Compare commits
11 Commits
4096043f05
...
76410e9849
Author | SHA1 | Date |
---|---|---|
Lennart Poettering | 76410e9849 | |
Lennart Poettering | 04d1ee0f7e | |
Lennart Poettering | dcff2fa5d1 | |
Lennart Poettering | c98fef264b | |
Daan De Meyer | bac1b83217 | |
Zbigniew Jędrzejewski-Szmek | 2344aefccf | |
Daan De Meyer | 8653422b6a | |
Zbigniew Jędrzejewski-Szmek | c11428adf9 | |
Zbigniew Jędrzejewski-Szmek | 460e5af05d | |
Zbigniew Jędrzejewski-Szmek | 7009610ff5 | |
Zbigniew Jędrzejewski-Szmek | 6164ec4c93 |
9
TODO
9
TODO
|
@ -22,6 +22,9 @@ Janitorial Clean-ups:
|
||||||
|
|
||||||
Features:
|
Features:
|
||||||
|
|
||||||
|
* busctl: maybe expose a verb "ping" for pinging a dbus service to see if it
|
||||||
|
exists and responds.
|
||||||
|
|
||||||
* homed: add homed.conf setting DefaultStorage= or so
|
* homed: add homed.conf setting DefaultStorage= or so
|
||||||
|
|
||||||
* homed: maybe pre-create ~/.cache as subvol so that it can have separate quota
|
* homed: maybe pre-create ~/.cache as subvol so that it can have separate quota
|
||||||
|
@ -35,10 +38,6 @@ Features:
|
||||||
thus allows defining OS images which can be A/B updated and we default to the
|
thus allows defining OS images which can be A/B updated and we default to the
|
||||||
newest version automatically, both in nspawn and in sd-boot
|
newest version automatically, both in nspawn and in sd-boot
|
||||||
|
|
||||||
* drop sd_bus_message_set_priority() from sd-bus API and documentation as much
|
|
||||||
as we can, it's a kdbus left-over and unlikely to come back on AF_UNIX, since
|
|
||||||
it's not really implementable there.
|
|
||||||
|
|
||||||
* cryptsetup/homed: also support FIDO2 HMAC password logic for unlocking
|
* cryptsetup/homed: also support FIDO2 HMAC password logic for unlocking
|
||||||
devices. (see: https://github.com/mjec/fido2-hmac-secret)
|
devices. (see: https://github.com/mjec/fido2-hmac-secret)
|
||||||
|
|
||||||
|
@ -136,6 +135,8 @@ Features:
|
||||||
* userdb: allow username prefix searches in varlink API, allow realname and
|
* userdb: allow username prefix searches in varlink API, allow realname and
|
||||||
realname substr searches in varlink API
|
realname substr searches in varlink API
|
||||||
|
|
||||||
|
* userdb: allow uid/gid range checks
|
||||||
|
|
||||||
* userdb: allow existence checks
|
* userdb: allow existence checks
|
||||||
|
|
||||||
* pid: activation by journal search expression
|
* pid: activation by journal search expression
|
||||||
|
|
|
@ -359,7 +359,9 @@ manpages = [
|
||||||
['sd_bus_message_verify_type', '3', [], ''],
|
['sd_bus_message_verify_type', '3', [], ''],
|
||||||
['sd_bus_negotiate_fds',
|
['sd_bus_negotiate_fds',
|
||||||
'3',
|
'3',
|
||||||
['sd_bus_negotiate_creds', 'sd_bus_negotiate_timestamp'],
|
['sd_bus_get_creds_mask',
|
||||||
|
'sd_bus_negotiate_creds',
|
||||||
|
'sd_bus_negotiate_timestamp'],
|
||||||
''],
|
''],
|
||||||
['sd_bus_new',
|
['sd_bus_new',
|
||||||
'3',
|
'3',
|
||||||
|
@ -376,6 +378,7 @@ manpages = [
|
||||||
['sd_bus_path_decode', 'sd_bus_path_decode_many', 'sd_bus_path_encode_many'],
|
['sd_bus_path_decode', 'sd_bus_path_decode_many', 'sd_bus_path_encode_many'],
|
||||||
''],
|
''],
|
||||||
['sd_bus_process', '3', [], ''],
|
['sd_bus_process', '3', [], ''],
|
||||||
|
['sd_bus_query_sender_creds', '3', ['sd_bus_query_sender_privilege'], ''],
|
||||||
['sd_bus_reply_method_error',
|
['sd_bus_reply_method_error',
|
||||||
'3',
|
'3',
|
||||||
['sd_bus_reply_method_errno',
|
['sd_bus_reply_method_errno',
|
||||||
|
|
|
@ -74,6 +74,7 @@
|
||||||
<citerefentry><refentrytitle>sd_bus_get_address</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>sd_bus_get_address</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
<citerefentry><refentrytitle>sd_bus_get_allow_interactive_authorization</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>sd_bus_get_allow_interactive_authorization</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
<citerefentry><refentrytitle>sd_bus_get_bus_id</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>sd_bus_get_bus_id</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
|
<citerefentry><refentrytitle>sd_bus_get_creds_mask</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
<citerefentry><refentrytitle>sd_bus_get_current_handler</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>sd_bus_get_current_handler</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
<citerefentry><refentrytitle>sd_bus_get_current_message</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>sd_bus_get_current_message</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
<citerefentry><refentrytitle>sd_bus_get_current_slot</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>sd_bus_get_current_slot</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
|
@ -138,6 +139,8 @@
|
||||||
<citerefentry><refentrytitle>sd_bus_new</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>sd_bus_new</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
