Compare commits
No commits in common. "36296ae2ad0e629be9ba968b66a075213e662cd3" and "644af2628522e1c55e0ea111bea97ea2025590fa" have entirely different histories.
36296ae2ad
...
644af26285
|
|
@ -60,10 +60,10 @@
|
|||
device or file, or a specification of a block device via
|
||||
<literal>UUID=</literal> followed by the UUID.</para>
|
||||
|
||||
<para>The third field specifies an absolute path to a file with the encryption key. Optionally,
|
||||
<para>The third field specifies an absolute path to a file to read the encryption key from. Optionally,
|
||||
the path may be followed by <literal>:</literal> and an fstab device specification (e.g. starting with
|
||||
<literal>LABEL=</literal> or similar); in which case the path is taken relative to the device file system
|
||||
root. If the field is not present or is <literal>none</literal> or <literal>-</literal>, a key file
|
||||
<literal>LABEL=</literal> or similar); in which case, the path is relative to the device file system
|
||||
root. If the field is not present or set to <literal>none</literal> or <literal>-</literal>, a key file
|
||||
named after the volume to unlock (i.e. the first column of the line), suffixed with
|
||||
<filename>.key</filename> is automatically loaded from the <filename>/etc/cryptsetup-keys.d/</filename>
|
||||
and <filename>/run/cryptsetup-keys.d/</filename> directories, if present. Otherwise, the password has to
|
||||
|
|
@ -78,12 +78,12 @@
|
|||
<varlistentry>
|
||||
<term><option>cipher=</option></term>
|
||||
|
||||
<listitem><para>Specifies the cipher to use. See <citerefentry
|
||||
project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||
for possible values and the default value of this option. A cipher with unpredictable IV values, such
|
||||
as <literal>aes-cbc-essiv:sha256</literal>, is recommended. Embedded commas in the cipher
|
||||
specification need to be escaped by preceding them with a backslash, see example below.</para>
|
||||
</listitem>
|
||||
<listitem><para>Specifies the cipher to use. See
|
||||
<citerefentry project='die-net'><refentrytitle>cryptsetup</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||
for possible values and the default value of this option. A
|
||||
cipher with unpredictable IV values, such as
|
||||
<literal>aes-cbc-essiv:sha256</literal>, is
|
||||
recommended.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
|
|
@ -498,17 +498,15 @@
|
|||
<title>Examples</title>
|
||||
<example>
|
||||
<title>/etc/crypttab example</title>
|
||||
<para>Set up four encrypted block devices. One using LUKS for normal storage, another one for usage as
|
||||
a swap device and two TrueCrypt volumes. For the fourth device, the option string is interpreted as two
|
||||
options <literal>cipher=xchacha12,aes-adiantum-plain64</literal>,
|
||||
<literal>keyfile-timeout=10s</literal>.</para>
|
||||
<para>Set up four encrypted block devices. One using LUKS for
|
||||
normal storage, another one for usage as a swap device and two
|
||||
TrueCrypt volumes.</para>
|
||||
|
||||
<programlisting>luks UUID=2505567a-9e27-4efe-a4d5-15ad146c258b
|
||||
swap /dev/sda7 /dev/urandom swap
|
||||
truecrypt /dev/sda2 /etc/container_password tcrypt
|
||||
hidden /mnt/tc_hidden /dev/null tcrypt-hidden,tcrypt-keyfile=/etc/keyfile
|
||||
external /dev/sda3 keyfile:LABEL=keydev keyfile-timeout=10s,cipher=xchacha12\,aes-adiantum-plain64
|
||||
</programlisting>
|
||||
external /dev/sda3 keyfile:LABEL=keydev keyfile-timeout=10s</programlisting>
|
||||
</example>
|
||||
|
||||
<example>
|
||||
|
|
|
|||
|
|
@ -304,7 +304,7 @@
|
|||
setting. Example: <option>--timezone=Europe/Amsterdam</option> will result in the environment
|
||||
variable <literal>TZ=:Europe/Amsterdam</literal>. (<literal>:</literal> is used intentionally as part
|
||||
of the timezone specification, see
|
||||
<citerefentry project='man-pages'><refentrytitle>tzset</refentrytitle><manvolnum>3</manvolnum></citerefentry>.)
|
||||
<citerefentry><refentrytitle>tzset</refentrytitle><manvolnum>3</manvolnum></citerefentry>.)
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
|
|
|||
|
|
@ -13,7 +13,7 @@ target="man/$1.html"
|
|||
ninja -C "@BUILD_ROOT@" "$target"
|
||||
|
||||
fullname="@BUILD_ROOT@/$target"
|
||||
redirect="$(test -f "$fullname" && readlink "$fullname" || :)"
|
||||
redirect="$(readlink "$fullname" 2>/dev/null)"
|
||||
if [ -n "$redirect" ]; then
|
||||
ninja -C "@BUILD_ROOT@" "man/$redirect"
|
||||
|
||||
|
|
|
|||
|
|
@ -1036,14 +1036,12 @@ manpages = [
|
|||
''],
|
||||
['udev_device_has_tag',
|
||||
'3',
|
||||
['udev_device_get_current_tags_list_entry',
|
||||
'udev_device_get_devlinks_list_entry',
|
||||
['udev_device_get_devlinks_list_entry',
|
||||
'udev_device_get_properties_list_entry',
|
||||
'udev_device_get_property_value',
|
||||
'udev_device_get_sysattr_list_entry',
|
||||
'udev_device_get_sysattr_value',
|
||||
'udev_device_get_tags_list_entry',
|
||||
'udev_device_has_current_tag',
|
||||
'udev_device_set_sysattr_value'],
|
||||
''],
|
||||
['udev_device_new_from_syspath',
|
||||
|
|
|
|||
|
|
@ -70,10 +70,10 @@
|
|||
|
||||
<para>OS images may use any kind of Linux-supported file systems. In addition they may make use of LUKS
|
||||
disk encryption, and contain Verity integrity information. Note that qualifying OS images may be booted
|
||||
with <citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
|
||||
with <citerefentry><refentrytitle>system-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
|
||||
<option>--image=</option> switch, and be used as root file system for system service using the
|
||||
<varname>RootImage=</varname> unit file setting, see
|
||||
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
||||
<citerefentry><refentrytitle>system.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
|
||||
|
||||
<para>Note that the partition table shown when invoked without command switch (as listed below) does not
|
||||
necessarily show all partitions included in the image, but just the partitions that are understood and
|
||||
|
|
@ -252,8 +252,8 @@
|
|||
<title>See Also</title>
|
||||
<para>
|
||||
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>systemd-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>system-nspawn</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>system.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
|
||||
<ulink url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable Partitions Specification</ulink>,
|
||||
<citerefentry project='man-pages'><refentrytitle>umount</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
|
||||
<citerefentry project='man-pages'><refentrytitle>fdisk</refentrytitle><manvolnum>8</manvolnum></citerefentry>
|
||||
|
|
|
|||
|
|
@ -153,9 +153,7 @@
|
|||
case the image has multiple partitions, otherwise partition name <literal>root</literal> is implied.
