summaryrefslogtreecommitdiff
path: root/src
Commit message (Collapse)AuthorAge
* test-ellipsize: add tests for ellipsize_mem, fix bugsZbigniew Jędrzejewski-Szmek2018-08-24
| | | | | | | | | | | | | | First, ellipsize() and ellipsize_mem() should not read past the input buffer. Those functions take an explicit length for the input data, so they should not assume that the buffer is terminated by a nul. Second, ellipsization was off in various cases where wide on multi-byte characters were used. We had some basic test for ellipsize(), but apparently it wasn't enough to catch more serious cases. Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=8686.
* basic/string-util: make ellipsize() inlineZbigniew Jędrzejewski-Szmek2018-08-24
| | | | | Once the redundant check is removed, it's a very simple wrapper around ellipsize_mem().
* login: log session state "closing" (as well as New/Removed)Alan Jenkins2018-08-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Let's show a message at the time of logout i.e. entering the "closing" state, not just e.g. once the user closes `tmux` and the session can be removed completely. (At least when KillUserProcesses=no applies. My thinking was we can spare the log noise if we're killing the processes anyway). These are two independent events. I think the logout event is quite significant in the session lifecycle. It will be easier for a user who does not know logind details to understand why "Removed session" doesn't appear at logout time, if we have a specific message we can show at this time :). Tested using tmux and KillUserProcesses=no. I can also confirm the extra message doesn't show when using KillUserProcesses=yes. Maybe it looks a bit mysterious when you use KillOnlyUsers= / KillExcludeUsers=, but hopefully not alarmingly so. I was looking at systemd-logind messages on my system, because I can reproduce two separate problems with Gnome on Fedora 28 where sessions are unexpectedly in state "closing". (One where a GUI session limps along in a degraded state[1], and another where spice-vdagent is left alive after logout, keeping the session around[2]). It logged when sessions were created and removed, but it didn't log when the session entered the "closing" state. [1] https://bugzilla.redhat.com/show_bug.cgi?id=1583240#c1 [2] https://bugzilla.redhat.com/show_bug.cgi?id=1583261 Closes #9096
* conf-parser: remove redundant utf8-validity checkYu Watanabe2018-08-24
|
* conf-parse: use free_and_replace()Yu Watanabe2018-08-24
| | | | Also removes unnecessary empty lines.
* conf-parser: reject utf8-invalid linesYu Watanabe2018-08-24
|
* conf-parse: use path_simplify_and_warn() in config_parse_path()Yu Watanabe2018-08-24
|
* path-util: introduce path_simplify_and_warn()Yu Watanabe2018-08-24
|
* path-util: make path_make_relative() support path including dotsYu Watanabe2018-08-24
|
* path-util: introduce path_simplify()Yu Watanabe2018-08-24
| | | | | | | | The function is similar to path_kill_slashes() but also removes initial './', trailing '/.', and '/./' in the path. When the second argument of path_simplify() is false, then it behaves as the same as path_kill_slashes(). Hence, this also replaces path_kill_slashes() with path_simplify().
* time-util: fix build with gcc8 -Werror=format-truncation=Martin Jansa2018-08-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | * it fails with gcc8 when -O1 or -Os is used (and -ftree-vrp which is added by -O2 and higher isn't used) ../git/src/basic/time-util.c: In function 'format_timespan': ../git/src/basic/time-util.c:508:46: error: '%0*llu' directive output between 1 and 2147483647 bytes may cause result to exceed 'INT_MAX' [-Werror=format-truncation=] "%s"USEC_FMT".%0*"PRI_USEC"%s", ^~~~ ../git/src/basic/time-util.c:508:60: note: format string is defined here "%s"USEC_FMT".%0*"PRI_USEC"%s", ../git/src/basic/time-util.c:508:46: note: directive argument in the range [0, 18446744073709551614] "%s"USEC_FMT".%0*"PRI_USEC"%s", ^~~~ ../git/src/basic/time-util.c:507:37: note: 'snprintf' output 4 or more bytes (assuming 2147483651) into a destination of size 4294967295 k = snprintf(p, l, ^~~~~~~~~~~~~~ "%s"USEC_FMT".%0*"PRI_USEC"%s", ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ p > buf ? " " : "", ~~~~~~~~~~~~~~~~~~~ a, ~~ j, ~~ b, ~~ table[i].suffix); ~~~~~~~~~~~~~~~~ cc1: some warnings being treated as errors [zj: change 'char' to 'signed char']
* basic: set errno in raw_clone() on sparcMike Gilbert2018-08-24
| | | | | | | | sparc sets the carry bit when a syscall fails. Use this information to set errno and return -1 as appropriate. The added test case calls raw_clone() with flags known to be invalid according to the clone(2) manpage.
