This is really confusing, let's try to clean this up a bit, in
particular as there are two very similar concepts:
1. The boot loaders, i.e. the category you find systemd-boot, the
Windows and Apple boot loaders in. These may typically be listed in the
firmware's EFI variables.
2. The boot loader entries, as defined by the Boot Loader Spec. In this
category you find the various Linux kernels that are installed, i.e.
the stuff systemd-boot shows on screen. To make things confusing, the
Windows and Apple boot loaders can appear both as boot loaders and as
boot loader entries.
This tries to establish the following nomenclature: "boot loaders" and
"boot loader entries" for these two concepts.
boot_loader_read_conf(), boot_entries_find(), boot_entries_load_config()
all log their errors internally, hence no need to log a second or third
time about the same error when they return.
We do these checks only for the high-level calls as for the low-level
ones it might make sense in some exotic uses to read the host EFI data
from a container or so.
We already synchronize all files we write individually, as well as the
directories they are stored in. Let's also synchronize the ESP as a
whole after our work, just in case.
Note that this breaks compatibility with older versions, as the detach
code won't find unit files attached with older releases anymore. But
given that the portable service logic was not deemed stable so far, and
this was explicitly documented and enforced through portablectl's
installation to /usr/lib/systemd/ such a compat breakage should be fine.
Let's separate out the unit files copied from attached portable service
image files from the admin's own files. Let's introduce
/etc/systemd/system.attached/ + /run/systemd/system.attached/ for the
files of portable services, and leave /etc/systemd/system/ and
/run/systemd/system/ for the admin.
/etc/systemd/sleep.conf gains four new switches:
AllowSuspend=, AllowHibernation=, AllowSuspendThenHibernate=, AllowHybridSleep=.
Disabling specific modes was already possible by masking suspend.target,
hibernate.target, suspend-then-hibernate.target, or hybrid-sleep.target.
But this is not convenient for distributions, which want to set some defaults
based on what they want to support. Having those available as configuration
makes it easy to put a config file in /usr/lib/systemd/sleep.conf.d/ that
overrides the defaults and gives instructions how to undo that override.
Comes with tests.
Also add direct test for $SYSTEMD_PROC_CMDLINE.
In test-proc-cmdline, "true" was masquerading as PROC_CMDLINE_STRIP_RD_PREFIX,
fix that. Also, reorder functions to match call order.
For non-`seat0` seats, attaching a graphics card to a seat can
lead to it getting created. This is because the graphics device
is a "master device" which means that device is a seat-defining
device.
`seat0` may get created, even before the graphics driver is loaded,
though. This is because the graphics driver is loaded
asynchronously at startup, and `seat0` is the primary seat of
system, associated with the system VTs.
When a graphics card is attached to a seat the `CanGraphical`
property on that seat will flip to `true`.
For seats that haven't been created yet (non-`seat0` seats), this
leads to `seat_start` getting called which ultimately causes the
seat to get serialized to `/run/systemd/seats`.
For `seat0`, which is already created, `seat_start` will return
immediately, which means the updated `CanGraphical` state will
never get written to `/run/systemd/seats`.
The end result is that clients querying `sd_seat_can_graphical`
won't get the correct answer for `seat0` in cases where the
graphics device takes a long time to load until some other peice
of seat state is updated.
This commit fixes the problem by calling `seat_save` explicitly
for already running seats at the time a graphics device is
attached.
We are not the ones receiving an error here, but the ones generating it,
hence we shouldn't show it with %m, that's just confusing, as it
suggests we received an error from some other call.
Previously, together with kill_dots true, patch like
".", "./.", ".//.//" would all return an empty string.
That is wrong. There must be one "." left to reference
the current directory.
Also, the comment with examples was wrong.
When a link is configured, wait until there is a Router Advertisement before
attempting to start DHCPv6. The intended DHCPv6 mode will be evaluated in
ndisc_router_handler() in networkd-ndisc.c.
Arguably, libsystemd-network is (still) entirely internal API.
However there is the aim of maybe exposing it as public API.
For that reason, it cannot include internal headers from
"src/basic/".
Note how files "src/systemd/sd-*.h" don't include any systemd
headers which don't themself have an "sd-" prefix.
Fixes: d89a400ed6
This removes $RENAME_NOREPLACE_DIR and uses a command-line argument instead.
Logging is added, and tests are skipped if we get -EPERM or friends
(which happens on FAT and other filesystems).
0 can be a valid index returned by the BIOS, so allow that by using the
parsing function safe_atolu() to check for errors without excluding the
valid value "0".
