As a follow-up for db3f45e2d2 let's do the
same for all other cases where we create a FILE* with local scope and
know that no other threads hence can have access to it.
For most cases this shouldn't change much really, but this should speed
dbus introspection and calender time formatting up a bit.
This moves pretty much all uses of getpid() over to getpid_raw(). I
didn't specifically check whether the optimization is worth it for each
replacement, but in order to keep things simple and systematic I
switched over everything at once.
During early boot, we'd call getrandom(), and immediately fall back to
reading from /dev/urandom unless we got the full requested number of bytes.
Those two sources are the same, so the most likely result is /dev/urandom
producing some pseudorandom numbers for us, complaining widely on the way.
Let's change our behaviour to be more conservative:
- if the numbers are only used to initialize a hash table, a short read is OK,
we don't really care if we get the first part of the seed truly random and
then some pseudorandom bytes. So just do that and return "success".
- if getrandom() returns -EAGAIN, fall back to rand() instead of querying
/dev/urandom again.
The idea with those two changes is to avoid generating a warning about
reading from an /dev/urandom when the kernel doesn't have enough entropy.
- only in the cases where we really need to make the best effort possible
(sd_id128_randomize and firstboot password hashing), fall back to
/dev/urandom.
When calling getrandom(), drop the checks whether the argument fits in an int —
getrandom() should do that for us already, and we call it with small arguments
only anyway.
Note that this does not really change the (relatively high) number of random
bytes we request from the kernel. On my laptop, during boot, PID 1 and all
other processes using this code through libsystemd request:
74780 bytes with high_quality_required == false
464 bytes with high_quality_required == true
and it does not eliminate reads from /dev/urandom completely. If the kernel was
short on entropy and getrandom() would fail, we would fall back to /dev/urandom
for those 464 bytes.
When falling back to /dev/urandom, don't lose the short read we already got,
and just read the remaining bytes.
If getrandom() syscall is not available, we fall back to /dev/urandom same
as before.
Fixes#4167 (possibly partially, let's see).
Newer D-Bus versions implement the GetConnectionCredentials() driver
call to get all connection creds in one go. Make use of that to reduce
the number of bus calls we do.
When only a single credential field is queried we will still use the old
calls, which we'll also use if the new call isn't implemented.
The bus driver service is always implemented by the owner of the bus,
hence let's shortcut the credential operation and use our cached data.
This makes sure things simply work, given that dbus itself doesn't
support GetConnectionSELinuxSecurityContext() on the bus driver name
itself.
Fixes: #6120
Previously we'd propagate errors returned by user callbacks configured
in vtables back to the users only for method handlers and property
get/set handlers. This does the same for child enumeration and when we
check whether a fallback unit exists.
Without this the failure will be treated as a non-recoverable connection
error and result in connection termination.
Fixes: #6059
This prevents udev from reading the data after freeing it.
See https://github.com/systemd/systemd/issues/6040#issuecomment-306589836
==264== Invalid read of size 1
==264== at 0x4C2E112: strlen (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==264== by 0x5943EBD: strdup (in /usr/lib/libc-2.25.so)
==264== by 0x13E263: device_add_property_aux (sd-device.c:122)
