units: add ProtectClock=yes

Add `ProtectClock=yes` to systemd units. Since it implies certain `DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so they are still able to access other devices. Exclude timesyncd and timedated.
Remove message->priority field
2020-04-07 15:37:14 +02:00 · 2020-04-07 15:29:23 +02:00 · 2020-04-07 15:28:46 +02:00 · 2020-04-07 15:27:50 +02:00 · 2020-04-07 14:23:31 +02:00 · 2020-04-07 14:10:56 +02:00
18 changed files with 73 additions and 21 deletions
--- a/6
+++ b/6
@ -1,5 +1,11 @@
 systemd System and Service Manager

+CHANGES WITH 246 in spe:
+        * The fs.suid_dumpable sysctl is set to 2 / "suidsafe". This allows
+          systemd-coredump to save core files for suid processes. When saving
+          the core file, systemd-coredump will use the effective uid and gid of
+          the process that faulted.
+
 CHANGES WITH 245:

        * A new tool "systemd-repart" has been added, that operates as an
--- a/hwdb.d/60-sensor.hwdb
+++ b/hwdb.d/60-sensor.hwdb
@ -469,6 +469,12 @@ sensor:modalias:acpi:KIOX010A*:dmi:*:svnMEDION:pnE*:*
 sensor:modalias:acpi:KIOX010A*:dmi:*:svnMEDION:pnMEDION*:*
 ACCEL_MOUNT_MATRIX=0, -1, 0; -1, 0, 0; 0, 0, 1

+#########################################
+# MPMAN
+#########################################
+sensor:modalias:acpi:BMA250E*:dmi:*:svnMPMAN:pnMPWIN8900CL:*
+ ACCEL_MOUNT_MATRIX=1, 0, 0; 0, -1, 0; 0, 0, 1
+
 #########################################
 # MSI
 #########################################
--- a/man/rules/meson.build
+++ b/man/rules/meson.build
@ -140,7 +140,12 @@ manpages = [
  ''],
 ['sd_bus_attach_event', '3', ['sd_bus_detach_event', 'sd_bus_get_event'], ''],
 ['sd_bus_call', '3', ['sd_bus_call_async'], ''],
- ['sd_bus_call_method', '3', ['sd_bus_call_method_async'], ''],
+ ['sd_bus_call_method',
+  '3',
+  ['sd_bus_call_method_async',
+   'sd_bus_call_method_asyncv',
+   'sd_bus_call_methodv'],
+  ''],
 ['sd_bus_close', '3', ['sd_bus_default_flush_close', 'sd_bus_flush'], ''],
 ['sd_bus_creds_get_pid',
  '3',
@ -325,9 +330,11 @@ manpages = [
  '3',
  ['sd_bus_reply_method_errno',
   'sd_bus_reply_method_errnof',
-   'sd_bus_reply_method_errorf'],
+   'sd_bus_reply_method_errnofv',
+   'sd_bus_reply_method_errorf',
+   'sd_bus_reply_method_errorfv'],
  ''],
- ['sd_bus_reply_method_return', '3', [], ''],
+ ['sd_bus_reply_method_return', '3', ['sd_bus_reply_method_returnv'], ''],
 ['sd_bus_request_name',
  '3',
  ['sd_bus_release_name',
--- a/man/sd_bus_message_dump.xml
+++ b/man/sd_bus_message_dump.xml
@ -65,7 +65,7 @@

    <para>Output for a signal message (with <constant>SD_BUS_MESSAGE_DUMP_WITH_HEADER</constant>):
    <programlisting>
-‣ Type=signal  Endian=l  Flags=1  Version=1  Priority=0 Cookie=22
+‣ Type=signal  Endian=l  Flags=1  Version=1  Cookie=22
  Path=/value/a  Interface=org.freedesktop.DBus.Properties  Member=PropertiesChanged
  MESSAGE "sa{sv}as" {
          STRING "org.freedesktop.systemd.ValueTest";
--- a/man/systemd.special.xml
+++ b/man/systemd.special.xml
@ -106,7 +106,7 @@
  </refsect1>

