picnoir/Systemd
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
Systemd/src/libsystemd/libsystemd.sym
Lennart Poettering 1b630835df sd-bus: add API for connecting to a specific user's user bus of a specific container 
This is unfortunately harder to implement than it sounds. The user's bus
is bound a to the user's lifecycle after all (i.e. only exists as long
as the user has at least one PAM session), and the path dynamically (at
least theoretically, in practice it's going to be the same always)
generated via $XDG_RUNTIME_DIR in /run/.

To fix this properly, we'll thus go through PAM before connecting to a
user bus. Which is hard since we cannot just link against libpam in the
container, since the container might have been compiled entirely
differently. So our way out is to use systemd-run from outside, which
invokes a transient unit that does PAM from outside, doing so via D-Bus.
Inside the transient unit we then invoke systemd-stdio-bridge which
forwards D-Bus from the user bus to us. The systemd-stdio-bridge makes
up the PAM session and thus we can sure tht the bus exists at least as
long as the bus connection is kept.

Or so say this differently: if you use "systemctl -M lennart@foobar"
now, the bus connection works like this:

        1. sd-bus on the host forks off:

                systemd-run -M foobar -PGq --wait -pUser=lennart -pPAMName=login systemd-stdio-bridge

        2. systemd-run gets a connection to the "foobar" container's
           system bus, and invokes the "systemd-stdio-bridge" binary as
           transient service inside a PAM session for the user "lennart"

        3. The systemd-stdio-bridge then proxies our D-Bus traffic to
           the user bus.

sd-bus (on host) → systemd-run (on host) → systemd-stdio-bridge (in container)

Complicated? Well, to some point yes, but otoh it's actually nice in
various other ways, primarily as it makes the -H and -M codepaths more
alike. In the -H case (i.e. connect to remote host via SSH) a very
similar three steps are used. The only difference is that instead of
"systemd-run" the "ssh" binary is used to invoke the stdio bridge in a
PAM session of some other system. Thus we get similar implementation and
isolation for similar operations.