==264== by 0x14788C: device_add_property_internal (sd-device.c:150)
==264== by 0x14788C: device_rename (device-private.c:786)
==264== by 0x120DB6: udev_device_rename (libudev-device-private.c:213)
==264== by 0x120DB6: udev_event_execute_rules (udev-event.c:895)
==264== by 0x120DB6: worker_spawn (udevd.c:456)
==264== by 0x1216E5: event_run (udevd.c:584)
==264== by 0x1216E5: event_queue_start (udevd.c:823)
==264== by 0x122213: on_uevent (udevd.c:927)
==264== by 0x141F2F: source_dispatch (sd-event.c:2272)
==264== by 0x142D52: sd_event_dispatch (sd-event.c:2631)
==264== by 0x142D52: sd_event_run (sd-event.c:2690)
==264== by 0x142D52: sd_event_loop (sd-event.c:2710)
==264== by 0x1159CB: run (udevd.c:1643)
==264== by 0x1159CB: main (udevd.c:1772)
==264== Address 0x7b251a0 is 0 bytes inside a block of size 5 free'd
==264== at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==264== by 0x13E2A2: freep (alloc-util.h:57)
==264== by 0x13E2A2: device_add_property_aux (sd-device.c:111)
==264== by 0x147873: device_add_property_internal (sd-device.c:150)
==264== by 0x147873: device_rename (device-private.c:781)
==264== by 0x120DB6: udev_device_rename (libudev-device-private.c:213)
==264== by 0x120DB6: udev_event_execute_rules (udev-event.c:895)
==264== by 0x120DB6: worker_spawn (udevd.c:456)
==264== by 0x1216E5: event_run (udevd.c:584)
==264== by 0x1216E5: event_queue_start (udevd.c:823)
==264== by 0x122213: on_uevent (udevd.c:927)
==264== by 0x141F2F: source_dispatch (sd-event.c:2272)
==264== by 0x142D52: sd_event_dispatch (sd-event.c:2631)
==264== by 0x142D52: sd_event_run (sd-event.c:2690)
==264== by 0x142D52: sd_event_loop (sd-event.c:2710)
==264== by 0x1159CB: run (udevd.c:1643)
==264== by 0x1159CB: main (udevd.c:1772)
==264== Block was alloc'd at
==264== at 0x4C2AF1F: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==264== by 0x5943EC9: strdup (in /usr/lib/libc-2.25.so)
==264== by 0x13E263: device_add_property_aux (sd-device.c:122)
==264== by 0x143B45: device_add_property_internal (sd-device.c:150)
==264== by 0x143B45: device_amend.lto_priv.235 (device-private.c:454)
==264== by 0x1387B7: device_append (device-private.c:516)
==264== by 0x1387B7: device_new_from_nulstr (device-private.c:620)
==264== by 0x1387B7: udev_device_new_from_nulstr (libudev-device-private.c:268)
==264== by 0x1387B7: udev_monitor_receive_device (libudev-monitor.c:682)
==264== by 0x11FC69: worker_spawn (udevd.c:509)
==264== by 0x1216E5: event_run (udevd.c:584)
==264== by 0x1216E5: event_queue_start (udevd.c:823)
==264== by 0x122213: on_uevent (udevd.c:927)
==264== by 0x141F2F: source_dispatch (sd-event.c:2272)
==264== by 0x142D52: sd_event_dispatch (sd-event.c:2631)
==264== by 0x142D52: sd_event_run (sd-event.c:2690)
==264== by 0x142D52: sd_event_loop (sd-event.c:2710)
==264== by 0x1159CB: run (udevd.c:1643)
==264== by 0x1159CB: main (udevd.c:1772)
==264==
This prevents udev from double-freeing and crashing.
See https://github.com/systemd/systemd/issues/6040#issuecomment-306589836
==351== Invalid free() / delete / delete[] / realloc()
==351== at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==351== by 0x13CBE8: hashmap_clear_free_free (hashmap.c:900)
==351== by 0x13CBE8: hashmap_free_free_free (hashmap.c:852)
==351== by 0x147F4F: sd_device_unref (sd-device.c:88)
==351== by 0x130CCC: udev_device_unref (libudev-device.c:552)
==351== by 0x130CD5: udev_device_unref (libudev-device.c:553)
==351== by 0x11FBBB: worker_spawn (udevd.c:488)
==351== by 0x1216E5: event_run (udevd.c:584)
==351== by 0x1216E5: event_queue_start (udevd.c:823)
==351== by 0x122213: on_uevent (udevd.c:927)
==351== by 0x141F2F: source_dispatch (sd-event.c:2272)
==351== by 0x142D52: sd_event_dispatch (sd-event.c:2631)
==351== by 0x142D52: sd_event_run (sd-event.c:2690)
