According to the various man pages of "resolvconf" the -u switch is for:
"-u Just run the update scripts (if updating is enabled)."
"-u Force resolvconf to update all its subscribers. resolvconf does not
update the subscribers when adding a resolv.conf that matches what
it already has for that interface."
We have no "subscribers", we ourselves are the only "subscriber" we
support. Hence it's probably better to ignore such a request and make it
a NOP, then to fail.
Fixes: #20748
Also,
- drop unnecessary +1 from buffer size, as IF_NAMESIZE or IFNAMSIZ
includes the nul at the end.
- format_ifname() does not update buffer on failure,
- introduces format_ifname_alloc(), FORMAT_IFNAME(), and their friends.
Getting certificates for dm-verity roothash signing into the trusted
kernel keychain is a royal PITA (means recompiling or rebooting with
shim), hence let's add a minimal userspace PKCS7 validation as well.
The mechanism is really simple and compatible with the verification the
kernel does. The only difference is that the certificates are searched
in /etc/verity.d/*.crt (and similar dirs in /usr/lib/, …).
We'll first try validation by passing the PKCS#7 data to the kernel, but
if that doesn't work we'll see if one of the certificates found that way
works and then attempt to attach the image without passing the PKCS#7
data to the kernel.
This makes it very easy to have fully validated GPT disk images. For
example, just copy the 'mkosi.secure-boot.crt' file you have in your
mkosi build dir to /etc/verity.d/ and things should just work.
LLVM 13 introduced `-Wunused-but-set-variable` diagnostic flag, which
trips over some intentionally set-but-not-used variables or variables
attached to cleanup handlers with side effects (`_cleanup_umask_`,
`_cleanup_(notify_on_cleanup)`, `_cleanup_(restore_sigsetp)`, etc.):
```
../src/basic/process-util.c:1257:46: error: variable 'saved_ssp' set but not used [-Werror,-Wunused-but-set-variable]
_cleanup_(restore_sigsetp) sigset_t *saved_ssp = NULL;
^
1 error generated.
```
According to Coverity, 194 ouf of 227 times we check for snprintf return code.
Voidify the rest.
CID#1461512
CID#1461513
CID#1461514
CID#1461515
CID#1461516
CID#1461518
CID#1461519
CID#1461520
CID#1461522
The SERVFAIL RCODE can be generated for many reasons which may not be related
to lack of feature support. For example, the Stubby resolver generates
SERVFAIL when a request times out. Such transient failures can cause
unnecessary downgrades to both the transaction and the server's feature level.
The consequences of this are especially severe if the server is in DNSSEC
strict mode. In this case repeated downgrades eventually cause the server to
stop resolving entirely with the error "incompatible-server".
To avoid unnecessary downgrades the request should be retried once with the
current level before the transaction's feature level is downgraded.
In general we almost never hit those asserts in production code, so users see
them very rarely, if ever. But either way, we just need something that users
can pass to the developers.
We have quite a few of those asserts, and some have fairly nice messages, but
many are like "WTF?" or "???" or "unexpected something". The error that is
printed includes the file location, and function name. In almost all functions
there's at most one assert, so the function name alone is enough to identify
the failure for a developer. So we don't get much extra from the message, and
we might just as well drop them.
Dropping them makes our code a tiny bit smaller, and most importantly, improves
development experience by making it easy to insert such an assert in the code
without thinking how to phrase the argument.
dns_resource_record_copy() assumes that NSEC types bitmap is non-empty
which results in a null pointer dereference inside bitmap_copy() in some
cases. Fix this by calling bitmap_copy() conditionally.
Only treat interface names containing dots specially when resolvectl is
pretending to be resolvconf to fix
https://github.com/systemd/systemd/issues/20014 .
Move the special suffix-stripping behaviour of ifname_mangle out to the
new ifname_resolvconf_mangle to be called from resolvconf only.
This fixes repart's, systemctl's, sysusers' and tmpfiles' specifier
expansion to honour the root dir specified with --root=. This is
relevant for specifiers such as %m, %o, … which are directly sourced
from files on disk.
This doesn't try to be overly smart: specifiers referring to runtime
concepts (i.e. boot ID, architecture, hostname) rather than files on the
medium are left as is. There's certainly a point to be made that they
should fail in case --root= is specified, but I am not entirely convinced
about that, and it's certainly something we can look into later if
there's reason to.
I wondered for a while how to hook this up best, but given that quite a
large number of specifiers resolve to data from files on disks, and most
of our tools needs this, I ultimately decided to make the root dir a
first class parameter to specifier_printf().
Replaces: #16187Fixes: #16183
In dns_server_unlink_marked() and dns_server_mark_all() we done recursively.
People might have dozens of servers defined, and it's better to avoid recursion
when a simple loop suffices.
dns_server_unlink_marked() would only unmark the first marked server.