|
||||
Options for multiple partitions can be specified in a single line with space separators. Assigning an empty
|
||||
string removes previous assignments. Duplicated options are ignored. For a list of valid mount options, please
|
||||
refer to
|
||||
<citerefentry project='man-pages'><refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum></citerefentry>.
|
||||
</para>
|
||||
refer to <citerefentry><refentrytitle>mount</refentrytitle><manvolnum>8</manvolnum></citerefentry>.</para>
|
||||
|
||||
<para>Valid partition names follow the <ulink url="https://systemd.io/DISCOVERABLE_PARTITIONS">Discoverable
|
||||
Partitions Specification</ulink>.</para>
|
||||
|
|
@ -1011,7 +1009,7 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
|||
|
||||
<listitem><para>Sets the CPU scheduling policy for executed processes. Takes one of <option>other</option>,
|
||||
<option>batch</option>, <option>idle</option>, <option>fifo</option> or <option>rr</option>. See
|
||||
<citerefentry project='man-pages'><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
|
||||
<citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
|
||||
details.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
|
@ -1021,7 +1019,7 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
|||
<listitem><para>Sets the CPU scheduling priority for executed processes. The available priority range depends
|
||||
on the selected CPU scheduling policy (see above). For real-time scheduling policies an integer between 1
|
||||
(lowest priority) and 99 (highest priority) can be used. See
|
||||
<citerefentry project='man-pages'><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
|
||||
<citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
|
||||
details. </para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
|
@ -1032,7 +1030,7 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
|||
will be reset when the executed processes call
|
||||
<citerefentry project='man-pages'><refentrytitle>fork</refentrytitle><manvolnum>2</manvolnum></citerefentry>,
|
||||
and can hence not leak into child processes. See
|
||||
<citerefentry project='man-pages'><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
|
||||
<citerefentry><refentrytitle>sched_setscheduler</refentrytitle><manvolnum>2</manvolnum></citerefentry>
|
||||
for details. Defaults to false.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
|
@ -1045,7 +1043,7 @@ CapabilityBoundingSet=~CAP_B CAP_C</programlisting>
|
|||
are specified by the lower and upper CPU indices separated by a dash. This option may be specified more than
|
||||
once, in which case the specified CPU affinity masks are merged. If the empty string is assigned, the mask
|
||||
is reset, all assignments prior to this will have no effect. See
|
||||
<citerefentry project='man-pages'><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
|
||||
<citerefentry><refentrytitle>sched_setaffinity</refentrytitle><manvolnum>2</manvolnum></citerefentry> for
|
||||
details.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
|
|
|
|||
|
|
@ -270,8 +270,9 @@
|
|||
ideas behind systemd, please refer to the
|
||||
<ulink url="http://0pointer.de/blog/projects/systemd.html">Original Design Document</ulink>.</para>
|
||||
|
||||
<para>Note that some but not all interfaces provided by systemd are covered by the
|
||||
<ulink url="https://systemd.io/PORTABILITY_AND_STABILITY/">Interface Portability and Stability Promise</ulink>.</para>
|
||||
<para>Note that some but not all interfaces provided
|
||||
by systemd are covered by the
|
||||
<ulink url="Portability and">Interface Portability and Stability Promise</ulink>.</para>
|
||||
|
||||
<para>Units may be generated dynamically at boot and system
|
||||
manager reload time, for example based on other configuration
|
||||
|
|
|
|||
|
|
@ -267,39 +267,28 @@ int log_open(void) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
if (getpid_cached() == 1 ||
|
||||
stderr_is_journal() ||
|
||||
IN_SET(log_target,
|
||||
LOG_TARGET_KMSG,
|
||||
LOG_TARGET_JOURNAL,
|
||||
LOG_TARGET_JOURNAL_OR_KMSG,
|
||||
LOG_TARGET_SYSLOG,
|
||||
LOG_TARGET_SYSLOG_OR_KMSG)) {
|
||||
if (log_target != LOG_TARGET_AUTO || getpid_cached() == 1 || stderr_is_journal()) {
|
||||
|
||||
if (!prohibit_ipc) {
|
||||
if (IN_SET(log_target,
|
||||
LOG_TARGET_AUTO,
|
||||
LOG_TARGET_JOURNAL_OR_KMSG,
|
||||
LOG_TARGET_JOURNAL)) {
|
||||
|
||||
r = log_open_journal();
|
||||
if (r >= 0) {
|
||||
log_close_syslog();
|
||||
log_close_console();
|
||||
return r;
|
||||
}
|
||||
if (!prohibit_ipc &&
|
||||
IN_SET(log_target, LOG_TARGET_AUTO,
|
||||
LOG_TARGET_JOURNAL_OR_KMSG,
|
||||
LOG_TARGET_JOURNAL)) {
|
||||
r = log_open_journal();
|
||||
if (r >= 0) {
|
||||
log_close_syslog();
|
||||
log_close_console();
|
||||
return r;
|
||||
}
|
||||
}
|
||||
|
||||
if (IN_SET(log_target,
|
||||
LOG_TARGET_SYSLOG_OR_KMSG,
|
||||
LOG_TARGET_SYSLOG)) {
|
||||
|
||||
r = log_open_syslog();
|
||||
if (r >= 0) {
|
||||
log_close_journal();
|
||||
log_close_console();
|
||||
return r;
|
||||
}
|
||||
if (!prohibit_ipc &&
|
||||
IN_SET(log_target, LOG_TARGET_SYSLOG_OR_KMSG,
|
||||
LOG_TARGET_SYSLOG)) {
|
||||
r = log_open_syslog();
|
||||
if (r >= 0) {
|
||||
log_close_journal();
|
||||
log_close_console();
|
||||
return r;
|
||||
}
|
||||
}
|
||||
|
||||
|
|
|
|||
|
|
@ -30,7 +30,7 @@ typedef enum LogTarget{
|
|||
LOG_TARGET_JOURNAL_OR_KMSG,
|
||||
LOG_TARGET_SYSLOG,
|
||||
LOG_TARGET_SYSLOG_OR_KMSG,
|
||||
LOG_TARGET_AUTO, /* console if stderr is not journal, JOURNAL_OR_KMSG otherwise */
|
||||
LOG_TARGET_AUTO, /* console if stderr is tty, JOURNAL_OR_KMSG otherwise */
|
||||
LOG_TARGET_NULL,
|
||||
_LOG_TARGET_MAX,
|
||||
_LOG_TARGET_INVALID = -1
|
||||
|
|
|
|||
|
|