* process-util: also filter non-printable characters in get_process_com()Lennart Poettering2018-08-24
| | | | | | | | | | | | We already do that in get_process_cmdline(), which is very similar in behaviour otherwise. Hence, let's be safe and also filter them in get_process_comm(). Let's try to retain as much information as we can though and escape rather than suppress unprintable characters. Let's not increase comm names beyond the kernel limit on such names however. Also see discussion about this here: https://marc.info/?l=linux-api&m=152649570404881&w=2
* string-util: tweak cellescape() a bitLennart Poettering2018-08-24
| | | | | | | | | | | | | For short buffer sizes cellescape() was a bit wasteful, as it might suffice to to drop a single character to find enough place for the full four byte ellipsis, if that one character was a four character escape. With this rework we'll guarantee to drop the minimum number of characters from the end to fit in the ellipsis. If the buffers we write to are large this doesn't matter much. However, if they are short (as they are when talking about the process comm field) then it starts to matter that we put as much information as we can in the space we get.
* escape: add an explanatory comment about buffer sizesLennart Poettering2018-08-24
|
* missing: define kernel internal limit TASK_COMM_LEN in userspace tooLennart Poettering2018-08-24
| | | | | We already use it at two places, and we are about to add one too. Arbitrary literally hardcoded limits suck.
* process-util: mention that wait_for_terminate_with_timeout() should be ↵Lennart Poettering2018-08-24
| | | | called with SIGCHLD blocked
* Use const char* for timestamp strings which we don't plan to modifyZbigniew Jędrzejewski-Szmek2018-08-24
| | | | Makes the intent a bit clearer.
* Always allow timestamps to be printedZbigniew Jędrzejewski-Szmek2018-08-24
| | | | | | | | | | If the timestamp is above 9999-12-30, (or 2038-something-something on 32 bit), use XXXX-XX-XX XX:XX:XX as the replacement. The problem with refusing to print timestamps is that our code accepts such timestamps, so we can't really just refuse to process them afterwards. Also, it makes journal files non-portable, because suddently we might completely refuse to print entries which are totally OK on a different machine.
* basic/random-util: do not use getrandom() under msanEvgeny Vereshchagin2018-08-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | `fuzz-journal-remote` seems to be failing under `msan` as soon as it starts: $ sudo infra/helper.py run_fuzzer systemd fuzz-journal-remote Running: docker run --rm -i --privileged -e FUZZING_ENGINE=libfuzzer -v /home/vagrant/oss-fuzz/build/out/systemd:/out -t gcr.io/oss-fuzz-base/base-runner run_fuzzer fuzz-journal-remote Using seed corpus: fuzz-journal-remote_seed_corpus.zip /out/fuzz-journal-remote -rss_limit_mb=2048 -timeout=25 /tmp/fuzz-journal-remote_corpus -max_len=65536 < /dev/null INFO: Seed: 3380449479 INFO: Loaded 2 modules (36336 inline 8-bit counters): 36139 [0x7ff36ea31d39, 0x7ff36ea3aa64), 197 [0x9998c8, 0x99998d), INFO: Loaded 2 PC tables (36336 PCs): 36139 [0x7ff36ea3aa68,0x7ff36eac7d18), 197 [0x999990,0x99a5e0), INFO: 2 files found in /tmp/fuzz-journal-remote_corpus INFO: seed corpus: files: 2 min: 4657b max: 7790b total: 12447b rss: 97Mb Uninitialized bytes in __interceptor_pwrite64 at offset 24 inside [0x7fffdd4d7230, 240) ==15==WARNING: MemorySanitizer: use-of-uninitialized-value #0 0x7ff36e685e8a in journal_file_init_header /work/build/../../src/systemd/src/journal/journal-file.c:436:13 #1 0x7ff36e683a9d in journal_file_open /work/build/../../src/systemd/src/journal/journal-file.c:3333:21 #2 0x7ff36e68b8f6 in journal_file_open_reliably /work/build/../../src/systemd/src/journal/journal-file.c:3520:13 #3 0x4a3f35 in open_output /work/build/../../src/systemd/src/journal-remote/journal-remote.c:70:13 #4 0x4a34d0 in journal_remote_get_writer /work/build/../../src/systemd/src/journal-remote/journal-remote.c:136:21 #5 0x4a550f in get_source_for_fd /work/build/../../src/systemd/src/journal-remote/journal-remote.c:183:13 #6 0x4a46bd in