Otherwise we get a (harmless) message like:
systemd-logind[30845]: Failed to process message [type=signal sender=:1.36 path=/org/freedesktop/systemd1/job/4674 interface=org.freedesktop.DBus.Properties member=PropertiesChanged signature=sa{sv}as]: Invalid argument
The session_send_create_reply() function which notifies clients about
session creation is used for both session and user units. Unify the
shared code in a new function session_jobs_reply().
The session_save() will be called unconditionally on sessions since it
does not make sense to only call it if '!session->started', this will
also allow to update the session state as soon as possible.
Simplify the shutdown logic a bit:
- Keep the session FIFO around in the PAM module, even after the session
shutdown hook has been finished. This allows logind to track precisely
when the PAM handler goes away.
- In the ReleaseSession() call start a timer, that will stop terminate
the session when elapsed.
- Never fiddle with the KillMode of scopes to configure whether user
processes should be killed or not. Instead, simply leave the scope
units around when we terminate a session whose processes should not be
killed.
- When killing is enabled, stop the session scope on FIFO EOF or after
the ReleaseSession() timeout. When killing is disabled, simply tell
PID 1 to abandon the scope.
Because the scopes stay around and hence all processes are always member
of a scope, the system shutdown logic should be more robust, as the
scopes can be shutdown as part of the usual shutdown logic.
This is initialized from XDG_SESSION_DESKTOP and is useful for GNOME
to recognize its own sessions. It's supposed to be set to a short string
identifying the session, such as "kde" or "gnome".
Introduces a new concept of "trusted" vs. "untrusted" busses. For the
latter libsystemd-bus will automatically do per-method access control,
for the former all access is automatically granted. Per-method access
control is encoded in the vtables: by default all methods are only
accessible to privileged clients. If the SD_BUS_VTABLE_UNPRIVILEGED flag
is set for a method it is accessible to unprivileged clients too. By
default whether a client is privileged is determined via checking for
its CAP_SYS_ADMIN capability, but this can be altered via the
SD_BUS_VTABLE_CAPABILITY() macro that can be ORed into the flags field
of the method.
Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED and
SD_BUS_VTABLE_CAPABILITY() for controlling write access to them. Note
however that read access is unrestricted, as PropertiesChanged messages
might send out the values anyway as an unrestricted broadcast.
By default the system bus is set to "untrusted" and the user bus is
"trusted" since per-method access control on the latter is unnecessary.
On dbus1 busses we check the UID of the caller rather than the
configured capability since the capability cannot be determined without
race. On kdbus the capability is checked if possible from the attached
meta-data of a message and otherwise queried from the sending peer.
This also decorates the vtables of the various daemons we ship with
these flags.
This way we can unify handling of credentials that are attached to
messages, or can be queried for bus name owners or connection peers.
This also adds the ability to extend incomplete credential information
with data from /proc,
Also, provide a convenience call that will automatically determine the
most appropriate credential object for an incoming message, by using the
the attached information if possible, the sending name information if
available and otherwise the peer's credentials.
This field is always false, drop it. If you want a reliable way to get
session state, call session_get_state(). Testing for any flags directly
doesn't work currently so don't pretend it would.
Sessions on seat0 must pass us a vtnr, otherwise, you shouldn't try
attaching it to seat0. For seats without VTs, we do the exact opposite: we
forbid VTs.
There can be odd situations if the session-files contain invalid
combinations. However, we try to keep sessions alive and restore state as
good as possible.
Fix the whole code to use "unsigned int" for vtnr. 0 is an invalid vtnr so
we don't need negative numbers at all.
Note that most code already assumes it's unsigned so in case there's a
negative vtnr, our code may, under special circumstances, silently break.
So this patch makes sure all sources of vtnrs verify the validity. Also
note that the dbus api already uses unsigned ints.
It's better not to set any XDG_RUNTIME_DIR at all rather than one of a
different user. So let's do this.
