path: root/src/core/selinux-access.c
Commit message / Author / Age
* remove unused includes (Thomas Hindoe Paaboel Andersen, 2015-02-23)
  This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.
* Add a snprintf wrapper which checks that the buffer was big enough (Zbigniew Jędrzejewski-Szmek, 2015-02-01)
  If we scale our buffer to be wide enough for the format string, we should expect that the calculation was correct. char_array_0() invocations are removed, since snprintf nul-terminates the output in any case. A similar wrapper is used for strftime calls, but only in timedatectl.c.
* bus: use EUID over UID and fix unix-creds (David Herrmann, 2015-01-18)
  Whenever a process performs an action on an object, the kernel uses the EUID of the process to do permission checks and to apply on any newly created objects. The UID of a process is only used if someone *ELSE* acts on the process. That is, the UID of a process defines who owns the process, the EUID defines what privileges are used by this process when performing an action.

  Process limits, on the other hand, are always applied to the real UID, not the effective UID. This is because a process has a user object linked, which always corresponds to its UID. A process never has a user object linked for its EUID. Thus, accounting (and limits) is always done on the real UID.

  This commit fixes all sd-bus users to use the EUID when performing privilege checks and the like. Furthermore, it fixes unix-creds to be parsed as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone using UID (e.g., to do user-accounting) has to fall back to the EUID as UDS does not transmit the UID.
* treewide: another round of simplifications (Michal Schmidt, 2014-11-28)
  Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".
* treewide: use log_*_errno whenever %m is in the format string (Michal Schmidt, 2014-11-28)
  If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged.

  Using:

      find . -name '*.[ch]' | xargs sed -r -i -e \
        's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/'

  Plus some whitespace, linewrap, and indent adjustments.
* selinux: log selinux log messages with LOG_AUTH facility (Lennart Poettering, 2014-11-27)
* log: rearrange log function naming (Lennart Poettering, 2014-11-27)
  - Rename log_meta() → log_internal(), to follow naming scheme of most other log functions that are usually invoked through macros, but never directly.
  - Rename log_info_object() to log_object_info(), simply because the object should be before any other parameters, to follow OO-style programming style.
* log: add an "error" parameter to all low-level logging calls and introduce log_error_errno() as log calls that take error numbers (Lennart Poettering, 2014-11-27)
  This change has two benefits:
  - The format string %m will now resolve to the specified error (or to errno if the specified error is 0). This allows getting rid of a ton of strerror() invocations, a function that is not thread-safe.
  - The specified error can be passed to the journal in the ERRNO= field.

  Now of course, we just need somebody to convert all cases of this:

      log_error("Something happened: %s", strerror(-r));

  into thus:

      log_error_errno(-r, "Something happened: %m");
* core: make sure we have enough information when doing selinux decisions (Lennart Poettering, 2014-11-26)
  Let's ask for the security relevant bits in a race-free way, and augment the rest from /proc.
* mac: add mac_ prefix to distinguish origin security apis (WaLyong Cho, 2014-10-28)
* selinux: make sure we do not try to print missing fields (Zbigniew Jędrzejewski-Szmek, 2014-10-27)
  UID or GID of 0 is valid, so we cannot use that to distinguish whether calls to sd_bus_creds_get_* succeeded, and the return value from the function is the only way to know about missing fields. Print "n/a" if the fields are missing.

  CID #1238779
* mac: also rename use_{smack,selinux,apparmor}() calls so that they share the new mac_{smack,selinux,apparmor}_xyz() convention (Lennart Poettering, 2014-10-23)
* systemctl: add add-wants and add-requires verbs (Lukas Nykryn, 2014-10-08)
* selinux: fix build for non-selinux systems (Lennart Poettering, 2014-05-15)
* core: no need to pass bus object to selinux access check calls anymore (Lennart Poettering, 2014-05-14)
* bus: add new sd_bus_creds object to encapsulate process credentials (Lennart Poettering, 2013-11-28)
  This way we can unify handling of credentials that are attached to messages, or can be queried for bus name owners or connection peers.