==351== by 0x142D52: sd_event_loop (sd-event.c:2710)
==351== by 0x1159CB: run (udevd.c:1643)
==351== by 0x1159CB: main (udevd.c:1772)
==351== Address 0x81745b0 is 0 bytes inside a block of size 1 free'd
==351== at 0x4C2C14B: free (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==351== by 0x1447F0: freep (alloc-util.h:57)
==351== by 0x1447F0: sd_device_set_sysattr_value (sd-device.c:1859)
==351== by 0x132081: udev_device_set_sysattr_value (libudev-device.c:849)
==351== by 0x12E777: set_trackpoint_sensitivity (udev-builtin-keyboard.c:180)
==351== by 0x12E777: builtin_keyboard.lto_priv.170 (udev-builtin-keyboard.c:263)
==351== by 0x14D03F: udev_builtin_run.constprop.75 (udev-builtin.c:133)
==351== by 0x11FAEB: udev_event_execute_run (udev-event.c:957)
==351== by 0x11FAEB: worker_spawn (udevd.c:461)
==351== by 0x1216E5: event_run (udevd.c:584)
==351== by 0x1216E5: event_queue_start (udevd.c:823)
==351== by 0x122213: on_uevent (udevd.c:927)
==351== by 0x141F2F: source_dispatch (sd-event.c:2272)
==351== by 0x142D52: sd_event_dispatch (sd-event.c:2631)
==351== by 0x142D52: sd_event_run (sd-event.c:2690)
==351== by 0x142D52: sd_event_loop (sd-event.c:2710)
==351== by 0x1159CB: run (udevd.c:1643)
==351== by 0x1159CB: main (udevd.c:1772)
==351== Block was alloc'd at
==351== at 0x4C2CF35: calloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so)
==351== by 0x144853: sd_device_set_sysattr_value (sd-device.c:1888)
==351== by 0x132081: udev_device_set_sysattr_value (libudev-device.c:849)
==351== by 0x12E777: set_trackpoint_sensitivity (udev-builtin-keyboard.c:180)
==351== by 0x12E777: builtin_keyboard.lto_priv.170 (udev-builtin-keyboard.c:263)
==351== by 0x14D03F: udev_builtin_run.constprop.75 (udev-builtin.c:133)
==351== by 0x11FAEB: udev_event_execute_run (udev-event.c:957)
==351== by 0x11FAEB: worker_spawn (udevd.c:461)
==351== by 0x1216E5: event_run (udevd.c:584)
==351== by 0x1216E5: event_queue_start (udevd.c:823)
==351== by 0x122213: on_uevent (udevd.c:927)
==351== by 0x141F2F: source_dispatch (sd-event.c:2272)
==351== by 0x142D52: sd_event_dispatch (sd-event.c:2631)
==351== by 0x142D52: sd_event_run (sd-event.c:2690)
==351== by 0x142D52: sd_event_loop (sd-event.c:2710)
==351== by 0x1159CB: run (udevd.c:1643)
==351== by 0x1159CB: main (udevd.c:1772)
This adds /sys/firmware lookup for sysname when creating a new device,
which allows device-tree properties lookup. This look-up can then be
used in udev rules, allowing device-tree-based model detection.
The code is mostly correct, but gcc is trying to outsmart us, and emits a
warning for a "llu vs lu" mismatch, even though they are the same size (on alpha):
src/libsystemd/sd-bus/bus-control.c: In function ‘kernel_get_list’:
src/libsystemd/sd-bus/bus-control.c:267:42: error: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘__u64 {aka long unsigned int}’ [-Werror=format=]
if (asprintf(&n, ":1.%llu", name->id) < 0) {
^
src/libsystemd/sd-bus/bus-control.c: In function ‘bus_get_name_creds_kdbus’:
src/libsystemd/sd-bus/bus-control.c:714:47: error: format ‘%llu’ expects argument of type ‘long long unsigned int’, but argument 3 has type ‘__u64 {aka long unsigned int}’ [-Werror=format=]
if (asprintf(&c->unique_name, ":1.%llu", conn_info->id) < 0) {
^
This is hard to work around properly, because kdbus.h uses __u64 which is
defined-differently-despite-being-the-same-size then uint64_t. Thus the simple
solution of using %PRIu64 fails on amd64:
src/libsystemd/sd-bus/bus-control.c:714:47: error: format ‘%lu’ expects argument of type ‘long unsigned int’, but argument 3 has type ‘__u64 {aka long long unsigned int}’ [-Werror=format=]
if (asprintf(&c->unique_name, ":1.%"PRIu64, conn_info->id) < 0) {
^~~~~~
Let's just avoid the whole issue for now by silencing the warning.
