bdd8728c91
...
de5d773ddf
| Author | SHA1 | Date | |
|---|---|---|---|
|
|
de5d773ddf | ||
|
|
6aaff2d532 | ||
|
|
597eed0aa8 | ||
|
|
9b72c358d4 | ||
|
|
9dd33dce76 | ||
|
|
0dc73c5253 | ||
|
|
2f5fb752a6 | ||
|
|
222dcf3bc2 | ||
|
|
bc54521855 | ||
|
|
6db162492b | ||
|
|
722d3f712a | ||
|
|
4d8c5c657a | ||
|
|
93ed79c0b0 | ||
|
|
8796164189 | ||
|
|
9adb4685df | ||
|
|
d4da97400c | ||
|
|
9cf6ad16dd | ||
|
|
e03e5056db | ||
|
|
db35a83fe9 | ||
|
|
e37e64e942 | ||
|
|
cbdbf68a72 | ||
|
|
2672108a1e | ||
|
|
b0f6d31f6f | ||
|
|
12ef7e0a2c | ||
|
|
01184496a2 | ||
|
|
c3c42b30dd | ||
|
|
3111327ca4 | ||
|
|
1403faeb15 | ||
|
|
56f003d164 | ||
|
|
7184f8366f | ||
|
|
9b75c41cb3 | ||
|
|
114c4b95df |
@ -2691,6 +2691,15 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
|
||||
or the restart rate limit is reached. See the <literal>RestartMode=</literal> section in
|
||||
<citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
|
||||
for more details.</para>
|
||||
|
||||
<para><varname>OOMKills</varname> contains a different value depending on whether
|
||||
<varname>OOMPolicy=kill</varname> is enabled for the unit or not. If enabled, the property contains the
|
||||
number of times the kernel OOM killer killed all the processes in the unit's cgroup and its
|
||||
descendant cgroups. If disabled, the property contains the number of processes the kernel OOM killer
|
||||
has killed in the unit's cgroup and its descendant cgroups.</para>
|
||||
|
||||
<para><varname>ManagedOOMKills</varname> contains the number of times <command>systemd-oomd</command>
|
||||
killed all the processes in the unit's cgroup and its descendant cgroups.</para>
|
||||
</refsect2>
|
||||
|
||||
<refsect2>
|
||||
@ -2900,6 +2909,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t IOWriteOperations = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t OOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t ManagedOOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly b Delegate = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly as DelegateControllers = ['...', ...];
|
||||
@ -4247,6 +4260,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2eservice {
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
|
||||
@ -5139,6 +5156,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t IOWriteOperations = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t OOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t ManagedOOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly b Delegate = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly as DelegateControllers = ['...', ...];
|
||||
@ -6486,6 +6507,10 @@ node /org/freedesktop/systemd1/unit/avahi_2ddaemon_2esocket {
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
|
||||
@ -7202,6 +7227,10 @@ node /org/freedesktop/systemd1/unit/home_2emount {
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t IOWriteOperations = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t OOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t ManagedOOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly b Delegate = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly as DelegateControllers = ['...', ...];
|
||||
@ -8379,6 +8408,10 @@ node /org/freedesktop/systemd1/unit/home_2emount {
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
|
||||
@ -9228,6 +9261,10 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t IOWriteOperations = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t OOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t ManagedOOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly b Delegate = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly as DelegateControllers = ['...', ...];
|
||||
@ -10369,6 +10406,10 @@ node /org/freedesktop/systemd1/unit/dev_2dsda3_2eswap {
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
|
||||
@ -11071,6 +11112,10 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t IOWriteOperations = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t OOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t ManagedOOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly b Delegate = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly as DelegateControllers = ['...', ...];
|
||||
@ -11436,6 +11481,10 @@ node /org/freedesktop/systemd1/unit/system_2eslice {
