Commit graph

73 commits

Author SHA1 Message Date
Lennart Poettering 6e9417f5b4 tree-wide: use newa() instead of alloca() wherever we can
Typesafety is nice. And this way we can take benefit of the new size
assert() the previous commit added.
2019-01-26 16:17:04 +01:00
Lennart Poettering 595225af7a tree-wide: invoke rlimit_nofile_safe() before various exec{v,ve,l}() invocations
Whenever we invoke external, foreign code from code that has
RLIMIT_NOFILE's soft limit bumped to high values, revert it to 1024
first. This is a safety precaution for compatibility with programs using
select() which cannot operate with fds > 1024.

This commit adds the call to rlimit_nofile_safe() to all invocations of
exec{v,ve,l}() and friends that either are in code that we know runs
with RLIMIT_NOFILE bumped up (which is PID 1 and all journal code for
starters) or that is part of shared code that might end up there.

The calls are placed as early as we can in processes invoking a flavour
of execve(), but after the last time we do fd manipulations, so that we
can still take benefit of the high fd limits for that.
2018-12-01 12:50:45 +01:00
Lennart Poettering 5cfa2c3dc0 tree-wide: use IOVEC_MAKE() at many places 2018-11-27 10:12:27 +01:00
Filipe Brandenburger 3f10c66270 bus-socket: Fix line_begins() to accept word matching full string
The switch to memory_startswith() changed the logic to only look for a space or
NUL byte after the matched word, but matching the full size should also be
acceptable.

This changed the behavior of parsing of "AUTH\r\n", where m will be set to 4,
since even though the word will match, the check for it being followed by ' '
or NUL will make line_begins() return false.

Tested:

- Using netcat to connect to the private socket directly:
  $ echo -ne '\0AUTH\r\n' | sudo nc -U /run/systemd/private
  REJECTED EXTERNAL ANONYMOUS

- Running the Ignition blackbox test:
  $ sudo sh -c 'PATH=$PWD/bin/amd64:$PATH ./tests.test'
  PASS

Fixes: d27b725abf
2018-07-17 21:42:20 +02:00
Yu Watanabe 8f5dd8c094 tree-wide: drop empty comments 2018-06-29 11:00:30 +09:00
Lennart Poettering a6887cc03e tree-wide: drop MSG_NOSIGNAL flag from recvmsg() invocations
MSG_NOSIGNAL is only defined for sendmsg(), not for recvmsg(), hence
let's drop it's use, in particular as it appears to create problems on
older kernels. See:

https://lists.freedesktop.org/archives/systemd-devel/2018-June/040869.html
2018-06-20 16:12:55 +02:00
Lennart Poettering 0c69794138 tree-wide: remove Lennart's copyright lines
These lines are generally out-of-date, incomplete and unnecessary. With
SPDX and git repository much more accurate and fine grained information
about licensing and authorship is available, hence let's drop the
per-file copyright notice. Of course, removing copyright lines of others
is problematic, hence this commit only removes my own lines and leaves
all others untouched. It might be nicer if sooner or later those could
go away too, making git the only and accurate source of authorship
information.
2018-06-14 10:20:20 +02:00
Lennart Poettering 818bf54632 tree-wide: drop 'This file is part of systemd' blurb
This part of the copyright blurb stems from the GPL use recommendations:

https://www.gnu.org/licenses/gpl-howto.en.html

The concept appears to originate in times where version control was per
file, instead of per tree, and was a way to glue the files together.
Ultimately, we nowadays don't live in that world anymore, and this
information is entirely useless anyway, as people are very welcome to
copy these files into any projects they like, and they shouldn't have to
change bits that are part of our copyright header for that.

hence, let's just get rid of this old cruft, and shorten our codebase a
bit.
2018-06-14 10:20:20 +02:00
Lennart Poettering d27b725abf tree-wide: make use of memory_startswith() at various places 2018-05-30 13:11:51 +02:00
Yu Watanabe 945403e6ed path-util: introduce empty_to_root() and use it many places 2018-05-11 01:47:33 +09:00
Zbigniew Jędrzejewski-Szmek 11a1589223 tree-wide: drop license boilerplate
Files which are installed as-is (any .service and other unit files, .conf
files, .policy files, etc), are left as is. My assumption is that SPDX
identifiers are not yet that well known, so it's better to retain the
extended header to avoid any doubt.

