Compare commits
11 Commits
4096043f05
...
76410e9849
Author | SHA1 | Date |
---|---|---|
Lennart Poettering | 76410e9849 | |
Lennart Poettering | 04d1ee0f7e | |
Lennart Poettering | dcff2fa5d1 | |
Lennart Poettering | c98fef264b | |
Daan De Meyer | bac1b83217 | |
Zbigniew Jędrzejewski-Szmek | 2344aefccf | |
Daan De Meyer | 8653422b6a | |
Zbigniew Jędrzejewski-Szmek | c11428adf9 | |
Zbigniew Jędrzejewski-Szmek | 460e5af05d | |
Zbigniew Jędrzejewski-Szmek | 7009610ff5 | |
Zbigniew Jędrzejewski-Szmek | 6164ec4c93 |
9
TODO
9
TODO
|
@ -22,6 +22,9 @@ Janitorial Clean-ups:
|
|||
|
||||
Features:
|
||||
|
||||
* busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
|
||||
exists and responds.
|
||||
|
||||
* homed: add homed.conf setting DefaultStorage= or so
|
||||
|
||||
* homed: maybe pre-create ~/.cache as subvol so that it can have separate quota
|
||||
|
@ -35,10 +38,6 @@ Features:
|
|||
thus allows defining OS images which can be A/B updated and we default to the
|
||||
newest version automatically, both in nspawn and in sd-boot
|
||||
|
||||
* drop sd_bus_message_set_priority() from sd-bus API and documentation as much
|
||||
as we can, it's a kdbus left-over and unlikely to come back on AF_UNIX, since
|
||||
it's not really implementable there.
|
||||
|
||||
* cryptsetup/homed: also support FIDO2 HMAC password logic for unlocking
|
||||
devices. (see: https://github.com/mjec/fido2-hmac-secret)
|
||||
|
||||
|
@ -136,6 +135,8 @@ Features:
|
|||
* userdb: allow username prefix searches in varlink API, allow realname and
|
||||
realname substr searches in varlink API
|
||||
|
||||
* userdb: allow uid/gid range checks
|
||||
|
||||
* userdb: allow existence checks
|
||||
|
||||
* pid: activation by journal search expression
|
||||
|
|
|
@ -359,7 +359,9 @@ manpages = [
|
|||
['sd_bus_message_verify_type', '3', [], ''],
|
||||
['sd_bus_negotiate_fds',
|
||||
'3',
|
||||
['sd_bus_negotiate_creds', 'sd_bus_negotiate_timestamp'],
|
||||
['sd_bus_get_creds_mask',
|
||||
'sd_bus_negotiate_creds',
|
||||
'sd_bus_negotiate_timestamp'],
|
||||
''],
|
||||
['sd_bus_new',
|
||||
'3',
|
||||
|
@ -376,6 +378,7 @@ manpages = [
|
|||
['sd_bus_path_decode', 'sd_bus_path_decode_many', 'sd_bus_path_encode_many'],
|
||||
''],
|
||||
['sd_bus_process', '3', [], ''],
|
||||
['sd_bus_query_sender_creds', '3', ['sd_bus_query_sender_privilege'], ''],
|
||||
['sd_bus_reply_method_error',
|
||||
'3',
|
||||
['sd_bus_reply_method_errno',
|
||||
|
|
|
@ -74,6 +74,7 @@
|
|||
<citerefentry><refentrytitle>sd_bus_get_address</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_get_allow_interactive_authorization</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_get_bus_id</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_get_creds_mask</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_get_current_handler</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_get_current_message</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_get_current_slot</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
|
@ -138,6 +139,8 @@
|
|||
<citerefentry><refentrytitle>sd_bus_new</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_path_encode</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_process</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_query_sender_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_query_sender_privilege</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_reply_method_return</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_reply_method_error</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_request_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
|
|
|
@ -19,6 +19,7 @@
|
|||
<refname>sd_bus_negotiate_fds</refname>
|
||||
<refname>sd_bus_negotiate_timestamp</refname>
|
||||
<refname>sd_bus_negotiate_creds</refname>
|
||||
<refname>sd_bus_get_creds_mask</refname>
|
||||
|
||||
<refpurpose>Control feature negotiation on bus connections</refpurpose>
|
||||
</refnamediv>
|
||||
|
@ -45,69 +46,69 @@
|
|||
<paramdef>int <parameter>b</parameter></paramdef>
|
||||
<paramdef>uint64_t <parameter>mask</parameter></paramdef>
|
||||
</funcprototype>
|
||||
|
||||
<funcprototype>
|
||||
<funcdef>int <function>sd_bus_get_creds_mask</function></funcdef>
|
||||
<paramdef>sd_bus *<parameter>bus</parameter></paramdef>
|
||||
<paramdef>uint64_t *<parameter>mask</parameter></paramdef>
|
||||
</funcprototype>
|
||||
</funcsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para><function>sd_bus_negotiate_fds()</function> controls whether
|
||||