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
|
||||
@ -11647,6 +11696,10 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t IOWriteOperations = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t OOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly t ManagedOOMKills = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly b Delegate = ...;
|
||||
@org.freedesktop.DBus.Property.EmitsChangedSignal("false")
|
||||
readonly as DelegateControllers = ['...', ...];
|
||||
@ -12050,6 +12103,10 @@ node /org/freedesktop/systemd1/unit/session_2d1_2escope {
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="IOWriteOperations"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="OOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="ManagedOOMKills"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="Delegate"/>
|
||||
|
||||
<variablelist class="dbus-property" generated="True" extra-ref="DelegateControllers"/>
|
||||
@ -12459,6 +12516,8 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
|
||||
<varname>LogsDirectoryQuotaUsage</varname>,
|
||||
<varname>LogsDirectoryAccounting</varname>, and
|
||||
<function>KillSubgroup()</function> were added in version 258.</para>
|
||||
<para><varname>OOMKills</varname>, and
|
||||
<varname>ManagedOOMKills</varname> were added in 259.</para>
|
||||
</refsect2>
|
||||
<refsect2>
|
||||
<title>Socket Unit Objects</title>
|
||||
@ -12524,6 +12583,8 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
|
||||
<varname>LogsDirectoryQuotaUsage</varname>,
|
||||
<varname>LogsDirectoryAccounting</varname>, and
|
||||
<function>KillSubgroup()</function> were added in version 258.</para>
|
||||
<para><varname>OOMKills</varname>, and
|
||||
<varname>ManagedOOMKills</varname> were added in 259.</para>
|
||||
</refsect2>
|
||||
<refsect2>
|
||||
<title>Mount Unit Objects</title>
|
||||
@ -12584,6 +12645,8 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
|
||||
<varname>LogsDirectoryQuotaUsage</varname>,
|
||||
<varname>LogsDirectoryAccounting</varname>, and
|
||||
<function>KillSubgroup()</function> were added in version 258.</para>
|
||||
<para><varname>OOMKills</varname>, and
|
||||
<varname>ManagedOOMKills</varname> were added in 259.</para>
|
||||
</refsect2>
|
||||
<refsect2>
|
||||
<title>Swap Unit Objects</title>
|
||||
@ -12642,6 +12705,8 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
|
||||
<varname>LogsDirectoryQuotaUsage</varname>,
|
||||
<varname>LogsDirectoryAccounting</varname>, and
|
||||
<function>KillSubgroup()</function> were added in version 258.</para>
|
||||
<para><varname>OOMKills</varname>, and
|
||||
<varname>ManagedOOMKills</varname> were added in 259.</para>
|
||||
</refsect2>
|
||||
<refsect2>
|
||||
<title>Slice Unit Objects</title>
|
||||
@ -12672,6 +12737,8 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
|
||||
<varname>NCurrentlyActive</varname>,
|
||||
<function>RemoveSubgroup()</function>, and
|
||||
<function>KillSubgroup()</function> were added in version 258.</para>
|
||||
<para><varname>OOMKills</varname>, and
|
||||
<varname>ManagedOOMKills</varname> were added in 259.</para>
|
||||
</refsect2>
|
||||
<refsect2>
|
||||
<title>Scope Unit Objects</title>
|
||||
@ -12700,6 +12767,8 @@ $ gdbus introspect --system --dest org.freedesktop.systemd1 \
|
||||
<para><varname>ManagedOOMMemoryPressureDurationUSec</varname> was added in version 257.</para>
|
||||
<para><function>RemoveSubgroup()</function> and
|
||||
<function>KillSubgroup()</function> were added in version 258.</para>
|
||||
<para><varname>OOMKills</varname>, and
|
||||
<varname>ManagedOOMKills</varname> were added in 259.</para>
|
||||
</refsect2>
|
||||
<refsect2>
|
||||
<title>Job Objects</title>
|
||||
|
||||
@ -874,7 +874,7 @@
|
||||
|
||||
<listitem><para>Configures the list of PCRs to use for LUKS2 volumes configured with
|
||||
the <varname>Encrypt=tpm2</varname> setting in partition files.
|
||||
This option take the same parameters as the similary named options to
|
||||
This option take the same parameters as the similarly named options to
|
||||
<citerefentry><refentrytitle>systemd-cryptenroll</refentrytitle><manvolnum>1</manvolnum></citerefentry>
|
||||
and have the same effect on partitions where TPM2 enrollment is requested.