I also kept any copyright lines. We can probably remove them, but it'd nice to
obtain explicit acks from all involved authors before doing that.
2018-04-06 18:58:55 +02:00
Lennart Poettering 68b525d1d1 sd-bus: drop fd_nonblock() calls that are implied by rearrange_stdio() (#8514) 2018-03-21 11:46:49 +01:00
Yu Watanabe 280029d18f sd-bus: do not try to close already closed fd (#8392)
Fixes #8376, which is introduced by 2b33ab0957.
2018-03-08 14:19:35 +01:00
Lennart Poettering 6cc7e918ff
Merge pull request #8314 from poettering/rearrange-stdio
refactor how we rearrange fds for stdin/stdout/stderr
2018-03-02 15:42:03 +01:00
Lennart Poettering 62d74c78b5 coccinelle: add reallocarray() coccinelle script
Let's systematically make use of reallocarray() whereever we invoke
realloc() with a product of two values.
2018-03-02 12:39:07 +01:00
Lennart Poettering 2b33ab0957 tree-wide: port various places over to use new rearrange_stdio() 2018-03-02 11:42:10 +01:00
Lennart Poettering 7fe2903c23 fd-util: move certain fds above fd #2 (#8129)
This adds some paranoia code that moves some of the fds we allocate for
longer periods of times to fds > 2 if they are allocated below this
boundary. This is a paranoid safety thing, in order to avoid that
external code might end up erroneously use our fds under the assumption
they were valid stdin/stdout/stderr. Think: some app closes
stdin/stdout/stderr and then invokes 'fprintf(stderr, …' which causes
writes on our fds.

This both adds the helper to do the moving as well as ports over a
number of users to this new logic. Since we don't want to litter all our
code with invocations of this I tried to strictly focus on fds we keep
open for long periods of times only and only in code that is frequently
loaded into foreign programs (under the assumptions that in our own
codebase we are smart enough to always keep stdin/stdout/stderr
allocated to avoid this pitfall). Specifically this means all code used
by NSS and our sd-xyz API:

1. our logging APIs
2. sd-event
3. sd-bus
4. sd-resolve
5. sd-netlink

This changed was inspired by this:

https://github.com/systemd/systemd/issues/8075#issuecomment-363689755

This shows that apparently IRL there are programs that do close
stdin/stdout/stderr, and we should accomodate for that.

Note that this won't fix any bugs, this just makes sure that buggy
programs are less likely to interfere with out own code.
2018-02-09 17:53:28 +01:00
Shawn Landden 392cf1d05d sd-bus: cleanup ssh sessions (Closes: #8076)
we still invoke ssh unnecessarily when there in incompatible or erreneous input
The fallow-up to finish that would make the code a bit more verbose,
as it would require repeating this bit:
```
        r = bus_connect_transport(arg_transport, arg_host, false, &bus);
        if (r < 0) {
                log_error_errno(r, "Failed to create bus connection: %m");
                goto finish;
        }

        sd_bus_set_allow_interactive_authorization(bus, arg_ask_password);
```
in every verb, after parsing.

v2: add waitpid() to avoid a zombie process, switch to SIGTERM from SIGKILL
v3: refactor, wait in bus_start_address()
2018-02-08 10:14:48 -08:00
Zbigniew Jędrzejewski-Szmek 67ddb52432
Merge pull request #7855 from poettering/log-h-includes
log.h #include cleanups
2018-01-15 13:43:09 +04:00
Lennart Poettering dccca82b1a log: minimize includes in log.h
log.h really should only include the bare minimum of other headers, as
it is really pulled into pretty much everything else and already in
itself one of the most basic pieces of code we have.

Let's hence drop inclusion of:

1. sd-id128.h because it's entirely unneeded in current log.h
2. errno.h, dito.
3. sys/signalfd.h which we can replace by a simple struct forward
   declaration
4. process-util.h which was needed for getpid_cached() which we now hide
   in a funciton log_emergency_level() instead, which nicely abstracts
   the details away.
5. sys/socket.h which was needed for struct iovec, but a simple struct
   forward declaration suffices for that too.