file descriptor passing shall be negotiated for the specified bus
|
||||
connection. It takes a bus object and a boolean, which, when true,
|
||||
enables file descriptor passing, and, when false, disables
|
||||
it. Note that not all transports and servers support file
|
||||
descriptor passing. In particular, networked transports generally
|
||||
do not support file descriptor passing. To find out whether file
|
||||
descriptor passing is available after negotiation, use
|
||||
<para><function>sd_bus_negotiate_fds()</function> controls whether file descriptor passing shall be
|
||||
negotiated for the specified bus connection. It takes a bus object and a boolean, which, when true,
|
||||
enables file descriptor passing, and, when false, disables it. Note that not all transports and servers
|
||||
support file descriptor passing. In particular, networked transports generally do not support file
|
||||
descriptor passing. To find out whether file descriptor passing is available after negotiation, use
|
||||
<citerefentry><refentrytitle>sd_bus_can_send</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
||||
and pass <constant>SD_BUS_TYPE_UNIX_FD</constant>. Note that file
|
||||
descriptor passing is always enabled for both sending and
|
||||
receiving or for neither, but never only in one direction. By
|
||||
default, file descriptor passing is negotiated for all
|
||||
connections.</para>
|
||||
and pass <constant>SD_BUS_TYPE_UNIX_FD</constant>. Note that file descriptor passing is always enabled
|
||||
for both sending and receiving or for neither, but never only in one direction. By default, file
|
||||
descriptor passing is negotiated for all connections.</para>
|
||||
|
||||
<para><function>sd_bus_negotiate_timestamp()</function> controls whether implicit sender
|
||||
timestamps shall be attached automatically to all incoming messages. Takes a bus object and a
|
||||
boolean, which, when true, enables timestamping, and, when false, disables it. Use
|
||||
<para><function>sd_bus_negotiate_timestamp()</function> controls whether implicit sender timestamps shall
|
||||
be attached automatically to all incoming messages. Takes a bus object and a boolean, which, when true,
|
||||
enables timestamping, and, when false, disables it. Use
|
||||
<citerefentry><refentrytitle>sd_bus_message_get_monotonic_usec</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_message_get_realtime_usec</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_message_get_seqnum</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
||||
to query the timestamps of incoming messages. If negotiation is disabled or not supported, these
|
||||
calls will fail with <constant>-ENODATA</constant>. Note that currently no transports support
|
||||
timestamping of messages. By default, message timestamping is not negotiated for
|
||||
connections.</para>
|
||||
to query the timestamps of incoming messages. If negotiation is disabled or not supported, these calls
|
||||
will fail with <constant>-ENODATA</constant>. Note that currently no transports support timestamping of
|
||||
messages. By default, message timestamping is not negotiated for connections.</para>
|
||||
|
||||
<para><function>sd_bus_negotiate_creds()</function> controls whether and which implicit sender
|
||||
credentials shall be attached automatically to all incoming messages. Takes a bus object and a
|
||||
boolean indicating whether to enable or disable the credential parts encoded in the bit mask
|
||||
value argument. Note that not all transports support attaching sender credentials to messages,
|
||||
or do not support all types of sender credential parameters, or might suppress them under
|
||||
certain circumstances for individual messages. Specifically, dbus1 only supports
|
||||
<constant>SD_BUS_CREDS_UNIQUE_NAME</constant>. The sender credentials are suitable for
|
||||
authorization decisions. By default, only <constant>SD_BUS_CREDS_WELL_KNOWN_NAMES</constant> and
|
||||
<constant>SD_BUS_CREDS_UNIQUE_NAME</constant> are enabled. In fact, these two credential fields
|
||||
are always sent along and cannot be turned off.</para>
|
||||
credentials shall be attached automatically to all incoming messages. Takes a bus object and a boolean
|
||||
indicating whether to enable or disable the credential parts encoded in the bit mask value argument. Note
|
||||
that not all transports support attaching sender credentials to messages, or do not support all types of
|
||||
sender credential parameters, or might suppress them under certain circumstances for individual messages.
