This patch enables IFNAME_VALID_ALTERNATIVE for checks guarding the
parsing of RestrictNetworkInterfaces=.
The underlying implementation for this option already supports
altnames.
* Use a unified struct to store accounting fields/suffixes
* Use strextendf_with_separator where appropriate
* Don't mix stack and heap allocation for one iovec array
This is the common case in --user instances, hence handle this
gracefully.
This should be safe since user instances won't get access to
/dev/console-related ttys anyway, but only their own ptys.
Currently, start/stop messages for device units are not used, since
job_perform_on_unit() does nothing and we simply wait for unit status
change. I think we still want some nice log messages explaining what
the start jobs for devices are doing, so let's fix this.
Just use ExecParam directly, as these are all internal to sd-exec now
anyway. Avoids double close when execution fails after FDs are set up
for inheritance and were already re-arranged.
Fixes https://github.com/systemd/systemd/issues/30412
Follow-up for 5b6319dcee (gosh this is
ancient), and effectively reverts 3dead8d925.
sigwait() is documented to "suspend execution of the calling thread
until one of the signals specified in the signal set becomes pending".
And the only error it returns is EINVAL, when "set contains an invalid
signal number". Therefore, there's no need to run it in a loop or
to check for runtime error.
I was wondering why I couldn't trigger the assertion in safe_fclose()
when submitting #30251. It turned out that the static destructor was
not run at all :/
Replace main() with a minimized version of main-func.h. This also
prevents emitting negative exit codes.
Currently, memory accounting values are only cached if it was queued
at least once before destroying cgroup. Let's always cache it like
what we already do for CPU usage.
Preparation for later changes.
So far we created the target directory, and the source for bind mounts,
but not workdir/upperdir for overlays, so it has to be done separately
and strictly before the unit is started, which is annoying. Check the
options when creating directories, and if upper/work directories are
specified, create them.
If a unit is running in an image and wants to survive a soft-reboot,
then it can't be deactivated by the storage of the image going away.
Relax the dependency to a Wants=. Access to the image is not needed
when the unit is running anyway, so downgrade to Wants=.
The read-only bit is flipped after setting up all the mounts, so that
bind mounts can be added. Remove the early config, and add a unit
test.
Fixes https://github.com/systemd/systemd/issues/30372
This is similar to #30183 but focusses on the status output rather than
the log output.
Since the status output always goes to a TTY we don't have to
conditionalize things on isatty().
Fixes: #30184
This adds a new ProtectSystem= setting that mirrors the option of the
same of services, but in a more restrictive way. If enabled will remount
/usr/ to read-only, very early at boot. Takes a special value "auto"
(which is the default) which is equivalent to true in the initrd, and
false otherwise.
Unlike the per-service option we don't support full/strict modes, but
the door is open to eventually support that too if it makes sense. It's
not entirely trivial though as we have very little mounted this early,
and hence the mechanism might not apply 1:1. Hence in this PR is a
conservative first step.
My primary goal with this is to lock down initrds a bit, since they
conceptually are mostly immutable, but they are unpacked into a mutable
tmpfs. let's tighten the screws a bit on that, and at least make /usr/
immutable.
This is particularly nice on USIs (i.e. Unified System Images, that pack
a whole OS into a UKI without transitioning out of it), such as
diskomator.
SELinux logs before we have a chance to apply it, move it up as it
breaks TEST-04-JOURNAL:
[ 408.578624] testsuite-04.sh[11463]: ++ journalctl -b -q -u silent-success.service
[ 408.578743] testsuite-04.sh[11098]: + [[ -z Dec 03 13:38:41 H systemd-executor[11459]: SELinux enabled state cached to: disabled ]]
Follow-up for: bb5232b6a3
If exec_fd is closed in add_shifted_fd() by close_and_replace(),
but something goes wrong later, we may close exec_fd twice
in exec_params_shallow_clear().
Before this commit, between fdopen() (in parse_argv()) and fdset_remove(),
the serialization fd is owned by both arg_serialization FILE stream and fdset.
Therefore, if something wrong happens between the two calls, or if --deserialize=
is specified more than once, we end up closing the serialization fd twice.
Normally this doesn't matter much, but I still think it's better to fix this.
Let's call fdset_new_fill() after parsing serialization fd hence.
We set the fd to CLOEXEC in parse_argv(), so it will be filtered
when the fdset is created.
While at it, also move fdset_new_fill() under the second log_open(), so
that we always log to the log target specified in arguments.
log_setup() will open the console in systemd-executor because it's
not pid 1 and it's not connected to the journal. So if the log target
is later changed to kmsg, we have to reopen the log.
But since log_open() won't open the same log twice, let's just call it
unconditionally since it will be a noop if we try to reopen the same log.
This makes sure that systemd-executor will log to the log target passed
via --log-target= after parsing arguments.
This is the equivalent of RequiresMountsFor=, but adds Wants= instead
of Requires=. It will be useful for example for the autogenerated
systemd-cryptsetup units.
Fixes https://github.com/systemd/systemd/issues/11646
With gcc-13,
```
CFLAGS="-O3 -fno-semantic-interposition" meson setup build
```
triggers the following error:
```
../src/core/cgroup.c: In function ‘cgroup_context_dump’:
../src/core/cgroup.c:633:44: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
633 | "%sDeviceAllow: %s %s\n",
| ^~
cc1: some warnings being treated as errors
```
Fixes#30223.