  <refsect1>
-    <title>Units managed by the system's service manager</title>
+    <title>Units managed by the system service manager</title>

    <refsect2>
      <title>Special System Units</title>
@ -1058,7 +1058,7 @@
  </refsect1>

  <refsect1>
-    <title>Units managed by the user's service manager</title>
+    <title>Units managed by the user service manager</title>

    <refsect2>
      <title>Special User Units</title>
--- a/network/networkd-dhcp-server.c
+++ b/network/networkd-dhcp-server.c
--- a/src/busctl/busctl.c
+++ b/src/busctl/busctl.c
@ -1200,7 +1200,6 @@ static int message_json(sd_bus_message *m, FILE *f) {
                                       JSON_BUILD_PAIR("endian", JSON_BUILD_STRING(e)),
                                       JSON_BUILD_PAIR("flags", JSON_BUILD_INTEGER(m->header->flags)),
                                       JSON_BUILD_PAIR("version", JSON_BUILD_INTEGER(m->header->version)),
-                                       JSON_BUILD_PAIR_CONDITION(m->priority != 0, "priority", JSON_BUILD_INTEGER(m->priority)),
                                       JSON_BUILD_PAIR("cookie", JSON_BUILD_INTEGER(BUS_MESSAGE_COOKIE(m))),
                                       JSON_BUILD_PAIR_CONDITION(m->reply_cookie != 0, "reply_cookie", JSON_BUILD_INTEGER(m->reply_cookie)),
                                       JSON_BUILD_PAIR_CONDITION(m->sender, "sender", JSON_BUILD_STRING(m->sender)),
--- a/src/core/manager.c
+++ b/src/core/manager.c
@ -4247,6 +4247,11 @@ ManagerState manager_state(Manager *m) {

        assert(m);

+        /* Is the special shutdown target active or queued? If so, we are in shutdown state */
+        u = manager_get_unit(m, SPECIAL_SHUTDOWN_TARGET);
+        if (u && unit_active_or_pending(u))
+                return MANAGER_STOPPING;
+
        /* Did we ever finish booting? If not then we are still starting up */
        if (!MANAGER_IS_FINISHED(m)) {

@ -4257,11 +4262,6 @@ ManagerState manager_state(Manager *m) {
                return MANAGER_STARTING;
        }

-        /* Is the special shutdown target active or queued? If so, we are in shutdown state */
-        u = manager_get_unit(m, SPECIAL_SHUTDOWN_TARGET);
-        if (u && unit_active_or_pending(u))
-                return MANAGER_STOPPING;
-
        if (MANAGER_IS_SYSTEM(m)) {
                /* Are the rescue or emergency targets active or queued? If so we are in maintenance state */
                u = manager_get_unit(m, SPECIAL_RESCUE_TARGET);
--- a/src/libsystemd/sd-bus/bus-dump.c
+++ b/src/libsystemd/sd-bus/bus-dump.c
@ -56,7 +56,7 @@ _public_ int sd_bus_message_dump(sd_bus_message *m, FILE *f, uint64_t flags) {

        if (flags & SD_BUS_MESSAGE_DUMP_WITH_HEADER) {
                fprintf(f,
-                        "%s%s%s Type=%s%s%s  Endian=%c  Flags=%u  Version=%u  Priority=%"PRIi64,
+                        "%s%s%s Type=%s%s%s  Endian=%c  Flags=%u  Version=%u",
                        m->header->type == SD_BUS_MESSAGE_METHOD_ERROR ? ansi_highlight_red() :
                        m->header->type == SD_BUS_MESSAGE_METHOD_RETURN ? ansi_highlight_green() :
                        m->header->type != SD_BUS_MESSAGE_SIGNAL ? ansi_highlight() : "",
@ -69,8 +69,7 @@ _public_ int sd_bus_message_dump(sd_bus_message *m, FILE *f, uint64_t flags) {