Fixes: #14580
2020-12-15 18:00:15 +01:00

748 lines
21 KiB
Plaintext
Raw Blame History

/***
SPDX-License-Identifier: LGPL-2.1-or-later
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
***/
LIBSYSTEMD_209 {
global:
/* sd-journal */
sd_journal_print;
sd_journal_printv;
sd_journal_send;
sd_journal_sendv;
sd_journal_stream_fd;
sd_journal_open;
sd_journal_close;
sd_journal_previous;
sd_journal_next;
sd_journal_previous_skip;
sd_journal_next_skip;
sd_journal_get_realtime_usec;
sd_journal_get_monotonic_usec;
sd_journal_get_data;
sd_journal_enumerate_data;
sd_journal_restart_data;
sd_journal_add_match;
sd_journal_flush_matches;
sd_journal_seek_head;
sd_journal_seek_tail;
sd_journal_seek_monotonic_usec;
sd_journal_seek_realtime_usec;
sd_journal_seek_cursor;
sd_journal_get_cursor;
sd_journal_get_fd;
sd_journal_process;
sd_journal_print_with_location;
sd_journal_printv_with_location;
sd_journal_send_with_location;
sd_journal_sendv_with_location;
sd_journal_get_cutoff_realtime_usec;
sd_journal_get_cutoff_monotonic_usec;
sd_journal_wait;
sd_journal_open_directory;
sd_journal_add_disjunction;
sd_journal_perror;
sd_journal_perror_with_location;
sd_journal_get_usage;
sd_journal_test_cursor;
sd_journal_query_unique;
sd_journal_enumerate_unique;
sd_journal_restart_unique;
sd_journal_get_catalog;
sd_journal_get_catalog_for_message_id;
sd_journal_set_data_threshold;
sd_journal_get_data_threshold;
sd_journal_reliable_fd;
sd_journal_get_events;
sd_journal_get_timeout;
sd_journal_add_conjunction;
sd_journal_open_files;
sd_journal_open_container;
/* sd-daemon */
sd_booted;
sd_is_fifo;
sd_is_mq;
sd_is_socket;
sd_is_socket_inet;
sd_is_socket_unix;
sd_is_special;
sd_listen_fds;
sd_notify;
sd_notifyf;
sd_watchdog_enabled;
/* sd-id128 */
sd_id128_to_string;
sd_id128_from_string;
sd_id128_randomize;
sd_id128_get_machine;
sd_id128_get_boot;
/* sd-login */
sd_get_seats;
sd_get_sessions;
sd_get_uids;
sd_login_monitor_flush;
sd_login_monitor_get_fd;
sd_login_monitor_new;
sd_login_monitor_unref;
sd_pid_get_owner_uid;
sd_pid_get_session;
sd_seat_can_multi_session;
sd_seat_get_active;
sd_seat_get_sessions;
sd_session_get_seat;
sd_session_get_uid;
sd_session_is_active;
sd_uid_get_seats;
sd_uid_get_sessions;
sd_uid_get_state;
sd_uid_is_on_seat;
sd_pid_get_unit;
sd_session_get_service;
sd_session_get_type;
sd_session_get_class;
sd_session_get_display;
sd_session_get_state;
sd_seat_can_tty;
sd_seat_can_graphical;
sd_session_get_tty;
sd_login_monitor_get_events;
sd_login_monitor_get_timeout;
sd_pid_get_user_unit;
sd_pid_get_machine_name;
sd_get_machine_names;
sd_pid_get_slice;
sd_session_get_vt;
sd_session_is_remote;
sd_session_get_remote_user;
sd_session_get_remote_host;
local:
*;
};
LIBSYSTEMD_211 {
global:
sd_machine_get_class;
sd_peer_get_session;
sd_peer_get_owner_uid;
sd_peer_get_unit;
sd_peer_get_user_unit;
sd_peer_get_machine_name;
sd_peer_get_slice;
} LIBSYSTEMD_209;
LIBSYSTEMD_213 {
global:
sd_uid_get_display;
} LIBSYSTEMD_211;
LIBSYSTEMD_214 {
global:
sd_pid_notify;
sd_pid_notifyf;
} LIBSYSTEMD_213;
LIBSYSTEMD_216 {
global:
sd_machine_get_ifindices;
} LIBSYSTEMD_214;
LIBSYSTEMD_217 {
global:
sd_session_get_desktop;
} LIBSYSTEMD_216;
LIBSYSTEMD_219 {
global:
sd_pid_notify_with_fds;
} LIBSYSTEMD_217;
LIBSYSTEMD_220 {
global:
sd_pid_get_user_slice;