<citerefentry><refentrytitle>sd_bus_path_encode</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>sd_bus_path_encode</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
<citerefentry><refentrytitle>sd_bus_process</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>sd_bus_process</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
|
<citerefentry><refentrytitle>sd_bus_query_sender_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
|
<citerefentry><refentrytitle>sd_bus_query_sender_privilege</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
<citerefentry><refentrytitle>sd_bus_reply_method_return</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>sd_bus_reply_method_return</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
<citerefentry><refentrytitle>sd_bus_reply_method_error</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>sd_bus_reply_method_error</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
<citerefentry><refentrytitle>sd_bus_request_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>sd_bus_request_name</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
|
|
|
@ -19,6 +19,7 @@
|
||||||
<refname>sd_bus_negotiate_fds</refname>
|
<refname>sd_bus_negotiate_fds</refname>
|
||||||
<refname>sd_bus_negotiate_timestamp</refname>
|
<refname>sd_bus_negotiate_timestamp</refname>
|
||||||
<refname>sd_bus_negotiate_creds</refname>
|
<refname>sd_bus_negotiate_creds</refname>
|
||||||
|
<refname>sd_bus_get_creds_mask</refname>
|
||||||
|
|
||||||
<refpurpose>Control feature negotiation on bus connections</refpurpose>
|
<refpurpose>Control feature negotiation on bus connections</refpurpose>
|
||||||
</refnamediv>
|
</refnamediv>
|
||||||
|
@ -45,69 +46,69 @@
|
||||||
<paramdef>int <parameter>b</parameter></paramdef>
|
<paramdef>int <parameter>b</parameter></paramdef>
|
||||||
<paramdef>uint64_t <parameter>mask</parameter></paramdef>
|
<paramdef>uint64_t <parameter>mask</parameter></paramdef>
|
||||||
</funcprototype>
|
</funcprototype>
|
||||||
|
|
||||||
|
<funcprototype>
|
||||||
|
<funcdef>int <function>sd_bus_get_creds_mask</function></funcdef>
|
||||||
|
<paramdef>sd_bus *<parameter>bus</parameter></paramdef>
|
||||||
|
<paramdef>uint64_t *<parameter>mask</parameter></paramdef>
|
||||||
|
</funcprototype>
|
||||||
</funcsynopsis>
|
</funcsynopsis>
|
||||||
</refsynopsisdiv>
|
</refsynopsisdiv>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Description</title>
|
<title>Description</title>
|
||||||
|
|
||||||
<para><function>sd_bus_negotiate_fds()</function> controls whether
|
<para><function>sd_bus_negotiate_fds()</function> controls whether file descriptor passing shall be
|
||||||
file descriptor passing shall be negotiated for the specified bus
|
negotiated for the specified bus connection. It takes a bus object and a boolean, which, when true,
|
||||||
connection. It takes a bus object and a boolean, which, when true,
|
enables file descriptor passing, and, when false, disables it. Note that not all transports and servers
|
||||||
enables file descriptor passing, and, when false, disables
|
support file descriptor passing. In particular, networked transports generally do not support file
|
||||||
it. Note that not all transports and servers support file
|
descriptor passing. To find out whether file descriptor passing is available after negotiation, use
|
||||||
descriptor passing. In particular, networked transports generally
|
|
||||||
do not support file descriptor passing. To find out whether file
|
|
||||||
descriptor passing is available after negotiation, use
|
|
||||||
<citerefentry><refentrytitle>sd_bus_can_send</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>sd_bus_can_send</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
||||||
and pass <constant>SD_BUS_TYPE_UNIX_FD</constant>. Note that file
|
and pass <constant>SD_BUS_TYPE_UNIX_FD</constant>. Note that file descriptor passing is always enabled
|
||||||
descriptor passing is always enabled for both sending and
|
for both sending and receiving or for neither, but never only in one direction. By default, file
|
||||||
receiving or for neither, but never only in one direction. By
|
descriptor passing is negotiated for all connections.</para>
|
||||||
default, file descriptor passing is negotiated for all
|
|
||||||
connections.</para>
|
|
||||||
|
|
||||||
<para><function>sd_bus_negotiate_timestamp()</function> controls whether implicit sender
|
<para><function>sd_bus_negotiate_timestamp()</function> controls whether implicit sender timestamps shall
|
||||||
timestamps shall be attached automatically to all incoming messages. Takes a bus object and a
|
be attached automatically to all incoming messages. Takes a bus object and a boolean, which, when true,
|
||||||
boolean, which, when true, enables timestamping, and, when false, disables it. Use
|
enables timestamping, and, when false, disables it. Use
|
||||||
<citerefentry><refentrytitle>sd_bus_message_get_monotonic_usec</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>sd_bus_message_get_monotonic_usec</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
