Compare commits
17 Commits
b82e818f5c
...
59a49b1bcd
Author | SHA1 | Date |
---|---|---|
Lennart Poettering | 59a49b1bcd | |
Lennart Poettering | 168e131b8b | |
Zbigniew Jędrzejewski-Szmek | 8490fc7aef | |
Zbigniew Jędrzejewski-Szmek | 2d8898f564 | |
Lennart Poettering | 6d19b71876 | |
Lennart Poettering | 4e67759960 | |
Lennart Poettering | e884e00071 | |
Anita Zhang | 206a29b2e1 | |
Zbigniew Jędrzejewski-Szmek | 2536752dda | |
Zbigniew Jędrzejewski-Szmek | cc560ac064 | |
Zbigniew Jędrzejewski-Szmek | b289de2b06 | |
Zbigniew Jędrzejewski-Szmek | 93e63b2a35 | |
Zbigniew Jędrzejewski-Szmek | 4d985a317a | |
Zbigniew Jędrzejewski-Szmek | 26e1e97345 | |
Zbigniew Jędrzejewski-Szmek | 6ab863190d | |
Zbigniew Jędrzejewski-Szmek | 6962cf2e2a | |
Zbigniew Jędrzejewski-Szmek | 38fcb7f766 | |
17
NEWS
|
@ -19,7 +19,7 @@ CHANGES WITH 244 in spe:
|
|||
SystemdOptions. This may be used to configure systemd behaviour when
|
||||
modifying the kernel command line is inconvenient, but configuration
|
||||
on disk is read too late, for example for the options related to
|
||||
cgroup hierarchy setup. 'bootctl system-options' may be used to
|
||||
cgroup hierarchy setup. 'bootctl systemd-efi-options' may be used to
|
||||
set the EFI variable.
|
||||
|
||||
* systemd will now disable printk ratelimits in early boot. This should
|
||||
|
@ -187,6 +187,19 @@ CHANGES WITH 244 in spe:
|
|||
used by the user service manager. The default is again to use the same
|
||||
path as the system manager.
|
||||
|
||||
* The systemd-id128 tool gained a new switch "-u" (or "--uuid") for
|
||||
outputting the 128bit IDs in UUID format (i.e. in the "canonical
|
||||
representation").
|
||||
|
||||
* Service units gained a new sandboxing option ProtectKernelLogs= which
|
||||
makes sure the program cannot get direct access to the kernel log
|
||||
buffer anymore, i.e. the syslog() system call (not to be confused
|
||||
with the API of the same name in libc, which is not affected), the
|
||||
/proc/kmsg and /dev/kmsg nodes and the CAP_SYSLOG capability are made
|
||||
inaccessible to the service. It's recommended to enable this setting
|
||||
for all services that should not be able to read from or write to the
|
||||
kernel log buffer, which are probably almost all.
|
||||
|
||||
CHANGES WITH 243:
|
||||
|
||||
* This release enables unprivileged programs (i.e. requiring neither
|
||||
|
@ -505,7 +518,7 @@ CHANGES WITH 243:
|
|||
* SuccessExitStatus=, RestartPreventExitStatus=, and
|
||||
RestartForceExitStatus= now accept exit status names (e.g. "DATAERR"
|
||||
is equivalent to "65"). Those exit status name mappings may be
|
||||
displayed with the sytemd-analyze exit-status verb describe above.
|
||||
displayed with the systemd-analyze exit-status verb describe above.
|
||||
|
||||
* systemd-logind now exposes a per-session SetBrightness() bus call,
|
||||
which may be used to securely change the brightness of a kernel
|
||||
|
|
|
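Review bot: The replacement line fixes "sytemd-analyze" but still ends in "verb describe above"; since the sentence is being touched anyway, change it to "verb described above" in the same commit.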
@ -47,8 +47,8 @@ All tools:
|
|||
* `$SYSTEMD_CRYPTTAB` — if set, use this path instead of /etc/crypttab. Only
|
||||
useful for debugging. Currently only supported by systemd-cryptsetup-generator.
|
||||
|
||||
* `$SYSTEMD_EFI_OPTIONS` — if set, used instead of the string in SystemdOptions
|
||||
EFI variable. Analogous to `$SYSTEMD_PROC_CMDLINE`.
|
||||
* `$SYSTEMD_EFI_OPTIONS` — if set, used instead of the string in the
|
||||
SystemdOptions EFI variable. Analogous to `$SYSTEMD_PROC_CMDLINE`.
|
||||
|
||||
* `$SYSTEMD_IN_INITRD` — takes a boolean. If set, overrides initrd detection.
|
||||
This is useful for debugging and testing initrd-only programs in the main
|
||||
|
|
|
@ -102,7 +102,7 @@
|
|||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><option>system-options</option> <optional><replaceable>VALUE</replaceable></optional></term>
|
||||
<term><option>systemd-efi-options</option> <optional><replaceable>VALUE</replaceable></optional></term>
|
||||
|
||||
<listitem><para>When called without the optional argument, prints the current value of the
|
||||
<literal>SystemdOptions</literal> EFI variable. When called with an argument, sets the
|
||||
|
|
|
@ -1032,7 +1032,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
|
|||
</refsect2>
|
||||
|
||||
<refsect2>
|
||||
<title>Manager Lifecycle Commands</title>
|
||||
<title>Manager State Commands</title>
|
||||
|
||||
<variablelist>
|
||||
<varlistentry>
|
||||
|
@ -1051,6 +1051,7 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
|
|||
<command>reload</command> command.</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><command>daemon-reexec</command></term>
|
||||
|
||||
|
@ -1065,6 +1066,39 @@ Jan 12 10:46:45 example.com bluetoothd[8900]: gatt-time-server: Input/output err
|
|||
</para>
|
||||
</listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><command>log-level</command> [<replaceable>LEVEL</replaceable>]</term>
|
||||
|
||||
<listitem><para>If no argument is given, print the current log level of the manager. If an
|
||||
optional argument <replaceable>LEVEL</replaceable> is provided, then the command changes the
|
||||
current log level of the manager to <replaceable>LEVEL</replaceable> (accepts the same values as
|
||||
<option>--log-level=</option> described in
|
||||
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><command>log-target</command> [<replaceable>TARGET</replaceable>]</term>
|
||||
|
||||
<listitem><para>If no argument is given, print the current log target of the manager. If an
|
||||
optional argument <replaceable>TARGET</replaceable> is provided, then the command changes the
|
||||
current log target of the manager to <replaceable>TARGET</replaceable> (accepts the same values as
|
||||
<option>--log-target=</option>, described in
|
||||
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).
|
||||
</para></listitem>
|
||||
</varlistentry>
|
||||
|
||||
<varlistentry>
|
||||
<term><command>service-watchdogs</command> [yes|no]</term>
|
||||
|
||||
<listitem><para>If no argument is given, print the current state of service runtime watchdogs of
|
||||
the manager. If an optional boolean argument is provided, then globally enables or disables the
|
||||
service runtime watchdogs (<option>WatchdogSec=</option>) and emergency actions (e.g.
|
||||
<option>OnFailure=</option> or <option>StartLimitAction=</option>); see
|
||||
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||
The hardware watchdog is not affected by this setting.</para></listitem>
|
||||
</varlistentry>
|
||||
</variablelist>
|
||||
</refsect2>
|
||||
|
||||
|
|
|
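Review bot: The three new entries are not worded consistently: the log-level entry has "<option>--log-level=</option> described in" while the log-target entry has "<option>--log-target=</option>, described in", and the service-watchdogs term spells its argument "[yes|no]" where the systemctl help text added in this series uses "[BOOL]". Pick one form for each. The service-watchdogs sentence "then globally enables or disables ..." also lacks a subject, unlike the "then the command changes ..." wording of the two entries above it.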
@ -39,25 +39,6 @@
|
|||
<arg choice="opt" rep="repeat"><replaceable>UNIT</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>systemd-analyze</command>
|
||||
<arg choice="opt" rep="repeat">OPTIONS</arg>
|
||||
<arg choice="plain">log-level</arg>
|
||||
<arg choice="opt"><replaceable>LEVEL</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
<cmdsynopsis>
|
||||
<command>systemd-analyze</command>
|
||||
<arg choice="opt" rep="repeat">OPTIONS</arg>
|
||||
<arg choice="plain">log-target</arg>
|
||||
<arg choice="opt"><replaceable>TARGET</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
<cmdsynopsis>
|
||||
<command>systemd-analyze</command>
|
||||
<arg choice="opt" rep="repeat">OPTIONS</arg>
|
||||
<arg choice="plain">service-watchdogs</arg>
|
||||
<arg choice="opt"><replaceable>BOOL</replaceable></arg>
|
||||
</cmdsynopsis>
|
||||
|
||||
<cmdsynopsis>
|
||||
<command>systemd-analyze</command>
|
||||
<arg choice="opt" rep="repeat">OPTIONS</arg>
|
||||
|
@ -241,37 +222,6 @@ multi-user.target @47.820s
|
|||
</example>
|
||||
</refsect2>
|
||||
|
||||
<refsect2>
|
||||
<title><command>systemd-analyze log-level [<replaceable>LEVEL</replaceable>]</command></title>
|
||||
|
||||
<para><command>systemd-analyze log-level</command> prints the current log level of the
|
||||
<command>systemd</command> daemon. If an optional argument <replaceable>LEVEL</replaceable> is
|
||||
provided, then the command changes the current log level of the <command>systemd</command> daemon to
|
||||
<replaceable>LEVEL</replaceable> (accepts the same values as <option>--log-level=</option> described in
|
||||
<citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para>
|
||||
</refsect2>
|
||||
|
||||
<refsect2>
|
||||
<title><command>systemd-analyze log-target [<replaceable>TARGET</replaceable>]</command></title>
|
||||
|
||||
<para><command>systemd-analyze log-target</command> prints the current log target of the
|
||||
<command>systemd</command> daemon. If an optional argument <replaceable>TARGET</replaceable> is
|
||||
provided, then the command changes the current log target of the <command>systemd</command> daemon to
|
||||
<replaceable>TARGET</replaceable> (accepts the same values as <option>--log-target=</option>, described
|
||||
in <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>).</para>
|
||||
</refsect2>
|
||||
|
||||
<refsect2>
|
||||
<title><command>systemd-analyze service-watchdogs [yes|no]</command></title>
|
||||
|
||||
<para><command>systemd-analyze service-watchdogs</command> prints the current state of service runtime
|
||||
watchdogs of the <command>systemd</command> daemon. If an optional boolean argument is provided, then
|
||||
globally enables or disables the service runtime watchdogs (<option>WatchdogSec=</option>) and
|
||||
emergency actions (e.g. <option>OnFailure=</option> or <option>StartLimitAction=</option>); see
|
||||
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
|
||||
The hardware watchdog is not affected by this setting.</para>
|
||||
</refsect2>
|
||||
|
||||
<refsect2>
|
||||
<title><command>systemd-analyze dump</command></title>
|
||||
|
||||
|
|
|
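Review bot: Dropping the log-level, log-target and service-watchdogs sections here (and their synopsis entries in the previous hunk) leaves the man page silent about verbs that analyze.c still registers under "The following seven verbs are deprecated". Suggest keeping one short paragraph stating that these verbs are deprecated and pointing to the systemctl commands of the same name, so that users of existing scripts can find the replacement.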
@ -2166,8 +2166,8 @@ static int service_watchdogs(int argc, char *argv[], void *userdata) {
|
|||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to create bus connection: %m");
|
||||
|
||||
/* get ServiceWatchdogs */
|
||||
if (argc == 1) {
|
||||
/* get ServiceWatchdogs */
|
||||
r = sd_bus_get_property_trivial(
|
||||
bus,
|
||||
"org.freedesktop.systemd1",
|
||||
|
@ -2182,15 +2182,11 @@ static int service_watchdogs(int argc, char *argv[], void *userdata) {
|
|||
|
||||
printf("%s\n", yes_no(!!b));
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
} else {
|
||||
/* set ServiceWatchdogs */
|
||||
b = parse_boolean(argv[1]);
|
||||
if (b < 0) {
|
||||
log_error("Failed to parse service-watchdogs argument.");
|
||||
return -EINVAL;
|
||||
}
|
||||
if (b < 0)
|
||||
return log_error_errno(b, "Failed to parse service-watchdogs argument: %m");
|
||||
|
||||
r = sd_bus_set_property(
|
||||
bus,
|
||||
|
@ -2203,6 +2199,7 @@ static int service_watchdogs(int argc, char *argv[], void *userdata) {
|
|||
b);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to set service-watchdog state: %s", bus_error_message(&error, r));
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
@ -2246,13 +2243,11 @@ static int help(int argc, char *argv[], void *userdata) {
|
|||
printf("%s [OPTIONS...] COMMAND ...\n\n"
|
||||
"%sProfile systemd, show unit dependencies, check unit files.%s\n"
|
||||
"\nCommands:\n"
|
||||
" time Print time spent in the kernel\n"
|
||||
" [time] Print time required to boot the machine\n"
|
||||
" blame Print list of running units ordered by time to init\n"
|
||||
" critical-chain [UNIT...] Print a tree of the time critical chain of units\n"
|
||||
" plot Output SVG graphic showing service initialization\n"
|
||||
" dot [UNIT...] Output dependency graph in %s format\n"
|
||||
" log-level [LEVEL] Get/set logging threshold for manager\n"
|
||||
" log-target [TARGET] Get/set logging target for manager\n"
|
||||
" dump Output state serialization of service manager\n"
|
||||
" cat-config Show configuration file and drop-ins\n"
|
||||
" unit-files List files and symlinks for units\n"
|
||||
|
@ -2261,7 +2256,6 @@ static int help(int argc, char *argv[], void *userdata) {
|
|||
" syscall-filter [NAME...] Print list of syscalls in seccomp filter\n"
|
||||
" condition CONDITION... Evaluate conditions and asserts\n"
|
||||
" verify FILE... Check unit files for correctness\n"
|
||||
" service-watchdogs [BOOL] Get/set service watchdog state\n"
|
||||
" calendar SPEC... Validate repetitive calendar time events\n"
|
||||
" timestamp TIMESTAMP... Validate a timestamp\n"
|
||||
" timespan SPAN... Validate a time span\n"
|
||||
|
@ -2482,13 +2476,14 @@ static int run(int argc, char *argv[]) {
|
|||
{ "critical-chain", VERB_ANY, VERB_ANY, 0, analyze_critical_chain },
|
||||
{ "plot", VERB_ANY, 1, 0, analyze_plot },
|
||||
{ "dot", VERB_ANY, VERB_ANY, 0, dot },
|
||||
/* The following seven verbs are deprecated */
|
||||
{ "log-level", VERB_ANY, 2, 0, get_or_set_log_level },
|
||||
{ "log-target", VERB_ANY, 2, 0, get_or_set_log_target },
|
||||
/* The following four verbs are deprecated aliases */
|
||||
{ "set-log-level", 2, 2, 0, set_log_level },
|
||||
{ "get-log-level", VERB_ANY, 1, 0, get_log_level },
|
||||
{ "set-log-target", 2, 2, 0, set_log_target },
|
||||
{ "get-log-target", VERB_ANY, 1, 0, get_log_target },
|
||||
{ "service-watchdogs", VERB_ANY, 2, 0, service_watchdogs },
|
||||
{ "dump", VERB_ANY, 1, 0, dump },
|
||||
{ "cat-config", 2, VERB_ANY, 0, cat_config },
|
||||
{ "unit-files", VERB_ANY, VERB_ANY, 0, do_unit_files },
|
||||
|
@ -2500,7 +2495,6 @@ static int run(int argc, char *argv[]) {
|
|||
{ "calendar", 2, VERB_ANY, 0, test_calendar },
|
||||
{ "timestamp", 2, VERB_ANY, 0, test_timestamp },
|
||||
{ "timespan", 2, VERB_ANY, 0, dump_timespan },
|
||||
{ "service-watchdogs", VERB_ANY, 2, 0, service_watchdogs },
|
||||
{ "security", VERB_ANY, VERB_ANY, 0, do_security },
|
||||
{}
|
||||
};
|
||||
|
|
|
@ -220,7 +220,7 @@ int efi_set_variable_string(sd_id128_t vendor, const char *name, const char *v)
|
|||
return efi_set_variable(vendor, name, u16, (char16_strlen(u16) + 1) * sizeof(char16_t));
|
||||
}
|
||||
|
||||
int efi_systemd_options_variable(char **line) {
|
||||
int systemd_efi_options_variable(char **line) {
|
||||
const char *e;
|
||||
int r;
|
||||
|
||||
|
|
|
@ -28,7 +28,7 @@ int efi_get_variable_string(sd_id128_t vendor, const char *name, char **p);
|
|||
int efi_set_variable(sd_id128_t vendor, const char *name, const void *value, size_t size);
|
||||
int efi_set_variable_string(sd_id128_t vendor, const char *name, const char *p);
|
||||
|
||||
int efi_systemd_options_variable(char **line);
|
||||
int systemd_efi_options_variable(char **line);
|
||||
|
||||
#else
|
||||
|
||||
|
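Review bot: The new name systemd_efi_options_variable() drops the efi_ prefix that every neighbouring declaration in this header carries (efi_get_variable_string(), efi_set_variable(), efi_set_variable_string()), so it no longer groups with them. If the intent is to match $SYSTEMD_EFI_OPTIONS and the renamed bootctl verb, say so in a one-line comment above the declaration; otherwise keep the prefix.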
@ -52,7 +52,7 @@ static inline int efi_set_variable_string(sd_id128_t vendor, const char *name, c
|
|||
return -EOPNOTSUPP;
|
||||
}
|
||||
|
||||
static inline int efi_systemd_options_variable(char **line) {
|
||||
static inline int systemd_efi_options_variable(char **line) {
|
||||
return -ENODATA;
|
||||
}
|
||||
|
||||
|
|
|
@ -94,3 +94,10 @@ static inline bool ERRNO_IS_NOT_SUPPORTED(int r) {
|
|||
ENOTTY,
|
||||
ENOSYS);
|
||||
}
|
||||
|
||||
/* Two different errors for access problems */
|
||||
static inline bool ERRNO_IS_PRIVILEGE(int r) {
|
||||
return IN_SET(abs(r),
|
||||
EACCES,
|
||||
EPERM);
|
||||
}
|
||||
|
|
|
@ -119,7 +119,7 @@ int proc_cmdline_parse(proc_cmdline_parse_t parse_item, void *data, ProcCmdlineF
|
|||
|
||||
/* We parse the EFI variable first, because later settings have higher priority. */
|
||||
|
||||
r = efi_systemd_options_variable(&line);
|
||||
r = systemd_efi_options_variable(&line);
|
||||
if (r < 0 && r != -ENODATA)
|
||||
log_debug_errno(r, "Failed to get SystemdOptions EFI variable, ignoring: %m");
|
||||
|
||||
|
@ -250,7 +250,7 @@ int proc_cmdline_get_key(const char *key, ProcCmdlineFlags flags, char **ret_val
|
|||
return r;
|
||||
|
||||
line = mfree(line);
|
||||
r = efi_systemd_options_variable(&line);
|
||||
r = systemd_efi_options_variable(&line);
|
||||
if (r == -ENODATA)
|
||||
return false; /* Not found */
|
||||
if (r < 0)
|
||||
|
|
|
@ -1033,7 +1033,7 @@ static int help(int argc, char *argv[], void *userdata) {
|
|||
return log_oom();
|
||||
|
||||
printf("%s [OPTIONS...] COMMAND ...\n"
|
||||
"\n%sInstall, update or remove the systemd-boot EFI boot manager.%s\n"
|
||||
"\n%sInstall/update/remove the systemd-boot EFI boot manager and list/select entries.%s\n"
|
||||
"\nBoot Loader Commands:\n"
|
||||
" status Show status of installed systemd-boot and EFI variables\n"
|
||||
" install Install systemd-boot to the ESP and EFI variables\n"
|
||||
|
@ -1041,7 +1041,7 @@ static int help(int argc, char *argv[], void *userdata) {
|
|||
" remove Remove systemd-boot from the ESP and EFI variables\n"
|
||||
" is-installed Test whether systemd-boot is installed in the ESP\n"
|
||||
" random-seed Initialize random seed in ESP and EFI variables\n"
|
||||
" system-options Query or set system options string in EFI variable\n"
|
||||
" systemd-efi-options Query or set system options string in EFI variable\n"
|
||||
"\nBoot Loader Entries Commands:\n"
|
||||
" list List boot loader entries\n"
|
||||
" set-default ID Set default boot loader entry\n"
|
||||
|
@ -1716,17 +1716,17 @@ static int verb_random_seed(int argc, char *argv[], void *userdata) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int verb_system_options(int argc, char *argv[], void *userdata) {
|
||||
static int verb_systemd_efi_options(int argc, char *argv[], void *userdata) {
|
||||
int r;
|
||||
|
||||
if (argc == 1) {
|
||||
_cleanup_free_ char *line = NULL;
|
||||
|
||||
r = efi_systemd_options_variable(&line);
|
||||
r = systemd_efi_options_variable(&line);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to query SystemdOptions EFI variable: %m");
|
||||
|
||||
printf("SystemdOptions: %s\n", line);
|
||||
puts(line);
|
||||
|
||||
} else {
|
||||
r = efi_set_variable_string(EFI_VENDOR_SYSTEMD, "SystemdOptions", argv[1]);
|
||||
|
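Review bot: In the argc == 1 branch every r < 0 from systemd_efi_options_variable() is reported as "Failed to query SystemdOptions EFI variable", including -ENODATA, which proc_cmdline_get_key() treats as "Not found" and which the non-EFI stub returns unconditionally. Suggest handling -ENODATA separately so that an unset variable is not presented as a query failure. The switch from printf("SystemdOptions: %s\n", line) to puts(line) also changes the output format and deserves a mention in the commit message.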
@ -1749,7 +1749,7 @@ static int bootctl_main(int argc, char *argv[]) {
|
|||
{ "set-default", 2, 2, 0, verb_set_default },
|
||||
{ "set-oneshot", 2, 2, 0, verb_set_default },
|
||||
{ "random-seed", VERB_ANY, 1, 0, verb_random_seed },
|
||||
{ "system-options", VERB_ANY, 2, 0, verb_system_options },
|
||||
{ "systemd-efi-options", VERB_ANY, 2, 0, verb_systemd_efi_options },
|
||||
{}
|
||||
};
|
||||
|
||||
|
|
|
@ -2459,6 +2459,40 @@ finish:
|
|||
return r;
|
||||
}
|
||||
|
||||
static bool insist_on_sandboxing(
|
||||
const ExecContext *context,
|
||||
const char *root_dir,
|
||||
const char *root_image,
|
||||
const BindMount *bind_mounts,
|
||||
size_t n_bind_mounts) {
|
||||
|
||||
size_t i;
|
||||
|
||||
assert(context);
|
||||
assert(n_bind_mounts == 0 || bind_mounts);
|
||||
|
||||
/* Checks whether we need to insist on fs namespacing. i.e. whether we have settings configured that
|
||||
* would alter the view on the file system beyond making things read-only or invisble, i.e. would
|
||||
* rearrange stuff in a way we cannot ignore gracefully. */
|
||||
|
||||
if (context->n_temporary_filesystems > 0)
|
||||
return true;
|
||||
|
||||
if (root_dir || root_image)
|
||||
return true;
|
||||
|
||||
if (context->dynamic_user)
|
||||
return true;
|
||||
|
||||
/* If there are any bind mounts set that don't map back onto themselves, fs namespacing becomes
|
||||
* essential. */
|
||||
for (i = 0; i < n_bind_mounts; i++)
|
||||
if (!path_equal(bind_mounts[i].source, bind_mounts[i].destination))
|
||||
return true;
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
static int apply_mount_namespace(
|
||||
const Unit *u,
|
||||
const ExecCommand *command,
|
||||
|
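Review bot: Typo in the comment of insist_on_sandboxing(): "invisble" should be "invisible". The comment would also be clearer if it stated the consequence for the caller, namely that a true return turns the ENOANO fallback in apply_mount_namespace() into a hard -EOPNOTSUPP failure.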
@ -2545,28 +2579,28 @@ static int apply_mount_namespace(
|
|||
DISSECT_IMAGE_DISCARD_ON_LOOP,
|
||||
error_path);
|
||||
|
||||
bind_mount_free_many(bind_mounts, n_bind_mounts);
|
||||
|
||||
/* If we couldn't set up the namespace this is probably due to a missing capability. setup_namespace() reports
|
||||
* that with a special, recognizable error ENOANO. In this case, silently proceed, but only if exclusively
|
||||
* sandboxing options were used, i.e. nothing such as RootDirectory= or BindMount= that would result in a
|
||||
* completely different execution environment. */
|
||||
if (r == -ENOANO) {
|
||||
if (n_bind_mounts == 0 &&
|
||||
context->n_temporary_filesystems == 0 &&
|
||||
!root_dir && !root_image &&
|
||||
!context->dynamic_user) {
|
||||
log_unit_debug(u, "Failed to set up namespace, assuming containerized execution and ignoring.");
|
||||
return 0;
|
||||
}
|
||||
|
||||
if (insist_on_sandboxing(
|
||||
context,
|
||||
root_dir, root_image,
|
||||
bind_mounts,
|
||||
n_bind_mounts)) {
|
||||
log_unit_debug(u, "Failed to set up namespace, and refusing to continue since the selected namespacing options alter mount environment non-trivially.\n"
|
||||
"Bind mounts: %zu, temporary filesystems: %zu, root directory: %s, root image: %s, dynamic user: %s",
|
||||
n_bind_mounts, context->n_temporary_filesystems, yes_no(root_dir), yes_no(root_image), yes_no(context->dynamic_user));
|
||||
|
||||
return -EOPNOTSUPP;
|
||||
r = -EOPNOTSUPP;
|
||||
} else {
|
||||
log_unit_debug(u, "Failed to set up namespace, assuming containerized execution and ignoring.");
|
||||
r = 0;
|
||||
}
|
||||
}
|
||||
|
||||
bind_mount_free_many(bind_mounts, n_bind_mounts);
|
||||
return r;
|
||||
}
|
||||
|
||||
|
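Review bot: The refusal branch sets r = -EOPNOTSUPP but explains why only through log_unit_debug(), so at the default log level the unit fails with no visible reason; the other branch, which drops the configured sandboxing and continues, is logged at debug level too. Suggest raising at least the refusal to a warning or error unless the caller is known to report it. The refusal message also embeds "\n" in the format string; a single line or two separate log calls would be easier to read in the journal.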
@ -3414,9 +3448,13 @@ static int exec_child(
|
|||
if (context->protect_hostname) {
|
||||
if (ns_type_supported(NAMESPACE_UTS)) {
|
||||
if (unshare(CLONE_NEWUTS) < 0) {
|
||||
if (!ERRNO_IS_NOT_SUPPORTED(errno) && !ERRNO_IS_PRIVILEGE(errno)) {
|
||||
*exit_status = EXIT_NAMESPACE;
|
||||
return log_unit_error_errno(unit, errno, "Failed to set up UTS namespacing: %m");
|
||||
}
|
||||
|
||||
log_unit_warning(unit, "ProtectHostname=yes is configured, but UTS namespace setup is prohibited (container manager?), ignoring namespace setup.");
|
||||
}
|
||||
} else
|
||||
log_unit_warning(unit, "ProtectHostname=yes is configured, but the kernel does not support UTS namespaces, ignoring namespace setup.");
|
||||
#if HAVE_SECCOMP
|
||||
|
|
|
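Review bot: The new warning after the failed unshare(CLONE_NEWUTS) says UTS namespace setup "is prohibited (container manager?)", but the branch is also reached for ERRNO_IS_NOT_SUPPORTED errors, and the actual errno is dropped. Suggest log_unit_warning_errno(unit, errno, "...: %m") with wording that covers both cases, so an operator can tell from the log why ProtectHostname=yes was not enforced for this service.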
@ -501,18 +501,14 @@ fail:
|
|||
|
||||
static bool path_check_good(Path *p, bool initial) {
|
||||
PathSpec *s;
|
||||
bool good = false;
|
||||
|
||||
assert(p);
|
||||
|
||||
LIST_FOREACH(spec, s, p->specs) {
|
||||
good = path_spec_check_good(s, initial);
|
||||
LIST_FOREACH(spec, s, p->specs)
|
||||
if (path_spec_check_good(s, initial))
|
||||
return true;
|
||||
|
||||
if (good)
|
||||
break;
|
||||
}
|
||||
|
||||
return good;
|
||||
return false;
|
||||
}
|
||||
|
||||
static void path_enter_waiting(Path *p, bool initial, bool recheck) {
|
||||
|
|
|
@ -12,7 +12,7 @@
|
|||
#include "verbs.h"
|
||||
|
||||
static Id128PrettyPrintMode arg_mode = ID128_PRINT_ID128;
|
||||
static sd_id128_t arg_app = SD_ID128_NULL;
|
||||
static sd_id128_t arg_app = {};
|
||||
|
||||
static int verb_new(int argc, char **argv, void *userdata) {
|
||||
return id128_print_new(arg_mode);
|
||||
|
|
|
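Review bot: The change of arg_app from SD_ID128_NULL to "= {}" is unexplained, and an empty initializer list is not standard C before C23. arg_app has static storage duration and is zero-initialized anyway, so the initializer can simply be dropped; if it is kept for readability, add a short comment on why SD_ID128_NULL cannot be used here.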
@ -6343,6 +6343,145 @@ static int switch_root(int argc, char *argv[], void *userdata) {
|
|||
return 0;
|
||||
}
|
||||
|
||||
static int log_level(int argc, char *argv[], void *userdata) {
|
||||
sd_bus *bus;
|
||||
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
|
||||
int r;
|
||||
|
||||
r = acquire_bus(BUS_MANAGER, &bus);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (argc == 1) {
|
||||
_cleanup_free_ char *level = NULL;
|
||||
|
||||
r = sd_bus_get_property_string(
|
||||
bus,
|
||||
"org.freedesktop.systemd1",
|
||||
"/org/freedesktop/systemd1",
|
||||
"org.freedesktop.systemd1.Manager",
|
||||
"LogLevel",
|
||||
&error,
|
||||
&level);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to get log level: %s", bus_error_message(&error, r));
|
||||
|
||||
puts(level);
|
||||
|
||||
} else {
|
||||
assert(argc == 2);
|
||||
|
||||
r = sd_bus_set_property(
|
||||
bus,
|
||||
"org.freedesktop.systemd1",
|
||||
"/org/freedesktop/systemd1",
|
||||
"org.freedesktop.systemd1.Manager",
|
||||
"LogLevel",
|
||||
&error,
|
||||
"s",
|
||||
argv[1]);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to set log level: %s", bus_error_message(&error, r));
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int log_target(int argc, char *argv[], void *userdata) {
|
||||
sd_bus *bus;
|
||||
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
|
||||
int r;
|
||||
|
||||
r = acquire_bus(BUS_MANAGER, &bus);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (argc == 1) {
|
||||
_cleanup_free_ char *target = NULL;
|
||||
|
||||
r = sd_bus_get_property_string(
|
||||
bus,
|
||||
"org.freedesktop.systemd1",
|
||||
"/org/freedesktop/systemd1",
|
||||
"org.freedesktop.systemd1.Manager",
|
||||
"LogTarget",
|
||||
&error,
|
||||
&target);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to get log target: %s", bus_error_message(&error, r));
|
||||
|
||||
puts(target);
|
||||
|
||||
} else {
|
||||
assert(argc == 2);
|
||||
|
||||
r = sd_bus_set_property(
|
||||
bus,
|
||||
"org.freedesktop.systemd1",
|
||||
"/org/freedesktop/systemd1",
|
||||
"org.freedesktop.systemd1.Manager",
|
||||
"LogTarget",
|
||||
&error,
|
||||
"s",
|
||||
argv[1]);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to set log target: %s", bus_error_message(&error, r));
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int service_watchdogs(int argc, char *argv[], void *userdata) {
|
||||
sd_bus *bus;
|
||||
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
|
||||
int b, r;
|
||||
|
||||
assert(argv);
|
||||
|
||||
r = acquire_bus(BUS_MANAGER, &bus);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (argc == 1) {
|
||||
/* get ServiceWatchdogs */
|
||||
r = sd_bus_get_property_trivial(
|
||||
bus,
|
||||
"org.freedesktop.systemd1",
|
||||
"/org/freedesktop/systemd1",
|
||||
"org.freedesktop.systemd1.Manager",
|
||||
"ServiceWatchdogs",
|
||||
&error,
|
||||
'b',
|
||||
&b);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to get service-watchdog state: %s", bus_error_message(&error, r));
|
||||
|
||||
printf("%s\n", yes_no(!!b));
|
||||
|
||||
} else {
|
||||
/* set ServiceWatchdogs */
|
||||
assert(argc == 2);
|
||||
|
||||
b = parse_boolean(argv[1]);
|
||||
if (b < 0)
|
||||
return log_error_errno(b, "Failed to parse service-watchdogs argument: %m");
|
||||
|
||||
r = sd_bus_set_property(
|
||||
bus,
|
||||
"org.freedesktop.systemd1",
|
||||
"/org/freedesktop/systemd1",
|
||||
"org.freedesktop.systemd1.Manager",
|
||||
"ServiceWatchdogs",
|
||||
&error,
|
||||
"b",
|
||||
b);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to set service-watchdog state: %s", bus_error_message(&error, r));
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int set_environment(int argc, char *argv[], void *userdata) {
|
||||
_cleanup_(sd_bus_error_free) sd_bus_error error = SD_BUS_ERROR_NULL;
|
||||
_cleanup_(sd_bus_message_unrefp) sd_bus_message *m = NULL;
|
||||
|
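Review bot: log_level() and log_target() are identical except for the property name ("LogLevel" vs "LogTarget") and the words in the two error messages, and service_watchdogs() is now carried in both analyze.c and systemctl.c. Suggest one helper that takes the property name and a description string for the two string properties, and sharing the watchdog implementation, so that a later fix does not have to be made in three places. Minor: service_watchdogs() has assert(argv) while the two new functions dereference argv[1] without it.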
@ -7727,7 +7866,7 @@ static int systemctl_help(void) {
|
|||
" units\n"
|
||||
" list-dependencies [UNIT] Recursively show units which are required\n"
|
||||
" or wanted by this unit or by which this\n"
|
||||
" unit is required or wanted\n"
|
||||
" unit is required or wanted"
|
||||
"\n%3$sUnit File Commands:%4$s\n"
|
||||
" list-unit-files [PATTERN...] List installed unit files\n"
|
||||
" enable [UNIT...|PATH...] Enable one or more unit files\n"
|
||||
|
@ -7752,7 +7891,7 @@ static int systemctl_help(void) {
|
|||
" get-default Get the name of the default target\n"
|
||||
" set-default TARGET Set the default target\n"
|
||||
"\n%3$sMachine Commands:%4$s\n"
|
||||
" list-machines [PATTERN...] List local containers and host\n\n"
|
||||
" list-machines [PATTERN...] List local containers and host\n"
|
||||
"\n%3$sJob Commands:%4$s\n"
|
||||
" list-jobs [PATTERN...] List jobs\n"
|
||||
" cancel [JOB...] Cancel all, one, or more jobs\n"
|
||||
|
@ -7760,10 +7899,13 @@ static int systemctl_help(void) {
|
|||
" show-environment Dump environment\n"
|
||||
" set-environment VARIABLE=VALUE... Set one or more environment variables\n"
|
||||
" unset-environment VARIABLE... Unset one or more environment variables\n"
|
||||
" import-environment [VARIABLE...] Import all or some environment variables\n\n"
|
||||
"\n%3$sManager Lifecycle Commands:%4$s\n"
|
||||
" import-environment [VARIABLE...] Import all or some environment variables\n"
|
||||
"\n%3$sManager State Commands:%4$s\n"
|
||||
" daemon-reload Reload systemd manager configuration\n"
|
||||
" daemon-reexec Reexecute systemd manager\n"
|
||||
" log-level [LEVEL] Get/set logging threshold for manager\n"
|
||||
" log-target [TARGET] Get/set logging target for manager\n"
|
||||
" service-watchdogs [BOOL] Get/set service watchdog state\n"
|
||||
"\n%3$sSystem Commands:%4$s\n"
|
||||
" is-system-running Check whether system is fully running\n"
|
||||
" default Enter system default mode\n"
|
||||
|
@ -7779,38 +7921,34 @@ static int systemctl_help(void) {
|
|||
" hibernate Hibernate the system\n"
|
||||
" hybrid-sleep Hibernate and suspend the system\n"
|
||||
" suspend-then-hibernate Suspend the system, wake after a period of\n"
|
||||
" time and put it into hibernate\n"
|
||||
" time, and hibernate"
|
||||
"\n%3$sOptions:%4$s\n"
|
||||
" -h --help Show this help\n"
|
||||
" --version Show package version\n"
|
||||
" --system Connect to system manager\n"
|
||||
" --user Connect to user service manager\n"
|
||||
" -H --host=[USER@]HOST\n"
|
||||
" Operate on remote host\n"
|
||||
" -M --machine=CONTAINER\n"
|
||||
" Operate on local container\n"
|
||||
" -H --host=[USER@]HOST Operate on remote host\n"
|
||||
" -M --machine=CONTAINER Operate on a local container\n"
|
||||
" -t --type=TYPE List units of a particular type\n"
|
||||
" --state=STATE List units with particular LOAD or SUB or ACTIVE state\n"
|
||||
" --failed Shorcut for --state=failed\n"
|
||||
" -p --property=NAME Show only properties by this name\n"
|
||||
" -a --all Show all properties/all units currently in memory,\n"
|
||||
" including dead/empty ones. To list all units installed on\n"
|
||||
" the system, use the 'list-unit-files' command instead.\n"
|
||||
" including dead/empty ones. To list all units installed\n"
|
||||
" on the system, use 'list-unit-files' instead.\n"
|
||||
" -l --full Don't ellipsize unit names on output\n"
|
||||
" -r --recursive Show unit list of host and local containers\n"
|
||||
" --reverse Show reverse dependencies with 'list-dependencies'\n"
|
||||
" --job-mode=MODE Specify how to deal with already queued jobs, when\n"
|
||||
" queueing a new job\n"
|
||||
" -T --show-transaction\n"
|
||||
" When enqueuing a unit job, show full transaction\n"
|
||||
" -T --show-transaction When enqueuing a unit job, show full transaction\n"
|
||||
" --show-types When showing sockets, explicitly show their type\n"
|
||||
" --value When showing properties, only print the value\n"
|
||||
" -i --ignore-inhibitors\n"
|
||||
" When shutting down or sleeping, ignore inhibitors\n"
|
||||
" --kill-who=WHO Who to send signal to\n"
|
||||
" -i --ignore-inhibitors When shutting down or sleeping, ignore inhibitors\n"
|
||||
" --kill-who=WHO Whom to send signal to\n"
|
||||
" -s --signal=SIGNAL Which signal to send\n"
|
||||
" --what=RESOURCES Which types of resources to remove\n"
|
||||
" --now Start or stop unit in addition to enabling or disabling it\n"
|
||||
" --now Start or stop unit after enabling or disabling it\n"
|
||||
" --dry-run Only print what would be done\n"
|
||||
" -q --quiet Suppress output\n"
|
||||
" --wait For (re)start, wait until service stopped again\n"
|
||||
|
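Review bot: This hunk polishes several option descriptions ("Who" to "Whom", the --now wording) but leaves the typo in the --failed line, "Shorcut for --state=failed"; please fix it to "Shortcut" while these strings are being edited.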
@ -7820,8 +7958,7 @@ static int systemctl_help(void) {
|
|||
" --no-reload Don't reload daemon after en-/dis-abling unit files\n"
|
||||
" --no-legend Do not print a legend (column headers and hints)\n"
|
||||
" --no-pager Do not pipe output into a pager\n"
|
||||
" --no-ask-password\n"
|
||||
" Do not ask for system passwords\n"
|
||||
" --no-ask-password Do not ask for system passwords\n"
|
||||
" --global Enable/disable/mask unit files globally\n"
|
||||
" --runtime Enable/disable/mask unit files temporarily until next\n"
|
||||
" reboot\n"
|
||||
|
@ -8986,6 +9123,9 @@ static int systemctl_main(int argc, char *argv[]) {
|
|||
{ "help", VERB_ANY, VERB_ANY, VERB_ONLINE_ONLY, show },
|
||||
{ "daemon-reload", VERB_ANY, 1, VERB_ONLINE_ONLY, daemon_reload },
|
||||
{ "daemon-reexec", VERB_ANY, 1, VERB_ONLINE_ONLY, daemon_reload },
|
||||
{ "log-level", VERB_ANY, 2, 0, log_level },
|
||||
{ "log-target", VERB_ANY, 2, 0, log_target },
|
||||
{ "service-watchdogs", VERB_ANY, 2, 0, service_watchdogs },
|
||||
{ "show-environment", VERB_ANY, 1, VERB_ONLINE_ONLY, show_environment },
|
||||
{ "set-environment", 2, VERB_ANY, VERB_ONLINE_ONLY, set_environment },
|
||||
{ "unset-environment", 2, VERB_ANY, VERB_ONLINE_ONLY, set_environment },
|
||||
|
|
|
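Review bot: The three new verbs are registered with flags 0, while the neighbouring daemon-reload, daemon-reexec and show-environment entries use VERB_ONLINE_ONLY. All three handlers start with acquire_bus(BUS_MANAGER, &bus) and cannot do anything without a running manager, so either use VERB_ONLINE_ONLY here as well or note in a comment why these verbs are exempt.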
@ -3,7 +3,6 @@ Description=Test for ReadOnlyPaths=
|
|||
|
||||
[Service]
|
||||
ReadOnlyPaths=/etc -/i-dont-exist /usr
|
||||
# From 6c47cd7d3bf35c8158a0737f34fe2c5dc95e72d6, RuntimeDirectory= implies BindPaths=.
|
||||
RuntimeDirectory=foo
|
||||
BindPaths=/etc:/tmp/etc2
|
||||
ExecStart=/bin/sh -x -c 'test ! -w /etc && test ! -w /usr && test ! -e /i-dont-exist && test -w /var'
|
||||
Type=oneshot
|
||||
|
|