path: root/src/coredump
Commit message [Author, Age, Files, Lines]
* coredumpctl: propagate SIGTERM to the debugger process [Frantisek Sumsal, 2023-11-07, 1 file, -1/+16]
| If we're waiting for the debugger process to exit and receive SIGTERM, propagate it to all processes in our process group, including the debugger, so we can follow it up with a proper cleanup.
|
| Resolves: #28772
* process-util: add new FORK_DEATHSIG_SIGKILL flag, rename FORK_DEATHSIG → FORK_DEATHSIG_SIGTERM [Lennart Poettering, 2023-11-02, 2 files, -2/+2]
| Sometimes it makes sense to hard kill a client if we die. Let's hence add a third FORK_DEATHSIG flag for this purpose: FORK_DEATHSIG_SIGKILL. To make things less confusing this also renames FORK_DEATHSIG to FORK_DEATHSIG_SIGTERM to make clear it sends SIGTERM. We already had FORK_DEATHSIG_SIGINT, hence this makes things nicely symmetric. A bunch of users are switched over for FORK_DEATHSIG_SIGKILL where we know it's safe to abort things abruptly. This should make some kernel cases more robust, since we cannot get confused by signal masks or such. While we are at it, also fix a bunch of bugs where we didn't take FORK_DEATHSIG_SIGINT into account in safe_fork()
* coredump: let's always drop privileges [Lennart Poettering, 2023-11-01, 1 file, -42/+39]
| Let's unconditionally drop privileges before submitting the coredump log message. Let's make the codepaths where we acquired a coredump and where we didn't more alike: let's drop privs in both cases. This is not only safer, but means that the coredump messages are always accessible by the owner of the aborted process.
* coredump: tweak coredump log message [Lennart Poettering, 2023-11-01, 1 file, -8/+19]
| Let's not claim a process dumped core if that was disabled via resource limits. While we are at it, switch from stack to heap allocation for the log message, as it includes a stack trace which can be arbitrarily large.
|
| Fixes: #28559
* fd-util: rename PIPE_EBADF → EBADF_PAIR, and add EBADF_TRIPLET [Lennart Poettering, 2023-10-26, 1 file, -1/+1]
| We use it for more than just pipe() arrays. For example also for socketpair(). Hence let's give it a generic name. Also add EBADF_TRIPLET to mirror this for things like stdin/stdout/stderr arrays, which we use a bunch of times.
* Merge pull request #29601 from yuwata/mmap-check-overflow [Luca Boccassi, 2023-10-24, 1 file, -3/+3]
|\
| | mmap: check offset and size more carefully
| * tree-wide: check if return value of lseek() and friends is negative [Yu Watanabe, 2023-10-19, 1 file, -3/+3]
| | We usually check the return value of syscalls or glibc functions by whether it is negative or not, something like `if (stat(path, &st) < 0)`. Let's also use the same style for lseek() and friends even though the type of their return value is off_t. Note, fseeko() returns int, instead of off_t.
* | io-util: split out "struct iovec" related calls into their own .c/.h files [Lennart Poettering, 2023-10-20, 1 file, -1/+1]
|/
| This is preparation for #28891, which adds a bunch more helpers around "struct iovec", at which point this really deserves its own .c/.h file. The idea is that we sooner or later can consider "struct iovec" as an entirely generic mechanism to reference some binary blob, and is the go-to type for this purpose whenever we need one.
* process-util: add pidref_get_comm() and rename get_process_comm() to pid_get_comm() [Lennart Poettering, 2023-10-18, 1 file, -1/+1]
|
* process-util: add pidref_get_cmdline() [Lennart Poettering, 2023-10-18, 1 file, -2/+2]
|
* meson: add build option for install path of main config files [Franck Bui, 2023-10-17, 1 file, -1/+1]
| This allows distros to install configuration file templates in /usr/lib/systemd for example.
|
| Currently we install "empty" config files in /etc/systemd/. They serve two purposes:
| - The file contains commented-out values that show the default settings.
| - It is easier to edit the right file if it is already there, the user doesn't have to type in the path correctly, and the basic file structure is already in place so it's easier to edit.
|
| Things that have happened since this approach was put in place:
| - We started supporting drop-ins for config files, and drop-ins are the recommended way to create local configuration overrides.