<citerefentry><refentrytitle>sd_bus_message_get_realtime_usec</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
<citerefentry><refentrytitle>sd_bus_message_get_realtime_usec</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
<citerefentry><refentrytitle>sd_bus_message_get_seqnum</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
<citerefentry><refentrytitle>sd_bus_message_get_seqnum</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
||||||
to query the timestamps of incoming messages. If negotiation is disabled or not supported, these
|
to query the timestamps of incoming messages. If negotiation is disabled or not supported, these calls
|
||||||
calls will fail with <constant>-ENODATA</constant>. Note that currently no transports support
|
will fail with <constant>-ENODATA</constant>. Note that currently no transports support timestamping of
|
||||||
timestamping of messages. By default, message timestamping is not negotiated for
|
messages. By default, message timestamping is not negotiated for connections.</para>
|
||||||
connections.</para>
|
|
||||||
|
|
||||||
<para><function>sd_bus_negotiate_creds()</function> controls whether and which implicit sender
|
<para><function>sd_bus_negotiate_creds()</function> controls whether and which implicit sender
|
||||||
credentials shall be attached automatically to all incoming messages. Takes a bus object and a
|
credentials shall be attached automatically to all incoming messages. Takes a bus object and a boolean
|
||||||
boolean indicating whether to enable or disable the credential parts encoded in the bit mask
|
indicating whether to enable or disable the credential parts encoded in the bit mask value argument. Note
|
||||||
value argument. Note that not all transports support attaching sender credentials to messages,
|
that not all transports support attaching sender credentials to messages, or do not support all types of
|
||||||
or do not support all types of sender credential parameters, or might suppress them under
|
sender credential parameters, or might suppress them under certain circumstances for individual messages.
|
||||||
certain circumstances for individual messages. Specifically, dbus1 only supports
|
Specifically, dbus1 only supports <constant>SD_BUS_CREDS_UNIQUE_NAME</constant>. The sender credentials
|
||||||
<constant>SD_BUS_CREDS_UNIQUE_NAME</constant>. The sender credentials are suitable for
|
are suitable for authorization decisions. By default, only
|
||||||
authorization decisions. By default, only <constant>SD_BUS_CREDS_WELL_KNOWN_NAMES</constant> and
|
<constant>SD_BUS_CREDS_WELL_KNOWN_NAMES</constant> and <constant>SD_BUS_CREDS_UNIQUE_NAME</constant> are
|
||||||
<constant>SD_BUS_CREDS_UNIQUE_NAME</constant> are enabled. In fact, these two credential fields
|
enabled. In fact, these two credential fields are always sent along and cannot be turned off.</para>
|
||||||
are always sent along and cannot be turned off.</para>
|
|
||||||
|
|
||||||
<para>The <function>sd_bus_negotiate_fds()</function> function may
|
<para><function>sd_bus_get_creds_mask()</function> returns the set of sender credentials that was
|
||||||
be called only before the connection has been started with
|
negotiated to be attached to all incoming messages in <parameter>mask</parameter>. This value is an
|
||||||
|
upper boundary only. Hence, always make sure to explicitly check which credentials are attached to a
|
||||||
|
specific message before using it.</para>
|
||||||
|
|
||||||
|
<para>The <function>sd_bus_negotiate_fds()</function> function may be called only before the connection
|
||||||
|
has been started with
|
||||||
<citerefentry><refentrytitle>sd_bus_start</refentrytitle><manvolnum>3</manvolnum></citerefentry>. Both
|
<citerefentry><refentrytitle>sd_bus_start</refentrytitle><manvolnum>3</manvolnum></citerefentry>. Both
|
||||||
<function>sd_bus_negotiate_timestamp()</function> and
|
<function>sd_bus_negotiate_timestamp()</function> and <function>sd_bus_negotiate_creds()</function> may
|
||||||
<function>sd_bus_negotiate_creds()</function> may also be called
|
also be called after a connection has been set up. Note that, when operating on a connection that is
|
||||||
after a connection has been set up. Note that, when operating on a
|
shared between multiple components of the same program (for example via
|
||||||
connection that is shared between multiple components of the same
|
<citerefentry><refentrytitle>sd_bus_default</refentrytitle><manvolnum>3</manvolnum></citerefentry>), it
|
||||||
program (for example via
|
is highly recommended to only enable additional per message metadata fields, but never disable them
|
||||||
<citerefentry><refentrytitle>sd_bus_default</refentrytitle><manvolnum>3</manvolnum></citerefentry>),
|
again, in order not to disable functionality needed by other components.</para>
|
||||||
it is highly recommended to only enable additional per message
|
|
||||||
metadata fields, but never disable them again, in order not to