Ultimately this actually makes our source tree larger (since users of
the functionality above must now include it themselves, log.h won't do
that for them), but I think it helps to untangle our web of includes a
tiny bit.

(Background: I'd like to isolate the generic bits of src/basic/ enough
so that we can do a git submodule import into casync for it)
2018-01-11 14:44:31 +01:00
Zbigniew Jędrzejewski-Szmek c599b325b6 bus-socket: slight simplification in bus_get_peercred() 2018-01-11 13:04:11 +01:00
Lennart Poettering 3e0e196efd sd-bus: log about bus state changes
Let's unify all state changes in a new helper function, from which we
can then debug log all state changes
2018-01-05 13:58:32 +01:00
Lennart Poettering c7db1984d0 sd-bus: get rid of kdbus flags cruft
We only need three bits from the old kdbus flags cruft, hence let's make
them proper booleans.
2018-01-05 13:55:08 +01:00
Lennart Poettering 8a5cd31e5f sd-bus: optionally, use inotify to wait for bus sockets to appear
This adds a "watch-bind" feature to sd-bus connections. If set and the
AF_UNIX socket we are connecting to doesn't exist yet, we'll establish
an inotify watch instead, and wait for the socket to appear. In other
words, a missing AF_UNIX just makes connecting slower.

This is useful for daemons such as networkd or resolved that shall be
able to run during early-boot, before dbus-daemon is up, and want to
connect to dbus-daemon as soon as it becomes ready.
2018-01-05 13:55:08 +01:00
Lennart Poettering 6ae22ffb72 sd-bus: cast some syscall invocations explicitly to (void)
Let's clarify that we knowingly ignore the return values.
2018-01-05 13:55:08 +01:00
Lennart Poettering 18ac4643cb sd-bus: use SO_PEERGROUPS when available to identify groups of peer 2018-01-04 13:28:24 +01:00
Lennart Poettering 4c253ed1ca tree-wide: introduce new safe_fork() helper and port everything over
This adds a new safe_fork() wrapper around fork() and makes use of it
everywhere. The new wrapper does a couple of things we previously did
manually and separately in a safer, more correct and automatic way:

1. Optionally resets signal handlers/mask in the child

2. Sets a name on all processes we fork off right after forking off (and
   the patch assigns useful names for all processes we fork off now,
   following a systematic naming scheme: always enclosed in () – in order
   to indicate that these are not proper, exec()ed processes, but only
   forked off children, and if the process is long-running with only our
   own code, without execve()'ing something else, it gets am "sd-" prefix.)

3. Optionally closes all file descriptors in the child

4. Optionally sets a PR_SET_DEATHSIG to SIGTERM in the child, in a safe
   way so that the parent dying before this happens being handled
   safely.

5. Optionally reopens the logs

6. Optionally connects stdin/stdout/stderr to /dev/null

7. Debug logs about the forked off processes.
2017-12-25 11:48:21 +01:00
Zbigniew Jędrzejewski-Szmek db7d1dcae6 sd-bus: drop check for selinux before calling getsockopt(SO_PEERSEC)
Quoting Lennart Poettering in
https://github.com/systemd/systemd/pull/6464#issuecomment-319029293:
> If the kernel allows us to query that data we should also be Ok with passing
> it on to our own caller, regardless if selinux is technically on or off...