journal_remote_add_source /work/build/../../src/systemd/src/journal-remote/journal-remote.c:235:13 #7 0x4a271c in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-journal-remote.c:36:9 #8 0x4f27cc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:524:13 #9 0x4efa0b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:448:3 #10 0x4f8e96 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:732:7 #11 0x4f9f73 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:752:3 #12 0x4bf329 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:756:6 #13 0x4ac391 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #14 0x7ff36d14982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) #15 0x41f9d8 in _start (/out/fuzz-journal-remote+0x41f9d8) Uninitialized value was stored to memory at #0 0x7ff36e61cd41 in sd_id128_randomize /work/build/../../src/systemd/src/libsystemd/sd-id128/sd-id128.c:288:16 #1 0x7ff36e685cec in journal_file_init_header /work/build/../../src/systemd/src/journal/journal-file.c:426:13 #2 0x7ff36e683a9d in journal_file_open /work/build/../../src/systemd/src/journal/journal-file.c:3333:21 #3 0x7ff36e68b8f6 in journal_file_open_reliably /work/build/../../src/systemd/src/journal/journal-file.c:3520:13 #4 0x4a3f35 in open_output /work/build/../../src/systemd/src/journal-remote/journal-remote.c:70:13 #5 0x4a34d0 in journal_remote_get_writer /work/build/../../src/systemd/src/journal-remote/journal-remote.c:136:21 #6 0x4a550f in get_source_for_fd /work/build/../../src/systemd/src/journal-remote/journal-remote.c:183:13 #7 0x4a46bd in journal_remote_add_source /work/build/../../src/systemd/src/journal-remote/journal-remote.c:235:13 #8 0x4a271c in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-journal-remote.c:36:9 #9 0x4f27cc in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:524:13 #10 0x4efa0b in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:448:3 #11 0x4f8e96 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:732:7 #12 0x4f9f73 in fuzzer::Fuzzer::Loop(std::__1::vector<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> >, fuzzer::fuzzer_allocator<std::__1::basic_string<char, std::__1::char_traits<char>, std::__1::allocator<char> > > > const&) /src/libfuzzer/FuzzerLoop.cpp:752:3 #13 0x4bf329 in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:756:6 #14 0x4ac391 in main /src/libfuzzer/FuzzerMain.cpp:20:10 #15 0x7ff36d14982f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f) Uninitialized value was created by an allocation of 't' in the stack frame of function 'sd_id128_randomize' #0 0x7ff36e61cb00 in sd_id128_randomize /work/build/../../src/systemd/src/libsystemd/sd-id128/sd-id128.c:274 SUMMARY: MemorySanitizer: use-of-uninitialized-value /work/build/../../src/systemd/src/journal/journal-file.c:436:13 in journal_file_init_header Exiting MS: 0 ; base unit: 0000000000000000000000000000000000000000 artifact_prefix='./'; Test unit written to ./crash-847911777b3096783f4ee70a69ab6d28380c810b [vagrant@localhost oss-fuzz]$ sudo infra/helper.py check_build --sanitizer=memory systemd Running: docker run --rm -i --privileged -e FUZZING_ENGINE=libfuzzer -e SANITIZER=memory -v /home/vagrant/oss-fuzz/build/out/systemd:/out -t gcr.io/oss-fuzz-base/base-runner test_all INFO: performing bad build checks for /out/fuzz-dhcp-server. INFO: performing bad build checks for /out/fuzz-journal-remote. INFO: performing bad build checks for /out/fuzz-unit-file. INFO: performing bad build checks for /out/fuzz-dns-packet. 4 fuzzers total, 0 seem to be broken (0%). Check build passed. It's a false positive which is most likely caused by https://github.com/google/sanitizers/issues/852. I think it could be got around by avoiding `getrandom` when the code is compiled with `msan`
* basic/journal-importer: escape & ellipsize bad data in log entriesZbigniew Jędrzejewski-Szmek2018-08-24
| | | | | | | We shouldn't just log arbitrary stuff, in particular newlines and control chars Now: Unknown dunder line __CURSORFACILITY=6\nSYSLOG_IDENTIFIER=/USR/SBIN/CRON\nMES…, ignoring. Unknown dunder line __REALTIME_TIME[TAMP=1404101101501874\n__MONOTONIC_TIMEST…, ignoring.