This changes the bus call parameters of CreateSession(), but that is
explicitly an internal API hence should be fine. Note however, that a
logind restart (the way the RPM postinst scriptlets do it) is necessary
to make things work again.
Message handler callbacks can be simplified drastically if the
dispatcher automatically replies to method calls if errors are returned.
Thus: add an sd_bus_error argument to all message handlers. When we
dispatch a message handler and it returns negative or a set sd_bus_error
we send this as message error back to the client. This means errors
returned by handlers by default are given back to clients instead of
rippling all the way up to the event loop, which is desirable to make
things robust.
As a side-effect we can now easily turn the SELinux checks into normal
function calls, since the method call dispatcher will generate the right
error replies automatically now.
Also, make sure we always pass the error structure to all property and
method handlers as last argument to follow the usual style of passing
variables for return values as last argument.
This patch converts PID 1 to libsystemd-bus and thus drops the
dependency on libdbus. The only remaining code using libdbus is a test
case that validates our bus marshalling against libdbus' marshalling,
and this dependency can be turned off.
This patch also adds a couple of things to libsystem-bus, that are
necessary to make the port work:
- Synthesizing of "Disconnected" messages when bus connections are
severed.
- Support for attaching multiple vtables for the same interface on the
same path.
This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus
calls which used an inappropriate signature.
As a side effect we will now generate PropertiesChanged messages which
carry property contents, rather than just invalidation information.
Since the invention of read-only memory, write-only memory has been
considered deprecated. Where appropriate, either make use of the
value, or avoid writing it, to make it clear that it is not used.
We currently use seat_can_multi_session() to test for two things:
* whether the seat can handle session-switching
* whether the seat has VTs
As both are currently logically equivalent, we didn't care. However, we
want to allow session-switching on seats without VTs, so split this helper
into:
* seat_can_multi_session(): whether session-switching is supported
* seat_has_vts(): whether the seat has VTs
Note that only one seat on a system can have VTs. There is only one set of
them. We automatically assign them to seat0 as usual.
With this patch in place, we can easily add new session-switching/tracking
methods without breaking any VT code as it is now protected by has_vts(),
no longer by can_multi_session().
The seat->vtconsole member always points to the default seat seat0. Even
if VTs are disabled, it's used as default seat. Therefore, rename it to
seat0 to correctly state what it is.
This also changes the seat files in /run from IS_VTCONSOLE to IS_SEAT0. It
wasn't used by any code, yet, so this seems fine.
While we are at it, we also remove every "if (s->vtconsole)" as this
pointer is always valid!
A session usually has only a single compositor or other application that
controls graphics and input devices on it. To avoid multiple applications
from hijacking each other's devices or even using the devices in parallel,
we add session controllers.
A session controller is an application that manages a session. Specific
API calls may be limited to controllers to avoid others from getting
unprivileged access to restricted resources. A session becomes a
controller by calling the RequestControl() dbus API call. It can drop it
via ReleaseControl().
logind tracks bus-names to release the controller once an application
closes the bus. We use the new bus-name tracking to do that. Note that
during ReleaseControl() we need to check whether some other session also
tracks the name before we remove it from the bus-name tracking list.
Currently, we only allow one controller at a time. However, the public API
does not enforce this restriction. So if it makes sense, we can allow
multiple controllers in parallel later. Or we can add a "scope" parameter,
which allows a different controller for graphics-devices, sound-devices
and whatever you want.
Note that currently you get -EBUSY if there is already a controller. You
can force the RequestControl() call (root-only) to drop the current
controller and recover the session during an emergency. To recover a seat,
this is not needed, though. You can simply create a new session or
force-activate it.
To become a session controller, a dbus caller must either be root or the
same user as the user of the session. This allows us to run a session
compositor as user and we no longer need any CAP_SYS_ADMIN.