| - We have systemd-analyze cat-config which takes care of iterating over all possible locations (/etc, /run, /usr, /usr/local) and figuring out the right file.
| - Because of the first two points, systemd-analyze cat-config is much better, because it takes care of finding all the drop-ins and figuring out the precedence. Looking at files manually is still possible of course, but not very convenient.
|
| The disadvantages of the current approach with "empty" files in /etc:
| - We clutter up /etc so it's harder to see what the local configuration actually is.
| - If a user edits the file, package updates will not override the file (e.g. systemd.rpm uses %config(noreplace)). This means that the "documented defaults" will become stale over time, if the user ever edits the main config file.
|
| Thus, I think that it's reasonable to:
| - Install the main config file to /usr/lib so that it serves as reference for syntax and option names and default values and is properly updated on package upgrades.
| - Recommend to users to always use drop-ins for configuration and systemd-analyze cat-config to view the documentation.
|
| This setting makes this change opt-in.
|
| Fixes #18420.
|
| [zjs: add more text to the description]
* Merge pull request #29242 from fbuihuu/update-main-config-file-headers [Zbigniew Jędrzejewski-Szmek, 2023-10-17, 1 file, -3/+5]
|\
| | config files: update their header to reflect that they can be install…
| * config files: update their header to reflect that they can be installed in /usr [Franck Bui, 2023-09-21, 1 file, -3/+5]
| | Follow-up for c76f2fb0e59340222ce21f85c17d384c114db9de.
* | coredump: add support for forwarding coredump to containers [Nick Rosbrook, 2023-10-13, 1 file, -3/+247]
| | If a process crashes within a container, try and forward the coredump to that container. To do this, check if the crashing process is in a different pidns, and if so, find the PID of the namespace leader. We only proceed with forwarding if that PID belongs to a cgroup that is descendant of another cgroup with user.delegate=1 and user.coredump_receive=1 (i.e. Delegate=yes and CoredumpReceive=yes). If we proceed, attach to the namespaces of the leader, and send the coredump to systemd-coredump.socket in the container. Before this is done, we need to translate the PID, UID, and GID, and also re-gather procfs metadata. Translate the PID, UID, and GID to the perspective of the container by sending an SCM_CREDENTIALS message over a socket pair from the original systemd-coredump process, to the process forked in the container. If we cannot successfully forward the coredump, fall back to the current behavior so that there is still a record of the crash on the host.
* | process-util: introduce namespace_get_leader helper [Nick Rosbrook, 2023-10-13, 1 file, -51/+1]
| | For a given PID and namespace type, this helper function gives the PID of the leader of the namespace containing the given PID. Use this in systemd-coredump instead of using the existing get_mount_namespace_leader. This helper will be used again in a later commit.
* | coredump: store crashing process UID and GID in Context [Nick Rosbrook, 2023-10-13, 1 file, -19/+15]
|/
| For convenience, store the crashing process's UID and GID in Context (as uid_t and gid_t, respectively), as is currently done for the PID. This means we can just parse the UID/GID once in save_context(), and use those values in other places. This is just re-factoring, and is a preparation commit for container support.
* coredump: fix various invalid memory access [Yu Watanabe, 2023-08-10, 1 file, -19/+14]
| Previously, we did not check error from iovw_put(). If it fails, the target iovw may have no iov or partial iovs from the journal importer. So, the finalization may cause underflow and may access and free invalid memory.
|
| Follow-up for 946dc7c635f050129896d1515c08a81504af2421.
* coredump: let's use FOREACH_ARRAY() at one very obvious place [Lennart Poettering, 2023-08-10, 1 file, -4/+1]
|
* coredump: fix error path [Lennart Poettering, 2023-08-10, 1 file, -1/+1]
| We must go through finish, to undo the destruction of the final elements of the iovw properly.
* coredump: rename gather_pid_metadata() → gather_pid_metadata_from_procfs() [Lennart Poettering, 2023-08-10, 1 file, -3/+3]
| Let's make clear what this function does, and what it distinguishes with the more precisely named gather_pid_metadata_from_argv().
