| Commit message (Collapse) | Author | Files | Lines |
|
Fixes: #20801
|
|
Let's downgrade log messages which are not fatal for the service to
LOG_WARNING.
And let's simplify clean-up by using _cleanup_(unlink_and_freep).
|
|
DNSSD service definitions
Fixes: #21142
|
|
NSS mostly knows four error cases: SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN,
and they can all be used in nsswitch.conf to route requests.
So far nss-resolve would return SUCCESS + NOTFOUND + UNAVAIL. Let's also
return TRYAGAIN in some cases, specifically the ones where we are
currently unable to resolve a request but likely could later. i.e.
errors caused by networking issues or such.
Fixes: #20786
|
|
Let's eat up special returns of dns_query_process_cname_many() when
storing hostname resolution results.
The rest of the code assumes only == 0 means success and != 0 means
error, but so far > 0 also could mean success, let's fix that.
Fixes: #21365 #21140
(This was originally broken in 1db8e6d1db0880de240e5598e28d24d708479434)
|
|
This beefs up the DNS stub logic to listen on two IP addresses:
127.0.0.53 (as before) + 127.0.0.54 (new). When the latter is contacted
our stub will operate in "bypass" mode only, i.e. we'll try to pass DNS
requests as unmodified upstream as we can (and not do mDNS/LLMNR and
such, also no DNSSEC validation – but we'll still do DNS-over-TLS
wrapping).
This is supposed to be useful for container environments or tethering:
this stub could be exposed (via NAT redirect) to clients of this system
and we'll try to stay out of the way with doing too much DNS magic
ourselves, but still expose whatever the current DNS server is from
upstream under a stable address/port.
How to use this:
# iptables -t nat -I PREROUTING -p udp -i <interface> --dport 53 -j DNAT --to 127.0.0.54:53
# echo 1 > /proc/sys/net/ipv4/conf/<interface>/route_localnet
|
|
in_addr_union
|
|
* man: document FIDO2 device removal
Indicate to users how to remove a FIDO2 device in the --fido2-device=path section by setting path to an empty string (""). Tested on systemd 249 (249.6-3-arch).
|
|
When a timeout occurs we actually can't see when the test started/stopped. Print the time.
|
|
Since 8b8024f1c231c166f5c450905c8fd91d11704ae7 and the follow-up commits, the
main config file may be located in /usr or in other paths. But the code in
analyze.c was still assuming that it must be in /etc. Things mostly worked for
our own config files because we usually install a comments-only file in /etc,
but this was not correct in the general case.
This fixes in particular 'systemd-analyze cat-config systemd/zram-generator.conf'.
In Fedora we distribute a config file in zram-generator-defaults.rpm that is in
/usr/lib, and 'cat-config' would refuse to show it because
/etc/systemd/zram-generator.conf does not exist.
The main config file is optional, but let's print an informative message
because this is a slightly unusual case.
The file paths that we printed were missing the root prefix.
|
|
The function name `method_reload` is used both in dbus-unit.c and
dbus-manager.c for static functions.
With the previous addition of adding the function name to the audit
information on SELinux denials, rename the one (and its relatives) in
dbus-unit.c as most of the functions in src/core/dbus-unit.c are already
prefixed with `bus_unit_`.
|
|
`mac_selinux_generic_access_check()` should not be called directly, only
via the wrapper macros `mac_selinux_access_check` and
`mac_selinux_unit_access_check`.
|
|
path might be NULL when checking against the system permissions, so wrap
with strna().
The command line might not be available over D-Bus and thus cl might be
empty. Print "n/a" instead of the empty string.
|
|
Include the systemd C function name in the audit message to improve the
debug ability on denials.
Similar to how kernel denial messages include the syscall name.
|
|
Mostly mechanical renaming of mmap-cache functions that now
operate exclusively on the MMapFileDescriptor.
|
|
MMapFileDescriptor carries a reference to its originating
MMapCache, there's no value in supplying the
MMapFileDescriptor-centric functions a separate MMapCache.
A future commit will rename these functions to consistently use
an mmap_cache_fd_* prefix for improved clarity.
|
|
Mention 'usrhash' and 'systemd.verity_usr_*' kernel command line
parameters in the man pages for veritysetup-generator and
kernel-command-line
|
|
If 'usrhash' is present as a kernel command line parameter, use the usr
mapper device for usr mount
|
|
If 'usrhash' is present as a kernel command line parameter, generate a
veritysetup service for usr.
Also recognize systemd.verity_usr_* parameters.
|
|
Similar to the kmsg handler, let's also limit the number of fields
we parse from audit messages.
Fixes #19799
|
|
4e767154891083069a58c5c960f386974ad87fb4 added a slightly different UUID
in the header and in the docs. This makes the code match the docs.
> As some downstream projects are already using the UUID as in the docs, most
> notably util-linux [1], we should adjust code to match doc; no shipping
> LoongArch systems are using upstream systemd, and no open-source distro is
> merging LoongArch support yet, so the change should break no one. This also
> matches the work being done by @yetist at loongarch64/systemd#7.
