Commit Graph

9861 Commits

Author SHA1 Message Date
Zbigniew Jędrzejewski-Szmek
0adbb11b4e tests: print numeric error value too on failure
The error message is not always meaningful. Also, sometimes we care about the
sign of the value, and we ignore the sign of the error in the printing machinery.

The messages for errno are changed to say "errno" instead of "error". The problem with
the previous formulation is that our errors are always negative and errnos are
positive, so when we print the numerical value, we cannot use the word for both.

Example output:
src/test/test-tests.c:15: Assertion failed: Expected "-1" to succeed, but got error: -1/Operation not permitted
src/test/test-tests.c:16: Assertion failed: Expected "-ENOANO" to succeed, but got error: -55/No anode
src/test/test-tests.c:61: Assertion failed: Expected "0" to fail with error -2/"No such file or directory", but it succeeded
src/test/test-tests.c:62: Assertion failed: Expected "RET_NERRNO(mkdir("/i/will/fail/with/enoent", 666))" to fail with error -55/"No anode", but got the following error: -2/No such file or directory
src/test/test-tests.c:68: Assertion failed: Expected "0" to fail with errno 2/"No such file or directory", but it succeeded
src/test/test-tests.c:70: Assertion failed: Expected "mkdir("/i/will/fail/with/enoent", 666)" to fail with errno 55/"No anode", but got the following errno: 2/No such file or directory
2025-07-01 17:51:49 +02:00
Zbigniew Jędrzejewski-Szmek
236f7ab07c tests: cast to intmax_t instead of printing to a temp buffer
We can do this for int types, i.e. the variants where we expect a
success/error code. The macros which generate comparison operations
also support floats, so we shouldn't use intmax_t there.

The code is shorter and calling printf once is certainly more efficient.
2025-07-01 17:51:49 +02:00
Zbigniew Jędrzejewski-Szmek
89181651e6 shared/tests: indent defines 2025-07-01 17:47:34 +02:00
Yu Watanabe
4f18ff2e29 tree-wide: include unistd.h where necessary
We use symbols provided by unistd.h without including it. E.g.
open(), close(), read(), write(), access(), symlink(), unlink(), rmdir(),
fsync(), syncfs(), lseek(), ftruncate(), fchown(), dup2(), pipe2(),
getuid(), getgid(), gettid(), getppid(), pipe2(), execv(), _exit(),
environ, STDIN_FILENO, STDOUT_FILENO, STDERR_FILENO, F_OK, and their
friends and variants, and so on.

Currently, unistd.h is indirectly included mainly in the following two paths:
- through missing_syscall.h, which is planned to be converted to a .c file.
- through signal.h -> bits/sigstksz.h, which is new since glibc-2.34.
  Note, signal.h is included by sd-event.h. So, many source files
  indirectly include unistd.h if newer glibc is used.

Currently, our baseline on glibc is 2.31. We need to support glibc older
than 2.34, but unfortunately, we do not have any CI environments with
such old glibc. CIFuzz uses glibc-2.31, but it builds only fuzzers, and
many files are not even compiled.
2025-06-30 09:19:15 +02:00
Yu Watanabe
2d0ec7f900 Revert "pretty-print: also chase symlinks in the last component"
This reverts commit 2f2977cab8.

The commit was mistakenly merged without review. Also, as pointed out at
https://github.com/systemd/systemd/pull/37972#discussion_r2173234198
now the output is confusing. Let's revert at least now.
2025-06-29 10:15:56 +09:00
Yu Watanabe
b351ebdc97 Revert "tree-wide: use CONF_FILES_CHASE_BASENAME where root directory is specified"
This reverts commit 6b606f3586.

The commit was mistakenly merged without review, and has several issues.
Let's revert at least now.
2025-06-29 10:15:56 +09:00
Zbigniew Jędrzejewski-Szmek
7d247d3cb8 meson: drop explicit custom_target names
[1] says:
> Since 0.60.0 the name argument is optional and defaults to the basename of
> the first output
We specify >= 0.62 as the supported version, so drop the duplicate name in all cases
where it is the same as outputs[0], i.e. almost all cases.

[1] https://mesonbuild.com/Reference-manual_functions.html#custom_target
2025-06-28 17:14:50 +02:00
Yu Watanabe
6b606f3586 tree-wide: use CONF_FILES_CHASE_BASENAME where root directory is specified
Otherwise, the result may point to outside of the root directory.

