Commit Graph

173 Commits

Author SHA1 Message Date
Lennart Poettering
f4170c671b execute: add a new easy-to-use RestrictRealtime= option to units
It takes a boolean value. If true, access to SCHED_RR, SCHED_FIFO and
SCHED_DEADLINE is blocked, which my be used to lock up the system.
2016-06-23 01:45:45 +02:00
Lennart Poettering
7bce046bcf core: set $JOURNAL_STREAM to the dev_t/ino_t of the journal stream of executed services
This permits services to detect whether their stdout/stderr is connected to the
journal, and if so talk to the journal directly, thus permitting carrying of
metadata.

As requested by the gtk folks: #2473
2016-06-15 23:00:27 +02:00
Lennart Poettering
1f9ac68b5b core: improve seccomp syscall grouping a bit
This adds three new seccomp syscall groups: @keyring for kernel keyring access,
@cpu-emulation for CPU emulation features, for exampe vm86() for dosemu and
suchlike, and @debug for ptrace() and related calls.

Also, the @clock group is updated with more syscalls that alter the system
clock. capset() is added to @privileged, and pciconfig_iobase() is added to
@raw-io.

Finally, @obsolete is a cleaned up. A number of syscalls that never existed on
Linux and have no number assigned on any architecture are removed, as they only
exist in the man pages and other operating sytems, but not in code at all.
create_module() is moved from @module to @obsolete, as it is an obsolete system
call. mem_getpolicy() is removed from the @obsolete list, as it is not
obsolete, but simply a NUMA API.
2016-06-13 16:25:54 +02:00
Alessandro Puccetti
cf677fe686 core/execute: add the magic character '!' to allow privileged execution (#3493)
This patch implements the new magic character '!'. By putting '!' in front
of a command, systemd executes it with full privileges ignoring paramters
such as User, Group, SupplementaryGroups, CapabilityBoundingSet,
AmbientCapabilities, SecureBits, SystemCallFilter, SELinuxContext,
AppArmorProfile, SmackProcessLabel, and RestrictAddressFamilies.

Fixes partially https://github.com/systemd/systemd/issues/3414
Related to https://github.com/coreos/rkt/issues/2482

Testing:
1. Create a user 'bob'
2. Create the unit file /etc/systemd/system/exec-perm.service
   (You can use the example below)
3. sudo systemctl start ext-perm.service
4. Verify that the commands starting with '!' were not executed as bob,
   4.1 Looking to the output of ls -l /tmp/exec-perm
   4.2 Each file contains the result of the id command.

`````````````````````````````````````````````````````````````````
[Unit]
Description=ext-perm

[Service]
Type=oneshot
TimeoutStartSec=0
User=bob
ExecStartPre=!/usr/bin/sh -c "/usr/bin/rm /tmp/exec-perm*" ;
    /usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start-pre"
ExecStart=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start" ;
    !/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-star-2"
ExecStartPost=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-start-post"
ExecReload=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-reload"
ExecStop=!/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-stop"
ExecStopPost=/usr/bin/sh -c "/usr/bin/id > /tmp/exec-perm-stop-post"

[Install]
WantedBy=multi-user.target]
`````````````````````````````````````````````````````````````````
2016-06-10 18:19:54 +02:00
Topi Miettinen
f3e4363593 core: Restrict mmap and mprotect with PAGE_WRITE|PAGE_EXEC (#3319) (#3379)
New exec boolean MemoryDenyWriteExecute, when set, installs
a seccomp filter to reject mmap(2) with PAGE_WRITE|PAGE_EXEC
and mprotect(2) with PAGE_EXEC.
2016-06-03 17:58:18 +02:00
Topi Miettinen
201c1cc22a core: add pre-defined syscall groups to SystemCallFilter= (#3053) (#3157)
Implement sets of system calls to help constructing system call
filters. A set starts with '@' to distinguish from a system call.

Closes: #3053, #3157
2016-06-01 11:56:01 +02:00
Alessandro Puccetti
043cc71512 doc: clarify systemd.exec's paths definition (#3368)
Definitions of ReadWriteDirectories=, ReadOnlyDirectories=, InaccessibleDirectories=,
WorkingDirectory=, and RootDirecory= were not clear. This patch specifies when
they are relative to the host's root directory and when they are relative to the service's
root directory.