|
||||
Specifically, dbus1 only supports <constant>SD_BUS_CREDS_UNIQUE_NAME</constant>. The sender credentials
|
||||
are suitable for authorization decisions. By default, only
|
||||
<constant>SD_BUS_CREDS_WELL_KNOWN_NAMES</constant> and <constant>SD_BUS_CREDS_UNIQUE_NAME</constant> are
|
||||
enabled. In fact, these two credential fields are always sent along and cannot be turned off.</para>
|
||||
|
||||
<para>The <function>sd_bus_negotiate_fds()</function> function may
|
||||
be called only before the connection has been started with
|
||||
<para><function>sd_bus_get_creds_mask()</function> returns the set of sender credentials that was
|
||||
negotiated to be attached to all incoming messages in <parameter>mask</parameter>. This value is an
|
||||
upper boundary only. Hence, always make sure to explicitly check which credentials are attached to a
|
||||
specific message before using it.</para>
|
||||
|
||||
<para>The <function>sd_bus_negotiate_fds()</function> function may be called only before the connection
|
||||
has been started with
|
||||
<citerefentry><refentrytitle>sd_bus_start</refentrytitle><manvolnum>3</manvolnum></citerefentry>. Both
|
||||
<function>sd_bus_negotiate_timestamp()</function> and
|
||||
<function>sd_bus_negotiate_creds()</function> may also be called
|
||||
after a connection has been set up. Note that, when operating on a
|
||||
connection that is shared between multiple components of the same
|
||||
program (for example via
|
||||
<citerefentry><refentrytitle>sd_bus_default</refentrytitle><manvolnum>3</manvolnum></citerefentry>),
|
||||
it is highly recommended to only enable additional per message
|
||||
metadata fields, but never disable them again, in order not to
|
||||
disable functionality needed by other components.</para>
|
||||
<function>sd_bus_negotiate_timestamp()</function> and <function>sd_bus_negotiate_creds()</function> may
|
||||
also be called after a connection has been set up. Note that, when operating on a connection that is
|
||||
shared between multiple components of the same program (for example via
|
||||
<citerefentry><refentrytitle>sd_bus_default</refentrytitle><manvolnum>3</manvolnum></citerefentry>), it
|
||||
is highly recommended to only enable additional per message metadata fields, but never disable them
|
||||
again, in order not to disable functionality needed by other components.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Return Value</title>
|
||||
|
||||
<para>On success, these functions return 0 or a
|
||||
positive integer. On failure, they return a negative errno-style
|
||||
error code.</para>
|
||||
<para>On success, these functions return a non-negative integer. On failure, they return a negative
|
||||
errno-style error code.</para>
|
||||
|
||||
<refsect2>
|
||||
<title>Errors</title>
|
||||
|
@ -120,6 +121,24 @@
|
|||
|
||||
<listitem><para>The bus connection has already been started.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><constant>-EINVAL</constant></term>
|
||||
|
||||
<listitem><para>An argument is invalid.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><constant>-ENOPKG</constant></term>
|
||||
|
||||
<listitem><para>The bus cannot be resolved.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><constant>-ECHILD</constant></term>
|
||||
|
||||
<listitem><para>The bus was created in a different process.</para></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect2>