  This also adds the ability to extend incomplete credential information with data from /proc. Also, provide a convenience call that will automatically determine the most appropriate credential object for an incoming message, by using the attached information if possible, the sending name information if available and otherwise the peer's credentials.
* bus: rework message handlers to always take an error argument (Lennart Poettering, 2013-11-21)
  Message handler callbacks can be simplified drastically if the dispatcher automatically replies to method calls if errors are returned. Thus: add an sd_bus_error argument to all message handlers. When we dispatch a message handler and it returns negative or a set sd_bus_error we send this as message error back to the client.

  This means errors returned by handlers by default are given back to clients instead of rippling all the way up to the event loop, which is desirable to make things robust.

  As a side-effect we can now easily turn the SELinux checks into normal function calls, since the method call dispatcher will generate the right error replies automatically now.

  Also, make sure we always pass the error structure to all property and method handlers as last argument to follow the usual style of passing variables for return values as last argument.
* src/core/selinux-access: #include <sys/socket.h> (Daniel Mack, 2013-11-21)
  Fixes the following build errors on Fedora 20:

      CC       src/core/libsystemd_core_la-selinux-access.lo
    src/core/selinux-access.c: In function 'get_audit_data':
    src/core/selinux-access.c:245:22: error: storage size of 'ucred' isn't known
            struct ucred ucred;
                         ^
    src/core/selinux-access.c:259:9: warning: implicit declaration of function 'getsockopt' [-Wimplicit-function-declaration]
            r = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &ucred, &len);
            ^
    src/core/selinux-access.c:259:28: error: 'SOL_SOCKET' undeclared (first use in this function)
            r = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &ucred, &len);
                               ^
    src/core/selinux-access.c:259:28: note: each undeclared identifier is reported only once for each function it appears in
    src/core/selinux-access.c:259:40: error: 'SO_PEERCRED' undeclared (first use in this function)
            r = getsockopt(fd, SOL_SOCKET, SO_PEERCRED, &ucred, &len);
                                           ^
    src/core/selinux-access.c:245:22: warning: unused variable 'ucred' [-Wunused-variable]
            struct ucred ucred;
                         ^
    make[2]: *** [src/core/libsystemd_core_la-selinux-access.lo] Error 1
    make[1]: *** [all-recursive] Error 1
    make: *** [all] Error 2
* core: convert PID 1 to libsystemd-bus (Lennart Poettering, 2013-11-20)
  This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off.

  This patch also adds a couple of things to libsystemd-bus, that are necessary to make the port work:
  - Synthesizing of "Disconnected" messages when bus connections are severed.
  - Support for attaching multiple vtables for the same interface on the same path.

  This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature.