After the next release, we should just get rid of the kdbus code.
Fixes#5561.
Other functions in sd-login generally allow the output parameter to be NULL, in
which case only the number of items that would be stored in the array is returned.
Be nice and do the same here.
C.f. 0543105b0f.
This makes if /run/systemd/{seats,sessions,users} are missing, then
sd_get_seats(), sd_get_sessions() and sd_get_uids() return 0, that is,
an empty list, instead of -ENOENT.
The -ENOMEDIUM return value was introduced in v232-1001-g2977724b09,
('core: make hybrid cgroup unified mode keep compat /sys/fs/cgroup/systemd hierarchy'),
and would be returned by cg_pid_get_path_shifted(), but the documented and
expected return value is -ENODATA. Let's just catch ENXIO/ENOMEDIUM and translate
it to ENODATA in all cases.
Complements 171f8f591f, fixes#6012.
All those uses were correct, but I think it's better to be explicit.
Using implicit errno is too error prone, and with this change we can require
(in the sense of a style guideline) that the code is always specified.
Helpful query: git grep -n -P 'log_[^s][a-z]+\(.*%m'
test-login.c is largely rewritten to use _cleanup_ and give more meaningful
messages (function names are used instead of creative terms like "active
session", so that when something unexpected is returned, it's much easier to
see what function is responsible).
The monitoring part is only activated if '-m' is passed on the command line.
It runs against the information from /run/systemd/ in the live system, but that
should be OK: logind/sd-login interface is supposed to be stable and both
backwards and forwards compatible.
If not running in a login session, some tests are skipped.
Those two changes together mean that it's possible to run test-login in the
test suite.
Tests for sd_pid_get_{unit,user_unit,slice} are added.
sd_seat_get_sessions returns two arrays, that in principle should always match:
the session names and corresponding uids. The second array could be shorter only
if parsing or uid conversion fails. But in that case there is no way to tell
*which* uid is wrong, so they are *all* useless. It's better to simplify things and
just return an error if parsing fails.
As described by Luke Shumaker:
sd_seat_get_sessions looks at /run/systemd/seats/${seat_name}:SESSIONS to get
the list of sessions (which I believe is correct), and at
/run/systemd/seats/${seat_name}:ACTIVE_SESSIONS for the list of users (which
I believe is incorrect); I believe that it should look at the UIDS field for
the list of users. As far as I can tell, the ACTIVE_SESSIONS field is never
even present in the seats file. I also believe that this has been broken
since the function was first committed almost 6 years ago.
Fixes#5743.
Without cc9daff228, this results in:
src/libsystemd/sd-bus/test-bus-vtable-cc.cc:56:1: sorry, unimplemented: non-trivial designated initializers not supported
};
^
This test is mostly a compilation test that checks that various defines in
sd-bus-vtable.h are valid C++. The code is executed, but the results are not
checked (apart from sd-bus functions not returning an error). test-bus-objects
contains pretty extensive tests for this functionality.
The C++ version is only added to meson, since it's simpler there.
Because of the .cc extension, meson will compile the executable with c++.
This test is necessary to properly check the macros in sd-bus-vtable.h. Just
running the headers through g++ is not enough, because the macros are not
exercised.
Follow-up for #5941.
This reverts commit 6355e75610.
The previously mentioned commit inadvertently broke a lot of SELinux related
functionality for both unprivileged users and systemd instances running as
MANAGER_USER. In particular, setting the correct SELinux context after a User=
directive is used would fail to work since we attempt to set the security
context after changing UID. Additionally, it causes activated socket units to
be mislabeled for systemd --user processes since setsockcreatecon() would never
be called.
Reverting this fixes the issues with labeling outlined above, and reinstates
SELinux access checks on unprivileged user services.
We already report builtin interfaces with InterfacesAdded and InterfacesRemoved. However,
we never reported them in GetManagedObjects(). This might end up confusing callers that
want to use those interfaces (or simply rely on the interface count to be coherent).
Report the builtins for all objects that are queried.
The indentation for emacs'es meson-mode is added .dir-locals.
All files are reindented automatically, using the lasest meson-mode from git.
Indentation should now be fairly consistent.