|
|
||||||
disable functionality needed by other components.</para>
|
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
||||||
<refsect1>
|
<refsect1>
|
||||||
<title>Return Value</title>
|
<title>Return Value</title>
|
||||||
|
|
||||||
<para>On success, these functions return 0 or a
|
<para>On success, these functions return a non-negative integer. On failure, they return a negative
|
||||||
positive integer. On failure, they return a negative errno-style
|
errno-style error code.</para>
|
||||||
error code.</para>
|
|
||||||
|
|
||||||
<refsect2>
|
<refsect2>
|
||||||
<title>Errors</title>
|
<title>Errors</title>
|
||||||
|
@ -120,6 +121,24 @@
|
||||||
|
|
||||||
<listitem><para>The bus connection has already been started.</para></listitem>
|
<listitem><para>The bus connection has already been started.</para></listitem>
|
||||||
</varlistentry>
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><constant>-EINVAL</constant></term>
|
||||||
|
|
||||||
|
<listitem><para>An argument is invalid.</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><constant>-ENOPKG</constant></term>
|
||||||
|
|
||||||
|
<listitem><para>The bus cannot be resolved.</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><constant>-ECHILD</constant></term>
|
||||||
|
|
||||||
|
<listitem><para>The bus was created in a different process.</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
</variablelist>
|
</variablelist>
|
||||||
</refsect2>
|
</refsect2>
|
||||||
</refsect1>
|
</refsect1>
|
||||||
|
|
|
@ -0,0 +1,133 @@
|
||||||
|
<?xml version='1.0'?> <!--*-nxml-*-->
|
||||||
|
<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
|
||||||
|
"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
|
||||||
|
<!-- SPDX-License-Identifier: LGPL-2.1+ -->
|
||||||
|
|
||||||
|
<refentry id="sd_bus_query_sender_creds" xmlns:xi="http://www.w3.org/2001/XInclude">
|
||||||
|
|
||||||
|
<refentryinfo>
|
||||||
|
<title>sd_bus_query_sender_creds</title>
|
||||||
|
<productname>systemd</productname>
|
||||||
|
</refentryinfo>
|
||||||
|
|
||||||
|
<refmeta>
|
||||||
|
<refentrytitle>sd_bus_query_sender_creds</refentrytitle>
|
||||||
|
<manvolnum>3</manvolnum>
|
||||||
|
</refmeta>
|
||||||
|
|
||||||
|
<refnamediv>
|
||||||
|
<refname>sd_bus_query_sender_creds</refname>
|
||||||
|
<refname>sd_bus_query_sender_privilege</refname>
|
||||||
|
|
||||||
|
<refpurpose>Query bus message sender credentials/privileges</refpurpose>
|
||||||
|
</refnamediv>
|
||||||
|
|
||||||
|
<refsynopsisdiv>
|
||||||
|
<funcsynopsis>
|
||||||
|
<funcsynopsisinfo>#include <systemd/sd-bus.h></funcsynopsisinfo>
|
||||||
|
|
||||||
|
<funcprototype>
|
||||||
|
<funcdef>int <function>sd_bus_query_sender_creds</function></funcdef>
|
||||||
|
<paramdef>sd_bus_message *<parameter>m</parameter></paramdef>
|
||||||
|
<paramdef>uint64_t <parameter>mask</parameter></paramdef>
|
||||||
|
<paramdef>sd_bus_creds **<parameter>creds</parameter></paramdef>
|
||||||
|
</funcprototype>
|
||||||
|
|
||||||
|
<funcprototype>
|
||||||
|
<funcdef>sd_bus_error* <function>sd_bus_query_sender_privilege</function></funcdef>
|
||||||
|
<paramdef>sd_bus_message *<parameter>m</parameter></paramdef>
|
||||||
|
<paramdef>int <parameter>capability</parameter></paramdef>
|
||||||
|
</funcprototype>
|
||||||
|
</funcsynopsis>
|
||||||
|
</refsynopsisdiv>
|
||||||
|
|
||||||
|
<refsect1>
|
||||||
|
<title>Description</title>
|
||||||
|
|
||||||
|
<para><function>sd_bus_query_sender_creds()</function> returns the credentials of the message
|
||||||
|
<parameter>m</parameter>. The <parameter>mask</parameter> parameter is a combo of
|
||||||
|
<constant index='false'>SD_BUS_CREDS_*</constant> flags that indicate which credential info the caller is
|
||||||
|
interested in. See
|
||||||
|
<citerefentry><refentrytitle>sd_bus_creds_new_from_pid</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
||||||
|
for a list of possible flags. First, this message checks if the requested credentials are attached to the
|
||||||
|
message itself. If not but the message contains the pid of the sender, this function tries to figure out
|
||||||
|
the missing credentials via other means (starting from the pid). If the pid isn't available but the
|
||||||
|
message has a sender, this function calls
|
||||||
|
<citerefentry><refentrytitle>sd_bus_get_name_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
||||||
|
to get the requested credentials. If the message has no sender (when a direct connection is used), this
|
||||||
|
function calls
|
||||||
|
<citerefentry><refentrytitle>sd_bus_get_owner_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>
|
||||||
|
to get the requested credentials. On success, the requested credentials are stored in
|
||||||
|
<parameter>creds</parameter>. Ownership of the credentials object in <parameter>creds</parameter> is
|
||||||
|
transferred to the caller and should be freed by calling
|
||||||
|
<citerefentry><refentrytitle>sd_bus_creds_unref</refentrytitle><manvolnum>3</manvolnum></citerefentry>.