This also sets CONF_FILES_REGULAR and CONF_FILES_FILTER_MASKED, as the
callers will call fopen() or friends for the result, thus the enumerated
results must be non-empty regular files.
2025-06-28 04:13:43 +09:00
Yu Watanabe
2f2977cab8 pretty-print: also chase symlinks in the last component
Otherwise, this may show files outside of the specified root directory.
2025-06-28 04:13:43 +09:00
Yu Watanabe
d6570eafe3 userdb: fix enumeration of .membership files
The man page nss-systemd(8) says

> The contents of these files are currently not read, and the files
> should be created empty.

But previously we filtered out such files, as the CONF_FILES_FILTER_MASKED
flag checks if a file is empty (or symlink to null), thus any empty files
were ignored.

To accept empty .membership files, let's use CONF_FILES_FILTER_MASKED_BY_SYMLINK.

Fixes #37945.
2025-06-28 03:54:48 +09:00
Lennart Poettering
5584632f40 cpu-set-util: fix null pointer dereference and several cleanups (#37900)
Fixes CID#1611618.
2025-06-27 14:59:25 +02:00
Lennart Poettering
c6bb846c04 shared: make sure RandomizedOffsetUSec can be set as transient prop
Fixes: #37870
Follow-up for: #36437
2025-06-26 17:31:00 +02:00
Lennart Poettering
f789b17e87 terminal-util: switch from TCSADRAIN to TCSANOW for all tcsetattr() calls
TCSADRAIN means tcsetattr() will become blocking (waiting for the ability to
write out queued bytes), which is problematic if the referenced TTY is
dead for some reason.

Since all these calls just modify *input* parameters anyway (i.e. mostly
local echo, and canonical mode), forcing out queued output is kinda
pointless anyway, hence just don't do it: leave it in the queue and just
change the flags we want to change.

The tcsetattr(3) man page kinda hints that we want to use TCSANOW here,
because it documents for TCSADRAIN:

"This option should be used when changing parameters that affect
output."

Which one can read so that TCSADRAIN should not be used if it doesn't
affect output, which is the case here.

This probably fixes: #37854
2025-06-26 01:24:52 +09:00
Yu Watanabe
38704f5dc9 include: update syscall list
open_tree_attr is since kernel 6.15-rc1:
c4a16820d9
2025-06-25 03:59:25 +09:00
Yu Watanabe
fbf6836812 tree-wide: include missing_fs.h only where necessary
The additional definitions provided by the header are
- EXT4_IOC_RESIZE_FS, used in resize-fs.c,
- FILEID_KERNFS, used in cgroup-util.c and pidfd-util.c.

Let's drop the inclusion at other places.
2025-06-25 00:50:06 +09:00
Lennart Poettering
51cc3825d1 tree-wide: use sd_bus_message_send() instead of sd_bus_send() wherever possible
Also, add a coccinelle script that patches this automatically.
2025-06-24 23:23:40 +09:00
Lennart Poettering
170d7d49f5 user-record: also support "aliases" in the "status" section of user records
Some user record providers might want to implement case-insensitive user
record matching, or other forms of non-normalized matching. So far
userdb didn't allow that, because clients typically revalidate the
returned user records against the search keys (at least our clients do)
– they check if the search user name is actually part of the user record
and its aliases.

In order to support such lookups we thus need to allow the lookup keys to
be part of the user record, but also not be persisted in it, because
the number of casings/spellings of a username might be ridiculously
high.

A nice way out is to allow "aliases" not only in the main part of the
record, but also in the "status" part, that contains information
dynamically determined at query time. We can insert a second "aliases"
field there, which the parser will then merge with the primary "aliases"
field, but the existing rules around "status" ensure that the data is
never persisted.

Follow-up: e2e1f38f5a
2025-06-23 22:26:24 +01:00
Yu Watanabe
5eab200758 homed,userdbd: mark "secrets" section of user records always to "sensitive" (#37935) 2025-06-24 00:50:44 +09:00
Lennart Poettering
1bd9a3c916 bootspec: ensure memory free in one error path 2025-06-24 00:49:46 +09:00
Yu Watanabe
fe3ada076e cpu-set-util: introduce config_parse_cpu_set()
Then, make parse_cpu_set() a tiny wrapper of it.

Note, previously when an invalid CPU range, e.g. "3-0", is specified,
we ignore the range but allocate an empty set. But, with this commit,
now the conf parser simply ignores it without any side effect.
This potentially changes the behavior of a system with such an invalid setting,
but the change should be favorable for consistency with other parsers.
2025-06-24 00:20:20 +09:00
Yu Watanabe
01eb1ce19b cpu-set-util: drop unused cpu_set_free() 2025-06-24 00:20:20 +09:00
Yu Watanabe
296fe3d511 cpu-set-util: rename cpu_set_reset() -> cpu_set_done()
This also introduces cpu_set_done_and_replace().