Fixes #3248
2016-05-30 16:37:07 +02:00
Luca Bruno
008dce3875
man: fix recurring typo 2016-05-30 13:43:53 +02:00
topimiettinen
737ba3c82c namespace: Make private /dev noexec and readonly (#3263)
Private /dev will not be managed by udev or others, so we can make it
noexec and readonly after we have made all device nodes. As /dev/shm
needs to be writable, we can't use bind_remount_recursive().
2016-05-15 22:34:05 -04:00
Lennart Poettering
2985700185 core: make parsing of RLIMIT_NICE aware of actual nice levels 2016-04-29 16:27:49 +02:00
Lennart Poettering
dfe85b38d2 man: minor wording fixes
As suggested in:

https://github.com/systemd/systemd/pull/3124#discussion_r61068789
2016-04-29 12:23:34 +02:00
Lennart Poettering
28c75e2501 man: elaborate on the automatic systemd-journald.socket service dependencies
Fixes: #1603
2016-04-26 12:00:49 +02:00
Nicolas Braud-Santoni
b50a16af8e man: systemd.exec: Clarify InaccessibleDirectories (#3048) (#3048) 2016-04-17 14:22:17 +02:00
Ronny Chevalier
19c0b0b9a5 core: set NoNewPrivileges for seccomp if we don't have CAP_SYS_ADMIN
The manpage of seccomp specify that using seccomp with
SECCOMP_SET_MODE_FILTER will return EACCES if the caller do not have
CAP_SYS_ADMIN set, or if the no_new_privileges bit is not set. Hence,
without NoNewPrivilege set, it is impossible to use a SystemCall*
directive with a User directive set in system mode.

Now, NoNewPrivileges is set if we are in user mode, or if we are in
system mode and we don't have CAP_SYS_ADMIN, and SystemCall*
directives are used.
2016-02-28 14:44:26 +01:00
Lennart Poettering
7882632d5a man: extend the Personality= documentation
Among other fixes, add information about more architectures that are supported
these days.
2016-02-22 23:23:06 +01:00
Lennart Poettering
479050b363 core: drop Capabilities= setting
The setting is hardly useful (since its effect is generally reduced to zero due
to file system caps), and with the advent of ambient caps an actually useful
replacement exists, hence let's get rid of this.

I am pretty sure this was unused and our man page already recommended against
its use, hence this should be a safe thing to remove.
2016-02-13 11:59:34 +01:00
Ismo Puustinen
ece87975a9 man: add AmbientCapabilities entry. 2016-01-12 12:14:50 +02:00
Karel Zak
91518d20dd core: support <soft:hard> ranges for RLIMIT options
The new parser supports:

 <value>       - specify both limits to the same value
 <soft:hard>   - specify both limits

the size or time specific suffixes are supported, for example

  LimitRTTIME=1sec
  LimitAS=4G:16G

The patch introduces parse_rlimit_range() and rlim type (size, sec,
usec, etc.) specific parsers. No code is duplicated now.

The patch also sync docs for DefaultLimitXXX= and LimitXXX=.

References: https://github.com/systemd/systemd/issues/1769
2015-11-25 12:03:32 +01:00
Evgeny Vereshchagin
5c019cf260 man: systemd.exec: add missing variables 2015-11-19 13:37:16 +00:00
Tom Gundersen
fb5c8184a9 Merge pull request #1854 from poettering/unit-deps
Dependency engine improvements
2015-11-11 23:14:12 +01:00
Lennart Poettering
c129bd5df3 man: document automatic dependencies
For all units ensure there's an "Automatic Dependencies" section in the
man page, and explain which dependencies are automatically added in all
cases, and which ones are added on top if DefaultDependencies=yes is
set.

This is also done for systemd.exec(5), systemd.resource-control(5) and
systemd.unit(5) as these pages describe common behaviour of various unit
types.
2015-11-11 20:47:07 +01:00
Filipe Brandenburger
b4c14404b3 execute: Add new PassEnvironment= directive
This directive allows passing environment variables from the system
manager to spawned services. Variables in the system manager can be set
inside a container by passing `--set-env=...` options to systemd-spawn.

Tested with an on-disk test.service unit. Tested using multiple variable
names on a single line, with an empty setting to clear the current list
of variables, with non-existing variables.

Tested using `systemd-run -p PassEnvironment=VARNAME` to confirm it
works with transient units.

Confirmed that `systemctl show` will display the PassEnvironment
settings.