|
||||||
|
</para>
|
||||||
|
|
||||||
|
<para><function>sd_bus_query_sender_privilege()</function> checks if the message <parameter>m</parameter>
|
||||||
|
has the requested privileges. If <parameter>capability</parameter> is a non-negative integer, this
|
||||||
|
function checks if the message has the capability with the same value. See
|
||||||
|
<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
||||||
|
for a list of capabilities. If <parameter>capability</parameter> is a negative integer, this function
|
||||||
|
returns whether the sender of the message runs as the same user as the receiver of the message, or if the
|
||||||
|
sender of the message runs as root and the receiver of the message does not run as root. On success and
|
||||||
|
if the message has the requested privileges, this function returns a positive integer. If the message
|
||||||
|
does not have the requested privileges, this function returns zero.</para>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
|
<refsect1>
|
||||||
|
<title>Return Value</title>
|
||||||
|
|
||||||
|
<para>On success, these functions return a non-negative integer. On failure, they return a negative
|
||||||
|
errno-style error code.</para>
|
||||||
|
|
||||||
|
<refsect2>
|
||||||
|
<title>Errors</title>
|
||||||
|
|
||||||
|
<para>Returned errors may indicate the following problems:</para>
|
||||||
|
|
||||||
|
<variablelist>
|
||||||
|
<varlistentry>
|
||||||
|
<term><constant>-EINVAL</constant></term>
|
||||||
|
|
||||||
|
<listitem><para>The message <parameter>m</parameter> or an output parameter is
|
||||||
|
<constant>NULL</constant>.</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><constant>-ENOTCONN</constant></term>
|
||||||
|
|
||||||
|
<listitem><para>The bus of <parameter>m</parameter> is not connected.</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><constant>-ECHILD</constant></term>
|
||||||
|
|
||||||
|
<listitem><para>The bus of <parameter>m</parameter> was created in a different process.
|
||||||
|
</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
|
||||||
|
<varlistentry>
|
||||||
|
<term><constant>-EPERM</constant></term>
|
||||||
|
|
||||||
|
<listitem><para>The message <parameter>m</parameter> is not sealed.</para></listitem>
|
||||||
|
</varlistentry>
|
||||||
|
</variablelist>
|
||||||
|
</refsect2>
|
||||||
|
</refsect1>
|
||||||
|
|
||||||
|
<xi:include href="libsystemd-pkgconfig.xml" />
|
||||||
|
|
||||||
|
<refsect1>
|
||||||
|
<title>See Also</title>
|
||||||
|
|
||||||
|
<para>
|
||||||
|
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
|
||||||
|
<citerefentry><refentrytitle>sd-bus</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
|
<citerefentry><refentrytitle>sd_bus_creds_new_from_pid</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
|
<citerefentry><refentrytitle>sd_bus_get_name_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
|
<citerefentry><refentrytitle>sd_bus_get_owner_creds</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
|
<citerefentry><refentrytitle>sd_bus_creds_unref</refentrytitle><manvolnum>3</manvolnum></citerefentry>,
|
||||||
|
<citerefentry project='man-pages'><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
|
||||||
|
</para>
|
||||||
|
</refsect1>
|
||||||
|
</refentry>
|
389
meson.build
389
meson.build
File diff suppressed because it is too large
Load Diff
|
@ -1208,6 +1208,7 @@ static int bump_rlimit_nofile(struct rlimit *saved_rlimit) {
|
||||||
|
|
||||||
static int bump_rlimit_memlock(struct rlimit *saved_rlimit) {
|
static int bump_rlimit_memlock(struct rlimit *saved_rlimit) {
|
||||||
struct rlimit new_rlimit;
|
struct rlimit new_rlimit;
|
||||||
|
uint64_t mm;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
/* BPF_MAP_TYPE_LPM_TRIE bpf maps are charged against RLIMIT_MEMLOCK, even if we have CAP_IPC_LOCK which should
|
/* BPF_MAP_TYPE_LPM_TRIE bpf maps are charged against RLIMIT_MEMLOCK, even if we have CAP_IPC_LOCK which should
|
||||||
|
@ -1218,9 +1219,12 @@ static int bump_rlimit_memlock(struct rlimit *saved_rlimit) {
|
||||||
* must be unsigned, hence this is a given, but let's make this clear here. */