If we want to track bus-names to allow exclusive resource-access, we need
a way to get notified when a bus-name is gone. We make logind watch for
NameOwnerChanged dbus events and check whether the name is currently
watched. If it is, we remove it from the watch-list (notification for
other objects can be added in follow-up patches).
bash ignores SIGTERM, and can only be terminated cleanly via SIGHUP.
Hence make sure that we the scope unit for the session is created with
SendSIGHUP enabled.
As we want to centralized cgroup access we should stop killing the user
sessions directly from the systemd-user-sessions service. Instead, rely
on PID 1 doing this by adding the right ordering dependencies to the
session scope units.
When PID 1 reloads the units logind/machined will see UnitRemoved
signals for all units. Instead of trusting these immediately, let's
check the actual unit state before considering a unit gone, so that
reloading PID 1 is not mistaken as the end of all sessions.
Embedded folks don't need the machine registration stuff, hence it's
nice to make this optional. Also, I'd expect that machinectl will grow
additional commands quickly, for example to join existing containers and
suchlike, hence it's better keeping that separate from loginctl.
In order to prepare things for the single-writer cgroup scheme, let's
make logind use systemd's own primitives for cgroup management.
Every login user now gets his own private slice unit, in which his sessions
live in a scope unit each. Also, add user@$UID.service to the same
slice, and implicitly start it on first login.
- This changes all logind cgroup objects to use slice objects rather
than fixed croup locations.
- logind can now collect minimal information about running
VMs/containers. As fixed cgroup locations can no longer be used we
need an entity that keeps track of machine cgroups in whatever slice
they might be located. Since logind already keeps track of users,
sessions and seats this is a trivial addition.
- nspawn will now register with logind and pass various bits of metadata
along. A new option "--slice=" has been added to place the container
in a specific slice.
- loginctl gained commands to list, introspect and terminate machines.
- user.slice and machine.slice will now be pulled in by logind.service,
since only logind.service requires this slice.
A new config file /etc/systemd/sleep.conf is added.
It is parsed by systemd-sleep and logind. The strings written
to /sys/power/disk and /sys/power/state can be configured.
This allows people to use different modes of suspend on
systems with broken or special hardware.
Configuration is shared between systemd-sleep and logind
to enable logind to answer the question "can the system be
put to sleep" as correctly as possible without actually
invoking the action. If the user configured systemd-sleep
to only use 'freeze', but current kernel does not support it,
logind will properly report that the system cannot be put
to sleep.
https://bugs.freedesktop.org/show_bug.cgi?id=57793https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=7e73c5ae6e7991a6c01f6d096ff8afaef4458c36http://lists.freedesktop.org/archives/systemd-devel/2013-February/009238.html
SYSTEM_CONFIG_FILE and USER_CONFIG_FILE defines were removed
since they were used in only a few places and with the
addition of /etc/systemd/sleep.conf it becomes easier to just
append the name of each file to the dir name.
Containers will now carry a label (normally derived from the root
directory name, but configurable by the user), and the container's root
cgroup is /machine/<label>. This label is called "machine name", and can
cover both containers and VMs (as soon as libvirt also makes use of
/machine/).
libsystemd-login can be used to query the machine name from a process.
This patch also includes numerous clean-ups for the cgroup code.
Previously for cases like "su" or "sudo" where a session is attempted to
be created from within an existing one we used the audit session ID to
detect this and in such a case we simple returned the session data of
the original session a second time.
With this change we will now use the cgroup path of the calling path to
determine the old session, i.e. we only rely on our own session
identification scheme, instead of audits.
We will continue to keep the audit session ID and ours in sync however,
to avoid unnecessary confusion.
Occasionally people report problem with reboot/poweroff operations hanging in
the middle. One known cause is when a new transaction to start a unit is
enqueued while the shutdown is going on. The start of the unit conflicts with
the shutdown jobs, so they get cancelled. The failure case can be quite unpleasant,
becase getty and sshd may already be stopped.