No functional change, just refactoring.
2025-06-24 00:20:20 +09:00
Yu Watanabe
f4093f43fb cpu-set-util: rename cpu_set_add_all() and cpu_mask_add_all()
This renames
- cpu_set_add_all() -> cpu_set_add_set(),
- cpu_mask_add_all() -> cpu_set_add_all().

No functional change, just refactoring.
2025-06-24 00:20:20 +09:00
Yu Watanabe
c4afb3c3e3 cpu-set-util: several cleanups for cpu_set_{from,to}_dbus()
- rename arguments,
- use SET_BIT() and BIT_SET() macros,
- explicitly (re)alloc before setting bits.

No functional change, just refactoring.
2025-06-24 00:20:20 +09:00
Yu Watanabe
8de95eafa1 cpu-set-util: several cleanups for cpu_set_realloc(), cpu_set_add() and friends
- introduce CPU_SET_MAX_NCPU and check overflow several more places,
- use GREEDY_REALLOC0(),
- introduce cpu_set_add_range() helper function,
- explicitly (re)alloc first before setting multiple bits.

No functional change, just refactoring.
2025-06-24 00:20:20 +09:00
Yu Watanabe
2d4613427e cpu-set-util: several cleanups for cpu_set_to_string() and cpu_set_to_range_string()
- Add missing assertions.
- Replace GREEDY_REALLOC() + sprintf() with strextendf_with_separator().
2025-06-24 00:20:20 +09:00
Yu Watanabe
df04987af2 cpu-set-util: make cpu_set_to_mask_string() work with an empty cpu set
This also makes it use strextendf_with_separator() and SET_BIT().

Fixes CID#1611618.
2025-06-24 00:20:20 +09:00
Valentin David
0dc39dffbd Use paths specified from environment variables for /etc configuration files
Some configuration files that need updates are directly under /etc. To
update them atomically, we need write access to /etc. For Ubuntu Core this is
an issue as /etc is not writable. Only a selection of subdirectories can be
writable. The general solution is symlinks or bind mounts to writable places.
But for atomic writes in /etc, that does not work. So Ubuntu has had a patch
for that which did not age well.

Instead we would like to introduce some environment variables for alternate
paths.

 * SYSTEMD_ETC_HOSTNAME: /etc/hostname
 * SYSTEMD_ETC_MACHINE_INFO: /etc/machine-info
 * SYSTEMD_ETC_LOCALTIME: /etc/localtime
 * SYSTEMD_ETC_LOCALE_CONF: /etc/locale.conf
 * SYSTEMD_ETC_VCONSOLE_CONF: /etc/vconsole.conf
 * SYSTEMD_ETC_ADJTIME: /etc/adjtime

While it is for now expected that there is a symlink from the standard, we
still try to read them from that alternate path. This is important for
`/etc/localtime`, which is a symlink, so we cannot have an indirect symlink or
bind mount for it.

Since machine-id is typically written only once and not updated, this commit
does not cover it. An initrd can properly create it and bind mount it.
2025-06-23 15:32:11 +02:00
Lennart Poettering
e3d0fa5ac4 userdb: when loading a user record from JSON, mark 'secret' section in JSON variant as sensitive as side effect
When we load a user record we retain a reference to the original JSON.
Thus the loaded objects might live at least as long as our user record
object, hence we better make sure we set the 'sensitive' flag for the
'secret' section if it's not marked like that yet.

This is paranoia only: we already should be setting this flag properly
earlier, when acquiring the json variant in the first place. But it's
better to be safe than sorry.
2025-06-23 14:48:45 +02:00
Yu Watanabe
4d05a19c95 bootctl: honour architecture when updating boot loaders (#37913)
Fixes: #33413
Follow-up for: #30418
2025-06-21 02:25:17 +09:00
Lennart Poettering
e04d782416 copy: when looking for file holes, consider empty data segments
This could mean that we hit EOF, or it could mean that somebody punched
a hole concurrently where we are currently looking. Let's figure this
out by simply trying to copy a single byte, which will give us a
definitive answer.

Fixes: #35569
2025-06-21 02:19:27 +09:00
Lennart Poettering
6b8770b96b bootctl: when updating everything check PE machine type
Let's never accidentally overwrite foreign-arch PE binaries with native
ones.