|
* must be unsigned, hence this is a given, but let's make this clear here. */
|
||||||
assert_cc(RLIM_INFINITY > 0);
|
assert_cc(RLIM_INFINITY > 0);
|
||||||
|
|
||||||
|
mm = physical_memory() / 8; /* Let's scale how much we allow to be locked by the amount of physical
|
||||||
|
* RAM. We allow an eigth to be locked by us, just to pick a value. */
|
||||||
|
|
||||||
new_rlimit = (struct rlimit) {
|
new_rlimit = (struct rlimit) {
|
||||||
.rlim_cur = MAX(HIGH_RLIMIT_MEMLOCK, saved_rlimit->rlim_cur),
|
.rlim_cur = MAX3(HIGH_RLIMIT_MEMLOCK, saved_rlimit->rlim_cur, mm),
|
||||||
.rlim_max = MAX(HIGH_RLIMIT_MEMLOCK, saved_rlimit->rlim_max),
|
.rlim_max = MAX3(HIGH_RLIMIT_MEMLOCK, saved_rlimit->rlim_max, mm),
|
||||||
};
|
};
|
||||||
|
|
||||||
if (saved_rlimit->rlim_max >= new_rlimit.rlim_cur &&
|
if (saved_rlimit->rlim_max >= new_rlimit.rlim_cur &&
|
||||||
|
|
|
@ -190,9 +190,9 @@ static int list_homes(int argc, char *argv[], void *userdata) {
|
||||||
|
|
||||||
if (arg_legend && !arg_json) {
|
if (arg_legend && !arg_json) {
|
||||||
if (table_get_rows(table) > 1)
|
if (table_get_rows(table) > 1)
|
||||||
printf("\n%zu homes listed.\n", table_get_rows(table) - 1);
|
printf("\n%zu home areas listed.\n", table_get_rows(table) - 1);
|
||||||
else
|
else
|
||||||
printf("No homes.\n");
|
printf("No home areas.\n");
|
||||||
}
|
}
|
||||||
|
|
||||||
return 0;
|
return 0;
|
||||||
|
@ -2134,20 +2134,20 @@ static int help(int argc, char *argv[], void *userdata) {
|
||||||
printf("%1$s [OPTIONS...] COMMAND ...\n\n"
|
printf("%1$s [OPTIONS...] COMMAND ...\n\n"
|
||||||
"%2$sCreate, manipulate or inspect home directories.%3$s\n"
|
"%2$sCreate, manipulate or inspect home directories.%3$s\n"
|
||||||
"\n%4$sCommands:%5$s\n"
|
"\n%4$sCommands:%5$s\n"
|
||||||
" list List homes\n"
|
" list List home areas\n"
|
||||||
" activate USER… Activate home\n"
|
" activate USER… Activate a home area\n"
|
||||||
" deactivate USER… Deactivate home\n"
|
" deactivate USER… Deactivate a home area\n"
|
||||||
" inspect USER… Inspect home\n"
|
" inspect USER… Inspect a home area\n"
|
||||||
" authenticate USER… Authenticate home\n"
|
" authenticate USER… Authenticate a home area\n"
|
||||||
" create USER Create a home area\n"
|
" create USER Create a home area\n"
|
||||||
" remove USER… Remove a home area\n"
|
" remove USER… Remove a home area\n"
|
||||||
" update USER Update a home area\n"
|
" update USER Update a home area\n"
|
||||||
" passwd USER Change password of a home area\n"
|
" passwd USER Change password of a home area\n"
|
||||||
" resize USER SIZE Resize a home area\n"
|
" resize USER SIZE Resize a home area\n"
|
||||||
" lock USER… Temporarily lock an active home\n"
|
" lock USER… Temporarily lock an active home area\n"
|
||||||
" unlock USER… Unlock a temporarily locked home\n"
|
" unlock USER… Unlock a temporarily locked home area\n"
|
||||||
" lock-all Lock all suitable homes\n"
|
" lock-all Lock all suitable home areas\n"
|
||||||
" with USER [COMMAND…] Run shell or command with access to home\n"
|
" with USER [COMMAND…] Run shell or command with access to a home area\n"
|
||||||
"\n%4$sOptions:%5$s\n"
|
"\n%4$sOptions:%5$s\n"
|
||||||
" -h --help Show this help\n"
|
" -h --help Show this help\n"
|
||||||
" --version Show package version\n"
|
" --version Show package version\n"
|
||||||
|
@ -2248,7 +2248,7 @@ static int help(int argc, char *argv[], void *userdata) {
|
||||||
"\n%4$sCIFS User Record Properties:%5$s\n"
|
"\n%4$sCIFS User Record Properties:%5$s\n"
|
||||||
" --cifs-domain=DOMAIN CIFS (Windows) domain\n"
|
" --cifs-domain=DOMAIN CIFS (Windows) domain\n"
|
||||||
" --cifs-user-name=USER CIFS (Windows) user name\n"
|
" --cifs-user-name=USER CIFS (Windows) user name\n"
|
||||||
" --cifs-service=SERVICE CIFS (Windows) service to mount as home\n"
|
" --cifs-service=SERVICE CIFS (Windows) service to mount as home area\n"
|
||||||
"\n%4$sLogin Behaviour User Record Properties:%5$s\n"
|
"\n%4$sLogin Behaviour User Record Properties:%5$s\n"
|
||||||
" --stop-delay=SECS How long to leave user services running after\n"
|
" --stop-delay=SECS How long to leave user services running after\n"
