Compare commits

...

58 Commits

Author SHA1 Message Date
Lennart Poettering 47d0644e1a
Merge pull request #16833 from JackFangXN/master
analyze-verify: drop pointless zero initialization
2020-08-25 13:20:11 +02:00
Zbigniew Jędrzejewski-Szmek 3b9d671754
Merge pull request #16676 from poettering/repart-mkfs
repart: add new settings Format=, CopyFiles=, Encrypt= and teach --size= a new value "auto"
2020-08-25 12:19:46 +02:00
Alec Moskvin dd47b25220 rules: don't install 80-drivers.rules when kmod is disabled 2020-08-25 09:35:49 +02:00
Zbigniew Jędrzejewski-Szmek c3bbc90b4a
Merge pull request #16777 from DaanDeMeyer/kernel-install-followup
kernel-install: "Linux" => "Default" and reuse $BOOT/Default if it already exists
2020-08-25 09:30:44 +02:00
Ronan Pigott 45b156c155 zsh: correct journalctl command completion parsing 2020-08-25 09:29:13 +02:00
Zbigniew Jędrzejewski-Szmek 2c7d33d9e3
Merge pull request #16767 from keszybz/missing-syscall-cleanup
missing_syscall: verify our fallback numbers when possible
2020-08-25 09:21:32 +02:00
Zbigniew Jędrzejewski-Szmek b20f00599d
Merge pull request #16816 from keszybz/install-templated-presets
Fix preset operation for non-service templates
2020-08-25 09:20:07 +02:00
Zbigniew Jędrzejewski-Szmek 9f56c88aeb
Merge pull request #16819 from keszybz/seccomp-enosys
Return ENOSYS in nspawn for "unknown" syscalls
2020-08-25 09:18:46 +02:00
fangxiuning 05f7a0689e analyze: drop pointless zero initialization 2020-08-25 15:17:52 +08:00
Zbigniew Jędrzejewski-Szmek d521e6993d
Merge pull request #16824 from keszybz/no-such-unit-error
Add sd_bus_error_has_names() and use it to catch BUS_ERROR_NO_SUCH_UNIT
2020-08-25 09:16:25 +02:00
fangxiuning 6f32f8e037 analyze-verify: drop pointless zero initialization 2020-08-25 15:10:15 +08:00
Lennart Poettering f053c9477b core: drop redundant comment
Since 625a164069 we don't need to update
analyze-condition.c separately anymore, hence drop the comment
suggesting otherwise.
2020-08-25 07:47:50 +02:00
Lennart Poettering 6944adbbe0
Merge pull request #16681 from poettering/hidepid
core: introduce ProtectProc= unit file setting for exposing procfs' hidepid= mount option
2020-08-25 07:47:05 +02:00
Lennart Poettering bb2551bdcb loop-util: LOOP_CONFIGURE ignores lo_sizelimit
It appears LOOP_CONFIGURE in 5.8 is even more broken than initially
thought: it doesn't properly propgate lo_sizelimit to the block device
layer. :-(

Let's hence check the block device size immediately after issuing
LOOP_CONFIGURE, and if it doesn't match what we just set let's fallback
to the old ioctls.

This means LOOP_CONFIGURE currently works correctly only for the most
simply case: no partition table logic and no size limit. Sad!

(Kernel people should really be told about the concepts of tests and
even CI, one day!)
2020-08-24 22:01:13 +02:00
Lennart Poettering c2f418d595 update TODO 2020-08-24 22:01:09 +02:00
Lennart Poettering dfb4d0ae0d man: document new repart features 2020-08-24 22:00:52 +02:00
Lennart Poettering f7011e17f1 test: add test for new repart features 2020-08-24 22:00:49 +02:00
Lennart Poettering 170c982345 repart: if --size= is specified as "auto" determine minimal size for disk image
When assembling a disk image locally, using --size=auto can be used to
generate the minimal image based on the provided definitions. THis is
useful to prepare images that are grown on first boot.
2020-08-24 22:00:45 +02:00
Lennart Poettering b9df353689 repart: add support for optionally encrypting partitions we create 2020-08-24 22:00:42 +02:00
Lennart Poettering 8a794850e7 repart: add new CopyFiles= setting, for copying files into freshly made file systems
This makes the tool a lot more useful for streaming OS images onto
disks.
2020-08-24 22:00:38 +02:00
Lennart Poettering 1f0f82f131 dissect: create directories we want to mount on
This matches how we handle things everywhere else, i.e. in .mount units,
and similar: when a mount point dir is missing, we create it, let's do
so too when dealing with disk images.

This makes things a lot simpler, more robust, and systematic.
2020-08-24 22:00:35 +02:00
Lennart Poettering f0cb1b951c repart: wipe partition first, then discard
Wiping means writing zero sectors to disk. Hence it's better to do this
before we discard, so that the zeroes we use to overwrite are properly
discarded. If we'd do it the other way round we'd discard the data and
then reallocte it just to write zeroes.
2020-08-24 22:00:31 +02:00
Lennart Poettering 5b5109e225 repart: talk about future partitions
We initialize the partition contents before the partitions actually
exist, hence to reduce confusion let's talk about "future partitions" up
to the point where they are actually realized.
2020-08-24 22:00:28 +02:00
Lennart Poettering 81873a6b6c repart: let's wipe the partition table ourselves
Let's issue the wiping ourselves, so that we know it's done before we
write partition data onto the disk, and before the disk label
is written. Before this commit the writing of the disk label would imply
the wiping step, potentially overriding again what we just wrote into
the disk data section.

(Normally this shouldn't matter, since the partition table metadata
that the wiping process deletes is at the start and end of the disk
while we write our data to the middle, but you never know what kind of
weird signatures might exist that depart from that.)

(And effectively this ends up using the same wiping code, since that's
implemented in libblkkid, and libfdisk just acts as frontend to that
anyway. We now simply call it directly.)
2020-08-24 22:00:24 +02:00
Lennart Poettering f28d4f42f4 repart: split out code that mangles part table entries into function of its own
Just some refactoring, no actual code change.
2020-08-24 22:00:21 +02:00
Lennart Poettering 0f2b2c483f mkfs-util: add support for making vfat partitions
fat is a bit more limited in volume name length and UUID support. Let's
add some special support for it.

This is particularly useful to generate EFI system partitions.
2020-08-24 22:00:17 +02:00
Lennart Poettering 53171c0453 repart: add support for formatting newly created partitions 2020-08-24 22:00:14 +02:00
Lennart Poettering aa2a74ad9d repart: make error code when operating on non-existing file a bit more useful 2020-08-24 22:00:10 +02:00
Lennart Poettering da49710ef2 makefs: port to generic make_filesystem() call 2020-08-24 22:00:07 +02:00
Lennart Poettering c95f9a2351 shared: introduce mkfs-util.c/.h
Let's move the "mkfs" code from homed there, plus other related code.

This way we can easily reuse it from other places.
2020-08-24 21:59:49 +02:00
Lennart Poettering 8dbc208cc1 loop-util: define API for syncing loopback device 2020-08-24 21:59:35 +02:00
Lennart Poettering 0de3c4f4b7 mkdir: add new mkdir_p_root() helper 2020-08-24 21:59:21 +02:00
Lennart Poettering 15d43e3065 repart: don't unload data we configured explicitly, and fully free all data we match to disk
The context_unload_partition_table() call is supposed to remove all
data from the loaded partitions about how we mapped it to existing
partitions on disk, but it should leave everything we parsed from the
definition files in place.

We mostly got this right, except for two cases:

1. new_uuid is parsed from the definition files and should stay

2. current_label is read from the existing partition table and should be
   freed
2020-08-24 21:58:53 +02:00
Daan De Meyer 2c46d523ac kernel-install: Reuse $BOOT/Default if it already exists
Avoids duplicate installation problems when the machine ID is
initialized after a kernel is already installed under $BOOT/Default.
2020-08-24 19:24:19 +01:00
Daan De Meyer 6426c98ac5 kernel-install: Use "Default" as fallback instead of "Linux"
"Linux" conflicts /efi/Linux when /efi is the install location.
/efi/Linux is already reserved for unified kernel images so we can't use
it for type #1 images. Instead, we use "Default".
2020-08-24 19:22:11 +01:00
Lennart Poettering a54342b371 man: document ProtectProc= and ProcSubset= 2020-08-24 20:11:24 +02:00
Lennart Poettering 24da96a1bd units: turn on ProtectProc= wherever suitable 2020-08-24 20:11:14 +02:00
Lennart Poettering ed125c936c analyze-security: check for ProtectProc=/ProcSubset= 2020-08-24 20:11:10 +02:00
Lennart Poettering 4e39995371 core: introduce ProtectProc= and ProcSubset= to expose hidepid= and subset= procfs mount options
Kernel 5.8 gained a hidepid= implementation that is truly per procfs,
which allows us to mount a distinct once into every unit, with
individual hidepid= settings. Let's expose this via two new settings:
ProtectProc= (wrapping hidpid=) and ProcSubset= (wrapping subset=).

Replaces: #11670
2020-08-24 20:11:02 +02:00
Lennart Poettering df6b900a1b namespace: assert() first, use second 2020-08-24 20:10:58 +02:00
Lennart Poettering 52b3d6523f namespace: move protect_{home|system} into NamespaceInfo
it's not entirely clear what shall be passed via parameter and what via
struct, but these two definitely fit well with the other protect_xyz
fields, hence let's move them over.

We probably should move a lot more more fields into the structure
actuall (most? all even?).
2020-08-24 20:10:30 +02:00
Zbigniew Jędrzejewski-Szmek 8694114b80 generate-syscall-list: require python3
Python3.4 works, but 2.7 returns a tuple from os.uname().
2020-08-24 20:05:32 +02:00
Zbigniew Jędrzejewski-Szmek d75615f398 nspawn: turn on higher optimization level in seccomp
$ sudo ./dump_seccomp_filter $PIDOF_NSPAWN_PAYLOAD obj
$ ~/src/libseccomp/build/tools/scmp_bpf_disasm <obj

Before the addition of @known to filter:
 line  OP   JT   JF   K
=================================
 0000: 0x20 0x00 0x00 0x00000004   ld  $data[4]
 0001: 0x15 0x00 0x6d 0x40000003   jeq 1073741827 true:0002 false:0111
 0002: 0x20 0x00 0x00 0x00000000   ld  $data[0]
 0003: 0x15 0x6b 0x00 0x00000000   jeq 0    true:0111 false:0004
 0004: 0x15 0x6a 0x00 0x00000001   jeq 1    true:0111 false:0005
 0005: 0x15 0x69 0x00 0x00000002   jeq 2    true:0111 false:0006
 0006: 0x15 0x68 0x00 0x00000003   jeq 3    true:0111 false:0007
 0007: 0x15 0x67 0x00 0x00000004   jeq 4    true:0111 false:0008
 0008: 0x15 0x66 0x00 0x00000005   jeq 5    true:0111 false:0009
 0009: 0x15 0x65 0x00 0x00000006   jeq 6    true:0111 false:0010
 0010: 0x15 0x64 0x00 0x00000007   jeq 7    true:0111 false:0011
 0011: 0x15 0x63 0x00 0x00000008   jeq 8    true:0111 false:0012
 0012: 0x15 0x62 0x00 0x00000009   jeq 9    true:0111 false:0013
 0013: 0x15 0x61 0x00 0x0000000a   jeq 10   true:0111 false:0014
 0014: 0x15 0x60 0x00 0x0000000b   jeq 11   true:0111 false:0015
 0015: 0x15 0x5f 0x00 0x0000000c   jeq 12   true:0111 false:0016
 0016: 0x15 0x5e 0x00 0x0000000d   jeq 13   true:0111 false:0017
 0017: 0x15 0x5d 0x00 0x0000000e   jeq 14   true:0111 false:0018
 0018: 0x15 0x5c 0x00 0x0000000f   jeq 15   true:0111 false:0019
 0019: 0x15 0x5b 0x00 0x00000010   jeq 16   true:0111 false:0020
 0020: 0x15 0x5a 0x00 0x00000012   jeq 18   true:0111 false:0021
 0021: 0x15 0x59 0x00 0x00000013   jeq 19   true:0111 false:0022
 0022: 0x15 0x58 0x00 0x00000014   jeq 20   true:0111 false:0023
 0023: 0x15 0x57 0x00 0x00000015   jeq 21   true:0111 false:0024
 0024: 0x15 0x56 0x00 0x00000016   jeq 22   true:0111 false:0025
 0025: 0x15 0x55 0x00 0x00000017   jeq 23   true:0111 false:0026
 0026: 0x15 0x54 0x00 0x00000018   jeq 24   true:0111 false:0027
 0027: 0x15 0x53 0x00 0x0000001a   jeq 26   true:0111 false:0028
 0028: 0x15 0x52 0x00 0x0000001b   jeq 27   true:0111 false:0029
 0029: 0x15 0x51 0x00 0x0000001c   jeq 28   true:0111 false:0030
 0030: 0x15 0x50 0x00 0x0000001d   jeq 29   true:0111 false:0031
 0031: 0x15 0x4f 0x00 0x0000001e   jeq 30   true:0111 false:0032
 0032: 0x15 0x4e 0x00 0x00000021   jeq 33   true:0111 false:0033
 0033: 0x15 0x4d 0x00 0x00000022   jeq 34   true:0111 false:0034
 0034: 0x15 0x4c 0x00 0x00000024   jeq 36   true:0111 false:0035
 0035: 0x15 0x4b 0x00 0x00000025   jeq 37   true:0111 false:0036
 0036: 0x15 0x4a 0x00 0x00000026   jeq 38   true:0111 false:0037
 0037: 0x15 0x49 0x00 0x00000027   jeq 39   true:0111 false:0038
 0038: 0x15 0x48 0x00 0x00000028   jeq 40   true:0111 false:0039
 0039: 0x15 0x47 0x00 0x00000029   jeq 41   true:0111 false:0040
 0040: 0x15 0x46 0x00 0x0000002a   jeq 42   true:0111 false:0041
 0041: 0x15 0x45 0x00 0x0000002b   jeq 43   true:0111 false:0042
 0042: 0x15 0x44 0x00 0x0000002d   jeq 45   true:0111 false:0043
 0043: 0x15 0x43 0x00 0x0000002e   jeq 46   true:0111 false:0044
 0044: 0x15 0x42 0x00 0x0000002f   jeq 47   true:0111 false:0045
 0045: 0x15 0x41 0x00 0x00000030   jeq 48   true:0111 false:0046
 0046: 0x15 0x40 0x00 0x00000031   jeq 49   true:0111 false:0047
 0047: 0x15 0x3f 0x00 0x00000032   jeq 50   true:0111 false:0048
 0048: 0x15 0x3e 0x00 0x00000034   jeq 52   true:0111 false:0049
 0049: 0x15 0x3d 0x00 0x00000036   jeq 54   true:0111 false:0050
 0050: 0x15 0x3c 0x00 0x00000037   jeq 55   true:0111 false:0051
 0051: 0x15 0x3b 0x00 0x00000039   jeq 57   true:0111 false:0052
 0052: 0x15 0x3a 0x00 0x0000003b   jeq 59   true:0111 false:0053
 0053: 0x15 0x39 0x00 0x0000003c   jeq 60   true:0111 false:0054
 0054: 0x15 0x38 0x00 0x0000003d   jeq 61   true:0111 false:0055
 0055: 0x15 0x37 0x00 0x0000003f   jeq 63   true:0111 false:0056
 0056: 0x15 0x36 0x00 0x00000040   jeq 64   true:0111 false:0057
 0057: 0x15 0x35 0x00 0x00000041   jeq 65   true:0111 false:0058
 0058: 0x15 0x34 0x00 0x00000042   jeq 66   true:0111 false:0059
 0059: 0x15 0x33 0x00 0x00000043   jeq 67   true:0111 false:0060
 0060: 0x15 0x32 0x00 0x00000046   jeq 70   true:0111 false:0061
 0061: 0x15 0x31 0x00 0x00000047   jeq 71   true:0111 false:0062
 0062: 0x15 0x30 0x00 0x00000048   jeq 72   true:0111 false:0063
 0063: 0x15 0x2f 0x00 0x00000049   jeq 73   true:0111 false:0064
 0064: 0x15 0x2e 0x00 0x0000004a   jeq 74   true:0111 false:0065
 0065: 0x15 0x2d 0x00 0x0000004b   jeq 75   true:0111 false:0066
 0066: 0x15 0x2c 0x00 0x0000004c   jeq 76   true:0111 false:0067
 0067: 0x15 0x2b 0x00 0x0000004d   jeq 77   true:0111 false:0068
 0068: 0x15 0x2a 0x00 0x0000004e   jeq 78   true:0111 false:0069
 0069: 0x15 0x29 0x00 0x00000050   jeq 80   true:0111 false:0070
 0070: 0x15 0x28 0x00 0x00000051   jeq 81   true:0111 false:0071
 0071: 0x15 0x27 0x00 0x00000052   jeq 82   true:0111 false:0072
 0072: 0x15 0x26 0x00 0x00000053   jeq 83   true:0111 false:0073
 0073: 0x15 0x25 0x00 0x00000054   jeq 84   true:0111 false:0074
 0074: 0x15 0x24 0x00 0x00000055   jeq 85   true:0111 false:0075
 0075: 0x15 0x23 0x00 0x00000058   jeq 88   true:0111 false:0076
 0076: 0x15 0x22 0x00 0x00000059   jeq 89   true:0111 false:0077
 0077: 0x15 0x21 0x00 0x0000005a   jeq 90   true:0111 false:0078
 0078: 0x15 0x20 0x00 0x0000005b   jeq 91   true:0111 false:0079
 0079: 0x15 0x1f 0x00 0x0000005c   jeq 92   true:0111 false:0080
 0080: 0x15 0x1e 0x00 0x0000005d   jeq 93   true:0111 false:0081
 0081: 0x15 0x1d 0x00 0x0000005e   jeq 94   true:0111 false:0082
 0082: 0x15 0x1c 0x00 0x0000005f   jeq 95   true:0111 false:0083
 0083: 0x15 0x1b 0x00 0x00000060   jeq 96   true:0111 false:0084
 0084: 0x15 0x1a 0x00 0x00000061   jeq 97   true:0111 false:0085
 0085: 0x15 0x19 0x00 0x00000063   jeq 99   true:0111 false:0086
 0086: 0x15 0x18 0x00 0x00000064   jeq 100  true:0111 false:0087
 0087: 0x15 0x17 0x00 0x00000066   jeq 102  true:0111 false:0088
 0088: 0x15 0x16 0x00 0x00000068   jeq 104  true:0111 false:0089
 0089: 0x15 0x15 0x00 0x00000069   jeq 105  true:0111 false:0090
 0090: 0x15 0x14 0x00 0x0000006a   jeq 106  true:0111 false:0091
 0091: 0x15 0x13 0x00 0x0000006b   jeq 107  true:0111 false:0092
 0092: 0x15 0x12 0x00 0x0000006c   jeq 108  true:0111 false:0093
 0093: 0x15 0x11 0x00 0x0000006d   jeq 109  true:0111 false:0094
 0094: 0x15 0x10 0x00 0x0000006f   jeq 111  true:0111 false:0095
 0095: 0x15 0x0f 0x00 0x00000072   jeq 114  true:0111 false:0096
 0096: 0x15 0x0e 0x00 0x00000074   jeq 116  true:0111 false:0097
 0097: 0x15 0x0d 0x00 0x00000075   jeq 117  true:0111 false:0098
 0098: 0x15 0x0c 0x00 0x00000076   jeq 118  true:0111 false:0099
 0099: 0x15 0x0b 0x00 0x00000077   jeq 119  true:0111 false:0100
 0100: 0x15 0x0a 0x00 0x00000078   jeq 120  true:0111 false:0101
 0101: 0x15 0x09 0x00 0x00000079   jeq 121  true:0111 false:0102
 0102: 0x15 0x08 0x00 0x0000007a   jeq 122  true:0111 false:0103
 0103: 0x15 0x07 0x00 0x0000007d   jeq 125  true:0111 false:0104
 0104: 0x15 0x06 0x00 0x0000007e   jeq 126  true:0111 false:0105
 0105: 0x15 0x05 0x00 0x00000084   jeq 132  true:0111 false:0106
 0106: 0x15 0x04 0x00 0x00000085   jeq 133  true:0111 false:0107
 0107: 0x15 0x03 0x00 0x00000088   jeq 136  true:0111 false:0108
 0108: 0x15 0x02 0x00 0x0000008a   jeq 138  true:0111 false:0109
 0109: 0x15 0x01 0x00 0x0000008b   jeq 139  true:0111 false:0110
 0110: 0x15 0x00 0x01 0x0000008c   jeq 140  true:0111 false:0112
 0111: 0x06 0x00 0x00 0x7fff0000   ret ALLOW
 0112: 0x15 0xff 0x00 0x0000008d   jeq 141  true:0368 false:0113
 0113: 0x15 0xfe 0x00 0x0000008e   jeq 142  true:0368 false:0114
 0114: 0x15 0xfd 0x00 0x0000008f   jeq 143  true:0368 false:0115
 0115: 0x15 0xfc 0x00 0x00000090   jeq 144  true:0368 false:0116
 0116: 0x15 0xfb 0x00 0x00000091   jeq 145  true:0368 false:0117
 0117: 0x15 0xfa 0x00 0x00000092   jeq 146  true:0368 false:0118
 0118: 0x15 0xf9 0x00 0x00000093   jeq 147  true:0368 false:0119
 0119: 0x15 0xf8 0x00 0x00000094   jeq 148  true:0368 false:0120
 0120: 0x15 0xf7 0x00 0x0000009a   jeq 154  true:0368 false:0121
 0121: 0x15 0xf6 0x00 0x0000009b   jeq 155  true:0368 false:0122
 0122: 0x15 0xf5 0x00 0x0000009c   jeq 156  true:0368 false:0123
 0123: 0x15 0xf4 0x00 0x0000009d   jeq 157  true:0368 false:0124
 0124: 0x15 0xf3 0x00 0x0000009e   jeq 158  true:0368 false:0125
 0125: 0x15 0xf2 0x00 0x0000009f   jeq 159  true:0368 false:0126
 0126: 0x15 0xf1 0x00 0x000000a0   jeq 160  true:0368 false:0127
 0127: 0x15 0xf0 0x00 0x000000a1   jeq 161  true:0368 false:0128
 0128: 0x15 0xef 0x00 0x000000a2   jeq 162  true:0368 false:0129
 0129: 0x15 0xee 0x00 0x000000a3   jeq 163  true:0368 false:0130
 0130: 0x15 0xed 0x00 0x000000a4   jeq 164  true:0368 false:0131
 0131: 0x15 0xec 0x00 0x000000a5   jeq 165  true:0368 false:0132
 0132: 0x15 0xeb 0x00 0x000000a8   jeq 168  true:0368 false:0133
 0133: 0x15 0xea 0x00 0x000000aa   jeq 170  true:0368 false:0134
 0134: 0x15 0xe9 0x00 0x000000ab   jeq 171  true:0368 false:0135
 0135: 0x15 0xe8 0x00 0x000000ac   jeq 172  true:0368 false:0136
 0136: 0x15 0xe7 0x00 0x000000ad   jeq 173  true:0368 false:0137
 0137: 0x15 0xe6 0x00 0x000000ae   jeq 174  true:0368 false:0138
 0138: 0x15 0xe5 0x00 0x000000af   jeq 175  true:0368 false:0139
 0139: 0x15 0xe4 0x00 0x000000b0   jeq 176  true:0368 false:0140
 0140: 0x15 0xe3 0x00 0x000000b1   jeq 177  true:0368 false:0141
 0141: 0x15 0xe2 0x00 0x000000b2   jeq 178  true:0368 false:0142
 0142: 0x15 0xe1 0x00 0x000000b3   jeq 179  true:0368 false:0143
 0143: 0x15 0xe0 0x00 0x000000b4   jeq 180  true:0368 false:0144
 0144: 0x15 0xdf 0x00 0x000000b5   jeq 181  true:0368 false:0145
 0145: 0x15 0xde 0x00 0x000000b6   jeq 182  true:0368 false:0146
 0146: 0x15 0xdd 0x00 0x000000b7   jeq 183  true:0368 false:0147
 0147: 0x15 0xdc 0x00 0x000000b8   jeq 184  true:0368 false:0148
 0148: 0x15 0xdb 0x00 0x000000b9   jeq 185  true:0368 false:0149
 0149: 0x15 0xda 0x00 0x000000ba   jeq 186  true:0368 false:0150
 0150: 0x15 0xd9 0x00 0x000000bb   jeq 187  true:0368 false:0151
 0151: 0x15 0xd8 0x00 0x000000be   jeq 190  true:0368 false:0152
 0152: 0x15 0xd7 0x00 0x000000bf   jeq 191  true:0368 false:0153
 0153: 0x15 0xd6 0x00 0x000000c0   jeq 192  true:0368 false:0154
 0154: 0x15 0xd5 0x00 0x000000c1   jeq 193  true:0368 false:0155
 0155: 0x15 0xd4 0x00 0x000000c2   jeq 194  true:0368 false:0156
 0156: 0x15 0xd3 0x00 0x000000c3   jeq 195  true:0368 false:0157
 0157: 0x15 0xd2 0x00 0x000000c4   jeq 196  true:0368 false:0158
 0158: 0x15 0xd1 0x00 0x000000c5   jeq 197  true:0368 false:0159
 0159: 0x15 0xd0 0x00 0x000000c6   jeq 198  true:0368 false:0160
 0160: 0x15 0xcf 0x00 0x000000c7   jeq 199  true:0368 false:0161
 0161: 0x15 0xce 0x00 0x000000c8   jeq 200  true:0368 false:0162
 0162: 0x15 0xcd 0x00 0x000000c9   jeq 201  true:0368 false:0163
 0163: 0x15 0xcc 0x00 0x000000ca   jeq 202  true:0368 false:0164
 0164: 0x15 0xcb 0x00 0x000000cb   jeq 203  true:0368 false:0165
 0165: 0x15 0xca 0x00 0x000000cc   jeq 204  true:0368 false:0166
 0166: 0x15 0xc9 0x00 0x000000cd   jeq 205  true:0368 false:0167
 0167: 0x15 0xc8 0x00 0x000000ce   jeq 206  true:0368 false:0168
 0168: 0x15 0xc7 0x00 0x000000cf   jeq 207  true:0368 false:0169
 0169: 0x15 0xc6 0x00 0x000000d0   jeq 208  true:0368 false:0170
 0170: 0x15 0xc5 0x00 0x000000d1   jeq 209  true:0368 false:0171
 0171: 0x15 0xc4 0x00 0x000000d2   jeq 210  true:0368 false:0172
 0172: 0x15 0xc3 0x00 0x000000d3   jeq 211  true:0368 false:0173
 0173: 0x15 0xc2 0x00 0x000000d4   jeq 212  true:0368 false:0174
 0174: 0x15 0xc1 0x00 0x000000d5   jeq 213  true:0368 false:0175
 0175: 0x15 0xc0 0x00 0x000000d6   jeq 214  true:0368 false:0176
 0176: 0x15 0xbf 0x00 0x000000d7   jeq 215  true:0368 false:0177
 0177: 0x15 0xbe 0x00 0x000000d8   jeq 216  true:0368 false:0178
 0178: 0x15 0xbd 0x00 0x000000d9   jeq 217  true:0368 false:0179
 0179: 0x15 0xbc 0x00 0x000000da   jeq 218  true:0368 false:0180
 0180: 0x15 0xbb 0x00 0x000000db   jeq 219  true:0368 false:0181
 0181: 0x15 0xba 0x00 0x000000dc   jeq 220  true:0368 false:0182
 0182: 0x15 0xb9 0x00 0x000000dd   jeq 221  true:0368 false:0183
 0183: 0x15 0xb8 0x00 0x000000e0   jeq 224  true:0368 false:0184
 0184: 0x15 0xb7 0x00 0x000000e1   jeq 225  true:0368 false:0185
 0185: 0x15 0xb6 0x00 0x000000e2   jeq 226  true:0368 false:0186
 0186: 0x15 0xb5 0x00 0x000000e3   jeq 227  true:0368 false:0187
 0187: 0x15 0xb4 0x00 0x000000e4   jeq 228  true:0368 false:0188
 0188: 0x15 0xb3 0x00 0x000000e5   jeq 229  true:0368 false:0189
 0189: 0x15 0xb2 0x00 0x000000e6   jeq 230  true:0368 false:0190
 0190: 0x15 0xb1 0x00 0x000000e7   jeq 231  true:0368 false:0191
 0191: 0x15 0xb0 0x00 0x000000e8   jeq 232  true:0368 false:0192
 0192: 0x15 0xaf 0x00 0x000000e9   jeq 233  true:0368 false:0193
 0193: 0x15 0xae 0x00 0x000000ea   jeq 234  true:0368 false:0194
 0194: 0x15 0xad 0x00 0x000000eb   jeq 235  true:0368 false:0195
 0195: 0x15 0xac 0x00 0x000000ec   jeq 236  true:0368 false:0196
 0196: 0x15 0xab 0x00 0x000000ed   jeq 237  true:0368 false:0197
 0197: 0x15 0xaa 0x00 0x000000ee   jeq 238  true:0368 false:0198
 0198: 0x15 0xa9 0x00 0x000000ef   jeq 239  true:0368 false:0199
 0199: 0x15 0xa8 0x00 0x000000f0   jeq 240  true:0368 false:0200
 0200: 0x15 0xa7 0x00 0x000000f1   jeq 241  true:0368 false:0201
 0201: 0x15 0xa6 0x00 0x000000f2   jeq 242  true:0368 false:0202
 0202: 0x15 0xa5 0x00 0x000000f3   jeq 243  true:0368 false:0203
 0203: 0x15 0xa4 0x00 0x000000f4   jeq 244  true:0368 false:0204
 0204: 0x15 0xa3 0x00 0x000000f5   jeq 245  true:0368 false:0205
 0205: 0x15 0xa2 0x00 0x000000f6   jeq 246  true:0368 false:0206
 0206: 0x15 0xa1 0x00 0x000000f7   jeq 247  true:0368 false:0207
 0207: 0x15 0xa0 0x00 0x000000f8   jeq 248  true:0368 false:0208
 0208: 0x15 0x9f 0x00 0x000000f9   jeq 249  true:0368 false:0209
 0209: 0x15 0x9e 0x00 0x000000fa   jeq 250  true:0368 false:0210
 0210: 0x15 0x9d 0x00 0x000000fc   jeq 252  true:0368 false:0211
 0211: 0x15 0x9c 0x00 0x000000fe   jeq 254  true:0368 false:0212
 0212: 0x15 0x9b 0x00 0x000000ff   jeq 255  true:0368 false:0213
 0213: 0x15 0x9a 0x00 0x00000100   jeq 256  true:0368 false:0214
 0214: 0x15 0x99 0x00 0x00000101   jeq 257  true:0368 false:0215
 0215: 0x15 0x98 0x00 0x00000102   jeq 258  true:0368 false:0216
 0216: 0x15 0x97 0x00 0x00000103   jeq 259  true:0368 false:0217
 0217: 0x15 0x96 0x00 0x00000104   jeq 260  true:0368 false:0218
 0218: 0x15 0x95 0x00 0x00000105   jeq 261  true:0368 false:0219
 0219: 0x15 0x94 0x00 0x00000106   jeq 262  true:0368 false:0220
 0220: 0x15 0x93 0x00 0x00000107   jeq 263  true:0368 false:0221
 0221: 0x15 0x92 0x00 0x00000109   jeq 265  true:0368 false:0222
 0222: 0x15 0x91 0x00 0x0000010a   jeq 266  true:0368 false:0223
 0223: 0x15 0x90 0x00 0x0000010b   jeq 267  true:0368 false:0224
 0224: 0x15 0x8f 0x00 0x0000010c   jeq 268  true:0368 false:0225
 0225: 0x15 0x8e 0x00 0x0000010d   jeq 269  true:0368 false:0226
 0226: 0x15 0x8d 0x00 0x0000010e   jeq 270  true:0368 false:0227
 0227: 0x15 0x8c 0x00 0x0000010f   jeq 271  true:0368 false:0228
 0228: 0x15 0x8b 0x00 0x00000110   jeq 272  true:0368 false:0229
 0229: 0x15 0x8a 0x00 0x00000112   jeq 274  true:0368 false:0230
 0230: 0x15 0x89 0x00 0x00000113   jeq 275  true:0368 false:0231
 0231: 0x15 0x88 0x00 0x00000114   jeq 276  true:0368 false:0232
 0232: 0x15 0x87 0x00 0x00000115   jeq 277  true:0368 false:0233
 0233: 0x15 0x86 0x00 0x00000116   jeq 278  true:0368 false:0234
 0234: 0x15 0x85 0x00 0x00000117   jeq 279  true:0368 false:0235
 0235: 0x15 0x84 0x00 0x00000118   jeq 280  true:0368 false:0236
 0236: 0x15 0x83 0x00 0x00000119   jeq 281  true:0368 false:0237
 0237: 0x15 0x82 0x00 0x0000011a   jeq 282  true:0368 false:0238
 0238: 0x15 0x81 0x00 0x0000011c   jeq 284  true:0368 false:0239
 0239: 0x15 0x80 0x00 0x00000121   jeq 289  true:0368 false:0240
 0240: 0x15 0x7f 0x00 0x00000122   jeq 290  true:0368 false:0241
 0241: 0x15 0x7e 0x00 0x00000123   jeq 291  true:0368 false:0242
 0242: 0x15 0x7d 0x00 0x00000124   jeq 292  true:0368 false:0243
 0243: 0x15 0x7c 0x00 0x00000125   jeq 293  true:0368 false:0244
 0244: 0x15 0x7b 0x00 0x00000126   jeq 294  true:0368 false:0245
 0245: 0x15 0x7a 0x00 0x00000127   jeq 295  true:0368 false:0246
 0246: 0x15 0x79 0x00 0x00000128   jeq 296  true:0368 false:0247
 0247: 0x15 0x78 0x00 0x00000129   jeq 297  true:0368 false:0248
 0248: 0x15 0x77 0x00 0x0000012a   jeq 298  true:0368 false:0249
 0249: 0x15 0x76 0x00 0x0000012b   jeq 299  true:0368 false:0250
 0250: 0x15 0x75 0x00 0x0000012c   jeq 300  true:0368 false:0251
 0251: 0x15 0x74 0x00 0x0000012d   jeq 301  true:0368 false:0252
 0252: 0x15 0x73 0x00 0x0000012e   jeq 302  true:0368 false:0253
 0253: 0x15 0x72 0x00 0x0000012f   jeq 303  true:0368 false:0254
 0254: 0x15 0x71 0x00 0x00000130   jeq 304  true:0368 false:0255
 0255: 0x15 0x70 0x00 0x00000131   jeq 305  true:0368 false:0256
 0256: 0x15 0x6f 0x00 0x00000132   jeq 306  true:0368 false:0257
 0257: 0x15 0x6e 0x00 0x00000133   jeq 307  true:0368 false:0258
 0258: 0x15 0x6d 0x00 0x00000134   jeq 308  true:0368 false:0259
 0259: 0x15 0x6c 0x00 0x00000135   jeq 309  true:0368 false:0260
 0260: 0x15 0x6b 0x00 0x00000136   jeq 310  true:0368 false:0261
 0261: 0x15 0x6a 0x00 0x00000137   jeq 311  true:0368 false:0262
 0262: 0x15 0x69 0x00 0x00000138   jeq 312  true:0368 false:0263
 0263: 0x15 0x68 0x00 0x00000139   jeq 313  true:0368 false:0264
 0264: 0x15 0x67 0x00 0x0000013a   jeq 314  true:0368 false:0265
 0265: 0x15 0x66 0x00 0x0000013b   jeq 315  true:0368 false:0266
 0266: 0x15 0x65 0x00 0x0000013c   jeq 316  true:0368 false:0267
 0267: 0x15 0x64 0x00 0x0000013d   jeq 317  true:0368 false:0268
 0268: 0x15 0x63 0x00 0x0000013e   jeq 318  true:0368 false:0269
 0269: 0x15 0x62 0x00 0x0000013f   jeq 319  true:0368 false:0270
 0270: 0x15 0x61 0x00 0x00000140   jeq 320  true:0368 false:0271
 0271: 0x15 0x60 0x00 0x00000141   jeq 321  true:0368 false:0272
 0272: 0x15 0x5f 0x00 0x00000142   jeq 322  true:0368 false:0273
 0273: 0x15 0x5e 0x00 0x00000143   jeq 323  true:0368 false:0274
 0274: 0x15 0x5d 0x00 0x00000144   jeq 324  true:0368 false:0275
 0275: 0x15 0x5c 0x00 0x00000145   jeq 325  true:0368 false:0276
 0276: 0x15 0x5b 0x00 0x00000146   jeq 326  true:0368 false:0277
 0277: 0x15 0x5a 0x00 0x00000147   jeq 327  true:0368 false:0278
 0278: 0x15 0x59 0x00 0x00000148   jeq 328  true:0368 false:0279
 0279: 0x15 0x58 0x00 0x00000149   jeq 329  true:0368 false:0280
 0280: 0x15 0x57 0x00 0x0000014a   jeq 330  true:0368 false:0281
 0281: 0x15 0x56 0x00 0x0000014b   jeq 331  true:0368 false:0282
 0282: 0x15 0x55 0x00 0x0000014c   jeq 332  true:0368 false:0283
 0283: 0x15 0x54 0x00 0x0000014d   jeq 333  true:0368 false:0284
 0284: 0x15 0x53 0x00 0x0000014e   jeq 334  true:0368 false:0285
 0285: 0x15 0x52 0x00 0x0000014f   jeq 335  true:0368 false:0286
 0286: 0x15 0x51 0x00 0x00000151   jeq 337  true:0368 false:0287
 0287: 0x15 0x50 0x00 0x00000154   jeq 340  true:0368 false:0288
 0288: 0x15 0x4f 0x00 0x00000155   jeq 341  true:0368 false:0289
 0289: 0x15 0x4e 0x00 0x00000158   jeq 344  true:0368 false:0290
 0290: 0x15 0x4d 0x00 0x00000159   jeq 345  true:0368 false:0291
 0291: 0x15 0x4c 0x00 0x0000015a   jeq 346  true:0368 false:0292
 0292: 0x15 0x4b 0x00 0x0000015b   jeq 347  true:0368 false:0293
 0293: 0x15 0x4a 0x00 0x0000015c   jeq 348  true:0368 false:0294
 0294: 0x15 0x49 0x00 0x0000015d   jeq 349  true:0368 false:0295
 0295: 0x15 0x48 0x00 0x0000015f   jeq 351  true:0368 false:0296
 0296: 0x15 0x47 0x00 0x00000160   jeq 352  true:0368 false:0297
 0297: 0x15 0x46 0x00 0x00000161   jeq 353  true:0368 false:0298
 0298: 0x15 0x45 0x00 0x00000162   jeq 354  true:0368 false:0299
 0299: 0x15 0x44 0x00 0x00000163   jeq 355  true:0368 false:0300
 0300: 0x15 0x43 0x00 0x00000164   jeq 356  true:0368 false:0301
 0301: 0x15 0x42 0x00 0x00000166   jeq 358  true:0368 false:0302
 0302: 0x15 0x41 0x00 0x00000167   jeq 359  true:0368 false:0303
 0303: 0x15 0x40 0x00 0x00000168   jeq 360  true:0368 false:0304
 0304: 0x15 0x3f 0x00 0x00000169   jeq 361  true:0368 false:0305
 0305: 0x15 0x3e 0x00 0x0000016a   jeq 362  true:0368 false:0306
 0306: 0x15 0x3d 0x00 0x0000016b   jeq 363  true:0368 false:0307
 0307: 0x15 0x3c 0x00 0x0000016c   jeq 364  true:0368 false:0308
 0308: 0x15 0x3b 0x00 0x0000016d   jeq 365  true:0368 false:0309
 0309: 0x15 0x3a 0x00 0x0000016e   jeq 366  true:0368 false:0310
 0310: 0x15 0x39 0x00 0x0000016f   jeq 367  true:0368 false:0311
 0311: 0x15 0x38 0x00 0x00000170   jeq 368  true:0368 false:0312
 0312: 0x15 0x37 0x00 0x00000171   jeq 369  true:0368 false:0313
 0313: 0x15 0x36 0x00 0x00000172   jeq 370  true:0368 false:0314
 0314: 0x15 0x35 0x00 0x00000173   jeq 371  true:0368 false:0315
 0315: 0x15 0x34 0x00 0x00000174   jeq 372  true:0368 false:0316
 0316: 0x15 0x33 0x00 0x00000175   jeq 373  true:0368 false:0317
 0317: 0x15 0x32 0x00 0x00000176   jeq 374  true:0368 false:0318
 0318: 0x15 0x31 0x00 0x00000177   jeq 375  true:0368 false:0319
 0319: 0x15 0x30 0x00 0x00000179   jeq 377  true:0368 false:0320
 0320: 0x15 0x2f 0x00 0x0000017a   jeq 378  true:0368 false:0321
 0321: 0x15 0x2e 0x00 0x0000017b   jeq 379  true:0368 false:0322
 0322: 0x15 0x2d 0x00 0x0000017f   jeq 383  true:0368 false:0323
 0323: 0x15 0x2c 0x00 0x00000180   jeq 384  true:0368 false:0324
 0324: 0x15 0x2b 0x00 0x00000181   jeq 385  true:0368 false:0325
 0325: 0x15 0x2a 0x00 0x00000182   jeq 386  true:0368 false:0326
 0326: 0x15 0x29 0x00 0x00000189   jeq 393  true:0368 false:0327
 0327: 0x15 0x28 0x00 0x0000018a   jeq 394  true:0368 false:0328
 0328: 0x15 0x27 0x00 0x0000018b   jeq 395  true:0368 false:0329
 0329: 0x15 0x26 0x00 0x0000018c   jeq 396  true:0368 false:0330
 0330: 0x15 0x25 0x00 0x0000018d   jeq 397  true:0368 false:0331
 0331: 0x15 0x24 0x00 0x0000018e   jeq 398  true:0368 false:0332
 0332: 0x15 0x23 0x00 0x0000018f   jeq 399  true:0368 false:0333
 0333: 0x15 0x22 0x00 0x00000190   jeq 400  true:0368 false:0334
 0334: 0x15 0x21 0x00 0x00000191   jeq 401  true:0368 false:0335
 0335: 0x15 0x20 0x00 0x00000192   jeq 402  true:0368 false:0336
 0336: 0x15 0x1f 0x00 0x00000193   jeq 403  true:0368 false:0337
 0337: 0x15 0x1e 0x00 0x00000196   jeq 406  true:0368 false:0338
 0338: 0x15 0x1d 0x00 0x00000197   jeq 407  true:0368 false:0339
 0339: 0x15 0x1c 0x00 0x00000198   jeq 408  true:0368 false:0340
 0340: 0x15 0x1b 0x00 0x00000199   jeq 409  true:0368 false:0341
 0341: 0x15 0x1a 0x00 0x0000019a   jeq 410  true:0368 false:0342
 0342: 0x15 0x19 0x00 0x0000019b   jeq 411  true:0368 false:0343
 0343: 0x15 0x18 0x00 0x0000019c   jeq 412  true:0368 false:0344
 0344: 0x15 0x17 0x00 0x0000019d   jeq 413  true:0368 false:0345
 0345: 0x15 0x16 0x00 0x0000019e   jeq 414  true:0368 false:0346
 0346: 0x15 0x15 0x00 0x000001a0   jeq 416  true:0368 false:0347
 0347: 0x15 0x14 0x00 0x000001a1   jeq 417  true:0368 false:0348
 0348: 0x15 0x13 0x00 0x000001a2   jeq 418  true:0368 false:0349
 0349: 0x15 0x12 0x00 0x000001a3   jeq 419  true:0368 false:0350
 0350: 0x15 0x11 0x00 0x000001a4   jeq 420  true:0368 false:0351
 0351: 0x15 0x10 0x00 0x000001a5   jeq 421  true:0368 false:0352
 0352: 0x15 0x0f 0x00 0x000001a6   jeq 422  true:0368 false:0353
 0353: 0x15 0x0e 0x00 0x000001a8   jeq 424  true:0368 false:0354
 0354: 0x15 0x0d 0x00 0x000001a9   jeq 425  true:0368 false:0355
 0355: 0x15 0x0c 0x00 0x000001aa   jeq 426  true:0368 false:0356
 0356: 0x15 0x0b 0x00 0x000001ab   jeq 427  true:0368 false:0357
 0357: 0x15 0x0a 0x00 0x000001ac   jeq 428  true:0368 false:0358
 0358: 0x15 0x09 0x00 0x000001ad   jeq 429  true:0368 false:0359
 0359: 0x15 0x08 0x00 0x000001ae   jeq 430  true:0368 false:0360
 0360: 0x15 0x07 0x00 0x000001af   jeq 431  true:0368 false:0361
 0361: 0x15 0x06 0x00 0x000001b0   jeq 432  true:0368 false:0362
 0362: 0x15 0x05 0x00 0x000001b1   jeq 433  true:0368 false:0363
 0363: 0x15 0x04 0x00 0x000001b2   jeq 434  true:0368 false:0364
 0364: 0x15 0x03 0x00 0x000001b3   jeq 435  true:0368 false:0365
 0365: 0x15 0x02 0x00 0x000001b5   jeq 437  true:0368 false:0366
 0366: 0x15 0x01 0x00 0x000001b7   jeq 439  true:0368 false:0367
 0367: 0x06 0x00 0x00 0x00050001   ret ERRNO(1)
 0368: 0x06 0x00 0x00 0x7fff0000   ret ALLOW