|
||||
</refsect1>
|
||||
|
|
|
@ -0,0 +1,133 @@
|
|||
<?xml version='1.0'?> <!--*-nxml-*-->
|
||||
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
||||
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||
<!-- SPDX-License-Identifier: LGPL-2.1+ -->
|
||||
|
||||
<refentry id="sd_bus_query_sender_creds" xmlns:xi="http://www.w3.org/2001/XInclude">
|
||||
|
||||
<refentryinfo>
|
||||
<title>sd_bus_query_sender_creds</title>
|
||||
<productname>systemd</productname>
|
||||
</refentryinfo>
|
||||
|
||||
<refmeta>
|
||||
<refentrytitle>sd_bus_query_sender_creds</refentrytitle>
|
||||
<manvolnum>3</manvolnum>
|
||||
</refmeta>
|
||||
|
||||
<refnamediv>
|
||||
<refname>sd_bus_query_sender_creds</refname>
|
||||
<refname>sd_bus_query_sender_privilege</refname>
|
||||
|
||||
<refpurpose>Query bus message sender credentials/privileges</refpurpose>
|
||||
</refnamediv>
|
||||
|
||||
<refsynopsisdiv>
|
||||
<funcsynopsis>
|
||||
<funcsynopsisinfo>#include <systemd/sd-bus.h></funcsynopsisinfo>
|
||||
|
||||
<funcprototype>
|
||||
<funcdef>int <function>sd_bus_query_sender_creds</function></funcdef>
|
||||
<paramdef>sd_bus_message *<parameter>m</parameter></paramdef>
|
||||
<paramdef>uint64_t <parameter>mask</parameter></paramdef>
|
||||
<paramdef>sd_bus_creds **<parameter>creds</parameter></paramdef>
|
||||
</funcprototype>
|
||||
|
||||
<funcprototype>
|
||||
<funcdef>sd_bus_error* <function>sd_bus_query_sender_privilege</function></funcdef>
|
||||
<paramdef>sd_bus_message *<parameter>m</parameter></paramdef>
|
||||
<paramdef>int <parameter>capability</parameter></paramdef>
|
||||
</funcprototype>
|
||||
</funcsynopsis>
|
||||
</refsynopsisdiv>
|
||||
|
||||
<refsect1>
|
||||
<title>Description</title>
|
||||
|
||||
<para><function>sd_bus_query_sender_creds()</function> returns the credentials of the message
|
||||
<parameter>m</parameter>. The <parameter>mask</parameter> parameter is a combo of
|
||||
<constant index='false'>SD_BUS_CREDS_*</constant> flags that indicate which credential info the caller is
|
||||
interested in. See
|
||||
<citerefentry><refentrytitle>sd_bus_creds_new_from_pid</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
||||
for a list of possible flags. First, this message checks if the requested credentials are attached to the
|
||||
message itself. If not but the message contains the pid of the sender, this function tries to figure out
|
||||
the missing credentials via other means (starting from the pid). If the pid isn't available but the
|
||||
message has a sender, this function calls
|
||||
<citerefentry><refentrytitle>sd_bus_get_name_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
||||
to get the requested credentials. If the message has no sender (when a direct connection is used), this
|
||||
function calls
|
||||
<citerefentry><refentrytitle>sd_bus_get_owner_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
||||
to get the requested credentials. On success, the requested credentials are stored in
|
||||
<parameter>creds</parameter>. Ownership of the credentials object in <parameter>creds</parameter> is
|
||||
transferred to the caller and should be freed by calling
|
||||
<citerefentry><refentrytitle>sd_bus_creds_unref</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
||||
</para>
|
||||
|
||||
<para><function>sd_bus_query_sender_privilege()</function> checks if the message <parameter>m</parameter>
