Commit Graph

27394 Commits

Author SHA1 Message Date
Lennart Poettering
31887c73b9 Merge pull request #4456 from keszybz/stored-fds
Preserve stored fds over service restart
2016-11-02 16:29:04 -06:00
Lucas Werkmeister
5b9635d166 systemctl: fix incorrect "need reload" on cat (#4535)
Reported by @evverx in #4493.
2016-11-02 16:12:03 -06:00
Lennart Poettering
32e134c19f Merge pull request #4483 from poettering/exec-order
more seccomp fixes, and change of order of selinux/aa/smack and seccomp application on exec
2016-11-02 16:09:59 -06:00
Zbigniew Jędrzejewski-Szmek
b09246352f pid1: fix fd memleak when we hit FileDescriptorStoreMax limit
Since service_add_fd_store() already does the check, remove the redundant check
from service_add_fd_store_set().

Also, print a warning when repopulating FDStore after daemon-reexec and we hit
the limit. This is a user visible issue, so we should not discard fds silently.
(Note that service_deserialize_item is impacted by the return value from
service_add_fd_store(), but we rely on the general error message, so the caller
does not need to be modified, and does not show up in the diff.)
2016-11-02 15:07:17 -04:00
Djalal Harouni
bbeea27117 core: initialize groups list before checking SupplementaryGroups= of a unit (#4533)
Always initialize the supplementary groups of caller before checking the
unit SupplementaryGroups= option.

Fixes https://github.com/systemd/systemd/issues/4531
2016-11-02 10:51:35 -06:00
Lennart Poettering
999a6c5d9c tests: make sure tests pass when invoked in "sudo"
This is a follow-up for 6309e51ea3 and makes sure
we compare test results with the right user identifier.
2016-11-02 08:55:24 -06:00
Lennart Poettering
2ca8dc15f9 man: document that too strict system call filters may affect the service manager
If execve() or socket() is filtered the service manager might get into trouble
executing the service binary, or handling any failures when this fails. Mention
this in the documentation.

The other option would be to implicitly whitelist all system calls that are
required for these codepaths. However, that appears less than desirable as this
would mean socket() and many related calls have to be whitelisted
unconditionally. As writing system call filters requires a certain level of
expertise anyway it sounds like the better option to simply document these
issues and suggest that the user disables system call filters in the service
temporarily in order to debug any such failures.

See: #3993.
2016-11-02 08:55:24 -06:00
Lennart Poettering
5cd9cd3537 execute: apply seccomp filters after changing selinux/aa/smack contexts
Seccomp is generally an unprivileged operation, changing security contexts is
most likely associated with some form of policy. Moreover, while seccomp may
influence our own flow of code quite a bit (much more than the security context
change) make sure to apply the seccomp filters immediately before executing the
binary to invoke.

This also moves enforcement of NNP after the security context change, so that
NNP cannot affect it anymore. (However, the security policy now has to permit
the NNP change).

This change has a good chance of breaking current SELinux/AA/SMACK setups, because
the policy might not expect this change of behaviour. However, it's technically
the better choice I think and should hence be applied.

Fixes: #3993
2016-11-02 08:55:00 -06:00
Lennart Poettering
133ddbbeae seccomp: add two new syscall groups
@resources contains various syscalls that alter resource limits and memory and
scheduling parameters of processes. As such they are good candidates to block
for most services.

@basic-io contains a number of basic syscalls for I/O, similar to the list
seccomp v1 permitted but slightly more complete. It should be useful for
building basic whitelisting for minimal sandboxes
2016-11-02 08:50:00 -06:00
Lennart Poettering
aa6b9cec88 man: two minor fixes 2016-11-02 08:50:00 -06:00
Lennart Poettering
cd5bfd7e60 seccomp: include pipes and memfd in @ipc
These system calls clearly fall in the @ipc category, hence should be listed
there, simply to avoid confusion and surprise by the user.
2016-11-02 08:50:00 -06:00
Lennart Poettering
a8c157ff30 seccomp: drop execve() from @process list
The system call is already part in @default hence implicitly allowed anyway.
Also, if it is actually blocked then systemd couldn't execute the service in
question anymore, since the application of seccomp is immediately followed by
it.
2016-11-02 08:49:59 -06:00
Lennart Poettering
c79aff9a82 seccomp: add clock query and sleeping syscalls to "@default" group
Timing and sleep are so basic operations, it makes very little sense to ever
block them, hence don't.
2016-11-02 08:49:59 -06:00
Lennart Poettering
67234d218b update TODO 2016-11-02 08:49:59 -06:00
Jiří Pírko
4887b656c2 udev: net_id: add support for phys_port_name attribute (#4506)
Switch drivers uses phys_port_name attribute to pass front panel port
name to user. Use it to generate netdev names.

