The manpage of seccomp specify that using seccomp with
SECCOMP_SET_MODE_FILTER will return EACCES if the caller do not have
CAP_SYS_ADMIN set, or if the no_new_privileges bit is not set. Hence,
without NoNewPrivilege set, it is impossible to use a SystemCall*
directive with a User directive set in system mode.
Now, NoNewPrivileges is set if we are in user mode, or if we are in
system mode and we don't have CAP_SYS_ADMIN, and SystemCall*
directives are used.
Many subsystems define own pager_open_if_enabled() function which
checks '--no-pager' command line argument and open pager depends
on its value. All implementations of pager_open_if_enabled() are
the same. Let's merger this function with pager_open() from the
shared/pager.c and remove pager_open_if_enabled() from all subsytems
to prevent code duplication.
RFC 2131 Section 4.1 says that
"If the ’giaddr’ field in a DHCP message from a client is non-zero,
the server sends any return messages to the ’DHCP server’ port on the
BOOTP relay agent whose address appears in ’giaddr’."
Fix this by adding a destination port when sending unicast UDP packets
and provide the server port when a BOOTP relay agent is being used.
When running in XEN Dom0 the virtualization check:
1) detect_xen returns HYPERVISOR_NONE so next checks are executed
2) /proc/sys/hypervisor detects a XEN hypervisor
it is lacking the special Dom0 detection as in detect_xen
With this patch, at the end of all virtualization checks we double-check if running in XEN Dom0 or DomU.
So far we recommended placing "nss-mymachines" after "nss-resolve" in the order
of preference in /etc/nsswitch.conf. This change reverse this order.
Rationale: single-label names are resolved via LLMNR by resolved, which has to
time out if no peer by that name exists. By placing "nss-mymachines" first
(which always responds immediately) we avoid running into this timeout for most
containers. Both modules should return the same data if LLMNR is used by the
container anyway.
While we are at it, improve the man pages of the three NSS modules in other
ways a bit.
This commit rips out systemd-bootchart. It will be given a new home, outside
of the systemd repository. The code itself isn't actually specific to
systemd and can be used without systemd even, so let's put it somewhere
else.
Throughout the tree there's spurious use of spaces separating ++ and --
operators from their respective operands. Make ++ and -- operator
consistent with the majority of existing uses; discard the spaces.
Enabling router advertisement may even trigger SLAAC or DHCPv6 to be used to configure
IPv6 addresses on the link. It may not be obvious that only in the SLAAC case will the
Token have an effect. Clarify this in the man page.
Addresses issue #863.