Fix it by using irreversible jobs for shutdown (reboot/poweroff/...) actions.
This applies to commands like "reboot", "telinit 6", "systemctl reboot". Should
someone desire to use reversible jobs, they can say "systemctl start reboot.target".`
- Don't allow any locks to be taken while we are in the process of
executing the specific operation, so that apps are not surprised if a
suspend/shutdown happens while they rely on their inhibitor.
- Get rid of the Resumed signal, it was a bad idea, and redundant due to
PrepareForSleep(false), see below.
- Always send out PrepareFor{Shutdown,Sleep} signals, instead of only if
a delay lock is taken.
- Move PrepareForSleep(false) after we come back from the suspend, so
that apps can use this as "Resumed" notification. This also has the
benefit that apps know when to take a new lock.
This allows clients to get asynchronous notifications for user-requested
suspend/hibernate cycles. Kernel-triggered automatic suspending is not
covered.
[Tested in latest gnome-ostree; if accepted, I'll look at a followup
patch which fixes the other dbus_connection_send(reply, ...) calls
besides logind]
DBus messages can have a flag NO_REPLY associated that means "I don't
need a reply". This is for efficiency reasons - for one-off requests
that can't return an error, etc.
However, it's up to users to manually check
dbus_message_get_no_reply() from a message. libdbus will happily send
out a reply if you don't.
Unfortunately, doing so is not just less efficient - it also triggers
a security error, for complex reasons. This is something that will
eventually be fixed in dbus, but it's also correct to handle it in
client applications.
This new helper API is slightly nicer in that you don't have to pass
NULL to say you don't want a reply serial for your reply.
This patch also tweaks logind to use the API - there are more areas of
the code that need this treatment too.
The MESSAGE_ID=... stanza will appear in countless number of places.
It is just too long to write it out in full each time.
Incidentally, this also fixes a typo of MESSSAGE is three places.
The "$action-multiple-sessions" polkit actions are defined as
"$action while other users are logged in". To me this implies that the
following sessions should not count:
- greeter sessions
- user sessions belonging to the same user as the one who's asking
Not sure how to treat class SESSION_LOCK_SCREEN. I never have these.
I just ignore every class that's not SESSION_USER.
https://bugzilla.redhat.com/show_bug.cgi?id=814424
This takes handling of chassis power and sleep keys as well as the lid
switch over from acpid.
This logic is enabled by default for power and sleep keys, but not for
the lid switch.
If a graphical session is in the foreground no action is taken under the
assumption that the graphical session does this.
We finally got the OK from all contributors with non-trivial commits to
relicense systemd from GPL2+ to LGPL2.1+.
Some udev bits continue to be GPL2+ for now, but we are looking into
relicensing them too, to allow free copy/paste of all code within
systemd.
The bits that used to be MIT continue to be MIT.
The big benefit of the relicensing is that closed source code may now
link against libsystemd-login.so and friends.
For clean session endings ask logind explicitly to get rid of the FIFO
before closing it so that the FIFO logic doesn't result in su/sudo to be
terminated immediately.
This introduces the new PAM environment variable XDG_SESSION_CLASS. If
not set, defaults to "user".
This is useful for apps that want to distuingish real user logins from
"fake" ones which just exist to show a gdm login screen or a lock
screen.
The way the various properties[] arrays are initialized is inefficient:
- only the .data members change at runtime, yet the whole arrays of
properties with all the fields are constructed on the stack one by
one by the code.
- there's duplication, eg. the properties of "org.freedesktop.systemd1.Unit"
are repeated in several unit types.
Fix it by moving the information about properties into static const
sections. Instead of storing the .data directly in the property, store
a constant offset from a run-time base.
The small arrays of struct BusBoundProperties bind together the constant
information with the right runtime information (the base pointer).
On my system the code shrinks by 60 KB, data increases by 10 KB.