|
||||
has the requested privileges. If <parameter>capability</parameter> is a non-negative integer, this
|
||||
function checks if the message has the capability with the same value. See
|
||||
<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
||||
for a list of capabilities. If <parameter>capability</parameter> is a negative integer, this function
|
||||
returns whether the sender of the message runs as the same user as the receiver of the message, or if the
|
||||
sender of the message runs as root and the receiver of the message does not run as root. On success and
|
||||
if the message has the requested privileges, this function returns a positive integer. If the message
|
||||
does not have the requested privileges, this function returns zero.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
<title>Return Value</title>
|
||||
|
||||
<para>On success, these functions return a non-negative integer. On failure, they return a negative
|
||||
errno-style error code.</para>
|
||||
|
||||
<refsect2>
|
||||
<title>Errors</title>
|
||||
|
||||
<para>Returned errors may indicate the following problems:</para>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
<term><constant>-EINVAL</constant></term>
|
||||
|
||||
<listitem><para>The message <parameter>m</parameter> or an output parameter is
|
||||
<constant>NULL</constant>.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><constant>-ENOTCONN</constant></term>
|
||||
|
||||
<listitem><para>The bus of <parameter>m</parameter> is not connected.</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><constant>-ECHILD</constant></term>
|
||||
|
||||
<listitem><para>The bus of <parameter>m</parameter> was created in a different process.
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><constant>-EPERM</constant></term>
|
||||
|
||||
<listitem><para>The message <parameter>m</parameter> is not sealed.</para></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect2>
|
||||
</refsect1>
|
||||
|
||||
<xi:include href="libsystemd-pkgconfig.xml" />
|
||||
|
||||
<refsect1>
|
||||
<title>See Also</title>
|
||||
|
||||
<para>
|
||||
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_creds_new_from_pid</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_get_name_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_get_owner_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry><refentrytitle>sd_bus_creds_unref</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||
<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
||||
</para>
|
||||
</refsect1>
|
||||
</refentry>
|
2115
meson.build
2115
meson.build
File diff suppressed because it is too large
Load Diff
|
@ -1208,6 +1208,7 @@ static int bump_rlimit_nofile(struct rlimit *saved_rlimit) {
|
|||
|
||||
static int bump_rlimit_memlock(struct rlimit *saved_rlimit) {
|
||||
struct rlimit new_rlimit;
|
||||
uint64_t mm;
|
||||
int r;
|
||||
|
||||
/* BPF_MAP_TYPE_LPM_TRIE bpf maps are charged against RLIMIT_MEMLOCK, even if we have CAP_IPC_LOCK which should
|
||||
|
@ -1218,9 +1219,12 @@ static int bump_rlimit_memlock(struct rlimit *saved_rlimit) {
|
|||
* must be unsigned, hence this is a given, but let's make this clear here. */
|
||||
assert_cc(RLIM_INFINITY > 0);
|
||||
|
||||
mm = physical_memory() / 8; /* Let's scale how much we allow to be locked by the amount of physical
|
||||
