Also, when we fail, don't clobber the return value.
This brings the call more in-line with our usual coding style, and
removes surprises.
None of the callers seemed to care about this behaviour.
That way we can pin a specific inode and analyze it and manipulate it
without it being swapped out beneath our hands.
Fixes a vulnerability originally found by Jann Horn from Google.
CVE-2018-15687
LP: #1796692https://bugzilla.redhat.com/show_bug.cgi?id=1639076
When we start a service process we pass the selected watchdog timeout to
it with the $WATCHDOG_USEC environment variable. If the unit file is
reconfigured later, we need to make sure to continue to honour the
original timeout, i.e. watch $WATCHDOG_USEC was set to, otherwise we'll
expect the ping at a different time as the service process is sending it
to us.
Hence, whenever we start a unit, save the watchdog timeout, and stick to
that for everything we do.
Fixes: #9467
Let's make sure we always use the right watchdog timeout: when a service
has overwritten it, then stick to it, also for follow-up processes of
the same service.
This was mostly prompted by seeing the expression "in_initrd() && flags
& PROC_CMDLINE_RD_STRICT", which uses & and && without any brackets.
Let's make that a bit more readable and hide all doubts about operator
precedence.
Let's be more careful with what we serialize: let's ensure we never
serialize strings that are longer than LONG_LINE_MAX, so that we know we
can read them back with read_line(…, LONG_LINE_MAX, …) safely.
In order to implement this all serialization functions are move to
serialize.[ch], and internally will do line size checks. We'd rather
skip a serialization line (with a loud warning) than write an overly
long line out. Of course, this is just a second level protection, after
all the data we serialize shouldn't be this long in the first place.
While we are at it also clean up logging: while serializing make sure to
always log about errors immediately. Also, (void)ify all calls we don't
expect errors in (or catch errors as part of the general
fflush_and_check() at the end.
The predicate function manager_timestamp_shall_serialize() simply says
whether to serialize or not serialize a timestamp, and should make
things a bit easier to read.
This should be much better than fgets(), as we can read substantially
longer lines and overly long lines result in proper errors.
Fixes a vulnerability discovered by Jann Horn at Google.
CVE-2018-15686
LP: #1796402https://bugzilla.redhat.com/show_bug.cgi?id=1639071
"killing" is very UNIX terminology, and not really what this is about.
Let's be more correct and say "send a UNIX signal" for the operation.
Otherwise things are really weird if users call "journalctl --rotate"
from the command line, which internally asks systemd to send SIGUSR2 to
to journald: when german locale is selected this asks the user — roughly
transliterated — whether they want to "eliminate" journald, which is
definitely not the intended meaning.
Before this when asked for rotation we'd only rotate files we have open
anyway. However there might be a number of other files on disk that are
active (i.e. not archived yet) but not open. Let's take care of those
too, so that rotation is always comprehensive, and the user gets the
guarantee that afterthe rotation all stored data is in archived files.
Fixes: #1017
journalctl --vacuum-*= only vacuums archived files. To archive all
active files the rotate operation is used. Let's add a new switch that
combines both, so that the user a single command to first move all
running journal files into archival and then vacuum them.
See: #1017
Let's split out the part that actually renames the file in case we can't
open it into a new function journal_file_dispose().
This way we can reuse the function in other cases where we want to open
a file but can't.
Let's split the function in three: the part where we archive the old
file into journal_file_archive(), and the part where we initiate the
deferred closing into journal_file_initiate_close().
journal_file_rotate() then simply becomes a wrapper around these two
calls, and the opening of the new journal file.
This useful so that we can archive journal files without having to open
new ones, i.e. to do only the archival part of the rotation, without the
rotation part.
Let's store array sizes and indexes in size_t. And let's count numbers
of files in uint64_t (simply because that is the type of the input
parameter for this of the function)
journald calls fd_get_path() a lot (it probably shouldn't, there's some
room for improvement there, but I'll leave that for another time), hence
it's worth optimizing the call a bit, in particular as it's easy.
Previously we'd open the dir /proc/self/fd/ first, before reading the
symlink inside it. This means the whole function requires three system
calls: open(), readlinkat(), close(). The reason for doing it this way
is to distinguish the case when we see ENOENT because /proc is not
mounted and the case when the fd doesn't exist.
With this change we'll directly go for the readlink(), and only if that
fails do an access() to see if /proc is mounted at all.
This optimizes the common case (where the fd is valid and /proc
mounted), in favour of the uncommon case (where the fd doesn#t exist or
/proc is not mounted).
I noticed while profiling journald that we invoke readlinkat() a ton on
open /proc/self/fd/<fd>, and that the returned paths are more often than
not longer than the 99 chars used before, when we look at archived
journal files. This means for these cases we generally need to execute
two rather than one syscalls.
Let's increase the buffer size a tiny bit, so that we reduce the number
of syscalls executed. This is really a low-hanging fruit of
optimization.
Our current set of flags allows an option to be either
use just in initrd or both in initrd and normal system.