* basic/string-util: add a convenience function to cescape mostly-ascii fieldsZbigniew Jędrzejewski-Szmek2018-08-24
| | | | | | | | | It's not supposed to be the most efficient, but instead fast and simple to use. I kept the logic in ellipsize_mem() to use unicode ellipsis even in non-unicode locales. I'm not quite convinced things should be this way, especially that with this patch it'd actually be simpler to always use "…" in unicode locale and "..." otherwise, but Lennart wanted it this way for some reason.
* basic/journal-importer: do not write non-unicode char to logZbigniew Jędrzejewski-Szmek2018-08-24
| | | | | The type of cescape_char() is changed to int to make it easier to use in "%.*s". We know the value is between 1 and 4, so size_t is overkill.
* sd-id128: return -ENOMEDIUM on null idZbigniew Jędrzejewski-Szmek2018-08-24
| | | | | | | | | We currently return -ENOMEDIUM when /etc/machine-id is empty, and -EINVAL when it is all zeros. But -EINVAL is also used for invalid args. The distinction between empty and all-zero is not very important, let's use the same return code. Also document -ENOENT and -ENOMEDIUM since they can be a bit surprising.
* tree-wide: make use of memory_startswith() at various placesLennart Poettering2018-08-24
|
* string-util: add new memory_startswith() helperLennart Poettering2018-08-24
| | | | | We have code like this at various placer, let's make things shorter and more readable with a helper for it.
* socket-util: rename parse_socket_address_bind_ipv6_only_or_bool() to ↵Yu Watanabe2018-08-24
| | | | | | | socket_address_bind_ipv6_only_or_bool_from_string() Hence, we can define config_parse_socket_bind() by using DEFINE_CONFIG_PARSE_ENUM() macro.
* conf-parser: introduce DEFINE_CONFIG_PARSE*() macrosYu Watanabe2018-08-24
| | | | | | | | This introduces several macros for defining config parsers. Also this fixes errno in DEFINE_CONFIG_PARSE_ENUM() and _ENUMV() and makes the log level lower when a duplicated item is specified to the settings parsed by the function defined by DEFINE_CONFIG_PARSE_ENUMV().
* smack: make mac_smack_fix() deal somewhat sensible with non-absolute pathsLennart Poettering2018-08-24
| | | | | | | | | | | This tries to improve the mac_smack_fix() logic a bit, by properly handling non-absolute paths. It's still pretty broken though, which is sad for security technology: non-normalized paths (for example "/usr/../dev/sda") will still not be treated correctly. I am not sure how to fix that properly though, and I don't understand SMACK well enough to do so. This fix hence just fixes to most obvious glaring issue.
* sd-bus: make add match method callback slot "floating"Lennart Poettering2018-08-24
| | | | | | | | | | | | | | | | When we allocate an asynchronous match object we will allocate an asynchronous bus call object to install the match server side. Previously the call slot would be created as regular slot, i.e. non-floating which meant installing the match even if it was itself floating would result in a non-floating slot to be created internally, which ultimately would mean the sd_bus object would be referenced by it, and thus never be freed. Let's fix that by making the match method callback floating in any case as we have no interest in leaving the bus allocated beyond the match slot. Fixes: #8551
* bus-slot: for bus slot objects with no explicit description use the match ↵Lennart Poettering2018-08-24
| | | | | | | string as description Let's make debugging a but easier with implicit descriptions for some match objects.
* sd-bus: add new sd_bus_slot_set_floating() callLennart Poettering2018-08-24
| | | | | | | | | | This new call allows explicit control of the "floating" state of a bus slot object. This is useful for creating a bus slot object first, retaining a reference to it, using it for making changes to the slot object (for example, set a description) and then handing it over to sd-bus for lifecycle management. It's also useful to fix #8551.
* tree-wide: fix typo in comments and NEWSYu Watanabe2018-08-24
|
* conf-parser: add a bit more whitespaceLennart Poettering2018-08-24
| | | | | | | | We usually seperate case statements within a switch from each other by empty lines. We also often add an empty line after multi-line function prototypes, let's do so here too Also, no trailing ; after }...