|
||||||
" logout\n"
|
" logout\n"
|
||||||
|
|
|
@ -569,7 +569,7 @@ int mount_all(const char *dest,
|
||||||
static const MountPoint mount_table[] = {
|
static const MountPoint mount_table[] = {
|
||||||
/* First we list inner child mounts (i.e. mounts applied *after* entering user namespacing) */
|
/* First we list inner child mounts (i.e. mounts applied *after* entering user namespacing) */
|
||||||
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "proc", "/proc", "proc", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
MOUNT_FATAL|MOUNT_IN_USERNS },
|
MOUNT_FATAL|MOUNT_IN_USERNS|MOUNT_MKDIR },
|
||||||
|
|
||||||
{ "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND,
|
{ "/proc/sys", "/proc/sys", NULL, NULL, MS_BIND,
|
||||||
MOUNT_FATAL|MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO }, /* Bind mount first ... */
|
MOUNT_FATAL|MOUNT_IN_USERNS|MOUNT_APPLY_APIVFS_RO }, /* Bind mount first ... */
|
||||||
|
@ -599,23 +599,23 @@ int mount_all(const char *dest,
|
||||||
PROC_READ_ONLY("/proc/scsi"),
|
PROC_READ_ONLY("/proc/scsi"),
|
||||||
|
|
||||||
{ "mqueue", "/dev/mqueue", "mqueue", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "mqueue", "/dev/mqueue", "mqueue", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
MOUNT_IN_USERNS },
|
MOUNT_IN_USERNS|MOUNT_MKDIR },
|
||||||
|
|
||||||
/* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing) */
|
/* Then we list outer child mounts (i.e. mounts applied *before* entering user namespacing) */
|
||||||
{ "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
{ "tmpfs", "/tmp", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||||
MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP },
|
MOUNT_FATAL|MOUNT_APPLY_TMPFS_TMP|MOUNT_MKDIR },
|
||||||
{ "tmpfs", "/sys", "tmpfs", "mode=555", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "tmpfs", "/sys", "tmpfs", "mode=555", MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS },
|
MOUNT_FATAL|MOUNT_APPLY_APIVFS_NETNS|MOUNT_MKDIR },
|
||||||
{ "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "sysfs", "/sys", "sysfs", NULL, MS_RDONLY|MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
MOUNT_FATAL|MOUNT_APPLY_APIVFS_RO }, /* skipped if above was mounted */
|
MOUNT_FATAL|MOUNT_APPLY_APIVFS_RO|MOUNT_MKDIR }, /* skipped if above was mounted */
|
||||||
{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
{ "sysfs", "/sys", "sysfs", NULL, MS_NOSUID|MS_NOEXEC|MS_NODEV,
|
||||||
MOUNT_FATAL }, /* skipped if above was mounted */
|
MOUNT_FATAL|MOUNT_MKDIR }, /* skipped if above was mounted */
|
||||||
{ "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME,
|
{ "tmpfs", "/dev", "tmpfs", "mode=755", MS_NOSUID|MS_STRICTATIME,
|
||||||
MOUNT_FATAL },
|
MOUNT_FATAL|MOUNT_MKDIR },
|
||||||
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
{ "tmpfs", "/dev/shm", "tmpfs", "mode=1777", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||||
MOUNT_FATAL },
|
MOUNT_FATAL|MOUNT_MKDIR },
|
||||||
{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
{ "tmpfs", "/run", "tmpfs", "mode=755", MS_NOSUID|MS_NODEV|MS_STRICTATIME,
|
||||||
MOUNT_FATAL },
|
MOUNT_FATAL|MOUNT_MKDIR },
|
||||||
|
|
||||||
#if HAVE_SELINUX
|
#if HAVE_SELINUX
|
||||||
{ "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND,
|
{ "/sys/fs/selinux", "/sys/fs/selinux", NULL, NULL, MS_BIND,
|
||||||
|
@ -663,18 +663,20 @@ int mount_all(const char *dest,
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
if (FLAGS_SET(mount_table[k].mount_settings, MOUNT_MKDIR)) {
|
||||||
r = mkdir_userns_p(dest, where, 0755, (use_userns && !in_userns) ? uid_shift : UID_INVALID);
|
r = mkdir_userns_p(dest, where, 0755, (use_userns && !in_userns) ? uid_shift : UID_INVALID);
|
||||||
if (r < 0 && r != -EEXIST) {
|
if (r < 0 && r != -EEXIST) {
|
||||||
if (fatal && r != -EROFS)
|
if (fatal && r != -EROFS)
|
||||||
return log_error_errno(r, "Failed to create directory %s: %m", where);
|
return log_error_errno(r, "Failed to create directory %s: %m", where);
|
||||||
|
|
||||||
log_debug_errno(r, "Failed to create directory %s: %m", where);
|