Checked that man pages are generated correctly.

No regressions in `make check`.
2015-11-11 07:55:23 -08:00
Lennart Poettering
a4c1800284 core: accept time units for time-based resource limits
Let's make sure "LimitCPU=30min" can be parsed properly, following the
usual logic how we parse time values. Similar for LimitRTTIME=.

While we are at it, extend a bit on the man page section about resource
limits.

Fixes: #1772
2015-11-10 17:36:46 +01:00
Lennart Poettering
6c9e781eba Merge pull request #1799 from jengelh/doc
doc: typo and ortho fixes
2015-11-09 18:16:21 +01:00
Jan Engelhardt
a8eaaee72a doc: correct orthography, word forms and missing/extraneous words 2015-11-06 13:45:21 +01:00
Jan Engelhardt
b938cb902c doc: correct punctuation and improve typography in documentation 2015-11-06 13:00:02 +01:00
Karel Zak
412ea7a936 core: support IEC suffixes for RLIMIT stuff
Let's make things more user-friendly and support for example

  LimitAS=16G

rather than force users to always use LimitAS=16106127360.

The change is relevant for options:

  [Default]Limit{FSIZE,DATA,STACK,CORE,RSS,AS,MEMLOCK,MSGQUEUE}

The patch introduces config_parse_bytes_limit(), it's the same as
config_parse_limit() but uses parse_size() tu support the suffixes.

Addresses: https://github.com/systemd/systemd/issues/1772
2015-11-06 11:06:52 +01:00
Thomas Hindoe Paaboel Andersen
f2c624cb8b man: various typos 2015-11-02 23:18:20 +01:00
Filipe Brandenburger
71b1c27a40 man: Update man page documentation for CPUAffinity
Document support for commas as a separator and possibility of specifying
ranges of CPU indices.

Tested by regenerating the manpages locally and reading them on man.
2015-10-27 17:56:26 -07:00
Lennart Poettering
5f5d8eab1f core: allow setting WorkingDirectory= to the special value ~
If set to ~ the working directory is set to the home directory of the
user configured in User=.

This change also exposes the existing switch for the working directory
that allowed making missing working directories non-fatal.

This also changes "machinectl shell" to make use of this to ensure that
the invoked shell is by default in the user's home directory.

Fixes #1268.
2015-09-29 21:55:51 +02:00
Lennart Poettering
6cd16034fc man: add hyphen to improve man text 2015-08-25 18:37:53 +02:00
Lennart Poettering
023a4f6701 core: optionally create LOGIN_PROCESS or USER_PROCESS utmp entries
When generating utmp/wtmp entries, optionally add both LOGIN_PROCESS and
INIT_PROCESS entries or even all three of LOGIN_PROCESS, INIT_PROCESS
and USER_PROCESS entries, instead of just a single INIT_PROCESS entry.

With this change systemd may be used to not only invoke a getty directly
in a SysV-compliant way but alternatively also a login(1) implementation
or even forego getty and login entirely, and invoke arbitrary shells in
a way that they appear in who(1) or w(1).

This is preparation for a later commit that adds a "machinectl shell"
operation to invoke a shell in a container, in a way that is compatible
with who(1) and w(1).
2015-08-24 22:46:45 +02:00
Richard Maw
8f0d2981ca man: Document invalid lines in EnvironmentFile
If a line doesn't contain an = separator, it is skipped, rather than
raising an error.

This is potentially useful, so let's document this behaviour.
2015-08-04 09:58:50 +00:00
Christian Hesse
5833143708 man: ProtectHome= protects /root as well 2015-06-30 19:12:20 +02:00
Tom Gundersen
12b42c7667 man: revert dynamic paths for split-usr setups
This did not really work out as we had hoped. Trying to do this upstream
introduced several problems that probably makes it better suited as a
downstream patch after all. At any rate, it is not releaseable in the
current state, so we at least need to revert this before the release.

 * by adjusting the path to binaries, but not do the same thing to the
   search path we end up with inconsistent man-pages. Adjusting the search
   path too would be quite messy, and it is not at all obvious that this is
   worth the effort, but at any rate it would have to be done before we
   could ship this.

 * this means that distributed man-pages does not make sense as they depend
   on config options, and for better or worse we are still distributing
   man pages, so that is something that definitely needs sorting out before
   we could ship with this patch.