* RAM. We allow an eigth to be locked by us, just to pick a value. */
|
||||
|
||||
new_rlimit = (struct rlimit) {
|
||||
.rlim_cur = MAX(HIGH_RLIMIT_MEMLOCK, saved_rlimit->rlim_cur),
|
||||
.rlim_max = MAX(HIGH_RLIMIT_MEMLOCK, saved_rlimit->rlim_max),
|
||||
.rlim_cur = MAX3(HIGH_RLIMIT_MEMLOCK, saved_rlimit->rlim_cur, mm),
|
||||
.rlim_max = MAX3(HIGH_RLIMIT_MEMLOCK, saved_rlimit->rlim_max, mm),
|
||||
};
|
||||
|
||||
if (saved_rlimit->rlim_max >= new_rlimit.rlim_cur &&
|
||||
|
|
|
@ -190,9 +190,9 @@ static int list_homes(int argc, char *argv[], void *userdata) {
|
|||
|
||||
if (arg_legend && !arg_json) {
|
||||
if (table_get_rows(table) > 1)
|
||||
printf("\n%zu homes listed.\n", table_get_rows(table) - 1);
|
||||
printf("\n%zu home areas listed.\n", table_get_rows(table) - 1);
|
||||
else
|
||||
printf("No homes.\n");
|
||||
printf("No home areas.\n");
|
||||
}
|
||||
|
||||
return 0;
|
||||
|
@ -2134,20 +2134,20 @@ static int help(int argc, char *argv[], void *userdata) {
|
|||
printf("%1$s [OPTIONS...] COMMAND ...\n\n"
|
||||
"%2$sCreate, manipulate or inspect home directories.%3$s\n"
|
||||
"\n%4$sCommands:%5$s\n"
|
||||
" list List homes\n"
|
||||
" activate USER… Activate home\n"
|
||||
" deactivate USER… Deactivate home\n"
|
||||
" inspect USER… Inspect home\n"
|
||||
" authenticate USER… Authenticate home\n"
|
||||
" list List home areas\n"
|
||||
" activate USER… Activate a home area\n"
|
||||
" deactivate USER… Deactivate a home area\n"
|
||||
" inspect USER… Inspect a home area\n"
|
||||
" authenticate USER… Authenticate a home area\n"
|
||||
" create USER Create a home area\n"
|
||||
" remove USER… Remove a home area\n"
|
||||
" update USER Update a home area\n"
|
||||
" passwd USER Change password of a home area\n"
|
||||
" resize USER SIZE Resize a home area\n"
|
||||
" lock USER… Temporarily lock an active home\n"
|
||||
" unlock USER… Unlock a temporarily locked home\n"
|
||||
" lock-all Lock all suitable homes\n"
|
||||
" with USER [COMMAND…] Run shell or command with access to home\n"
|
||||
" lock USER… Temporarily lock an active home area\n"
|
||||
" unlock USER… Unlock a temporarily locked home area\n"
|
||||
" lock-all Lock all suitable home areas\n"
|
||||
" with USER [COMMAND…] Run shell or command with access to a home area\n"
|
||||
"\n%4$sOptions:%5$s\n"
|
||||
" -h --help Show this help\n"
|
||||
" --version Show package version\n"
|
||||
|
@ -2248,7 +2248,7 @@ static int help(int argc, char *argv[], void *userdata) {
|
|||
"\n%4$sCIFS User Record Properties:%5$s\n"
|
||||
" --cifs-domain=DOMAIN CIFS (Windows) domain\n"
|
||||
" --cifs-user-name=USER CIFS (Windows) user name\n"
|
||||
" --cifs-service=SERVICE CIFS (Windows) service to mount as home\n"
|
||||
" --cifs-service=SERVICE CIFS (Windows) service to mount as home area\n"
|
||||
"\n%4$sLogin Behaviour User Record Properties:%5$s\n"
|
||||
" --stop-delay=SECS How long to leave user services running after\n"
|
||||
" logout\n"
|
||||
|
|
|
@ -569,7 +569,7 @@ int mount_all(const char *dest,
|
|||
static const MountPoint mount_table[] = {
|
||||
/* First we list inner child mounts (i.e. mounts applied *after* entering user namespacing) */
|
||||
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||
MOUNT_FATAL|MOUNT_IN_USERNS },
|
||||
MOUNT_FATAL|MOUNT_IN_USERNS|MOUNT_MKDIR },
|
||||
|
||||
{ "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND,
|
||||