sd_peer_get_user_slice;
} LIBSYSTEMD_219;
LIBSYSTEMD_221 {
global:
/* sd-bus */
sd_bus_default;
sd_bus_default_user;
sd_bus_default_system;
sd_bus_open;
sd_bus_open_user;
sd_bus_open_system;
sd_bus_open_system_remote;
sd_bus_open_system_machine;
sd_bus_new;
sd_bus_set_address;
sd_bus_set_fd;
sd_bus_set_exec;
sd_bus_get_address;
sd_bus_set_bus_client;
sd_bus_is_bus_client;
sd_bus_set_server;
sd_bus_is_server;
sd_bus_set_anonymous;
sd_bus_is_anonymous;
sd_bus_set_trusted;
sd_bus_is_trusted;
sd_bus_set_monitor;
sd_bus_is_monitor;
sd_bus_set_description;
sd_bus_get_description;
sd_bus_negotiate_creds;
sd_bus_negotiate_timestamp;
sd_bus_negotiate_fds;
sd_bus_can_send;
sd_bus_get_creds_mask;
sd_bus_set_allow_interactive_authorization;
sd_bus_get_allow_interactive_authorization;
sd_bus_start;
sd_bus_close;
sd_bus_try_close;
sd_bus_ref;
sd_bus_unref;
sd_bus_is_open;
sd_bus_get_bus_id;
sd_bus_get_scope;
sd_bus_get_tid;
sd_bus_get_owner_creds;
sd_bus_send;
sd_bus_send_to;
sd_bus_call;
sd_bus_call_async;
sd_bus_get_fd;
sd_bus_get_events;
sd_bus_get_timeout;
sd_bus_process;
sd_bus_process_priority;
sd_bus_wait;
sd_bus_flush;
sd_bus_get_current_slot;
sd_bus_get_current_message;
sd_bus_get_current_handler;
sd_bus_get_current_userdata;
sd_bus_attach_event;
sd_bus_detach_event;
sd_bus_get_event;
sd_bus_add_filter;
sd_bus_add_match;
sd_bus_add_object;
sd_bus_add_fallback;
sd_bus_add_object_vtable;
sd_bus_add_fallback_vtable;
sd_bus_add_node_enumerator;
sd_bus_add_object_manager;
sd_bus_slot_ref;
sd_bus_slot_unref;
sd_bus_slot_get_bus;
sd_bus_slot_get_userdata;
sd_bus_slot_set_userdata;
sd_bus_slot_get_description;
sd_bus_slot_set_description;
sd_bus_slot_get_current_message;
sd_bus_slot_get_current_handler;
sd_bus_slot_get_current_userdata;
sd_bus_message_new_signal;
sd_bus_message_new_method_call;
sd_bus_message_new_method_return;
sd_bus_message_new_method_error;
sd_bus_message_new_method_errorf;
sd_bus_message_new_method_errno;
sd_bus_message_new_method_errnof;
sd_bus_message_ref;
sd_bus_message_unref;
sd_bus_message_get_type;
sd_bus_message_get_cookie;
sd_bus_message_get_reply_cookie;
sd_bus_message_get_priority;
sd_bus_message_get_expect_reply;
sd_bus_message_get_auto_start;
sd_bus_message_get_allow_interactive_authorization;
sd_bus_message_get_signature;
sd_bus_message_get_path;
sd_bus_message_get_interface;
sd_bus_message_get_member;
sd_bus_message_get_destination;
sd_bus_message_get_sender;
sd_bus_message_get_error;
sd_bus_message_get_errno;
sd_bus_message_get_monotonic_usec;
sd_bus_message_get_realtime_usec;
sd_bus_message_get_seqnum;
sd_bus_message_get_bus;
sd_bus_message_get_creds;
sd_bus_message_is_signal;
sd_bus_message_is_method_call;
sd_bus_message_is_method_error;
sd_bus_message_is_empty;
sd_bus_message_has_signature;
sd_bus_message_set_expect_reply;
sd_bus_message_set_auto_start;
sd_bus_message_set_allow_interactive_authorization;
sd_bus_message_set_destination;
sd_bus_message_set_priority;
sd_bus_message_append;
sd_bus_message_append_basic;
sd_bus_message_append_array;
sd_bus_message_append_array_space;
sd_bus_message_append_array_iovec;
sd_bus_message_append_array_memfd;
sd_bus_message_append_string_space;
sd_bus_message_append_string_iovec;
sd_bus_message_append_string_memfd;
sd_bus_message_append_strv;
sd_bus_message_open_container;