Fixes#19651.
We recently started making more use of malloc_usable_size() and rely on
it (see the string_erase() story). Given that we don't really support
sytems where malloc_usable_size() cannot be trusted beyond statistics
anyway, let's go fully in and rework GREEDY_REALLOC() on top of it:
instead of passing around and maintaining the currenly allocated size
everywhere, let's just derive it automatically from
malloc_usable_size().
I am mostly after this for the simplicity this brings. It also brings
minor efficiency improvements I guess, but things become so much nicer
to look at if we can avoid these allocation size variables everywhere.
Note that the malloc_usable_size() man page says relying on it wasn't
"good programming practice", but I think it does this for reasons that
don't apply here: the greedy realloc logic specifically doesn't rely on
the returned extra size, beyond the fact that it is equal or larger than
what was requested.
(This commit was supposed to be a quick patch btw, but apparently we use
the greedy realloc stuff quite a bit across the codebase, so this ends
up touching *a*lot* of code.)
In 0e0fd08fc8 I added reference counts to keep
track of the DnsQueryCandidate objects. Unfortunately, dns_query_unref_candidates()
was written as
while (q->candidates)
dns_query_candidate_unref(q->candidates);
i.e. it would keep dropping the reference count as many times as needed for it
to hit 0, making the patch less than fully effective.
dns_query_unref_candidates() is renamed to dns_query_detach_candidates() and
changed to drop exactly one reference from each of the linked candidates.
Example failure:
==463== Invalid read of size 8
==463== at 0x419C93: dns_query_candidate_go (resolved-dns-query.c:159)
==463== by 0x41A143: dns_query_candidate_notify (resolved-dns-query.c:304)
==463== by 0x434BD6: dns_transaction_complete (resolved-dns-transaction.c:437)
==463== by 0x436A0F: dns_transaction_process_dnssec (resolved-dns-transaction.c:976)
==463== by 0x4378C1: dns_transaction_process_reply (resolved-dns-transaction.c:1387)
==463== by 0x437CE9: on_dns_packet (resolved-dns-transaction.c:1444)
==463== by 0x4B2DC9B: source_dispatch (sd-event.c:3512)
==463== by 0x4B2FB1F: sd_event_dispatch (sd-event.c:4077)
==463== by 0x4B2FFFA: sd_event_run (sd-event.c:4138)
==463== by 0x4B301D6: sd_event_loop (sd-event.c:4159)
==463== by 0x464A24: run (resolved.c:92)
==463== by 0x464B3C: main (resolved.c:99)
==463== Address 0x5f409d0 is 32 bytes inside a block of size 72 free'd
==463== at 0x48410E4: free (vg_replace_malloc.c:755)
==463== by 0x418EDF: mfree (alloc-util.h:48)
==463== by 0x4197E8: dns_query_candidate_free (resolved-dns-query.c:67)
==463== by 0x4198B7: dns_query_candidate_unref (resolved-dns-query.c:70)
==463== by 0x41A2E3: dns_query_unref_candidates (resolved-dns-query.c:337)
==463== by 0x41C5FE: dns_query_cname_redirect (resolved-dns-query.c:1028)
==463== by 0x41CA04: dns_query_process_cname_one (resolved-dns-query.c:1128)
==463== by 0x41CA80: dns_query_process_cname_many (resolved-dns-query.c:1157)
==463== by 0x40C0BD: bus_method_resolve_hostname_complete (resolved-bus.c:198)
==463== by 0x41B312: dns_query_complete (resolved-dns-query.c:562)
==463== by 0x41C1AC: dns_query_accept (resolved-dns-query.c:922)
==463== by 0x41C2C4: dns_query_ready (resolved-dns-query.c:955)
==463== by 0x41A162: dns_query_candidate_notify (resolved-dns-query.c:314)
==463== by 0x434BD6: dns_transaction_complete (resolved-dns-transaction.c:437)
==463== by 0x438995: dns_transaction_prepare (resolved-dns-transaction.c:1728)
==463== by 0x43921D: dns_transaction_go (resolved-dns-transaction.c:1928)
==463== by 0x419C7C: dns_query_candidate_go (resolved-dns-query.c:163)
==463== by 0x41A143: dns_query_candidate_notify (resolved-dns-query.c:304)
==463== by 0x434BD6: dns_transaction_complete (resolved-dns-transaction.c:437)
==463== by 0x436A0F: dns_transaction_process_dnssec (resolved-dns-transaction.c:976)
==463== by 0x4378C1: dns_transaction_process_reply (resolved-dns-transaction.c:1387)
==463== by 0x437CE9: on_dns_packet (resolved-dns-transaction.c:1444)
==463== by 0x4B2DC9B: source_dispatch (sd-event.c:3512)
==463== by 0x4B2FB1F: sd_event_dispatch (sd-event.c:4077)
==463== by 0x4B2FFFA: sd_event_run (sd-event.c:4138)
==463== by 0x4B301D6: sd_event_loop (sd-event.c:4159)