MOUNT_FATAL|MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO }, /* Bind mount first ... */
|
||||
|
@ -599,23 +599,23 @@ int mount_all(const char *dest,
|
|||
PROC_READ_ONLY("/proc/scsi"),
|
||||
|
||||
{ "mqueue", "/dev/mqueue", "mqueue", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||
MOUNT_IN_USERNS },
|
||||
MOUNT_IN_USERNS|MOUNT_MKDIR },
|
||||
|
||||
/* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing) */
|
||||
{ "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||
MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP },
|
||||
MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP|MOUNT_MKDIR },
|
||||
{ "tmpfs", "/sys", "tmpfs", "mode=555", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||
MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS },
|
||||
MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS|MOUNT_MKDIR },
|
||||
{ "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||
MOUNT_FATAL|MOUNT_APPLY_APIVFS_RO }, /* skipped if above was mounted */
|
||||
MOUNT_FATAL|MOUNT_APPLY_APIVFS_RO|MOUNT_MKDIR }, /* skipped if above was mounted */
|
||||
{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||
MOUNT_FATAL }, /* skipped if above was mounted */
|
||||
MOUNT_FATAL|MOUNT_MKDIR }, /* skipped if above was mounted */
|
||||
{ "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME,
|
||||
MOUNT_FATAL },
|
||||
MOUNT_FATAL|MOUNT_MKDIR },
|
||||
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||
MOUNT_FATAL },
|
||||
MOUNT_FATAL|MOUNT_MKDIR },
|
||||
{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||
MOUNT_FATAL },
|
||||
MOUNT_FATAL|MOUNT_MKDIR },
|
||||
|
||||
#if HAVE_SELINUX
|
||||
{ "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND,
|
||||
|
@ -663,17 +663,19 @@ int mount_all(const char *dest,
|
|||
continue;
|
||||
}
|
||||
|
||||
r = mkdir_userns_p(dest, where, 0755, (use_userns && !in_userns) ? uid_shift : UID_INVALID);
|
||||
if (r < 0 && r != -EEXIST) {
|
||||
if (fatal && r != -EROFS)
|
||||
return log_error_errno(r, "Failed to create directory %s: %m", where);
|
||||
if (FLAGS_SET(mount_table[k].mount_settings, MOUNT_MKDIR)) {
|
||||
r = mkdir_userns_p(dest, where, 0755, (use_userns && !in_userns) ? uid_shift : UID_INVALID);
|
||||
if (r < 0 && r != -EEXIST) {
|
||||
if (fatal && r != -EROFS)
|
||||
return log_error_errno(r, "Failed to create directory %s: %m", where);
|
||||
|
||||
log_debug_errno(r, "Failed to create directory %s: %m", where);
|
||||
/* If we failed mkdir() or chown() due to the root
|
||||
* directory being read only, attempt to mount this fs
|
||||
* anyway and let mount_verbose log any errors */
|
||||
if (r != -EROFS)
|
||||
continue;
|
||||
log_debug_errno(r, "Failed to create directory %s: %m", where);
|
||||
|
||||
/* If we failed mkdir() or chown() due to the root directory being read only,
|
||||
* attempt to mount this fs anyway and let mount_verbose log any errors */
|
||||
if (r != -EROFS)
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
o = mount_table[k].options;
|
||||
|
|
|
@ -16,6 +16,7 @@ typedef enum MountSettingsMask {
|
|||
MOUNT_APPLY_TMPFS_TMP = 1 << 5, /* if set, /tmp will be mounted as tmpfs */
|
||||
MOUNT_ROOT_ONLY = 1 << 6, /* if set, only root mounts are mounted */
|
||||
MOUNT_NON_ROOT_ONLY = 1 << 7, /* if set, only non-root mounts are mounted */
|
||||
MOUNT_MKDIR = 1 << 8, /* if set, make directory to mount over first */
|
||||
} MountSettingsMask;
|
||||