sd_bus_message_close_container;
sd_bus_message_copy;
sd_bus_message_read;
sd_bus_message_read_basic;
sd_bus_message_read_array;
sd_bus_message_read_strv;
sd_bus_message_skip;
sd_bus_message_enter_container;
sd_bus_message_exit_container;
sd_bus_message_peek_type;
sd_bus_message_verify_type;
sd_bus_message_at_end;
sd_bus_message_rewind;
sd_bus_get_unique_name;
sd_bus_request_name;
sd_bus_release_name;
sd_bus_list_names;
sd_bus_get_name_creds;
sd_bus_get_name_machine_id;
sd_bus_call_method;
sd_bus_call_method_async;
sd_bus_get_property;
sd_bus_get_property_trivial;
sd_bus_get_property_string;
sd_bus_get_property_strv;
sd_bus_set_property;
sd_bus_reply_method_return;
sd_bus_reply_method_error;
sd_bus_reply_method_errorf;
sd_bus_reply_method_errno;
sd_bus_reply_method_errnof;
sd_bus_emit_signal;
sd_bus_emit_properties_changed_strv;
sd_bus_emit_properties_changed;
sd_bus_emit_interfaces_added_strv;
sd_bus_emit_interfaces_added;
sd_bus_emit_interfaces_removed_strv;
sd_bus_emit_interfaces_removed;
sd_bus_query_sender_creds;
sd_bus_query_sender_privilege;
sd_bus_creds_new_from_pid;
sd_bus_creds_ref;
sd_bus_creds_unref;
sd_bus_creds_get_mask;
sd_bus_creds_get_augmented_mask;
sd_bus_creds_get_pid;
sd_bus_creds_get_ppid;
sd_bus_creds_get_tid;
sd_bus_creds_get_uid;
sd_bus_creds_get_euid;
sd_bus_creds_get_suid;
sd_bus_creds_get_fsuid;
sd_bus_creds_get_gid;
sd_bus_creds_get_egid;
sd_bus_creds_get_sgid;
sd_bus_creds_get_fsgid;
sd_bus_creds_get_supplementary_gids;
sd_bus_creds_get_comm;
sd_bus_creds_get_tid_comm;
sd_bus_creds_get_exe;
sd_bus_creds_get_cmdline;
sd_bus_creds_get_cgroup;
sd_bus_creds_get_unit;
sd_bus_creds_get_slice;
sd_bus_creds_get_user_unit;
sd_bus_creds_get_user_slice;
sd_bus_creds_get_session;
sd_bus_creds_get_owner_uid;
sd_bus_creds_has_effective_cap;
sd_bus_creds_has_permitted_cap;
sd_bus_creds_has_inheritable_cap;
sd_bus_creds_has_bounding_cap;
sd_bus_creds_get_selinux_context;
sd_bus_creds_get_audit_session_id;
sd_bus_creds_get_audit_login_uid;
sd_bus_creds_get_tty;
sd_bus_creds_get_unique_name;
sd_bus_creds_get_well_known_names;
sd_bus_creds_get_description;
sd_bus_error_free;
sd_bus_error_set;
sd_bus_error_setf;
sd_bus_error_set_const;
sd_bus_error_set_errno;
sd_bus_error_set_errnof;
sd_bus_error_set_errnofv;
sd_bus_error_get_errno;
sd_bus_error_copy;
sd_bus_error_is_set;
sd_bus_error_has_name;
sd_bus_error_add_map;
sd_bus_path_encode;
sd_bus_path_decode;
sd_bus_track_new;
sd_bus_track_ref;
sd_bus_track_unref;
sd_bus_track_get_bus;
sd_bus_track_get_userdata;
sd_bus_track_set_userdata;
sd_bus_track_add_sender;
sd_bus_track_remove_sender;
sd_bus_track_add_name;
sd_bus_track_remove_name;
sd_bus_track_count;
sd_bus_track_contains;
sd_bus_track_first;
sd_bus_track_next;
/* sd-event */
sd_event_default;
sd_event_new;
sd_event_ref;
sd_event_unref;
sd_event_add_io;
sd_event_add_time;
sd_event_add_signal;
sd_event_add_child;
sd_event_add_defer;
sd_event_add_post;
sd_event_add_exit;
sd_event_prepare;
sd_event_wait;
sd_event_dispatch;
sd_event_run;
sd_event_loop;
sd_event_exit;
sd_event_now;
sd_event_get_fd;
sd_event_get_state;
sd_event_get_tid;
sd_event_get_exit_code;
sd_event_set_watchdog;
sd_event_get_watchdog;
sd_event_source_ref;
sd_event_source_unref;
sd_event_source_get_event;
sd_event_source_get_userdata;
sd_event_source_set_userdata;