Fixes: #33413
2025-06-20 14:06:53 +02:00
Luca Boccassi
da993edcf7 tpm2: print clear log message in case of dictionary lockout mode (#37894)
Fixes: #32260
2025-06-19 22:55:36 +01:00
Lennart Poettering
df21ceca25 cryptsetup: handle DA lockout/bad PIN properly
Now that we have recognizable errors, let's print clear error messages
when we try to unlock a TPM slot. And in case of the token plugin
propagate this as ENOANO so that libcryptsetup recognizes this as bad
PIN. (ENOANO is documented as the error to return in that case)

Fixes: #32260
2025-06-19 12:33:52 +02:00
Lennart Poettering
48cb1ad9c3 tpm2-util: recognize DA lockout mode and PIN failures properly
When we create the policy session the previously passed PIN will be
checked. This means we'll see PIN errors here, in case the PIN is wrong
or if DA lockout mode has been triggered.

Recognize these two errors, and bubble up recognizable errors.
2025-06-19 12:32:15 +02:00
Yu Watanabe
cef4ec347f ioprio-util: move from basic/ to shared/
It is not used by libsystemd.
2025-06-19 19:08:45 +09:00
Yu Watanabe
dbfe2faa48 port write_env_file() to label_os_pre() + teach firstboot a bit of relabelling (#37869)
This is a clean-up, and also addresses some of the points of #37857.
2025-06-19 18:03:12 +09:00
Yu Watanabe
abb99d3168 mallinfo-util: assume mallinfo() exists
The check existed for musl. Let's remove it, as we explicitly request glibc.

While removing the check, this also drops generic_mallinfo, introduces
a tiny converter from struct mallinfo to struct mallinfo2 if mallinfo2()
does not exist, and renames mallinfo-util.h to malloc.h.

With this change, we can drop many ifdefs and casts in .c files.
2025-06-18 10:45:27 +02:00
Lennart Poettering
3e5320e27d env-file: port write_env_file() to label_ops_pre()
Let's make more use of label_ops_pre()/label_ops_post(), and replace
write_env_file_label() by a flag to write_env_file().

This simplifies and normalizes the code.

This also makes one relevant change: it sets the new
WRITE_ENV_FILE_LABEL flag in firstboot.c when we write locale.conf,
where we previously did not (but should have). This should address one
detail of #37857.
2025-06-18 10:21:26 +02:00
Lennart Poettering
9ea5a6e7d6 fs-util: replace symlink_atomic_full_label() by a flag to symlinkat_atomic_full()
More porting work to label_ops_pre()/label_ops_post()

This also enables labelling of the /etc/localtime symlink in
systemd-firstboot, which should address one small facet of #37857
2025-06-18 10:21:25 +02:00
Yu Watanabe
9d5f05ae22 bus-util: coding style cleanups
- replace `type *func()` -> `type* func()`,
- rename arguments for storing results.
2025-06-18 01:55:46 +09:00
Yu Watanabe
31a1e15ccb sd-bus: coding style cleanups
- replace `type *func()` -> `type* func()`,
- rename arguments for storing results,
- add several missing assertions.
2025-06-18 01:54:07 +09:00
Mike Yuan
85352c095e various: turn off SO_PASSRIGHTS where fds are not expected 2025-06-17 13:16:44 +02:00
Mike Yuan
718e7eb184 notify-recv: disable SO_PASSRIGHTS by default in notify_socket_prepare() 2025-06-17 13:16:43 +02:00
Mike Yuan
5c12797fc3 core/socket: introduce AcceptFileDescriptors=
This controls the new SO_PASSRIGHTS socket option in kernel v6.16.
Note that I intentionally chose a different naming scheme than
Pass*=, since all other Pass*= options control whether some extra
bits are attached to the message, while this one's about denying
file descriptor transfer and it feels more explicit this way.
And diverging from the underlying socket option name is precedented
by Timestamping=. But happy to change it to just say PassRights=
if people disagree.
2025-06-17 13:16:42 +02:00
Mike Yuan
35462aa14a core/socket: add PassPIDFD= 2025-06-17 13:16:41 +02:00
Mike Yuan
b36ab0d4ce core/socket: don't suggest PassFileDescriptorsToExec= is a socket option
by not interleaving it among socket options.
2025-06-17 13:16:07 +02:00
Mike Yuan
a59cc3860b tree-wide: check --machine= specification
Addresses https://github.com/systemd/systemd/pull/37741#discussion_r2128482378
2025-06-17 02:10:37 +02:00
Yu Watanabe
624d369868 discover-image: make image_discover() allocate hashmap when necessary 2025-06-11 22:45:08 +09:00
Yu Watanabe
d654b9dcfd discover-image: coding style fixlets 2025-06-11 22:45:08 +09:00