Guard the coverage-related shenanigans from g++ when building the one
C++ unit test we have, so we don't have to make it C++ compatible:
[1573/2109] Compiling C++ object test-bus-vtable-cc.p/src_libsystemd_sd-bus_test-bus-vtable-cc.cc.o
FAILED: test-bus-vtable-cc.p/src_libsystemd_sd-bus_test-bus-vtable-cc.cc.o
ccache c++ -Itest-bus-vtable-cc. ... -c ../src/libsystemd/sd-bus/test-bus-vtable-cc.cc
In file included from <command-line>:
../src/basic/coverage.h:17:15: error: ‘_Noreturn’ does not name a type
17 | static inline _Noreturn void _coverage__exit(int status) {
| ^~~~~~~~~
../src/basic/coverage.h:46:29: error: conflicting declaration of ‘int _coverage_execveat(int, const char*, char* const*, char* const*, int)’ with ‘C’ linkage
46 | #define execveat(d,p,a,e,f) _coverage_execveat(d, p, a, e, f)
| ^~~~~~~~~~~~~~~~~~
../src/basic/coverage.h:34:19: note: previous declaration with ‘C++’ linkage
34 | static inline int _coverage_execveat(
| ^~~~~~~~~~~~~~~~~~
../src/basic/coverage.h:46:29: error: declaration of ‘int _coverage_execveat(int, const char*, char* const*, char* const*, int) noexcept’ has a different exception specifier
46 | #define execveat(d,p,a,e,f) _coverage_execveat(d, p, a, e, f)
| ^~~~~~~~~~~~~~~~~~
../src/basic/coverage.h:34:19: note: from previous declaration ‘int _coverage_execveat(int, const char*, char* const*, char* const*, int)’
34 | static inline int _coverage_execveat(
| ^~~~~~~~~~~~~~~~~~
../src/basic/coverage.h:58:24: error: conflicting declaration of ‘int _coverage_execvpe(const char*, char* const*, char* const*)’ with ‘C’ linkage
58 | #define execvpe(f,a,e) _coverage_execvpe(f, a, e)
| ^~~~~~~~~~~~~~~~~
../src/basic/coverage.h:48:19: note: previous declaration with ‘C++’ linkage
48 | static inline int _coverage_execvpe(
| ^~~~~~~~~~~~~~~~~
../src/basic/coverage.h:58:24: error: declaration of ‘int _coverage_execvpe(const char*, char* const*, char* const*) noexcept’ has a different exception specifier
58 | #define execvpe(f,a,e) _coverage_execvpe(f, a, e)
| ^~~~~~~~~~~~~~~~~
../src/basic/coverage.h:48:19: note: from previous declaration ‘int _coverage_execvpe(const char*, char* const*, char* const*)’
48 | static inline int _coverage_execvpe(
| ^~~~~~~~~~~~~~~~~
[1582/2109] Compiling C object test-event.p/src_libsystemd_sd-event_test-event.c.o
ninja: build stopped: subcommand failed.
Doesn't really matter since the two unicode symbols are supposedly
equivalent, but let's better follow the unicode recommendations to
prefer greek small letter mu, as per:
https://www.unicode.org/reports/tr25
Apparently there are two µ symbols, accept both when parsing.
One is the greek small letter mu (μ) the other is the micro sign (µ).
Unicode recommendation considers both equivalent, and says use of greek
small letter mu is preferred. See:
https://www.unicode.org/reports/tr25
Hence accept both when parsing.
Inspired by: #28029
This is a rework of #24764 by Cristian Rodríguez
<crodriguez@owncloud.com>, which stalled.
Instead of assigning -1 we'll use a macro defined to INT_MAX however.
The kernel command line may contain newlines which kernel happily
accepts, but we'd ignore everything past the first newline. Let's fix
that by replacing read_one_line_file() with read_full_file().
This changes a boolean param into a proper bitflag field.
Given this only defines a single flag for now this doesn't look like
much of an improvement. But we'll add another flag shortly, where it
starts to make more sense.
Let's move this helper call from journald specific code to src/basic/,
so that we can use it from sd-journal.
While we are at it, slightly extend it to also cover container uids,
which are also routed to the system journal now.
This places the call in uid-alloc-range.[ch] which contains similar
functions that match UID ranges for specific purposes.
We recently codified in the coding style that for openat() style APIs,
an empty path can be passed both as the empty string and as NULL, so
let's make sure we follow that style in xopenat().
This adds support for KSM (kernel samepage merging). It adds a new
boolean parameter called MemoryKSM to enable the feature. The feature
can only be enabled with newer kernels.
The comment makes a reference to the function fchmod_path() but this
function does not exist in the source tree.