@ -367,7 +367,7 @@ int strv_split_colon_pairs(char ***t, const char *s) {
|
|||
return (int) n;
|
||||
}
|
||||
|
||||
char *strv_join_full(char * const *l, const char *separator, const char *prefix, bool unescape_separators) {
|
||||
char *strv_join_prefix(char * const *l, const char *separator, const char *prefix) {
|
||||
char * const *s;
|
||||
char *r, *e;
|
||||
size_t n, k, m;
|
||||
|
|
@ -378,17 +378,11 @@ char *strv_join_full(char * const *l, const char *separator, const char *prefix,
|
|||
k = strlen(separator);
|
||||
m = strlen_ptr(prefix);
|
||||
|
||||
if (unescape_separators) /* If there separator is multi-char, we won't know how to escape it. */
|
||||
assert(k == 1);
|
||||
|
||||
n = 0;
|
||||
STRV_FOREACH(s, l) {
|
||||
if (s != l)
|
||||
n += k;
|
||||
|
||||
bool needs_escaping = unescape_separators && strchr(*s, separator[0]);
|
||||
|
||||
n += m + strlen(*s) * (1 + needs_escaping);
|
||||
n += m + strlen(*s);
|
||||
}
|
||||
|
||||
r = new(char, n+1);
|
||||
|
|
@ -403,16 +397,7 @@ char *strv_join_full(char * const *l, const char *separator, const char *prefix,
|
|||
if (prefix)
|
||||
e = stpcpy(e, prefix);
|
||||
|
||||
bool needs_escaping = unescape_separators && strchr(*s, separator[0]);
|
||||
|
||||
if (needs_escaping)
|
||||
for (size_t i = 0; (*s)[i]; i++) {
|
||||
if ((*s)[i] == separator[0])
|
||||
*(e++) = '\\';
|
||||
*(e++) = (*s)[i];
|
||||
}
|
||||
else
|
||||
e = stpcpy(e, *s);
|
||||
e = stpcpy(e, *s);
|
||||
}
|
||||
|
||||
*e = 0;
|
||||
|
|
|
|||
|
|
@ -91,9 +91,9 @@ static inline char **strv_split(const char *s, const char *separators) {
|
|||
* string in the vector is an empty string. */
|
||||
int strv_split_colon_pairs(char ***t, const char *s);
|
||||
|
||||
char *strv_join_full(char * const *l, const char *separator, const char *prefix, bool escape_separtor);
|
||||
char *strv_join_prefix(char * const *l, const char *separator, const char *prefix);
|
||||
static inline char *strv_join(char * const *l, const char *separator) {
|
||||
return strv_join_full(l, separator, NULL, false);
|
||||
return strv_join_prefix(l, separator, NULL);
|
||||
}
|
||||
|
||||
char **strv_parse_nulstr(const char *s, size_t l);
|
||||
|
|
|
|||
|
|
@ -53,7 +53,6 @@ static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_protect_home, protect_home, Pro
|
|||
static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_protect_system, protect_system, ProtectSystem);
|
||||
static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_personality, personality, unsigned long);
|
||||
static BUS_DEFINE_PROPERTY_GET(property_get_ioprio, "i", ExecContext, exec_context_get_effective_ioprio);
|
||||
static BUS_DEFINE_PROPERTY_GET(property_get_mount_apivfs, "b", ExecContext, exec_context_get_effective_mount_apivfs);
|
||||
static BUS_DEFINE_PROPERTY_GET2(property_get_ioprio_class, "i", ExecContext, exec_context_get_effective_ioprio, IOPRIO_PRIO_CLASS);
|
||||
static BUS_DEFINE_PROPERTY_GET2(property_get_ioprio_priority, "i", ExecContext, exec_context_get_effective_ioprio, IOPRIO_PRIO_DATA);
|
||||
static BUS_DEFINE_PROPERTY_GET_GLOBAL(property_get_empty_string, "s", NULL);
|
||||
|
|
@ -1144,7 +1143,7 @@ const sd_bus_vtable bus_exec_vtable[] = {
|
|||
SD_BUS_PROPERTY("BindPaths", "a(ssbt)", property_get_bind_paths, 0, SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("BindReadOnlyPaths", "a(ssbt)", property_get_bind_paths, 0, SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("TemporaryFileSystem", "a(ss)", property_get_temporary_filesystems, 0, SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("MountAPIVFS", "b", property_get_mount_apivfs, 0, SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("MountAPIVFS", "b", bus_property_get_bool, offsetof(ExecContext, mount_apivfs), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("KeyringMode", "s", property_get_exec_keyring_mode, offsetof(ExecContext, keyring_mode), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("ProtectProc", "s", property_get_protect_proc, offsetof(ExecContext, protect_proc), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
SD_BUS_PROPERTY("ProcSubset", "s", property_get_proc_subset, offsetof(ExecContext, proc_subset), SD_BUS_VTABLE_PROPERTY_CONST),
|
||||
|
|
@ -1806,6 +1805,9 @@ int bus_exec_context_set_transient_property(
|
|||
if (streq(name, "ProtectControlGroups"))
|
||||
return bus_set_transient_bool(u, name, &c->protect_control_groups, message, flags, error);
|
||||
|
||||
if (streq(name, "MountAPIVFS"))
|
||||
return bus_set_transient_bool(u, name, &c->mount_apivfs, message, flags, error);
|
||||
|
||||
if (streq(name, "CPUSchedulingResetOnFork"))
|
||||
return bus_set_transient_bool(u, name, &c->cpu_sched_reset_on_fork, message, flags, error);
|
||||
|
||||
|
|
@ -2633,20 +2635,6 @@ int bus_exec_context_set_transient_property(
|
|||
|
||||
return 1;
|
||||
|
||||
} else if (streq(name, "MountAPIVFS")) {
|
||||
bool b;
|
||||
|
||||
r = bus_set_transient_bool(u, name, &b, message, flags, error);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (!UNIT_WRITE_FLAGS_NOOP(flags)) {
|
||||
c->mount_apivfs = b;
|
||||
c->mount_apivfs_set = true;
|
||||
}
|
||||
|
||||
return 1;
|
||||
|
||||
} else if (streq(name, "WorkingDirectory")) {
|
||||
const char *s;
|
||||
bool missing_ok;
|
||||
|
|
|
|||
|
|
@ -1927,7 +1927,7 @@ static int build_environment(
|
|||
if (!pre)
|
||||
return -ENOMEM;
|
||||
|
||||
joined = strv_join_full(c->directories[t].paths, ":", pre, true);
|
||||
joined = strv_join_prefix(c->directories[t].paths, ":", pre);
|
||||
if (!joined)
|
||||
return -ENOMEM;
|
||||
|
||||
|
|
@ -2027,7 +2027,7 @@ static bool exec_needs_mount_namespace(
|
|||
return true;
|
||||
|
||||
if (context->root_directory) {
|
||||