After the addition of @known:
 line  OP   JT   JF   K
=================================
 0000: 0x20 0x00 0x00 0x00000004   ld  $data[4]
 0001: 0x15 0x00 0xa4 0x40000003   jeq 1073741827 true:0002 false:0166
 0002: 0x20 0x00 0x00 0x00000000   ld  $data[0]
 0003: 0x15 0xa2 0x00 0x00000000   jeq 0    true:0166 false:0004
 0004: 0x15 0xa1 0x00 0x00000001   jeq 1    true:0166 false:0005
 0005: 0x15 0xa0 0x00 0x00000002   jeq 2    true:0166 false:0006
 0006: 0x15 0x9f 0x00 0x00000003   jeq 3    true:0166 false:0007
 0007: 0x15 0x9e 0x00 0x00000004   jeq 4    true:0166 false:0008
 0008: 0x15 0x9d 0x00 0x00000005   jeq 5    true:0166 false:0009
 0009: 0x15 0x9c 0x00 0x00000006   jeq 6    true:0166 false:0010
 0010: 0x15 0x9b 0x00 0x00000007   jeq 7    true:0166 false:0011
 0011: 0x15 0x9a 0x00 0x00000008   jeq 8    true:0166 false:0012
 0012: 0x15 0x99 0x00 0x00000009   jeq 9    true:0166 false:0013
 0013: 0x15 0x98 0x00 0x0000000a   jeq 10   true:0166 false:0014
 0014: 0x15 0x97 0x00 0x0000000b   jeq 11   true:0166 false:0015
 0015: 0x15 0x96 0x00 0x0000000c   jeq 12   true:0166 false:0016
 0016: 0x15 0x95 0x00 0x0000000d   jeq 13   true:0166 false:0017
 0017: 0x15 0x94 0x00 0x0000000e   jeq 14   true:0166 false:0018
 0018: 0x15 0x93 0x00 0x0000000f   jeq 15   true:0166 false:0019
 0019: 0x15 0x92 0x00 0x00000010   jeq 16   true:0166 false:0020
 0020: 0x15 0x91 0x00 0x00000012   jeq 18   true:0166 false:0021
 0021: 0x15 0x90 0x00 0x00000013   jeq 19   true:0166 false:0022
 0022: 0x15 0x8f 0x00 0x00000014   jeq 20   true:0166 false:0023
 0023: 0x15 0x8e 0x00 0x00000015   jeq 21   true:0166 false:0024
 0024: 0x15 0x8d 0x00 0x00000016   jeq 22   true:0166 false:0025
 0025: 0x15 0x8c 0x00 0x00000017   jeq 23   true:0166 false:0026
 0026: 0x15 0x8b 0x00 0x00000018   jeq 24   true:0166 false:0027
 0027: 0x15 0x87 0x00 0x00000019   jeq 25   true:0163 false:0028
 0028: 0x15 0x89 0x00 0x0000001a   jeq 26   true:0166 false:0029
 0029: 0x15 0x88 0x00 0x0000001b   jeq 27   true:0166 false:0030
 0030: 0x15 0x87 0x00 0x0000001c   jeq 28   true:0166 false:0031
 0031: 0x15 0x86 0x00 0x0000001d   jeq 29   true:0166 false:0032
 0032: 0x15 0x85 0x00 0x0000001e   jeq 30   true:0166 false:0033
 0033: 0x15 0x84 0x00 0x00000021   jeq 33   true:0166 false:0034
 0034: 0x15 0x83 0x00 0x00000022   jeq 34   true:0166 false:0035
 0035: 0x15 0x82 0x00 0x00000024   jeq 36   true:0166 false:0036
 0036: 0x15 0x81 0x00 0x00000025   jeq 37   true:0166 false:0037
 0037: 0x15 0x80 0x00 0x00000026   jeq 38   true:0166 false:0038
 0038: 0x15 0x7f 0x00 0x00000027   jeq 39   true:0166 false:0039
 0039: 0x15 0x7e 0x00 0x00000028   jeq 40   true:0166 false:0040
 0040: 0x15 0x7d 0x00 0x00000029   jeq 41   true:0166 false:0041
 0041: 0x15 0x7c 0x00 0x0000002a   jeq 42   true:0166 false:0042
 0042: 0x15 0x7b 0x00 0x0000002b   jeq 43   true:0166 false:0043
 0043: 0x15 0x7a 0x00 0x0000002d   jeq 45   true:0166 false:0044
 0044: 0x15 0x79 0x00 0x0000002e   jeq 46   true:0166 false:0045
 0045: 0x15 0x78 0x00 0x0000002f   jeq 47   true:0166 false:0046
 0046: 0x15 0x77 0x00 0x00000030   jeq 48   true:0166 false:0047
 0047: 0x15 0x76 0x00 0x00000031   jeq 49   true:0166 false:0048
 0048: 0x15 0x75 0x00 0x00000032   jeq 50   true:0166 false:0049
 0049: 0x15 0x71 0x00 0x00000033   jeq 51   true:0163 false:0050
 0050: 0x15 0x73 0x00 0x00000034   jeq 52   true:0166 false:0051
 0051: 0x15 0x72 0x00 0x00000036   jeq 54   true:0166 false:0052
 0052: 0x15 0x71 0x00 0x00000037   jeq 55   true:0166 false:0053
 0053: 0x15 0x70 0x00 0x00000039   jeq 57   true:0166 false:0054
 0054: 0x15 0x6f 0x00 0x0000003b   jeq 59   true:0166 false:0055
 0055: 0x15 0x6e 0x00 0x0000003c   jeq 60   true:0166 false:0056
 0056: 0x15 0x6d 0x00 0x0000003d   jeq 61   true:0166 false:0057
 0057: 0x15 0x69 0x00 0x0000003e   jeq 62   true:0163 false:0058
 0058: 0x15 0x6b 0x00 0x0000003f   jeq 63   true:0166 false:0059
 0059: 0x15 0x6a 0x00 0x00000040   jeq 64   true:0166 false:0060
 0060: 0x15 0x69 0x00 0x00000041   jeq 65   true:0166 false:0061
 0061: 0x15 0x68 0x00 0x00000042   jeq 66   true:0166 false:0062
 0062: 0x15 0x67 0x00 0x00000043   jeq 67   true:0166 false:0063
 0063: 0x15 0x63 0x00 0x00000044   jeq 68   true:0163 false:0064
 0064: 0x15 0x62 0x00 0x00000045   jeq 69   true:0163 false:0065
 0065: 0x15 0x64 0x00 0x00000046   jeq 70   true:0166 false:0066
 0066: 0x15 0x63 0x00 0x00000047   jeq 71   true:0166 false:0067
 0067: 0x15 0x62 0x00 0x00000048   jeq 72   true:0166 false:0068
 0068: 0x15 0x61 0x00 0x00000049   jeq 73   true:0166 false:0069
 0069: 0x15 0x60 0x00 0x0000004a   jeq 74   true:0166 false:0070
 0070: 0x15 0x5f 0x00 0x0000004b   jeq 75   true:0166 false:0071
 0071: 0x15 0x5e 0x00 0x0000004c   jeq 76   true:0166 false:0072
 0072: 0x15 0x5d 0x00 0x0000004d   jeq 77   true:0166 false:0073
 0073: 0x15 0x5c 0x00 0x0000004e   jeq 78   true:0166 false:0074
 0074: 0x15 0x58 0x00 0x0000004f   jeq 79   true:0163 false:0075
 0075: 0x15 0x5a 0x00 0x00000050   jeq 80   true:0166 false:0076
 0076: 0x15 0x59 0x00 0x00000051   jeq 81   true:0166 false:0077
 0077: 0x15 0x58 0x00 0x00000052   jeq 82   true:0166 false:0078
 0078: 0x15 0x57 0x00 0x00000053   jeq 83   true:0166 false:0079
 0079: 0x15 0x56 0x00 0x00000054   jeq 84   true:0166 false:0080
 0080: 0x15 0x55 0x00 0x00000055   jeq 85   true:0166 false:0081
 0081: 0x15 0x51 0x00 0x00000056   jeq 86   true:0163 false:0082
 0082: 0x15 0x50 0x00 0x00000057   jeq 87   true:0163 false:0083
 0083: 0x15 0x52 0x00 0x00000058   jeq 88   true:0166 false:0084
 0084: 0x15 0x51 0x00 0x00000059   jeq 89   true:0166 false:0085
 0085: 0x15 0x50 0x00 0x0000005a   jeq 90   true:0166 false:0086
 0086: 0x15 0x4f 0x00 0x0000005b   jeq 91   true:0166 false:0087
 0087: 0x15 0x4e 0x00 0x0000005c   jeq 92   true:0166 false:0088
 0088: 0x15 0x4d 0x00 0x0000005d   jeq 93   true:0166 false:0089
 0089: 0x15 0x4c 0x00 0x0000005e   jeq 94   true:0166 false:0090
 0090: 0x15 0x4b 0x00 0x0000005f   jeq 95   true:0166 false:0091
 0091: 0x15 0x4a 0x00 0x00000060   jeq 96   true:0166 false:0092
 0092: 0x15 0x49 0x00 0x00000061   jeq 97   true:0166 false:0093
 0093: 0x15 0x48 0x00 0x00000063   jeq 99   true:0166 false:0094
 0094: 0x15 0x47 0x00 0x00000064   jeq 100  true:0166 false:0095
 0095: 0x15 0x43 0x00 0x00000065   jeq 101  true:0163 false:0096
 0096: 0x15 0x45 0x00 0x00000066   jeq 102  true:0166 false:0097
 0097: 0x15 0x41 0x00 0x00000067   jeq 103  true:0163 false:0098
 0098: 0x15 0x43 0x00 0x00000068   jeq 104  true:0166 false:0099
 0099: 0x15 0x42 0x00 0x00000069   jeq 105  true:0166 false:0100
 0100: 0x15 0x41 0x00 0x0000006a   jeq 106  true:0166 false:0101
 0101: 0x15 0x40 0x00 0x0000006b   jeq 107  true:0166 false:0102
 0102: 0x15 0x3f 0x00 0x0000006c   jeq 108  true:0166 false:0103
 0103: 0x15 0x3e 0x00 0x0000006d   jeq 109  true:0166 false:0104
 0104: 0x15 0x3a 0x00 0x0000006e   jeq 110  true:0163 false:0105
 0105: 0x15 0x3c 0x00 0x0000006f   jeq 111  true:0166 false:0106
 0106: 0x15 0x38 0x00 0x00000070   jeq 112  true:0163 false:0107
 0107: 0x15 0x37 0x00 0x00000071   jeq 113  true:0163 false:0108
 0108: 0x15 0x39 0x00 0x00000072   jeq 114  true:0166 false:0109
 0109: 0x15 0x35 0x00 0x00000073   jeq 115  true:0163 false:0110
 0110: 0x15 0x37 0x00 0x00000074   jeq 116  true:0166 false:0111
 0111: 0x15 0x36 0x00 0x00000075   jeq 117  true:0166 false:0112
 0112: 0x15 0x35 0x00 0x00000076   jeq 118  true:0166 false:0113
 0113: 0x15 0x34 0x00 0x00000077   jeq 119  true:0166 false:0114
 0114: 0x15 0x33 0x00 0x00000078   jeq 120  true:0166 false:0115
 0115: 0x15 0x32 0x00 0x00000079   jeq 121  true:0166 false:0116
 0116: 0x15 0x31 0x00 0x0000007a   jeq 122  true:0166 false:0117
 0117: 0x15 0x2d 0x00 0x0000007b   jeq 123  true:0163 false:0118
 0118: 0x15 0x2c 0x00 0x0000007c   jeq 124  true:0163 false:0119
 0119: 0x15 0x2e 0x00 0x0000007d   jeq 125  true:0166 false:0120
 0120: 0x15 0x2d 0x00 0x0000007e   jeq 126  true:0166 false:0121
 0121: 0x15 0x29 0x00 0x0000007f   jeq 127  true:0163 false:0122
 0122: 0x15 0x28 0x00 0x00000080   jeq 128  true:0163 false:0123
 0123: 0x15 0x27 0x00 0x00000081   jeq 129  true:0163 false:0124
 0124: 0x15 0x26 0x00 0x00000082   jeq 130  true:0163 false:0125
 0125: 0x15 0x25 0x00 0x00000083   jeq 131  true:0163 false:0126
 0126: 0x15 0x27 0x00 0x00000084   jeq 132  true:0166 false:0127
 0127: 0x15 0x26 0x00 0x00000085   jeq 133  true:0166 false:0128
 0128: 0x15 0x22 0x00 0x00000086   jeq 134  true:0163 false:0129
 0129: 0x15 0x21 0x00 0x00000087   jeq 135  true:0163 false:0130
 0130: 0x15 0x23 0x00 0x00000088   jeq 136  true:0166 false:0131
 0131: 0x15 0x22 0x00 0x0000008a   jeq 138  true:0166 false:0132
 0132: 0x15 0x21 0x00 0x0000008b   jeq 139  true:0166 false:0133
 0133: 0x15 0x20 0x00 0x0000008c   jeq 140  true:0166 false:0134
 0134: 0x15 0x1f 0x00 0x0000008d   jeq 141  true:0166 false:0135
 0135: 0x15 0x1e 0x00 0x0000008e   jeq 142  true:0166 false:0136
 0136: 0x15 0x1d 0x00 0x0000008f   jeq 143  true:0166 false:0137
 0137: 0x15 0x1c 0x00 0x00000090   jeq 144  true:0166 false:0138
 0138: 0x15 0x1b 0x00 0x00000091   jeq 145  true:0166 false:0139
 0139: 0x15 0x1a 0x00 0x00000092   jeq 146  true:0166 false:0140
 0140: 0x15 0x19 0x00 0x00000093   jeq 147  true:0166 false:0141
 0141: 0x15 0x18 0x00 0x00000094   jeq 148  true:0166 false:0142
 0142: 0x15 0x14 0x00 0x00000095   jeq 149  true:0163 false:0143
 0143: 0x15 0x13 0x00 0x00000096   jeq 150  true:0163 false:0144
 0144: 0x15 0x12 0x00 0x00000097   jeq 151  true:0163 false:0145
 0145: 0x15 0x11 0x00 0x00000098   jeq 152  true:0163 false:0146
 0146: 0x15 0x10 0x00 0x00000099   jeq 153  true:0163 false:0147
 0147: 0x15 0x12 0x00 0x0000009a   jeq 154  true:0166 false:0148
 0148: 0x15 0x11 0x00 0x0000009b   jeq 155  true:0166 false:0149
 0149: 0x15 0x10 0x00 0x0000009c   jeq 156  true:0166 false:0150
 0150: 0x15 0x0f 0x00 0x0000009d   jeq 157  true:0166 false:0151
 0151: 0x15 0x0e 0x00 0x0000009e   jeq 158  true:0166 false:0152
 0152: 0x15 0x0d 0x00 0x0000009f   jeq 159  true:0166 false:0153
 0153: 0x15 0x0c 0x00 0x000000a0   jeq 160  true:0166 false:0154
 0154: 0x15 0x0b 0x00 0x000000a1   jeq 161  true:0166 false:0155
 0155: 0x15 0x0a 0x00 0x000000a2   jeq 162  true:0166 false:0156
 0156: 0x15 0x09 0x00 0x000000a3   jeq 163  true:0166 false:0157
 0157: 0x15 0x08 0x00 0x000000a4   jeq 164  true:0166 false:0158
 0158: 0x15 0x07 0x00 0x000000a5   jeq 165  true:0166 false:0159
 0159: 0x15 0x03 0x00 0x000000a6   jeq 166  true:0163 false:0160
 0160: 0x15 0x02 0x00 0x000000a7   jeq 167  true:0163 false:0161
 0161: 0x15 0x04 0x00 0x000000a8   jeq 168  true:0166 false:0162
 0162: 0x15 0x00 0x01 0x000000a9   jeq 169  true:0163 false:0164
 0163: 0x06 0x00 0x00 0x00050001   ret ERRNO(1)
 0164: 0x15 0x01 0x00 0x000000aa   jeq 170  true:0166 false:0165
 0165: 0x15 0x00 0x01 0x000000ab   jeq 171  true:0166 false:0167
 0166: 0x06 0x00 0x00 0x7fff0000   ret ALLOW
 0167: 0x15 0xff 0x00 0x000000ac   jeq 172  true:0423 false:0168
 0168: 0x15 0xfe 0x00 0x000000ad   jeq 173  true:0423 false:0169
 0169: 0x15 0xfd 0x00 0x000000ae   jeq 174  true:0423 false:0170
 0170: 0x15 0xfc 0x00 0x000000af   jeq 175  true:0423 false:0171
 0171: 0x15 0xfb 0x00 0x000000b0   jeq 176  true:0423 false:0172
 0172: 0x15 0xfa 0x00 0x000000b1   jeq 177  true:0423 false:0173
 0173: 0x15 0xf9 0x00 0x000000b2   jeq 178  true:0423 false:0174
 0174: 0x15 0xf8 0x00 0x000000b3   jeq 179  true:0423 false:0175
 0175: 0x15 0xf7 0x00 0x000000b4   jeq 180  true:0423 false:0176
 0176: 0x15 0xf6 0x00 0x000000b5   jeq 181  true:0423 false:0177
 0177: 0x15 0xf5 0x00 0x000000b6   jeq 182  true:0423 false:0178
 0178: 0x15 0xf4 0x00 0x000000b7   jeq 183  true:0423 false:0179
 0179: 0x15 0xf3 0x00 0x000000b8   jeq 184  true:0423 false:0180
 0180: 0x15 0xf2 0x00 0x000000b9   jeq 185  true:0423 false:0181
 0181: 0x15 0xf1 0x00 0x000000ba   jeq 186  true:0423 false:0182
 0182: 0x15 0xf0 0x00 0x000000bb   jeq 187  true:0423 false:0183
 0183: 0x15 0xec 0x00 0x000000bc   jeq 188  true:0420 false:0184
 0184: 0x15 0xee 0x00 0x000000be   jeq 190  true:0423 false:0185
 0185: 0x15 0xed 0x00 0x000000bf   jeq 191  true:0423 false:0186
 0186: 0x15 0xec 0x00 0x000000c0   jeq 192  true:0423 false:0187
 0187: 0x15 0xeb 0x00 0x000000c1   jeq 193  true:0423 false:0188
 0188: 0x15 0xea 0x00 0x000000c2   jeq 194  true:0423 false:0189
 0189: 0x15 0xe9 0x00 0x000000c3   jeq 195  true:0423 false:0190
 0190: 0x15 0xe8 0x00 0x000000c4   jeq 196  true:0423 false:0191
 0191: 0x15 0xe7 0x00 0x000000c5   jeq 197  true:0423 false:0192
 0192: 0x15 0xe6 0x00 0x000000c6   jeq 198  true:0423 false:0193
 0193: 0x15 0xe5 0x00 0x000000c7   jeq 199  true:0423 false:0194
 0194: 0x15 0xe4 0x00 0x000000c8   jeq 200  true:0423 false:0195
 0195: 0x15 0xe3 0x00 0x000000c9   jeq 201  true:0423 false:0196
 0196: 0x15 0xe2 0x00 0x000000ca   jeq 202  true:0423 false:0197
 0197: 0x15 0xe1 0x00 0x000000cb   jeq 203  true:0423 false:0198
 0198: 0x15 0xe0 0x00 0x000000cc   jeq 204  true:0423 false:0199
 0199: 0x15 0xdf 0x00 0x000000cd   jeq 205  true:0423 false:0200
 0200: 0x15 0xde 0x00 0x000000ce   jeq 206  true:0423 false:0201
 0201: 0x15 0xdd 0x00 0x000000cf   jeq 207  true:0423 false:0202
 0202: 0x15 0xdc 0x00 0x000000d0   jeq 208  true:0423 false:0203
 0203: 0x15 0xdb 0x00 0x000000d1   jeq 209  true:0423 false:0204
 0204: 0x15 0xda 0x00 0x000000d2   jeq 210  true:0423 false:0205
 0205: 0x15 0xd9 0x00 0x000000d3   jeq 211  true:0423 false:0206
 0206: 0x15 0xd8 0x00 0x000000d4   jeq 212  true:0423 false:0207
 0207: 0x15 0xd7 0x00 0x000000d5   jeq 213  true:0423 false:0208
 0208: 0x15 0xd6 0x00 0x000000d6   jeq 214  true:0423 false:0209
 0209: 0x15 0xd5 0x00 0x000000d7   jeq 215  true:0423 false:0210
 0210: 0x15 0xd4 0x00 0x000000d8   jeq 216  true:0423 false:0211
 0211: 0x15 0xd3 0x00 0x000000d9   jeq 217  true:0423 false:0212
 0212: 0x15 0xd2 0x00 0x000000da   jeq 218  true:0423 false:0213
 0213: 0x15 0xd1 0x00 0x000000db   jeq 219  true:0423 false:0214
 0214: 0x15 0xd0 0x00 0x000000dc   jeq 220  true:0423 false:0215
 0215: 0x15 0xcf 0x00 0x000000dd   jeq 221  true:0423 false:0216
 0216: 0x15 0xce 0x00 0x000000e0   jeq 224  true:0423 false:0217
 0217: 0x15 0xcd 0x00 0x000000e1   jeq 225  true:0423 false:0218
 0218: 0x15 0xcc 0x00 0x000000e2   jeq 226  true:0423 false:0219
 0219: 0x15 0xcb 0x00 0x000000e3   jeq 227  true:0423 false:0220
 0220: 0x15 0xca 0x00 0x000000e4   jeq 228  true:0423 false:0221
 0221: 0x15 0xc9 0x00 0x000000e5   jeq 229  true:0423 false:0222
 0222: 0x15 0xc8 0x00 0x000000e6   jeq 230  true:0423 false:0223
 0223: 0x15 0xc7 0x00 0x000000e7   jeq 231  true:0423 false:0224
 0224: 0x15 0xc6 0x00 0x000000e8   jeq 232  true:0423 false:0225
 0225: 0x15 0xc5 0x00 0x000000e9   jeq 233  true:0423 false:0226
 0226: 0x15 0xc4 0x00 0x000000ea   jeq 234  true:0423 false:0227
 0227: 0x15 0xc3 0x00 0x000000eb   jeq 235  true:0423 false:0228
 0228: 0x15 0xc2 0x00 0x000000ec   jeq 236  true:0423 false:0229
 0229: 0x15 0xc1 0x00 0x000000ed   jeq 237  true:0423 false:0230
 0230: 0x15 0xc0 0x00 0x000000ee   jeq 238  true:0423 false:0231
 0231: 0x15 0xbf 0x00 0x000000ef   jeq 239  true:0423 false:0232
 0232: 0x15 0xbe 0x00 0x000000f0   jeq 240  true:0423 false:0233
 0233: 0x15 0xbd 0x00 0x000000f1   jeq 241  true:0423 false:0234
 0234: 0x15 0xbc 0x00 0x000000f2   jeq 242  true:0423 false:0235
 0235: 0x15 0xbb 0x00 0x000000f3   jeq 243  true:0423 false:0236
 0236: 0x15 0xba 0x00 0x000000f4   jeq 244  true:0423 false:0237
 0237: 0x15 0xb9 0x00 0x000000f5   jeq 245  true:0423 false:0238
 0238: 0x15 0xb8 0x00 0x000000f6   jeq 246  true:0423 false:0239
 0239: 0x15 0xb7 0x00 0x000000f7   jeq 247  true:0423 false:0240
 0240: 0x15 0xb6 0x00 0x000000f8   jeq 248  true:0423 false:0241
 0241: 0x15 0xb5 0x00 0x000000f9   jeq 249  true:0423 false:0242
 0242: 0x15 0xb4 0x00 0x000000fa   jeq 250  true:0423 false:0243
 0243: 0x15 0xb3 0x00 0x000000fc   jeq 252  true:0423 false:0244
 0244: 0x15 0xaf 0x00 0x000000fd   jeq 253  true:0420 false:0245
 0245: 0x15 0xb1 0x00 0x000000fe   jeq 254  true:0423 false:0246
 0246: 0x15 0xb0 0x00 0x000000ff   jeq 255  true:0423 false:0247
 0247: 0x15 0xaf 0x00 0x00000100   jeq 256  true:0423 false:0248
 0248: 0x15 0xae 0x00 0x00000101   jeq 257  true:0423 false:0249
 0249: 0x15 0xad 0x00 0x00000102   jeq 258  true:0423 false:0250
 0250: 0x15 0xac 0x00 0x00000103   jeq 259  true:0423 false:0251
 0251: 0x15 0xab 0x00 0x00000104   jeq 260  true:0423 false:0252
 0252: 0x15 0xaa 0x00 0x00000105   jeq 261  true:0423 false:0253
 0253: 0x15 0xa9 0x00 0x00000106   jeq 262  true:0423 false:0254
 0254: 0x15 0xa8 0x00 0x00000107   jeq 263  true:0423 false:0255
 0255: 0x15 0xa4 0x00 0x00000108   jeq 264  true:0420 false:0256
 0256: 0x15 0xa6 0x00 0x00000109   jeq 265  true:0423 false:0257
 0257: 0x15 0xa5 0x00 0x0000010a   jeq 266  true:0423 false:0258
 0258: 0x15 0xa4 0x00 0x0000010b   jeq 267  true:0423 false:0259
 0259: 0x15 0xa3 0x00 0x0000010c   jeq 268  true:0423 false:0260
 0260: 0x15 0xa2 0x00 0x0000010d   jeq 269  true:0423 false:0261
 0261: 0x15 0xa1 0x00 0x0000010e   jeq 270  true:0423 false:0262
 0262: 0x15 0xa0 0x00 0x0000010f   jeq 271  true:0423 false:0263
 0263: 0x15 0x9f 0x00 0x00000110   jeq 272  true:0423 false:0264
 0264: 0x15 0x9e 0x00 0x00000112   jeq 274  true:0423 false:0265
 0265: 0x15 0x9d 0x00 0x00000113   jeq 275  true:0423 false:0266
 0266: 0x15 0x9c 0x00 0x00000114   jeq 276  true:0423 false:0267
 0267: 0x15 0x9b 0x00 0x00000115   jeq 277  true:0423 false:0268
 0268: 0x15 0x9a 0x00 0x00000116   jeq 278  true:0423 false:0269
 0269: 0x15 0x99 0x00 0x00000117   jeq 279  true:0423 false:0270
 0270: 0x15 0x98 0x00 0x00000118   jeq 280  true:0423 false:0271
 0271: 0x15 0x97 0x00 0x00000119   jeq 281  true:0423 false:0272
 0272: 0x15 0x96 0x00 0x0000011a   jeq 282  true:0423 false:0273
 0273: 0x15 0x92 0x00 0x0000011b   jeq 283  true:0420 false:0274
 0274: 0x15 0x94 0x00 0x0000011c   jeq 284  true:0423 false:0275
 0275: 0x15 0x90 0x00 0x0000011e   jeq 286  true:0420 false:0276
 0276: 0x15 0x8f 0x00 0x0000011f   jeq 287  true:0420 false:0277
 0277: 0x15 0x8e 0x00 0x00000120   jeq 288  true:0420 false:0278
 0278: 0x15 0x90 0x00 0x00000121   jeq 289  true:0423 false:0279
 0279: 0x15 0x8f 0x00 0x00000122   jeq 290  true:0423 false:0280
 0280: 0x15 0x8e 0x00 0x00000123   jeq 291  true:0423 false:0281
 0281: 0x15 0x8d 0x00 0x00000124   jeq 292  true:0423 false:0282
 0282: 0x15 0x8c 0x00 0x00000125   jeq 293  true:0423 false:0283
 0283: 0x15 0x8b 0x00 0x00000126   jeq 294  true:0423 false:0284
 0284: 0x15 0x8a 0x00 0x00000127   jeq 295  true:0423 false:0285
 0285: 0x15 0x89 0x00 0x00000128   jeq 296  true:0423 false:0286
 0286: 0x15 0x88 0x00 0x00000129   jeq 297  true:0423 false:0287
 0287: 0x15 0x87 0x00 0x0000012a   jeq 298  true:0423 false:0288
 0288: 0x15 0x86 0x00 0x0000012b   jeq 299  true:0423 false:0289
 0289: 0x15 0x85 0x00 0x0000012c   jeq 300  true:0423 false:0290
 0290: 0x15 0x84 0x00 0x0000012d   jeq 301  true:0423 false:0291
 0291: 0x15 0x83 0x00 0x0000012e   jeq 302  true:0423 false:0292
 0292: 0x15 0x82 0x00 0x0000012f   jeq 303  true:0423 false:0293
 0293: 0x15 0x81 0x00 0x00000130   jeq 304  true:0423 false:0294
 0294: 0x15 0x80 0x00 0x00000131   jeq 305  true:0423 false:0295
 0295: 0x15 0x7f 0x00 0x00000132   jeq 306  true:0423 false:0296
 0296: 0x15 0x7e 0x00 0x00000133   jeq 307  true:0423 false:0297
 0297: 0x15 0x7d 0x00 0x00000134   jeq 308  true:0423 false:0298
 0298: 0x15 0x7c 0x00 0x00000135   jeq 309  true:0423 false:0299
 0299: 0x15 0x7b 0x00 0x00000136   jeq 310  true:0423 false:0300
 0300: 0x15 0x7a 0x00 0x00000137   jeq 311  true:0423 false:0301
 0301: 0x15 0x79 0x00 0x00000138   jeq 312  true:0423 false:0302
 0302: 0x15 0x78 0x00 0x00000139   jeq 313  true:0423 false:0303
 0303: 0x15 0x77 0x00 0x0000013a   jeq 314  true:0423 false:0304
 0304: 0x15 0x76 0x00 0x0000013b   jeq 315  true:0423 false:0305
 0305: 0x15 0x75 0x00 0x0000013c   jeq 316  true:0423 false:0306
 0306: 0x15 0x74 0x00 0x0000013d   jeq 317  true:0423 false:0307
 0307: 0x15 0x73 0x00 0x0000013e   jeq 318  true:0423 false:0308
 0308: 0x15 0x72 0x00 0x0000013f   jeq 319  true:0423 false:0309
 0309: 0x15 0x71 0x00 0x00000140   jeq 320  true:0423 false:0310
 0310: 0x15 0x70 0x00 0x00000141   jeq 321  true:0423 false:0311
 0311: 0x15 0x6f 0x00 0x00000142   jeq 322  true:0423 false:0312
 0312: 0x15 0x6e 0x00 0x00000143   jeq 323  true:0423 false:0313
 0313: 0x15 0x6d 0x00 0x00000144   jeq 324  true:0423 false:0314
 0314: 0x15 0x6c 0x00 0x00000145   jeq 325  true:0423 false:0315
 0315: 0x15 0x6b 0x00 0x00000146   jeq 326  true:0423 false:0316
 0316: 0x15 0x6a 0x00 0x00000147   jeq 327  true:0423 false:0317
 0317: 0x15 0x69 0x00 0x00000148   jeq 328  true:0423 false:0318
 0318: 0x15 0x68 0x00 0x00000149   jeq 329  true:0423 false:0319
 0319: 0x15 0x67 0x00 0x0000014a   jeq 330  true:0423 false:0320
 0320: 0x15 0x66 0x00 0x0000014b   jeq 331  true:0423 false:0321
 0321: 0x15 0x65 0x00 0x0000014c   jeq 332  true:0423 false:0322
 0322: 0x15 0x64 0x00 0x0000014d   jeq 333  true:0423 false:0323
 0323: 0x15 0x63 0x00 0x0000014e   jeq 334  true:0423 false:0324
 0324: 0x15 0x62 0x00 0x0000014f   jeq 335  true:0423 false:0325
 0325: 0x15 0x5e 0x00 0x00000150   jeq 336  true:0420 false:0326
 0326: 0x15 0x60 0x00 0x00000151   jeq 337  true:0423 false:0327
 0327: 0x15 0x5c 0x00 0x00000152   jeq 338  true:0420 false:0328
 0328: 0x15 0x5b 0x00 0x00000153   jeq 339  true:0420 false:0329
 0329: 0x15 0x5d 0x00 0x00000154   jeq 340  true:0423 false:0330
 0330: 0x15 0x5c 0x00 0x00000155   jeq 341  true:0423 false:0331
 0331: 0x15 0x58 0x00 0x00000156   jeq 342  true:0420 false:0332
 0332: 0x15 0x57 0x00 0x00000157   jeq 343  true:0420 false:0333
 0333: 0x15 0x59 0x00 0x00000158   jeq 344  true:0423 false:0334
 0334: 0x15 0x58 0x00 0x00000159   jeq 345  true:0423 false:0335
 0335: 0x15 0x57 0x00 0x0000015a   jeq 346  true:0423 false:0336
 0336: 0x15 0x56 0x00 0x0000015b   jeq 347  true:0423 false:0337
 0337: 0x15 0x55 0x00 0x0000015c   jeq 348  true:0423 false:0338
 0338: 0x15 0x54 0x00 0x0000015d   jeq 349  true:0423 false:0339
 0339: 0x15 0x50 0x00 0x0000015e   jeq 350  true:0420 false:0340
 0340: 0x15 0x52 0x00 0x0000015f   jeq 351  true:0423 false:0341
 0341: 0x15 0x51 0x00 0x00000160   jeq 352  true:0423 false:0342
 0342: 0x15 0x50 0x00 0x00000161   jeq 353  true:0423 false:0343
 0343: 0x15 0x4f 0x00 0x00000162   jeq 354  true:0423 false:0344
 0344: 0x15 0x4e 0x00 0x00000163   jeq 355  true:0423 false:0345
 0345: 0x15 0x4d 0x00 0x00000164   jeq 356  true:0423 false:0346
 0346: 0x15 0x49 0x00 0x00000165   jeq 357  true:0420 false:0347
 0347: 0x15 0x4b 0x00 0x00000166   jeq 358  true:0423 false:0348
 0348: 0x15 0x4a 0x00 0x00000167   jeq 359  true:0423 false:0349
 0349: 0x15 0x49 0x00 0x00000168   jeq 360  true:0423 false:0350
 0350: 0x15 0x48 0x00 0x00000169   jeq 361  true:0423 false:0351
 0351: 0x15 0x47 0x00 0x0000016a   jeq 362  true:0423 false:0352
 0352: 0x15 0x46 0x00 0x0000016b   jeq 363  true:0423 false:0353
 0353: 0x15 0x45 0x00 0x0000016c   jeq 364  true:0423 false:0354
 0354: 0x15 0x44 0x00 0x0000016d   jeq 365  true:0423 false:0355
 0355: 0x15 0x43 0x00 0x0000016e   jeq 366  true:0423 false:0356
 0356: 0x15 0x42 0x00 0x0000016f   jeq 367  true:0423 false:0357
 0357: 0x15 0x41 0x00 0x00000170   jeq 368  true:0423 false:0358
 0358: 0x15 0x40 0x00 0x00000171   jeq 369  true:0423 false:0359
 0359: 0x15 0x3f 0x00 0x00000172   jeq 370  true:0423 false:0360
 0360: 0x15 0x3e 0x00 0x00000173   jeq 371  true:0423 false:0361
 0361: 0x15 0x3d 0x00 0x00000174   jeq 372  true:0423 false:0362
 0362: 0x15 0x3c 0x00 0x00000175   jeq 373  true:0423 false:0363
 0363: 0x15 0x3b 0x00 0x00000176   jeq 374  true:0423 false:0364
 0364: 0x15 0x3a 0x00 0x00000177   jeq 375  true:0423 false:0365
 0365: 0x15 0x36 0x00 0x00000178   jeq 376  true:0420 false:0366
 0366: 0x15 0x38 0x00 0x00000179   jeq 377  true:0423 false:0367
 0367: 0x15 0x37 0x00 0x0000017a   jeq 378  true:0423 false:0368
 0368: 0x15 0x36 0x00 0x0000017b   jeq 379  true:0423 false:0369
 0369: 0x15 0x32 0x00 0x0000017c   jeq 380  true:0420 false:0370
 0370: 0x15 0x31 0x00 0x0000017d   jeq 381  true:0420 false:0371
 0371: 0x15 0x30 0x00 0x0000017e   jeq 382  true:0420 false:0372
 0372: 0x15 0x32 0x00 0x0000017f   jeq 383  true:0423 false:0373
 0373: 0x15 0x31 0x00 0x00000180   jeq 384  true:0423 false:0374
 0374: 0x15 0x30 0x00 0x00000181   jeq 385  true:0423 false:0375
 0375: 0x15 0x2f 0x00 0x00000182   jeq 386  true:0423 false:0376
 0376: 0x15 0x2e 0x00 0x00000189   jeq 393  true:0423 false:0377
 0377: 0x15 0x2d 0x00 0x0000018a   jeq 394  true:0423 false:0378
 0378: 0x15 0x2c 0x00 0x0000018b   jeq 395  true:0423 false:0379
 0379: 0x15 0x2b 0x00 0x0000018c   jeq 396  true:0423 false:0380
 0380: 0x15 0x2a 0x00 0x0000018d   jeq 397  true:0423 false:0381
 0381: 0x15 0x29 0x00 0x0000018e   jeq 398  true:0423 false:0382
 0382: 0x15 0x28 0x00 0x0000018f   jeq 399  true:0423 false:0383
 0383: 0x15 0x27 0x00 0x00000190   jeq 400  true:0423 false:0384
 0384: 0x15 0x26 0x00 0x00000191   jeq 401  true:0423 false:0385
 0385: 0x15 0x25 0x00 0x00000192   jeq 402  true:0423 false:0386
 0386: 0x15 0x24 0x00 0x00000193   jeq 403  true:0423 false:0387
 0387: 0x15 0x20 0x00 0x00000194   jeq 404  true:0420 false:0388
 0388: 0x15 0x1f 0x00 0x00000195   jeq 405  true:0420 false:0389
 0389: 0x15 0x21 0x00 0x00000196   jeq 406  true:0423 false:0390
 0390: 0x15 0x20 0x00 0x00000197   jeq 407  true:0423 false:0391
 0391: 0x15 0x1f 0x00 0x00000198   jeq 408  true:0423 false:0392
 0392: 0x15 0x1e 0x00 0x00000199   jeq 409  true:0423 false:0393
 0393: 0x15 0x1d 0x00 0x0000019a   jeq 410  true:0423 false:0394
 0394: 0x15 0x1c 0x00 0x0000019b   jeq 411  true:0423 false:0395
 0395: 0x15 0x1b 0x00 0x0000019c   jeq 412  true:0423 false:0396
 0396: 0x15 0x1a 0x00 0x0000019d   jeq 413  true:0423 false:0397
 0397: 0x15 0x19 0x00 0x0000019e   jeq 414  true:0423 false:0398
 0398: 0x15 0x18 0x00 0x000001a0   jeq 416  true:0423 false:0399
 0399: 0x15 0x17 0x00 0x000001a1   jeq 417  true:0423 false:0400
 0400: 0x15 0x16 0x00 0x000001a2   jeq 418  true:0423 false:0401
 0401: 0x15 0x15 0x00 0x000001a3   jeq 419  true:0423 false:0402
 0402: 0x15 0x14 0x00 0x000001a4   jeq 420  true:0423 false:0403
 0403: 0x15 0x13 0x00 0x000001a5   jeq 421  true:0423 false:0404
 0404: 0x15 0x12 0x00 0x000001a6   jeq 422  true:0423 false:0405
 0405: 0x15 0x0e 0x00 0x000001a7   jeq 423  true:0420 false:0406
 0406: 0x15 0x10 0x00 0x000001a8   jeq 424  true:0423 false:0407
 0407: 0x15 0x0f 0x00 0x000001a9   jeq 425  true:0423 false:0408
 0408: 0x15 0x0e 0x00 0x000001aa   jeq 426  true:0423 false:0409
 0409: 0x15 0x0d 0x00 0x000001ab   jeq 427  true:0423 false:0410
 0410: 0x15 0x0c 0x00 0x000001ac   jeq 428  true:0423 false:0411
 0411: 0x15 0x0b 0x00 0x000001ad   jeq 429  true:0423 false:0412
 0412: 0x15 0x0a 0x00 0x000001ae   jeq 430  true:0423 false:0413
 0413: 0x15 0x09 0x00 0x000001af   jeq 431  true:0423 false:0414
 0414: 0x15 0x08 0x00 0x000001b0   jeq 432  true:0423 false:0415
 0415: 0x15 0x07 0x00 0x000001b1   jeq 433  true:0423 false:0416
 0416: 0x15 0x06 0x00 0x000001b2   jeq 434  true:0423 false:0417
 0417: 0x15 0x05 0x00 0x000001b3   jeq 435  true:0423 false:0418
 0418: 0x15 0x04 0x00 0x000001b5   jeq 437  true:0423 false:0419
 0419: 0x15 0x00 0x01 0x000001b6   jeq 438  true:0420 false:0421
 0420: 0x06 0x00 0x00 0x00050001   ret ERRNO(1)
 0421: 0x15 0x01 0x00 0x000001b7   jeq 439  true:0423 false:0422
 0422: 0x06 0x00 0x00 0x00050026   ret ERRNO(38)
 0423: 0x06 0x00 0x00 0x7fff0000   ret ALLOW

