoid
instantiating potentially thousands of irrelevant units.
Example of a template that would lead to infinite recursion which
is caught by this check:
notify@.service:
```
[Unit]
Wants=notify@%n.service
```
Label the service root credential directory so write_credential() will
create entries with the label of their parent directory.
Resolves: #21134
Fixes #21113.
Talking to external daemons we ourselves maintain is a job for the
integration tests, not the unit tests. This communication is likely to
fail, hence don't even bother.
This makes our tests a bit cleaner.
We are using this for creating userns namespaces, and we really
shouldn't try to sync there. Moreover the use of freeze() in shutdown code
doesn't need it anyway, since it just sync()ed right before anyway. Only
the third user of freeze() we have actually needs the sync(), hence do it
there and nowhere else.
utmp(5) says `ut_line` is the device name minus the leading "/dev/". Therefore,
remove it. Without that, when using UtmpMode=user, we get `/dev/tty` in the
output of `last`/`w`.
Let's define two helpers strdupa_safe() + strndupa_safe() which do the
same as their non-safe counterparts, except that they abort if called
with allocations larger than ALLOCA_MAX.
This should ensure that all our alloca() based allocations are subject
to this limit.
afaics glibc offers three alloca() based APIs: alloca() itself,
strndupa() + strdupa(). With this we now have replacements for all of
them that take the limit into account.
Right now we already understand "default" as special string for enabling
the watchdog but not reconfiguring its timeout (it is internally mapped
to USEC_MAX). To be systematic this adds "off" as special string for
disabling the watchdog logic (it is internally mapped to 0, which is how
this behaviour was previously requested).
|
|\
| |
| | |
Watchdog more rework
options to "default"
Passing 0 meant "disable the watchdog although still keep it open". However
this case didn't seem to be useful, especially since PID1 closes the device if
it is passed the null timeout.
Hence let's change the meaning of watchdog_setup(0) to match PID1's behavior,
which allows simplifying the code a bit.
Hence this patch also drops enable_watchdog().
Fixes CID#1464627.
Follows what was done in b57d75232615f98aefcf41cb145ec2ea3262857d and
adds a test that verifies the device BPF program is not detached during
reload/reexec.
Currently ref count of bpf-program is kept in user space. However, the
kernel already implements its own ref count. Thus the ref count we keep for
bpf-program is redundant.
This PR removes ref count for bpf program as part of a task to simplify
bpf-program and remove redundancies, which will make the switch to
code-compiled BPF programs easier.
Part of #19270
We use __func__ almost everywhere, but there are some holdouts. Fix
that.
Fix #20933
This verifies that the argv part of any exec_command parameters that
are sent through dbus is not empty at deserialization time.
There is an additional check in service.c service_verify() that again
checks if all exec_commands are correctly populated, after the service
has been loaded, whether through dbus or otherwise.
Fixes #20933.
It takes an allow or deny list of filesystems services should have
access to.
It attaches the LSM BPF program when the system manager starts up.
It populates the hash of maps BPF map when services that have
RestrictFileSystems= set start.
It cleans up the hash of maps when the unit cgroup is pruned.
To pass the file descriptor of the BPF map we add it to the keep_fds
array.
This adds 6 functions to implement RestrictFileSystems=
* lsm_bpf_supported() checks if LSM BPF is supported. It checks that
  cgroupv2 is used, that BPF LSM is enabled, and tries to load the BPF
  LSM program which makes sure BTF and hash of maps are supported, and
  BPF LSM programs can be loaded.
* lsm_bpf_setup() loads and attaches the LSM BPF program.
* lsm_bpf_unit_restrict_filesystems() populates the hash of maps BPF map
  with the cgroupID and the set of allowed or denied filesystems.
* lsm_bpf_cleanup() removes a cgroupID entry from the hash of maps.
* lsm_bpf_map_restrict_fs_fd() is a helper function to get the file
  descriptor of the BPF map.
* lsm_bpf_destroy() is a wrapper around the destroy function of the BPF
  skeleton file.