if (exec_context_get_effective_mount_apivfs(context))
|
||||
if (context->mount_apivfs)
|
||||
return true;
|
||||
|
||||
for (ExecDirectoryType t = 0; t < _EXEC_DIRECTORY_TYPE_MAX; t++) {
|
||||
|
|
@ -3147,7 +3147,7 @@ static int apply_mount_namespace(
|
|||
.protect_kernel_modules = context->protect_kernel_modules,
|
||||
.protect_kernel_logs = context->protect_kernel_logs,
|
||||
.protect_hostname = context->protect_hostname,
|
||||
.mount_apivfs = exec_context_get_effective_mount_apivfs(context),
|
||||
.mount_apivfs = context->mount_apivfs,
|
||||
.private_mounts = context->private_mounts,
|
||||
.protect_home = context->protect_home,
|
||||
.protect_system = context->protect_system,
|
||||
|
|
@ -5185,7 +5185,7 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
|
|||
prefix, yes_no(c->private_users),
|
||||
prefix, protect_home_to_string(c->protect_home),
|
||||
prefix, protect_system_to_string(c->protect_system),
|
||||
prefix, yes_no(exec_context_get_effective_mount_apivfs(c)),
|
||||
prefix, yes_no(c->mount_apivfs),
|
||||
prefix, yes_no(c->ignore_sigpipe),
|
||||
prefix, yes_no(c->memory_deny_write_execute),
|
||||
prefix, yes_no(c->restrict_realtime),
|
||||
|
|
@ -5650,20 +5650,6 @@ int exec_context_get_effective_ioprio(const ExecContext *c) {
|
|||
return p;
|
||||
}
|
||||
|
||||
bool exec_context_get_effective_mount_apivfs(const ExecContext *c) {
|
||||
assert(c);
|
||||
|
||||
/* Explicit setting wins */
|
||||
if (c->mount_apivfs_set)
|
||||
return c->mount_apivfs;
|
||||
|
||||
/* Default to "yes" if root directory or image are specified */
|
||||
if (c->root_image || !empty_or_root(c->root_directory))
|
||||
return true;
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
void exec_context_free_log_extra_fields(ExecContext *c) {
|
||||
assert(c);
|
||||
|
||||
|
|
|
|||
|
|
@ -174,7 +174,6 @@ struct ExecContext {
|
|||
bool nice_set:1;
|
||||
bool ioprio_set:1;
|
||||
bool cpu_sched_set:1;
|
||||
bool mount_apivfs_set:1;
|
||||
|
||||
/* This is not exposed to the user but available internally. We need it to make sure that whenever we
|
||||
* spawn /usr/bin/mount it is run in the same process group as us so that the autofs logic detects
|
||||
|
|
@ -410,7 +409,6 @@ bool exec_context_may_touch_console(const ExecContext *c);
|
|||
bool exec_context_maintains_privileges(const ExecContext *c);
|
||||
|
||||
int exec_context_get_effective_ioprio(const ExecContext *c);
|
||||
bool exec_context_get_effective_mount_apivfs(const ExecContext *c);
|
||||
|
||||
void exec_context_free_log_extra_fields(ExecContext *c);
|
||||
|
||||
|
|
|
|||
|
|
@ -1349,44 +1349,6 @@ int config_parse_exec_cpu_sched_policy(const char *unit,
|
|||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_exec_mount_apivfs(const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
const char *section,
|
||||
unsigned section_line,
|
||||
const char *lvalue,
|
||||
int ltype,
|
||||
const char *rvalue,
|
||||
void *data,
|
||||
void *userdata) {
|
||||
|
||||
ExecContext *c = data;
|
||||
int k;
|
||||
|
||||
assert(filename);
|
||||
assert(lvalue);
|
||||
assert(rvalue);
|
||||
assert(data);
|
||||
|
||||
if (isempty(rvalue)) {
|
||||
c->mount_apivfs_set = false;
|
||||
c->mount_apivfs = false;
|
||||
return 0;
|
||||
}
|
||||
|
||||
k = parse_boolean(rvalue);
|
||||
if (k < 0) {
|
||||
log_syntax(unit, LOG_WARNING, filename, line, k,
|
||||
"Failed to parse boolean value, ignoring: %s",
|
||||
rvalue);
|
||||
return 0;
|
||||
}
|
||||
|
||||
c->mount_apivfs_set = true;
|
||||
c->mount_apivfs = k;
|
||||
return 0;
|
||||
}
|
||||
|
||||
int config_parse_numa_mask(const char *unit,
|
||||
const char *filename,
|
||||
unsigned line,
|
||||
|
|
|
|||
|
|
@ -43,7 +43,6 @@ CONFIG_PARSER_PROTOTYPE(config_parse_exec_io_priority);
|
|||
CONFIG_PARSER_PROTOTYPE(config_parse_exec_cpu_sched_policy);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_exec_cpu_sched_prio);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_exec_cpu_affinity);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_exec_mount_apivfs);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_exec_secure_bits);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_root_image_options);
|
||||
CONFIG_PARSER_PROTOTYPE(config_parse_exec_root_hash);
|
||||
|
|
|
|||
|
|
@ -526,7 +526,8 @@ int socket_acquire_peer(Socket *s, int fd, SocketPeer **p) {
|
|||
assert(fd >= 0);
|
||||
assert(s);
|
||||
|
||||
if (getpeername(fd, &sa.peer.sa, &salen) < 0)
|
||||
r = getpeername(fd, &sa.peer.sa, &salen);
|
||||
if (r < 0)
|
||||
return log_unit_error_errno(UNIT(s), errno, "getpeername failed: %m");
|
||||
|
||||
if (!IN_SET(sa.peer.sa.sa_family, AF_INET, AF_INET6, AF_VSOCK)) {
|
||||
|
|
|
|||
|
|
@ -622,6 +622,7 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
|
|||
static int add_crypttab_devices(void) {
|
||||
_cleanup_fclose_ FILE *f = NULL;
|
||||
unsigned crypttab_line = 0;
|
||||
struct stat st;
|
||||
int r;
|
||||
|
||||
if (!arg_read_crypttab)
|
||||
|
|
@ -634,6 +635,11 @@ static int add_crypttab_devices(void) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
if (fstat(fileno(f), &st) < 0) {
|
||||
log_error_errno(errno, "Failed to stat %s: %m", arg_crypttab);
|
||||
return 0;
|
||||
}
|
||||
|
||||
for (;;) {
|
||||
_cleanup_free_ char *line = NULL, *name = NULL, *device = NULL, *keyspec = NULL, *options = NULL, *keyfile = NULL, *keydev = NULL;
|
||||
crypto_device *d = NULL;
|
||||
|
|
|
|||
|
|
@ -294,9 +294,9 @@ static int parse_options(const char *options) {
|
|||
_cleanup_free_ char *word = NULL;
|
||||
int r;
|
||||
|
||||
r = extract_first_word(&options, &word, ",", EXTRACT_DONT_COALESCE_SEPARATORS | EXTRACT_UNESCAPE_SEPARATORS);
|
||||