With the optimization on:
 line  OP   JT   JF   K
=================================
 0000: 0x20 0x00 0x00 0x00000004   ld  $data[4]
 0001: 0x15 0x00 0x0d 0x40000003   jeq 1073741827 true:0002 false:0015
 0002: 0x20 0x00 0x00 0x00000000   ld  $data[0]
 0003: 0x25 0x01 0x00 0x000000a9   jgt 169  true:0005 false:0004
 0004: 0x05 0x00 0x00 0x00000143   jmp 0328
 0005: 0x25 0x00 0xa0 0x0000012f   jgt 303  true:0006 false:0166
 0006: 0x25 0x00 0x50 0x0000016f   jgt 367  true:0007 false:0087
 0007: 0x25 0x00 0x28 0x00000195   jgt 405  true:0008 false:0048
 0008: 0x25 0x00 0x14 0x000001a6   jgt 422  true:0009 false:0029
 0009: 0x25 0x00 0x0a 0x000001ae   jgt 430  true:0010 false:0020
 0010: 0x25 0x00 0x05 0x000001b2   jgt 434  true:0011 false:0016
 0011: 0x15 0x03 0x00 0x000001b7   jeq 439  true:0015 false:0012
 0012: 0x15 0xd9 0x00 0x000001b6   jeq 438  true:0230 false:0013
 0013: 0x15 0x01 0x00 0x000001b5   jeq 437  true:0015 false:0014
 0014: 0x15 0x00 0xfd 0x000001b3   jeq 435  true:0015 false:0268
 0015: 0x06 0x00 0x00 0x7fff0000   ret ALLOW
 0016: 0x15 0xff 0x00 0x000001b2   jeq 434  true:0272 false:0017
 0017: 0x15 0xfe 0x00 0x000001b1   jeq 433  true:0272 false:0018
 0018: 0x15 0xfd 0x00 0x000001b0   jeq 432  true:0272 false:0019
 0019: 0x15 0xfc 0xf8 0x000001af   jeq 431  true:0272 false:0268
 0020: 0x25 0x00 0x04 0x000001aa   jgt 426  true:0021 false:0025
 0021: 0x15 0xfa 0x00 0x000001ae   jeq 430  true:0272 false:0022
 0022: 0x15 0xf9 0x00 0x000001ad   jeq 429  true:0272 false:0023
 0023: 0x15 0xf8 0x00 0x000001ac   jeq 428  true:0272 false:0024
 0024: 0x15 0xf7 0xf3 0x000001ab   jeq 427  true:0272 false:0268
 0025: 0x15 0xf6 0x00 0x000001aa   jeq 426  true:0272 false:0026
 0026: 0x15 0xf5 0x00 0x000001a9   jeq 425  true:0272 false:0027
 0027: 0x15 0xf4 0x00 0x000001a8   jeq 424  true:0272 false:0028
 0028: 0x15 0xc9 0xef 0x000001a7   jeq 423  true:0230 false:0268
 0029: 0x25 0x00 0x09 0x0000019d   jgt 413  true:0030 false:0039
 0030: 0x25 0x00 0x04 0x000001a2   jgt 418  true:0031 false:0035
 0031: 0x15 0xf0 0x00 0x000001a6   jeq 422  true:0272 false:0032
 0032: 0x15 0xef 0x00 0x000001a5   jeq 421  true:0272 false:0033
 0033: 0x15 0xee 0x00 0x000001a4   jeq 420  true:0272 false:0034
 0034: 0x15 0xed 0xe9 0x000001a3   jeq 419  true:0272 false:0268
 0035: 0x15 0xec 0x00 0x000001a2   jeq 418  true:0272 false:0036
 0036: 0x15 0xeb 0x00 0x000001a1   jeq 417  true:0272 false:0037
 0037: 0x15 0xea 0x00 0x000001a0   jeq 416  true:0272 false:0038
 0038: 0x15 0xe9 0xe5 0x0000019e   jeq 414  true:0272 false:0268
 0039: 0x25 0x00 0x04 0x00000199   jgt 409  true:0040 false:0044
 0040: 0x15 0xe7 0x00 0x0000019d   jeq 413  true:0272 false:0041
 0041: 0x15 0xe6 0x00 0x0000019c   jeq 412  true:0272 false:0042
 0042: 0x15 0xe5 0x00 0x0000019b   jeq 411  true:0272 false:0043
 0043: 0x15 0xe4 0xe0 0x0000019a   jeq 410  true:0272 false:0268
 0044: 0x15 0xe3 0x00 0x00000199   jeq 409  true:0272 false:0045
 0045: 0x15 0xe2 0x00 0x00000198   jeq 408  true:0272 false:0046
 0046: 0x15 0xe1 0x00 0x00000197   jeq 407  true:0272 false:0047
 0047: 0x15 0xe0 0xdc 0x00000196   jeq 406  true:0272 false:0268
 0048: 0x25 0x00 0x13 0x0000017f   jgt 383  true:0049 false:0068
 0049: 0x25 0x00 0x09 0x0000018d   jgt 397  true:0050 false:0059
 0050: 0x25 0x00 0x04 0x00000191   jgt 401  true:0051 false:0055
 0051: 0x15 0xb2 0x00 0x00000195   jeq 405  true:0230 false:0052
 0052: 0x15 0xb1 0x00 0x00000194   jeq 404  true:0230 false:0053
 0053: 0x15 0xda 0x00 0x00000193   jeq 403  true:0272 false:0054
 0054: 0x15 0xd9 0xd5 0x00000192   jeq 402  true:0272 false:0268
 0055: 0x15 0xd8 0x00 0x00000191   jeq 401  true:0272 false:0056
 0056: 0x15 0xd7 0x00 0x00000190   jeq 400  true:0272 false:0057
 0057: 0x15 0xd6 0x00 0x0000018f   jeq 399  true:0272 false:0058
 0058: 0x15 0xd5 0xd1 0x0000018e   jeq 398  true:0272 false:0268
 0059: 0x25 0x00 0x04 0x00000189   jgt 393  true:0060 false:0064
 0060: 0x15 0xd3 0x00 0x0000018d   jeq 397  true:0272 false:0061
 0061: 0x15 0xd2 0x00 0x0000018c   jeq 396  true:0272 false:0062
 0062: 0x15 0xd1 0x00 0x0000018b   jeq 395  true:0272 false:0063
 0063: 0x15 0xd0 0xcc 0x0000018a   jeq 394  true:0272 false:0268
 0064: 0x15 0xcf 0x00 0x00000189   jeq 393  true:0272 false:0065
 0065: 0x15 0xce 0x00 0x00000182   jeq 386  true:0272 false:0066
 0066: 0x15 0xcd 0x00 0x00000181   jeq 385  true:0272 false:0067
 0067: 0x15 0xcc 0xc8 0x00000180   jeq 384  true:0272 false:0268
 0068: 0x25 0x00 0x09 0x00000177   jgt 375  true:0069 false:0078
 0069: 0x25 0x00 0x04 0x0000017b   jgt 379  true:0070 false:0074
 0070: 0x15 0xc9 0x00 0x0000017f   jeq 383  true:0272 false:0071
 0071: 0x15 0x9e 0x00 0x0000017e   jeq 382  true:0230 false:0072
 0072: 0x15 0x9d 0x00 0x0000017d   jeq 381  true:0230 false:0073
 0073: 0x15 0x9c 0xc2 0x0000017c   jeq 380  true:0230 false:0268
 0074: 0x15 0xc5 0x00 0x0000017b   jeq 379  true:0272 false:0075
 0075: 0x15 0xc4 0x00 0x0000017a   jeq 378  true:0272 false:0076
 0076: 0x15 0xc3 0x00 0x00000179   jeq 377  true:0272 false:0077
 0077: 0x15 0x98 0xbe 0x00000178   jeq 376  true:0230 false:0268
 0078: 0x25 0x00 0x04 0x00000173   jgt 371  true:0079 false:0083
 0079: 0x15 0xc0 0x00 0x00000177   jeq 375  true:0272 false:0080
 0080: 0x15 0xbf 0x00 0x00000176   jeq 374  true:0272 false:0081
 0081: 0x15 0xbe 0x00 0x00000175   jeq 373  true:0272 false:0082
 0082: 0x15 0xbd 0xb9 0x00000174   jeq 372  true:0272 false:0268
 0083: 0x15 0xbc 0x00 0x00000173   jeq 371  true:0272 false:0084
 0084: 0x15 0xbb 0x00 0x00000172   jeq 370  true:0272 false:0085
 0085: 0x15 0xba 0x00 0x00000171   jeq 369  true:0272 false:0086
 0086: 0x15 0xb9 0xb5 0x00000170   jeq 368  true:0272 false:0268
 0087: 0x25 0x00 0x27 0x0000014f   jgt 335  true:0088 false:0127
 0088: 0x25 0x00 0x13 0x0000015f   jgt 351  true:0089 false:0108
 0089: 0x25 0x00 0x09 0x00000167   jgt 359  true:0090 false:0099
 0090: 0x25 0x00 0x04 0x0000016b   jgt 363  true:0091 false:0095
 0091: 0x15 0xb4 0x00 0x0000016f   jeq 367  true:0272 false:0092
 0092: 0x15 0xb3 0x00 0x0000016e   jeq 366  true:0272 false:0093
 0093: 0x15 0xb2 0x00 0x0000016d   jeq 365  true:0272 false:0094
 0094: 0x15 0xb1 0xad 0x0000016c   jeq 364  true:0272 false:0268
 0095: 0x15 0xb0 0x00 0x0000016b   jeq 363  true:0272 false:0096
 0096: 0x15 0xaf 0x00 0x0000016a   jeq 362  true:0272 false:0097
 0097: 0x15 0xae 0x00 0x00000169   jeq 361  true:0272 false:0098
 0098: 0x15 0xad 0xa9 0x00000168   jeq 360  true:0272 false:0268
 0099: 0x25 0x00 0x04 0x00000163   jgt 355  true:0100 false:0104
 0100: 0x15 0xab 0x00 0x00000167   jeq 359  true:0272 false:0101
 0101: 0x15 0xaa 0x00 0x00000166   jeq 358  true:0272 false:0102
 0102: 0x15 0x7f 0x00 0x00000165   jeq 357  true:0230 false:0103
 0103: 0x15 0xa8 0xa4 0x00000164   jeq 356  true:0272 false:0268
 0104: 0x15 0xa7 0x00 0x00000163   jeq 355  true:0272 false:0105
 0105: 0x15 0xa6 0x00 0x00000162   jeq 354  true:0272 false:0106
 0106: 0x15 0xa5 0x00 0x00000161   jeq 353  true:0272 false:0107
 0107: 0x15 0xa4 0xa0 0x00000160   jeq 352  true:0272 false:0268
 0108: 0x25 0x00 0x09 0x00000157   jgt 343  true:0109 false:0118
 0109: 0x25 0x00 0x04 0x0000015b   jgt 347  true:0110 false:0114
 0110: 0x15 0xa1 0x00 0x0000015f   jeq 351  true:0272 false:0111
 0111: 0x15 0x76 0x00 0x0000015e   jeq 350  true:0230 false:0112
 0112: 0x15 0x9f 0x00 0x0000015d   jeq 349  true:0272 false:0113
 0113: 0x15 0x9e 0x9a 0x0000015c   jeq 348  true:0272 false:0268
 0114: 0x15 0x9d 0x00 0x0000015b   jeq 347  true:0272 false:0115
 0115: 0x15 0x9c 0x00 0x0000015a   jeq 346  true:0272 false:0116
 0116: 0x15 0x9b 0x00 0x00000159   jeq 345  true:0272 false:0117
 0117: 0x15 0x9a 0x96 0x00000158   jeq 344  true:0272 false:0268
 0118: 0x25 0x00 0x04 0x00000153   jgt 339  true:0119 false:0123
 0119: 0x15 0x6e 0x00 0x00000157   jeq 343  true:0230 false:0120
 0120: 0x15 0x6d 0x00 0x00000156   jeq 342  true:0230 false:0121
 0121: 0x15 0x96 0x00 0x00000155   jeq 341  true:0272 false:0122
 0122: 0x15 0x95 0x91 0x00000154   jeq 340  true:0272 false:0268
 0123: 0x15 0x6a 0x00 0x00000153   jeq 339  true:0230 false:0124
 0124: 0x15 0x69 0x00 0x00000152   jeq 338  true:0230 false:0125
 0125: 0x15 0x92 0x00 0x00000151   jeq 337  true:0272 false:0126
 0126: 0x15 0x67 0x8d 0x00000150   jeq 336  true:0230 false:0268
 0127: 0x25 0x00 0x13 0x0000013f   jgt 319  true:0128 false:0147
 0128: 0x25 0x00 0x09 0x00000147   jgt 327  true:0129 false:0138
 0129: 0x25 0x00 0x04 0x0000014b   jgt 331  true:0130 false:0134
 0130: 0x15 0x8d 0x00 0x0000014f   jeq 335  true:0272 false:0131
 0131: 0x15 0x8c 0x00 0x0000014e   jeq 334  true:0272 false:0132
 0132: 0x15 0x8b 0x00 0x0000014d   jeq 333  true:0272 false:0133
 0133: 0x15 0x8a 0x86 0x0000014c   jeq 332  true:0272 false:0268
 0134: 0x15 0x89 0x00 0x0000014b   jeq 331  true:0272 false:0135
 0135: 0x15 0x88 0x00 0x0000014a   jeq 330  true:0272 false:0136
 0136: 0x15 0x87 0x00 0x00000149   jeq 329  true:0272 false:0137
 0137: 0x15 0x86 0x82 0x00000148   jeq 328  true:0272 false:0268
 0138: 0x25 0x00 0x04 0x00000143   jgt 323  true:0139 false:0143
 0139: 0x15 0x84 0x00 0x00000147   jeq 327  true:0272 false:0140
 0140: 0x15 0x83 0x00 0x00000146   jeq 326  true:0272 false:0141
 0141: 0x15 0x82 0x00 0x00000145   jeq 325  true:0272 false:0142
 0142: 0x15 0x81 0x7d 0x00000144   jeq 324  true:0272 false:0268
 0143: 0x15 0x80 0x00 0x00000143   jeq 323  true:0272 false:0144
 0144: 0x15 0x7f 0x00 0x00000142   jeq 322  true:0272 false:0145
 0145: 0x15 0x7e 0x00 0x00000141   jeq 321  true:0272 false:0146
 0146: 0x15 0x7d 0x79 0x00000140   jeq 320  true:0272 false:0268
 0147: 0x25 0x00 0x09 0x00000137   jgt 311  true:0148 false:0157
 0148: 0x25 0x00 0x04 0x0000013b   jgt 315  true:0149 false:0153
 0149: 0x15 0x7a 0x00 0x0000013f   jeq 319  true:0272 false:0150
 0150: 0x15 0x79 0x00 0x0000013e   jeq 318  true:0272 false:0151
 0151: 0x15 0x78 0x00 0x0000013d   jeq 317  true:0272 false:0152
 0152: 0x15 0x77 0x73 0x0000013c   jeq 316  true:0272 false:0268
 0153: 0x15 0x76 0x00 0x0000013b   jeq 315  true:0272 false:0154
 0154: 0x15 0x75 0x00 0x0000013a   jeq 314  true:0272 false:0155
 0155: 0x15 0x74 0x00 0x00000139   jeq 313  true:0272 false:0156
 0156: 0x15 0x73 0x6f 0x00000138   jeq 312  true:0272 false:0268
 0157: 0x25 0x00 0x04 0x00000133   jgt 307  true:0158 false:0162
 0158: 0x15 0x71 0x00 0x00000137   jeq 311  true:0272 false:0159
 0159: 0x15 0x70 0x00 0x00000136   jeq 310  true:0272 false:0160
 0160: 0x15 0x6f 0x00 0x00000135   jeq 309  true:0272 false:0161
 0161: 0x15 0x6e 0x6a 0x00000134   jeq 308  true:0272 false:0268
 0162: 0x15 0x6d 0x00 0x00000133   jeq 307  true:0272 false:0163
 0163: 0x15 0x6c 0x00 0x00000132   jeq 306  true:0272 false:0164
 0164: 0x15 0x6b 0x00 0x00000131   jeq 305  true:0272 false:0165
 0165: 0x15 0x6a 0x66 0x00000130   jeq 304  true:0272 false:0268
 0166: 0x25 0x00 0x50 0x000000ec   jgt 236  true:0167 false:0247
 0167: 0x25 0x00 0x27 0x0000010d   jgt 269  true:0168 false:0207
 0168: 0x25 0x00 0x13 0x0000011f   jgt 287  true:0169 false:0188
 0169: 0x25 0x00 0x09 0x00000127   jgt 295  true:0170 false:0179
 0170: 0x25 0x00 0x04 0x0000012b   jgt 299  true:0171 false:0175
 0171: 0x15 0x64 0x00 0x0000012f   jeq 303  true:0272 false:0172
 0172: 0x15 0x63 0x00 0x0000012e   jeq 302  true:0272 false:0173
 0173: 0x15 0x62 0x00 0x0000012d   jeq 301  true:0272 false:0174
 0174: 0x15 0x61 0x5d 0x0000012c   jeq 300  true:0272 false:0268
 0175: 0x15 0x60 0x00 0x0000012b   jeq 299  true:0272 false:0176
 0176: 0x15 0x5f 0x00 0x0000012a   jeq 298  true:0272 false:0177
 0177: 0x15 0x5e 0x00 0x00000129   jeq 297  true:0272 false:0178
 0178: 0x15 0x5d 0x59 0x00000128   jeq 296  true:0272 false:0268
 0179: 0x25 0x00 0x04 0x00000123   jgt 291  true:0180 false:0184
 0180: 0x15 0x5b 0x00 0x00000127   jeq 295  true:0272 false:0181
 0181: 0x15 0x5a 0x00 0x00000126   jeq 294  true:0272 false:0182
 0182: 0x15 0x59 0x00 0x00000125   jeq 293  true:0272 false:0183
 0183: 0x15 0x58 0x54 0x00000124   jeq 292  true:0272 false:0268
 0184: 0x15 0x57 0x00 0x00000123   jeq 291  true:0272 false:0185
 0185: 0x15 0x56 0x00 0x00000122   jeq 290  true:0272 false:0186
 0186: 0x15 0x55 0x00 0x00000121   jeq 289  true:0272 false:0187
 0187: 0x15 0x2a 0x50 0x00000120   jeq 288  true:0230 false:0268
 0188: 0x25 0x00 0x09 0x00000116   jgt 278  true:0189 false:0198
 0189: 0x25 0x00 0x04 0x0000011a   jgt 282  true:0190 false:0194
 0190: 0x15 0x27 0x00 0x0000011f   jeq 287  true:0230 false:0191
 0191: 0x15 0x26 0x00 0x0000011e   jeq 286  true:0230 false:0192
 0192: 0x15 0x4f 0x00 0x0000011c   jeq 284  true:0272 false:0193
 0193: 0x15 0x24 0x4a 0x0000011b   jeq 283  true:0230 false:0268
 0194: 0x15 0x4d 0x00 0x0000011a   jeq 282  true:0272 false:0195
 0195: 0x15 0x4c 0x00 0x00000119   jeq 281  true:0272 false:0196
 0196: 0x15 0x4b 0x00 0x00000118   jeq 280  true:0272 false:0197
 0197: 0x15 0x4a 0x46 0x00000117   jeq 279  true:0272 false:0268
 0198: 0x25 0x00 0x04 0x00000112   jgt 274  true:0199 false:0203
 0199: 0x15 0x48 0x00 0x00000116   jeq 278  true:0272 false:0200
 0200: 0x15 0x47 0x00 0x00000115   jeq 277  true:0272 false:0201
 0201: 0x15 0x46 0x00 0x00000114   jeq 276  true:0272 false:0202
 0202: 0x15 0x45 0x41 0x00000113   jeq 275  true:0272 false:0268
 0203: 0x15 0x44 0x00 0x00000112   jeq 274  true:0272 false:0204
 0204: 0x15 0x43 0x00 0x00000110   jeq 272  true:0272 false:0205
 0205: 0x15 0x42 0x00 0x0000010f   jeq 271  true:0272 false:0206
 0206: 0x15 0x41 0x3d 0x0000010e   jeq 270  true:0272 false:0268
 0207: 0x25 0x00 0x13 0x000000fd   jgt 253  true:0208 false:0227
 0208: 0x25 0x00 0x09 0x00000105   jgt 261  true:0209 false:0218
 0209: 0x25 0x00 0x04 0x00000109   jgt 265  true:0210 false:0214
 0210: 0x15 0x3d 0x00 0x0000010d   jeq 269  true:0272 false:0211
 0211: 0x15 0x3c 0x00 0x0000010c   jeq 268  true:0272 false:0212
 0212: 0x15 0x3b 0x00 0x0000010b   jeq 267  true:0272 false:0213
 0213: 0x15 0x3a 0x36 0x0000010a   jeq 266  true:0272 false:0268
 0214: 0x15 0x39 0x00 0x00000109   jeq 265  true:0272 false:0215
 0215: 0x15 0x0e 0x00 0x00000108   jeq 264  true:0230 false:0216
 0216: 0x15 0x37 0x00 0x00000107   jeq 263  true:0272 false:0217
 0217: 0x15 0x36 0x32 0x00000106   jeq 262  true:0272 false:0268
 0218: 0x25 0x00 0x04 0x00000101   jgt 257  true:0219 false:0223
 0219: 0x15 0x34 0x00 0x00000105   jeq 261  true:0272 false:0220
 0220: 0x15 0x33 0x00 0x00000104   jeq 260  true:0272 false:0221
 0221: 0x15 0x32 0x00 0x00000103   jeq 259  true:0272 false:0222
 0222: 0x15 0x31 0x2d 0x00000102   jeq 258  true:0272 false:0268
 0223: 0x15 0x30 0x00 0x00000101   jeq 257  true:0272 false:0224
 0224: 0x15 0x2f 0x00 0x00000100   jeq 256  true:0272 false:0225
 0225: 0x15 0x2e 0x00 0x000000ff   jeq 255  true:0272 false:0226
 0226: 0x15 0x2d 0x29 0x000000fe   jeq 254  true:0272 false:0268
 0227: 0x25 0x00 0x0a 0x000000f4   jgt 244  true:0228 false:0238
 0228: 0x25 0x00 0x05 0x000000f8   jgt 248  true:0229 false:0234
 0229: 0x15 0x00 0x01 0x000000fd   jeq 253  true:0230 false:0231
 0230: 0x06 0x00 0x00 0x00050001   ret ERRNO(1)
 0231: 0x15 0x28 0x00 0x000000fc   jeq 252  true:0272 false:0232
 0232: 0x15 0x27 0x00 0x000000fa   jeq 250  true:0272 false:0233
 0233: 0x15 0x26 0x22 0x000000f9   jeq 249  true:0272 false:0268
 0234: 0x15 0x25 0x00 0x000000f8   jeq 248  true:0272 false:0235
 0235: 0x15 0x24 0x00 0x000000f7   jeq 247  true:0272 false:0236
 0236: 0x15 0x23 0x00 0x000000f6   jeq 246  true:0272 false:0237
 0237: 0x15 0x22 0x1e 0x000000f5   jeq 245  true:0272 false:0268
 0238: 0x25 0x00 0x04 0x000000f0   jgt 240  true:0239 false:0243
 0239: 0x15 0x20 0x00 0x000000f4   jeq 244  true:0272 false:0240
 0240: 0x15 0x1f 0x00 0x000000f3   jeq 243  true:0272 false:0241
 0241: 0x15 0x1e 0x00 0x000000f2   jeq 242  true:0272 false:0242
 0242: 0x15 0x1d 0x19 0x000000f1   jeq 241  true:0272 false:0268
 0243: 0x15 0x1c 0x00 0x000000f0   jeq 240  true:0272 false:0244
 0244: 0x15 0x1b 0x00 0x000000ef   jeq 239  true:0272 false:0245
 0245: 0x15 0x1a 0x00 0x000000ee   jeq 238  true:0272 false:0246
 0246: 0x15 0x19 0x15 0x000000ed   jeq 237  true:0272 false:0268
 0247: 0x25 0x00 0x29 0x000000ca   jgt 202  true:0248 false:0289
 0248: 0x25 0x00 0x14 0x000000da   jgt 218  true:0249 false:0269
 0249: 0x25 0x00 0x09 0x000000e4   jgt 228  true:0250 false:0259
 0250: 0x25 0x00 0x04 0x000000e8   jgt 232  true:0251 false:0255
 0251: 0x15 0x14 0x00 0x000000ec   jeq 236  true:0272 false:0252
 0252: 0x15 0x13 0x00 0x000000eb   jeq 235  true:0272 false:0253
 0253: 0x15 0x12 0x00 0x000000ea   jeq 234  true:0272 false:0254
 0254: 0x15 0x11 0x0d 0x000000e9   jeq 233  true:0272 false:0268
 0255: 0x15 0x10 0x00 0x000000e8   jeq 232  true:0272 false:0256
 0256: 0x15 0x0f 0x00 0x000000e7   jeq 231  true:0272 false:0257
 0257: 0x15 0x0e 0x00 0x000000e6   jeq 230  true:0272 false:0258
 0258: 0x15 0x0d 0x09 0x000000e5   jeq 229  true:0272 false:0268
 0259: 0x25 0x00 0x04 0x000000e0   jgt 224  true:0260 false:0264
 0260: 0x15 0x0b 0x00 0x000000e4   jeq 228  true:0272 false:0261
 0261: 0x15 0x0a 0x00 0x000000e3   jeq 227  true:0272 false:0262
 0262: 0x15 0x09 0x00 0x000000e2   jeq 226  true:0272 false:0263
 0263: 0x15 0x08 0x04 0x000000e1   jeq 225  true:0272 false:0268
 0264: 0x15 0x07 0x00 0x000000e0   jeq 224  true:0272 false:0265
 0265: 0x15 0x06 0x00 0x000000dd   jeq 221  true:0272 false:0266
 0266: 0x15 0x05 0x00 0x000000dc   jeq 220  true:0272 false:0267
 0267: 0x15 0x04 0x00 0x000000db   jeq 219  true:0272 false:0268
 0268: 0x06 0x00 0x00 0x00050026   ret ERRNO(38)
 0269: 0x25 0x00 0x0a 0x000000d2   jgt 210  true:0270 false:0280
 0270: 0x25 0x00 0x05 0x000000d6   jgt 214  true:0271 false:0276
 0271: 0x15 0x00 0x01 0x000000da   jeq 218  true:0272 false:0273
 0272: 0x06 0x00 0x00 0x7fff0000   ret ALLOW
 0273: 0x15 0xff 0x00 0x000000d9   jeq 217  true:0529 false:0274
 0274: 0x15 0xfe 0x00 0x000000d8   jeq 216  true:0529 false:0275
 0275: 0x15 0xfd 0xfc 0x000000d7   jeq 215  true:0529 false:0528
 0276: 0x15 0xfc 0x00 0x000000d6   jeq 214  true:0529 false:0277
 0277: 0x15 0xfb 0x00 0x000000d5   jeq 213  true:0529 false:0278
 0278: 0x15 0xfa 0x00 0x000000d4   jeq 212  true:0529 false:0279
 0279: 0x15 0xf9 0xf8 0x000000d3   jeq 211  true:0529 false:0528
 0280: 0x25 0x00 0x04 0x000000ce   jgt 206  true:0281 false:0285
 0281: 0x15 0xf7 0x00 0x000000d2   jeq 210  true:0529 false:0282
 0282: 0x15 0xf6 0x00 0x000000d1   jeq 209  true:0529 false:0283
 0283: 0x15 0xf5 0x00 0x000000d0   jeq 208  true:0529 false:0284
 0284: 0x15 0xf4 0xf3 0x000000cf   jeq 207  true:0529 false:0528
 0285: 0x15 0xf3 0x00 0x000000ce   jeq 206  true:0529 false:0286
 0286: 0x15 0xf2 0x00 0x000000cd   jeq 205  true:0529 false:0287
 0287: 0x15 0xf1 0x00 0x000000cc   jeq 204  true:0529 false:0288
 0288: 0x15 0xf0 0xef 0x000000cb   jeq 203  true:0529 false:0528
 0289: 0x25 0x00 0x13 0x000000b9   jgt 185  true:0290 false:0309
 0290: 0x25 0x00 0x09 0x000000c2   jgt 194  true:0291 false:0300
 0291: 0x25 0x00 0x04 0x000000c6   jgt 198  true:0292 false:0296
 0292: 0x15 0xec 0x00 0x000000ca   jeq 202  true:0529 false:0293
 0293: 0x15 0xeb 0x00 0x000000c9   jeq 201  true:0529 false:0294
 0294: 0x15 0xea 0x00 0x000000c8   jeq 200  true:0529 false:0295
 0295: 0x15 0xe9 0xe8 0x000000c7   jeq 199  true:0529 false:0528
 0296: 0x15 0xe8 0x00 0x000000c6   jeq 198  true:0529 false:0297
 0297: 0x15 0xe7 0x00 0x000000c5   jeq 197  true:0529 false:0298
 0298: 0x15 0xe6 0x00 0x000000c4   jeq 196  true:0529 false:0299
 0299: 0x15 0xe5 0xe4 0x000000c3   jeq 195  true:0529 false:0528
 0300: 0x25 0x00 0x04 0x000000be   jgt 190  true:0301 false:0305
 0301: 0x15 0xe3 0x00 0x000000c2   jeq 194  true:0529 false:0302
 0302: 0x15 0xe2 0x00 0x000000c1   jeq 193  true:0529 false:0303
 0303: 0x15 0xe1 0x00 0x000000c0   jeq 192  true:0529 false:0304
 0304: 0x15 0xe0 0xdf 0x000000bf   jeq 191  true:0529 false:0528
 0305: 0x15 0xdf 0x00 0x000000be   jeq 190  true:0529 false:0306
 0306: 0x15 0xc0 0x00 0x000000bc   jeq 188  true:0499 false:0307
 0307: 0x15 0xdd 0x00 0x000000bb   jeq 187  true:0529 false:0308
 0308: 0x15 0xdc 0xdb 0x000000ba   jeq 186  true:0529 false:0528
 0309: 0x25 0x00 0x09 0x000000b1   jgt 177  true:0310 false:0319
 0310: 0x25 0x00 0x04 0x000000b5   jgt 181  true:0311 false:0315
 0311: 0x15 0xd9 0x00 0x000000b9   jeq 185  true:0529 false:0312
 0312: 0x15 0xd8 0x00 0x000000b8   jeq 184  true:0529 false:0313
 0313: 0x15 0xd7 0x00 0x000000b7   jeq 183  true:0529 false:0314
 0314: 0x15 0xd6 0xd5 0x000000b6   jeq 182  true:0529 false:0528
 0315: 0x15 0xd5 0x00 0x000000b5   jeq 181  true:0529 false:0316
 0316: 0x15 0xd4 0x00 0x000000b4   jeq 180  true:0529 false:0317
 0317: 0x15 0xd3 0x00 0x000000b3   jeq 179  true:0529 false:0318
 0318: 0x15 0xd2 0xd1 0x000000b2   jeq 178  true:0529 false:0528
 0319: 0x25 0x00 0x04 0x000000ad   jgt 173  true:0320 false:0324
 0320: 0x15 0xd0 0x00 0x000000b1   jeq 177  true:0529 false:0321
 0321: 0x15 0xcf 0x00 0x000000b0   jeq 176  true:0529 false:0322
 0322: 0x15 0xce 0x00 0x000000af   jeq 175  true:0529 false:0323
 0323: 0x15 0xcd 0xcc 0x000000ae   jeq 174  true:0529 false:0528
 0324: 0x15 0xcc 0x00 0x000000ad   jeq 173  true:0529 false:0325
 0325: 0x15 0xcb 0x00 0x000000ac   jeq 172  true:0529 false:0326
 0326: 0x15 0xca 0x00 0x000000ab   jeq 171  true:0529 false:0327
 0327: 0x15 0xc9 0xc8 0x000000aa   jeq 170  true:0529 false:0528
 0328: 0x25 0x00 0x9f 0x00000022   jgt 34   true:0329 false:0488
 0329: 0x25 0x00 0x4f 0x00000068   jgt 104  true:0330 false:0409
 0330: 0x25 0x00 0x27 0x00000088   jgt 136  true:0331 false:0370
 0331: 0x25 0x00 0x13 0x00000099   jgt 153  true:0332 false:0351
 0332: 0x25 0x00 0x09 0x000000a1   jgt 161  true:0333 false:0342
 0333: 0x25 0x00 0x04 0x000000a5   jgt 165  true:0334 false:0338
 0334: 0x15 0xa4 0x00 0x000000a9   jeq 169  true:0499 false:0335
 0335: 0x15 0xc1 0x00 0x000000a8   jeq 168  true:0529 false:0336
 0336: 0x15 0xa2 0x00 0x000000a7   jeq 167  true:0499 false:0337
 0337: 0x15 0xa1 0xbe 0x000000a6   jeq 166  true:0499 false:0528
 0338: 0x15 0xbe 0x00 0x000000a5   jeq 165  true:0529 false:0339
 0339: 0x15 0xbd 0x00 0x000000a4   jeq 164  true:0529 false:0340
 0340: 0x15 0xbc 0x00 0x000000a3   jeq 163  true:0529 false:0341
 0341: 0x15 0xbb 0xba 0x000000a2   jeq 162  true:0529 false:0528
 0342: 0x25 0x00 0x04 0x0000009d   jgt 157  true:0343 false:0347
 0343: 0x15 0xb9 0x00 0x000000a1   jeq 161  true:0529 false:0344
 0344: 0x15 0xb8 0x00 0x000000a0   jeq 160  true:0529 false:0345
 0345: 0x15 0xb7 0x00 0x0000009f   jeq 159  true:0529 false:0346
 0346: 0x15 0xb6 0xb5 0x0000009e   jeq 158  true:0529 false:0528
 0347: 0x15 0xb5 0x00 0x0000009d   jeq 157  true:0529 false:0348
 0348: 0x15 0xb4 0x00 0x0000009c   jeq 156  true:0529 false:0349
 0349: 0x15 0xb3 0x00 0x0000009b   jeq 155  true:0529 false:0350
 0350: 0x15 0xb2 0xb1 0x0000009a   jeq 154  true:0529 false:0528
 0351: 0x25 0x00 0x09 0x00000091   jgt 145  true:0352 false:0361
 0352: 0x25 0x00 0x04 0x00000095   jgt 149  true:0353 false:0357
 0353: 0x15 0x91 0x00 0x00000099   jeq 153  true:0499 false:0354
 0354: 0x15 0x90 0x00 0x00000098   jeq 152  true:0499 false:0355
 0355: 0x15 0x8f 0x00 0x00000097   jeq 151  true:0499 false:0356
 0356: 0x15 0x8e 0xab 0x00000096   jeq 150  true:0499 false:0528
 0357: 0x15 0x8d 0x00 0x00000095   jeq 149  true:0499 false:0358
 0358: 0x15 0xaa 0x00 0x00000094   jeq 148  true:0529 false:0359
 0359: 0x15 0xa9 0x00 0x00000093   jeq 147  true:0529 false:0360
 0360: 0x15 0xa8 0xa7 0x00000092   jeq 146  true:0529 false:0528
 0361: 0x25 0x00 0x04 0x0000008d   jgt 141  true:0362 false:0366
 0362: 0x15 0xa6 0x00 0x00000091   jeq 145  true:0529 false:0363
 0363: 0x15 0xa5 0x00 0x00000090   jeq 144  true:0529 false:0364
 0364: 0x15 0xa4 0x00 0x0000008f   jeq 143  true:0529 false:0365
 0365: 0x15 0xa3 0xa2 0x0000008e   jeq 142  true:0529 false:0528
 0366: 0x15 0xa2 0x00 0x0000008d   jeq 141  true:0529 false:0367
 0367: 0x15 0xa1 0x00 0x0000008c   jeq 140  true:0529 false:0368
 0368: 0x15 0xa0 0x00 0x0000008b   jeq 139  true:0529 false:0369
 0369: 0x15 0x9f 0x9e 0x0000008a   jeq 138  true:0529 false:0528
 0370: 0x25 0x00 0x13 0x00000078   jgt 120  true:0371 false:0390
 0371: 0x25 0x00 0x09 0x00000080   jgt 128  true:0372 false:0381
 0372: 0x25 0x00 0x04 0x00000084   jgt 132  true:0373 false:0377
 0373: 0x15 0x9b 0x00 0x00000088   jeq 136  true:0529 false:0374
 0374: 0x15 0x7c 0x00 0x00000087   jeq 135  true:0499 false:0375
 0375: 0x15 0x7b 0x00 0x00000086   jeq 134  true:0499 false:0376
 0376: 0x15 0x98 0x97 0x00000085   jeq 133  true:0529 false:0528
 0377: 0x15 0x97 0x00 0x00000084   jeq 132  true:0529 false:0378
 0378: 0x15 0x78 0x00 0x00000083   jeq 131  true:0499 false:0379
 0379: 0x15 0x77 0x00 0x00000082   jeq 130  true:0499 false:0380
 0380: 0x15 0x76 0x93 0x00000081   jeq 129  true:0499 false:0528
 0381: 0x25 0x00 0x04 0x0000007c   jgt 124  true:0382 false:0386
 0382: 0x15 0x74 0x00 0x00000080   jeq 128  true:0499 false:0383
 0383: 0x15 0x73 0x00 0x0000007f   jeq 127  true:0499 false:0384
 0384: 0x15 0x90 0x00 0x0000007e   jeq 126  true:0529 false:0385
 0385: 0x15 0x8f 0x8e 0x0000007d   jeq 125  true:0529 false:0528
 0386: 0x15 0x70 0x00 0x0000007c   jeq 124  true:0499 false:0387
 0387: 0x15 0x6f 0x00 0x0000007b   jeq 123  true:0499 false:0388
 0388: 0x15 0x8c 0x00 0x0000007a   jeq 122  true:0529 false:0389
 0389: 0x15 0x8b 0x8a 0x00000079   jeq 121  true:0529 false:0528
 0390: 0x25 0x00 0x09 0x00000070   jgt 112  true:0391 false:0400
 0391: 0x25 0x00 0x04 0x00000074   jgt 116  true:0392 false:0396
 0392: 0x15 0x88 0x00 0x00000078   jeq 120  true:0529 false:0393
 0393: 0x15 0x87 0x00 0x00000077   jeq 119  true:0529 false:0394
 0394: 0x15 0x86 0x00 0x00000076   jeq 118  true:0529 false:0395
 0395: 0x15 0x85 0x84 0x00000075   jeq 117  true:0529 false:0528
 0396: 0x15 0x84 0x00 0x00000074   jeq 116  true:0529 false:0397
 0397: 0x15 0x65 0x00 0x00000073   jeq 115  true:0499 false:0398
 0398: 0x15 0x82 0x00 0x00000072   jeq 114  true:0529 false:0399
 0399: 0x15 0x63 0x80 0x00000071   jeq 113  true:0499 false:0528
 0400: 0x25 0x00 0x04 0x0000006c   jgt 108  true:0401 false:0405
 0401: 0x15 0x61 0x00 0x00000070   jeq 112  true:0499 false:0402
 0402: 0x15 0x7e 0x00 0x0000006f   jeq 111  true:0529 false:0403
 0403: 0x15 0x5f 0x00 0x0000006e   jeq 110  true:0499 false:0404
 0404: 0x15 0x7c 0x7b 0x0000006d   jeq 109  true:0529 false:0528
 0405: 0x15 0x7b 0x00 0x0000006c   jeq 108  true:0529 false:0406
 0406: 0x15 0x7a 0x00 0x0000006b   jeq 107  true:0529 false:0407
 0407: 0x15 0x79 0x00 0x0000006a   jeq 106  true:0529 false:0408
 0408: 0x15 0x78 0x77 0x00000069   jeq 105  true:0529 false:0528
 0409: 0x25 0x00 0x27 0x00000047   jgt 71   true:0410 false:0449
 0410: 0x25 0x00 0x13 0x00000057   jgt 87   true:0411 false:0430
 0411: 0x25 0x00 0x09 0x0000005f   jgt 95   true:0412 false:0421
 0412: 0x25 0x00 0x04 0x00000064   jgt 100  true:0413 false:0417
 0413: 0x15 0x73 0x00 0x00000068   jeq 104  true:0529 false:0414
 0414: 0x15 0x54 0x00 0x00000067   jeq 103  true:0499 false:0415
 0415: 0x15 0x71 0x00 0x00000066   jeq 102  true:0529 false:0416
 0416: 0x15 0x52 0x6f 0x00000065   jeq 101  true:0499 false:0528
 0417: 0x15 0x6f 0x00 0x00000064   jeq 100  true:0529 false:0418
 0418: 0x15 0x6e 0x00 0x00000063   jeq 99   true:0529 false:0419
 0419: 0x15 0x6d 0x00 0x00000061   jeq 97   true:0529 false:0420
 0420: 0x15 0x6c 0x6b 0x00000060   jeq 96   true:0529 false:0528
 0421: 0x25 0x00 0x04 0x0000005b   jgt 91   true:0422 false:0426
 0422: 0x15 0x6a 0x00 0x0000005f   jeq 95   true:0529 false:0423
 0423: 0x15 0x69 0x00 0x0000005e   jeq 94   true:0529 false:0424
 0424: 0x15 0x68 0x00 0x0000005d   jeq 93   true:0529 false:0425
 0425: 0x15 0x67 0x66 0x0000005c   jeq 92   true:0529 false:0528
 0426: 0x15 0x66 0x00 0x0000005b   jeq 91   true:0529 false:0427
 0427: 0x15 0x65 0x00 0x0000005a   jeq 90   true:0529 false:0428
 0428: 0x15 0x64 0x00 0x00000059   jeq 89   true:0529 false:0429
 0429: 0x15 0x63 0x62 0x00000058   jeq 88   true:0529 false:0528
 0430: 0x25 0x00 0x09 0x0000004f   jgt 79   true:0431 false:0440
 0431: 0x25 0x00 0x04 0x00000053   jgt 83   true:0432 false:0436
 0432: 0x15 0x42 0x00 0x00000057   jeq 87   true:0499 false:0433
 0433: 0x15 0x41 0x00 0x00000056   jeq 86   true:0499 false:0434
 0434: 0x15 0x5e 0x00 0x00000055   jeq 85   true:0529 false:0435
 0435: 0x15 0x5d 0x5c 0x00000054   jeq 84   true:0529 false:0528
 0436: 0x15 0x5c 0x00 0x00000053   jeq 83   true:0529 false:0437
 0437: 0x15 0x5b 0x00 0x00000052   jeq 82   true:0529 false:0438
 0438: 0x15 0x5a 0x00 0x00000051   jeq 81   true:0529 false:0439
 0439: 0x15 0x59 0x58 0x00000050   jeq 80   true:0529 false:0528
 0440: 0x25 0x00 0x04 0x0000004b   jgt 75   true:0441 false:0445
 0441: 0x15 0x39 0x00 0x0000004f   jeq 79   true:0499 false:0442
 0442: 0x15 0x56 0x00 0x0000004e   jeq 78   true:0529 false:0443
 0443: 0x15 0x55 0x00 0x0000004d   jeq 77   true:0529 false:0444
 0444: 0x15 0x54 0x53 0x0000004c   jeq 76   true:0529 false:0528
 0445: 0x15 0x53 0x00 0x0000004b   jeq 75   true:0529 false:0446
 0446: 0x15 0x52 0x00 0x0000004a   jeq 74   true:0529 false:0447
 0447: 0x15 0x51 0x00 0x00000049   jeq 73   true:0529 false:0448
 0448: 0x15 0x50 0x4f 0x00000048   jeq 72   true:0529 false:0528
 0449: 0x25 0x00 0x13 0x00000034   jgt 52   true:0450 false:0469
 0450: 0x25 0x00 0x09 0x0000003f   jgt 63   true:0451 false:0460
 0451: 0x25 0x00 0x04 0x00000043   jgt 67   true:0452 false:0456
 0452: 0x15 0x4c 0x00 0x00000047   jeq 71   true:0529 false:0453
 0453: 0x15 0x4b 0x00 0x00000046   jeq 70   true:0529 false:0454
 0454: 0x15 0x2c 0x00 0x00000045   jeq 69   true:0499 false:0455
 0455: 0x15 0x2b 0x48 0x00000044   jeq 68   true:0499 false:0528
 0456: 0x15 0x48 0x00 0x00000043   jeq 67   true:0529 false:0457
 0457: 0x15 0x47 0x00 0x00000042   jeq 66   true:0529 false:0458
 0458: 0x15 0x46 0x00 0x00000041   jeq 65   true:0529 false:0459
 0459: 0x15 0x45 0x44 0x00000040   jeq 64   true:0529 false:0528
 0460: 0x25 0x00 0x04 0x0000003b   jgt 59   true:0461 false:0465
 0461: 0x15 0x43 0x00 0x0000003f   jeq 63   true:0529 false:0462
 0462: 0x15 0x24 0x00 0x0000003e   jeq 62   true:0499 false:0463
 0463: 0x15 0x41 0x00 0x0000003d   jeq 61   true:0529 false:0464
 0464: 0x15 0x40 0x3f 0x0000003c   jeq 60   true:0529 false:0528
 0465: 0x15 0x3f 0x00 0x0000003b   jeq 59   true:0529 false:0466
 0466: 0x15 0x3e 0x00 0x00000039   jeq 57   true:0529 false:0467
 0467: 0x15 0x3d 0x00 0x00000037   jeq 55   true:0529 false:0468
 0468: 0x15 0x3c 0x3b 0x00000036   jeq 54   true:0529 false:0528
 0469: 0x25 0x00 0x09 0x0000002b   jgt 43   true:0470 false:0479
 0470: 0x25 0x00 0x04 0x00000030   jgt 48   true:0471 false:0475
 0471: 0x15 0x39 0x00 0x00000034   jeq 52   true:0529 false:0472
 0472: 0x15 0x1a 0x00 0x00000033   jeq 51   true:0499 false:0473
 0473: 0x15 0x37 0x00 0x00000032   jeq 50   true:0529 false:0474
 0474: 0x15 0x36 0x35 0x00000031   jeq 49   true:0529 false:0528
 0475: 0x15 0x35 0x00 0x00000030   jeq 48   true:0529 false:0476
 0476: 0x15 0x34 0x00 0x0000002f   jeq 47   true:0529 false:0477
 0477: 0x15 0x33 0x00 0x0000002e   jeq 46   true:0529 false:0478
 0478: 0x15 0x32 0x31 0x0000002d   jeq 45   true:0529 false:0528
 0479: 0x25 0x00 0x04 0x00000027   jgt 39   true:0480 false:0484
 0480: 0x15 0x30 0x00 0x0000002b   jeq 43   true:0529 false:0481
 0481: 0x15 0x2f 0x00 0x0000002a   jeq 42   true:0529 false:0482
 0482: 0x15 0x2e 0x00 0x00000029   jeq 41   true:0529 false:0483
 0483: 0x15 0x2d 0x2c 0x00000028   jeq 40   true:0529 false:0528
 0484: 0x15 0x2c 0x00 0x00000027   jeq 39   true:0529 false:0485
 0485: 0x15 0x2b 0x00 0x00000026   jeq 38   true:0529 false:0486
 0486: 0x15 0x2a 0x00 0x00000025   jeq 37   true:0529 false:0487
 0487: 0x15 0x29 0x28 0x00000024   jeq 36   true:0529 false:0528
 0488: 0x25 0x00 0x14 0x0000000f   jgt 15   true:0489 false:0509
 0489: 0x25 0x00 0x0a 0x00000018   jgt 24   true:0490 false:0500
 0490: 0x25 0x00 0x04 0x0000001c   jgt 28   true:0491 false:0495
 0491: 0x15 0x25 0x00 0x00000022   jeq 34   true:0529 false:0492
 0492: 0x15 0x24 0x00 0x00000021   jeq 33   true:0529 false:0493
 0493: 0x15 0x23 0x00 0x0000001e   jeq 30   true:0529 false:0494
 0494: 0x15 0x22 0x21 0x0000001d   jeq 29   true:0529 false:0528
 0495: 0x15 0x21 0x00 0x0000001c   jeq 28   true:0529 false:0496
 0496: 0x15 0x20 0x00 0x0000001b   jeq 27   true:0529 false:0497
 0497: 0x15 0x1f 0x00 0x0000001a   jeq 26   true:0529 false:0498
 0498: 0x15 0x00 0x1d 0x00000019   jeq 25   true:0499 false:0528
 0499: 0x06 0x00 0x00 0x00050001   ret ERRNO(1)
 0500: 0x25 0x00 0x04 0x00000014   jgt 20   true:0501 false:0505
 0501: 0x15 0x1b 0x00 0x00000018   jeq 24   true:0529 false:0502
 0502: 0x15 0x1a 0x00 0x00000017   jeq 23   true:0529 false:0503
 0503: 0x15 0x19 0x00 0x00000016   jeq 22   true:0529 false:0504
 0504: 0x15 0x18 0x17 0x00000015   jeq 21   true:0529 false:0528
 0505: 0x15 0x17 0x00 0x00000014   jeq 20   true:0529 false:0506
 0506: 0x15 0x16 0x00 0x00000013   jeq 19   true:0529 false:0507
 0507: 0x15 0x15 0x00 0x00000012   jeq 18   true:0529 false:0508
 0508: 0x15 0x14 0x13 0x00000010   jeq 16   true:0529 false:0528
 0509: 0x25 0x00 0x09 0x00000007   jgt 7    true:0510 false:0519
 0510: 0x25 0x00 0x04 0x0000000b   jgt 11   true:0511 false:0515
 0511: 0x15 0x11 0x00 0x0000000f   jeq 15   true:0529 false:0512
 0512: 0x15 0x10 0x00 0x0000000e   jeq 14   true:0529 false:0513
 0513: 0x15 0x0f 0x00 0x0000000d   jeq 13   true:0529 false:0514
 0514: 0x15 0x0e 0x0d 0x0000000c   jeq 12   true:0529 false:0528
 0515: 0x15 0x0d 0x00 0x0000000b   jeq 11   true:0529 false:0516
 0516: 0x15 0x0c 0x00 0x0000000a   jeq 10   true:0529 false:0517
 0517: 0x15 0x0b 0x00 0x00000009   jeq 9    true:0529 false:0518
 0518: 0x15 0x0a 0x09 0x00000008   jeq 8    true:0529 false:0528
 0519: 0x25 0x00 0x04 0x00000003   jgt 3    true:0520 false:0524
 0520: 0x15 0x08 0x00 0x00000007   jeq 7    true:0529 false:0521
 0521: 0x15 0x07 0x00 0x00000006   jeq 6    true:0529 false:0522
 0522: 0x15 0x06 0x00 0x00000005   jeq 5    true:0529 false:0523
 0523: 0x15 0x05 0x04 0x00000004   jeq 4    true:0529 false:0528
 0524: 0x15 0x04 0x00 0x00000003   jeq 3    true:0529 false:0525
 0525: 0x15 0x03 0x00 0x00000002   jeq 2    true:0529 false:0526
 0526: 0x15 0x02 0x00 0x00000001   jeq 1    true:0529 false:0527
 0527: 0x15 0x01 0x00 0x00000000   jeq 0    true:0529 false:0528
 0528: 0x06 0x00 0x00 0x00050026   ret ERRNO(38)
 0529: 0x06 0x00 0x00 0x7fff0000   ret ALLOW