  As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.
* macro: clean up usage of gcc attributes (Lennart Poettering, 2013-10-16)
  Always use our own macros, and name all our own macros the same style.
* selinux-access: move GPL to LGPL licence (Kay Sievers, 2013-08-14)
  On Wed, Aug 14, 2013 at 10:31 PM, Daniel J Walsh <dwalsh@redhat.com> wrote:
  > On 08/14/2013 04:17 PM, Kay Sievers wrote:
  > >
  > > this patch added GPL code to systemd, which otherwise is all LGPL. We need
  > > to make sure we can always split out any code to a separate shared library
  > > ...
  > >
  > > Mind if I switch your src/core/selinux-access.[ch] files to LGPL?
  > I have no problem with it. Should be LGPL anyways.
* Add __attribute__((const, pure, format)) in various places (Zbigniew Jędrzejewski-Szmek, 2013-05-02)
  I'm assuming that it's fine if a _const_ or _pure_ function calls assert. It is assumed that the assert won't trigger, and even if it does, it can only trigger on the first call with a given set of parameters, and we don't care if the compiler moves the order of calls.
* selinux: use a dynamically sized string when generating audit messages (Lennart Poettering, 2013-02-13)
  https://bugzilla.redhat.com/show_bug.cgi?id=883043
* systemd: fix uninitialized memory access in selinux (Zbigniew Jędrzejewski-Szmek, 2013-02-07)
    ==6129== Syscall param socketcall.getsockopt(optlen) points to uninitialised byte(s)
    ==6129==    at 0x312D0F325A: getsockopt (syscall-template.S:81)
    ==6129==    by 0x4615E6: get_audit_data (selinux-access.c:268)
    ==6129==    by 0x461A81: selinux_access_check (selinux-access.c:394)
    ==6129==    by 0x453B23: bus_manager_message_handler (dbus-manager.c:1395)
    ==6129==    by 0x313581D9C4: _dbus_object_tree_dispatch_and_unlock (dbus-object-tree.c:862)
    ==6129==    by 0x313580FC1F: dbus_connection_dispatch (dbus-connection.c:4672)
    ==6129==    by 0x44CD4C: bus_dispatch (dbus.c:528)
    ==6129==    by 0x41292F: manager_loop (manager.c:1573)
    ==6129==    by 0x40CD8E: main (main.c:1735)
    ==6129==  Address 0x7fefff2c0 is on thread 1's stack
* selinux: we don't need that many debug messages by default (Lennart Poettering, 2013-01-25)
* selinux-access: Delete debugging message logged as an error (Colin Walters, 2013-01-25)
  I don't see why this should be logged at all, so let's delete it.
* systemctl,loginctl,cgls: do not ellipsize cgroup members when --full is specified (Lukas Nykryn, 2013-01-16)
  New file output.h with output flags and modes. --full parameter also for cgls and loginctl. Include 'all' parameter in flags (show_cgroup_by_path, show_cgroup, show_cgroup_and_extra, show_cgroup_and_extra_by_spec). get_process_cmdline with max_length == 0 will not ellipsize output. Replace LINE_MAX with 0 in some calls of get_process_cmdline.

  [zj: Default to --full when under pager for cgls. Drop '-f' since it wasn't documented and didn't actually work. Reindent a bit.]
* systemd: use structured logging for unit changes (Zbigniew Jędrzejewski-Szmek, 2012-10-18)
  Information about which unit a log entry pertains to enables systemctl status to display more log messages.
* SELinux patch still broken, in that we are not checking the correct source context. This patch does the dbus calls correctly. (Daniel J Walsh, 2012-10-16)
* selinux: properly free dbus error (Lennart Poettering, 2012-10-03)
* selinux: remove anything PID1-specific from selinux-access.[ch] so that we can reuse it in logind (Lennart Poettering, 2012-10-02)
* audit: turn the audit fd into a static variable (Lennart Poettering, 2012-10-02)
  As audit is pretty much just a special kind of logging we should treat it similar, and manage the audit fd in a static variable. This simplifies the audit fd sharing with the SELinux access checking code quite a bit.
* selinux: rework selinux access check logic (Lennart Poettering, 2012-10-02)
  a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions
  b) implement the access checking with a macro that resolves to nothing on non-selinux builds
  c) split out the selinux checks into their own sources selinux-util.[ch]
  d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().
* selinux: fix various problems (Daniel J Walsh, 2012-09-28)
* selinux: use standard D-Bus error id for access denied (Lennart Poettering, 2012-09-24)
* core: call va_end in all cases (Lukas Nykryn, 2012-09-21)
* selinux: rework method tail, make it into a nulstr array (Lennart Poettering, 2012-09-18)
* selinux: use existing library calls for audit data (Lennart Poettering, 2012-09-18)
* selinux: prefer source path over fragment path (Lennart Poettering, 2012-09-18)
* selinux: add bus service access control (Daniel J Walsh, 2012-09-18)
  This patch adds the ability to look at the calling process that is trying to do dbus calls into systemd, then it checks with the SELinux policy to see if the calling process is allowed to do the activity.

  The basic idea is we want to allow NetworkManager_t to be able to start and stop ntpd.service, but not necessarily mysqld.service. Similarly we want to allow a root admin webadm_t that can only manage the apache environment. systemctl enable httpd.service, systemctl disable iptables.service bad.

  To make this code cleaner, we really need to refactor the dbus-manager.c code. This has just become a huge if-then-else blob, which makes doing the correct check difficult.