                        m->header->endian,
                        m->header->flags,
-                        m->header->version,
-                        m->priority);
+                        m->header->version);

                /* Display synthetic message serial number in a more readable
                 * format than (uint32_t) -1 */
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@ -5924,18 +5924,31 @@ int bus_message_remarshal(sd_bus *bus, sd_bus_message **m) {
 }

 _public_ int sd_bus_message_get_priority(sd_bus_message *m, int64_t *priority) {
+        static bool warned = false;
+
        assert_return(m, -EINVAL);
        assert_return(priority, -EINVAL);

-        *priority = m->priority;
+        if (!warned) {
+                log_debug("sd_bus_message_get_priority() is deprecated and always returns 0.");
+                warned = true;
+        }
+
+        *priority = 0;
        return 0;
 }

 _public_ int sd_bus_message_set_priority(sd_bus_message *m, int64_t priority) {
+        static bool warned = false;
+
        assert_return(m, -EINVAL);
        assert_return(!m->sealed, -EPERM);

-        m->priority = priority;
+        if (!warned) {
+                log_debug("sd_bus_message_set_priority() is deprecated and does nothing.");
+                warned = true;
+        }
+
        return 0;
 }

--- a/src/libsystemd/sd-bus/bus-message.h
+++ b/src/libsystemd/sd-bus/bus-message.h
@ -76,7 +76,6 @@ struct sd_bus_message {
        usec_t monotonic;
        usec_t realtime;
        uint64_t seqnum;
-        int64_t priority;
        uint64_t verify_destination_id;

        bool sealed:1;
--- a/sysctl.d/50-coredump.conf.in
+++ b/sysctl.d/50-coredump.conf.in
@ -5,8 +5,23 @@
 #  the Free Software Foundation; either version 2.1 of the License, or
 #  (at your option) any later version.

-# See sysctl.d(5) for the description of the files in this directory,
-# and systemd-coredump(8) and core(5) for the explanation of the
-# setting below.
+# See sysctl.d(5) for the description of the files in this directory.

+# Pipe the core file to systemd-coredump. The systemd-coredump process spawned
+# by the kernel will start a second copy of itself as the
+# systemd-coredump@.service, which will do the actual processing and storing of
+# the core dump.
+#
+# See systemd-coredump(8) and core(5).
 kernel.core_pattern=|@rootlibexecdir@/systemd-coredump %P %u %g %s %t %c %h
+
+# Also dump processes executing a set-user-ID/set-group-ID program that is
+# owned by a user/group other than the real user/group ID of the process, or
+# a program that has file capabilities. ("2" is called "suidsafe" in core(5)).
+#
+# systemd-coredump will store the core file owned by the effective uid and gid
+# of the running process (and not the filesystem-user-ID which the kernel uses
+# when saving a core dump).
+#
+# See proc(5), setuid(2), capabilities(7).
+fs.suid_dumpable=2
--- a/units/systemd-journal-remote.service.in
+++ b/units/systemd-journal-remote.service.in
@ -21,6 +21,7 @@ NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateNetwork=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
--- a/units/systemd-journald.service.in
+++ b/units/systemd-journald.service.in
@ -25,6 +25,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 OOMScoreAdjust=-250
+ProtectClock=yes
 Restart=always
 RestartSec=0
 RestrictAddressFamilies=AF_UNIX AF_NETLINK
--- a/units/systemd-logind.service.in
+++ b/units/systemd-logind.service.in
@ -36,6 +36,7 @@ LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectHostname=yes
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@ -26,6 +26,7 @@ ExecStart=!!@rootlibexecdir@/systemd-networkd
 LockPersonality=yes
 MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
--- a/units/systemd-resolved.service.in
+++ b/units/systemd-resolved.service.in
@ -28,6 +28,7 @@ MemoryDenyWriteExecute=yes
 NoNewPrivileges=yes
 PrivateDevices=yes
 PrivateTmp=yes
+ProtectClock=yes
 ProtectControlGroups=yes
 ProtectHome=yes
 ProtectKernelModules=yes
--- a/units/systemd-udevd.service.in
+++ b/units/systemd-udevd.service.in
@ -16,6 +16,8 @@ Before=sysinit.target
 ConditionPathIsReadWrite=/sys