The advantage is that this allows gcc to be smarter and reduce linkage:
(before)$ ldd build/libnss_systemd.so.2
	linux-vdso.so.1 (0x00007ffeb46ff000)
	librt.so.1 => /lib64/librt.so.1 (0x00007f2f60da6000)
	libcap.so.2 => /lib64/libcap.so.2 (0x00007f2f60ba1000)
	libselinux.so.1 => /lib64/libselinux.so.1 (0x00007f2f60978000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f2f60759000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f2f60374000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f2f61294000)
	libpcre2-8.so.0 => /lib64/libpcre2-8.so.0 (0x00007f2f600f0000)
	libdl.so.2 => /lib64/libdl.so.2 (0x00007f2f5feec000)
(after )$ ldd build/libnss_systemd.so.2
	linux-vdso.so.1 (0x00007ffe5f543000)
	librt.so.1 => /lib64/librt.so.1 (0x00007f427dcaa000)
	libcap.so.2 => /lib64/libcap.so.2 (0x00007f427daa5000)
	libpthread.so.0 => /lib64/libpthread.so.0 (0x00007f427d886000)
	libc.so.6 => /lib64/libc.so.6 (0x00007f427d4a1000)
	/lib64/ld-linux-x86-64.so.2 (0x00007f427e196000)

Note that this only works in conjuction with the previous commit: either
of the two commits alone does not have the desired effect on linkage.

Replaces #6464.
2017-12-19 15:24:31 +01:00
Lennart Poettering fbd0b64f44
tree-wide: make use of new STRLEN() macro everywhere (#7639)
Let's employ coccinelle to do this for us.

Follow-up for #7625.
2017-12-14 19:02:29 +01:00
Zbigniew Jędrzejewski-Szmek 53e1b68390 Add SPDX license identifiers to source files under the LGPL
This follows what the kernel is doing, c.f.
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=5fd54ace4721fc5ce2bb5aef6318fcf17f421460.
2017-11-19 19:08:15 +01:00
Yu Watanabe 945c2931bb libsystemd: use IN_SET macro 2017-09-28 17:37:59 +09:00
Lennart Poettering 036d61b32e sd-bus: extend D-Bus authentication timeout considerably (#6813)
As it turns out the authentication phase times out too often than is
good, mostly due to PRNG pools not being populated during boot. Hence,
let's increase the authentication timeout from 25s to 90s, to cover for
that.

(Note that we leave the D-Bus method call timeout at 25s, matching the
reference implementation's value. And if the auth phase managed to
complete then the pools should be populated enough and mehtod calls
shouldn't take needlessly long anymore).

Fixes: #6418
2017-09-13 19:08:26 +02:00
Tom Gundersen f29eef2e90 sd-bus: socket - only transmit auxillary FDs once (#6603)
If a message is too large to fit into the output buffer, it will be
transmitted to the kernel in several chunks. However, the FDs must
only ever be transmitted once or they will bereceived by the remote
end repeatedly.

The D-Bus specification disallows several sets of FDs attached to
one message, however, the reference implementation of D-Bus will
not reject such a message, rather it will reassign the duplicate
FDs to subsequent FD-carrying messages.

This attaches the FD array only to the first byte of the message.
2017-08-30 13:09:03 +02:00
Zbigniew Jędrzejewski-Szmek a132bef023 Drop kdbus bits
Some kdbus_flag and memfd related parts are left behind, because they
are entangled with the "legacy" dbus support.

test-bus-benchmark is switched to "manual". It was already broken before
(in the non-kdbus mode) but apparently nobody noticed. Hopefully it can
be fixed later.
2017-07-23 12:01:54 -04:00
Gary Tierney 6d395665e5 Revert "selinux: split up mac_selinux_have() from mac_selinux_use()"
This reverts commit 6355e75610.

The previously mentioned commit inadvertently broke a lot of SELinux related
functionality for both unprivileged users and systemd instances running as
MANAGER_USER.  In particular, setting the correct SELinux context after a User=
directive is used would fail to work since we attempt to set the security
context after changing UID.  Additionally, it causes activated socket units to
be mislabeled for systemd --user processes since setsockcreatecon() would never
be called.