 * we have long held that split-usr is only minimally supported in order
   to boot, and something we hope will eventually go away. So before we start
   adding even more magic/effort in order to make this work nicely, we should
   probably question if it makes sense at all.
2015-06-18 19:47:44 +02:00
Filipe Brandenburger
681eb9cf2b man: generate configured paths in manpages
In particular, use /lib/systemd instead of /usr/lib/systemd in distributions
like Debian which still have not adopted a /usr merge setup.

Use XML entities from man/custom-entities.ent to replace configured paths while
doing XSLT processing of the original XML files. There was precedent of some
files (such as systemd.generator.xml) which were already using this approach.

This addresses most of the (manual) fixes from this patch:
http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/debian/patches/Fix-paths-in-man-pages.patch?h=experimental-220

The idea of using generic XML entities was presented here:
http://lists.freedesktop.org/archives/systemd-devel/2015-May/032240.html

This patch solves almost all the issues, with the exception of:
- Path to /bin/mount and /bin/umount.
- Generic statements about preference of /lib over /etc.

These will be handled separately by follow up patches.

Tested:
- With default configure settings, ran "make install" to two separate
  directories and compared the output to confirm they matched exactly.
- Used a set of configure flags including $CONFFLAGS from Debian:
  http://anonscm.debian.org/cgit/pkg-systemd/systemd.git/tree/debian/rules
  Installed the tree and confirmed the paths use /lib/systemd instead of
  /usr/lib/systemd and that no other unexpected differences exist.
- Confirmed that `make distcheck` still passes.
2015-05-28 19:28:19 +02:00
Zbigniew Jędrzejewski-Szmek
b5c7d097ec man: link to freebsd.org for inetd(8) 2015-03-13 23:42:18 -04:00
Zbigniew Jędrzejewski-Szmek
3ba3a79df4 man: fix a bunch of links
All hail linkchecker!
2015-03-13 23:42:18 -04:00
David Herrmann
f407824d75 man: split paragraph
Explicitly put the "multiple EnvironmentFile=" description into its own
paragraph to make it much easier to find.
2015-03-12 12:48:22 +01:00
Zbigniew Jędrzejewski-Szmek
b975b0d514 man: boilerplate unification 2015-02-10 23:24:27 -05:00
Zbigniew Jędrzejewski-Szmek
798d3a524e Reindent man pages to 2ch 2015-02-03 23:11:35 -05:00
Lennart Poettering
c51cbfdcc7 man: document that ProtectSystem= also covers /boot 2015-01-27 02:19:33 +01:00
Ronny Chevalier
6067b34a1f man: document that we set both soft and hard limits for Limit directives
See
http://cgit.freedesktop.org/systemd/systemd/tree/src/core/load-fragment.c#n1100
2014-11-30 20:45:01 +01:00
Ronny Chevalier
536256fc91 man: fix typos 2014-11-30 20:20:59 +01:00
Ronny Chevalier
b8825fff7b man: document equivalence between Limit directives and ulimit
See https://bugs.freedesktop.org/show_bug.cgi?id=80341
2014-11-30 20:17:00 +01:00
WaLyong Cho
2ca620c4ed smack: introduce new SmackProcessLabel option
In service file, if the file has some of special SMACK label in
ExecStart= and systemd has no permission for the special SMACK label
then permission error will occurred. To resolve this, systemd should
be able to set its SMACK label to something accessible of ExecStart=.
So introduce new SmackProcessLabel. If label is specified with
SmackProcessLabel= then the child systemd will set its label to
that. To successfully execute the ExecStart=, accessible label should
be specified with SmackProcessLabel=.
Additionally, by SMACK policy, if the file in ExecStart= has no
SMACK64EXEC then the executed process will have given label by
SmackProcessLabel=. But if the file has SMACK64EXEC then the
SMACK64EXEC label will be overridden.

[zj: reword man page]
2014-11-24 10:20:53 -05:00
Lennart Poettering
2134b5ef6b man: SyslogIdentifier= has an effect on journal logging too 2014-10-09 11:37:01 +02:00
Zbigniew Jędrzejewski-Szmek
e060073a8f man: say that SecureBits= are space separated 2014-10-03 21:06:52 -04:00
Michael Biebl
67826132ad man: fix references to systemctl man page which is now in section 1
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760613
2014-09-06 13:45:18 +02:00
Ruben Kerkhof
06b643e7f5 Fix a few more typos 2014-08-30 13:46:07 -04:00