Sizes: 2952, 3392, 4240 bytes.
Addition of @known results only in a small growth. "Optimization" makes the
filter longer, but it should run more quickly. We probably want to enable this
everywhere. There is clear potential futher optmization though.
2020-08-24 20:05:25 +02:00
Zbigniew Jędrzejewski-Szmek 3573e032f2 nspawn: return ENOSYS by default, EPERM for "known" calls 2020-08-24 20:05:17 +02:00
Zbigniew Jędrzejewski-Szmek 000c05207d shared/seccomp-util: added functionality to make list of filtred syscalls
While at it, start removing the "seccomp_" prefix from our
own functions. It is used by libseccomp.
2020-08-24 20:05:09 +02:00
Zbigniew Jędrzejewski-Szmek 752fedbea7 shared/syscall-list: filter out some obviously platform-specific syscalls 2020-08-24 20:05:02 +02:00
Zbigniew Jędrzejewski-Szmek 077e8fc0ca shared/seccomp: reduce scope of indexing variables 2020-08-24 20:04:54 +02:00
Zbigniew Jędrzejewski-Szmek 95aac01259 shared: add @known syscall list 2020-08-24 20:04:17 +02:00
Zbigniew Jędrzejewski-Szmek 955a632971 tree-wide: use sd_bus_error_has_names() in more places 2020-08-24 19:48:26 +02:00
Zbigniew Jędrzejewski-Szmek 8e34f4cc62 nss-resolve: treat BUS_ERROR_NO_SUCH_UNIT the same as SD_BUS_ERROR_SERVICE_UNKNOWN too
Seems safer to do so.
2020-08-24 19:48:26 +02:00
Zbigniew Jędrzejewski-Szmek 73d3ac8e24 various: treat BUS_ERROR_NO_SUCH_UNIT the same as SD_BUS_ERROR_SERVICE_UNKNOWN
We return BUS_ERROR_NO_SUCH_UNIT a.k.a. org.freedesktop.systemd1.NoSuchUnit
in various places. In #16813:
Aug 22 06:14:48 core sudo[2769199]: pam_systemd_home(sudo:account): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.
Aug 22 06:14:48 core dbus-daemon[5311]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.home1.service': Unit dbus-org.freedesktop.home1.service not found.
Aug 22 06:14:48 core dbus-daemon[5311]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.6564' (uid=0 pid=2769199 comm="sudo su ")

This particular error comes from bus_unit_validate_load_state() in pid1:
  case UNIT_NOT_FOUND:
       return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_UNIT, "Unit %s not found.", u->id);

It seems possible that we should return a different error, but it doesn't really
matter: if we change pid1 to return a different error, we still need to handle
BUS_ERROR_NO_SUCH_UNIT as in this patch to handle pid1 with current code.
2020-08-24 19:48:26 +02:00
Zbigniew Jędrzejewski-Szmek 2b07ec316a sd-bus: add a variant of sd_bus_error_has_name() that takes multiple names 2020-08-24 19:48:22 +02:00
Zbigniew Jędrzejewski-Szmek b6ce3d2c01 basic/missing_syscall: fix syscall numbers for arm64 :( 2020-08-24 19:27:52 +02:00
Zbigniew Jędrzejewski-Szmek af513d512f basic/missing_syscall: add missing calls for s390x/ppc64el/arm64 2020-08-24 19:27:06 +02:00
Zbigniew Jędrzejewski-Szmek 5134e18eed missing_syscall: verify our fallback numbers when possible
Instead of defining the numbers only as fallback, always define our fallback
number, and if we have the real __NR_foo define, assert that our number matches
the real one.

This will result in warnings when our fallback number is not defined, even if
the kernel headers are new enough to define __NR_foo. This will probably annoy
people compiling for seldom-used architectures, but hopefully it'll provide
motivation to add the missing fallback defines.

The upside is that we have a higher chance of catching the cases where we got
the number wrong. Calling the wrong syscall is quite problematic, and with some
back luck, it might take us a long time to notice that we got the number wrong
on some rarely used architecture.

Also, rework some of the fallback wrappers to not call the syscall with a
negative number (that'd fail, but we'd got to the kernel and back). It seems
nicer to let the compiler know that this can never succeed.
2020-08-24 19:22:05 +02:00
Zbigniew Jędrzejewski-Szmek 47ab95fe43 shared/install: fix preset operations for non-service instantiated units
Fixes https://github.com/coreos/ignition/issues/1064.
2020-08-22 12:00:19 +02:00
Zbigniew Jędrzejewski-Szmek de8be28e03 shared/install: reduce scope of iterator variables 2020-08-22 12:00:19 +02:00
Zbigniew Jędrzejewski-Szmek 47354b440e meson: add syscall-names-update target
The calls to find_program("tools/*") are moved earlier so they can be used
in libshared/ (and it doesn't make sense to split them).
2020-08-19 15:30:24 +02:00
74 changed files with 2800 additions and 726 deletions

7
TODO
View File

@ -234,9 +234,6 @@ Features:
* systemd-repart: allow sizing partitions as factor of available RAM, so that * systemd-repart: allow sizing partitions as factor of available RAM, so that
we can reasonably size swap partitions for hibernation. we can reasonably size swap partitions for hibernation.
* systemd-repart: allow running mkfs before making partitions pop up +
encryption via LUKS to allow booting into an empty root with only /usr mounted in
* systemd-repart: allow managing the gpt read-only partition flag + auto-mount flag * systemd-repart: allow managing the gpt read-only partition flag + auto-mount flag
* systemd-repart: allow boolean option that ensures that if existing partition * systemd-repart: allow boolean option that ensures that if existing partition
@ -252,10 +249,6 @@ Features:
* systemd-repart: add per-partition option to fail if partition already exist, * systemd-repart: add per-partition option to fail if partition already exist,
i.e. is not added new. Similar, add option to fail if partition does not exist yet. i.e. is not added new. Similar, add option to fail if partition does not exist yet.
* systemd-repart: add --size=auto for generating/resizing images of minimal
size, i.e. where the image file is sized exactly as large as necessary taking
SizeMin= into account, but not a single byte larger.
* systemd-repart: allow disabling growing of specific partitions, or making * systemd-repart: allow disabling growing of specific partitions, or making
them (think ESP: we don't ever want to grow it, since we cannot resize vfat) them (think ESP: we don't ever want to grow it, since we cannot resize vfat)

View File

@ -151,6 +151,8 @@ All execution-related settings are available for transient units.
✓ TimerSlackNSec= ✓ TimerSlackNSec=
✓ NoNewPrivileges= ✓ NoNewPrivileges=
✓ KeyringMode= ✓ KeyringMode=
✓ ProtectProc=
✓ ProcSubset=
✓ SystemCallFilter= ✓ SystemCallFilter=
✓ SystemCallArchitectures= ✓ SystemCallArchitectures=
✓ SystemCallErrorNumber= ✓ SystemCallErrorNumber=

View File

@ -55,11 +55,11 @@
partition slot greater than the highest slot number currently in use. Any existing partitions that have partition slot greater than the highest slot number currently in use. Any existing partitions that have
no matching partition file are left as they are.</para> no matching partition file are left as they are.</para>
<para>Note that these partition definition files do not describe the contents of the partitions, such as <para>Note that these definitions may only be used to created and initialize new partitions or grow
the file system used. Separate mechanisms, such as existing ones. In the latter case it will not grow the contained files systems however; separate
<citerefentry><refentrytitle>systemd-growfs</refentrytitle><manvolnum>8</manvolnum></citerefentry> and mechanisms, such as
<command>systemd-makefs</command> maybe be used to initialize or grow the file systems inside of these <citerefentry><refentrytitle>systemd-growfs</refentrytitle><manvolnum>8</manvolnum></citerefentry> may be
partitions.</para> used to grow the file systems inside of these partitions.</para>
</refsect1> </refsect1>
<refsect1> <refsect1>
@ -327,7 +327,72 @@
data is never overwritten. Note that the data is copied in before the partition table is updated, data is never overwritten. Note that the data is copied in before the partition table is updated,
i.e. before the partition actually is persistently created. This provides robustness: it is i.e. before the partition actually is persistently created. This provides robustness: it is
guaranteed that the partition either doesn't exist or exists fully populated; it is not possible that guaranteed that the partition either doesn't exist or exists fully populated; it is not possible that
the partition exists but is not or only partially populated.</para></listitem> the partition exists but is not or only partially populated.</para>
<para>This option cannot be combined with <varname>Format=</varname> or
<varname>CopyFiles=</varname>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Format=</varname></term>
<listitem><para>Takes a file system name, such as <literal>ext4</literal>, <literal>btrfs</literal>,
<literal>xfs</literal> or <literal>vfat</literal>, or the special value <literal>swap</literal>. If
specified and the partition is newly created it is formatted with the specified file system (or as
swap device). The file system UUID and label are automatically derived from the partition UUID and
label. If this option is used, the size allocation algorithm is slightly altered: the partition is
created as least as big as required for the minimal file system of the specified type (or 4KiB if the
minimal size is not known).</para>
<para>This option has no effect if the partition already exists.</para>
<para>Similar to the behaviour of <varname>CopyBlocks=</varname> the file system is formatted before
the partition is created, ensuring that the partition only ever exists with a fully initialized
file system.</para>
<para>This option cannot be combined with <varname>CopyBlocks=</varname>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>CopyFiles=</varname></term>
<listitem><para>Takes a pair of colon separated absolute file system paths. The first path refers to
a source file or directory on the host, the second path refers to a target in the file system of the
newly created partition and formatted file system. This setting may be used to copy files or
directories from the host into the file system that is created due to the <varname>Format=</varname>
option. If <varname>CopyFiles=</varname> is used without <varname>Format=</varname> specified
explicitly, <literal>Format=</literal> with a suitable default is implied (currently
<literal>ext4</literal>, but this may change in the future). This option may be used multiple times
to copy multiple files or directories from host into the newly formatted file system. The colon and
second path may be omitted in which case the source path is also used as the target path (relative to
the root of the newly created file system). If the source path refers to a directory it is copied
recursively.</para>
<para>This option has no effect if the partition already exists: it cannot be used to copy additional
files into an existing partition, it may only be used to populate a file system created anew.</para>
<para>The copy operation is executed before the file system is registered in the partition table,
thus ensuring that a file system populated this way only ever exists fully initialized.</para>
<para>This option cannot be combined with <varname>CopyBlocks=</varname>.</para></listitem>
</varlistentry>
<varlistentry>
<term><varname>Encrypt=</varname></term>
<listitem><para>Takes a boolean parameter, defaulting to false. If true the partition will be
formatted with a LUKS2 superblock, before the blocks configured with <varname>CopyBlocks=</varname>
are copied in or the file system configured with <varname>Format=</varname> is created.</para>
<para>The LUKS2 UUID is automatically derived from the partition UUID in a stable fashion. A single
key is added to the LUKS2 superblock, configurable with the <option>--key-file=</option> switch to
<command>systemd-repart</command>.</para>
<para>When used this slightly alters the size allocation logic as the implicit, minimal size limits
of <varname>Format=</varname> and <varname>CopyBlocks=</varname> are increased by the space necessary
for the LUKS2 superblock (see above).</para>
<para>This option has no effect if the partition already exists.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>

View File

@ -241,6 +241,8 @@ manpages = [
'sd_bus_error_free', 'sd_bus_error_free',
'sd_bus_error_get_errno', 'sd_bus_error_get_errno',
'sd_bus_error_has_name', 'sd_bus_error_has_name',
'sd_bus_error_has_names',
'sd_bus_error_has_names_sentinel',
'sd_bus_error_is_set', 'sd_bus_error_is_set',
'sd_bus_error_move', 'sd_bus_error_move',
'sd_bus_error_set', 'sd_bus_error_set',

View File

@ -31,6 +31,8 @@
<refname>sd_bus_error_move</refname> <refname>sd_bus_error_move</refname>
<refname>sd_bus_error_is_set</refname> <refname>sd_bus_error_is_set</refname>
<refname>sd_bus_error_has_name</refname> <refname>sd_bus_error_has_name</refname>
<refname>sd_bus_error_has_names_sentinel</refname>
<refname>sd_bus_error_has_names</refname>
<refpurpose>sd-bus error handling</refpurpose> <refpurpose>sd-bus error handling</refpurpose>
</refnamediv> </refnamediv>
@ -128,6 +130,16 @@
<paramdef>const sd_bus_error *<parameter>e</parameter></paramdef> <paramdef>const sd_bus_error *<parameter>e</parameter></paramdef>
<paramdef>const char *<parameter>name</parameter></paramdef> <paramdef>const char *<parameter>name</parameter></paramdef>
</funcprototype> </funcprototype>
<funcprototype>
<funcdef>int <function>sd_bus_error_has_names_sentinel</function></funcdef>
<paramdef>const sd_bus_error *<parameter>e</parameter></paramdef>
<paramdef>...</paramdef>
</funcprototype>
<para>
&#35;define sd_bus_error_has_names(e, ...) sd_bus_error_has_names_sentinel(e, ..., NULL)
</para>
</funcsynopsis> </funcsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
@ -268,6 +280,12 @@
<parameter>name</parameter> has been set, <parameter>name</parameter> has been set,
<constant>false</constant> otherwise.</para> <constant>false</constant> otherwise.</para>
<para><function>sd_bus_error_has_names_sentinel()</function> is similar to
<function>sd_bus_error_has_name()</function>, but takes multiple names to check against. The list must be
terminated with <constant>NULL</constant>. <function>sd_bus_error_has_names()</function>
is a macro wrapper around <function>sd_bus_error_has_names_sentinel()</function> that adds the
<constant>NULL</constant> sentinel automatically.</para>
<para><function>sd_bus_error_free()</function> will destroy <para><function>sd_bus_error_free()</function> will destroy
resources held by <parameter>e</parameter>. The parameter itself resources held by <parameter>e</parameter>. The parameter itself
will not be deallocated, and must be <citerefentry will not be deallocated, and must be <citerefentry
@ -307,11 +325,10 @@
<structfield>name</structfield> field are <structfield>name</structfield> field are
non-<constant>NULL</constant>, zero otherwise.</para> non-<constant>NULL</constant>, zero otherwise.</para>
<para><function>sd_bus_error_has_name()</function> returns a <para><function>sd_bus_error_has_name()</function>, <function>sd_bus_error_has_names()</function>, and
non-zero value when <parameter>e</parameter> is <function>sd_bus_error_has_names_sentinel()</function> return a non-zero value when <parameter>e</parameter> is
non-<constant>NULL</constant> and the non-<constant>NULL</constant> and the <structfield>name</structfield> field is equal to one of the given
<structfield>name</structfield> field is equal to names, zero otherwise.</para>
<parameter>name</parameter>, zero otherwise.</para>
</refsect1> </refsect1>
<refsect1> <refsect1>

View File

@ -202,13 +202,26 @@
<varlistentry> <varlistentry>
<term><option>--size=</option></term> <term><option>--size=</option></term>
<listitem><para>Takes a size in bytes, using the usual K, M, G, T suffixes. If used the specified <listitem><para>Takes a size in bytes, using the usual K, M, G, T suffixes, or the special value
device node path must refer to a regular file, which is then grown to the specified size if smaller, <literal>auto</literal>. If used the specified device node path must refer to a regular file, which
before any change is made to the partition table. This is not supported if the specified node is a is then grown to the specified size if smaller, before any change is made to the partition table. If
block device. This switch has no effect if the file is already as large as the specified size or specified as <literal>auto</literal> the minimal size for the disk image is automatically determined
larger. The specified size is implicitly rounded up to multiples of 4096. When used with (i.e. the minimal sizes of all partitions are summed up, taking space for additional metadata into
<option>--empty=create</option> this specifies the initial size of the loopback file to account). This switch is not supported if the specified node is a block device. This switch has no
create.</para></listitem> effect if the file is already as large as the specified size or larger. The specified size is
implicitly rounded up to multiples of 4096. When used with <option>--empty=create</option> this
specifies the initial size of the loopback file to create.</para>
<para>The <option>--size=auto</option> option takes the sizes of pre-existing partitions into
account. However, it does not accomodate for partition tables that are not tightly packed: the
configured partitions might still not fit into the backing device if empty space exists between
pre-existing partitions (or before the first partition) that cannot be fully filled by partitions to
grow or create.</para>
<para>Also note that the automatic size determination does not take files or directories specified
with <option>CopyFiles=</option> into account: operation might fail if the specified files or
directories require more disk space then the configured per-partition minimal size
limit.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry> <varlistentry>
@ -283,6 +296,18 @@
<filename>/run/repart.d/*.conf</filename>.</para></listitem> <filename>/run/repart.d/*.conf</filename>.</para></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><option>--key-file=</option></term>
<listitem><para>Takes a file system path. Configures the encryption key to use when setting up LUKS2
volumes configured with the <varname>Encrypt=</varname> setting in partition files. Should refer to a
regular file containing the key, or an <constant>AF_UNIX</constant> stream socket in the file
system. In the latter case a connection is made to it and the key read from it. If this switch is not
specified the empty key (i.e. zero length key) is used. This behaviour is useful for setting up encrypted
partitions during early first boot that receive their user-supplied password only in a later setup
step.</para></listitem>
</varlistentry>
<xi:include href="standard-options.xml" xpointer="help" /> <xi:include href="standard-options.xml" xpointer="help" />
<xi:include href="standard-options.xml" xpointer="version" /> <xi:include href="standard-options.xml" xpointer="version" />
</variablelist> </variablelist>

