Commit Graph

292 Commits

Author SHA1 Message Date
Lennart Poettering
5aaeeffb5f man: document that PAMName= and NotifyAccess=all don't mix well.
See: #6045
2017-10-02 12:58:42 +02:00
Zbigniew Jędrzejewski-Szmek
3d7d3cbbda Merge pull request #6832 from poettering/keyring-mode
Add KeyringMode unit property to fix cryptsetup key caching
2017-09-15 21:24:48 +02:00
Lennart Poettering
b1edf4456e core: add new per-unit setting KeyringMode= for controlling kernel keyring setup
Usually, it's a good thing that we isolate the kernel session keyring
for the various services and disconnect them from the user keyring.
However, in case of the cryptsetup key caching we actually want that
multiple instances of the cryptsetup service can share the keys in the
root user's user keyring, hence we need to be able to disable this logic
for them.

This adds KeyringMode=inherit|private|shared:

    inherit: don't do any keyring magic (this is the default in systemd --user)
    private: a private keyring as before (default in systemd --system)
    shared: the new setting
2017-09-15 16:53:35 +02:00
Jan Synacek
91a8f867b6 doc: document service exit codes
(Heavily reworked by Lennart while rebasing)

Fixes: #3545
Replaces: #5159
2017-09-15 16:44:06 +02:00
Lennart Poettering
ab2116b140 core: make sure that $JOURNAL_STREAM prefers stderr over stdout information (#6824)
If two separate log streams are connected to stdout and stderr, let's
make sure $JOURNAL_STREAM points to the latter, as that's the preferred
log destination, and the environment variable has been created in order
to permit services to automatically upgrade from stderr based logging to
native journal logging.

Also, document this behaviour.

Fixes: #6800
2017-09-15 08:26:38 +02:00
Lennart Poettering
21f0669163 Merge pull request #6801 from johnlinp/master
man: explicitly distinguish "implicit dependencies" and "default dependencies"
2017-09-14 21:41:13 +02:00
Zbigniew Jędrzejewski-Szmek
8b5c528ce8 Merge pull request #6818 from poettering/nspawn-whitelist
convert nspawn syscall blacklist into a whitelist (and related stuff)
2017-09-14 19:47:59 +02:00
Lennart Poettering
cd0ddf6f75 seccomp: add four new syscall groups
These groups should be useful shortcuts for sets of closely related
syscalls where it usually makes more sense to allow them altogether or
not at all.
2017-09-14 15:45:21 +02:00
Lennart Poettering
00819cc151 core: add new UnsetEnvironment= setting for unit files
With this setting we can explicitly unset specific variables for
processes of a unit, as last step of assembling the environment block
for them. This is useful to fix #6407.

While we are at it, greatly expand the documentation on how the
environment block for forked off processes is assembled.
2017-09-14 15:17:40 +02:00
Zbigniew Jędrzejewski-Szmek
e124ccdf5b man: rework grammatical form of sentences in a table in systemd.exec(5)
"Currently, the following values are defined: xxx: in case <condition>" is
awkward because "xxx" is always defined unconditionally. It is _used_ in case
<condition> is true. Correct this and a bunch of other places where the
sentence structure makes it unclear what is the subject of the sentence.
2017-09-13 23:06:20 +02:00
John Lin
45f09f939b man: explicitly distinguish "implicit dependencies" and "default dependencies"
Fixes: #6793
2017-09-13 11:39:09 +08:00
Lennart Poettering
38a7c3c0bd man: complete and rework $SERVICE_RESULT documentation
This reworks the paragraph describing $SERVICE_RESULT into a table, and
adds two missing entries: "success" and "start-limit-hit".

These two entries are then also added to the table explaining the
$EXIT_CODE + $EXIT_STATUS variables.

