| Commit message (Collapse) | Author | Age |
|---|
| ... | |
| |
|
|
|
|
| |
Let's add a common implementation for regular file checks, that are
careful to return the right error code (EISDIR/EISLNK/EBADFD) when we
are encountering a wrong file node.
|
| | |
|
| |
|
|
| |
Follow up for review of #8184.
|
| |
|
|
|
| |
We're moving towards unified cgroup hierarchy where this is not necessary.
This makes main.c a bit simpler.
|
| |
|
|
|
|
| |
config_parse_join_controllers would free the destination argument on failure,
which is contrary to our normal style, where failed parsing has no effect.
Moving it to shared also allows a test to be added.
|
| |
|
|
|
|
| |
The arguments have to be indentical everywhere, so let's use a macro to
make things more readable. But only in the headers, in the .c files let's
keep them verbose so that it's easy to see the argument list.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Coverity now started warning about this ("Calling unlinkat without checking
return value (as is done elsewhere 12 out of 15 times).", and it is right:
most of the time we should at list print a log message so people can figure
out something is wrong when this happens.
v2:
- use warning level in journald too (this is unlikely to happen ever, so it
should be safe to something that is visible by default).
|
| |
|
|
|
|
|
| |
This usually is very annoying to users who then cannot log in, so
make sure we always warn if that happens (selinux, or whatever other reason).
This reverts a790812cb349c5cef95d1b4a20fc80ca08d3a145.
|
| |
|
|
|
| |
Those files don't contain any @variables@, so the configuration step was just
copying them to build/. Let's avoid that, and fix their suffixes while at it.
|
| |
|
|
|
| |
This file is now undergoing just one transformation, so drop the unnecessary
suffix.
|
| |
|
|
|
|
|
| |
* Don't merge translations into the files
* Add gettext-domain="systemd" to description and message
Closes #8162, replaces #8118.
|
| | |
|
| |
|
|
|
| |
This makes it easy to set the default for distributions and users which want to
default to off because they primarily use older kernels.
|
| | |
|
| |
|
|
|
| |
Let's normalize the behaviour: return a negative errno style error code,
and return the resolved string directly as argument.
|
| |
|
|
|
| |
Also, make sure when we run in a container, we don't use the data from
/sys at all, but immediately fall back to /dev/console itself.
|
| |
|
|
|
|
|
| |
The password prompt used to be highlighted, and that was a good thing.
Let's fix things to make the prompt highlighted again.
Fixes: #3853
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
|
| |
terminal features
Let's forget all relevant terminal features we learnt when we make a
console or /dev/null stdin/stdout/stderr.
Also, while we are at it, let's drop the various _unlikely_ and
_likely_ annotiations around the terminal feature caches. In many cases
we call the relevant functions only once in which cases the annotations
are likely to do just harm and no good. After all we can't know if the
specific code will call us just once or many times...
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
| |
This modernizes acquire_terminal() in a couple of ways:
1. The three boolean arguments are replaced by a flags parameter, that
should be more descriptive in what it does.
2. We now properly handle inotify queue overruns
3. We use _cleanup_ for closing the fds now, to shorten the code quite a
bit.
Behaviour should not be altered by this.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
units
This adds a new bus call to service and scope units called
AttachProcesses() that moves arbitrary processes into the cgroup of the
unit. The primary user for this new API is systemd itself: the systemd
--user instance uses this call of the systemd --system instance to
migrate processes if itself gets the request to migrate processes and
the kernel refuses this due to access restrictions.
The primary use-case of this is to make "systemd-run --scope --user …"
invoked from user session scopes work correctly on pure cgroupsv2
environments. There, the kernel refuses to migrate processes between two
unprivileged-owned cgroups unless the requestor as well as the ownership
of the closest parent cgroup all match. This however is not the case
between the session-XYZ.scope unit of a login session and the
user@ABC.service of the systemd --user instance.
The new logic always tries to move the processes on its own, but if
that doesn't work when being the user manager, then the system manager
is asked to do it instead.
The new operation is relatively restrictive: it will only allow to move
the processes like this if the caller is root, or the UID of the target
unit, caller and process all match. Note that this means that
unprivileged users cannot attach processes to scope units, as those do
not have "owning" users (i.e. they have now User= field).
Fixes: #3388
|
| |
|
|
|
| |
Let's make debugging easier, by synthesizing a name when we have some
indication what kind of bus this is.
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
|
| |
This reworks is_kernel_thread() a bit. Instead of checking whether
/proc/$pid/cmdline is entirely empty we now parse the 'flags' field from
/proc/$pid/stat and check the PF_KTHREAD flag, which directly encodes
whether something is a kernel thread.
Why all this? With current kernels userspace processes can set their
command line to empty too (through PR_SET_MM_ARG_START and friends), and
could potentially confuse us. Hence, let's use a more reliable way to
detect kernels like this.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
scope and service units only
Currently we allowed delegation for alluntis with cgroup backing
except for slices. Let's make this a bit more strict for now, and only
allow this in service and scope units.
Let's also add a generic accessor unit_cgroup_delegate() for checking
whether a unit has delegation turned on that checks the new bool first.
Also, when doing transient units, let's explcitly refuse turning on
delegation for unit types that don#t support it. This is mostly
cosmetical as we wouldn't act on the delegation request anyway, but
certainly helpful for debugging.