View File

@ -267,6 +267,55 @@
<xi:include href="system-only.xml" xpointer="singular"/></listitem> <xi:include href="system-only.xml" xpointer="singular"/></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><varname>ProtectProc=</varname></term>
<listitem><para>Takes one of <literal>noaccess</literal>, <literal>invisible</literal>,
<literal>ptraceable</literal> or <literal>default</literal> (which it defaults to). When set, this
controls the <literal>hidepid=</literal> mount option of the <literal>procfs</literal> instance for
the unit that controls which directories with process metainformation
(<filename>/proc/<replaceable>PID</replaceable></filename>) are visible and accessible: when set to
<literal>noaccess</literal> the ability to access most of other users' process metadata in
<filename>/proc/</filename> is taken away for processes of the service. When set to
<literal>invisible</literal> processes owned by other users are hidden from
<filename>/proc/</filename>. If <literal>ptraceable</literal> all processes that cannot be
<function>ptrace()</function>'ed by a process are hidden to it. If <literal>default</literal> no
restrictions on <filename>/proc/</filename> access or visibility are made. For further details see
<ulink url="https://www.kernel.org/doc/html/latest/filesystems/proc.html#mount-options">The /proc
Filesystem</ulink>. It is generally recommended to run most system services with this option set to
<literal>invisible</literal>. This option is implemented via file system namespacing, and thus cannot
be used with services that shall be able to install mount points in the host file system
hierarchy. It also cannot be used for services that need to access metainformation about other users'
processes. This option implies <varname>MountAPIVFS=</varname>.</para>
<para>If the kernel doesn't support per-mount point <option>hidepid=</option> mount options this
setting remains without effect, and the unit's processes will be able to access and see other process
as if the option was not used.</para>
<xi:include href="system-only.xml" xpointer="singular"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>ProcSubset=</varname></term>
<listitem><para>Takes one of <literal>all</literal> (the default) and <literal>pid</literal>. If
the latter all files and directories not directly associated with process management and introspection
are made invisible in the <filename>/proc/</filename> file system configured for the unit's
processes. This controls the <literal>subset=</literal> mount option of the <literal>procfs</literal>
instance for the unit. For further details see <ulink
url="https://www.kernel.org/doc/html/latest/filesystems/proc.html#mount-options">The /proc
Filesystem</ulink>. Note that Linux exposes various kernel APIs via <filename>/proc/</filename>,
which are made unavailable with this setting. Since these APIs are used frequently this option is
useful only in a few, specific cases, and is not suitable for most non-trivial programs.</para>
<para>Much like <varname>ProtectProc=</varname> above, this is implemented via file system mount
namespacing, and hence the same restrictions apply: it is only available to system services, it
disables mount propagation to the host mount table, and it implies
<varname>MountAPIVFS=</varname>. Also, like <varname>ProtectProc=</varname> this setting is gracefully
disabled if the used kernel does not support the <literal>subset=</literal> mount option of
<literal>procfs</literal>.</para></listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><varname>BindPaths=</varname></term> <term><varname>BindPaths=</varname></term>
<term><varname>BindReadOnlyPaths=</varname></term> <term><varname>BindReadOnlyPaths=</varname></term>
@ -1981,6 +2030,10 @@ RestrictNamespaces=~cgroup net</programlisting>
<entry>@timer</entry> <entry>@timer</entry>
<entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry> <entry>System calls for scheduling operations by time (<citerefentry project='man-pages'><refentrytitle>alarm</refentrytitle><manvolnum>2</manvolnum></citerefentry>, <citerefentry project='man-pages'><refentrytitle>timer_create</refentrytitle><manvolnum>2</manvolnum></citerefentry>, …)</entry>
</row> </row>
<row>
<entry>@known</entry>
<entry>All system calls defined by the kernel. This list is defined statically in systemd based on a kernel version that was available when this systmed version was released. It will become progressively more out-of-date as the kernel is updated.</entry>
</row>
</tbody> </tbody>
</tgroup> </tgroup>
</table> </table>

View File

@ -1625,8 +1625,15 @@ install_libsystemd_static = static_library(
libgcrypt], libgcrypt],
c_args : libsystemd_c_args + (static_libsystemd_pic ? [] : ['-fno-PIC'])) c_args : libsystemd_c_args + (static_libsystemd_pic ? [] : ['-fno-PIC']))
# Generate autosuspend rules ############################################################
autosuspend_update_sh = find_program('tools/autosuspend-update.sh')
hwdb_update_sh = find_program('tools/hwdb-update.sh')
make_autosuspend_rules_py = find_program('tools/make-autosuspend-rules.py') make_autosuspend_rules_py = find_program('tools/make-autosuspend-rules.py')
make_directive_index_py = find_program('tools/make-directive-index.py')
make_man_index_py = find_program('tools/make-man-index.py')
syscall_names_update_sh = find_program('tools/syscall-names-update.sh')
xml_helper_py = find_program('tools/xml_helper.py')
############################################################ ############################################################
@ -3329,12 +3336,6 @@ run_target(
############################################################ ############################################################
make_directive_index_py = find_program('tools/make-directive-index.py')
make_man_index_py = find_program('tools/make-man-index.py')
xml_helper_py = find_program('tools/xml_helper.py')
hwdb_update_sh = find_program('tools/hwdb-update.sh')
autosuspend_update_sh = find_program('tools/autosuspend-update.sh')
subdir('sysctl.d') subdir('sysctl.d')
subdir('sysusers.d') subdir('sysusers.d')
subdir('tmpfiles.d') subdir('tmpfiles.d')

View File

@ -21,10 +21,13 @@ rules = files('''
75-net-description.rules 75-net-description.rules
75-probe_mtd.rules 75-probe_mtd.rules
78-sound-card.rules 78-sound-card.rules
80-drivers.rules
80-net-setup-link.rules 80-net-setup-link.rules
'''.split()) '''.split())
if conf.get('HAVE_KMOD') == 1
rules += files('80-drivers.rules')
endif
install_data(rules, install_data(rules,
install_dir : udevrulesdir) install_dir : udevrulesdir)

View File

@ -26,11 +26,11 @@ _journalctl_fields() {
_journalctl_none() { _journalctl_none() {
local -a _commands _files _jrnl_none local -a _commands _files _jrnl_none
# Setting use-cache will slow this down considerably # Setting use-cache will slow this down considerably
_commands=( ${"$(_call_program commands "$service $_sys_service_mgr -F _EXE" 2>/dev/null)"} ) _commands=( ${(f)"$(_call_program commands "$service $_sys_service_mgr -F _EXE" 2>/dev/null)"} )
_jrnl_none='yes' _jrnl_none='yes'
_alternative : \ _alternative : \
'files:/dev files:_files -W /dev -P /dev/' \ 'files:/dev files:_files -W /dev -P /dev/' \
"commands:commands:($_commands[@])" \ 'commands:commands:compadd -a _commands' \
'fields:fields:_journalctl_fields' 'fields:fields:_journalctl_fields'
} }

View File

@ -50,6 +50,8 @@ struct security_info {
bool ip_filters_custom_egress; bool ip_filters_custom_egress;
char *keyring_mode; char *keyring_mode;
char *protect_proc;
char *proc_subset;
bool lock_personality; bool lock_personality;
bool memory_deny_write_execute; bool memory_deny_write_execute;
bool no_new_privileges; bool no_new_privileges;
@ -135,6 +137,8 @@ static void security_info_free(struct security_info *i) {
free(i->root_image); free(i->root_image);
free(i->keyring_mode); free(i->keyring_mode);
free(i->protect_proc);
free(i->proc_subset);
free(i->notify_access); free(i->notify_access);
free(i->device_policy); free(i->device_policy);
@ -388,6 +392,44 @@ static int assess_keyring_mode(
return 0; return 0;
} }
static int assess_protect_proc(
const struct security_assessor *a,
const struct security_info *info,
const void *data,
uint64_t *ret_badness,
char **ret_description) {
assert(ret_badness);
assert(ret_description);
if (streq_ptr(info->protect_proc, "noaccess"))
*ret_badness = 1;
else if (STRPTR_IN_SET(info->protect_proc, "invisible", "ptraceable"))
*ret_badness = 0;
else
*ret_badness = 3;
*ret_description = NULL;
return 0;
}
static int assess_proc_subset(
const struct security_assessor *a,
const struct security_info *info,
const void *data,
uint64_t *ret_badness,
char **ret_description) {
assert(ret_badness);
assert(ret_description);
*ret_badness = !streq_ptr(info->proc_subset, "pid");
*ret_description = NULL;
return 0;
}
static int assess_notify_access( static int assess_notify_access(
const struct security_assessor *a, const struct security_assessor *a,
const struct security_info *info, const struct security_info *info,
@ -1149,6 +1191,24 @@ static const struct security_assessor security_assessor_table[] = {
.range = 1, .range = 1,
.assess = assess_keyring_mode, .assess = assess_keyring_mode,
}, },
{
.id = "ProtectProc=",
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProtectProc=",
.description_good = "Service has restricted access to process tree (/proc hidepid=)",
.description_bad = "Service has full access to process tree (/proc hidepid=)",
.weight = 1000,
.range = 3,
.assess = assess_protect_proc,
},
{
.id = "ProcSubset=",
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#ProcSubset=",
.description_good = "Service has no access to non-process /proc files (/proc subset=)",
.description_bad = "Service has full access to non-process /proc files (/proc subset=)",
.weight = 10,
.range = 1,
.assess = assess_proc_subset,
},
{ {
.id = "NotifyAccess=", .id = "NotifyAccess=",
.url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#NotifyAccess=", .url = "https://www.freedesktop.org/software/systemd/man/systemd.exec.html#NotifyAccess=",
@ -1908,6 +1968,8 @@ static int acquire_security_info(sd_bus *bus, const char *name, struct security_
{ "IPEgressFilterPath", "as", property_read_ip_filters, 0 }, { "IPEgressFilterPath", "as", property_read_ip_filters, 0 },
{ "Id", "s", NULL, offsetof(struct security_info, id) }, { "Id", "s", NULL, offsetof(struct security_info, id) },
{ "KeyringMode", "s", NULL, offsetof(struct security_info, keyring_mode) }, { "KeyringMode", "s", NULL, offsetof(struct security_info, keyring_mode) },
{ "ProtectProc", "s", NULL, offsetof(struct security_info, protect_proc) },
{ "ProcSubset", "s", NULL, offsetof(struct security_info, proc_subset) },
{ "LoadState", "s", NULL, offsetof(struct security_info, load_state) }, { "LoadState", "s", NULL, offsetof(struct security_info, load_state) },
{ "LockPersonality", "b", NULL, offsetof(struct security_info, lock_personality) }, { "LockPersonality", "b", NULL, offsetof(struct security_info, lock_personality) },
{ "MemoryDenyWriteExecute", "b", NULL, offsetof(struct security_info, memory_deny_write_execute) }, { "MemoryDenyWriteExecute", "b", NULL, offsetof(struct security_info, memory_deny_write_execute) },

View File

@ -223,7 +223,7 @@ int verify_units(char **filenames, UnitFileScope scope, bool check_man, bool run
_cleanup_(manager_freep) Manager *m = NULL; _cleanup_(manager_freep) Manager *m = NULL;
Unit *units[strv_length(filenames)]; Unit *units[strv_length(filenames)];
_cleanup_free_ char *var = NULL; _cleanup_free_ char *var = NULL;
int r = 0, k, i, count = 0; int r, k, i, count = 0;
char **filename; char **filename;
if (strv_isempty(filenames)) if (strv_isempty(filenames))

View File

@ -899,7 +899,7 @@ static bool times_in_range(const struct unit_times *times, const struct boot_tim
static int list_dependencies_one(sd_bus *bus, const char *name, unsigned level, char ***units, unsigned branches) { static int list_dependencies_one(sd_bus *bus, const char *name, unsigned level, char ***units, unsigned branches) {
_cleanup_strv_free_ char **deps = NULL; _cleanup_strv_free_ char **deps = NULL;
char **c; char **c;
int r = 0; int r;
usec_t service_longest = 0; usec_t service_longest = 0;
int to_print = 0; int to_print = 0;
struct unit_times *times; struct unit_times *times;

View File

@ -33,39 +33,49 @@ static inline int missing_pivot_root(const char *new_root, const char *put_old)
/* ======================================================================= */ /* ======================================================================= */
#if !HAVE_MEMFD_CREATE #if defined __x86_64__
# define systemd_NR_memfd_create 319
#elif defined __arm__
# define systemd_NR_memfd_create 385
#elif defined __aarch64__
# define systemd_NR_memfd_create 279
#elif defined(__powerpc__)
# define systemd_NR_memfd_create 360
#elif defined __s390__
# define systemd_NR_memfd_create 350
#elif defined _MIPS_SIM
# if _MIPS_SIM == _MIPS_SIM_ABI32
# define systemd_NR_memfd_create 4354
# endif
# if _MIPS_SIM == _MIPS_SIM_NABI32
# define systemd_NR_memfd_create 6318
# endif
# if _MIPS_SIM == _MIPS_SIM_ABI64
# define systemd_NR_memfd_create 5314
# endif
#elif defined __i386__
# define systemd_NR_memfd_create 356
#elif defined __arc__
# define systemd_NR_memfd_create 279
#else
# warning "memfd_create() syscall number unknown for your architecture"
#endif
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_memfd_create && __NR_memfd_create >= 0) #if defined __NR_memfd_create && __NR_memfd_create >= 0
# if defined systemd_NR_memfd_create
assert_cc(__NR_memfd_create == systemd_NR_memfd_create);
# endif
#else
# if defined __NR_memfd_create # if defined __NR_memfd_create
# undef __NR_memfd_create # undef __NR_memfd_create
# endif # endif
# if defined __x86_64__ # if defined systemd_NR_memfd_create
# define __NR_memfd_create 319 # define __NR_memfd_create systemd_NR_memfd_create
# elif defined __arm__
# define __NR_memfd_create 385
# elif defined __aarch64__
# define __NR_memfd_create 279
# elif defined __s390__
# define __NR_memfd_create 350
# elif defined _MIPS_SIM
# if _MIPS_SIM == _MIPS_SIM_ABI32
# define __NR_memfd_create 4354
# endif
# if _MIPS_SIM == _MIPS_SIM_NABI32
# define __NR_memfd_create 6318
# endif
# if _MIPS_SIM == _MIPS_SIM_ABI64
# define __NR_memfd_create 5314
# endif
# elif defined __i386__
# define __NR_memfd_create 356
# elif defined __arc__
# define __NR_memfd_create 279
# else
# warning "__NR_memfd_create unknown for your architecture"
# endif # endif
#endif #endif
#if !HAVE_MEMFD_CREATE
static inline int missing_memfd_create(const char *name, unsigned int flags) { static inline int missing_memfd_create(const char *name, unsigned int flags) {
# ifdef __NR_memfd_create # ifdef __NR_memfd_create
return syscall(__NR_memfd_create, name, flags); return syscall(__NR_memfd_create, name, flags);
@ -80,45 +90,53 @@ static inline int missing_memfd_create(const char *name, unsigned int flags) {
/* ======================================================================= */ /* ======================================================================= */
#if !HAVE_GETRANDOM #if defined __x86_64__
# define systemd_NR_getrandom 318
#elif defined(__i386__)
# define systemd_NR_getrandom 355
#elif defined(__arm__)
# define systemd_NR_getrandom 384
#elif defined(__aarch64__)
# define systemd_NR_getrandom 278
#elif defined(__ia64__)
# define systemd_NR_getrandom 1339
#elif defined(__m68k__)
# define systemd_NR_getrandom 352
#elif defined(__s390x__)
# define systemd_NR_getrandom 349
#elif defined(__powerpc__)
# define systemd_NR_getrandom 359
#elif defined _MIPS_SIM
# if _MIPS_SIM == _MIPS_SIM_ABI32
# define systemd_NR_getrandom 4353
# endif
# if _MIPS_SIM == _MIPS_SIM_NABI32
# define systemd_NR_getrandom 6317
# endif
# if _MIPS_SIM == _MIPS_SIM_ABI64
# define systemd_NR_getrandom 5313
# endif
#elif defined(__arc__)
# define systemd_NR_getrandom 278
#else
# warning "getrandom() syscall number unknown for your architecture"
#endif
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_getrandom && __NR_getrandom >= 0) #if defined __NR_getrandom && __NR_getrandom >= 0
# if defined systemd_NR_getrandom
assert_cc(__NR_getrandom == systemd_NR_getrandom);
# endif
#else
# if defined __NR_getrandom # if defined __NR_getrandom
# undef __NR_getrandom # undef __NR_getrandom
# endif # endif
# if defined __x86_64__ # if defined systemd_NR_getrandom
# define __NR_getrandom 318 # define __NR_getrandom systemd_NR_getrandom
# elif defined(__i386__)
# define __NR_getrandom 355
# elif defined(__arm__)
# define __NR_getrandom 384
# elif defined(__aarch64__)
# define __NR_getrandom 278
# elif defined(__ia64__)
# define __NR_getrandom 1339
# elif defined(__m68k__)
# define __NR_getrandom 352
# elif defined(__s390x__)
# define __NR_getrandom 349
# elif defined(__powerpc__)
# define __NR_getrandom 359
# elif defined _MIPS_SIM
# if _MIPS_SIM == _MIPS_SIM_ABI32
# define __NR_getrandom 4353
# endif
# if _MIPS_SIM == _MIPS_SIM_NABI32
# define __NR_getrandom 6317
# endif
# if _MIPS_SIM == _MIPS_SIM_ABI64
# define __NR_getrandom 5313
# endif
# elif defined(__arc__)
# define __NR_getrandom 278
# else
# warning "__NR_getrandom unknown for your architecture"
# endif # endif
#endif #endif
#if !HAVE_GETRANDOM
static inline int missing_getrandom(void *buffer, size_t count, unsigned flags) { static inline int missing_getrandom(void *buffer, size_t count, unsigned flags) {
# ifdef __NR_getrandom # ifdef __NR_getrandom
return syscall(__NR_getrandom, buffer, count, flags); return syscall(__NR_getrandom, buffer, count, flags);
@ -133,9 +151,14 @@ static inline int missing_getrandom(void *buffer, size_t count, unsigned flags)
/* ======================================================================= */ /* ======================================================================= */
/* The syscall has been defined since forever, but the glibc wrapper was missing. */
#if !HAVE_GETTID #if !HAVE_GETTID
static inline pid_t missing_gettid(void) { static inline pid_t missing_gettid(void) {
# if defined __NR_gettid && __NR_gettid >= 0
return (pid_t) syscall(__NR_gettid); return (pid_t) syscall(__NR_gettid);
# else
# error "__NR_gettid not defined"
# endif
} }
# define gettid missing_gettid # define gettid missing_gettid
@ -143,27 +166,39 @@ static inline pid_t missing_gettid(void) {
/* ======================================================================= */ /* ======================================================================= */
#if !HAVE_NAME_TO_HANDLE_AT #if defined(__x86_64__)
# define systemd_NR_name_to_handle_at 303
#elif defined(__i386__)
# define systemd_NR_name_to_handle_at 341
#elif defined(__arm__)
# define systemd_NR_name_to_handle_at 370
#elif defined __aarch64__
# define systemd_NR_name_to_handle_at 264
#elif defined(__powerpc__)
# define systemd_NR_name_to_handle_at 345
#elif defined __s390__ || defined __s390x__
# define systemd_NR_name_to_handle_at 335
#elif defined(__arc__)
# define systemd_NR_name_to_handle_at 264
#else
# warning "name_to_handle_at number is not defined"
#endif
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_name_to_handle_at && __NR_name_to_handle_at >= 0) #if defined __NR_name_to_handle_at && __NR_name_to_handle_at >= 0
# if defined systemd_NR_name_to_handle_at
assert_cc(__NR_name_to_handle_at == systemd_NR_name_to_handle_at);
# endif
#else
# if defined __NR_name_to_handle_at # if defined __NR_name_to_handle_at
# undef __NR_name_to_handle_at # undef __NR_name_to_handle_at
# endif # endif
# if defined(__x86_64__) # if defined systemd_NR_name_to_handle_at
# define __NR_name_to_handle_at 303 # define __NR_name_to_handle_at systemd_NR_name_to_handle_at
# elif defined(__i386__)
# define __NR_name_to_handle_at 341
# elif defined(__arm__)
# define __NR_name_to_handle_at 370
# elif defined(__powerpc__)
# define __NR_name_to_handle_at 345
# elif defined(__arc__)
# define __NR_name_to_handle_at 264
# else
# error "__NR_name_to_handle_at is not defined"
# endif # endif
#endif #endif
#if !HAVE_NAME_TO_HANDLE_AT
struct file_handle { struct file_handle {
unsigned int handle_bytes; unsigned int handle_bytes;
int handle_type; int handle_type;
@ -184,23 +219,39 @@ static inline int missing_name_to_handle_at(int fd, const char *name, struct fil
/* ======================================================================= */ /* ======================================================================= */
#if !HAVE_SETNS #if defined __aarch64__
# define systemd_NR_setns 268
#elif defined __arm__
# define systemd_NR_setns 375
#elif defined(__x86_64__)
# define systemd_NR_setns 308
#elif defined(__i386__)
# define systemd_NR_setns 346
#elif defined(__powerpc__)
# define systemd_NR_setns 350
#elif defined __s390__ || defined __s390x__
# define systemd_NR_setns 339
#elif defined(__arc__)
# define systemd_NR_setns 268
#else
# warning "setns() syscall number unknown for your architecture"
#endif
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_setns && __NR_setns >= 0) #if defined __NR_setns && __NR_setns >= 0
# if defined systemd_NR_setns
assert_cc(__NR_setns == systemd_NR_setns);
# endif
#else
# if defined __NR_setns # if defined __NR_setns
# undef __NR_setns # undef __NR_setns
# endif # endif
# if defined(__x86_64__) # if defined systemd_NR_setns
# define __NR_setns 308 # define __NR_setns systemd_NR_setns
# elif defined(__i386__)
# define __NR_setns 346
# elif defined(__arc__)
# define __NR_setns 268
# else
# error "__NR_setns is not defined"
# endif # endif
#endif #endif
#if !HAVE_SETNS
static inline int missing_setns(int fd, int nstype) { static inline int missing_setns(int fd, int nstype) {
# ifdef __NR_setns # ifdef __NR_setns
return syscall(__NR_setns, fd, nstype); return syscall(__NR_setns, fd, nstype);
@ -225,41 +276,49 @@ static inline pid_t raw_getpid(void) {
/* ======================================================================= */ /* ======================================================================= */
#if !HAVE_RENAMEAT2 #if defined __x86_64__
# define systemd_NR_renameat2 316
#elif defined __arm__
# define systemd_NR_renameat2 382
#elif defined __aarch64__
# define systemd_NR_renameat2 276
#elif defined _MIPS_SIM
# if _MIPS_SIM == _MIPS_SIM_ABI32
# define systemd_NR_renameat2 4351
# endif
# if _MIPS_SIM == _MIPS_SIM_NABI32
# define systemd_NR_renameat2 6315
# endif
# if _MIPS_SIM == _MIPS_SIM_ABI64
# define systemd_NR_renameat2 5311
# endif
#elif defined __i386__
# define systemd_NR_renameat2 353
#elif defined __powerpc64__
# define systemd_NR_renameat2 357
#elif defined __s390__ || defined __s390x__
# define systemd_NR_renameat2 347
#elif defined __arc__
# define systemd_NR_renameat2 276
#else
# warning "renameat2() syscall number unknown for your architecture"
#endif
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_renameat2 && __NR_renameat2 >= 0) #if defined __NR_renameat2 && __NR_renameat2 >= 0
# if defined systemd_NR_renameat2
assert_cc(__NR_renameat2 == systemd_NR_renameat2);
# endif
#else
# if defined __NR_renameat2 # if defined __NR_renameat2
# undef __NR_renameat2 # undef __NR_renameat2
# endif # endif
# if defined __x86_64__ # if defined systemd_NR_renameat2
# define __NR_renameat2 316 # define __NR_renameat2 systemd_NR_renameat2
# elif defined __arm__
# define __NR_renameat2 382
# elif defined __aarch64__
# define __NR_renameat2 276
# elif defined _MIPS_SIM
# if _MIPS_SIM == _MIPS_SIM_ABI32
# define __NR_renameat2 4351
# endif
# if _MIPS_SIM == _MIPS_SIM_NABI32
# define __NR_renameat2 6315
# endif
# if _MIPS_SIM == _MIPS_SIM_ABI64
# define __NR_renameat2 5311
# endif
# elif defined __i386__
# define __NR_renameat2 353
# elif defined __powerpc64__
# define __NR_renameat2 357
# elif defined __s390__ || defined __s390x__
# define __NR_renameat2 347
# elif defined __arc__
# define __NR_renameat2 276
# else
# warning "__NR_renameat2 unknown for your architecture"
# endif # endif
#endif #endif
#if !HAVE_RENAMEAT2
static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, const char *newname, unsigned flags) { static inline int missing_renameat2(int oldfd, const char *oldname, int newfd, const char *newname, unsigned flags) {
# ifdef __NR_renameat2 # ifdef __NR_renameat2
return syscall(__NR_renameat2, oldfd, oldname, newfd, newname, flags); return syscall(__NR_renameat2, oldfd, oldname, newfd, newname, flags);
@ -326,31 +385,39 @@ static inline key_serial_t missing_request_key(const char *type, const char *des
/* ======================================================================= */ /* ======================================================================= */
#if !HAVE_COPY_FILE_RANGE #if defined(__x86_64__)
# define systemd_NR_copy_file_range 326
#elif defined(__i386__)
# define systemd_NR_copy_file_range 377
#elif defined __s390__
# define systemd_NR_copy_file_range 375
#elif defined __arm__
# define systemd_NR_copy_file_range 391
#elif defined __aarch64__
# define systemd_NR_copy_file_range 285
#elif defined __powerpc__
# define systemd_NR_copy_file_range 379
#elif defined __arc__
# define systemd_NR_copy_file_range 285
#else
# warning "copy_file_range() syscall number unknown for your architecture"
#endif
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_copy_file_range && __NR_copy_file_range >= 0) #if defined __NR_copy_file_range && __NR_copy_file_range >= 0
# if defined systemd_NR_copy_file_range
assert_cc(__NR_copy_file_range == systemd_NR_copy_file_range);
# endif
#else
# if defined __NR_copy_file_range # if defined __NR_copy_file_range
# undef __NR_copy_file_range # undef __NR_copy_file_range
# endif # endif
# if defined(__x86_64__) # if defined systemd_NR_copy_file_range
# define __NR_copy_file_range 326 # define __NR_copy_file_range systemd_NR_copy_file_range
# elif defined(__i386__)
# define __NR_copy_file_range 377
# elif defined __s390__
# define __NR_copy_file_range 375
# elif defined __arm__
# define __NR_copy_file_range 391
# elif defined __aarch64__
# define __NR_copy_file_range 285
# elif defined __powerpc__
# define __NR_copy_file_range 379
# elif defined __arc__
# define __NR_copy_file_range 285
# else
# warning "__NR_copy_file_range not defined for your architecture"
# endif # endif
#endif #endif
#if !HAVE_COPY_FILE_RANGE
static inline ssize_t missing_copy_file_range(int fd_in, loff_t *off_in, static inline ssize_t missing_copy_file_range(int fd_in, loff_t *off_in,
int fd_out, loff_t *off_out, int fd_out, loff_t *off_out,
size_t len, size_t len,
@ -368,31 +435,41 @@ static inline ssize_t missing_copy_file_range(int fd_in, loff_t *off_in,
/* ======================================================================= */ /* ======================================================================= */
#if !HAVE_BPF #if defined __i386__
# define systemd_NR_bpf 357
#elif defined __x86_64__
# define systemd_NR_bpf 321
#elif defined __aarch64__
# define systemd_NR_bpf 280
#elif defined __arm__
# define systemd_NR_bpf 386
#elif defined(__powerpc__)
# define systemd_NR_bpf 361
#elif defined __sparc__
# define systemd_NR_bpf 349
#elif defined __s390__
# define systemd_NR_bpf 351
#elif defined __tilegx__
# define systemd_NR_bpf 280
#else
# warning "bpf() syscall number unknown for your architecture"
#endif
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_bpf && __NR_bpf >= 0) #if defined __NR_bpf && __NR_bpf >= 0
# if defined systemd_NR_bpf
assert_cc(__NR_bpf == systemd_NR_bpf);
# endif
#else
# if defined __NR_bpf # if defined __NR_bpf
# undef __NR_bpf # undef __NR_bpf
# endif # endif
# if defined __i386__ # if defined systemd_NR_bpf
# define __NR_bpf 357 # define __NR_bpf systemd_NR_bpf
# elif defined __x86_64__
# define __NR_bpf 321
# elif defined __aarch64__
# define __NR_bpf 280
# elif defined __arm__
# define __NR_bpf 386
# elif defined __sparc__
# define __NR_bpf 349
# elif defined __s390__
# define __NR_bpf 351
# elif defined __tilegx__
# define __NR_bpf 280
# else
# warning "__NR_bpf not defined for your architecture"
# endif # endif
#endif #endif
#if !HAVE_BPF
union bpf_attr; union bpf_attr;
static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) { static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
@ -410,69 +487,84 @@ static inline int missing_bpf(int cmd, union bpf_attr *attr, size_t size) {
/* ======================================================================= */ /* ======================================================================= */
#ifndef __IGNORE_pkey_mprotect #ifndef __IGNORE_pkey_mprotect
# if defined __i386__
# define systemd_NR_pkey_mprotect 380
# elif defined __x86_64__
# define systemd_NR_pkey_mprotect 329
# elif defined __aarch64__
# define systemd_NR_pkey_mprotect 288
# elif defined __arm__
# define systemd_NR_pkey_mprotect 394
# elif defined __powerpc__
# define systemd_NR_pkey_mprotect 386
# elif defined __s390__
# define systemd_NR_pkey_mprotect 384
# elif defined _MIPS_SIM
# if _MIPS_SIM == _MIPS_SIM_ABI32
# define systemd_NR_pkey_mprotect 4363
# endif
# if _MIPS_SIM == _MIPS_SIM_NABI32
# define systemd_NR_pkey_mprotect 6327
# endif
# if _MIPS_SIM == _MIPS_SIM_ABI64
# define systemd_NR_pkey_mprotect 5323
# endif
# else
# warning "pkey_mprotect() syscall number unknown for your architecture"
# endif
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_pkey_mprotect && __NR_pkey_mprotect >= 0) # if defined __NR_pkey_mprotect && __NR_pkey_mprotect >= 0
# if defined systemd_NR_pkey_mprotect
assert_cc(__NR_pkey_mprotect == systemd_NR_pkey_mprotect);
# endif
# else
# if defined __NR_pkey_mprotect # if defined __NR_pkey_mprotect
# undef __NR_pkey_mprotect # undef __NR_pkey_mprotect
# endif # endif
# if defined __i386__ # if defined systemd_NR_pkey_mprotect
# define __NR_pkey_mprotect 380 # define __NR_pkey_mprotect systemd_NR_pkey_mprotect
# elif defined __x86_64__
# define __NR_pkey_mprotect 329
# elif defined __arm__
# define __NR_pkey_mprotect 394
# elif defined __aarch64__
# define __NR_pkey_mprotect 394
# elif defined __powerpc__
# define __NR_pkey_mprotect 386
# elif defined __s390__
# define __NR_pkey_mprotect 384
# elif defined _MIPS_SIM
# if _MIPS_SIM == _MIPS_SIM_ABI32
# define __NR_pkey_mprotect 4363
# endif
# if _MIPS_SIM == _MIPS_SIM_NABI32
# define __NR_pkey_mprotect 6327
# endif
# if _MIPS_SIM == _MIPS_SIM_ABI64
# define __NR_pkey_mprotect 5323
# endif
# else
# warning "__NR_pkey_mprotect not defined for your architecture"
# endif # endif
# endif # endif
#endif #endif
/* ======================================================================= */ /* ======================================================================= */
#if !HAVE_STATX #if defined __aarch64__
# define systemd_NR_statx 291
#elif defined __arm__
# define systemd_NR_statx 397
#elif defined __alpha__
# define systemd_NR_statx 522
#elif defined __i386__ || defined __powerpc64__
# define systemd_NR_statx 383
#elif defined __s390__ || defined __s390x__
# define systemd_NR_statx 379
#elif defined __sparc__
# define systemd_NR_statx 360
#elif defined __x86_64__
# define systemd_NR_statx 332
#else
# warning "statx() syscall number unknown for your architecture"
#endif
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_statx && __NR_statx >= 0) #if defined __NR_statx && __NR_statx >= 0
# if defined systemd_NR_statx
assert_cc(__NR_statx == systemd_NR_statx);
# endif
#else
# if defined __NR_statx # if defined __NR_statx
# undef __NR_statx # undef __NR_statx
# endif # endif
# if defined __aarch64__ || defined __arm__ # if defined systemd_NR_statx
# define __NR_statx 397 # define __NR_statx systemd_NR_statx
# elif defined __alpha__
# define __NR_statx 522
# elif defined __i386__ || defined __powerpc64__
# define __NR_statx 383
# elif defined __sparc__
# define __NR_statx 360
# elif defined __x86_64__
# define __NR_statx 332
# else
# warning "__NR_statx not defined for your architecture"
# endif # endif
#endif #endif
struct statx;
#endif
/* This typedef is supposed to be always defined. */
typedef struct statx struct_statx;
#if !HAVE_STATX #if !HAVE_STATX
struct statx;
static inline ssize_t missing_statx(int dfd, const char *filename, unsigned flags, unsigned int mask, struct statx *buffer) { static inline ssize_t missing_statx(int dfd, const char *filename, unsigned flags, unsigned int mask, struct statx *buffer) {
# ifdef __NR_statx # ifdef __NR_statx
return syscall(__NR_statx, dfd, filename, flags, mask, buffer); return syscall(__NR_statx, dfd, filename, flags, mask, buffer);
@ -481,12 +573,18 @@ static inline ssize_t missing_statx(int dfd, const char *filename, unsigned flag
return -1; return -1;
# endif # endif
} }
#endif
/* This typedef is supposed to be always defined. */
typedef struct statx struct_statx;
#if !HAVE_STATX
# define statx(dfd, filename, flags, mask, buffer) missing_statx(dfd, filename, flags, mask, buffer) # define statx(dfd, filename, flags, mask, buffer) missing_statx(dfd, filename, flags, mask, buffer)
#endif #endif
#if !HAVE_SET_MEMPOLICY /* ======================================================================= */
#if !HAVE_SET_MEMPOLICY
enum { enum {
MPOL_DEFAULT, MPOL_DEFAULT,
MPOL_PREFERRED, MPOL_PREFERRED,
@ -527,19 +625,28 @@ static inline long missing_get_mempolicy(int *mode, unsigned long *nodemask,
# define get_mempolicy missing_get_mempolicy # define get_mempolicy missing_get_mempolicy
#endif #endif
#if !HAVE_PIDFD_SEND_SIGNAL /* ======================================================================= */
/* should be always defined, see kernel 39036cd2727395c3369b1051005da74059a85317 */
#if defined(__alpha__)
# define systemd_NR_pidfd_send_signal 534
#else
# define systemd_NR_pidfd_send_signal 424
#endif
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_pidfd_send_signal && __NR_pidfd_send_signal >= 0) #if defined __NR_pidfd_send_signal && __NR_pidfd_send_signal >= 0
# if defined systemd_NR_pidfd_send_signal
assert_cc(__NR_pidfd_send_signal == systemd_NR_pidfd_send_signal);
# endif
#else
# if defined __NR_pidfd_send_signal # if defined __NR_pidfd_send_signal
# undef __NR_pidfd_send_signal # undef __NR_pidfd_send_signal
# endif # endif
/* should be always defined, see kernel 39036cd2727395c3369b1051005da74059a85317 */ # define __NR_pidfd_send_signal systemd_NR_pidfd_send_signal
# if defined(__alpha__)
# define __NR_pidfd_send_signal 534
# else
# define __NR_pidfd_send_signal 424
# endif
#endif #endif
#if !HAVE_PIDFD_SEND_SIGNAL
static inline int missing_pidfd_send_signal(int fd, int sig, siginfo_t *info, unsigned flags) { static inline int missing_pidfd_send_signal(int fd, int sig, siginfo_t *info, unsigned flags) {
# ifdef __NR_pidfd_open # ifdef __NR_pidfd_open
return syscall(__NR_pidfd_send_signal, fd, sig, info, flags); return syscall(__NR_pidfd_send_signal, fd, sig, info, flags);
@ -552,19 +659,26 @@ static inline int missing_pidfd_send_signal(int fd, int sig, siginfo_t *info, un
# define pidfd_send_signal missing_pidfd_send_signal # define pidfd_send_signal missing_pidfd_send_signal
#endif #endif
#if !HAVE_PIDFD_OPEN /* should be always defined, see kernel 7615d9e1780e26e0178c93c55b73309a5dc093d7 */
#if defined(__alpha__)
# define systemd_NR_pidfd_open 544
#else
# define systemd_NR_pidfd_open 434
#endif
/* may be (invalid) negative number due to libseccomp, see PR 13319 */ /* may be (invalid) negative number due to libseccomp, see PR 13319 */
# if ! (defined __NR_pidfd_open && __NR_pidfd_open >= 0) #if defined __NR_pidfd_open && __NR_pidfd_open >= 0
# if defined systemd_NR_pidfd_open
assert_cc(__NR_pidfd_open == systemd_NR_pidfd_open);
# endif
#else
# if defined __NR_pidfd_open # if defined __NR_pidfd_open
# undef __NR_pidfd_open # undef __NR_pidfd_open
# endif # endif
/* should be always defined, see kernel 7615d9e1780e26e0178c93c55b73309a5dc093d7 */ # define __NR_pidfd_open systemd_NR_pidfd_open
# if defined(__alpha__)
# define __NR_pidfd_open 544
# else
# define __NR_pidfd_open 434
# endif
#endif #endif
#if !HAVE_PIDFD_OPEN
static inline int missing_pidfd_open(pid_t pid, unsigned flags) { static inline int missing_pidfd_open(pid_t pid, unsigned flags) {
# ifdef __NR_pidfd_open # ifdef __NR_pidfd_open
return syscall(__NR_pidfd_open, pid, flags); return syscall(__NR_pidfd_open, pid, flags);
@ -577,9 +691,15 @@ static inline int missing_pidfd_open(pid_t pid, unsigned flags) {
# define pidfd_open missing_pidfd_open # define pidfd_open missing_pidfd_open
#endif #endif
/* ======================================================================= */
#if !HAVE_RT_SIGQUEUEINFO #if !HAVE_RT_SIGQUEUEINFO
static inline int missing_rt_sigqueueinfo(pid_t tgid, int sig, siginfo_t *info) { static inline int missing_rt_sigqueueinfo(pid_t tgid, int sig, siginfo_t *info) {
# if defined __NR_rt_sigqueueinfo && __NR_rt_sigqueueinfo >= 0
return syscall(__NR_rt_sigqueueinfo, tgid, sig, info); return syscall(__NR_rt_sigqueueinfo, tgid, sig, info);
# else
# error "__NR_rt_sigqueueinfo not defined"
# endif
} }
# define rt_sigqueueinfo missing_rt_sigqueueinfo # define rt_sigqueueinfo missing_rt_sigqueueinfo

View File

@ -5,6 +5,7 @@
#include <string.h> #include <string.h>
#include "alloc-util.h" #include "alloc-util.h"
#include "fd-util.h"
#include "format-util.h" #include "format-util.h"
#include "fs-util.h" #include "fs-util.h"
#include "macro.h" #include "macro.h"
@ -187,3 +188,54 @@ int mkdir_p(const char *path, mode_t mode) {
int mkdir_p_safe(const char *prefix, const char *path, mode_t mode, uid_t uid, gid_t gid, MkdirFlags flags) { int mkdir_p_safe(const char *prefix, const char *path, mode_t mode, uid_t uid, gid_t gid, MkdirFlags flags) {
return mkdir_p_internal(prefix, path, mode, uid, gid, flags, mkdir_errno_wrapper); return mkdir_p_internal(prefix, path, mode, uid, gid, flags, mkdir_errno_wrapper);
} }
int mkdir_p_root(const char *root, const char *p, uid_t uid, gid_t gid, mode_t m) {
_cleanup_free_ char *pp = NULL;
_cleanup_close_ int dfd = -1;
const char *bn;
int r;
pp = dirname_malloc(p);
if (!pp)
return -ENOMEM;
/* Not top-level? */
if (!(path_equal(pp, "/") || isempty(pp) || path_equal(pp, "."))) {
/* Recurse up */
r = mkdir_p_root(root, pp, uid, gid, m);
if (r < 0)
return r;
}
bn = basename(p);
if (path_equal(bn, "/") || isempty(bn) || path_equal(bn, "."))
return 0;
if (!filename_is_valid(bn))
return -EINVAL;
dfd = chase_symlinks_and_open(pp, root, CHASE_PREFIX_ROOT, O_RDONLY|O_CLOEXEC|O_DIRECTORY, NULL);
if (dfd < 0)
return dfd;
if (mkdirat(dfd, bn, m) < 0) {
if (errno == EEXIST)
return 0;
return -errno;
}
if (uid_is_valid(uid) || gid_is_valid(gid)) {
_cleanup_close_ int nfd = -1;
nfd = openat(dfd, bn, O_RDONLY|O_CLOEXEC|O_DIRECTORY);
if (nfd < 0)
return -errno;
if (fchown(nfd, uid, gid) < 0)
return -errno;
}
return 1;
}