 [Service]
+DeviceAllow=block-* rwm
+DeviceAllow=char-* rwm
 Type=notify
 # Note that udev also adjusts the OOM score internally and will reset the value internally for its workers
 OOMScoreAdjust=-1000
@ -27,6 +29,7 @@ ExecReload=udevadm control --reload --timeout 0
 KillMode=mixed
 TasksMax=infinity
 PrivateMounts=yes
+ProtectClock=yes
 ProtectHostname=yes
 MemoryDenyWriteExecute=yes
 RestrictAddressFamilies=AF_UNIX AF_NETLINK AF_INET AF_INET6
Author	SHA1	Message	Date
Topi Miettinen	cabc1c6d7a	units: add ProtectClock=yes Add `ProtectClock=yes` to systemd units. Since it implies certain `DeviceAllow=` rules, make sure that the units have `DeviceAllow=` rules so they are still able to access other devices. Exclude timesyncd and timedated.	2020-04-07 15:37:14 +02:00
Zbigniew Jędrzejewski-Szmek	c3362c2f97	Remove message->priority field A warning is emitted from sd_bus_message_{get,set}_priority. Those functions are exposed by pystemd, so we have no easy way of checking if anything is calling them. Just making the functions always return without doing anything would be an option, but then we could leave the caller with an undefined variable. So I think it's better to make the functions emit a warnings and return priority=0 in the get operation.	2020-04-07 15:29:23 +02:00
Zbigniew Jędrzejewski-Szmek	6635f57d3e	sysctl: enable coredump for suid binaries Right now the kernel will not dump anything that went through setuid or setgid. But it is routine for daemons to do that, and it makes things hard to debug. systemd-coredump saves the coredump readable by the users the process was running as. This should be enough to avoid information leakage. So let's also tell the kernel to do the coredump. For https://bugzilla.redhat.com/show_bug.cgi?id=1790972. Both patterns are stored in the same file, so they are enabled or disabled together. (Though suid_dumpable=2 is supposed to be safe even when writing to plain files.)	2020-04-07 15:28:46 +02:00
root	f9d29f6d06	fix manager_state	2020-04-07 15:27:50 +02:00
Hans de Goede	e6b68254c2	hwdb: Add accel orientation quirk for MPMAN MPWIN895CL tablet Add a quirk to fix the accelerometer orientation on the MPMAN MPWIN895CL tablet.	2020-04-07 14:23:31 +02:00
Lennart Poettering	602235f27d	Merge pull request #15349 from keszybz/doc-work Remove stray file and fix two minor issues in man pages	2020-04-07 14:10:56 +02:00
Zbigniew Jędrzejewski-Szmek	9aa822179b	man: update rules Apparently this step was forgotten in `935052a8aa`.	2020-04-06 20:47:14 +02:00
Zbigniew Jędrzejewski-Szmek	326b1f897b	Remove stray file	2020-04-06 20:45:41 +02:00
Zbigniew Jędrzejewski-Szmek	bb288a2cb3	man: drop apostophe from section title For whatever reason, this does not get rendered propely in the man page and results in an invalid code: W: manual-page-warning /usr/share/man/man7/systemd.special.7.gz 103: warning: macro `AQ' not defined We say 'user manager' and 'system manager' in most other places, so let's just use this form here too.	2020-04-06 20:45:41 +02:00