==463== by 0x464A24: run (resolved.c:92)
==463== by 0x464B3C: main (resolved.c:99)
==463== Block was alloc'd at
==463== at 0x483E86F: malloc (vg_replace_malloc.c:380)
==463== by 0x418F81: malloc_multiply (alloc-util.h:96)
==463== by 0x419378: dns_query_candidate_new (resolved-dns-query.c:23)
==463== by 0x41B42C: dns_query_add_candidate (resolved-dns-query.c:582)
==463== by 0x41BB7A: dns_query_go (resolved-dns-query.c:762)
==463== by 0x40CE3A: bus_method_resolve_hostname (resolved-bus.c:464)
==463== by 0x4A84B86: method_callbacks_run (bus-objects.c:414)
==463== by 0x4A87961: object_find_and_run (bus-objects.c:1323)
==463== by 0x4A87FEE: bus_process_object (bus-objects.c:1443)
==463== by 0x4AA3434: process_message (sd-bus.c:2964)
==463== by 0x4AA3623: process_running (sd-bus.c:3006)
==463== by 0x4AA4110: bus_process_internal (sd-bus.c:3226)
==463== by 0x4AA41EF: sd_bus_process (sd-bus.c:3253)
==463== by 0x4AA5343: io_callback (sd-bus.c:3604)
==463== by 0x4B2DC9B: source_dispatch (sd-event.c:3512)
==463== by 0x4B2FB1F: sd_event_dispatch (sd-event.c:4077)
==463== by 0x4B2FFFA: sd_event_run (sd-event.c:4138)
==463== by 0x4B301D6: sd_event_loop (sd-event.c:4159)
==463== by 0x464A24: run (resolved.c:92)
==463== by 0x464B3C: main (resolved.c:99)
Fixes#19376.
We obviously have lots of those, so even small savings add up.
Bitfields are dropped because they don't give any memory savings due to
alignment requirements (but would still require more complex to access).
/* size: 184, cachelines: 3, members: 28 */
/* sum members: 172, holes: 1, sum holes: 4 */
/* sum bitfield members: 4 bits (0 bytes) */
/* padding: 7 */
/* bit_padding: 4 bits */
↓
/* size: 176, cachelines: 3, members: 28 */
The structure is rearranged to have less holes. Also fields in the union
are rearranged not to have holes (though most variants of the union still
have some padding at the end).
The full size does not decrease a lot, but the compiler should be able to
copy less bytes when it knows the specific type of the union.
Bitfields are dropped because they don't give any memory savings due to
alignment requirements (but would still require more complex to access).
The change from the this and previous commit:
/* size: 128, cachelines: 2, members: 13 */
/* sum members: 112, holes: 3, sum holes: 15 */
/* sum bitfield members: 2 bits, bit holes: 1, sum bit holes: 6 bits */
↓
/* size: 112, cachelines: 2, members: 13 */
/* sum members: 108, holes: 1, sum holes: 4 */
Change from the last three commits:
/* size: 312, cachelines: 5, members: 46 */
/* sum members: 296, holes: 5, sum holes: 16 */
↓
/* size: 288, cachelines: 5, members: 46 */
/* sum members: 286, holes: 1, sum holes: 1 */
It's not a big difference, but we might have quite a few queries in flight,
so let' make this a bit more efficient.
Apparently CAN links will show up in rtnetlink with very low MTUs. We
shouldn't consider them relevant if no IP is spoken over them, since
these MTUs are irrelevant for us then.
Hence, let's check if there's an address assigned to the link before
considering its MTU.
As additional safety net filter out MTUs smaller than the minimum DNS
packet size, too.
Finally, in case we don't find any suitable interface MTU, let's default
to 1500 as the generic Ethernet MTU.
Fixes: #19396
We usually call specifier_printf() and then check the validity of
the result. In many cases, validity checkers, e.g. path_is_valid(),
refuse too long strings. This makes specifier_printf() refuse such
long results earlier.
Moreover, unit_full_string() and description field in sysuser now
refuse results longer than LONG_LINE_MAX. config_parse() already
refuses the line longer than LONG_LINE_MAX. Hence, it should be ok
to set the same value as the maximum length of the resolved string.
During an update of RRs, the records of each DNS-SD service are
replaced with new ones. However the old RRs can only be removed from
the mDNS scopes as long as they remain accessible from the DnssdService
structures, otherwise they remain stuck there.
Therefore the removal must take place before the update.
With some versions of the compiler, the _cleanup_ attr makes it think
the variable might be freed/closed when uninitialized, even though it
cannot happen. The added cost is small enough to be worth the benefit,
and optimized builds will help reduce it even further.