sd_event_source_set_description;
sd_event_source_get_description;
sd_event_source_set_prepare;
sd_event_source_get_pending;
sd_event_source_get_priority;
sd_event_source_set_priority;
sd_event_source_get_enabled;
sd_event_source_set_enabled;
sd_event_source_get_io_fd;
sd_event_source_set_io_fd;
sd_event_source_get_io_events;
sd_event_source_set_io_events;
sd_event_source_get_io_revents;
sd_event_source_get_time;
sd_event_source_set_time;
sd_event_source_set_time_accuracy;
sd_event_source_get_time_accuracy;
sd_event_source_get_time_clock;
sd_event_source_get_signal;
sd_event_source_get_child_pid;
} LIBSYSTEMD_220;
LIBSYSTEMD_222 {
global:
/* sd-bus */
sd_bus_emit_object_added;
sd_bus_emit_object_removed;
sd_bus_flush_close_unref;
} LIBSYSTEMD_221;
LIBSYSTEMD_226 {
global:
sd_pid_get_cgroup;
sd_peer_get_cgroup;
} LIBSYSTEMD_222;
LIBSYSTEMD_227 {
global:
sd_bus_default_flush_close;
sd_bus_path_decode_many;
sd_bus_path_encode_many;
sd_listen_fds_with_names;
} LIBSYSTEMD_226;
LIBSYSTEMD_229 {
global:
sd_journal_has_runtime_files;
sd_journal_has_persistent_files;
sd_journal_enumerate_fields;
sd_journal_restart_fields;
} LIBSYSTEMD_227;
LIBSYSTEMD_230 {
global:
sd_journal_open_directory_fd;
sd_journal_open_files_fd;
} LIBSYSTEMD_229;
LIBSYSTEMD_231 {
global:
sd_event_get_iteration;
} LIBSYSTEMD_230;
LIBSYSTEMD_232 {
global:
sd_bus_track_set_recursive;
sd_bus_track_get_recursive;
sd_bus_track_count_name;
sd_bus_track_count_sender;
sd_bus_set_exit_on_disconnect;
sd_bus_get_exit_on_disconnect;
sd_id128_get_invocation;
} LIBSYSTEMD_231;
LIBSYSTEMD_233 {
global:
sd_id128_get_machine_app_specific;
sd_is_socket_sockaddr;
} LIBSYSTEMD_232;
LIBSYSTEMD_234 {
global:
sd_bus_message_appendv;
} LIBSYSTEMD_233;
LIBSYSTEMD_236 {
global:
sd_bus_message_new;
sd_bus_message_seal;
} LIBSYSTEMD_234;
LIBSYSTEMD_237 {
global:
sd_bus_set_watch_bind;
sd_bus_get_watch_bind;
sd_bus_request_name_async;
sd_bus_release_name_async;
sd_bus_add_match_async;
sd_bus_match_signal;
sd_bus_match_signal_async;
sd_bus_is_ready;
sd_bus_set_connected_signal;
sd_bus_get_connected_signal;
sd_bus_set_sender;
sd_bus_get_sender;
sd_bus_message_set_sender;
sd_event_source_get_io_fd_own;
sd_event_source_set_io_fd_own;
} LIBSYSTEMD_236;
LIBSYSTEMD_238 {
global:
sd_bus_get_n_queued_read;
sd_bus_get_n_queued_write;
} LIBSYSTEMD_237;
LIBSYSTEMD_239 {
global:
sd_bus_open_with_description;
sd_bus_open_user_with_description;
sd_bus_open_system_with_description;
sd_bus_slot_get_floating;
sd_bus_slot_set_floating;
sd_bus_slot_get_destroy_callback;
sd_bus_slot_set_destroy_callback;
sd_bus_track_get_destroy_callback;
sd_bus_track_set_destroy_callback;
sd_event_add_inotify;
sd_event_source_get_inotify_mask;
sd_event_source_set_destroy_callback;
sd_event_source_get_destroy_callback;
} LIBSYSTEMD_238;
LIBSYSTEMD_240 {
global:
sd_bus_message_readv;
sd_bus_set_method_call_timeout;
sd_bus_get_method_call_timeout;
sd_bus_error_move;
sd_bus_set_close_on_exit;
sd_bus_get_close_on_exit;
sd_device_ref;
sd_device_unref;
sd_device_new_from_syspath;
sd_device_new_from_devnum;
sd_device_new_from_subsystem_sysname;
sd_device_new_from_device_id;
sd_device_get_parent;
sd_device_get_parent_with_subsystem_devtype;
sd_device_get_syspath;
sd_device_get_subsystem;
sd_device_get_devtype;
sd_device_get_devnum;
