picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
39430 commits 2 branches 0 tags 166 MiB
Commit graph

39430 commits

This branch
This branch
All branches
Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek afa4e4a9db docs: let's not close the milestone early 2019-04-03 16:23:43 +02:00
Lennart Poettering 3b4ce4b08c
Merge pull request #12202 from keszybz/seccomp-arm64 
Fixes for S[GU]ID filter on arm64
 2019-04-03 15:47:18 +02:00
Zbigniew Jędrzejewski-Szmek da4dc9a674 seccomp: rework how the S[UG]ID filter is installed 
If we know that a syscall is undefined on the given architecture, don't
even try to add it.

Try to install the filter even if some syscalls fail. Also use a helper
function to make the whole a bit less magic.

This allows the S[UG]ID test to pass on arm64.
 2019-04-03 13:33:06 +02:00
Zbigniew Jędrzejewski-Szmek dff6c6295b test-seccomp: fix compilation on arm64 
It has no open().
 2019-04-03 13:24:43 +02:00
Zbigniew Jędrzejewski-Szmek 51be9a8c41 kernel-install: add a check that the vmlinuz arg is sane 2019-04-03 11:25:40 +02:00
Zbigniew Jędrzejewski-Szmek f5a44d42af docs: update release steps for meson 2019-04-03 11:25:15 +02:00
Zbigniew Jędrzejewski-Szmek 7eb8a47e42 build-sys: bump package version 2019-04-03 10:00:14 +02:00
Zbigniew Jędrzejewski-Szmek d822bd4e26 Merge pull request #12121 from poettering/contrib 2019-04-03 09:53:51 +02:00
Lennart Poettering 570ee29ce1 docs: fix path to unit files 2019-04-03 13:47:12 +09:00
Davide Cavalca 639dd43a36 core: fix build failure if seccomp is disabled 2019-04-03 13:46:32 +09:00
Lennart Poettering b2b33eb064 Revert "build: install /etc/systemd/{system,user}-generators" 
This reverts commit 509276f2b7.
 2019-04-02 21:09:35 +02:00
Yu Watanabe 33ca308f38
Merge pull request #12188 from poettering/coccinelle-fixlets 
tree-wide: let's run coccinelle again
 2019-04-03 01:46:54 +09:00
Lennart Poettering 2eb466fc10 update NEWS 2019-04-02 17:31:41 +02:00
Lennart Poettering bfe6bb2007 meson: bump so versions 
Since we aren't quite ready for release v242 yet, let's not bump the
package version yet, but let's already bump the soversion.
 2019-04-02 17:31:41 +02:00
Lennart Poettering 5b2fc74fca NEWS: add preliminary contributor list 2019-04-02 17:31:41 +02:00
Lennart Poettering e67ccb54a2 update .mailmap 2019-04-02 17:31:00 +02:00
Lennart Poettering 82c604607f
Merge pull request #12056 from poettering/seccomp-suid-sgid 
Introduce RestrictSUIDSGID= for disabling SUID/SGID file creation
 2019-04-02 17:30:11 +02:00
Lennart Poettering 6d85ba7299 update TODO 2019-04-02 16:56:48 +02:00
Lennart Poettering bf65b7e0c9 core: imply NNP and SUID/SGID restriction for DynamicUser=yes service 
Let's be safe, rather than sorry. This way DynamicUser=yes services can
neither take benefit of, nor create SUID/SGID binaries.