* coredump: add four assert()s [Lennart Poettering, 2023-08-10, 1 file, -0/+6]
|
* coredump: use a cleanup handler for destroying iovw objects [Lennart Poettering, 2023-08-10, 1 file, -9/+5]
|
* meson: merge declarations of normal and test executables [Yu Watanabe, 2023-08-03, 1 file, -9/+6]
|
* meson: move declarations of coredumpd and friends [Yu Watanabe, 2023-08-01, 1 file, -1/+29]
|
* coredumpctl: cleanup use of ERRNO_IS_PRIVILEGE() [Dmitry V. Levin, 2023-07-28, 1 file, -7/+8]
| Given that ERRNO_IS_PRIVILEGE() also matches positive values, make sure this macro is not called with arguments that do not have errno semantics. In this case the argument passed to ERRNO_IS_PRIVILEGE() is the value returned by access_fd() which is not expected to return any positive values, but let's be consistent anyway and move the ERRNO_IS_PRIVILEGE() invocation to the branch where the return value is known to be negative.
* coredump: use RET_NERRNO and RET_GATHER [Zbigniew Jędrzejewski-Szmek, 2023-07-13, 1 file, -5/+3]
| No functional change intended.
* tree-wide: "<n>bit" → "<n>-bit" [Zbigniew Jędrzejewski-Szmek, 2023-07-02, 1 file, -1/+1]
| In some places, "<n> bits" is used when more appropriate.
* coredump: clamp JournalSizeMax= to maximum journald would accept [Lennart Poettering, 2023-06-23, 1 file, -3/+21]
| See: #26748
* coredump: use loop_read() for reading coredump into memory [Lennart Poettering, 2023-06-23, 1 file, -5/+6]
| Fixes: #26748
* tree-wide: when in doubt use greek small letter mu rather than micro symbol [Lennart Poettering, 2023-06-14, 1 file, -2/+2]
| Doesn't really matter since the two unicode symbols are supposedly equivalent, but let's better follow the unicode recommendations to prefer greek small letter mu, as per: https://www.unicode.org/reports/tr25
* coredump: port over code to new LINK_TMPFILE_SYNC flag [Lennart Poettering, 2023-06-13, 1 file, -5/+1]
|
* tmpfile-util: turn last parameter of link_tmpfile() into a proper flags [Lennart Poettering, 2023-06-13, 1 file, -1/+1]
| This changes a boolean param into a proper bitflag field. Given this only defines a single flag for now this doesn't look like much of an improvement. But we'll add another flag shortly, where it starts to make more sense.
* tree-wide: use memstream-util [Yu Watanabe, 2023-05-31, 1 file, -18/+7]
|
* Merge pull request #27770 from mrc0mmand/more-nallocfuzz-shenanigans [Yu Watanabe, 2023-05-25, 1 file, -0/+3]
|\
| | A couple of fixes for potential issues during OOM situations
| * tree-wide: check memstream buffer after closing the handle [Frantisek Sumsal, 2023-05-24, 1 file, -0/+3]
| | When closing the FILE handle attached to a memstream, it may attempt to do a realloc() that may fail during OOM situations, in which case we are left with the buffer pointer pointing to NULL and buffer size > 0.
| |
| | For example:
| | ```
| | #include <errno.h>
| | #include <stdio.h>
| | #include <stdlib.h>
| |
| | void *realloc(void *ptr, size_t size) {
| |     return NULL;
| | }
| |
| | int main(int argc, char *argv[]) {
| |     FILE *f;
| |     char *buf;
| |     size_t sz = 0;
| |
| |     f = open_memstream(&buf, &sz);
| |     if (!f)
| |         return -ENOMEM;
| |
| |     fputs("Hello", f);
| |
| |     fflush(f);
| |     printf("buf: 0x%lx, sz: %lu, errno: %d\n", (unsigned long) buf, sz, errno);
| |     fclose(f);
| |     printf("buf: 0x%lx, sz: %lu, errno: %d\n", (unsigned long) buf, sz, errno);
| |
| |     return 0;
| | }
| | ```
| | ```
| | $ gcc -o main main.c
| | $ ./main
| | buf: 0x74d4a0, sz: 5, errno: 0
| | buf: 0x0, sz: 5, errno: 0
| | ```
| |
| | This might do unexpected things if the underlying code expects a valid pointer to the memstream buffer after closing the handle.
| |
| | Found by Nallocfuzz.