sd_device_get_ifindex;
sd_device_get_driver;
sd_device_get_devpath;
sd_device_get_devname;
sd_device_get_sysname;
sd_device_get_sysnum;
sd_device_get_is_initialized;
sd_device_get_usec_since_initialized;
sd_device_get_tag_first;
sd_device_get_tag_next;
sd_device_get_devlink_first;
sd_device_get_devlink_next;
sd_device_get_property_first;
sd_device_get_property_next;
sd_device_get_sysattr_first;
sd_device_get_sysattr_next;
sd_device_has_tag;
sd_device_get_property_value;
sd_device_get_sysattr_value;
sd_device_set_sysattr_value;
sd_device_enumerator_new;
sd_device_enumerator_ref;
sd_device_enumerator_unref;
sd_device_enumerator_get_device_first;
sd_device_enumerator_get_device_next;
sd_device_enumerator_get_subsystem_first;
sd_device_enumerator_get_subsystem_next;
sd_device_enumerator_add_match_subsystem;
sd_device_enumerator_add_match_sysattr;
sd_device_enumerator_add_match_property;
sd_device_enumerator_add_match_sysname;
sd_device_enumerator_add_match_tag;
sd_device_enumerator_add_match_parent;
sd_device_enumerator_allow_uninitialized;
sd_hwdb_ref;
sd_hwdb_unref;
sd_hwdb_new;
sd_hwdb_get;
sd_hwdb_seek;
sd_hwdb_enumerate;
sd_id128_get_boot_app_specific;
sd_device_monitor_new;
sd_device_monitor_ref;
sd_device_monitor_unref;
sd_device_monitor_set_receive_buffer_size;
sd_device_monitor_attach_event;
sd_device_monitor_detach_event;
sd_device_monitor_get_event;
sd_device_monitor_get_event_source;
sd_device_monitor_start;
sd_device_monitor_stop;
sd_device_monitor_filter_add_match_subsystem_devtype;
sd_device_monitor_filter_add_match_tag;
sd_device_monitor_filter_update;
sd_device_monitor_filter_remove;
sd_event_source_get_floating;
sd_event_source_set_floating;
} LIBSYSTEMD_239;
LIBSYSTEMD_241 {
global:
sd_bus_close_unref;
} LIBSYSTEMD_240;
LIBSYSTEMD_243 {
global:
sd_bus_object_vtable_format;
sd_event_source_disable_unref;
} LIBSYSTEMD_241;
LIBSYSTEMD_245 {
global:
sd_bus_enqueue_for_read;
sd_bus_message_dump;
sd_bus_message_sensitive;
sd_event_add_child_pidfd;
sd_event_source_get_child_pidfd;
sd_event_source_get_child_pidfd_own;
sd_event_source_set_child_pidfd_own;
sd_event_source_get_child_process_own;
sd_event_source_set_child_process_own;
sd_event_source_send_child_signal;
sd_journal_open_namespace;
} LIBSYSTEMD_243;
LIBSYSTEMD_246 {
global:
sd_bus_interface_name_is_valid;
sd_bus_service_name_is_valid;
sd_bus_member_name_is_valid;
sd_bus_object_path_is_valid;
sd_bus_call_methodv;
sd_bus_call_method_asyncv;
sd_bus_emit_signalv;
sd_bus_reply_method_errnofv;
sd_bus_reply_method_errorfv;
sd_bus_reply_method_returnv;
sd_bus_set_propertyv;
sd_path_lookup;
sd_path_lookup_strv;
sd_notify_barrier;
sd_journal_enumerate_available_data;
sd_journal_enumerate_available_unique;
} LIBSYSTEMD_245;
LIBSYSTEMD_247 {
global:
sd_event_add_time_relative;
sd_event_source_set_time_relative;
sd_event_source_get_exit_on_failure;
sd_event_source_set_exit_on_failure;
sd_bus_error_has_names_sentinel;
sd_device_get_current_tag_first;
sd_device_get_current_tag_next;
sd_device_has_current_tag;
sd_device_set_sysattr_valuef;
} LIBSYSTEMD_246;
LIBSYSTEMD_248 {
global:
sd_bus_open_user_machine;
sd_event_source_set_ratelimit;
sd_event_source_get_ratelimit;
sd_event_source_is_ratelimited;
} LIBSYSTEMD_246;
Reference in a new issue View git blame Copy permalink