[1] https://github.com/util-linux/util-linux/commit/2d29fccaad267d1b003dc0ed2bb9634ff76f3e49
|
|
This adds a helper script:
$ python3 tools/list-discoverable-partitions.py <src/shared/gpt.h
<!-- generated with tools/list-discoverable-partitions.py -->
| Partition Type UUID | Name | Allowed File Systems | Explanation |
|---------------------|------|----------------------|-------------|
| _Root Partition (Alpha)_ | `6523f8ae-3eb1-4e2a-a05a-18b695ae656f` | [Root Partition] | [Root Partition more] |
| _Root Partition (ARC)_ | `d27f46ed-2919-4cb8-bd25-9531f3c16534` | ditto | ditto |
...
The output can be pasted into the markdown file. I think this works better than
trying to match the two lists by hand.
|
|
"arm64" is generally written without the underscore.
|
|
I don't think we want people to send us pull requests over the next two years.
Let's just make something up ourselves, this is going to have at least as good
results, and will be much quicker.
Note that this only includes architectures for which there's some indication
that they are in active use. In architecture.h there are some more esoteric
ones like ARC_BE. We can add those if there's some actual user demand.
In particular, I included everything on the Debian "List of official ports" [1]
and a few other arches that we have received patches for in recent times.
[1] https://www.debian.org/ports/#portlist-released
|
|
The existing verify_hash_table() function is renamed to
verify_data_hash_table() since it only verifies the data hash table.
The verify information is also made a little more detailed by splitting
one of the checks in two.
|
|
It's just too annoying to add new ones otherwise.
|
|
Readers are most likely to want to go from a partition id to the uuid,
so put the uuid second.
|
|
This is based on the information in #14311 and
https://refspecs.linuxfoundation.org/LSB_3.2.0/LSB-Core-S390X/LSB-Core-S390X.pdf
and https://wiki.debian.org/Multiarch/Tuples.
Fixes #14311.
|
|
$ ls -l /lib /lib64
ls: cannot access '/lib64': No such file or directory
lrwxrwxrwx. 1 root root 7 Jan 26 2021 /lib -> usr/lib
$ ldd /bin/sh|grep ld
/lib/ld-linux-armhf.so.3 (0xb6f80000)
|
|
https://wiki.debian.org/ArchitectureSpecificsMemo shows the triplet, but not the
linker paths. I used the linker path from Fedora.
$ ls -l /lib /lib64
lrwxrwxrwx. 1 root root 7 Aug 13 2020 /lib -> usr/lib
lrwxrwxrwx. 1 root root 9 Aug 13 2020 /lib64 -> usr/lib64
$ ldd /bin/sh|grep ld
/lib/ld-linux-riscv64-lp64d.so.1 (0x0000003fb8185000)
$ ls -l /lib/ld-linux-riscv64-lp64d.so.1
lrwxrwxrwx 1 root root 19 Aug 4 19:28 /lib/ld-linux-riscv64-lp64d.so.1 -> ../lib64/ld-2.32.so
$ uname -r
5.10.6+
So even though the canonical linker path uses /lib/, we need the /lib64 symlink
to be present.
|
|
https://wiki.debian.org/ArchitectureSpecificsMemo shows the triplet, but not the
linker paths. I used the linker path from Fedora, but I can't look up the
linker paths for BE and 32 bit. At least the ifdef scaffolding is provided, so
it should be trivial to fill in if somebody has access to such a system.
$ ls -l /lib /lib64
lrwxrwxrwx. 1 root root 7 Jan 26 2021 /lib -> usr/lib
lrwxrwxrwx. 1 root root 9 Jan 26 2021 /lib64 -> usr/lib64
$ ldd /bin/sh|grep ld
/lib64/ld64.so.2 (0x00007fffa0a90000)
$ uname -r
5.14.9-200.fc34.ppc64le
Note that the macro defines listed in the wiki page don't match what I get
on Fedora: __PPC64__ vs. __ppc64__.
$ cpp -dM < /dev/null |grep -iE '__(powerpc|ppc)'|sort
#define __powerpc__ 1
#define __powerpc64__ 1
#define __PPC__ 1
#define __PPC64__ 1
First half of the fix for #14311.
|
|
https://wiki.debian.org/ArchitectureSpecificsMemo:
> arm64 aarch64-linux-gnu 64 AARCH64 /lib/ld-linux-aarch64.so.1 aarch64 aarch64
Fedora:
$ ls -l /lib /lib64
lrwxrwxrwx. 1 root root 7 Jul 27 2020 /lib -> usr/lib
lrwxrwxrwx. 1 root root 9 Jul 27 2020 /lib64 -> usr/lib64
$ ldd /bin/sh|grep ld
/lib/ld-linux-aarch64.so.1 (0x0000ffff8c905000)
$ ls -l /lib/ld-linux-aarch64.so.1 /lib64/ld-2.32.so
lrwxrwxrwx. 1 root root 19 Jul 13 07:28 /lib/ld-linux-aarch64.so.1 -> ../lib64/ld-2.32.so
-rwxr-xr-x. 1 root root 961248 Jul 13 07:56 /lib64/ld-2.32.so
$ uname -r
5.14.16-101.fc33.aarch64
So we need both /lib and /lib64 to be present, even though the canonical linker
path uses /lib.
|
|
I think this is going to be very annoying for our downstream maintainers.
Let's at least provide the ifdef scaffolding so that only filling in the
actual entries remains. The structure is copied from missing_syscall.h.
|