Signed-off-by: Jiri Pirko <jiri@mellanox.com>
2016-11-01 20:46:01 -06:00
Evgeny Vereshchagin
bff653e397 tests: add test that journald keeps fds over termination by signal
This test fails before previous commit, and passes with it.
2016-11-01 21:20:26 -04:00
Zbigniew Jędrzejewski-Szmek
f0bfbfac43 core: when restarting services, don't close fds
We would close all the stored fds in service_release_resources(), which of
course broke the whole concept of storing fds over service restart.

Fixes #4408.
2016-11-01 21:20:21 -04:00
Zbigniew Jędrzejewski-Szmek
aa34055ffb seccomp: allow specifying arm64, mips, ppc (#4491)
"Secondary arch" table for mips is entirely speculative…
2016-11-01 09:33:18 -06:00
Brian J. Murrell
67ae43665e Recognise Lustre as a remote file system (#4530)
Lustre is also a remote file system that wants the network to be up before it is mounted.
2016-11-01 04:48:00 +01:00
Jakub Wilk
b17649ee5e man: fix typos (#4527) 2016-10-31 08:08:08 -04:00
George Hilliard
52028838a1 Implement VeraCrypt volume handling in crypttab (#4501)
This introduces a new option, `tcrypt-veracrypt`, that sets the
corresponding VeraCrypt flag in the flags passed to cryptsetup.
2016-10-30 10:25:31 -04:00
Zbigniew Jędrzejewski-Szmek
0470289b6e tests: clarify test_path_startswith return value (#4508)
A pendant for #4481.
2016-10-30 10:21:29 -04:00
Zbigniew Jędrzejewski-Szmek
87b6ba21b5 Merge pull request #4520 from lucaswerkmeister/systemd-escape-man
systemd-escape manpage improvements
2016-10-29 21:11:05 -04:00
Lucas Werkmeister
8bb36a1122 man: make systemd-escape examples more consistent
The first example wasn't phrased with "To ..." as the other three are,
and the last example was lacking the colon.
2016-10-30 02:44:07 +02:00
Lucas Werkmeister
918737f365 man: add missing period 2016-10-30 02:43:17 +02:00
Lucas Werkmeister
c7a7f78bb0 man: improve systemd-escape --path description
The option does more than the documentation gave it credit for.
2016-10-30 02:42:22 +02:00
Zbigniew Jędrzejewski-Szmek
99bdcdc7fc man: add a note that FDSTORE=1 requires epoll-compatible fds
Let's say that this was not obvious from our man page.
2016-10-28 22:45:05 -04:00
Zbigniew Jędrzejewski-Szmek
16f70d6362 pid1: nicely log when doing operation on stored fds
Should help with debugging #4408.
2016-10-28 22:45:05 -04:00
Zbigniew Jędrzejewski-Szmek
9021ff17e2 pid1: only log about added fd if it was really added
If it was a duplicate, log nothing.
2016-10-28 22:45:05 -04:00
Daniel Mack
e50e60b474 .gitignore: ignore precompiled GCC headers (#4516)
Not sure since when this is the default behavior, but my local tree is full
of such files. Let's ignore them for clarity.
2016-10-28 13:03:01 -04:00
Djalal Harouni
fa1f250d6f Merge pull request #4495 from topimiettinen/block-shmat-exec
seccomp: also block shmat(..., SHM_EXEC) for MemoryDenyWriteExecute
2016-10-28 15:41:07 +02:00
Martin Pitt
1740c5a807 Merge pull request #4458 from keszybz/man-nonewprivileges
Document NoNewPrivileges default value
2016-10-28 15:35:29 +02:00
Michal Sekletar
4f985bd802 udev: allow substitutions for SECLABEL key (#4505) 2016-10-28 12:09:14 +02:00
Lucas Werkmeister
e100155dcc systemctl: warn when cat shows changed unit files (#4493)
Suggested by @keszybz in #4488.
2016-10-27 09:28:10 -04:00
Zbigniew Jędrzejewski-Szmek
ed06fa6203 Merge pull request #4485 from endocode/djalal/portable-branch-v1
core: improve mount namespace and working directory setup
2016-10-27 09:17:14 -04:00
Evgeny Vereshchagin
492466c1b5 Merge pull request #4442 from keszybz/detect-virt-userns
detect-virt: add --private-users switch to check if a userns is active; add Condition=private-users
2016-10-27 13:16:16 +03:00
Djalal Harouni
59e856c7d3 core: make unit argument const for apply seccomp functions 2016-10-27 09:40:22 +02:00
Djalal Harouni
50b3dfb9d6 core: lets apply working directory just after mount namespaces
This makes applying groups after applying the working directory, this
may allow some flexibility but at same it is not a big deal since we
don't execute or do anything between applying working directory and
droping groups.
2016-10-27 09:40:21 +02:00
Djalal Harouni
2b3c1b9e9d core: get the working directory value inside apply_working_directory()
Improve apply_working_directory() and lets get the current working directory
inside of it.
2016-10-27 09:40:21 +02:00
Djalal Harouni
e7f1e7c6e2 core: move apply working directory code into its own apply_working_directory() 2016-10-27 09:40:21 +02:00
Djalal Harouni
93c6bb51b6 core: move the code that setups namespaces on its own function 2016-10-27 09:40:21 +02:00
Thomas H. P. Andersen
342d3ac165 hwdb: fix error check of wrong variable (#4499)
We updated 'fn' but checked 'v' instead.