Signed-off-by: Joe Hershberger <joe.hershberger@ni.com>
Request prefix delegation for a new downstream link that is enabled
after any number of upstream DHCPv6 links. Submit the request after
the link has been configured with a link-local address.
If the upstream DHCPv6 client has already been configured to request
prefixes, attempt to re-assign any possible prefixes between the
already existing links and the new one. If no prefixes are yet
acquired, nothing will happen right away and any prefixes will be
distributed after a reply from the DHCPv6 server.
If none of the already existing downstream links have requested
DHCPv6 prefixes to be assigned, enable prefix delegation for each
client and restart them one by one if they are already running. This
causes the DHCPv6 clients to re-acquire addresses and prefixes and
to re-distribute them to all links when receiving an updated
response from their respective DHCPv6 servers. If the DHCPv6 client
in question was not already running, it is set to request prefixes
but not restarted.
When an error occurs while setting or restarting the DHCPv6 client,
log the incident and move over to the next link.
Fixes#9758.
Let's remove redundancy and not advertise "journalctl --new-id128"
anymore, now that we have "systemd-id128 new" in a proper tool.
This allows us to reduce the overly large journalctl command set a bit.
Note that this just removes the --help and man text, the call remains
available for compat reasons.
According to our CODING_STYLE our library code should generally not log
beyond LOG_DEBUG. Let's hence get rid of log_radv_warning_errno() and
just use log_radv_errno() instead.
Apparently FAT on some recent kernels can't do RENAME_NOREPLACE, and of
course cannot do linkat()/unlinkat() either (as the hard link concept
does not exist on FAT). Add a fallback using an explicit beforehand
faccessat() check. This sucks, but what we can do if the safe operations
are not available?
Fixes: #10063
While the config parser correctly handles the case of multiple IPs,
bus_append_cgroup_property was only parsing one IP,
and it would fail with "Failed to parse IP address prefix" when given
a list of IPs.
LGMT complains:
> The size argument of this snprintf call is derived from its return value,
> which may exceed the size of the buffer and overflow.
Let's make sure that r is non-negative. (This shouldn't occur unless the format
string is borked, so let's just add an assert.)
Then, let's reorder the comparison to avoid the potential overflow.
We want to store either the first error or the total number of changes in 'r'.
Instead, we were overwriting this with the return value from
install_info_traverse().
LGTM complained later in the loop that:
> Comparison is always true because r >= 0.
The raison d'etre for this program is printing machine-app-specific IDs. We
provide a library function for that, but not a convenient API. We can hardly
ask people to quickly hack their own C programs or call libsystemd through CFFI
in python or another scripting language if they just want to print an ID.
Verb 'new' was already available as 'journalctl --new-id128', but this makes
it more discoverable.
v2:
- rename binary to systemd-id128
- make --app-specific= into a switch that applies to boot-id and machine-id
The code handling the errors was originally part of ndisc_recv, which,
being an event handler, would be simply turned off if it returned a negative
error code. It's no longer necessary. Plus, it helps avoid passing
an uninitialized value to radv_send.
Closes https://github.com/systemd/systemd/issues/10223.
LGTM was complaining:
> Multiplication result may overflow 'int' before it is converted to 'long'.
Fix this by changing all types to ssize_t and add a check for overflow
while at it.
We would read (-1), and then add 1 to it, call message_peek_body(..., 0, ...),
and when trying to make use of the data.
The fuzzer test case is just for one site, but they all look similar.
v2: fix two UINT8_MAX/UINT32_MAX mismatches founds by LGTM
We copied part of the string into a buffer that was off by two.
If the element signature had length one, we'd copy 0 bytes and crash when
looking at the "first" byte. Otherwise, we would crash because strncpy would
not terminate the string.
This is similar to the grandparent commit 'fix calculation of offsets table',
except that now the change is for array elements. Same story as before: we need
to make sure that the offsets increase enough taking alignment into account.
While at it, rename 'p' to 'previous' to match similar code in other places.
The offsets specify the ends of variable length data. We would trust the
incoming data, putting the offsets specified in our message
into the offsets tables after doing some superficial verification.
But when actually reading the data we apply alignment, so we would take
the previous offset, align it, making it bigger then current offset, and
then we'd try to read data of negative length.
In the attached example, the message specifies the following offsets:
[1, 4]
but the alignment of those items is
[1, 8]
so we'd calculate the second item as starting at 8 and ending at 4.
The alternative would be to treat gvariant and !gvariant messages differently.
But this is a problem because we check signatures is variuos places before we
have an actual message, for example in sd_bus_add_object_vtable(). It seems
better to treat things consistent (i.e. follow the lowest common denominator)
and disallow empty structures everywhere.