r = extract_first_word(&options, &word, ",", EXTRACT_DONT_COALESCE_SEPARATORS);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to parse options: %m");
|
||||
return log_debug_errno(r, "Failed to parse options: %m");
|
||||
if (r == 0)
|
||||
break;
|
||||
|
||||
|
|
@ -874,9 +874,6 @@ static int run(int argc, char *argv[]) {
|
|||
return r;
|
||||
}
|
||||
|
||||
log_debug("%s %s ← %s type=%s cipher=%s", __func__,
|
||||
argv[2], argv[3], strempty(arg_type), strempty(arg_cipher));
|
||||
|
||||
/* A delicious drop of snake oil */
|
||||
(void) mlockall(MCL_FUTURE);
|
||||
|
||||
|
|
|
|||
|
|
@ -5134,12 +5134,9 @@ static int run(int argc, char *argv[]) {
|
|||
if (r <= 0)
|
||||
goto finish;
|
||||
|
||||
if (geteuid() != 0) {
|
||||
r = log_warning_errno(SYNTHETIC_ERRNO(EPERM),
|
||||
argc >= 2 ? "Need to be root." :
|
||||
"Need to be root (and some arguments are usually required).\nHint: try --help");
|
||||
r = must_be_root();
|
||||
if (r < 0)
|
||||
goto finish;
|
||||
}
|
||||
|
||||
r = cant_be_in_netns();
|
||||
if (r < 0)
|
||||
|
|
|
|||
|
|
@ -842,21 +842,19 @@ static int verify_esp_blkid(
|
|||
else if (r != 0)
|
||||
return log_error_errno(errno ?: SYNTHETIC_ERRNO(EIO), "Failed to probe file system \"%s\": %m", node);
|
||||
|
||||
errno = 0;
|
||||
r = blkid_probe_lookup_value(b, "TYPE", &v, NULL);
|
||||
if (r != 0)
|
||||
return log_full_errno(searching ? LOG_DEBUG : LOG_ERR,
|
||||
SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV),
|
||||
"No filesystem found on \"%s\": %m", node);
|
||||
return log_error_errno(errno ?: SYNTHETIC_ERRNO(EIO), "Failed to probe file system type of \"%s\": %m", node);
|
||||
if (!streq(v, "vfat"))
|
||||
return log_full_errno(searching ? LOG_DEBUG : LOG_ERR,
|
||||
SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV),
|
||||
"File system \"%s\" is not FAT.", node);
|
||||
|
||||
errno = 0;
|
||||
r = blkid_probe_lookup_value(b, "PART_ENTRY_SCHEME", &v, NULL);
|
||||
if (r != 0)
|
||||
return log_full_errno(searching ? LOG_DEBUG : LOG_ERR,
|
||||
SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV),
|
||||
"File system \"%s\" is not located on a partitioned block device.", node);
|
||||
return log_error_errno(errno ?: SYNTHETIC_ERRNO(EIO), "Failed to probe partition scheme of \"%s\": %m", node);
|
||||
if (!streq(v, "gpt"))
|
||||
return log_full_errno(searching ? LOG_DEBUG : LOG_ERR,
|
||||
SYNTHETIC_ERRNO(searching ? EADDRNOTAVAIL : ENODEV),
|
||||
|
|
|
|||
|
|
@ -95,19 +95,7 @@ int fstab_filter_options(const char *opts, const char *names,
|
|||
|
||||
if (!ret_filtered) {
|
||||
for (const char *word = opts;;) {
|
||||
const char *end = word;
|
||||
|
||||
/* Look for an *non-escaped* comma separator. Only commas can be escaped, so "\," is
|
||||
* the only valid escape sequence, so we can do a very simple test here. */
|
||||
for (;;) {
|
||||
size_t n = strcspn(end, ",");
|
||||
|
||||
end += n;
|
||||
if (n > 0 && end[-1] == '\\')
|
||||
end++;
|
||||
else
|
||||
break;
|
||||
}
|
||||
const char *end = word + strcspn(word, ",");
|
||||
|
||||
NULSTR_FOREACH(name, names) {
|
||||
if (end < word + strlen(name))
|
||||
|
|
@ -140,10 +128,9 @@ int fstab_filter_options(const char *opts, const char *names,
|
|||
break;
|
||||
}
|
||||
} else {
|
||||
r = strv_split_full(&stor, opts, ",", EXTRACT_DONT_COALESCE_SEPARATORS | EXTRACT_UNESCAPE_SEPARATORS);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
stor = strv_split(opts, ",");
|
||||
if (!stor)
|
||||
return -ENOMEM;
|
||||
strv = memdup(stor, sizeof(char*) * (strv_length(stor) + 1));
|
||||
if (!strv)
|
||||
return -ENOMEM;
|
||||
|
|
@ -178,7 +165,7 @@ answer:
|
|||
if (ret_filtered) {
|
||||
char *f;
|
||||
|
||||
f = strv_join_full(strv, ",", NULL, true);
|
||||
f = strv_join(strv, ",");
|
||||
if (!f)
|
||||
return -ENOMEM;
|
||||
|
||||
|
|
|
|||
|
|
@ -4,7 +4,6 @@
|
|||
#include <unistd.h>
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "cgroup-util.h"
|
||||
#include "dropin.h"
|
||||
#include "escape.h"
|
||||
#include "fd-util.h"
|
||||
|
|
@ -621,11 +620,6 @@ int generator_write_cryptsetup_service_section(
|
|||
}
|
||||
|
||||
void log_setup_generator(void) {
|
||||
/* Disable talking to syslog/journal (i.e. the two IPC-based loggers) if we run in system context. */
|
||||
if (cg_pid_get_owner_uid(0, NULL) == -ENXIO /* not running in a per-user slice */)
|
||||
log_set_prohibit_ipc(true);
|
||||
|
||||
log_set_target(LOG_TARGET_JOURNAL_OR_KMSG); /* This effectively means: journal for per-user generators, kmsg otherwise */
|
||||
log_parse_environment();
|
||||
(void) log_open();
|
||||
log_set_prohibit_ipc(true);
|
||||
log_setup_service();
|
||||
}
|
||||
|
|
|
|||
|
|
@ -118,13 +118,12 @@ static int device_new_from_dev_path(const char *devlink, sd_device **ret_device)
|
|||
|
||||
assert(devlink);
|
||||
|
||||
if (stat(devlink, &st) < 0)
|
||||
return log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_ERR, errno,
|
||||
"Failed to stat() %s: %m", devlink);
|
||||
r = stat(devlink, &st);
|
||||
if (r < 0)
|
||||
return log_full_errno(errno == ENOENT ? LOG_DEBUG : LOG_ERR, errno, "Failed to stat() %s: %m", devlink);
|
||||
|
||||
if (!S_ISBLK(st.st_mode))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(ENOTBLK),
|
||||
"%s does not point to a block device: %m", devlink);
|
||||
return log_error_errno(SYNTHETIC_ERRNO(ENOTBLK), "%s does not point to a block device: %m", devlink);
|
||||
|
||||
r = sd_device_new_from_devnum(ret_device, 'b', st.st_rdev);
|
||||
if (r < 0)
|
||||
|
|
|
|||
|
|
@ -13,11 +13,12 @@ int fstab_filter_options(const char *opts, const char *names,
|
|||
*/
|
||||
|
||||
static void do_fstab_filter_options(const char *opts,
|
||||
const char *remove,
|
||||
int r_expected,
|
||||
const char *name_expected,
|
||||
const char *value_expected,