From 698c5a17

Spotted with PVS
2016-10-26 21:22:26 -04:00
Zbigniew Jędrzejewski-Szmek
a5eebcff37 Merge pull request #4448 from msoltyspl/vcfix
Fix some formatting details in the merge.
2016-10-26 20:55:18 -04:00
Zbigniew Jędrzejewski-Szmek
4bb30aeaf8 units: disable /dev/hugepages in private user namespaces
The mount fails, even though CAP_SYS_ADMIN is granted.
2016-10-26 20:12:52 -04:00
Zbigniew Jędrzejewski-Szmek
0809d7740c condition: simplify condition_test_virtualization
Rewrite the function to be slightly simpler. In particular, if a specific
match is found (like ConditionVirtualization=yes), simply return an answer
immediately, instead of relying that "yes" will not be matched by any of
the virtualization names below.

No functional change.
2016-10-26 20:12:52 -04:00
Zbigniew Jędrzejewski-Szmek
d09f968657 test-tables: test ConditionVirtualization 2016-10-26 20:12:52 -04:00
Zbigniew Jędrzejewski-Szmek
239a5707e1 shared/condition: add ConditionVirtualization=[!]private-users
This can be useful to silence warnings about units which fail in userns
container.
2016-10-26 20:12:52 -04:00
Zbigniew Jędrzejewski-Szmek
299a34c11a detect-virt: add --private-users switch to check if a userns is active
Various things don't work when we're running in a user namespace, but it's
pretty hard to reliably detect if that is true.

A function is added which looks at /proc/self/uid_map and returns false
if the default "0 0 UINT32_MAX" is found, and true if it finds anything else.
This misses the case where an 1:1 mapping with the full range was used, but
I don't know how to distinguish this case.

'systemd-detect-virt --private-users' is very similar to
'systemd-detect-virt --chroot', but we check for a user namespace instead.
2016-10-26 20:12:51 -04:00
Thomas H. P. Andersen
6328c51a5d gitignore: add test-seccomp (#4498) 2016-10-26 19:40:25 -04:00
Susant Sahani
5325382440 networkd : verify dns ip address when parsing configuration (#4492)
Invalid IP addresses would be passed through as-is:
$ networkctl status wlp3s0:
● 2: wlp3s0
       Link File: /usr/lib/systemd/network/99-default.link
    Network File: /etc/systemd/network/wlp3s0.network
            Type: wlan
           State: routable (configured)
            Path: pci-0000:03:00.0
          Driver: iwlwifi
          Vendor: Intel Corporation
           Model: Centrino Advanced-N 6205 [Taylor Peak] (Centrino Advanced-N 6205 AGN)
      HW Address: XXXXXXXXXX (Intel Corporate)
         Address: 192.168.2.103
                  XXXXXXXXXXX
         Gateway: 192.168.2.1 (Arcadyan Technology Corporation)
             DNS: 127.0.0.5553

Instead verify that DNS= has a valid list of addresses when parsing configuration.

Fixes #4462.
2016-10-26 19:31:04 -04:00