We didn't free one of the fields in two of the places.
$ valgrind --show-leak-kinds=all --leak-check=full \
build/fuzz-bus-message \
test/fuzz/fuzz-bus-message/leak-c09c0e2256d43bc5e2d02748c8d8760e7bc25d20
...
==14457== HEAP SUMMARY:
==14457== in use at exit: 3 bytes in 1 blocks
==14457== total heap usage: 509 allocs, 508 frees, 51,016 bytes allocated
==14457==
==14457== 3 bytes in 1 blocks are definitely lost in loss record 1 of 1
==14457== at 0x4C2EBAB: malloc (vg_replace_malloc.c:299)
==14457== by 0x53AFE79: strndup (in /usr/lib64/libc-2.27.so)
==14457== by 0x4F52EB8: free_and_strndup (string-util.c:1039)
==14457== by 0x4F8E1AB: sd_bus_message_peek_type (bus-message.c:4193)
==14457== by 0x4F76CB5: bus_message_dump (bus-dump.c:144)
==14457== by 0x108F12: LLVMFuzzerTestOneInput (fuzz-bus-message.c:24)
==14457== by 0x1090F7: main (fuzz-main.c:34)
==14457==
==14457== LEAK SUMMARY:
==14457== definitely lost: 3 bytes in 1 blocks
v2: fix error in free_and_strndup()
When the orignal and copied message were the same, but shorter than specified
length l, memory read past the end of the buffer would be performed. A test
case is included: a string that had an embedded NUL ("q\0") is used to replace
"q".
v3: Fix one more bug in free_and_strndup and add tests.
v4: Some style fixed based on review, one more use of free_and_replace, and
make the tests more comprehensive.
cross building systemd to arm64 presently fails, because the build
system uses plain gcc and plain ld (build architecture compiler and
linker respectively) for building src/boot/efi. These values come from
the efi-cc and efi-ld options respectively. It rather should be using
host tools here.
Fixes: b710072da4 ("add support for building efi modules")
With this change almost all log messages that are suppressed through
--quiet are not actually suppressed anymore, but simply downgraded to
LOG_DEBUG. Previously we did it this way for some log messages and fully
suppressed them for others. With this it's pretty much systematic.
Inspired by #10122.
Allows configuring the watchdog signal (with a default of SIGABRT).
This allows an alternative to SIGABRT when coredumps are not desirable.
Appropriate references to SIGABRT or aborting were renamed to reflect
more liberal watchdog signals.
Closes#8658
Start with route set to NULL should there be no route created. Remove
the explicit route_free as the _cleanup_ will take care of that after
the continue;.
This is an implementation that covers making errors encountered when writing
file content optionally fatal. If this is something that folks would want I'll
add handling of this for all the other directives. I'd appreciate suggestions
on how this might better be structured as well (use of a goto fail or such) as
I'm not super happy with the approach.
Let's change utf16_to_utf8() prototype to refer to utf16 chars with char16_t rather than void
Let's not cast away a "const" needlessly.
Let's add a few comments.
Let's fix the calculations of the buffer size to allocate, and how long
to run the loop in case of uneven byte numbers
Let's fix an indentation issue.
Let's avoid yoda comparisons.
Let's drop unnecessary ().
Let's make sure we convert 16bit values to 32bit before shifting them by
10bit to the left, to avoid overflows.
Let's avoid comparisons between signed literals and unsigned variables,
in particular if the literals are outside of the minimum range C
requires for "int".
Let's avoid a few casts in the function. Also, let's drop the "const"
when returning the string, for similar reasons as strchr() and friends
drop it: so that we don't add a const if the user passes in a non-const
string.
Yes, there are still a lot of users of bzip2, but it's fallen out of
favour after LZMA/xz, which can compress a lot more and often
decompresses faster than bzip2 too.
We use strtoul() which returns an "unsigned long", but then assign this
to int or unsigned in, i.e. drop 32bit silently on 64bit systems. Let's
clean this up a bit, and retain the right types.
This stuff is likely to fail in many setups (for example when quota is
not supported by the btrfs version), hence only log at debug
level. Previously we'd silently ignore things altogether which makes
things pretty hard to debug.
This changes the output a bit, as the previous multi-line output of each
inhibitor is changed to a single line, but it does unify the output look
with the one of our other tools. Moreover this adds proper sorting.
When we parse an "u" from an sd_bus_message then we need to do that into
a uint32_t, not a pid_t or uid_t, even if this is likely the same.
Also, let's count objects we keep in memory as size_t as usual.
Lennart Poettering