|
||||
const char *filtered_expected) {
|
||||
const char *remove,
|
||||
int r_expected,
|
||||
const char *name_expected,
|
||||
const char *value_expected,
|
||||
const char *filtered_expected) {
|
||||
|
||||
int r;
|
||||
const char *name;
|
||||
_cleanup_free_ char *value = NULL, *filtered = NULL;
|
||||
|
|
@ -33,7 +34,7 @@ static void do_fstab_filter_options(const char *opts,
|
|||
|
||||
/* also test the malloc-less mode */
|
||||
r = fstab_filter_options(opts, remove, &name, NULL, NULL);
|
||||
log_info("\"%s\" → %d, \"%s\", expected %d, \"%s\"\n-",
|
||||
log_info("\"%s\" → %d, \"%s\", expected %d, \"%s\"",
|
||||
opts, r, name,
|
||||
r_expected, name_expected);
|
||||
assert_se(r == r_expected);
|
||||
|
|
@ -53,12 +54,6 @@ static void test_fstab_filter_options(void) {
|
|||
do_fstab_filter_options("opt,other", "x-opt\0opt\0", 1, "opt", NULL, "other");
|
||||
do_fstab_filter_options("x-opt,other", "opt\0x-opt\0", 1, "x-opt", NULL, "other");
|
||||
|
||||
do_fstab_filter_options("opt=0\\,1,other", "opt\0x-opt\0", 1, "opt", "0,1", "other");
|
||||
do_fstab_filter_options("opt=0,other,x-opt\\,foobar", "x-opt\0opt\0", 1, "opt", "0", "other,x-opt\\,foobar");
|
||||
do_fstab_filter_options("opt,other,x-opt\\,part", "opt\0x-opt\0", 1, "opt", NULL, "other,x-opt\\,part");
|
||||
do_fstab_filter_options("opt,other,part\\,x-opt", "x-opt\0opt\0", 1, "opt", NULL, "other,part\\,x-opt");
|
||||
do_fstab_filter_options("opt,other\\,\\,\\,opt,x-part", "opt\0x-opt\0", 1, "opt", NULL, "other\\,\\,\\,opt,x-part");
|
||||
|
||||
do_fstab_filter_options("opto=0,other", "opt\0x-opt\0", 0, NULL, NULL, NULL);
|
||||
do_fstab_filter_options("opto,other", "opt\0x-opt\0", 0, NULL, NULL, NULL);
|
||||
do_fstab_filter_options("x-opto,other", "opt\0x-opt\0", 0, NULL, NULL, NULL);
|
||||
|
|
|
|||
|
|
@ -162,84 +162,71 @@ static void test_strv_find_startswith(void) {
|
|||
}
|
||||
|
||||
static void test_strv_join(void) {
|
||||
_cleanup_free_ char *p = NULL, *q = NULL, *r = NULL, *s = NULL, *t = NULL, *v = NULL, *w = NULL;
|
||||
|
||||
log_info("/* %s */", __func__);
|
||||
|
||||
_cleanup_free_ char *p = strv_join((char **)input_table_multiple, ", ");
|
||||
p = strv_join((char **)input_table_multiple, ", ");
|
||||
assert_se(p);
|
||||
assert_se(streq(p, "one, two, three"));
|
||||
|
||||
_cleanup_free_ char *q = strv_join((char **)input_table_multiple, ";");
|
||||
q = strv_join((char **)input_table_multiple, ";");
|
||||
assert_se(q);
|
||||
assert_se(streq(q, "one;two;three"));
|
||||
|
||||
_cleanup_free_ char *r = strv_join((char **)input_table_multiple, NULL);
|
||||
r = strv_join((char **)input_table_multiple, NULL);
|
||||
assert_se(r);
|
||||
assert_se(streq(r, "one two three"));
|
||||
|
||||
_cleanup_free_ char *s = strv_join(STRV_MAKE("1", "2", "3,3"), ",");
|
||||
s = strv_join((char **)input_table_one, ", ");
|
||||
assert_se(s);
|
||||
assert_se(streq(s, "1,2,3,3"));
|
||||
assert_se(streq(s, "one"));
|
||||
|
||||
_cleanup_free_ char *t = strv_join((char **)input_table_one, ", ");
|
||||
t = strv_join((char **)input_table_none, ", ");
|
||||
assert_se(t);
|
||||
assert_se(streq(t, "one"));
|
||||
assert_se(streq(t, ""));
|
||||
|
||||
_cleanup_free_ char *u = strv_join((char **)input_table_none, ", ");
|
||||
assert_se(u);
|
||||
assert_se(streq(u, ""));
|
||||
|
||||
_cleanup_free_ char *v = strv_join((char **)input_table_two_empties, ", ");
|
||||
v = strv_join((char **)input_table_two_empties, ", ");
|
||||
assert_se(v);
|
||||
assert_se(streq(v, ", "));
|
||||
|
||||
_cleanup_free_ char *w = strv_join((char **)input_table_one_empty, ", ");
|
||||
w = strv_join((char **)input_table_one_empty, ", ");
|
||||
assert_se(w);
|
||||
assert_se(streq(w, ""));
|
||||
}
|
||||
|
||||
static void test_strv_join_full(void) {
|
||||
static void test_strv_join_prefix(void) {
|
||||
_cleanup_free_ char *p = NULL, *q = NULL, *r = NULL, *s = NULL, *t = NULL, *v = NULL, *w = NULL;
|
||||
|
||||
log_info("/* %s */", __func__);
|
||||
|
||||
_cleanup_free_ char *p = strv_join_full((char **)input_table_multiple, ", ", "foo", false);
|
||||
p = strv_join_prefix((char **)input_table_multiple, ", ", "foo");
|
||||
assert_se(p);
|
||||
assert_se(streq(p, "fooone, footwo, foothree"));
|
||||
|
||||
_cleanup_free_ char *q = strv_join_full((char **)input_table_multiple, ";", "foo", false);
|
||||
q = strv_join_prefix((char **)input_table_multiple, ";", "foo");
|
||||
assert_se(q);
|
||||
assert_se(streq(q, "fooone;footwo;foothree"));
|
||||
|
||||
_cleanup_free_ char *r = strv_join_full(STRV_MAKE("a", "a;b", "a:c"), ";", NULL, true);
|
||||
r = strv_join_prefix((char **)input_table_multiple, NULL, "foo");
|
||||
assert_se(r);
|
||||
assert_se(streq(r, "a;a\\;b;a:c"));
|
||||
assert_se(streq(r, "fooone footwo foothree"));
|
||||
|
||||
_cleanup_free_ char *s = strv_join_full(STRV_MAKE("a", "a;b", "a;;c", ";", ";x"), ";", NULL, true);
|
||||
s = strv_join_prefix((char **)input_table_one, ", ", "foo");
|
||||
assert_se(s);
|
||||
assert_se(streq(s, "a;a\\;b;a\\;\\;c;\\;;\\;x"));
|
||||
assert_se(streq(s, "fooone"));
|
||||
|
||||
_cleanup_free_ char *t = strv_join_full(STRV_MAKE("a", "a;b", "a:c", ";"), ";", "=", true);
|
||||
t = strv_join_prefix((char **)input_table_none, ", ", "foo");
|
||||
assert_se(t);
|
||||
assert_se(streq(t, "=a;=a\\;b;=a:c;=\\;"));
|
||||
t = mfree(t);
|
||||
assert_se(streq(t, ""));
|
||||
|
||||
_cleanup_free_ char *u = strv_join_full((char **)input_table_multiple, NULL, "foo", false);
|
||||
assert_se(u);
|
||||
assert_se(streq(u, "fooone footwo foothree"));
|
||||
|
||||
_cleanup_free_ char *v = strv_join_full((char **)input_table_one, ", ", "foo", false);
|
||||
v = strv_join_prefix((char **)input_table_two_empties, ", ", "foo");