However, the function fchmod_opath() exists; it was introduced by the
commit 4dfaa528d4.
As the comment tells, the function futimens_opath() introduced by the
commit f25bff5eaf is similar to the
function fchmod_opath(); therefore, it should reference it.
This fixes the typo in the comment by referencing the proper function
fchmod_opath().
This adds a new mechanism for rebooting, a form of "userspace reboot"
hereby dubbed "soft-reboot". It will stop all services as in a usual
shutdown, possibly transition into a new root fs and then issue a fresh
initial transaction. The kernel is not replaced.
File descriptors can be passed over, thus opening the door for leaving
certain resources around between such reboots.
Usecase: this is an extremely quick way to reset userspace fully when
updating image based systems, without going through a full
hardware/firmware/boot loader/kernel/initrd cycle. It minimizes "grayout time"
for OS updates. (In particular when combined with kernel live patching)
By default, label_ops is initialized with a NULL pointer which translates
to noop labelling operations. In mac_selinux_init() and the new mac_smack_init(),
we initialize label_ops with a MAC specific LabelOps pointer.
We also introduce mac_init() to initialize any configured MACs and replace all
usages of mac_selinux_init() with mac_init().
When closing the FILE handle attached to a memstream, it may attempt to
do a realloc() that may fail during OOM situations, in which case we are
left with the buffer pointer pointing to NULL and buffer size > 0. For
example:
```
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
void *realloc(void *ptr, size_t size) {
return NULL;
}
int main(int argc, char *argv[])
{
FILE *f;
char *buf;
size_t sz = 0;
f = open_memstream(&buf, &sz);
if (!f)
return -ENOMEM;
fputs("Hello", f);
fflush(f);
printf("buf: 0x%lx, sz: %lu, errno: %d\n",
(unsigned long) buf, sz, errno);
fclose(f);
printf("buf: 0x%lx, sz: %lu, errno: %d\n",
(unsigned long) buf, sz, errno);
return 0;
}
```
```
$ gcc -o main main.c
$ ./main
buf: 0x74d4a0, sz: 5, errno: 0
buf: 0x0, sz: 5, errno: 0
```
This might do unexpected things if the underlying code expects a valid
pointer to the memstream buffer after closing the handle.
Found by Nallocfuzz.
Notifications from /proc/self/mountinfo are async, so if we stop a
service (and while doing so get rid of the credentials mount point of
it), then it will take a while until the notification reaches us and we
actually scan the table again. In particular as we nowadays ratelimit
notifications on the table, since it's so inefficient. And as I learnt
the ratelimiting is actually quite regularly hit during shutdown, where
a flurry of umount events are genreated. Hence, let's check if a mount
point is actually a mountpoint before trying to unmount it. And if it
isn't let's wait for the notification to come in.
(This race might be triggred not just by us on ourselves btw: there are
other daemons that unmount stuff when stopping where the race also
exists, but might simply be harder to trigger: if during service
shutdown these services remove some mount then they might collide with
us doing the same. After all, we have the rule to unmount everything
mounted automatically for you during shutdown.)
In the long run we should also start making us of this when it becomes
available: https://github.com/util-linux/util-linux/issues/2132 With
that we can make issues like this go away entirely from our side of
things at least.
Fixes: #25527
Follow-up for: #27734
It makes sense to propagate the select log level we maintain also into
glibc, so that any code that uses syslog() directly that ends up in our
processes (libraries and such) are affected by our settings the same way
as we are ourselves.
We would create root account from sysusers or from firstboot, depending on
which one ran earlier. Since firstboot offers more options, in particular can
set the root password, we needed to order it earlier. This created an ugly
ordering requirement:
systemd-sysusers.service > systemd-firstboot.service > ... >
systemd-remount-fs.service > systemd-tmpfiles-setup-dev.service >
systemd-sysusers.service
We want sysusers.service to create basic users, so we can create nodes in dev,
so we can operate on block devices and such, so that we can resize and remount
things. But at the same time, systemd-firstboot.service can only work if it is
run early, before systemd-sysusers.service has created /etc/passwd. We can't
have it both ways: the units that want to have a fully writable root file
system cannot be ordered before units which are required to do file system
preparation.
Instead of trying to order firstboot very early, let's let it do its thing even
if it is started later. Instead of refusing to create to the root account if
/etc/passwd and /etc/shadow exist, actually check if the account is configured.
Now sysusers writes root account with password PASSWORD_UNPROVISIONED
("!unprovisioned"), and then firstboot checks for this, and will configure root
in this case.
This allows sysusers to be executed earlier (or accounts to be set up earlier
in another way).
This effectively reverts b825ab1a99.