View File

@ -26,3 +26,5 @@ typedef int (*mkdir_func_t)(const char *pathname, mode_t mode);
int mkdir_safe_internal(const char *path, mode_t mode, uid_t uid, gid_t gid, MkdirFlags flags, mkdir_func_t _mkdir); int mkdir_safe_internal(const char *path, mode_t mode, uid_t uid, gid_t gid, MkdirFlags flags, mkdir_func_t _mkdir);
int mkdir_parents_internal(const char *prefix, const char *path, mode_t mode, uid_t uid, gid_t gid, MkdirFlags flags, mkdir_func_t _mkdir); int mkdir_parents_internal(const char *prefix, const char *path, mode_t mode, uid_t uid, gid_t gid, MkdirFlags flags, mkdir_func_t _mkdir);
int mkdir_p_internal(const char *prefix, const char *path, mode_t mode, uid_t uid, gid_t gid, MkdirFlags flags, mkdir_func_t _mkdir); int mkdir_p_internal(const char *prefix, const char *path, mode_t mode, uid_t uid, gid_t gid, MkdirFlags flags, mkdir_func_t _mkdir);
int mkdir_p_root(const char *root, const char *p, uid_t uid, gid_t gid, mode_t m);

View File

@ -726,18 +726,6 @@ int fsck_exists(const char *fstype) {
return binary_is_good(checker); return binary_is_good(checker);
} }
int mkfs_exists(const char *fstype) {
const char *mkfs;
assert(fstype);
if (streq(fstype, "auto"))
return -EINVAL;
mkfs = strjoina("mkfs.", fstype);
return binary_is_good(mkfs);
}
int parse_path_argument_and_warn(const char *path, bool suppress_root, char **arg) { int parse_path_argument_and_warn(const char *path, bool suppress_root, char **arg) {
char *p; char *p;
int r; int r;

View File

@ -85,7 +85,6 @@ int find_binary(const char *name, char **filename);
bool paths_check_timestamp(const char* const* paths, usec_t *paths_ts_usec, bool update); bool paths_check_timestamp(const char* const* paths, usec_t *paths_ts_usec, bool update);
int fsck_exists(const char *fstype); int fsck_exists(const char *fstype);
int mkfs_exists(const char *fstype);
/* Iterates through the path prefixes of the specified path, going up /* Iterates through the path prefixes of the specified path, going up
* the tree, to root. Also returns "" (and not "/"!) for the root * the tree, to root. Also returns "" (and not "/"!) for the root

View File

@ -47,6 +47,8 @@ static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_exec_input, exec_input, ExecInp
static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_exec_utmp_mode, exec_utmp_mode, ExecUtmpMode); static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_exec_utmp_mode, exec_utmp_mode, ExecUtmpMode);
static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_exec_preserve_mode, exec_preserve_mode, ExecPreserveMode); static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_exec_preserve_mode, exec_preserve_mode, ExecPreserveMode);
static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_exec_keyring_mode, exec_keyring_mode, ExecKeyringMode); static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_exec_keyring_mode, exec_keyring_mode, ExecKeyringMode);
static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_protect_proc, protect_proc, ProtectProc);
static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_proc_subset, proc_subset, ProcSubset);
static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_protect_home, protect_home, ProtectHome); static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_protect_home, protect_home, ProtectHome);
static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_protect_system, protect_system, ProtectSystem); static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_protect_system, protect_system, ProtectSystem);
static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_personality, personality, unsigned long); static BUS_DEFINE_PROPERTY_GET_ENUM(property_get_personality, personality, unsigned long);
@ -1016,6 +1018,8 @@ const sd_bus_vtable bus_exec_vtable[] = {
SD_BUS_PROPERTY("TemporaryFileSystem", "a(ss)", property_get_temporary_filesystems, 0, SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("TemporaryFileSystem", "a(ss)", property_get_temporary_filesystems, 0, SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("MountAPIVFS", "b", bus_property_get_bool, offsetof(ExecContext, mount_apivfs), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("MountAPIVFS", "b", bus_property_get_bool, offsetof(ExecContext, mount_apivfs), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("KeyringMode", "s", property_get_exec_keyring_mode, offsetof(ExecContext, keyring_mode), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("KeyringMode", "s", property_get_exec_keyring_mode, offsetof(ExecContext, keyring_mode), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ProtectProc", "s", property_get_protect_proc, offsetof(ExecContext, protect_proc), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ProcSubset", "s", property_get_proc_subset, offsetof(ExecContext, proc_subset), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("ProtectHostname", "b", bus_property_get_bool, offsetof(ExecContext, protect_hostname), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("ProtectHostname", "b", bus_property_get_bool, offsetof(ExecContext, protect_hostname), SD_BUS_VTABLE_PROPERTY_CONST),
SD_BUS_PROPERTY("NetworkNamespacePath", "s", NULL, offsetof(ExecContext, network_namespace_path), SD_BUS_VTABLE_PROPERTY_CONST), SD_BUS_PROPERTY("NetworkNamespacePath", "s", NULL, offsetof(ExecContext, network_namespace_path), SD_BUS_VTABLE_PROPERTY_CONST),
@ -1354,6 +1358,8 @@ static BUS_DEFINE_SET_TRANSIENT_PARSE(utmp_mode, ExecUtmpMode, exec_utmp_mode_fr
static BUS_DEFINE_SET_TRANSIENT_PARSE(protect_system, ProtectSystem, protect_system_from_string); static BUS_DEFINE_SET_TRANSIENT_PARSE(protect_system, ProtectSystem, protect_system_from_string);
static BUS_DEFINE_SET_TRANSIENT_PARSE(protect_home, ProtectHome, protect_home_from_string); static BUS_DEFINE_SET_TRANSIENT_PARSE(protect_home, ProtectHome, protect_home_from_string);
static BUS_DEFINE_SET_TRANSIENT_PARSE(keyring_mode, ExecKeyringMode, exec_keyring_mode_from_string); static BUS_DEFINE_SET_TRANSIENT_PARSE(keyring_mode, ExecKeyringMode, exec_keyring_mode_from_string);
static BUS_DEFINE_SET_TRANSIENT_PARSE(protect_proc, ProtectProc, protect_proc_from_string);
static BUS_DEFINE_SET_TRANSIENT_PARSE(proc_subset, ProcSubset, proc_subset_from_string);
static BUS_DEFINE_SET_TRANSIENT_PARSE(preserve_mode, ExecPreserveMode, exec_preserve_mode_from_string); static BUS_DEFINE_SET_TRANSIENT_PARSE(preserve_mode, ExecPreserveMode, exec_preserve_mode_from_string);
static BUS_DEFINE_SET_TRANSIENT_PARSE_PTR(personality, unsigned long, parse_personality); static BUS_DEFINE_SET_TRANSIENT_PARSE_PTR(personality, unsigned long, parse_personality);
static BUS_DEFINE_SET_TRANSIENT_TO_STRING_ALLOC(secure_bits, "i", int32_t, int, "%" PRIi32, secure_bits_to_string_alloc_with_check); static BUS_DEFINE_SET_TRANSIENT_TO_STRING_ALLOC(secure_bits, "i", int32_t, int, "%" PRIi32, secure_bits_to_string_alloc_with_check);
@ -1706,6 +1712,12 @@ int bus_exec_context_set_transient_property(
if (streq(name, "KeyringMode")) if (streq(name, "KeyringMode"))
return bus_set_transient_keyring_mode(u, name, &c->keyring_mode, message, flags, error); return bus_set_transient_keyring_mode(u, name, &c->keyring_mode, message, flags, error);
if (streq(name, "ProtectProc"))
return bus_set_transient_protect_proc(u, name, &c->protect_proc, message, flags, error);
if (streq(name, "ProcSubset"))
return bus_set_transient_proc_subset(u, name, &c->proc_subset, message, flags, error);
if (streq(name, "RuntimeDirectoryPreserve")) if (streq(name, "RuntimeDirectoryPreserve"))
return bus_set_transient_preserve_mode(u, name, &c->runtime_directory_preserve_mode, message, flags, error); return bus_set_transient_preserve_mode(u, name, &c->runtime_directory_preserve_mode, message, flags, error);

View File

@ -1948,7 +1948,9 @@ static bool exec_needs_mount_namespace(
context->protect_kernel_tunables || context->protect_kernel_tunables ||
context->protect_kernel_modules || context->protect_kernel_modules ||
context->protect_kernel_logs || context->protect_kernel_logs ||
context->protect_control_groups) context->protect_control_groups ||
context->protect_proc != PROTECT_PROC_DEFAULT ||
context->proc_subset != PROC_SUBSET_ALL)
return true; return true;
if (context->root_directory) { if (context->root_directory) {
@ -2650,6 +2652,10 @@ static int apply_mount_namespace(
.protect_hostname = context->protect_hostname, .protect_hostname = context->protect_hostname,
.mount_apivfs = context->mount_apivfs, .mount_apivfs = context->mount_apivfs,
.private_mounts = context->private_mounts, .private_mounts = context->private_mounts,
.protect_home = context->protect_home,
.protect_system = context->protect_system,
.protect_proc = context->protect_proc,
.proc_subset = context->proc_subset,
}; };
} else if (!context->dynamic_user && root_dir) } else if (!context->dynamic_user && root_dir)
/* /*
@ -2680,8 +2686,6 @@ static int apply_mount_namespace(
tmp_dir, tmp_dir,
var_tmp_dir, var_tmp_dir,
context->log_namespace, context->log_namespace,
needs_sandboxing ? context->protect_home : PROTECT_HOME_NO,
needs_sandboxing ? context->protect_system : PROTECT_SYSTEM_NO,
context->mount_flags, context->mount_flags,
context->root_hash, context->root_hash_size, context->root_hash_path, context->root_hash, context->root_hash_size, context->root_hash_path,
context->root_hash_sig, context->root_hash_sig_size, context->root_hash_sig_path, context->root_hash_sig, context->root_hash_sig_size, context->root_hash_sig_path,
@ -4601,7 +4605,9 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
"%sRestrictRealtime: %s\n" "%sRestrictRealtime: %s\n"
"%sRestrictSUIDSGID: %s\n" "%sRestrictSUIDSGID: %s\n"
"%sKeyringMode: %s\n" "%sKeyringMode: %s\n"
"%sProtectHostname: %s\n", "%sProtectHostname: %s\n"
"%sProtectProc: %s\n"
"%sProcSubset: %s\n",
prefix, c->umask, prefix, c->umask,
prefix, c->working_directory ? c->working_directory : "/", prefix, c->working_directory ? c->working_directory : "/",
prefix, c->root_directory ? c->root_directory : "/", prefix, c->root_directory ? c->root_directory : "/",
@ -4623,7 +4629,9 @@ void exec_context_dump(const ExecContext *c, FILE* f, const char *prefix) {
prefix, yes_no(c->restrict_realtime), prefix, yes_no(c->restrict_realtime),
prefix, yes_no(c->restrict_suid_sgid), prefix, yes_no(c->restrict_suid_sgid),
prefix, exec_keyring_mode_to_string(c->keyring_mode), prefix, exec_keyring_mode_to_string(c->keyring_mode),
prefix, yes_no(c->protect_hostname)); prefix, yes_no(c->protect_hostname),
prefix, protect_proc_to_string(c->protect_proc),
prefix, proc_subset_to_string(c->proc_subset));
if (c->root_image) if (c->root_image)
fprintf(f, "%sRootImage: %s\n", prefix, c->root_image); fprintf(f, "%sRootImage: %s\n", prefix, c->root_image);

View File

@ -260,6 +260,9 @@ struct ExecContext {
char *log_namespace; char *log_namespace;
ProtectProc protect_proc; /* hidepid= */
ProcSubset proc_subset; /* subset= */
bool private_tmp; bool private_tmp;
bool private_network; bool private_network;
bool private_devices; bool private_devices;

View File

@ -73,6 +73,8 @@ $1.AmbientCapabilities, config_parse_capability_set, 0,
$1.TimerSlackNSec, config_parse_nsec, 0, offsetof($1, exec_context.timer_slack_nsec) $1.TimerSlackNSec, config_parse_nsec, 0, offsetof($1, exec_context.timer_slack_nsec)
$1.NoNewPrivileges, config_parse_bool, 0, offsetof($1, exec_context.no_new_privileges) $1.NoNewPrivileges, config_parse_bool, 0, offsetof($1, exec_context.no_new_privileges)
$1.KeyringMode, config_parse_exec_keyring_mode, 0, offsetof($1, exec_context.keyring_mode) $1.KeyringMode, config_parse_exec_keyring_mode, 0, offsetof($1, exec_context.keyring_mode)
$1.ProtectProc, config_parse_protect_proc, 0, offsetof($1, exec_context.protect_proc)
$1.ProcSubset, config_parse_proc_subset, 0, offsetof($1, exec_context.proc_subset)
m4_ifdef(`HAVE_SECCOMP', m4_ifdef(`HAVE_SECCOMP',
`$1.SystemCallFilter, config_parse_syscall_filter, 0, offsetof($1, exec_context) `$1.SystemCallFilter, config_parse_syscall_filter, 0, offsetof($1, exec_context)
$1.SystemCallArchitectures, config_parse_syscall_archs, 0, offsetof($1, exec_context.syscall_archs) $1.SystemCallArchitectures, config_parse_syscall_archs, 0, offsetof($1, exec_context.syscall_archs)
@ -265,7 +267,6 @@ Unit.SuccessAction, config_parse_emergency_action, 0,
Unit.FailureActionExitStatus, config_parse_exit_status, 0, offsetof(Unit, failure_action_exit_status) Unit.FailureActionExitStatus, config_parse_exit_status, 0, offsetof(Unit, failure_action_exit_status)
Unit.SuccessActionExitStatus, config_parse_exit_status, 0, offsetof(Unit, success_action_exit_status) Unit.SuccessActionExitStatus, config_parse_exit_status, 0, offsetof(Unit, success_action_exit_status)
Unit.RebootArgument, config_parse_unit_string_printf, 0, offsetof(Unit, reboot_arg) Unit.RebootArgument, config_parse_unit_string_printf, 0, offsetof(Unit, reboot_arg)
m4_dnl Also add any conditions to condition_definitions[] in src/analyze/analyze-condition.c.
Unit.ConditionPathExists, config_parse_unit_condition_path, CONDITION_PATH_EXISTS, offsetof(Unit, conditions) Unit.ConditionPathExists, config_parse_unit_condition_path, CONDITION_PATH_EXISTS, offsetof(Unit, conditions)
Unit.ConditionPathExistsGlob, config_parse_unit_condition_path, CONDITION_PATH_EXISTS_GLOB, offsetof(Unit, conditions) Unit.ConditionPathExistsGlob, config_parse_unit_condition_path, CONDITION_PATH_EXISTS_GLOB, offsetof(Unit, conditions)
Unit.ConditionPathIsDirectory, config_parse_unit_condition_path, CONDITION_PATH_IS_DIRECTORY, offsetof(Unit, conditions) Unit.ConditionPathIsDirectory, config_parse_unit_condition_path, CONDITION_PATH_IS_DIRECTORY, offsetof(Unit, conditions)

View File

@ -118,6 +118,8 @@ DEFINE_CONFIG_PARSE(config_parse_exec_secure_bits, secure_bits_from_string, "Fai
DEFINE_CONFIG_PARSE_ENUM(config_parse_collect_mode, collect_mode, CollectMode, "Failed to parse garbage collection mode"); DEFINE_CONFIG_PARSE_ENUM(config_parse_collect_mode, collect_mode, CollectMode, "Failed to parse garbage collection mode");
DEFINE_CONFIG_PARSE_ENUM(config_parse_device_policy, cgroup_device_policy, CGroupDevicePolicy, "Failed to parse device policy"); DEFINE_CONFIG_PARSE_ENUM(config_parse_device_policy, cgroup_device_policy, CGroupDevicePolicy, "Failed to parse device policy");
DEFINE_CONFIG_PARSE_ENUM(config_parse_exec_keyring_mode, exec_keyring_mode, ExecKeyringMode, "Failed to parse keyring mode"); DEFINE_CONFIG_PARSE_ENUM(config_parse_exec_keyring_mode, exec_keyring_mode, ExecKeyringMode, "Failed to parse keyring mode");
DEFINE_CONFIG_PARSE_ENUM(config_parse_protect_proc, protect_proc, ProtectProc, "Failed to parse /proc/ protection mode");
DEFINE_CONFIG_PARSE_ENUM(config_parse_proc_subset, proc_subset, ProcSubset, "Failed to parse /proc/ subset mode");
DEFINE_CONFIG_PARSE_ENUM(config_parse_exec_utmp_mode, exec_utmp_mode, ExecUtmpMode, "Failed to parse utmp mode"); DEFINE_CONFIG_PARSE_ENUM(config_parse_exec_utmp_mode, exec_utmp_mode, ExecUtmpMode, "Failed to parse utmp mode");
DEFINE_CONFIG_PARSE_ENUM(config_parse_job_mode, job_mode, JobMode, "Failed to parse job mode"); DEFINE_CONFIG_PARSE_ENUM(config_parse_job_mode, job_mode, JobMode, "Failed to parse job mode");
DEFINE_CONFIG_PARSE_ENUM(config_parse_notify_access, notify_access, NotifyAccess, "Failed to parse notify access specifier"); DEFINE_CONFIG_PARSE_ENUM(config_parse_notify_access, notify_access, NotifyAccess, "Failed to parse notify access specifier");

View File

@ -108,6 +108,8 @@ CONFIG_PARSER_PROTOTYPE(config_parse_user_group_strv_compat);
CONFIG_PARSER_PROTOTYPE(config_parse_restrict_namespaces); CONFIG_PARSER_PROTOTYPE(config_parse_restrict_namespaces);
CONFIG_PARSER_PROTOTYPE(config_parse_bind_paths); CONFIG_PARSER_PROTOTYPE(config_parse_bind_paths);
CONFIG_PARSER_PROTOTYPE(config_parse_exec_keyring_mode); CONFIG_PARSER_PROTOTYPE(config_parse_exec_keyring_mode);
CONFIG_PARSER_PROTOTYPE(config_parse_protect_proc);
CONFIG_PARSER_PROTOTYPE(config_parse_proc_subset);
CONFIG_PARSER_PROTOTYPE(config_parse_job_timeout_sec); CONFIG_PARSER_PROTOTYPE(config_parse_job_timeout_sec);
CONFIG_PARSER_PROTOTYPE(config_parse_job_running_timeout_sec); CONFIG_PARSER_PROTOTYPE(config_parse_job_running_timeout_sec);
CONFIG_PARSER_PROTOTYPE(config_parse_log_extra_fields); CONFIG_PARSER_PROTOTYPE(config_parse_log_extra_fields);

View File

@ -97,7 +97,7 @@ static const MountEntry protect_kernel_tunables_table[] = {
{ "/proc/latency_stats", READONLY, true }, { "/proc/latency_stats", READONLY, true },
{ "/proc/mtrr", READONLY, true }, { "/proc/mtrr", READONLY, true },
{ "/proc/scsi", READONLY, true }, { "/proc/scsi", READONLY, true },
{ "/proc/sys", READONLY, false }, { "/proc/sys", READONLY, true },
{ "/proc/sysrq-trigger", READONLY, true }, { "/proc/sysrq-trigger", READONLY, true },
{ "/proc/timer_stats", READONLY, true }, { "/proc/timer_stats", READONLY, true },
{ "/sys", READONLY, false }, { "/sys", READONLY, false },
@ -863,33 +863,66 @@ static int mount_sysfs(const MountEntry *m) {
return 1; return 1;
} }
static int mount_procfs(const MountEntry *m) { static int mount_procfs(const MountEntry *m, const NamespaceInfo *ns_info) {
int r; const char *entry_path;
assert(m); assert(m);
assert(ns_info);
(void) mkdir_p_label(mount_entry_path(m), 0755); entry_path = mount_entry_path(m);
r = path_is_mount_point(mount_entry_path(m), NULL, 0); /* Mount a new instance, so that we get the one that matches our user namespace, if we are running in
if (r < 0) * one. i.e we don't reuse existing mounts here under any condition, we want a new instance owned by
return log_debug_errno(r, "Unable to determine whether /proc is already mounted: %m"); * our user namespace and with our hidepid= settings applied. Hence, let's get rid of everything
if (r > 0) /* make this a NOP if /proc is already a mount point */ * mounted on /proc/ first. */
return 0;
/* Mount a new instance, so that we get the one that matches our user namespace, if we are running in one */ (void) mkdir_p_label(entry_path, 0755);
if (mount("proc", mount_entry_path(m), "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL) < 0) (void) umount_recursive(entry_path, 0);
return log_debug_errno(errno, "Failed to mount %s: %m", mount_entry_path(m));
if (ns_info->protect_proc != PROTECT_PROC_DEFAULT ||
ns_info->proc_subset != PROC_SUBSET_ALL) {
_cleanup_free_ char *opts = NULL;
/* Starting with kernel 5.8 procfs' hidepid= logic is truly per-instance (previously it
* pretended to be per-instance but actually was per-namespace), hence let's make use of it
* if requested. To make sure this logic succeeds only on kernels where hidepid= is
* per-instance, we'll exclusively use the textual value for hidepid=, since support was
* added in the same commit: if it's supported it is thus also per-instance. */
opts = strjoin("hidepid=",
ns_info->protect_proc == PROTECT_PROC_DEFAULT ? "off" :
protect_proc_to_string(ns_info->protect_proc),
ns_info->proc_subset == PROC_SUBSET_PID ? ",subset=pid" : "");
if (!opts)
return -ENOMEM;
if (mount("proc", entry_path, "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, opts) < 0) {
if (errno != EINVAL)
return log_debug_errno(errno, "Failed to mount %s (options=%s): %m", mount_entry_path(m), opts);
/* If this failed with EINVAL then this likely means the textual hidepid= stuff is
* not supported by the kernel, and thus the per-instance hidepid= neither, which
* means we really don't want to use it, since it would affect our host's /proc
* mount. Hence let's gracefully fallback to a classic, unrestricted version. */
} else
return 1;
}
if (mount("proc", entry_path, "proc", MS_NOSUID|MS_NOEXEC|MS_NODEV, NULL) < 0)
return log_debug_errno(errno, "Failed to mount %s (no options): %m", mount_entry_path(m));
return 1; return 1;
} }
static int mount_tmpfs(const MountEntry *m) { static int mount_tmpfs(const MountEntry *m) {
const char *entry_path, *inner_path;
int r; int r;
const char *entry_path = mount_entry_path(m);
const char *source_path = m->path_const;
assert(m); assert(m);
entry_path = mount_entry_path(m);
inner_path = m->path_const;
/* First, get rid of everything that is below if there is anything. Then, overmount with our new tmpfs */ /* First, get rid of everything that is below if there is anything. Then, overmount with our new tmpfs */
(void) mkdir_p_label(entry_path, 0755); (void) mkdir_p_label(entry_path, 0755);
@ -898,9 +931,9 @@ static int mount_tmpfs(const MountEntry *m) {
if (mount("tmpfs", entry_path, "tmpfs", m->flags, mount_entry_options(m)) < 0) if (mount("tmpfs", entry_path, "tmpfs", m->flags, mount_entry_options(m)) < 0)
return log_debug_errno(errno, "Failed to mount %s: %m", entry_path); return log_debug_errno(errno, "Failed to mount %s: %m", entry_path);
r = label_fix_container(entry_path, source_path, 0); r = label_fix_container(entry_path, inner_path, 0);
if (r < 0) if (r < 0)
return log_debug_errno(r, "Failed to fix label of '%s' as '%s': %m", entry_path, source_path); return log_debug_errno(r, "Failed to fix label of '%s' as '%s': %m", entry_path, inner_path);
return 1; return 1;
} }
@ -995,7 +1028,8 @@ static int follow_symlink(
static int apply_mount( static int apply_mount(
const char *root_directory, const char *root_directory,
MountEntry *m) { MountEntry *m,
const NamespaceInfo *ns_info) {
_cleanup_free_ char *inaccessible = NULL; _cleanup_free_ char *inaccessible = NULL;
bool rbind = true, make = false; bool rbind = true, make = false;
@ -1003,6 +1037,7 @@ static int apply_mount(
int r; int r;
assert(m); assert(m);
assert(ns_info);
log_debug("Applying namespace mount on %s", mount_entry_path(m)); log_debug("Applying namespace mount on %s", mount_entry_path(m));
@ -1107,7 +1142,7 @@ static int apply_mount(
return mount_sysfs(m); return mount_sysfs(m);
case PROCFS: case PROCFS:
return mount_procfs(m); return mount_procfs(m, ns_info);
case MOUNT_IMAGES: case MOUNT_IMAGES:
return mount_images(m); return mount_images(m);
@ -1219,7 +1254,9 @@ static bool namespace_info_mount_apivfs(const NamespaceInfo *ns_info) {
return ns_info->mount_apivfs || return ns_info->mount_apivfs ||
ns_info->protect_control_groups || ns_info->protect_control_groups ||
ns_info->protect_kernel_tunables; ns_info->protect_kernel_tunables ||
ns_info->protect_proc != PROTECT_PROC_DEFAULT ||
ns_info->proc_subset != PROC_SUBSET_ALL;
} }
static size_t namespace_calculate_mounts( static size_t namespace_calculate_mounts(
@ -1233,25 +1270,23 @@ static size_t namespace_calculate_mounts(
size_t n_mount_images, size_t n_mount_images,
const char* tmp_dir, const char* tmp_dir,
const char* var_tmp_dir, const char* var_tmp_dir,
const char* log_namespace, const char* log_namespace) {
ProtectHome protect_home,
ProtectSystem protect_system) {
size_t protect_home_cnt; size_t protect_home_cnt;
size_t protect_system_cnt = size_t protect_system_cnt =
(protect_system == PROTECT_SYSTEM_STRICT ? (ns_info->protect_system == PROTECT_SYSTEM_STRICT ?
ELEMENTSOF(protect_system_strict_table) : ELEMENTSOF(protect_system_strict_table) :
((protect_system == PROTECT_SYSTEM_FULL) ? ((ns_info->protect_system == PROTECT_SYSTEM_FULL) ?
ELEMENTSOF(protect_system_full_table) : ELEMENTSOF(protect_system_full_table) :
((protect_system == PROTECT_SYSTEM_YES) ? ((ns_info->protect_system == PROTECT_SYSTEM_YES) ?
ELEMENTSOF(protect_system_yes_table) : 0))); ELEMENTSOF(protect_system_yes_table) : 0)));
protect_home_cnt = protect_home_cnt =
(protect_home == PROTECT_HOME_YES ? (ns_info->protect_home == PROTECT_HOME_YES ?
ELEMENTSOF(protect_home_yes_table) : ELEMENTSOF(protect_home_yes_table) :
((protect_home == PROTECT_HOME_READ_ONLY) ? ((ns_info->protect_home == PROTECT_HOME_READ_ONLY) ?
ELEMENTSOF(protect_home_read_only_table) : ELEMENTSOF(protect_home_read_only_table) :
((protect_home == PROTECT_HOME_TMPFS) ? ((ns_info->protect_home == PROTECT_HOME_TMPFS) ?
ELEMENTSOF(protect_home_tmpfs_table) : 0))); ELEMENTSOF(protect_home_tmpfs_table) : 0)));
return !!tmp_dir + !!var_tmp_dir + return !!tmp_dir + !!var_tmp_dir +
@ -1355,8 +1390,6 @@ int setup_namespace(
const char* tmp_dir, const char* tmp_dir,
const char* var_tmp_dir, const char* var_tmp_dir,
const char *log_namespace, const char *log_namespace,
ProtectHome protect_home,
ProtectSystem protect_system,
unsigned long mount_flags, unsigned long mount_flags,
const void *root_hash, const void *root_hash,
size_t root_hash_size, size_t root_hash_size,
@ -1389,10 +1422,10 @@ int setup_namespace(
/* Make the whole image read-only if we can determine that we only access it in a read-only fashion. */ /* Make the whole image read-only if we can determine that we only access it in a read-only fashion. */
if (root_read_only(read_only_paths, if (root_read_only(read_only_paths,
protect_system) && ns_info->protect_system) &&
home_read_only(read_only_paths, inaccessible_paths, empty_directories, home_read_only(read_only_paths, inaccessible_paths, empty_directories,
bind_mounts, n_bind_mounts, temporary_filesystems, n_temporary_filesystems, bind_mounts, n_bind_mounts, temporary_filesystems, n_temporary_filesystems,
protect_home) && ns_info->protect_home) &&
strv_isempty(read_write_paths)) strv_isempty(read_write_paths))
dissect_image_flags |= DISSECT_IMAGE_READ_ONLY; dissect_image_flags |= DISSECT_IMAGE_READ_ONLY;
@ -1461,8 +1494,7 @@ int setup_namespace(
n_temporary_filesystems, n_temporary_filesystems,
n_mount_images, n_mount_images,
tmp_dir, var_tmp_dir, tmp_dir, var_tmp_dir,
log_namespace, log_namespace);
protect_home, protect_system);
if (n_mounts > 0) { if (n_mounts > 0) {
m = mounts = new0(MountEntry, n_mounts); m = mounts = new0(MountEntry, n_mounts);
@ -1559,11 +1591,11 @@ int setup_namespace(
}; };
} }
r = append_protect_home(&m, protect_home, ns_info->ignore_protect_paths); r = append_protect_home(&m, ns_info->protect_home, ns_info->ignore_protect_paths);
if (r < 0) if (r < 0)
goto finish; goto finish;
r = append_protect_system(&m, protect_system, false); r = append_protect_system(&m, ns_info->protect_system, false);
if (r < 0) if (r < 0)
goto finish; goto finish;
@ -1720,7 +1752,7 @@ int setup_namespace(
break; break;
} }
r = apply_mount(root, m); r = apply_mount(root, m, ns_info);
if (r < 0) { if (r < 0) {
if (error_path && mount_entry_path(m)) if (error_path && mount_entry_path(m))
*error_path = strdup(mount_entry_path(m)); *error_path = strdup(mount_entry_path(m));
@ -2240,3 +2272,19 @@ static const char* const namespace_type_table[] = {
}; };
DEFINE_STRING_TABLE_LOOKUP(namespace_type, NamespaceType); DEFINE_STRING_TABLE_LOOKUP(namespace_type, NamespaceType);
static const char* const protect_proc_table[_PROTECT_PROC_MAX] = {
[PROTECT_PROC_DEFAULT] = "default",
[PROTECT_PROC_NOACCESS] = "noaccess",
[PROTECT_PROC_INVISIBLE] = "invisible",
[PROTECT_PROC_PTRACEABLE] = "ptraceable",
};
DEFINE_STRING_TABLE_LOOKUP(protect_proc, ProtectProc);
static const char* const proc_subset_table[_PROC_SUBSET_MAX] = {
[PROC_SUBSET_ALL] = "all",
[PROC_SUBSET_PID] = "pid",
};
DEFINE_STRING_TABLE_LOOKUP(proc_subset, ProcSubset);

View File

@ -47,6 +47,22 @@ typedef enum ProtectSystem {
_PROTECT_SYSTEM_INVALID = -1 _PROTECT_SYSTEM_INVALID = -1
} ProtectSystem; } ProtectSystem;
typedef enum ProtectProc {
PROTECT_PROC_DEFAULT,
PROTECT_PROC_NOACCESS, /* hidepid=noaccess */
PROTECT_PROC_INVISIBLE, /* hidepid=invisible */
PROTECT_PROC_PTRACEABLE, /* hidepid=ptraceable */
_PROTECT_PROC_MAX,
_PROTECT_PROC_INVALID = -1,
} ProtectProc;
typedef enum ProcSubset {
PROC_SUBSET_ALL,
PROC_SUBSET_PID, /* subset=pid */
_PROC_SUBSET_MAX,
_PROC_SUBSET_INVALID = -1,
} ProcSubset;
struct NamespaceInfo { struct NamespaceInfo {
bool ignore_protect_paths:1; bool ignore_protect_paths:1;
bool private_dev:1; bool private_dev:1;
@ -57,6 +73,10 @@ struct NamespaceInfo {
bool protect_kernel_logs:1; bool protect_kernel_logs:1;
bool mount_apivfs:1; bool mount_apivfs:1;
bool protect_hostname:1; bool protect_hostname:1;
ProtectHome protect_home;
ProtectSystem protect_system;
ProtectProc protect_proc;
ProcSubset proc_subset;
}; };
struct BindMount { struct BindMount {
@ -98,8 +118,6 @@ int setup_namespace(
const char *tmp_dir, const char *tmp_dir,
const char *var_tmp_dir, const char *var_tmp_dir,
const char *log_namespace, const char *log_namespace,
ProtectHome protect_home,
ProtectSystem protect_system,
unsigned long mount_flags, unsigned long mount_flags,
const void *root_hash, const void *root_hash,
size_t root_hash_size, size_t root_hash_size,
@ -135,6 +153,12 @@ ProtectHome protect_home_from_string(const char *s) _pure_;
const char* protect_system_to_string(ProtectSystem p) _const_; const char* protect_system_to_string(ProtectSystem p) _const_;
ProtectSystem protect_system_from_string(const char *s) _pure_; ProtectSystem protect_system_from_string(const char *s) _pure_;
const char* protect_proc_to_string(ProtectProc i) _const_;
ProtectProc protect_proc_from_string(const char *s) _pure_;
const char* proc_subset_to_string(ProcSubset i) _const_;
ProcSubset proc_subset_from_string(const char *s) _pure_;
void bind_mount_free_many(BindMount *b, size_t n); void bind_mount_free_many(BindMount *b, size_t n);
int bind_mount_add(BindMount **b, size_t *n, const BindMount *item); int bind_mount_add(BindMount **b, size_t *n, const BindMount *item);

View File

@ -24,6 +24,7 @@
#include "memory-util.h" #include "memory-util.h"
#include "missing_magic.h" #include "missing_magic.h"
#include "mkdir.h" #include "mkdir.h"
#include "mkfs-util.h"
#include "mount-util.h" #include "mount-util.h"
#include "openssl-util.h" #include "openssl-util.h"
#include "parse-util.h" #include "parse-util.h"
@ -1371,71 +1372,6 @@ int home_trim_luks(UserRecord *h) {
return 0; return 0;
} }
static int run_mkfs(
const char *node,
const char *fstype,
const char *label,
sd_id128_t uuid,
bool discard) {
int r;
assert(node);
assert(fstype);
assert(label);
r = mkfs_exists(fstype);
if (r < 0)
return log_error_errno(r, "Failed to check if mkfs for file system %s exists: %m", fstype);
if (r == 0)
return log_error_errno(SYNTHETIC_ERRNO(EPROTONOSUPPORT), "No mkfs for file system %s installed.", fstype);
r = safe_fork("(mkfs)", FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_LOG|FORK_WAIT|FORK_STDOUT_TO_STDERR, NULL);
if (r < 0)
return r;
if (r == 0) {
const char *mkfs;
char suuid[37];
/* Child */
mkfs = strjoina("mkfs.", fstype);
id128_to_uuid_string(uuid, suuid);
if (streq(fstype, "ext4"))
execlp(mkfs, mkfs,
"-L", label,
"-U", suuid,
"-I", "256",
"-O", "has_journal",
"-m", "0",
"-E", discard ? "lazy_itable_init=1,discard" : "lazy_itable_init=1,nodiscard",
node, NULL);
else if (streq(fstype, "btrfs")) {
if (discard)
execlp(mkfs, mkfs, "-L", label, "-U", suuid, node, NULL);
else
execlp(mkfs, mkfs, "-L", label, "-U", suuid, "--nodiscard", node, NULL);
} else if (streq(fstype, "xfs")) {
const char *j;
j = strjoina("uuid=", suuid);
if (discard)
execlp(mkfs, mkfs, "-L", label, "-m", j, "-m", "reflink=1", node, NULL);
else
execlp(mkfs, mkfs, "-L", label, "-m", j, "-m", "reflink=1", "-K", node, NULL);
} else {
log_error("Cannot make file system: %s", fstype);
_exit(EXIT_FAILURE);
}
log_error_errno(errno, "Failed to execute %s: %m", mkfs);
_exit(EXIT_FAILURE);
}
return 0;
}
static struct crypt_pbkdf_type* build_good_pbkdf(struct crypt_pbkdf_type *buffer, UserRecord *hr) { static struct crypt_pbkdf_type* build_good_pbkdf(struct crypt_pbkdf_type *buffer, UserRecord *hr) {
assert(buffer); assert(buffer);
assert(hr); assert(hr);
@ -2083,7 +2019,7 @@ int home_create_luks(
log_info("Setting up LUKS device %s completed.", dm_node); log_info("Setting up LUKS device %s completed.", dm_node);
r = run_mkfs(dm_node, fstype, user_record_user_name_and_realm(h), fs_uuid, user_record_luks_discard(h)); r = make_filesystem(dm_node, fstype, user_record_user_name_and_realm(h), fs_uuid, user_record_luks_discard(h));
if (r < 0) if (r < 0)
goto fail; goto fail;

View File

@ -7,6 +7,7 @@
#include "bus-common-errors.h" #include "bus-common-errors.h"
#include "bus-locator.h" #include "bus-locator.h"
#include "bus-util.h"
#include "errno-util.h" #include "errno-util.h"
#include "fd-util.h" #include "fd-util.h"
#include "home-util.h" #include "home-util.h"
@ -153,8 +154,7 @@ static int acquire_user_record(
r = bus_call_method(bus, bus_home_mgr, "GetUserRecordByName", &error, &reply, "s", username); r = bus_call_method(bus, bus_home_mgr, "GetUserRecordByName", &error, &reply, "s", username);
if (r < 0) { if (r < 0) {
if (sd_bus_error_has_name(&error, SD_BUS_ERROR_SERVICE_UNKNOWN) || if (bus_error_is_unknown_service(&error)) {
sd_bus_error_has_name(&error, SD_BUS_ERROR_NAME_HAS_NO_OWNER)) {
pam_syslog(handle, LOG_DEBUG, "systemd-homed is not available: %s", bus_error_message(&error, r)); pam_syslog(handle, LOG_DEBUG, "systemd-homed is not available: %s", bus_error_message(&error, r));
goto user_unknown; goto user_unknown;
} }

View File

@ -85,10 +85,13 @@ fi
KERNEL_VERSION="$1" KERNEL_VERSION="$1"
KERNEL_IMAGE="$2" KERNEL_IMAGE="$2"
if [[ -f /etc/machine-id ]]; then # Reuse directory created without a machine ID present if it exists.
if [[ -d /efi/Default ]] || [[ -d /boot/Default ]] || [[ -d /boot/efi/Default ]]; then
MACHINE_ID="Default"
elif [[ -f /etc/machine-id ]]; then
read MACHINE_ID < /etc/machine-id read MACHINE_ID < /etc/machine-id
else else
MACHINE_ID="Linux" MACHINE_ID="Default"
fi fi
if [[ ! $COMMAND ]] || [[ ! $KERNEL_VERSION ]]; then if [[ ! $COMMAND ]] || [[ ! $KERNEL_VERSION ]]; then