|
||||
assert_se(v);
|
||||
assert_se(streq(v, "fooone"));
|
||||
assert_se(streq(v, "foo, foo"));
|
||||
|
||||
_cleanup_free_ char *w = strv_join_full((char **)input_table_none, ", ", "foo", false);
|
||||
w = strv_join_prefix((char **)input_table_one_empty, ", ", "foo");
|
||||
assert_se(w);
|
||||
assert_se(streq(w, ""));
|
||||
|
||||
_cleanup_free_ char *x = strv_join_full((char **)input_table_two_empties, ", ", "foo", false);
|
||||
assert_se(x);
|
||||
assert_se(streq(x, "foo, foo"));
|
||||
|
||||
_cleanup_free_ char *y = strv_join_full((char **)input_table_one_empty, ", ", "foo", false);
|
||||
assert_se(y);
|
||||
assert_se(streq(y, "foo"));
|
||||
assert_se(streq(w, "foo"));
|
||||
}
|
||||
|
||||
static void test_strv_unquote(const char *quoted, char **list) {
|
||||
|
|
@ -1008,7 +995,7 @@ int main(int argc, char *argv[]) {
|
|||
test_strv_find_prefix();
|
||||
test_strv_find_startswith();
|
||||
test_strv_join();
|
||||
test_strv_join_full();
|
||||
test_strv_join_prefix();
|
||||
|
||||
test_strv_unquote(" foo=bar \"waldo\" zzz ", STRV_MAKE("foo=bar", "waldo", "zzz"));
|
||||
test_strv_unquote("", STRV_MAKE_EMPTY);
|
||||
|
|
|
|||
|
|
@ -110,8 +110,10 @@ static const char* parse_token(const char *current, int32_t *val_out) {
|
|||
static int override_abs(sd_device *dev, int fd, unsigned evcode, const char *value) {
|
||||
struct input_absinfo absinfo;
|
||||
const char *next;
|
||||
int r;
|
||||
|
||||
if (ioctl(fd, EVIOCGABS(evcode), &absinfo) < 0)
|
||||
r = ioctl(fd, EVIOCGABS(evcode), &absinfo);
|
||||
if (r < 0)
|
||||
return log_device_error_errno(dev, errno, "Failed to call EVIOCGABS");
|
||||
|
||||
next = parse_token(value, &absinfo.minimum);
|
||||
|
|
@ -120,12 +122,12 @@ static int override_abs(sd_device *dev, int fd, unsigned evcode, const char *val
|
|||
next = parse_token(next, &absinfo.fuzz);
|
||||
next = parse_token(next, &absinfo.flat);
|
||||
if (!next)
|
||||
return log_device_error_errno(dev, SYNTHETIC_ERRNO(EINVAL),
|
||||
"Failed to parse EV_ABS override '%s'", value);
|
||||
return log_device_error_errno(dev, SYNTHETIC_ERRNO(EINVAL), "Failed to parse EV_ABS override '%s'", value);
|
||||
|
||||
log_device_debug(dev, "keyboard: %x overridden with %"PRIi32"/%"PRIi32"/%"PRIi32"/%"PRIi32"/%"PRIi32,
|
||||
evcode, absinfo.minimum, absinfo.maximum, absinfo.resolution, absinfo.fuzz, absinfo.flat);
|
||||
if (ioctl(fd, EVIOCSABS(evcode), &absinfo) < 0)
|
||||
r = ioctl(fd, EVIOCSABS(evcode), &absinfo);
|
||||
if (r < 0)
|
||||
return log_device_error_errno(dev, errno, "Failed to call EVIOCSABS");
|
||||
|
||||
return 0;
|
||||
|
|
|
|||
|
|
@ -60,12 +60,11 @@ fi
|
|||
umount ${image_dir}/mount
|
||||
umount ${image_dir}/mount2
|
||||
|
||||
systemd-run -t -p RootImage=${image}.raw cat /usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
systemd-run -t --property RootImage=${image}.raw /usr/bin/cat /usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
mv ${image}.verity ${image}.fooverity
|
||||
mv ${image}.roothash ${image}.foohash
|
||||
systemd-run -t -p RootImage=${image}.raw -p RootHash=${image}.foohash -p RootVerity=${image}.fooverity cat /usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
# Let's use the long option name just here as a test
|
||||
systemd-run -t --property RootImage=${image}.raw --property RootHash=${roothash} --property RootVerity=${image}.fooverity cat /usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
systemd-run -t --property RootImage=${image}.raw --property RootHash=${image}.foohash --property RootVerity=${image}.fooverity /usr/bin/cat /usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
systemd-run -t --property RootImage=${image}.raw --property RootHash=${roothash} --property RootVerity=${image}.fooverity /usr/bin/cat /usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
mv ${image}.fooverity ${image}.verity
|
||||
mv ${image}.foohash ${image}.roothash
|
||||
|
||||
|
|
@ -129,19 +128,19 @@ cat ${image_dir}/mount/etc/os-release | grep -q -F -f $os_release
|
|||
cat ${image_dir}/mount/usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
umount ${image_dir}/mount
|
||||
|
||||
# add explicit -p MountAPIVFS=yes once to test the parser
|
||||
systemd-run -t -p RootImage=${image}.gpt -p RootHash=${roothash} -p MountAPIVFS=yes cat /usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
systemd-run -t --property RootImage=${image}.gpt --property RootHash=${roothash} /usr/bin/cat /usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
|
||||
systemd-run -t -p RootImage=${image}.raw -p RootImageOptions="root:nosuid,dev home:ro,dev ro,noatime" mount | grep -F "squashfs" | grep -q -F "nosuid"
|
||||
systemd-run -t -p RootImage=${image}.gpt -p RootImageOptions="root:ro,noatime root:ro,dev" mount | grep -F "squashfs" | grep -q -F "noatime"
|
||||
systemd-run -t --property RootImage=${image}.raw --property RootImageOptions="root:nosuid,dev home:ro,dev ro,noatime" --property MountAPIVFS=yes mount | grep -F "squashfs" | grep -q -F "nosuid"
|
||||
systemd-run -t --property RootImage=${image}.gpt --property RootImageOptions="root:ro,noatime root:ro,dev" --property MountAPIVFS=yes mount | grep -F "squashfs" | grep -q -F "noatime"
|
||||
|
||||
mkdir -p mkdir -p ${image_dir}/result
|
||||
cat >/run/systemd/system/testservice-50a.service <<EOF
|
||||
cat > /run/systemd/system/testservice-50a.service <<EOF
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=bash -c "mount >/run/result/a"
|
||||
ExecStart=bash -c "mount > /run/result/a"
|
||||
BindPaths=${image_dir}/result:/run/result
|
||||
TemporaryFileSystem=/run
|
||||
MountAPIVFS=yes
|
||||
RootImage=${image}.raw
|
||||
RootImageOptions=root:ro,noatime home:ro,dev relatime,dev
|
||||
RootImageOptions=nosuid,dev
|
||||