This new flag is intended to be used in the case where
you want apply some settings just in initrd or just
in normal system.
Don't add an implicit RequiresMountsFor depenency for the
WorkingDirectory of a unit if the "-" character was used to
indicate that "a missing working directory is not considered fatal"
(see systemd.exec(5)). Otherwise systemd might fail the unit
because of missing dependencies.
This doesn't change anything in the generated source, but I think makes
semantically more sense, as these structures have undefined size, and we
only want to know the size up to the data field in these cases.
First of all, let's fix logging: let's simply log the same message as we
do on success, so that there's always the same pair of these messages
around, regardless if the suspend was successful or not. To distuingish
a successful suspend from a failed one, check the ERRNO= field of the
structured message.
In most ways a failed suspend cycle is not distuingishable from a
successful one that took no time, hence let's treat it this way, and
always pair the success message with a failure message.
This also changes a more important concept: the post-suspend callouts
are now called also called on failure, following the same logic: let's
always run them in pairs: for every pre callout a post callout has to
follow.
Let's be a tiny bit more careful here.
Also, let's rearrange things to simplify them a bit, and to not use "r"
outside of its immediate scope of validity.
Also, let's rename it to rtc_write_wake_alarm(). Both changes together
make sure rtc_write_wake_alarm() and rtc_read_time() are more alike in
their naming and semantics.
Follow-up for 1fd2786161.
This fixes the following warning when built by clang:
```
../src/reply-password/reply-password.c:76:21 warning: variable 'length' is used uninitialized whenever 'if' condition is true [-Wsometimes-uninitialized]
```
Fixes CID#1396281 and CID#1396277.
This fixes the following journal layout issue:
```
Oct 22 15:26:02 systemd-udevd[348]: RUN '/usr/sbin/setregdomain' /usr/lib/udev/rules.d/85-regulatory.rules:5
Oct 22 15:26:02 [439]: Starting '/usr/sbin/setregdomain'
Oct 22 15:26:02 systemd-udevd[348]: Process '/usr/sbin/setregdomain' succeeded.
```
This is useful for a couple of cases, I'm mostly interested in case #1:
1. Verifying "reasonable" values in a trivially scriptable way
2. Debugging unexpected time span parsing directly
Test Plan:
```
% build/systemd-analyze timespan 20
Original: 20
μs: 20
Human: 20us
% build/systemd-analyze timespan 20ms
Original: 20ms
μs: 20000
Human: 20ms
% build/systemd-analyze timespan 20z
Failed to parse time span '20z': Invalid argument
```
When running a read-only file system, we might not be able to create
/var/log/journal. Do not fail on this, unless actually requested by the
--link-journal options.
$ systemd-nspawn --image=image.squashfs ...
This is might be useful in some cases, but it's primarily an example for
a boot check service that can be plugged before boot-complete.target.
It's disabled by default.
All it does is check whether the failed unit count is zero
This makes two changes:
1. When called for "remove" any drop-ins with "+" suffix are removed
too, so that the logic works for entries with boot counting enabled
too and we don't lose track of configuration snippets created that
way.
2. When called for "add" we optionally generate a "+" suffix, based on
the data in /etc/kernel/tries if it exists.
This basically means after "echo 5 > /etc/kernel/tries" any installed
kernels will automatically set up for 5 boot tries before older
kernels will be tried.
This is the counterpiece to the boot counting implemented in
systemd-boot: if a boot is detected as successful we mark drop the
counter again from the booted snippet or kernel image.
When journald reaches the maximum number of active streams, it,
basically, starts to decline new connections. On the client
side it can be detected by getting EPIPE and, if the writing
process isn't lucky enough, getting SIGPIPE soon afterwards.
systemd has always ignored EPIPE, which makes it very hard
to keep track of services losing logs. This patch should make
it easier to detect such services by just staring at the logs
carefully.
In case anyone is interested, the following one-liner run as any user
can be used to paralyze all the stream logging on a machine:
for i in {1..4096}; do systemd-cat -t HEY-$i & done
Since both LLVM and gcc supported this for a long time, we are not
adding a fallback compat kludge. And even if there's some relevant
compiler that doesn't know this concept, it'll fail with a compiler
error, and we'll fix it then.
As suggested by @keszybz:
https://github.com/systemd/systemd/pull/10174#discussion_r226266540
For the definition of assert_cc() we try to use static_assert and check
for it with "#ifdef". But that can only work if assert.h is imported
before. Hence let's do so.
This is a nice little optimization when using static const strings: we
can now use them directly as JsonVariant objecs, without any additional
allocation.
Simply as a safety precaution so that json objects we read are not
arbitrary amounts deep, so that code that processes json objects
recursively can't be easily exploited (by hitting stack limits).
Follow-up for oss-fuzz#10908
(Nice is that we can accomodate for this counter without increasing the
size of the JsonVariant object.)
Let's move things around a bit, so that the trailing unused whitespace
within the structure due to padding is placed together, so that it is
easier to use for new fields. (Found with pahole)