log_debug_errno(r, "Failed to create directory %s: %m", where);
|
||||||
/* If we failed mkdir() or chown() due to the root
|
|
||||||
* directory being read only, attempt to mount this fs
|
/* If we failed mkdir() or chown() due to the root directory being read only,
|
||||||
* anyway and let mount_verbose log any errors */
|
* attempt to mount this fs anyway and let mount_verbose log any errors */
|
||||||
if (r != -EROFS)
|
if (r != -EROFS)
|
||||||
continue;
|
continue;
|
||||||
}
|
}
|
||||||
|
}
|
||||||
|
|
||||||
o = mount_table[k].options;
|
o = mount_table[k].options;
|
||||||
if (streq_ptr(mount_table[k].type, "tmpfs")) {
|
if (streq_ptr(mount_table[k].type, "tmpfs")) {
|
||||||
|
|
|
@ -16,6 +16,7 @@ typedef enum MountSettingsMask {
|
||||||
MOUNT_APPLY_TMPFS_TMP = 1 << 5, /* if set, /tmp will be mounted as tmpfs */
|
MOUNT_APPLY_TMPFS_TMP = 1 << 5, /* if set, /tmp will be mounted as tmpfs */
|
||||||
MOUNT_ROOT_ONLY = 1 << 6, /* if set, only root mounts are mounted */
|
MOUNT_ROOT_ONLY = 1 << 6, /* if set, only root mounts are mounted */
|
||||||
MOUNT_NON_ROOT_ONLY = 1 << 7, /* if set, only non-root mounts are mounted */
|
MOUNT_NON_ROOT_ONLY = 1 << 7, /* if set, only non-root mounts are mounted */
|
||||||
|
MOUNT_MKDIR = 1 << 8, /* if set, make directory to mount over first */
|
||||||
} MountSettingsMask;
|
} MountSettingsMask;
|
||||||
|
|
||||||
typedef enum CustomMountType {
|
typedef enum CustomMountType {
|
||||||
|
|
|
@ -385,8 +385,8 @@ int sd_bus_emit_interfaces_added(sd_bus *bus, const char *path, const char *inte
|
||||||
int sd_bus_emit_interfaces_removed_strv(sd_bus *bus, const char *path, char **interfaces);
|
int sd_bus_emit_interfaces_removed_strv(sd_bus *bus, const char *path, char **interfaces);
|
||||||
int sd_bus_emit_interfaces_removed(sd_bus *bus, const char *path, const char *interface, ...) _sd_sentinel_;
|
int sd_bus_emit_interfaces_removed(sd_bus *bus, const char *path, const char *interface, ...) _sd_sentinel_;
|
||||||
|
|
||||||
int sd_bus_query_sender_creds(sd_bus_message *call, uint64_t mask, sd_bus_creds **creds);
|
int sd_bus_query_sender_creds(sd_bus_message *m, uint64_t mask, sd_bus_creds **creds);
|
||||||
int sd_bus_query_sender_privilege(sd_bus_message *call, int capability);
|
int sd_bus_query_sender_privilege(sd_bus_message *m, int capability);
|
||||||
|
|
||||||
int sd_bus_match_signal(sd_bus *bus, sd_bus_slot **ret, const char *sender, const char *path, const char *interface, const char *member, sd_bus_message_handler_t callback, void *userdata);
|
int sd_bus_match_signal(sd_bus *bus, sd_bus_slot **ret, const char *sender, const char *path, const char *interface, const char *member, sd_bus_message_handler_t callback, void *userdata);
|
||||||
int sd_bus_match_signal_async(sd_bus *bus, sd_bus_slot **ret, const char *sender, const char *path, const char *interface, const char *member, sd_bus_message_handler_t match_callback, sd_bus_message_handler_t add_callback, void *userdata);
|
int sd_bus_match_signal_async(sd_bus *bus, sd_bus_slot **ret, const char *sender, const char *path, const char *interface, const char *member, sd_bus_message_handler_t match_callback, sd_bus_message_handler_t add_callback, void *userdata);
|
||||||
|
|
|
@ -596,8 +596,8 @@ static int help(int argc, char *argv[], void *userdata) {
|
||||||
" -s --service=SERVICE[:SERVICE…]\n"
|
" -s --service=SERVICE[:SERVICE…]\n"
|
||||||
" Query the specified service\n"
|
" Query the specified service\n"
|
||||||
" --with-nss=BOOL Control whether to include glibc NSS data\n"
|
" --with-nss=BOOL Control whether to include glibc NSS data\n"
|
||||||
" -N Disable inclusion of glibc NSS data and disable synthesizing\n"
|
" -N Do not synthesize or include glibc NSS data\n"
|
||||||
" (Same as --with-nss=no --synthesize=no)\n"
|
" (Same as --synthesize=no --with-nss=no)\n"
|
||||||
" --synthesize=BOOL Synthesize root/nobody user\n"
|
" --synthesize=BOOL Synthesize root/nobody user\n"
|
||||||
"\nSee the %s for details.\n"
|
"\nSee the %s for details.\n"
|
||||||
, program_invocation_short_name
|
, program_invocation_short_name
|
||||||
|
|
Loading…
Reference in New Issue