This way we can unify handling of credentials that are attached to
messages, or can be queried for bus name owners or connection peers.
This also adds the ability to extend incomplete credential information
with data from /proc,
Also, provide a convenience call that will automatically determine the
most appropriate credential object for an incoming message, by using the
the attached information if possible, the sending name information if
available and otherwise the peer's credentials.
This reverts commit adcf4c81c5.
We have a better solution for the problem of making two processes run in
the same namespace, and --listener is not needed hence and should be
dropped.
Conflicts:
man/systemd-socket-proxyd.xml
This field is always false, drop it. If you want a reliable way to get
session state, call session_get_state(). Testing for any flags directly
doesn't work currently so don't pretend it would.
Sessions on seat0 must pass us a vtnr, otherwise, you shouldn't try
attaching it to seat0. For seats without VTs, we do the exact opposite: we
forbid VTs.
There can be odd situations if the session-files contain invalid
combinations. However, we try to keep sessions alive and restore state as
good as possible.
Fix the whole code to use "unsigned int" for vtnr. 0 is an invalid vtnr so
we don't need negative numbers at all.
Note that most code already assumes it's unsigned so in case there's a
negative vtnr, our code may, under special circumstances, silently break.
So this patch makes sure all sources of vtnrs verify the validity. Also
note that the dbus api already uses unsigned ints.
EPOLLET enables edge-triggered mode (see epoll(7) for more). For most
use-cases, level-triggered is just fine, but for master-TTYs we need
edge-triggered to catch EPOLLHUP. master-TTYs signal EPOLLHUP if no client
is connected, but a client may connect some time later (same happens
during vhangup(2)).
However, epoll doesn't allow masking EPOLLHUP so it's signaled constantly.
To avoid this, edge-triggered mode is needed.
If a session process calls TakeControl(), we now put the VT into
KD_GRAPHICS+K_OFF mode. This way, the new session controller can solely
rely on the logind-dbus API to manage the session.
Once the controller exits or calls ReleaseControl(), we restore the VT. We
also restore it, if we lost a controller during crash/restart (but only if
there really *was* a controller previously).
Note that we also must put the VT into VT_PROCESS mode. We want VT_AUTO
semantics, but VT_AUTO+KD_GRAPHICS actually disables *all* VT switches
(who came up with that great idea?). Hence, we set VT_PROCESS for logind
but acknowledge *all* requests immediately.
If a compositor wants custom VT setups, they can still get this by *first*
calling TakeControl() and afterwards setting up the VT. logind doesn't
touch the VT during controller runtime, only during setup/teardown. This
is actually what weston already does.
We now save the unique bus-name of a session-controller as CONTROLLER=%s
in the session files. This allows us to restore the controller after a
crash or restart.
Note that we test whether the name is still valid (dbus guarantees that
the name is unique as long as the machine is up and running). If it is,
we know that the controller still exists and can safely restore it. Our
dbus-name-tracking guarantees that we're notified once it exits.
Also note that session-devices are *not* restored. We have no way to know
which devices where used before the crash. We could store all these on
disk, too, or mark them via udev. However, this seems to be rather
cumbersome. Instead, we expect controllers to listen for NewSession
signals for their own session. This is sent on session_load() and they can
then re-request all devices.
The only race I could find is if logind crashes, then the session
controller tries calling ReleaseControl() (which will fail as logind is
down) but keeps the bus-connection valid for other independent requests.
If logind is restarted, it will restore the old controller and thus block
the session.
However, this seems unlikely for several reasons:
- The ReleaseControl() call must occur exactly in the timespan where
logind is dead.
- A process which calls ReleaseControl() usually closes the
bus-connection afterwards. Especially if ReleaseControl() fails, the
process should notice that something is wrong and close the bus.
- A process calling ReleaseControl() usually exits afterwards. There may
be any cleanup pending, but other than that, usual compositors exit.
- If a session-controller calls ReleaseControl(), a session is usually
considered closing. There is no known use-case where we hand-over
session-control in a single session. So we don't care whether the
controller is locked afterwards.
So this seems negligible.
Unfortunately, close() on a revoked/removed character-device fails with
ENODEV. I tried tracking this down in the kernel, but couldn't figure out
were exactly it comes from. However, can be easily reproduced with:
fd = open("/dev/input/event0", O_RDWR);
ioctl(fd, EVIOCREVOKE, 0);
r = close(fd);
A second close on @fd would return EBADF so the close is actually valid.
We simply ignore close() errors for all session-devices as their access
may be revoked asynchronously, or the device might get unplugged.
We use close_nointr() in case anyone ever looks at the return value (or
anyone runs "grep 'close(' -r src/" to find broken close() calls).
Fixes:
systemd-logind[31992]: Assertion 'close_nointr(fd) == 0' failed at src/shared/util.c:185, function close_nointr_nofail(). Aborting.
Existing applications like gdm already depend on new sessions to get
immediately activated on seats without VTs. Fixes a bug reported as:
[systemd-devel] systemd 208:trouble with inactive user sessions at non-seat0 seats
This patch restores the original behavior. We either need to add a new
flag for session-creation or some other heuristic to avoid activating new
sessions in the future.
This reverts commit adcf4c81c5.
We have a better solution for the problem of making two processes run in
the same namespace, and --listener is not needed hence and should be
dropped.
Conflicts:
man/systemd-socket-proxyd.xml
* library support for setns() system call was added to glibc
version 2.14 (setns() call is use in src/machine/machinectl.c
and src/libsystemd-bus-container.c)
* utf8 validation call are already exported (via sd-utf8.c file) -
commit - 369c583b3f
let's just do a single fallocate() as far as possible, and don't
distuingish between allocated space and file size.
This way we can save a syscall for each append, which makes quite some
benefits.
It's better not to set any XDG_RUNTIME_DIR at all rather than one of a
different user. So let's do this.
This changes the bus call parameters of CreateSession(), but that is
explicitly an internal API hence should be fine. Note however, that a
logind restart (the way the RPM postinst scriptlets do it) is necessary
to make things work again.
Lennart Poettering