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
| |
This new helper not only removes a file from a directory but also
ensures its space on disk is deallocated, by either punching a hole over
the full file or truncating the file afterwards if the file's link
counter is 0. This is useful in "vacuuming" algorithms to ensure that
client's can't keep the disk space the vacuuming is supposed to recover
pinned simply by keeping an fd open to it.
|
| | |
|
| |
|
|
|
|
| |
path
Let's make use of our new hash_ops!
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is similar to string_hash_ops but operates one file system paths
specifically. It will ensure that "/foo//bar" and "///foo/bar" are
considered to be the same path for hashmap purposes.
This makes use of the existing path_compare() API, and adds a matching
hashing function for it.
Note that relative and absolute paths will hash to different values,
however whether the path is suffixed with a slash or not is not
detected. This matches the existing path_compare() behaviour, and
follows the logic that on Linux there can't be two different objects at
path /foo/bar and /foo/bar/ either.
|
| |
|
|
|
| |
We should assign a value only in the .c file, not in both the .c and .h
file.
|
| |
|
|
|
| |
We have similar code in stat-util.[ch] and managing this at a central
place almost definitely is the better choice.
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
|
|
| |
The only use of socknameinfo_pretty() is in src/journal-remote/journal-remote.c,
to determine the output filename.
Replaces #8120.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This adds some paranoia code that moves some of the fds we allocate for
longer periods of times to fds > 2 if they are allocated below this
boundary. This is a paranoid safety thing, in order to avoid that
external code might end up erroneously use our fds under the assumption
they were valid stdin/stdout/stderr. Think: some app closes
stdin/stdout/stderr and then invokes 'fprintf(stderr, …' which causes
writes on our fds.
This both adds the helper to do the moving as well as ports over a
number of users to this new logic. Since we don't want to litter all our
code with invocations of this I tried to strictly focus on fds we keep
open for long periods of times only and only in code that is frequently
loaded into foreign programs (under the assumptions that in our own
codebase we are smart enough to always keep stdin/stdout/stderr
allocated to avoid this pitfall). Specifically this means all code used
by NSS and our sd-xyz API:
1. our logging APIs
2. sd-event
3. sd-bus
4. sd-resolve
5. sd-netlink
This changed was inspired by this:
https://github.com/systemd/systemd/issues/8075#issuecomment-363689755
This shows that apparently IRL there are programs that do close
stdin/stdout/stderr, and we should accomodate for that.
Note that this won't fix any bugs, this just makes sure that buggy
programs are less likely to interfere with out own code.
|
| |
|
|
|
|
|
|
| |
This change adds support for controlling the suspend-on-lid-close
behaviour based on the power status as well as whether the machine is
docked or has an external monitor. For backwards compatibility the new
configuration file variable is ignored completely by default, and must
be set explicitly before being considered in any decisions.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
we still invoke ssh unnecessarily when there in incompatible or erreneous input
The fallow-up to finish that would make the code a bit more verbose,
as it would require repeating this bit:
```
r = bus_connect_transport(arg_transport, arg_host, false, &bus);
if (r < 0) {
log_error_errno(r, "Failed to create bus connection: %m");
goto finish;
}
sd_bus_set_allow_interactive_authorization(bus, arg_ask_password);
```
in every verb, after parsing.
v2: add waitpid() to avoid a zombie process, switch to SIGTERM from SIGKILL
v3: refactor, wait in bus_start_address()
|
| | |
|
| | |
|
| | |
|
| |
|
|
|
| |
This is very similar to d16a1c1bb6. For tmpfiles this is much less useful
compared to sysusers, but let's add this anyway for consistency.
|
| |
|
|
|
|
|
|
|
| |
We have the raw_getpid() definition in place anyway, and it's certainly
beneficial to expose the same semantics on pre glibc 2.24 and after it
too, hence always bypass glibc for this, and always cache things on our
side.
Fixes: #8113
|
| |
|
|
| |
Also make functions static if possible.
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
When used in a package installation script, we want to invoke systemd-sysusers
before that package is installed (so it can contain files owned by the newly
created user), so the configuration to use is specified on the command
line. This should be a copy of the configuration that will be installed as
/usr/lib/sysusers.d/package.conf. We still want to obey any overrides in
/etc/sysusers.d or /run/sysusers.d in the usual fashion. Otherwise, we'd get a
different result when systemd-sysusers is run with a copy of the new config on
the command line and when systemd-sysusers is run at boot after package
instalation. In the second case any files in /etc or /run have higher priority,
so the same should happen when the configuration is given on the command line.
More generally, we want the behaviour in this special case to be as close to
the case where the file is finally on disk as possible, so we have to read all
configuration files, since they all might contain overrides and additional
configuration that matters. Even files that have lower priority might specify
additional groups for the user we are creating. Thus, we need to read all
configuration, but insert our new configuration somewhere with the right
priority.
If --target=/path/to/file.conf is given on the command line, we gather the list
of files, and pretend that the command-line config is read from
/path/to/file.conf (doesn't matter if the file on disk actually exists or
not). All package scripts should use this option to obtain consistent and
idempotent behaviour.
The corner case when --target= is specified and there are no positional
arguments is disallowed.
v1:
- version with --config-name=
v2:
- disallow --config-name= and no positional args
v3:
- remove --config-name=
v4:
- add --target= and rework the code completely
v5:
- fix argcounting bug and add example in man page
v6:
- rename --target to --replace
|