View File

@ -727,3 +727,8 @@ global:
sd_event_add_time_relative; sd_event_add_time_relative;
sd_event_source_set_time_relative; sd_event_source_set_time_relative;
} LIBSYSTEMD_246; } LIBSYSTEMD_246;
LIBSYSTEMD_248 {
global:
sd_bus_error_has_names_sentinel;
} LIBSYSTEMD_247;

View File

@ -13,6 +13,7 @@
#include "errno-list.h" #include "errno-list.h"
#include "errno-util.h" #include "errno-util.h"
#include "string-util.h" #include "string-util.h"
#include "strv.h"
#include "util.h" #include "util.h"
BUS_ERROR_MAP_ELF_REGISTER const sd_bus_error_map bus_standard_errors[] = { BUS_ERROR_MAP_ELF_REGISTER const sd_bus_error_map bus_standard_errors[] = {
@ -355,11 +356,23 @@ _public_ int sd_bus_error_has_name(const sd_bus_error *e, const char *name) {
return streq_ptr(e->name, name); return streq_ptr(e->name, name);
} }
_public_ int sd_bus_error_get_errno(const sd_bus_error* e) { _public_ int sd_bus_error_has_names_sentinel(const sd_bus_error *e, ...) {
if (!e) if (!e || !e->name)
return 0; return 0;
if (!e->name) va_list ap;
const char *p;
va_start(ap, e);
while ((p = va_arg(ap, const char *)))
if (streq(p, e->name))
break;
va_end(ap);
return !!p;
}
_public_ int sd_bus_error_get_errno(const sd_bus_error* e) {
if (!e || !e->name)
return 0; return 0;
return bus_error_name_to_errno(e->name); return bus_error_name_to_errno(e->name);

View File

@ -22,6 +22,11 @@ static void test_error(void) {
assert_se(streq(error.name, SD_BUS_ERROR_NOT_SUPPORTED)); assert_se(streq(error.name, SD_BUS_ERROR_NOT_SUPPORTED));
assert_se(streq(error.message, "xxx")); assert_se(streq(error.message, "xxx"));
assert_se(sd_bus_error_has_name(&error, SD_BUS_ERROR_NOT_SUPPORTED)); assert_se(sd_bus_error_has_name(&error, SD_BUS_ERROR_NOT_SUPPORTED));
assert_se(sd_bus_error_has_names_sentinel(&error, SD_BUS_ERROR_NOT_SUPPORTED, NULL));
assert_se(sd_bus_error_has_names(&error, SD_BUS_ERROR_NOT_SUPPORTED));
assert_se(sd_bus_error_has_names(&error, SD_BUS_ERROR_NOT_SUPPORTED, SD_BUS_ERROR_FILE_NOT_FOUND));
assert_se(sd_bus_error_has_names(&error, SD_BUS_ERROR_FILE_NOT_FOUND, SD_BUS_ERROR_NOT_SUPPORTED, NULL));
assert_se(!sd_bus_error_has_names(&error, SD_BUS_ERROR_FILE_NOT_FOUND));
assert_se(sd_bus_error_get_errno(&error) == EOPNOTSUPP); assert_se(sd_bus_error_get_errno(&error) == EOPNOTSUPP);
assert_se(sd_bus_error_is_set(&error)); assert_se(sd_bus_error_is_set(&error));
sd_bus_error_free(&error); sd_bus_error_free(&error);
@ -32,6 +37,7 @@ static void test_error(void) {
assert_se(error.name == NULL); assert_se(error.name == NULL);
assert_se(error.message == NULL); assert_se(error.message == NULL);
assert_se(!sd_bus_error_has_name(&error, SD_BUS_ERROR_FILE_NOT_FOUND)); assert_se(!sd_bus_error_has_name(&error, SD_BUS_ERROR_FILE_NOT_FOUND));
assert_se(!sd_bus_error_has_names(&error, SD_BUS_ERROR_FILE_NOT_FOUND));
assert_se(sd_bus_error_get_errno(&error) == 0); assert_se(sd_bus_error_get_errno(&error) == 0);
assert_se(!sd_bus_error_is_set(&error)); assert_se(!sd_bus_error_is_set(&error));
@ -39,6 +45,7 @@ static void test_error(void) {
assert_se(streq(error.name, SD_BUS_ERROR_FILE_NOT_FOUND)); assert_se(streq(error.name, SD_BUS_ERROR_FILE_NOT_FOUND));
assert_se(streq(error.message, "yyy -1")); assert_se(streq(error.message, "yyy -1"));
assert_se(sd_bus_error_has_name(&error, SD_BUS_ERROR_FILE_NOT_FOUND)); assert_se(sd_bus_error_has_name(&error, SD_BUS_ERROR_FILE_NOT_FOUND));
assert_se(sd_bus_error_has_names(&error, SD_BUS_ERROR_FILE_NOT_FOUND));
assert_se(sd_bus_error_get_errno(&error) == ENOENT); assert_se(sd_bus_error_get_errno(&error) == ENOENT);
assert_se(sd_bus_error_is_set(&error)); assert_se(sd_bus_error_is_set(&error));
@ -51,6 +58,7 @@ static void test_error(void) {
assert_se(streq(error.message, second.message)); assert_se(streq(error.message, second.message));
assert_se(sd_bus_error_get_errno(&second) == ENOENT); assert_se(sd_bus_error_get_errno(&second) == ENOENT);
assert_se(sd_bus_error_has_name(&second, SD_BUS_ERROR_FILE_NOT_FOUND)); assert_se(sd_bus_error_has_name(&second, SD_BUS_ERROR_FILE_NOT_FOUND));
assert_se(sd_bus_error_has_names(&second, SD_BUS_ERROR_FILE_NOT_FOUND));
assert_se(sd_bus_error_is_set(&second)); assert_se(sd_bus_error_is_set(&second));
sd_bus_error_free(&error); sd_bus_error_free(&error);

View File

@ -4093,8 +4093,8 @@ int manager_stop_unit(Manager *manager, const char *unit, sd_bus_error *error, c
&reply, &reply,
"ss", unit, "fail"); "ss", unit, "fail");
if (r < 0) { if (r < 0) {
if (sd_bus_error_has_name(error, BUS_ERROR_NO_SUCH_UNIT) || if (sd_bus_error_has_names(error, BUS_ERROR_NO_SUCH_UNIT,
sd_bus_error_has_name(error, BUS_ERROR_LOAD_FAILED)) { BUS_ERROR_LOAD_FAILED)) {
*job = NULL; *job = NULL;
sd_bus_error_free(error); sd_bus_error_free(error);
@ -4129,9 +4129,9 @@ int manager_abandon_scope(Manager *manager, const char *scope, sd_bus_error *ret
NULL, NULL,
NULL); NULL);
if (r < 0) { if (r < 0) {
if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_UNIT) || if (sd_bus_error_has_names(&error, BUS_ERROR_NO_SUCH_UNIT,
sd_bus_error_has_name(&error, BUS_ERROR_LOAD_FAILED) || BUS_ERROR_LOAD_FAILED,
sd_bus_error_has_name(&error, BUS_ERROR_SCOPE_NOT_RUNNING)) BUS_ERROR_SCOPE_NOT_RUNNING))
return 0; return 0;
sd_bus_error_move(ret_error, &error); sd_bus_error_move(ret_error, &error);
@ -4180,14 +4180,14 @@ int manager_unit_is_active(Manager *manager, const char *unit, sd_bus_error *ret
if (r < 0) { if (r < 0) {
/* systemd might have dropped off momentarily, let's /* systemd might have dropped off momentarily, let's
* not make this an error */ * not make this an error */
if (sd_bus_error_has_name(&error, SD_BUS_ERROR_NO_REPLY) || if (sd_bus_error_has_names(&error, SD_BUS_ERROR_NO_REPLY,
sd_bus_error_has_name(&error, SD_BUS_ERROR_DISCONNECTED)) SD_BUS_ERROR_DISCONNECTED))
return true; return true;
/* If the unit is already unloaded then it's not /* If the unit is already unloaded then it's not
* active */ * active */
if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_UNIT) || if (sd_bus_error_has_names(&error, BUS_ERROR_NO_SUCH_UNIT,
sd_bus_error_has_name(&error, BUS_ERROR_LOAD_FAILED)) BUS_ERROR_LOAD_FAILED))
return false; return false;
sd_bus_error_move(ret_error, &error); sd_bus_error_move(ret_error, &error);
@ -4219,8 +4219,8 @@ int manager_job_is_active(Manager *manager, const char *path, sd_bus_error *ret_
&reply, &reply,
"s"); "s");
if (r < 0) { if (r < 0) {
if (sd_bus_error_has_name(&error, SD_BUS_ERROR_NO_REPLY) || if (sd_bus_error_has_names(&error, SD_BUS_ERROR_NO_REPLY,
sd_bus_error_has_name(&error, SD_BUS_ERROR_DISCONNECTED)) SD_BUS_ERROR_DISCONNECTED))
return true; return true;
if (sd_bus_error_has_name(&error, SD_BUS_ERROR_UNKNOWN_OBJECT)) if (sd_bus_error_has_name(&error, SD_BUS_ERROR_UNKNOWN_OBJECT))

View File

@ -1464,8 +1464,8 @@ int manager_stop_unit(Manager *manager, const char *unit, sd_bus_error *error, c
r = bus_call_method(manager->bus, bus_systemd_mgr, "StopUnit", error, &reply, "ss", unit, "fail"); r = bus_call_method(manager->bus, bus_systemd_mgr, "StopUnit", error, &reply, "ss", unit, "fail");
if (r < 0) { if (r < 0) {
if (sd_bus_error_has_name(error, BUS_ERROR_NO_SUCH_UNIT) || if (sd_bus_error_has_names(error, BUS_ERROR_NO_SUCH_UNIT,
sd_bus_error_has_name(error, BUS_ERROR_LOAD_FAILED)) { BUS_ERROR_LOAD_FAILED)) {
if (job) if (job)
*job = NULL; *job = NULL;
@ -1526,12 +1526,12 @@ int manager_unit_is_active(Manager *manager, const char *unit) {
&reply, &reply,
"s"); "s");
if (r < 0) { if (r < 0) {
if (sd_bus_error_has_name(&error, SD_BUS_ERROR_NO_REPLY) || if (sd_bus_error_has_names(&error, SD_BUS_ERROR_NO_REPLY,
sd_bus_error_has_name(&error, SD_BUS_ERROR_DISCONNECTED)) SD_BUS_ERROR_DISCONNECTED))
return true; return true;
if (sd_bus_error_has_name(&error, BUS_ERROR_NO_SUCH_UNIT) || if (sd_bus_error_has_names(&error, BUS_ERROR_NO_SUCH_UNIT,
sd_bus_error_has_name(&error, BUS_ERROR_LOAD_FAILED)) BUS_ERROR_LOAD_FAILED))
return false; return false;
return r; return r;
@ -1562,8 +1562,8 @@ int manager_job_is_active(Manager *manager, const char *path) {
&reply, &reply,
"s"); "s");
if (r < 0) { if (r < 0) {
if (sd_bus_error_has_name(&error, SD_BUS_ERROR_NO_REPLY) || if (sd_bus_error_has_names(&error, SD_BUS_ERROR_NO_REPLY,
sd_bus_error_has_name(&error, SD_BUS_ERROR_DISCONNECTED)) SD_BUS_ERROR_DISCONNECTED))
return true; return true;
if (sd_bus_error_has_name(&error, SD_BUS_ERROR_UNKNOWN_OBJECT)) if (sd_bus_error_has_name(&error, SD_BUS_ERROR_UNKNOWN_OBJECT))

View File

@ -510,8 +510,8 @@ static int acquire_link_bitrates(sd_bus *bus, LinkInfo *link) {
r = link_get_property(bus, link, &error, &reply, "org.freedesktop.network1.Link", "BitRates"); r = link_get_property(bus, link, &error, &reply, "org.freedesktop.network1.Link", "BitRates");
if (r < 0) { if (r < 0) {
bool quiet = sd_bus_error_has_name(&error, SD_BUS_ERROR_UNKNOWN_PROPERTY) || bool quiet = sd_bus_error_has_names(&error, SD_BUS_ERROR_UNKNOWN_PROPERTY,
sd_bus_error_has_name(&error, BUS_ERROR_SPEED_METER_INACTIVE); BUS_ERROR_SPEED_METER_INACTIVE);
return log_full_errno(quiet ? LOG_DEBUG : LOG_WARNING, return log_full_errno(quiet ? LOG_DEBUG : LOG_WARNING,
r, "Failed to query link bit rates: %s", bus_error_message(&error, r)); r, "Failed to query link bit rates: %s", bus_error_message(&error, r));

View File

@ -21,7 +21,7 @@
#if HAVE_SECCOMP #if HAVE_SECCOMP
static int seccomp_add_default_syscall_filter( static int add_syscall_filters(
scmp_filter_ctx ctx, scmp_filter_ctx ctx,
uint32_t arch, uint32_t arch,
uint64_t cap_list_retain, uint64_t cap_list_retain,
@ -139,6 +139,7 @@ static int seccomp_add_default_syscall_filter(
*/ */
}; };
_cleanup_strv_free_ char **added = NULL;
char **p; char **p;
int r; int r;
@ -146,18 +147,37 @@ static int seccomp_add_default_syscall_filter(
if (allow_list[i].capability != 0 && (cap_list_retain & (1ULL << allow_list[i].capability)) == 0) if (allow_list[i].capability != 0 && (cap_list_retain & (1ULL << allow_list[i].capability)) == 0)
continue; continue;
r = seccomp_add_syscall_filter_item(ctx, allow_list[i].name, SCMP_ACT_ALLOW, syscall_deny_list, false); r = seccomp_add_syscall_filter_item(ctx,
allow_list[i].name,
SCMP_ACT_ALLOW,
syscall_deny_list,
false,
&added);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to add syscall filter item %s: %m", allow_list[i].name); return log_error_errno(r, "Failed to add syscall filter item %s: %m", allow_list[i].name);
} }
STRV_FOREACH(p, syscall_allow_list) { STRV_FOREACH(p, syscall_allow_list) {
r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, true); r = seccomp_add_syscall_filter_item(ctx, *p, SCMP_ACT_ALLOW, syscall_deny_list, true, &added);
if (r < 0) if (r < 0)
log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m", log_warning_errno(r, "Failed to add rule for system call %s on %s, ignoring: %m",
*p, seccomp_arch_to_string(arch)); *p, seccomp_arch_to_string(arch));
} }
/* The default action is ENOSYS. Respond with EPERM to all other "known" but not allow-listed
* syscalls. */
r = seccomp_add_syscall_filter_item(ctx, "@known", SCMP_ACT_ERRNO(EPERM), added, true, NULL);
if (r < 0)
log_warning_errno(r, "Failed to add rule for @known set on %s, ignoring: %m",
seccomp_arch_to_string(arch));
#if (SCMP_VER_MAJOR == 2 && SCMP_VER_MINOR >= 5) || SCMP_VER_MAJOR > 2
/* We have a large filter here, so let's turn on the binary tree mode if possible. */
r = seccomp_attr_set(ctx, SCMP_FLTATR_CTL_OPTIMIZE, 2);
if (r < 0)
return r;
#endif
return 0; return 0;
} }
@ -175,11 +195,13 @@ int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **sy
log_debug("Applying allow list on architecture: %s", seccomp_arch_to_string(arch)); log_debug("Applying allow list on architecture: %s", seccomp_arch_to_string(arch));
r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(EPERM)); /* We install ENOSYS as the default action, but it will only apply to syscalls which are not
* in the @known set, see above. */
r = seccomp_init_for_arch(&seccomp, arch, SCMP_ACT_ERRNO(ENOSYS));
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to allocate seccomp object: %m"); return log_error_errno(r, "Failed to allocate seccomp object: %m");
r = seccomp_add_default_syscall_filter(seccomp, arch, cap_list_retain, syscall_allow_list, syscall_deny_list); r = add_syscall_filters(seccomp, arch, cap_list_retain, syscall_allow_list, syscall_deny_list);
if (r < 0) if (r < 0)
return r; return r;

View File

@ -23,12 +23,14 @@ NSS_GETHOSTBYNAME_PROTOTYPES(resolve);
NSS_GETHOSTBYADDR_PROTOTYPES(resolve); NSS_GETHOSTBYADDR_PROTOTYPES(resolve);
static bool bus_error_shall_fallback(sd_bus_error *e) { static bool bus_error_shall_fallback(sd_bus_error *e) {
return sd_bus_error_has_name(e, SD_BUS_ERROR_SERVICE_UNKNOWN) || return sd_bus_error_has_names(e,
sd_bus_error_has_name(e, SD_BUS_ERROR_NAME_HAS_NO_OWNER) || SD_BUS_ERROR_SERVICE_UNKNOWN,
sd_bus_error_has_name(e, SD_BUS_ERROR_NO_REPLY) || SD_BUS_ERROR_NAME_HAS_NO_OWNER,
sd_bus_error_has_name(e, SD_BUS_ERROR_ACCESS_DENIED) || SD_BUS_ERROR_NO_REPLY,
sd_bus_error_has_name(e, SD_BUS_ERROR_DISCONNECTED) || SD_BUS_ERROR_ACCESS_DENIED,
sd_bus_error_has_name(e, SD_BUS_ERROR_TIMEOUT); SD_BUS_ERROR_DISCONNECTED,
SD_BUS_ERROR_TIMEOUT,
BUS_ERROR_NO_SUCH_UNIT);
} }
static int count_addresses(sd_bus_message *m, int af, const char **canonical) { static int count_addresses(sd_bus_message *m, int af, const char **canonical) {

View File

@ -11,40 +11,15 @@
#include "dissect-image.h" #include "dissect-image.h"
#include "fd-util.h" #include "fd-util.h"
#include "main-func.h" #include "main-func.h"
#include "mkfs-util.h"
#include "process-util.h" #include "process-util.h"
#include "signal-util.h" #include "signal-util.h"
#include "string-util.h" #include "string-util.h"
static int makefs(const char *type, const char *device) {
const char *mkfs;
pid_t pid;
int r;
if (streq(type, "swap"))
mkfs = "/sbin/mkswap";
else
mkfs = strjoina("/sbin/mkfs.", type);
if (access(mkfs, X_OK) != 0)
return log_error_errno(errno, "%s is not executable: %m", mkfs);
r = safe_fork("(mkfs)", FORK_RESET_SIGNALS|FORK_DEATHSIG|FORK_RLIMIT_NOFILE_SAFE|FORK_LOG, &pid);
if (r < 0)
return r;
if (r == 0) {
const char *cmdline[3] = { mkfs, device, NULL };
/* Child */
execv(cmdline[0], (char**) cmdline);
_exit(EXIT_FAILURE);
}
return wait_for_terminate_and_check(mkfs, pid, WAIT_LOG);
}
static int run(int argc, char *argv[]) { static int run(int argc, char *argv[]) {
_cleanup_free_ char *device = NULL, *type = NULL, *detected = NULL; _cleanup_free_ char *device = NULL, *fstype = NULL, *detected = NULL;
_cleanup_close_ int lock_fd = -1; _cleanup_close_ int lock_fd = -1;
sd_id128_t uuid;
struct stat st; struct stat st;
int r; int r;
@ -55,8 +30,8 @@ static int run(int argc, char *argv[]) {
"This program expects two arguments."); "This program expects two arguments.");
/* type and device must be copied because makefs calls safe_fork, which clears argv[] */ /* type and device must be copied because makefs calls safe_fork, which clears argv[] */
type = strdup(argv[1]); fstype = strdup(argv[1]);
if (!type) if (!fstype)
return log_oom(); return log_oom();
device = strdup(argv[2]); device = strdup(argv[2]);
@ -85,7 +60,11 @@ static int run(int argc, char *argv[]) {
return 0; return 0;
} }
return makefs(type, device); r = sd_id128_randomize(&uuid);
if (r < 0)
return log_error_errno(r, "Failed to generate UUID for file system: %m");
return make_filesystem(device, fstype, basename(device), uuid, true);
} }
DEFINE_MAIN_FUNCTION(run); DEFINE_MAIN_FUNCTION(run);

File diff suppressed because it is too large Load Diff

View File

@ -154,6 +154,57 @@ EOF
cmp --bytes=41943040 --ignore-initial=0:$((512*4194264)) $D/block-copy $D/zzz cmp --bytes=41943040 --ignore-initial=0:$((512*4194264)) $D/block-copy $D/zzz
if [ `id -u` == 0 ] && type -P cryptsetup diff losetup > /dev/null ; then
echo "### Testing Format=/Encrypt=/CopyFiles="
# These tests require privileges unfortunately
cat >$D/definitions/extra3.conf <<EOF
[Partition]
Type=linux-generic
Label=luks-format-copy
UUID=7b93d1f2-595d-4ce3-b0b9-837fbd9e63b0
Format=ext4
Encrypt=yes
CopyFiles=$D/definitions:/def
SizeMinBytes=48M
EOF
$repart $D/zzz --size=auto --dry-run=no --seed=$SEED --definitions=$D/definitions
sfdisk -d $D/zzz | grep -v -e 'sector-size' -e '^$' >$D/populated5
cmp $D/populated5 - <<EOF
label: gpt
label-id: EF7F7EE2-47B3-4251-B1A1-09EA8BF12D5D
device: $D/zzz
unit: sectors
first-lba: 2048
last-lba: 6389726
$D/zzz1 : start= 2048, size= 591856, type=933AC7E1-2EB4-4F13-B844-0E14E2AEF915, uuid=A6005774-F558-4330-A8E5-D6D2C01C01D6, name="home-first"
$D/zzz2 : start= 593904, size= 591856, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, uuid=CE9C76EB-A8F1-40FF-813C-11DCA6C0A55B, name="root-x86-64"
$D/zzz3 : start= 1185760, size= 591864, type=4F68BCE3-E8CD-4DB1-96E7-FBCAF984B709, uuid=AC60A837-550C-43BD-B5C4-9CB73B884E79, name="root-x86-64-2"
$D/zzz4 : start= 1777624, size= 131072, type=0657FD6D-A4AB-43C4-84E5-0933C84B4F4F, uuid=2AA78CDB-59C7-4173-AF11-C7453737A5D1, name="swap"
$D/zzz5 : start= 1908696, size= 2285568, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=A0A1A2A3-A4A5-A6A7-A8A9-AAABACADAEAF, name="custom_label"
$D/zzz6 : start= 4194264, size= 2097152, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=2A1D97E1-D0A3-46CC-A26E-ADC643926617, name="block-copy"
$D/zzz7 : start= 6291416, size= 98304, type=0FC63DAF-8483-4772-8E79-3D69D8477DE4, uuid=7B93D1F2-595D-4CE3-B0B9-837FBD9E63B0, name="luks-format-copy"
EOF
LOOP=`losetup -P --show --find $D/zzz`
VOLUME=test-repart-$RANDOM
touch $D/empty-password
cryptsetup open --type=luks2 --key-file=$D/empty-password ${LOOP}p7 $VOLUME
mkdir $D/mount
mount -t ext4 /dev/mapper/$VOLUME $D/mount
diff -r $D/mount/def $D/definitions > /dev/null
umount $D/mount
cryptsetup close $VOLUME
losetup -d $LOOP
else
echo "### Skipping Format=/Encrypt=/CopyFiles= test, lacking privileges or missing cryptsetup/diff/losetup"
fi
echo "### Testing json output ###" echo "### Testing json output ###"
$repart $D/zzz --size=3G --dry-run=no --seed=$SEED --definitions=$D/definitions --json=help $repart $D/zzz --size=3G --dry-run=no --seed=$SEED --definitions=$D/definitions --json=help
$repart $D/zzz --size=3G --dry-run=no --seed=$SEED --definitions=$D/definitions --json=pretty $repart $D/zzz --size=3G --dry-run=no --seed=$SEED --definitions=$D/definitions --json=pretty

View File

@ -3,6 +3,7 @@
#include "bus-internal.h" #include "bus-internal.h"
#include "bus-message.h" #include "bus-message.h"
#include "bus-polkit.h" #include "bus-polkit.h"
#include "bus-util.h"
#include "strv.h" #include "strv.h"
#include "user-util.h" #include "user-util.h"
@ -123,7 +124,7 @@ int bus_test_polkit(
r = sd_bus_call(call->bus, request, 0, ret_error, &reply); r = sd_bus_call(call->bus, request, 0, ret_error, &reply);
if (r < 0) { if (r < 0) {
/* Treat no PK available as access denied */ /* Treat no PK available as access denied */
if (sd_bus_error_has_name(ret_error, SD_BUS_ERROR_SERVICE_UNKNOWN)) { if (bus_error_is_unknown_service(ret_error)) {
sd_bus_error_free(ret_error); sd_bus_error_free(ret_error);
return -EACCES; return -EACCES;
} }
@ -296,8 +297,7 @@ int bus_verify_polkit_async(
e = sd_bus_message_get_error(q->reply); e = sd_bus_message_get_error(q->reply);
/* Treat no PK available as access denied */ /* Treat no PK available as access denied */
if (sd_bus_error_has_name(e, SD_BUS_ERROR_SERVICE_UNKNOWN) || if (bus_error_is_unknown_service(e))
sd_bus_error_has_name(e, SD_BUS_ERROR_NAME_HAS_NO_OWNER))
return -EACCES; return -EACCES;
/* Copy error from polkit reply */ /* Copy error from polkit reply */

View File

@ -855,6 +855,8 @@ static int bus_append_execute_property(sd_bus_message *m, const char *field, con
"RuntimeDirectoryPreserve", "RuntimeDirectoryPreserve",
"Personality", "Personality",
"KeyringMode", "KeyringMode",
"ProtectProc",
"ProcSubset",
"NetworkNamespacePath", "NetworkNamespacePath",
"LogNamespace")) "LogNamespace"))
return bus_append_string(m, field, eq); return bus_append_string(m, field, eq);

View File

@ -14,14 +14,13 @@
#include "sd-event.h" #include "sd-event.h"
#include "sd-id128.h" #include "sd-id128.h"
/* #include "alloc-util.h" */ #include "bus-common-errors.h"
#include "bus-internal.h" #include "bus-internal.h"
#include "bus-label.h" #include "bus-label.h"
#include "bus-util.h" #include "bus-util.h"
#include "path-util.h" #include "path-util.h"
#include "socket-util.h" #include "socket-util.h"
#include "stdio-util.h" #include "stdio-util.h"
/* #include "string-util.h" */
static int name_owner_change_callback(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) { static int name_owner_change_callback(sd_bus_message *m, void *userdata, sd_bus_error *ret_error) {
sd_event *e = userdata; sd_event *e = userdata;
@ -153,6 +152,13 @@ int bus_name_has_owner(sd_bus *c, const char *name, sd_bus_error *error) {
return has_owner; return has_owner;
} }
bool bus_error_is_unknown_service(const sd_bus_error *error) {
return sd_bus_error_has_names(error,
SD_BUS_ERROR_SERVICE_UNKNOWN,
SD_BUS_ERROR_NAME_HAS_NO_OWNER,
BUS_ERROR_NO_SUCH_UNIT);
}
int bus_check_peercred(sd_bus *c) { int bus_check_peercred(sd_bus *c) {
struct ucred ucred; struct ucred ucred;
int fd, r; int fd, r;

View File

@ -28,6 +28,7 @@ typedef bool (*check_idle_t)(void *userdata);
int bus_event_loop_with_idle(sd_event *e, sd_bus *bus, const char *name, usec_t timeout, check_idle_t check_idle, void *userdata); int bus_event_loop_with_idle(sd_event *e, sd_bus *bus, const char *name, usec_t timeout, check_idle_t check_idle, void *userdata);
int bus_name_has_owner(sd_bus *c, const char *name, sd_bus_error *error); int bus_name_has_owner(sd_bus *c, const char *name, sd_bus_error *error);
bool bus_error_is_unknown_service(const sd_bus_error *error);
int bus_check_peercred(sd_bus *c); int bus_check_peercred(sd_bus *c);

View File

@ -1017,6 +1017,13 @@ static int mount_partition(
} }
if (directory) { if (directory) {
if (!FLAGS_SET(flags, DISSECT_IMAGE_READ_ONLY)) {
/* Automatically create missing mount points, if necessary. */
r = mkdir_p_root(where, directory, uid_shift, (gid_t) uid_shift, 0755);
if (r < 0)
return r;
}
r = chase_symlinks(directory, where, CHASE_PREFIX_ROOT, &chased, NULL); r = chase_symlinks(directory, where, CHASE_PREFIX_ROOT, &chased, NULL);
if (r < 0) if (r < 0)
return r; return r;
@ -1062,7 +1069,7 @@ static int mount_partition(
} }
int dissected_image_mount(DissectedImage *m, const char *where, uid_t uid_shift, DissectImageFlags flags) { int dissected_image_mount(DissectedImage *m, const char *where, uid_t uid_shift, DissectImageFlags flags) {
int r, boot_mounted; int r, xbootldr_mounted;
assert(m); assert(m);
assert(where); assert(where);
@ -1116,32 +1123,50 @@ int dissected_image_mount(DissectedImage *m, const char *where, uid_t uid_shift,
if (r < 0) if (r < 0)
return r; return r;
boot_mounted = mount_partition(m->partitions + PARTITION_XBOOTLDR, where, "/boot", uid_shift, flags); xbootldr_mounted = mount_partition(m->partitions + PARTITION_XBOOTLDR, where, "/boot", uid_shift, flags);
if (boot_mounted < 0) if (xbootldr_mounted < 0)
return boot_mounted; return xbootldr_mounted;
if (m->partitions[PARTITION_ESP].found) { if (m->partitions[PARTITION_ESP].found) {
int esp_done = false;
/* Mount the ESP to /efi if it exists. If it doesn't exist, use /boot instead, but only if it /* Mount the ESP to /efi if it exists. If it doesn't exist, use /boot instead, but only if it
* exists and is empty, and we didn't already mount the XBOOTLDR partition into it. */ * exists and is empty, and we didn't already mount the XBOOTLDR partition into it. */
r = chase_symlinks("/efi", where, CHASE_PREFIX_ROOT, NULL, NULL); r = chase_symlinks("/efi", where, CHASE_PREFIX_ROOT, NULL, NULL);
if (r >= 0) { if (r < 0) {
r = mount_partition(m->partitions + PARTITION_ESP, where, "/efi", uid_shift, flags); if (r != -ENOENT)
if (r < 0)
return r; return r;
} else if (boot_mounted <= 0) { /* /efi doesn't exist. Let's see if /boot is suitable then */
if (!xbootldr_mounted) {
_cleanup_free_ char *p = NULL; _cleanup_free_ char *p = NULL;
r = chase_symlinks("/boot", where, CHASE_PREFIX_ROOT, &p, NULL); r = chase_symlinks("/boot", where, CHASE_PREFIX_ROOT, &p, NULL);
if (r >= 0 && dir_is_empty(p) > 0) { if (r < 0) {
if (r != -ENOENT)
return r;
} else if (dir_is_empty(p) > 0) {
/* It exists and is an empty directory. Let's mount the ESP there. */
r = mount_partition(m->partitions + PARTITION_ESP, where, "/boot", uid_shift, flags); r = mount_partition(m->partitions + PARTITION_ESP, where, "/boot", uid_shift, flags);
if (r < 0) if (r < 0)
return r; return r;
esp_done = true;
} }
} }
} }
if (!esp_done) {
/* OK, let's mount the ESP now to /efi (possibly creating the dir if missing) */
r = mount_partition(m->partitions + PARTITION_ESP, where, "/efi", uid_shift, flags);
if (r < 0)
return r;
}
}
return 0; return 0;
} }

View File

@ -0,0 +1,14 @@
#!/usr/bin/env python3
import sys
import os
s390 = 's390' in os.uname().machine
arm = 'arm' in os.uname().machine
for line in open(sys.argv[1]):
if line.startswith('s390_') and not s390:
continue
if line.startswith('arm_') and not arm:
continue
print('"{}\\0"'.format(line.strip()))

View File

@ -76,12 +76,10 @@ static bool unit_file_install_info_has_also(const UnitFileInstallInfo *i) {
} }
void unit_file_presets_freep(UnitFilePresets *p) { void unit_file_presets_freep(UnitFilePresets *p) {
size_t i;
if (!p) if (!p)
return; return;
for (i = 0; i < p->n_rules; i++) { for (size_t i = 0; i < p->n_rules; i++) {
free(p->rules[i].pattern); free(p->rules[i].pattern);
strv_free(p->rules[i].instances); strv_free(p->rules[i].instances);
} }
@ -290,11 +288,9 @@ int unit_file_changes_add(
} }
void unit_file_changes_free(UnitFileChange *changes, size_t n_changes) { void unit_file_changes_free(UnitFileChange *changes, size_t n_changes) {
size_t i;
assert(changes || n_changes == 0); assert(changes || n_changes == 0);
for (i = 0; i < n_changes; i++) { for (size_t i = 0; i < n_changes; i++) {
free(changes[i].path); free(changes[i].path);
free(changes[i].source); free(changes[i].source);
} }
@ -303,14 +299,13 @@ void unit_file_changes_free(UnitFileChange *changes, size_t n_changes) {
} }
void unit_file_dump_changes(int r, const char *verb, const UnitFileChange *changes, size_t n_changes, bool quiet) { void unit_file_dump_changes(int r, const char *verb, const UnitFileChange *changes, size_t n_changes, bool quiet) {
size_t i;
bool logged = false; bool logged = false;
assert(changes || n_changes == 0); assert(changes || n_changes == 0);
/* If verb is not specified, errors are not allowed! */ /* If verb is not specified, errors are not allowed! */
assert(verb || r >= 0); assert(verb || r >= 0);
for (i = 0; i < n_changes; i++) { for (size_t i = 0; i < n_changes; i++) {
assert(verb || changes[i].type >= 0); assert(verb || changes[i].type >= 0);
switch(changes[i].type) { switch(changes[i].type) {
@ -3055,20 +3050,17 @@ static int pattern_match_multiple_instances(
/* Compose a list of specified instances when unit name is a template */ /* Compose a list of specified instances when unit name is a template */
if (unit_name_is_valid(unit_name, UNIT_NAME_TEMPLATE)) { if (unit_name_is_valid(unit_name, UNIT_NAME_TEMPLATE)) {
_cleanup_free_ char *prefix = NULL;
_cleanup_strv_free_ char **out_strv = NULL; _cleanup_strv_free_ char **out_strv = NULL;
char **iter; char **iter;
r = unit_name_to_prefix(unit_name, &prefix);
if (r < 0)
return r;
STRV_FOREACH(iter, rule.instances) { STRV_FOREACH(iter, rule.instances) {
_cleanup_free_ char *name = NULL; _cleanup_free_ char *name = NULL;
r = unit_name_build(prefix, *iter, ".service", &name);
r = unit_name_replace_instance(unit_name, *iter, &name);
if (r < 0) if (r < 0)
return r; return r;
r = strv_extend(&out_strv, name);
r = strv_consume(&out_strv, TAKE_PTR(name));
if (r < 0) if (r < 0)
return r; return r;
} }
@ -3091,12 +3083,11 @@ static int pattern_match_multiple_instances(
static int query_presets(const char *name, const UnitFilePresets *presets, char ***instance_name_list) { static int query_presets(const char *name, const UnitFilePresets *presets, char ***instance_name_list) {
PresetAction action = PRESET_UNKNOWN; PresetAction action = PRESET_UNKNOWN;
size_t i;
char **s;
if (!unit_name_is_valid(name, UNIT_NAME_ANY)) if (!unit_name_is_valid(name, UNIT_NAME_ANY))
return -EINVAL; return -EINVAL;
for (i = 0; i < presets->n_rules; i++) for (size_t i = 0; i < presets->n_rules; i++)
if (pattern_match_multiple_instances(presets->rules[i], name, instance_name_list) > 0 || if (pattern_match_multiple_instances(presets->rules[i], name, instance_name_list) > 0 ||
fnmatch(presets->rules[i].pattern, name, FNM_NOESCAPE) == 0) { fnmatch(presets->rules[i].pattern, name, FNM_NOESCAPE) == 0) {
action = presets->rules[i].action; action = presets->rules[i].action;
@ -3108,10 +3099,11 @@ static int query_presets(const char *name, const UnitFilePresets *presets, char
log_debug("Preset files don't specify rule for %s. Enabling.", name); log_debug("Preset files don't specify rule for %s. Enabling.", name);
return 1; return 1;
case PRESET_ENABLE: case PRESET_ENABLE:
if (instance_name_list && *instance_name_list) if (instance_name_list && *instance_name_list) {
char **s;
STRV_FOREACH(s, *instance_name_list) STRV_FOREACH(s, *instance_name_list)
log_debug("Preset files say enable %s.", *s); log_debug("Preset files say enable %s.", *s);
else } else
log_debug("Preset files say enable %s.", name); log_debug("Preset files say enable %s.", name);
return 1; return 1;
case PRESET_DISABLE: case PRESET_DISABLE:

View File

@ -47,17 +47,41 @@ static int loop_configure(int fd, const struct loop_config *c) {
if (!ERRNO_IS_NOT_SUPPORTED(errno) && errno != EINVAL) if (!ERRNO_IS_NOT_SUPPORTED(errno) && errno != EINVAL)
return -errno; return -errno;
} else { } else {
if (!FLAGS_SET(c->info.lo_flags, LO_FLAGS_PARTSCAN)) bool good = true;
return 0;
if (c->info.lo_sizelimit != 0) {
/* Kernel 5.8 vanilla doesn't properly propagate the size limit into the block
* device. If it's used, let's immediately check if it had the desired effect
* hence. And if not use classic LOOP_SET_STATUS64. */
uint64_t z;
if (ioctl(fd, BLKGETSIZE64, &z) < 0) {
r = -errno;
goto fail;
}
if (z != c->info.lo_sizelimit) {
log_debug("LOOP_CONFIGURE is broken, doesn't honour .lo_sizelimit. Falling back to LOOP_SET_STATUS64.");
good = false;
}
}
if (FLAGS_SET(c->info.lo_flags, LO_FLAGS_PARTSCAN)) {
/* Kernel 5.8 vanilla doesn't properly propagate the partition scanning flag into the /* Kernel 5.8 vanilla doesn't properly propagate the partition scanning flag into the
* block device. Let's hence verify if things work correctly here before returning. */ * block device. Let's hence verify if things work correctly here before
* returning. */
r = blockdev_partscan_enabled(fd); r = blockdev_partscan_enabled(fd);
if (r < 0) if (r < 0)
goto fail; goto fail;
if (r > 0) if (r == 0) {
return 0; /* All is good. */ log_debug("LOOP_CONFIGURE is broken, doesn't honour LO_FLAGS_PARTSCAN. Falling back to LOOP_SET_STATUS64.");
good = false;
}
}
if (good)
return 0;
/* Otherwise, undo the attachment and use the old APIs */ /* Otherwise, undo the attachment and use the old APIs */
(void) ioctl(fd, LOOP_CLR_FD); (void) ioctl(fd, LOOP_CLR_FD);
@ -472,3 +496,18 @@ int loop_device_flock(LoopDevice *d, int operation) {
return 0; return 0;
} }
int loop_device_sync(LoopDevice *d) {
assert(d);
/* We also do this implicitly in loop_device_unref(). Doing this explicitly here has the benefit that
* we can check the return value though. */
if (d->fd < 0)
return -EBADF;
if (fsync(d->fd) < 0)
return -errno;
return 0;
}