Given that DynamicUser= is a recent addition only we should be able to
get away with turning this on, even though this is strictly speaking a
binary compatibility breakage.
 2019-04-02 16:56:48 +02:00
Lennart Poettering 62aa29247c units: turn on RestrictSUIDSGID= in most of our long-running daemons 2019-04-02 16:56:48 +02:00
Lennart Poettering 7445db6eb7 man: document the new RestrictSUIDSGID= setting 2019-04-02 16:56:48 +02:00
Lennart Poettering 9d880b70ba analyze: check for RestrictSUIDSGID= in "systemd-analyze security" 
And let's give it a heigh weight, since it pretty much can be used for
bad things only.
 2019-04-02 16:56:48 +02:00
Lennart Poettering f69567cbe2 core: expose SUID/SGID restriction as new unit setting RestrictSUIDSGID= 2019-04-02 16:56:48 +02:00
Lennart Poettering 167fc10cb3 test: add test case for restrict_suid_sgid() 2019-04-02 16:56:48 +02:00
Lennart Poettering 3c27973b13 seccomp: introduce seccomp_restrict_suid_sgid() for blocking chmod() for suid/sgid files 2019-04-02 16:56:48 +02:00
Lennart Poettering 9e6e543c17 seccomp: add debug messages to seccomp_protect_hostname() 2019-04-02 16:56:48 +02:00
Lennart Poettering 42561fc99c core: add a generic helper that forwards per-unit method calls from Manager 
Quite often we have a method DoSomethingWithUnit() on the Manager object
that is the same as a function DoSomething() on a Unit object. Let's
shorten things by introducing a common function that forwards the
former to the latter, instead of writing this again and again.
 2019-04-02 16:38:20 +02:00
Zbigniew Jędrzejewski-Szmek 237ebf61e2
Merge pull request #12013 from yuwata/fix-switchroot-11997 
core: on switching root do not emit device state change based on enumeration results
 2019-04-02 16:06:07 +02:00
Lennart Poettering 568ee8fc46 udev: use strempty() where appropriate 2019-04-02 14:54:42 +02:00
Lennart Poettering 02dab76e93 json: use SYNTHETIC_ERRNO() where appropriate 2019-04-02 14:54:42 +02:00
Lennart Poettering bab4820ee2 sd-event: use DIV_ROUND_UP where appropriate 2019-04-02 14:54:42 +02:00
Lennart Poettering 39f2bc6e7e sd-device: use xsprintf() where appropriate 2019-04-02 14:54:42 +02:00
Lennart Poettering c614711386 tree-wide: use SYNTHETIC_ERRNO() where appropriate 2019-04-02 14:54:42 +02:00
Lennart Poettering c1db999eb8 boot: use TAKE_PTR() where appropriate 2019-04-02 14:54:42 +02:00
Lennart Poettering a7798cd81b tree-wide: use reallocarray() where appropriate 2019-04-02 14:54:42 +02:00
Lennart Poettering 0c21dafb54 util-lib: use FLAGS_SET() where appropriate 2019-04-02 14:54:38 +02:00
Lennart Poettering d737b451fe analyze: use empty_or_root() where appropriate 2019-04-02 14:53:25 +02:00
Zbigniew Jędrzejewski-Szmek 84ce204a93
Merge pull request #12185 from poettering/login-unstore-fd 
logind: remove unused fds from fdstore
 2019-04-02 14:27:27 +02:00
Zbigniew Jędrzejewski-Szmek 8a306989b3
Merge pull request #12186 from poettering/lgtm-updates 
lgtm ruleset updates
 2019-04-02 14:19:27 +02:00
Zbigniew Jędrzejewski-Szmek 2356d683f8
Merge pull request #12183 from poettering/askpwargv 
tty-ask-password: let's copy argv[] before forking
 2019-04-02 13:50:14 +02:00
Frantisek Sumsal 1a862e2151 journal: LGTM doesn't recognize suppressions in /* */ 2019-04-02 12:47:14 +02:00
Lennart Poettering f71611fed2 test: stop using dup() needlessly 2019-04-02 12:45:46 +02:00
Lennart Poettering 9b4805421e lgtm: beef up list of dangerous/questionnable API calls not to make 2019-04-02 12:45:46 +02:00
Lennart Poettering efc19ee485 logind: when we cannot attach a passed fd to a device, close it 
Replaces: #8532
 2019-04-02 11:52:58 +02:00
Lennart Poettering 883d1b01b0 logind: simplify removal of device fds 
let's use sd_notifyf(). Let's also stop validating the session ID here.
This is the destructor. if it contains a dash, we are already too late
here anyway.
 2019-04-02 11:51:50 +02:00
Chris Morin 924426a703 journal-remote: use source's boot-id 
systemd-journal-remote always wrote the boot-id of the device it was running on
to the header of its journal files. When the source had a different boot-id
(because it was generated on a different boot, or a different device), the
boot-ids in the file were inconsistent. The _BOOT_ID field was that of the
source, but the journal file header and each entry object header were that of
the device systemd-journal-remote ran on. This breaks journalctl --list-boots
on any of these files.

Set the boot-id in the header to be that of the source. This also fixes the
entry object headers.
 2019-04-02 10:32:21 +02:00
Yu Watanabe 52cf2b13a0 ipv4ll: do not reset seed generation counter on restart 
Fixes #12145.
 2019-04-02 10:27:30 +02:00
Lennart Poettering d9550542a8
Merge pull request #12007 from poettering/clock-change 
.timer OnClockChange= and OnTimezoneChange= settings
 2019-04-02 10:24:35 +02:00
Lennart Poettering 189b03779e tty-ask-password: re-break comment 2019-04-02 10:19:23 +02:00
Lennart Poettering d850296466 tty-ask-password: simplify signal handler installation 2019-04-02 10:19:22 +02:00