Mapping files as MAP_SHARED is handled by the kernel as 'writable'
mapping. Always! Even with PROT_READ. Reason for that is,
mprotect(PROT_WRITE) could change the mapping underneath and currently
there is no kernel infrastructure to add protection there. This might
change in the future, but until then, map sealed files as MAP_PRIVATE so
we don't get EPERM.
Start jobs for Type=oneshot units are successful when the unit state
transition activating → inactive took place. In such a case all units
that BindsTo= on it previously would continue to run, even though the unit
they dependet on was actually already gone.
On systems without properly setup systemd, cg_get_root_path returns
-ENOENT. This means that busctl doesn't display much information.
busctl monitor also fails whenever it intercepts messages.
This fix fakes creates a fake "/" root cgroup which lets busctl work
on such systems.
The interface for creating tuntap devices should be ported to rtnl so it would support the same settings
as other kinds. In the meantime, the best one can do is to drop in a .link file to set the desired options.
DBus methods that retrieve information can be called by anyone.
DBus methods that modify state of units are verified via polkit
action: org.freedesktop.systemd1.manage-units
DBus methods that modify state of unit files are verified via polkit
action: org.freedesktop.systemd1.manage-unit-files
DBus methods that reload the entire daemon state are verified via polkit
action: org.freedesktop.systemd1.reload-daemon
DBus methods that modify job state are callable from the clients
that started the job.
root (ie: CAP_SYS_ADMIN) can continue to perform all calls, property
access etc. There are several DBus methods that can only be
called by root.
Open up the dbus1 policy for the above methods.
(Heavily modified by Lennart, making use of the new
bus_verify_polkit_async() version that doesn't force us to always
pass the original callback around. Also, interactive auhentication must
be opt-in, not unconditional, hence I turned this off.)
First, let's drop the "bus" argument, we can determine it from the
message anyway.
Secondly, determine the right callback/userdata pair automatically from
what is currently is being dispatched. This should simplify things a lot
for us, since it makes it unnecessary to pass pointers through the
original handlers through all functions when we process messages, which
might require authentication.
Remove the sd_ prefix from internal functions and get rid of the sd_memfd
type. As a memfd is now just a native file descriptor, we can get rid of our
own wrapper type, and also use close() and dup() on them directly.
We need to map sealed files as MAP_PRIVATE so far as the kernel treats
MAP_SHARED as writable mapping (you can run mprotect(PROT_WRITE) at any
time on those). However, unsealed files must be mapped as MAP_SHARED.
Otherwise, we never end up writing to the real file.
We use memfds for sealing. Lets not bother with memfds created without
MFD_ALLOW_SEALING for now. They're equivalent to random shmem files, so
don't bother treating them as sealable memfds.
This is a generalization of the vtable privilege check we already have,
but exported, and hence useful when preparing for a polkit change.
This will deal with the complexity that on dbus1 one cannot trust the
capability field we retrieve via the bus, since it is read via
/proc/$$/stat (and thus might be out-of-date) rather than directly from
the message (like on kdbus) or bus connection (as for uid creds on
dbus1).
Also, port over all code to this new API.
Previously, we ended up parsing some of them three times: in main.c when
processing the kernel cmdline, in main.c when processing the process
cmdline (only for containers), and in log.c again.
Let's streamline this, and only parse them in log.c
In PID 1 also make sure we parse "quiet" first, and then override this
with the more specific checks in log.c