* meson: test out headers with more standard versionsZbigniew Jędrzejewski-Szmek2018-08-24
| | | | They all pass fine, but let's keep testing regularly.
* sd-bus: use _cleanup_ moreZbigniew Jędrzejewski-Szmek2018-08-24
|
* journalctl: add with-unit modeLuca Boccassi2018-08-24
| | | | | | | | | | When dealing with a large number of template instances, for example when launching daemons per VRF, it is hard for operators to correlate log lines to arguments. Add a new with-unit mode which, if available, prefixes unit and user unit names when displaying its log messages instead of the syslog identifier. It will also use the full timestamp with timezones, like the short-full mode.
* tree-wide: drop unused variablesYu Watanabe2018-08-24
| | | | Follow-ups for #8620.
* add new portable service frameworkLennart Poettering2018-08-24
| | | | | | | | | | | This adds a small service "systemd-portabled" and a matching client "portablectl", which implement the "portable service" concept. The daemon implements the actual operations, is PolicyKit-enabled and is activated on demand with exit-on-idle. Both the daemon and the client are an optional build artifact, enabled by default rhough.
* machined: move bus_reply_pair_array() into generic utilitiesLennart Poettering2018-08-24
| | | | This way, we can reuse it in portabled.
* conf-files: beef up conf-files.[ch] a bitLennart Poettering2018-08-24
| | | | | | | | | | | | | | | | | | | | | | | | | | | This adds fozr new flags: - If CONF_FILES_DIRECTORY is specified conf_file_list() and friends will look for directories only. - Similar CONF_FILES_REGULAR means we'll look only for regular files. - If CONF_FILES_BASENAME is specified the resulting list will contain only the basenames of all discovered files or directories, not the full paths. - If CONF_FILES_FILTER_MASKED is specified the resulting list will have masked entries removed (i.e. those symlinked to /dev/null and suchlike) These four flags are useful for discovering portable service profile information. While we are at it, also improve a couple of other things: - More debug logging - use path_hash_ops instead of string_hash_ops when putting together the path lists
* fileio: make sure read_full_stream() works on memory-backed streamsLennart Poettering2018-08-24
|
* os-util: add helpers for finding /etc/os-releaseLennart Poettering2018-08-24
| | | | | Place this new helpers in a new source file os-util.[ch], and move the existing and related call path_is_os_tree() to it as well.
* fileio: add parse_env_filev() that is like parse_env_file() but takes a va_listLennart Poettering2018-08-24
|
* fileio: accept FILE* in addition to path in parse_env_file()Lennart Poettering2018-08-24
| | | | | | | Most our other parsing functions do this, let's do this here too, internally we accept that anyway. Also, the closely related load_env_file() and load_env_file_pairs() also do this, so let's be systematic.
* process-util: add a new FORK_MOUNTNS_SLAVE flag for safe_fork()Lennart Poettering2018-08-24
| | | | | | | | We already have a flag for creating a new mount namespace for the child. Let's add an extension to that: a new FORK_MOUNTNFS_SLAVE flag. When used in combination will mark all mounts in the child namespace as MS_SLAVE so that the child can freely mount or unmount stuff but it won't leak into the parent.
* fd-util: add new helper call fd_duplicate_data_fd()Lennart Poettering2018-08-24
| | | | | | | | | | | | This call creates an fd from another fd containing the same data. Specifically, repeated read() on the returned fd should return the same data as the original fd. This call is useful when we want to copy data out of disk images and suchlike, and want to be pass fds with the data around without having to keep the disk image continously mounted. The implementation tries to be somewhat smart and tries to prefer memfds/pipes over files in /tmp or /var/tmp based on the size of the data, but has appropropriate fallbacks in place.
* basic: fix raw_clone() on 32-bit sparcMike Gilbert2018-08-24
| | | | | | | The clone syscall uses the same semantics as on 64-bit. The trap number for syscall entry is different. Bug: https://bugs.gentoo.org/656368
* load-fragment: allow to specify RestrictNamespaces= multiple timesYu Watanabe2018-08-24
| | | | | If multiple RestrictNamespaces= settings are set, then merge the settings. This also drops supporting "~yes" and "~no".
* nsflsgs: drop namespace_flag_{from,to}_string()Yu Watanabe2018-08-24
| | | | | | This also drops namespace_flag_to_string_many_with_check(), and renames namespace_flag_{from,to}_string_many() to namespace_flags_{from,to}_string().