|
|
@ -150,34 +149,33 @@ systemctl start testservice-50a.service
|
|||
grep -F "squashfs" ${image_dir}/result/a | grep -q -F "noatime"
|
||||
grep -F "squashfs" ${image_dir}/result/a | grep -q -F -v "nosuid"
|
||||
|
||||
cat >/run/systemd/system/testservice-50b.service <<EOF
|
||||
cat > /run/systemd/system/testservice-50b.service <<EOF
|
||||
[Service]
|
||||
Type=oneshot
|
||||
ExecStart=bash -c "mount >/run/result/b"
|
||||
ExecStart=bash -c "mount > /run/result/b"
|
||||
BindPaths=${image_dir}/result:/run/result
|
||||
TemporaryFileSystem=/run
|
||||
MountAPIVFS=yes
|
||||
RootImage=${image}.gpt
|
||||
RootImageOptions=root:ro,noatime,nosuid home:ro,dev nosuid,dev
|
||||
RootImageOptions=home:ro,dev nosuid,dev,%%foo
|
||||
# this is the default, but let's specify once to test the parser
|
||||
MountAPIVFS=yes
|
||||
EOF
|
||||
systemctl start testservice-50b.service
|
||||
grep -F "squashfs" ${image_dir}/result/b | grep -q -F "noatime"
|
||||
|
||||
# Check that specifier escape is applied %%foo → %foo
|
||||
# Check that specifier escape is applied %%foo -> %foo
|
||||
busctl get-property org.freedesktop.systemd1 /org/freedesktop/systemd1/unit/testservice_2d50b_2eservice org.freedesktop.systemd1.Service RootImageOptions | grep -F "nosuid,dev,%foo"
|
||||
|
||||
# Now do some checks with MountImages, both by itself, with options and in combination with RootImage, and as single FS or GPT image
|
||||
systemd-run -t -p MountImages="${image}.gpt:/run/img1 ${image}.raw:/run/img2" cat /run/img1/usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
systemd-run -t -p MountImages="${image}.gpt:/run/img1 ${image}.raw:/run/img2" cat /run/img2/usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
systemd-run -t -p MountImages="${image}.gpt:/run/img1 ${image}.raw:/run/img2:nosuid,dev" mount | grep -F "squashfs" | grep -q -F "nosuid"
|
||||
systemd-run -t -p MountImages="${image}.gpt:/run/img1:root:nosuid ${image}.raw:/run/img2:home:suid" mount | grep -F "squashfs" | grep -q -F "nosuid"
|
||||
systemd-run -t -p MountImages="${image}.raw:/run/img2\:3" cat /run/img2:3/usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
systemd-run -t -p MountImages="${image}.raw:/run/img2\:3:nosuid" mount | grep -F "squashfs" | grep -q -F "nosuid"
|
||||
systemd-run -t -p TemporaryFileSystem=/run -p RootImage=${image}.raw -p MountImages="${image}.gpt:/run/img1 ${image}.raw:/run/img2" cat /usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
systemd-run -t -p TemporaryFileSystem=/run -p RootImage=${image}.raw -p MountImages="${image}.gpt:/run/img1 ${image}.raw:/run/img2" cat /run/img1/usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
systemd-run -t -p TemporaryFileSystem=/run -p RootImage=${image}.gpt -p RootHash=${roothash} -p MountImages="${image}.gpt:/run/img1 ${image}.raw:/run/img2" cat /run/img2/usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
systemd-run -t --property MountImages="${image}.gpt:/run/img1 ${image}.raw:/run/img2" /usr/bin/cat /run/img1/usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
systemd-run -t --property MountImages="${image}.gpt:/run/img1 ${image}.raw:/run/img2" /usr/bin/cat /run/img2/usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
systemd-run -t --property MountImages="${image}.gpt:/run/img1 ${image}.raw:/run/img2:nosuid,dev" --property MountAPIVFS=yes mount | grep -F "squashfs" | grep -q -F "nosuid"
|
||||
systemd-run -t --property MountImages="${image}.gpt:/run/img1:root:nosuid ${image}.raw:/run/img2:home:suid" --property MountAPIVFS=yes mount | grep -F "squashfs" | grep -q -F "nosuid"
|
||||
systemd-run -t --property MountImages="${image}.raw:/run/img2\:3" /usr/bin/cat /run/img2:3/usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
systemd-run -t --property MountImages="${image}.raw:/run/img2\:3:nosuid" --property MountAPIVFS=yes mount | grep -F "squashfs" | grep -q -F "nosuid"
|
||||
systemd-run -t --property TemporaryFileSystem=/run --property RootImage=${image}.raw --property MountImages="${image}.gpt:/run/img1 ${image}.raw:/run/img2" /usr/bin/cat /usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
systemd-run -t --property TemporaryFileSystem=/run --property RootImage=${image}.raw --property MountImages="${image}.gpt:/run/img1 ${image}.raw:/run/img2" /usr/bin/cat /run/img1/usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
systemd-run -t --property TemporaryFileSystem=/run --property RootImage=${image}.gpt --property RootHash=${roothash} --property MountImages="${image}.gpt:/run/img1 ${image}.raw:/run/img2" /usr/bin/cat /run/img2/usr/lib/os-release | grep -q -F "MARKER=1"
|
||||
cat >/run/systemd/system/testservice-50c.service <<EOF
|
||||
[Service]
|
||||
MountAPIVFS=yes
|
||||
|
|
@ -185,9 +183,9 @@ TemporaryFileSystem=/run
|
|||
RootImage=${image}.raw
|
||||
MountImages=${image}.gpt:/run/img1:root:noatime:home:relatime
|
||||
MountImages=${image}.raw:/run/img2\:3:nosuid
|
||||
ExecStart=bash -c "cat /run/img1/usr/lib/os-release >/run/result/c"
|
||||
ExecStart=bash -c "cat /run/img2:3/usr/lib/os-release >>/run/result/c"
|
||||
ExecStart=bash -c "mount >>/run/result/c"
|
||||
ExecStart=bash -c "cat /run/img1/usr/lib/os-release > /run/result/c"
|
||||
ExecStart=bash -c "cat /run/img2:3/usr/lib/os-release >> /run/result/c"
|
||||
ExecStart=bash -c "mount >> /run/result/c"
|
||||
BindPaths=${image_dir}/result:/run/result
|
||||
Type=oneshot
|
||||
EOF
|
||||
|
|
@ -196,6 +194,6 @@ grep -q -F "MARKER=1" ${image_dir}/result/c
|
|||
grep -F "squashfs" ${image_dir}/result/c | grep -q -F "noatime"
|
||||
grep -F "squashfs" ${image_dir}/result/c | grep -q -F -v "nosuid"
|
||||
|
||||
echo OK >/testok
|
||||
echo OK > /testok
|
||||
|
||||
exit 0
|
||||
|
|
|
|||
Loading…
Reference in New Issue