* | tree-wide: use free_and_replace() more [David Tardon, 2023-05-24, 1 file, -2/+1]
|/
* dissect-image: port mount_image_privately_interactively() to use /run/systemd/mount-rootfs/ too [Lennart Poettering, 2023-05-16, 1 file, -1/+1]
| Let's use the same common directory as the unit logic uses. This means we have less to clean up, and opens the door to eventually allow unprivileged operation of the mount_image_privately_interactively() logic.
* Merge pull request #27254 from poettering/cmsg-align-check [Yu Watanabe, 2023-04-14, 1 file, -1/+1]
|\
| | socket-util: tighten CMSG_TYPED_DATA() alignment checks
| * tree-wide: port more code over to CMSG_TYPED_DATA() [Lennart Poettering, 2023-04-13, 1 file, -1/+1]
| |
* | image-policy: introduce parse_image_policy_argument() helper [Yu Watanabe, 2023-04-13, 1 file, -14/+8]
|/
| Addresses https://github.com/systemd/systemd/pull/25608/commits/84be0c710d9d562f6d2cf986cc2a8ff4c98a138b#r1060130312, https://github.com/systemd/systemd/pull/25608/commits/84be0c710d9d562f6d2cf986cc2a8ff4c98a138b#r1067927293, and https://github.com/systemd/systemd/pull/25608/commits/84be0c710d9d562f6d2cf986cc2a8ff4c98a138b#r1067926416.
|
| Follow-up for 84be0c710d9d562f6d2cf986cc2a8ff4c98a138b.
* tree-wide: hook up image dissection policy logic everywhere [Lennart Poettering, 2023-04-05, 1 file, -18/+36]
|
* chase-symlinks: Rename chase_symlinks() to chase() [Daan De Meyer, 2023-03-24, 1 file, -4/+4]
| Chasing symlinks is a core function that's used in a lot of places so it deserves a less verbose name so let's rename it to chase() and chaseat(). We also slightly change the pattern used for the chaseat() helpers so we get chase_and_openat() and similar.
* coredump: split out parse_auxv() to src/shared/ [Zbigniew Jędrzejewski-Szmek, 2023-03-23, 1 file, -69/+5]
| No functional change. (We already checked for ELFCLASS32 or ELFCLASS64 before, so even though there's a new check for other architectures, the only caller only passes ELFCLASS32 or ELFCLASS64.)
* coredump: use unaligned_read_ne{32,64}() to parse auxv [Yu Watanabe, 2023-03-22, 1 file, -89/+60]
| Fixes a bug introduced by 3e4d0f6cf99f8677edd6a237382a65bfe758de03.
|
| The auxv metadata is unaligned, as the length of the prefix "COREDUMP_PROC_AUXV=" is 19. Hence, parse_auxv{32,64}() may trigger an undefined behavior (or at least cause slow down), which can be detected when running on an undefined behavior sanitizer.
|
| This also introduces a macro to define `parse_auxv{32,64}()`.
|
| Fixes #26912.
* tree-wide: simplify x ? x : y to x ?: y where applicable [Frantisek Sumsal, 2023-03-18, 1 file, -1/+1]
|
* Merge pull request #26784 from DaanDeMeyer/chase-fix [Daan De Meyer, 2023-03-15, 1 file, -1/+1]
|\
| | Allow creating files and directories with chase_symlinks_open() and further improvements
| * chase-symlinks: Remove unused ret_fd arguments [Daan De Meyer, 2023-03-14, 1 file, -1/+1]
| |
* | conf: replace config_parse_many_nulstr() with config_parse_config_file() [Franck Bui, 2023-03-13, 1 file, -8/+3]
|/
| All daemons use a similar scheme to read their main config files and their drop-ins. The main config files are always stored in /etc/systemd directory and it's easy enough to construct the name of the drop-in directories based on the name of the main config file. Hence the new helper does that internally, which allows to reduce and simplify the args passed previously to config_parse_many_nulstr().
|
| Besides the overall code simplification it results:
|
|   16 files changed, 87 insertions(+), 159 deletions(-)
|
| it allows to identify clearly the locations in the code where configuration files are parsed.
* tmpfile-util: teach link_tmpfile() to optionally replace files [Lennart Poettering, 2023-03-03, 1 file, -1/+1]
|
* meson: Use dicts for test definitions [Jan Janssen, 2023-02-21, 1 file, -3/+7]
| Although this is slightly more verbose it makes it much easier to reason about. The code that produces the tests heavily benefits from this. Test lists are also now sorted by test name.