|
||||
typedef enum CustomMountType {
|
||||
|
|
|
@ -385,8 +385,8 @@ int sd_bus_emit_interfaces_added(sd_bus *bus, const char *path, const char *inte
|
|||
int sd_bus_emit_interfaces_removed_strv(sd_bus *bus, const char *path, char **interfaces);
|
||||
int sd_bus_emit_interfaces_removed(sd_bus *bus, const char *path, const char *interface, ...) _sd_sentinel_;
|
||||
|
||||
int sd_bus_query_sender_creds(sd_bus_message *call, uint64_t mask, sd_bus_creds **creds);
|
||||
int sd_bus_query_sender_privilege(sd_bus_message *call, int capability);
|
||||
int sd_bus_query_sender_creds(sd_bus_message *m, uint64_t mask, sd_bus_creds **creds);
|
||||
int sd_bus_query_sender_privilege(sd_bus_message *m, int capability);
|
||||
|
||||
int sd_bus_match_signal(sd_bus *bus, sd_bus_slot **ret, const char *sender, const char *path, const char *interface, const char *member, sd_bus_message_handler_t callback, void *userdata);
|
||||
int sd_bus_match_signal_async(sd_bus *bus, sd_bus_slot **ret, const char *sender, const char *path, const char *interface, const char *member, sd_bus_message_handler_t match_callback, sd_bus_message_handler_t add_callback, void *userdata);
|
||||
|
|
|
@ -581,24 +581,24 @@ static int help(int argc, char *argv[], void *userdata) {
|
|||
printf("%s [OPTIONS...] COMMAND ...\n\n"
|
||||
"%sShow user and group information.%s\n"
|
||||
"\nCommands:\n"
|
||||
" user [USER…] Inspect user\n"
|
||||
" group [GROUP…] Inspect group\n"
|
||||
" users-in-group [GROUP…] Show users that are members of specified group(s)\n"
|
||||
" groups-of-user [USER…] Show groups the specified user(s) is a member of\n"
|
||||
" services Show enabled database services\n"
|
||||
" user [USER…] Inspect user\n"
|
||||
" group [GROUP…] Inspect group\n"
|
||||
" users-in-group [GROUP…] Show users that are members of specified group(s)\n"
|
||||
" groups-of-user [USER…] Show groups the specified user(s) is a member of\n"
|
||||
" services Show enabled database services\n"
|
||||
"\nOptions:\n"
|
||||
" -h --help Show this help\n"
|
||||
" --version Show package version\n"
|
||||
" --no-pager Do not pipe output into a pager\n"
|
||||
" --no-legend Do not show the headers and footers\n"
|
||||
" --output=MODE Select output mode (classic, friendly, table, json)\n"
|
||||
" -j Equivalent to --output=json\n"
|
||||
" -h --help Show this help\n"
|
||||
" --version Show package version\n"
|
||||
" --no-pager Do not pipe output into a pager\n"
|
||||
" --no-legend Do not show the headers and footers\n"
|
||||
" --output=MODE Select output mode (classic, friendly, table, json)\n"
|
||||
" -j Equivalent to --output=json\n"
|
||||
" -s --service=SERVICE[:SERVICE…]\n"
|
||||
" Query the specified service\n"
|
||||
" --with-nss=BOOL Control whether to include glibc NSS data\n"
|
||||
" -N Disable inclusion of glibc NSS data and disable synthesizing\n"
|
||||
" (Same as --with-nss=no --synthesize=no)\n"
|
||||
" --synthesize=BOOL Synthesize root/nobody user\n"
|
||||
" Query the specified service\n"
|
||||
" --with-nss=BOOL Control whether to include glibc NSS data\n"
|
||||
" -N Do not synthesize or include glibc NSS data\n"
|
||||
" (Same as --synthesize=no --with-nss=no)\n"
|
||||
" --synthesize=BOOL Synthesize root/nobody user\n"
|
||||
"\nSee the %s for details.\n"
|
||||
, program_invocation_short_name
|
||||
, ansi_highlight(), ansi_normal()
|
||||
|
|
Loading…
Reference in New Issue