Reverting this fixes the issues with labeling outlined above, and reinstates
SELinux access checks on unprivileged user services.
2017-05-12 14:43:39 +01:00
Zbigniew Jędrzejewski-Szmek f97b34a629 Rename formats-util.h to format-util.h
We don't have plural in the name of any other -util files and this
inconsistency trips me up every time I try to type this file name
from memory. "formats-util" is even hard to pronounce.
2016-11-07 10:15:08 -05:00
Lennart Poettering 3bbaff3e08 tree-wide: use sd_id128_is_null() instead of sd_id128_equal where appropriate
It's a bit easier to read because shorter. Also, most likely a tiny bit faster.
2016-07-22 12:38:08 +02:00
Vito Caputo 313cefa1d9 tree-wide: make ++/-- usage consistent WRT spacing
Throughout the tree there's spurious use of spaces separating ++ and --
operators from their respective operands.  Make ++ and -- operator
consistent with the majority of existing uses; discard the spaces.
2016-02-22 20:32:04 -08:00
Lennart Poettering 91ba5ac7d0 Merge pull request #2589 from keszybz/resolve-tool-2
Better support of OPENPGPKEY, CAA, TLSA packets and tests
2016-02-13 11:15:41 +01:00
Zbigniew Jędrzejewski-Szmek 75f32f047c Add memcpy_safe
ISO/IEC 9899:1999 §7.21.1/2 says:
Where an argument declared as size_t n specifies the length of the array
for a function, n can have the value zero on a call to that
function. Unless explicitly stated otherwise in the description of a
particular function in this subclause, pointer arguments on such a call
shall still have valid values, as described in 7.1.4.

In base64_append_width memcpy was called as memcpy(x, NULL, 0).  GCC 4.9
started making use of this and assumes This worked fine under -O0, but
does something strange under -O3.

This patch fixes a bug in base64_append_width(), fixes a possible bug in
journal_file_append_entry_internal(), and makes use of the new function
to simplify the code in other places.
2016-02-11 13:07:02 -05:00
Daniel Mack b26fa1a2fb tree-wide: remove Emacs lines from all files
This should be handled fine now by .dir-locals.el, so need to carry that
stuff in every file.
2016-02-10 13:41:57 +01:00
Lennart Poettering 6355e75610 selinux: split up mac_selinux_have() from mac_selinux_use()
Let's distuingish the cases where our code takes an active role in
selinux management, or just passively reports whatever selinux
properties are set.

mac_selinux_have() now checks whether selinux is around for the passive
stuff, and mac_selinux_use() for the active stuff. The latter checks the
former, plus also checks UID == 0, under the assumption that only when
we run priviliged selinux management really makes sense.

Fixes: #1941
2015-11-27 20:28:13 +01:00
Lennart Poettering 7fc04b12e0 sd-bus: don't try to acquire connection selinux label unless selinux is actually enabled
Otherwise we might end up mistaking a SMACK label for an selinux label.

Also, fixes unexpect debug messages:

http://lists.freedesktop.org/archives/systemd-devel/2015-November/034913.html
2015-11-11 12:55:32 +01:00
Lennart Poettering b5efdb8af4 util-lib: split out allocation calls into alloc-util.[ch] 2015-10-27 13:45:53 +01:00
Lennart Poettering 15a5e95075 util-lib: split out printf() helpers to stdio-util.h 2015-10-27 13:25:57 +01:00
Lennart Poettering e4e73a6325 util-lib: split out hex/dec/oct encoding/decoding into its own file 2015-10-27 13:25:55 +01:00
Lennart Poettering b1d4f8e154 util-lib: split out user/group/uid/gid calls into user-util.[ch] 2015-10-26 01:24:38 +01:00
Lennart Poettering 3ffd4af220 util-lib: split out fd-related operations into fd-util.[ch]
There are more than enough to deserve their own .c file, hence move them
over.
2015-10-25 13:19:18 +01:00
Lennart Poettering 07630cea1f util-lib: split our string related calls from util.[ch] into its own file string-util.[ch]
There are more than enough calls doing string manipulations to deserve
its own files, hence do something about it.

This patch also sorts the #include blocks of all files that needed to be
updated, according to the sorting suggestions from CODING_STYLE. Since
pretty much every file needs our string manipulation functions this
effectively means that most files have sorted #include blocks now.

Also touches a few unrelated include files.
2015-10-24 23:05:02 +02:00
Michal Schmidt a0f5ab70f3 sd-bus: correct size calculation in DBus fd receive
The size of the allocated array for received file descriptors was
incorrectly calculated. This did not matter when a single file
descriptor was received, but for more descriptors the allocation was
insufficient.
2015-09-16 23:53:32 +02:00