Fixes: #6597
2017-09-12 18:04:26 +02:00
Yu Watanabe
de7070b49a man: add examples for CapabilityBoundingSet=
Follow-up for c792ec2e35.
2017-09-04 16:20:55 +09:00
Yu Watanabe
e8d85bc062 man: LockPersonality= takes a boolean argument (#6718)
Follow-up for 78e864e5b3.
2017-09-01 09:38:41 +02:00
Yu Watanabe
ada5e27657 core: StateDirectory= and friends imply RequiresMountsFor= 2017-08-31 18:19:35 +09:00
Topi Miettinen
78e864e5b3 seccomp: LockPersonality boolean (#6193)
Add LockPersonality boolean to allow locking down personality(2)
system call so that the execution domain can't be changed.
This may be useful to improve security because odd emulations
may be poorly tested and source of vulnerabilities, while
system services shouldn't need any weird personalities.
2017-08-29 15:54:50 +02:00
Diogo Pereira
c29ebc1a10 Fix typo in man/systemd.exec.xml (#6683) 2017-08-28 18:38:29 +02:00
Lennart Poettering
6eaaeee93a seccomp: add new @setuid seccomp group
This new group lists all UID/GID credential changing syscalls (which are
quite a number these days). This will become particularly useful in a
later commit, which uses this group to optionally permit user credential
changing to daemons in case ambient capabilities are not available.
2017-08-10 15:02:50 +02:00
Yu Watanabe
2d35b79cdc man: DynamicUser= does not imply PrivateDevices= (#6510)
Follow-up for effbd6d2ea.
2017-08-07 11:02:47 +02:00
Yu Watanabe
3536f49e8f core: add {State,Cache,Log,Configuration}Directory= (#6384)
This introduces {State,Cache,Log,Configuration}Directory= those are
similar to RuntimeDirectory=. They create the directories under
/var/lib, /var/cache/, /var/log, or /etc, respectively, with the mode
specified in {State,Cache,Log,Configuration}DirectoryMode=.

This also fixes #6391.
2017-07-18 14:34:52 +02:00
Lennart Poettering
7398320f9a Merge pull request #6328 from yuwata/runtime-preserve
core: Allow preserving contents of RuntimeDirectory over process restart
2017-07-17 10:02:19 +02:00
Yu Watanabe
23a7448efa core: support subdirectories in RuntimeDirectory= option 2017-07-17 16:30:53 +09:00
Yu Watanabe
53f47dfc7b core: allow preserving contents of RuntimeDirectory= over process restart
This introduces RuntimeDirectoryPreserve= option which takes a boolean
argument or 'restart'.

Closes #6087.
2017-07-17 16:22:25 +09:00
Lucas Werkmeister
ceabfb889d Fix spelling (#6378) 2017-07-15 12:29:09 -04:00
Lennart Poettering
6297d07b82 Merge pull request #6300 from keszybz/refuse-to-load-some-units
Refuse to load some units
2017-07-12 09:28:20 +02:00
Zbigniew Jędrzejewski-Szmek
b023856884 man: add warnings that Private*= settings are not always applied 2017-07-11 13:38:13 -04:00
Lennart Poettering
565dab8ef4 man: briefly document permitted user/group name syntax for User=/Group= and syusers.d (#6321)
As discussed here:

https://lists.freedesktop.org/archives/systemd-devel/2017-July/039237.html
2017-07-10 13:44:06 -04:00
Zbigniew Jędrzejewski-Szmek
189cd8c2ab man: describe RuntimeDirectoryMode=
Fixes #5509.
2017-06-17 15:23:02 -04:00
Zbigniew Jędrzejewski-Szmek
03c3c52040 man: update MemoryDenyWriteExecute description for executable stacks
Without going into details, mention that libraries are also covered by the
filters, and that executable stacks are a no no.

Closes #5970.
2017-05-30 16:44:48 -04:00
Zbigniew Jędrzejewski-Szmek
98e9d71022 man: fix links to external man pages
linkchecker ftw!
2017-05-07 11:29:40 -04:00
James Cowgill
a3645cc6dd seccomp: add clone syscall definitions for mips (#5880)
Also updates the documentation and adds a mention of ppc64 support
which was enabled by #5325.

Tested on Debian mipsel and mips64el. The other 4 mips architectures
should have an identical user <-> kernel ABI to one of the 2 tested
systems.
2017-05-03 18:35:45 +02:00
Mark Stosberg
b8e485faf1 man: document how to include an equals sign in a value provided to Environment= (#5710)
It wasn't clear before how an equals sign in an "Environment=" value might be
handled. Ref:
http://stackoverflow.com/questions/43278883/how-to-write-systemd-environment-variables-value-which-contains/43280157
2017-04-11 23:19:06 +02:00
Torstein Husebø
6cf5a96489 man: fix typo (#5556) 2017-03-08 07:54:22 -05:00
Lennart Poettering
525872bfab man: document that ProtectKernelTunables= and ProtectControlGroups= implies MountAPIVFS=
See: #5384
2017-02-21 21:55:43 +01:00
AsciiWolf
28a0ad81ee man: use https:// in URLs 2017-02-21 16:28:04 +01:00
Lennart Poettering
0b8fab97cf man: improve documentation on seccomp regarding alternative ABIs
Let's clarify that RestrictAddressFamilies= and MemoryDenyWriteExecute=
are only fully effective if non-native system call architectures are
disabled, since they otherwise may be used to circumvent the filters, as
the filters aren't equally effective on all ABIs.