View File

@ -26,3 +26,4 @@ void loop_device_relinquish(LoopDevice *d);
int loop_device_refresh_size(LoopDevice *d, uint64_t offset, uint64_t size); int loop_device_refresh_size(LoopDevice *d, uint64_t offset, uint64_t size);
int loop_device_flock(LoopDevice *d, int operation); int loop_device_flock(LoopDevice *d, int operation);
int loop_device_sync(LoopDevice *d);

View File

@ -166,6 +166,8 @@ shared_sources = files('''
macvlan-util.c macvlan-util.c
macvlan-util.h macvlan-util.h
main-func.h main-func.h
mkfs-util.c
mkfs-util.h
module-util.h module-util.h
mount-util.c mount-util.c
mount-util.h mount-util.h
@ -264,6 +266,16 @@ endif
test_tables_h = files('test-tables.h') test_tables_h = files('test-tables.h')
shared_sources += test_tables_h shared_sources += test_tables_h
generate_syscall_list = find_program('generate-syscall-list.py')
fname = 'syscall-list.h'
syscall_list_h = custom_target(
fname,
input : 'syscall-names.text',
output : fname,
command : [generate_syscall_list,
'@INPUT@'],
capture : true)
if conf.get('HAVE_ACL') == 1 if conf.get('HAVE_ACL') == 1
shared_sources += files('acl-util.c') shared_sources += files('acl-util.c')
endif endif
@ -274,6 +286,7 @@ endif
if conf.get('HAVE_SECCOMP') == 1 if conf.get('HAVE_SECCOMP') == 1
shared_sources += files('seccomp-util.c') shared_sources += files('seccomp-util.c')
shared_sources += syscall_list_h
endif endif
if conf.get('HAVE_LIBIPTC') == 1 if conf.get('HAVE_LIBIPTC') == 1
@ -378,3 +391,9 @@ libshared = shared_library(
dependencies : libshared_deps, dependencies : libshared_deps,
install : true, install : true,
install_dir : rootlibexecdir) install_dir : rootlibexecdir)
############################################################
run_target(
'syscall-names-update',
command : [syscall_names_update_sh, meson.current_source_dir()])

135
src/shared/mkfs-util.c Normal file
View File

@ -0,0 +1,135 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
#include "id128-util.h"
#include "mkfs-util.h"
#include "path-util.h"
#include "process-util.h"
#include "stdio-util.h"
#include "string-util.h"
int mkfs_exists(const char *fstype) {
const char *mkfs;
int r;
assert(fstype);
if (STR_IN_SET(fstype, "auto", "swap")) /* these aren't real file system types, refuse early */
return -EINVAL;
mkfs = strjoina("mkfs.", fstype);
if (!filename_is_valid(mkfs)) /* refuse file system types with slashes and similar */
return -EINVAL;
r = find_binary(mkfs, NULL);
if (r == -ENOENT)
return false;
if (r < 0)
return r;
return true;
}
int make_filesystem(
const char *node,
const char *fstype,
const char *label,
sd_id128_t uuid,
bool discard) {
_cleanup_free_ char *mkfs = NULL;
int r;
assert(node);
assert(fstype);
assert(label);
if (streq(fstype, "swap")) {
r = find_binary("mkswap", &mkfs);
if (r == -ENOENT)
return log_error_errno(SYNTHETIC_ERRNO(EPROTONOSUPPORT), "mkswap binary not available.");
if (r < 0)
return log_error_errno(r, "Failed to determine whether mkswap binary exists: %m");
} else {
r = mkfs_exists(fstype);
if (r < 0)
return log_error_errno(r, "Failed to determine whether mkfs binary for %s exists: %m", fstype);
if (r == 0)
return log_error_errno(SYNTHETIC_ERRNO(EPROTONOSUPPORT), "mkfs binary for %s is not available.", fstype);
mkfs = strjoin("mkfs.", fstype);
if (!mkfs)
return log_oom();
}
r = safe_fork("(mkfs)", FORK_RESET_SIGNALS|FORK_RLIMIT_NOFILE_SAFE|FORK_DEATHSIG|FORK_LOG|FORK_WAIT|FORK_STDOUT_TO_STDERR, NULL);
if (r < 0)
return r;
if (r == 0) {
char suuid[ID128_UUID_STRING_MAX];
/* Child */
id128_to_uuid_string(uuid, suuid);
if (streq(fstype, "ext4"))
(void) execlp(mkfs, mkfs,
"-L", label,
"-U", suuid,
"-I", "256",
"-O", "has_journal",
"-m", "0",
"-E", discard ? "lazy_itable_init=1,discard" : "lazy_itable_init=1,nodiscard",
node, NULL);
else if (streq(fstype, "btrfs")) {
if (discard)
(void) execlp(mkfs, mkfs, "-L", label, "-U", suuid, node, NULL);
else
(void) execlp(mkfs, mkfs, "-L", label, "-U", suuid, "--nodiscard", node, NULL);
} else if (streq(fstype, "xfs")) {
const char *j;
j = strjoina("uuid=", suuid);
if (discard)
(void) execlp(mkfs, mkfs, "-L", label, "-m", j, "-m", "reflink=1", node, NULL);
else
(void) execlp(mkfs, mkfs, "-L", label, "-m", j, "-m", "reflink=1", "-K", node, NULL);
} else if (streq(fstype, "vfat")) {
char mangled_label[8 + 3 + 1], vol_id[8 + 1];
/* Classic FAT only allows 11 character uppercase labels */
strncpy(mangled_label, label, sizeof(mangled_label)-1);
mangled_label[sizeof(mangled_label)-1] = 0;
ascii_strupper(mangled_label);
xsprintf(vol_id, "%08" PRIx32,
((uint32_t) uuid.bytes[0] << 24) |
((uint32_t) uuid.bytes[1] << 16) |
((uint32_t) uuid.bytes[2] << 8) |
((uint32_t) uuid.bytes[3])); /* Take first 32 byte of UUID */
(void) execlp(mkfs, mkfs,
"-i", vol_id,
"-n", mangled_label,
"-F", "32", /* yes, we force FAT32 here */
node, NULL);
} else if (streq(fstype, "swap")) {
(void) execlp(mkfs, mkfs,
"-L", label,
"-U", suuid,
node, NULL);
} else
/* Generic fallback for all other file systems */
(void) execlp(mkfs, mkfs, node, NULL);
log_error_errno(errno, "Failed to execute %s: %m", mkfs);
_exit(EXIT_FAILURE);
}
return 0;
}

10
src/shared/mkfs-util.h Normal file
View File

@ -0,0 +1,10 @@
/* SPDX-License-Identifier: LGPL-2.1+ */
#pragma once
#include <stdbool.h>
#include "sd-id128.h"
int mkfs_exists(const char *fstype);
int make_filesystem(const char *node, const char *fstype, const char *label, sd_id128_t uuid, bool discard);

View File

@ -902,30 +902,50 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"timerfd_settime64\0" "timerfd_settime64\0"
"times\0" "times\0"
}, },
[SYSCALL_FILTER_SET_KNOWN] = {
.name = "@known",
.help = "All known syscalls declared in the kernel",
.value =
#include "syscall-list.h"
},
}; };
const SyscallFilterSet *syscall_filter_set_find(const char *name) { const SyscallFilterSet *syscall_filter_set_find(const char *name) {
unsigned i;
if (isempty(name) || name[0] != '@') if (isempty(name) || name[0] != '@')
return NULL; return NULL;
for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) for (unsigned i = 0; i < _SYSCALL_FILTER_SET_MAX; i++)
if (streq(syscall_filter_sets[i].name, name)) if (streq(syscall_filter_sets[i].name, name))
return syscall_filter_sets + i; return syscall_filter_sets + i;
return NULL; return NULL;
} }
static int seccomp_add_syscall_filter_set(scmp_filter_ctx seccomp, const SyscallFilterSet *set, uint32_t action, char **exclude, bool log_missing); static int add_syscall_filter_set(
scmp_filter_ctx seccomp,
const SyscallFilterSet *set,
uint32_t action,
char **exclude,
bool log_missing,
char ***added);
int seccomp_add_syscall_filter_item(
scmp_filter_ctx *seccomp,
const char *name,
uint32_t action,
char **exclude,
bool log_missing,
char ***added) {
int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name, uint32_t action, char **exclude, bool log_missing) {
assert(seccomp); assert(seccomp);
assert(name); assert(name);
if (strv_contains(exclude, name)) if (strv_contains(exclude, name))
return 0; return 0;
/* Any syscalls that are handled are added to the *added strv. The pointer
* must be either NULL or point to a valid pre-initialized possibly-empty strv. */
if (name[0] == '@') { if (name[0] == '@') {
const SyscallFilterSet *other; const SyscallFilterSet *other;
@ -935,7 +955,7 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
"Filter set %s is not known!", "Filter set %s is not known!",
name); name);
return seccomp_add_syscall_filter_set(seccomp, other, action, exclude, log_missing); return add_syscall_filter_set(seccomp, other, action, exclude, log_missing, added);
} else { } else {
int id, r; int id, r;
@ -959,25 +979,34 @@ int seccomp_add_syscall_filter_item(scmp_filter_ctx *seccomp, const char *name,
return r; return r;
} }
if (added) {
r = strv_extend(added, name);
if (r < 0)
return r;
}
return 0; return 0;
} }
} }
static int seccomp_add_syscall_filter_set( static int add_syscall_filter_set(
scmp_filter_ctx seccomp, scmp_filter_ctx seccomp,
const SyscallFilterSet *set, const SyscallFilterSet *set,
uint32_t action, uint32_t action,
char **exclude, char **exclude,
bool log_missing) { bool log_missing,
char ***added) {
const char *sys; const char *sys;
int r; int r;
/* Any syscalls that are handled are added to the *added strv. It needs to be initialized. */
assert(seccomp); assert(seccomp);
assert(set); assert(set);
NULSTR_FOREACH(sys, set->value) { NULSTR_FOREACH(sys, set->value) {
r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing); r = seccomp_add_syscall_filter_item(seccomp, sys, action, exclude, log_missing, added);
if (r < 0) if (r < 0)
return r; return r;
} }
@ -1003,7 +1032,7 @@ int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilter
if (r < 0) if (r < 0)
return r; return r;
r = seccomp_add_syscall_filter_set(seccomp, set, action, NULL, log_missing); r = add_syscall_filter_set(seccomp, set, action, NULL, log_missing, NULL);
if (r < 0) if (r < 0)
return log_debug_errno(r, "Failed to add filter set: %m"); return log_debug_errno(r, "Failed to add filter set: %m");
@ -1160,7 +1189,6 @@ int seccomp_restrict_namespaces(unsigned long retain) {
SECCOMP_FOREACH_LOCAL_ARCH(arch) { SECCOMP_FOREACH_LOCAL_ARCH(arch) {
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL; _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
unsigned i;
log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch)); log_debug("Operating on architecture: %s", seccomp_arch_to_string(arch));
@ -1190,7 +1218,7 @@ int seccomp_restrict_namespaces(unsigned long retain) {
continue; continue;
} }
for (i = 0; namespace_flag_map[i].name; i++) { for (unsigned i = 0; namespace_flag_map[i].name; i++) {
unsigned long f; unsigned long f;
f = namespace_flag_map[i].flag; f = namespace_flag_map[i].flag;
@ -1384,7 +1412,7 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
return r; return r;
if (allow_list) { if (allow_list) {
int af, first = 0, last = 0; int first = 0, last = 0;
void *afp; void *afp;
/* If this is an allow list, we first block the address families that are out of /* If this is an allow list, we first block the address families that are out of
@ -1392,7 +1420,7 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
* highest address family in the set. */ * highest address family in the set. */
SET_FOREACH(afp, address_families, i) { SET_FOREACH(afp, address_families, i) {
af = PTR_TO_INT(afp); int af = PTR_TO_INT(afp);
if (af <= 0 || af >= af_max()) if (af <= 0 || af >= af_max())
continue; continue;
@ -1446,7 +1474,7 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
} }
/* Block everything between the first and last entry */ /* Block everything between the first and last entry */
for (af = 1; af < af_max(); af++) { for (int af = 1; af < af_max(); af++) {
if (set_contains(address_families, INT_TO_PTR(af))) if (set_contains(address_families, INT_TO_PTR(af)))
continue; continue;
@ -1473,7 +1501,6 @@ int seccomp_restrict_address_families(Set *address_families, bool allow_list) {
* then combined in OR checks. */ * then combined in OR checks. */
SET_FOREACH(af, address_families, i) { SET_FOREACH(af, address_families, i) {
r = seccomp_rule_add_exact( r = seccomp_rule_add_exact(
seccomp, seccomp,
SCMP_ACT_ERRNO(EAFNOSUPPORT), SCMP_ACT_ERRNO(EAFNOSUPPORT),

View File

@ -21,7 +21,7 @@ typedef struct SyscallFilterSet {
} SyscallFilterSet; } SyscallFilterSet;
enum { enum {
/* Please leave DEFAULT first, but sort the rest alphabetically */ /* Please leave DEFAULT first and KNOWN last, but sort the rest alphabetically */
SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_DEFAULT,
SYSCALL_FILTER_SET_AIO, SYSCALL_FILTER_SET_AIO,
SYSCALL_FILTER_SET_BASIC_IO, SYSCALL_FILTER_SET_BASIC_IO,
@ -50,6 +50,7 @@ enum {
SYSCALL_FILTER_SET_SYNC, SYSCALL_FILTER_SET_SYNC,
SYSCALL_FILTER_SET_SYSTEM_SERVICE, SYSCALL_FILTER_SET_SYSTEM_SERVICE,
SYSCALL_FILTER_SET_TIMER, SYSCALL_FILTER_SET_TIMER,
SYSCALL_FILTER_SET_KNOWN,
_SYSCALL_FILTER_SET_MAX _SYSCALL_FILTER_SET_MAX
}; };
@ -59,7 +60,13 @@ const SyscallFilterSet *syscall_filter_set_find(const char *name);
int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set); int seccomp_filter_set_add(Hashmap *s, bool b, const SyscallFilterSet *set);
int seccomp_add_syscall_filter_item(scmp_filter_ctx *ctx, const char *name, uint32_t action, char **exclude, bool log_missing); int seccomp_add_syscall_filter_item(
scmp_filter_ctx *ctx,
const char *name,
uint32_t action,
char **exclude,
bool log_missing,
char ***added);
int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing); int seccomp_load_syscall_filter_set(uint32_t default_action, const SyscallFilterSet *set, uint32_t action, bool log_missing);
int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing); int seccomp_load_syscall_filter_set_raw(uint32_t default_action, Hashmap* set, uint32_t action, bool log_missing);

View File

@ -0,0 +1,597 @@
_llseek
_newselect
_sysctl
accept
accept4
access
acct
add_key
adjtimex
alarm
arc_gettls
arc_settls
arc_usr_cmpxchg
arch_prctl
arm_fadvise64_64
arm_sync_file_range
atomic_barrier
atomic_cmpxchg_32
bdflush
bfin_spinlock
bind
bpf
brk
cache_sync
cachectl
cacheflush
capget
capset
chdir
chmod
chown
chown32
chroot
clock_adjtime
clock_adjtime64
clock_getres
clock_getres_time64
clock_gettime
clock_gettime64
clock_nanosleep
clock_nanosleep_time64
clock_settime
clock_settime64
clone
clone2
clone3
close
close_range
connect
copy_file_range
creat
create_module
delete_module
dipc
dup
dup2
dup3
epoll_create
epoll_create1
epoll_ctl
epoll_ctl_old
epoll_pwait
epoll_wait
epoll_wait_old
eventfd
eventfd2
exec_with_loader
execv
execve
execveat
exit
exit_group
faccessat
faccessat2
fadvise64
fadvise64_64
fallocate
fanotify_init
fanotify_mark
fchdir
fchmod
fchmodat
fchown
fchown32
fchownat
fcntl
fcntl64
fdatasync
fgetxattr
finit_module
flistxattr
flock
fork
fp_udfiex_crtl
fremovexattr
fsconfig
fsetxattr
fsmount
fsopen
fspick
fstat
fstat64
fstatat64
fstatfs
fstatfs64
fsync
ftruncate
ftruncate64
futex
futex_time64
futimesat
get_kernel_syms
get_mempolicy
get_robust_list
get_thread_area
getcpu
getcwd
getdents
getdents64
getdomainname
getdtablesize
getegid
getegid32
geteuid
geteuid32
getgid
getgid32
getgroups
getgroups32
gethostname
getitimer
getpagesize
getpeername
getpgid
getpgrp
getpid
getpmsg
getppid
getpriority
getrandom
getresgid
getresgid32
getresuid
getresuid32
getrlimit
getrusage
getsid
getsockname
getsockopt
gettid
gettimeofday
getuid
getuid32
getunwind
getxattr
getxgid
getxpid
getxuid
idle
init_module
inotify_add_watch
inotify_init
inotify_init1
inotify_rm_watch
io_cancel
io_destroy
io_getevents
io_pgetevents
io_pgetevents_time64
io_setup
io_submit
io_uring_enter
io_uring_register
io_uring_setup
ioctl
ioperm
iopl
ioprio_get
ioprio_set
ipc
kcmp
kern_features
kexec_file_load
kexec_load
keyctl
kill
lchown
lchown32
lgetxattr
link
linkat
listen
listxattr
llistxattr
lookup_dcookie
lremovexattr
lseek
lsetxattr
lstat
lstat64
madvise
mbind
membarrier
memfd_create
memory_ordering
migrate_pages
mincore
mkdir
mkdirat
mknod
mknodat
mlock
mlock2
mlockall
mmap
mmap2
modify_ldt
mount
move_mount
move_pages
mprotect
mq_getsetattr
mq_notify
mq_open
mq_timedreceive
mq_timedreceive_time64
mq_timedsend
mq_timedsend_time64
mq_unlink
mremap
msgctl
msgget
msgrcv
msgsnd
msync
multiplexer
munlock
munlockall
munmap
name_to_handle_at
nanosleep
newfstatat
nfsservctl
ni_syscall
nice
old_adjtimex
old_getpagesize
oldfstat
oldlstat
oldolduname
oldstat
oldumount
olduname
open
open_by_handle_at
open_tree
openat
openat2
or1k_atomic
osf_adjtime
osf_afs_syscall
osf_alt_plock
osf_alt_setsid
osf_alt_sigpending
osf_asynch_daemon
osf_audcntl
osf_audgen
osf_chflags
osf_execve
osf_exportfs
osf_fchflags
osf_fdatasync
osf_fpathconf
osf_fstat
osf_fstatfs
osf_fstatfs64
osf_fuser
osf_getaddressconf
osf_getdirentries
osf_getdomainname
osf_getfh
osf_getfsstat
osf_gethostid
osf_getitimer
osf_getlogin
osf_getmnt
osf_getrusage
osf_getsysinfo
osf_gettimeofday
osf_kloadcall
osf_kmodcall
osf_lstat
osf_memcntl
osf_mincore
osf_mount
osf_mremap
osf_msfs_syscall
osf_msleep
osf_mvalid
osf_mwakeup
osf_naccept
osf_nfssvc
osf_ngetpeername
osf_ngetsockname
osf_nrecvfrom
osf_nrecvmsg
osf_nsendmsg
osf_ntp_adjtime
osf_ntp_gettime
osf_old_creat
osf_old_fstat
osf_old_getpgrp
osf_old_killpg
osf_old_lstat
osf_old_open
osf_old_sigaction
osf_old_sigblock
osf_old_sigreturn
osf_old_sigsetmask
osf_old_sigvec
osf_old_stat
osf_old_vadvise
osf_old_vtrace
osf_old_wait
osf_oldquota
osf_pathconf
osf_pid_block
osf_pid_unblock
osf_plock
osf_priocntlset
osf_profil
osf_proplist_syscall
osf_reboot
osf_revoke
osf_sbrk
osf_security
osf_select
osf_set_program_attributes
osf_set_speculative
osf_sethostid
osf_setitimer
osf_setlogin
osf_setsysinfo
osf_settimeofday
osf_shmat
osf_signal
osf_sigprocmask
osf_sigsendset
osf_sigstack
osf_sigwaitprim
osf_sstk
osf_stat
osf_statfs
osf_statfs64
osf_subsys_info
osf_swapctl
osf_swapon
osf_syscall
osf_sysinfo
osf_table
osf_uadmin
osf_usleep_thread
osf_uswitch
osf_utc_adjtime
osf_utc_gettime
osf_utimes
osf_utsname
osf_wait4
osf_waitid
pause
pciconfig_iobase
pciconfig_read
pciconfig_write
perf_event_open
perfctr
perfmonctl
personality
pidfd_getfd
pidfd_open
pidfd_send_signal
pipe
pipe2
pivot_root
pkey_alloc
pkey_free
pkey_mprotect
poll
ppoll
ppoll_time64
prctl
pread64
preadv
preadv2
prlimit64
process_vm_readv
process_vm_writev
pselect6
pselect6_time64
ptrace
pwrite64
pwritev
pwritev2
query_module
quotactl
read
readahead
readdir
readlink
readlinkat
readv
reboot
recv
recvfrom
recvmmsg
recvmmsg_time64
recvmsg
remap_file_pages
removexattr
rename
renameat
renameat2
request_key
restart_syscall
riscv_flush_icache
rmdir
rseq
rt_sigaction
rt_sigpending
rt_sigprocmask
rt_sigqueueinfo
rt_sigreturn
rt_sigsuspend
rt_sigtimedwait
rt_sigtimedwait_time64
rt_tgsigqueueinfo
rtas
s390_guarded_storage
s390_pci_mmio_read
s390_pci_mmio_write
s390_runtime_instr
s390_sthyi
sched_get_affinity
sched_get_priority_max
sched_get_priority_min
sched_getaffinity
sched_getattr
sched_getparam
sched_getscheduler
sched_rr_get_interval
sched_rr_get_interval_time64
sched_set_affinity
sched_setaffinity
sched_setattr
sched_setparam
sched_setscheduler
sched_yield
seccomp
select
semctl
semget
semop
semtimedop
semtimedop_time64
send
sendfile
sendfile64
sendmmsg
sendmsg
sendto
set_mempolicy
set_robust_list
set_thread_area
set_tid_address
setdomainname
setfsgid
setfsgid32
setfsuid
setfsuid32
setgid
setgid32
setgroups
setgroups32
sethae
sethostname
setitimer
setns
setpgid
setpgrp
setpriority
setregid
setregid32
setresgid
setresgid32
setresuid
setresuid32
setreuid
setreuid32
setrlimit
setsid
setsockopt
settimeofday
setuid
setuid32
setxattr
sgetmask
shmat
shmctl
shmdt
shmget
shutdown
sigaction
sigaltstack
signal
signalfd
signalfd4
sigpending
sigprocmask
sigreturn
sigsuspend
socket
socketcall
socketpair
splice
spu_create
spu_run
ssetmask
stat
stat64
statfs
statfs64
statx
stime
subpage_prot
swapcontext
swapoff
swapon
switch_endian
symlink
symlinkat
sync
sync_file_range
sync_file_range2
syncfs
sys_debug_setcontext
syscall
sysfs
sysinfo
syslog
sysmips
tee
tgkill
time
timer_create
timer_delete
timer_getoverrun
timer_gettime
timer_gettime64
timer_settime
timer_settime64
timerfd
timerfd_create
timerfd_gettime
timerfd_gettime64
timerfd_settime
timerfd_settime64
times
tkill
truncate
truncate64
udftrap
ugetrlimit
umask
umount
umount2
uname
unlink
unlinkat
unshare
uselib
userfaultfd
ustat
utime
utimensat
utimensat_time64
utimes
utimesat
utrap_install
vfork
vhangup
vm86
vm86old
vmsplice
wait4
waitid
waitpid
write
writev

View File

@ -160,11 +160,8 @@ static int lock_all_homes(void) {
r = sd_bus_call(bus, m, DEFAULT_TIMEOUT_USEC, &error, NULL); r = sd_bus_call(bus, m, DEFAULT_TIMEOUT_USEC, &error, NULL);
if (r < 0) { if (r < 0) {
if (sd_bus_error_has_name(&error, SD_BUS_ERROR_SERVICE_UNKNOWN) || if (bus_error_is_unknown_service(&error))
sd_bus_error_has_name(&error, SD_BUS_ERROR_NAME_HAS_NO_OWNER)) { return log_debug("systemd-homed is not running, skipping locking of home directories.");
log_debug("systemd-homed is not running, skipping locking of home directories.");
return 0;
}
return log_error_errno(r, "Failed to lock home directories: %s", bus_error_message(&error, r)); return log_error_errno(r, "Failed to lock home directories: %s", bus_error_message(&error, r));
} }

View File

@ -279,17 +279,17 @@ static int translate_bus_error_to_exit_status(int r, const sd_bus_error *error)
if (!sd_bus_error_is_set(error)) if (!sd_bus_error_is_set(error))
return r; return r;
if (sd_bus_error_has_name(error, SD_BUS_ERROR_ACCESS_DENIED) || if (sd_bus_error_has_names(error, SD_BUS_ERROR_ACCESS_DENIED,
sd_bus_error_has_name(error, BUS_ERROR_ONLY_BY_DEPENDENCY) || BUS_ERROR_ONLY_BY_DEPENDENCY,
sd_bus_error_has_name(error, BUS_ERROR_NO_ISOLATION) || BUS_ERROR_NO_ISOLATION,
sd_bus_error_has_name(error, BUS_ERROR_TRANSACTION_IS_DESTRUCTIVE)) BUS_ERROR_TRANSACTION_IS_DESTRUCTIVE))
return EXIT_NOPERMISSION; return EXIT_NOPERMISSION;
if (sd_bus_error_has_name(error, BUS_ERROR_NO_SUCH_UNIT)) if (sd_bus_error_has_name(error, BUS_ERROR_NO_SUCH_UNIT))
return EXIT_NOTINSTALLED; return EXIT_NOTINSTALLED;
if (sd_bus_error_has_name(error, BUS_ERROR_JOB_TYPE_NOT_APPLICABLE) || if (sd_bus_error_has_names(error, BUS_ERROR_JOB_TYPE_NOT_APPLICABLE,
sd_bus_error_has_name(error, SD_BUS_ERROR_NOT_SUPPORTED)) SD_BUS_ERROR_NOT_SUPPORTED))
return EXIT_NOTIMPLEMENTED; return EXIT_NOTIMPLEMENTED;
if (sd_bus_error_has_name(error, BUS_ERROR_LOAD_FAILED)) if (sd_bus_error_has_name(error, BUS_ERROR_LOAD_FAILED))
@ -552,8 +552,8 @@ static int get_unit_list(
return bus_log_create_error(r); return bus_log_create_error(r);
r = sd_bus_call(bus, m, 0, &error, &reply); r = sd_bus_call(bus, m, 0, &error, &reply);
if (r < 0 && (sd_bus_error_has_name(&error, SD_BUS_ERROR_UNKNOWN_METHOD) || if (r < 0 && (sd_bus_error_has_names(&error, SD_BUS_ERROR_UNKNOWN_METHOD,
sd_bus_error_has_name(&error, SD_BUS_ERROR_ACCESS_DENIED))) { SD_BUS_ERROR_ACCESS_DENIED))) {
/* Fallback to legacy ListUnitsFiltered method */ /* Fallback to legacy ListUnitsFiltered method */
fallback = true; fallback = true;
log_debug_errno(r, "Failed to list units: %s Falling back to ListUnitsFiltered method.", bus_error_message(&error, r)); log_debug_errno(r, "Failed to list units: %s Falling back to ListUnitsFiltered method.", bus_error_message(&error, r));
@ -2945,9 +2945,9 @@ fail:
log_error_errno(r, "Failed to %s %s: %s", job_type, name, bus_error_message(error, r)); log_error_errno(r, "Failed to %s %s: %s", job_type, name, bus_error_message(error, r));
if (!sd_bus_error_has_name(error, BUS_ERROR_NO_SUCH_UNIT) && if (!sd_bus_error_has_names(error, BUS_ERROR_NO_SUCH_UNIT,
!sd_bus_error_has_name(error, BUS_ERROR_UNIT_MASKED) && BUS_ERROR_UNIT_MASKED,
!sd_bus_error_has_name(error, BUS_ERROR_JOB_TYPE_NOT_APPLICABLE)) BUS_ERROR_JOB_TYPE_NOT_APPLICABLE))
log_error("See %s logs and 'systemctl%s status%s %s' for details.", log_error("See %s logs and 'systemctl%s status%s %s' for details.",
arg_scope == UNIT_FILE_SYSTEM ? "system" : "user", arg_scope == UNIT_FILE_SYSTEM ? "system" : "user",
arg_scope == UNIT_FILE_SYSTEM ? "" : " --user", arg_scope == UNIT_FILE_SYSTEM ? "" : " --user",

View File

@ -458,6 +458,8 @@ int sd_bus_error_copy(sd_bus_error *dest, const sd_bus_error *e);
int sd_bus_error_move(sd_bus_error *dest, sd_bus_error *e); int sd_bus_error_move(sd_bus_error *dest, sd_bus_error *e);
int sd_bus_error_is_set(const sd_bus_error *e); int sd_bus_error_is_set(const sd_bus_error *e);
int sd_bus_error_has_name(const sd_bus_error *e, const char *name); int sd_bus_error_has_name(const sd_bus_error *e, const char *name);
int sd_bus_error_has_names_sentinel(const sd_bus_error *e, ...) _sd_sentinel_;
#define sd_bus_error_has_names(e, ...) sd_bus_error_has_names_sentinel(e, __VA_ARGS__, NULL)
#define SD_BUS_ERROR_MAP(_name, _code) \ #define SD_BUS_ERROR_MAP(_name, _code) \
{ \ { \

View File

@ -163,8 +163,6 @@ static void test_protect_kernel_logs(void) {
NULL, NULL,
NULL, NULL,
NULL, NULL,
PROTECT_HOME_NO,
PROTECT_SYSTEM_NO,
0, 0,
NULL, NULL,
0, 0,

View File

@ -36,6 +36,8 @@ int main(int argc, char *argv[]) {
.protect_control_groups = true, .protect_control_groups = true,
.protect_kernel_tunables = true, .protect_kernel_tunables = true,
.protect_kernel_modules = true, .protect_kernel_modules = true,
.protect_proc = PROTECT_PROC_NOACCESS,
.proc_subset = PROC_SUBSET_PID,
}; };
char *root_directory; char *root_directory;
@ -76,8 +78,6 @@ int main(int argc, char *argv[]) {
tmp_dir, tmp_dir,
var_tmp_dir, var_tmp_dir,
NULL, NULL,
PROTECT_HOME_NO,
PROTECT_SYSTEM_NO,
0, 0,
NULL, NULL,
0, 0,

View File

@ -124,7 +124,9 @@ static void test_filter_sets(void) {
int fd, r; int fd, r;
/* If we look at the default set (or one that includes it), allow-list instead of deny-list */ /* If we look at the default set (or one that includes it), allow-list instead of deny-list */
if (IN_SET(i, SYSCALL_FILTER_SET_DEFAULT, SYSCALL_FILTER_SET_SYSTEM_SERVICE)) if (IN_SET(i, SYSCALL_FILTER_SET_DEFAULT,
SYSCALL_FILTER_SET_SYSTEM_SERVICE,
SYSCALL_FILTER_SET_KNOWN))
r = seccomp_load_syscall_filter_set(SCMP_ACT_ERRNO(EUCLEAN), syscall_filter_sets + i, SCMP_ACT_ALLOW, true); r = seccomp_load_syscall_filter_set(SCMP_ACT_ERRNO(EUCLEAN), syscall_filter_sets + i, SCMP_ACT_ALLOW, true);
else else
r = seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EUCLEAN), true); r = seccomp_load_syscall_filter_set(SCMP_ACT_ALLOW, syscall_filter_sets + i, SCMP_ACT_ERRNO(EUCLEAN), true);
@ -148,22 +150,25 @@ static void test_filter_sets(void) {
} }
static void test_filter_sets_ordered(void) { static void test_filter_sets_ordered(void) {
size_t i;
log_info("/* %s */", __func__); log_info("/* %s */", __func__);
/* Ensure "@default" always remains at the beginning of the list */ /* Ensure "@default" always remains at the beginning of the list */
assert_se(SYSCALL_FILTER_SET_DEFAULT == 0); assert_se(SYSCALL_FILTER_SET_DEFAULT == 0);
assert_se(streq(syscall_filter_sets[0].name, "@default")); assert_se(streq(syscall_filter_sets[0].name, "@default"));
for (i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) { /* Ensure "@known" always remains at the end of the list */
assert_se(SYSCALL_FILTER_SET_KNOWN == _SYSCALL_FILTER_SET_MAX - 1);
assert_se(streq(syscall_filter_sets[SYSCALL_FILTER_SET_KNOWN].name, "@known"));
for (size_t i = 0; i < _SYSCALL_FILTER_SET_MAX; i++) {
const char *k, *p = NULL; const char *k, *p = NULL;
/* Make sure each group has a description */ /* Make sure each group has a description */
assert_se(!isempty(syscall_filter_sets[0].help)); assert_se(!isempty(syscall_filter_sets[0].help));
/* Make sure the groups are ordered alphabetically, except for the first entry */ /* Make sure the groups are ordered alphabetically, except for the first and last entries */
assert_se(i < 2 || strcmp(syscall_filter_sets[i-1].name, syscall_filter_sets[i].name) < 0); assert_se(i < 2 || i == _SYSCALL_FILTER_SET_MAX - 1 ||
strcmp(syscall_filter_sets[i-1].name, syscall_filter_sets[i].name) < 0);
NULSTR_FOREACH(k, syscall_filter_sets[i].value) { NULSTR_FOREACH(k, syscall_filter_sets[i].value) {

View File

@ -782,6 +782,8 @@ KEYMAP=
KEYMAP_TOGGLE= KEYMAP_TOGGLE=
KeepFree= KeepFree=
KeyringMode= KeyringMode=
ProtectProc=
ProcSubset=
KillExcludeUsers= KillExcludeUsers=
KillOnlyUsers= KillOnlyUsers=
KillSignal= KillSignal=

6
tools/syscall-names-update.sh Executable file
View File

@ -0,0 +1,6 @@
#!/bin/sh
set -eu
cd "$1"
curl -L -o syscall-names.text 'https://raw.githubusercontent.com/hrw/syscalls-table/master/syscall-names.text'

View File

@ -23,11 +23,12 @@ NoNewPrivileges=yes
PrivateDevices=yes PrivateDevices=yes
PrivateNetwork=yes PrivateNetwork=yes
PrivateTmp=yes PrivateTmp=yes
ProtectProc=invisible
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict ProtectSystem=strict
ReadWritePaths=/etc ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX RestrictAddressFamilies=AF_UNIX

View File

@ -19,12 +19,13 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
PrivateDevices=yes PrivateDevices=yes
PrivateNetwork=yes PrivateNetwork=yes
ProtectProc=invisible
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes RestrictNamespaces=yes
RestrictRealtime=yes RestrictRealtime=yes

View File

@ -21,13 +21,14 @@ NoNewPrivileges=yes
PrivateDevices=yes PrivateDevices=yes
PrivateNetwork=yes PrivateNetwork=yes
PrivateTmp=yes PrivateTmp=yes
ProtectProc=invisible
ProtectClock=yes ProtectClock=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict ProtectSystem=strict
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes RestrictNamespaces=yes

View File

@ -19,12 +19,13 @@ ExecStart=@rootlibexecdir@/systemd-journal-upload --save-state
LockPersonality=yes LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
PrivateDevices=yes PrivateDevices=yes
ProtectProc=invisible
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6
RestrictNamespaces=yes RestrictNamespaces=yes
RestrictRealtime=yes RestrictRealtime=yes

View File

@ -23,12 +23,13 @@ NoNewPrivileges=yes
PrivateDevices=yes PrivateDevices=yes
PrivateNetwork=yes PrivateNetwork=yes
PrivateTmp=yes PrivateTmp=yes
ProtectProc=invisible
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict ProtectSystem=strict
ReadWritePaths=/etc ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX RestrictAddressFamilies=AF_UNIX

View File

@ -28,7 +28,6 @@ DeviceAllow=char-drm rw
DeviceAllow=char-input rw DeviceAllow=char-input rw
DeviceAllow=char-tty rw DeviceAllow=char-tty rw
DeviceAllow=char-vcs rw DeviceAllow=char-vcs rw
# Make sure the DeviceAllow= lines above can work correctly when referenceing char-drm
ExecStart=@rootlibexecdir@/systemd-logind ExecStart=@rootlibexecdir@/systemd-logind
FileDescriptorStoreMax=512 FileDescriptorStoreMax=512
IPAddressDeny=any IPAddressDeny=any
@ -36,12 +35,13 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateTmp=yes PrivateTmp=yes
ProtectProc=invisible
ProtectClock=yes ProtectClock=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectSystem=strict ProtectSystem=strict
ReadWritePaths=/etc /run ReadWritePaths=/etc /run
Restart=always Restart=always

View File

@ -26,13 +26,15 @@ ExecStart=!!@rootlibexecdir@/systemd-networkd
LockPersonality=yes LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
ProtectProc=invisible
ProtectClock=yes ProtectClock=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes ProtectKernelLogs=yes
ProtectKernelModules=yes
ProtectSystem=strict ProtectSystem=strict
Restart=on-failure Restart=on-failure
RestartKillSignal=SIGUSR2
RestartSec=0 RestartSec=0
RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET AF_ALG RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6 AF_PACKET AF_ALG
RestrictNamespaces=yes RestrictNamespaces=yes
@ -44,7 +46,6 @@ SystemCallArchitectures=native
SystemCallErrorNumber=EPERM SystemCallErrorNumber=EPERM
SystemCallFilter=@system-service SystemCallFilter=@system-service
Type=notify Type=notify
RestartKillSignal=SIGUSR2
User=systemd-network User=systemd-network
@SERVICE_WATCHDOG@ @SERVICE_WATCHDOG@

View File

@ -28,12 +28,13 @@ MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateDevices=yes PrivateDevices=yes
PrivateTmp=yes PrivateTmp=yes
ProtectProc=invisible
ProtectClock=yes ProtectClock=yes
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict ProtectSystem=strict
Restart=always Restart=always
RestartSec=0 RestartSec=0

View File

@ -22,12 +22,13 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateTmp=yes PrivateTmp=yes
ProtectProc=invisible
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict ProtectSystem=strict
ReadWritePaths=/etc ReadWritePaths=/etc
RestrictAddressFamilies=AF_UNIX RestrictAddressFamilies=AF_UNIX

View File

@ -27,12 +27,13 @@ MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateDevices=yes PrivateDevices=yes
PrivateTmp=yes PrivateTmp=yes
ProtectProc=invisible
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes
ProtectKernelLogs=yes
ProtectKernelModules=yes ProtectKernelModules=yes
ProtectKernelTunables=yes ProtectKernelTunables=yes
ProtectKernelLogs=yes
ProtectSystem=strict ProtectSystem=strict
Restart=always Restart=always
RestartSec=0 RestartSec=0

View File

@ -24,6 +24,7 @@ LockPersonality=yes
MemoryDenyWriteExecute=yes MemoryDenyWriteExecute=yes
NoNewPrivileges=yes NoNewPrivileges=yes
PrivateDevices=yes PrivateDevices=yes
ProtectProc=invisible
ProtectControlGroups=yes ProtectControlGroups=yes
ProtectHome=yes ProtectHome=yes
ProtectHostname=yes ProtectHostname=yes