Fixes: #5277
2017-02-09 18:42:17 +01:00
Lennart Poettering
23deef88b9 Revert "core/execute: set HOME, USER also for root users"
This reverts commit 8b89628a10.

This broke #5246
2017-02-09 11:43:44 +01:00
Zbigniew Jędrzejewski-Szmek
fc6149a6ce Merge pull request #4962 from poettering/root-directory-2
Add new MountAPIVFS= boolean unit file setting + RootImage=
2017-02-08 23:05:05 -05:00
Zbigniew Jędrzejewski-Szmek
ef3116b5d4 man: add more commas for clarify and reword a few sentences 2017-02-08 22:53:16 -05:00
Lennart Poettering
ae9d60ce4e seccomp: on s390 the clone() parameters are reversed
Add a bit of code that tries to get the right parameter order in place
for some of the better known architectures, and skips
restrict_namespaces for other archs.

This also bypasses the test on archs where we don't know the right
order.

In this case I didn't bother with testing the case where no filter is
applied, since that is hopefully just an issue for now, as there's
nothing stopping us from supporting more archs, we just need to know
which order is right.

Fixes: #5241
2017-02-08 22:21:27 +01:00
Lennart Poettering
8a50cf6957 seccomp: MemoryDenyWriteExecute= should affect both mmap() and mmap2() (#5254)
On i386 we block the old mmap() call entirely, since we cannot properly
filter it. Thankfully it hasn't been used by glibc since quite some
time.

Fixes: #5240
2017-02-08 15:14:02 +01:00
Lennart Poettering
915e6d1676 core: add RootImage= setting for using a specific image file as root directory for a service
This is similar to RootDirectory= but mounts the root file system from a
block device or loopback file instead of another directory.

This reuses the image dissector code now used by nspawn and
gpt-auto-discovery.
2017-02-07 12:19:42 +01:00
Lennart Poettering
5d997827e2 core: add a per-unit setting MountAPIVFS= for mounting /dev, /proc, /sys in conjunction with RootDirectory=
This adds a boolean unit file setting MountAPIVFS=. If set, the three
main API VFS mounts will be mounted for the service. This only has an
effect on RootDirectory=, which it makes a ton times more useful.

(This is basically the /dev + /proc + /sys mounting code posted in the
original #4727, but rebased on current git, and with the automatic logic
replaced by explicit logic controlled by a unit file setting)
2017-02-07 11:22:05 +01:00
Lennart Poettering
142bd808a1 man: Document that RestrictAddressFamilies= doesn't work on s390/s390x/...
We already say that it doesn't work on i386, but there are more archs
like that apparently.
2017-02-06 14:17:12 +01:00
Zbigniew Jędrzejewski-Szmek
8b89628a10 core/execute: set HOME, USER also for root users
This changes the environment for services running as root from:

LANG=C.utf8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
INVOCATION_ID=ffbdec203c69499a9b83199333e31555
JOURNAL_STREAM=8:1614518

to

LANG=C.utf8
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin
HOME=/root
LOGNAME=root
USER=root
SHELL=/bin/sh
INVOCATION_ID=15a077963d7b4ca0b82c91dc6519f87c
JOURNAL_STREAM=8:1616718

Making the environment special for the root user complicates things
unnecessarily. This change simplifies both our logic (by making the setting
of the variables unconditional), and should also simplify the logic in
services (particularly scripts).

Fixes #5124.
2017-02-03 11:49:22 -05:00
Brandon Philips
9806301614 man: fix spelling error parth -> path 2017-02-02 00:54:42 +01:00
Jakub Wilk
301a21a880 man: fix typos (#5109) 2017-01-19 16:54:22 +01:00
Zbigniew Jędrzejewski-Szmek
5b3637b44a Merge pull request #4991 from poettering/seccomp-fix 2017-01-17 23:10:46 -05:00
Zbigniew Jędrzejewski-Szmek
374e692252 Merge pull request #5009 from ian-kelling/ian-mnt-namespace-doc 2017-01-11 15:23:00 -05:00
Ian Kelling
fa2a396620 doc: MountFlags= don't reference container which may not exist (#5011) 2017-01-03 21:32:31 +01:00