|
||||
This option will be overridden by the global <varname>--tpm2-pcrs=</varname> option.</para>
|
||||
|
||||
@ -45,7 +45,7 @@
|
||||
raised as client-generated reply to the method call.</para>
|
||||
|
||||
<para>This call is particularly useful for method calls issued via
|
||||
<function>sd_varlink_observe()</function> that shall remain open continously for a long time.</para>
|
||||
<function>sd_varlink_observe()</function> that shall remain open continuously for a long time.</para>
|
||||
</refsect1>
|
||||
|
||||
<refsect1>
|
||||
|
||||
@ -1187,6 +1187,7 @@ conf.set10('HAVE_ACL', libacl.found())
|
||||
libaudit = dependency('audit',
|
||||
required : get_option('audit'))
|
||||
conf.set10('HAVE_AUDIT', libaudit.found())
|
||||
libaudit_cflags = libaudit.partial_dependency(includes: true, compile_args: true)
|
||||
|
||||
libblkid = dependency('blkid',
|
||||
required : get_option('blkid'))
|
||||
@ -1305,11 +1306,6 @@ endif
|
||||
conf.set10('HAVE_LIBIDN', not have and libidn.found())
|
||||
conf.set10('HAVE_LIBIDN2', have)
|
||||
|
||||
libiptc = dependency('libiptc',
|
||||
required : get_option('libiptc'))
|
||||
conf.set10('HAVE_LIBIPTC', libiptc.found())
|
||||
libiptc_cflags = libiptc.partial_dependency(includes: true, compile_args: true)
|
||||
|
||||
libqrencode = dependency('libqrencode',
|
||||
version : '>= 3',
|
||||
required : get_option('qrencode'))
|
||||
@ -3052,7 +3048,6 @@ foreach tuple : [
|
||||
['libfido2'],
|
||||
['libidn'],
|
||||
['libidn2'],
|
||||
['libiptc'],
|
||||
['microhttpd'],
|
||||
['openssl'],
|
||||
['p11kit'],
|
||||
|
||||
@ -432,7 +432,7 @@ option('libidn2', type : 'feature', deprecated : { 'true' : 'enabled', 'false' :
|
||||
description : 'libidn2 support')
|
||||
option('libidn', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
|
||||
description : 'libidn support')
|
||||
option('libiptc', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
|
||||
option('libiptc', type : 'feature', deprecated : true,
|
||||
description : 'libiptc support')
|
||||
option('qrencode', type : 'feature', deprecated : { 'true' : 'enabled', 'false' : 'disabled' },
|
||||
description : 'libqrencode support')
|
||||
|
||||
@ -90,6 +90,7 @@ wrap=(
|
||||
socat
|
||||
sshd
|
||||
stat
|
||||
stress-ng
|
||||
su
|
||||
tar
|
||||
tgtd
|
||||
|
||||
@ -1,6 +1,5 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <unistd.h>
|
||||
|
||||
|
||||
@ -3,7 +3,6 @@
|
||||
#include <stdlib.h>
|
||||
|
||||
#include "ansi-color.h"
|
||||
#include "log.h"
|
||||
#include "process-util.h"
|
||||
#include "string-table.h"
|
||||
#include "string-util.h"
|
||||
|
||||
@ -126,12 +126,6 @@ const char* const systemd_features =
|
||||
" -IDN"
|
||||
#endif
|
||||
|
||||
#if HAVE_LIBIPTC
|
||||
" +IPTC"
|
||||
#else
|
||||
" -IPTC"
|
||||
#endif
|
||||
|
||||
#if HAVE_KMOD
|
||||
" +KMOD"
|
||||
#else
|
||||
|
||||
@ -6,7 +6,6 @@
|
||||
#include "alloc-util.h"
|
||||
#include "env-file.h"
|
||||
#include "env-util.h"
|
||||
#include "errno-util.h"
|
||||
#include "escape.h"
|
||||
#include "fd-util.h"
|
||||
#include "fileio.h"
|
||||
|
||||
@ -20,7 +20,6 @@
|
||||
#include "parse-util.h"
|
||||
#include "path-util.h"
|
||||
#include "process-util.h"
|
||||
#include "socket-util.h"
|
||||
#include "sort-util.h"
|
||||
#include "stat-util.h"
|
||||
#include "stdio-util.h"
|
||||
|
||||
@ -1,7 +1,6 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include "filesystems-gperf.h"
|
||||
#include "nulstr-util.h"
|
||||
#include "stat-util.h"
|
||||
#include "string-util.h"
|
||||
|
||||
|
||||
@ -39,7 +39,8 @@ char* format_bytes_full(char *buf, size_t l, uint64_t t, FormatBytesFlag flag) {
|
||||
(t / table[i + 1].factor * 10 / table[n - 1].factor) % 10 :
|
||||
(t * 10 / table[i].factor) % 10;
|
||||
|
||||
if (FLAGS_SET(flag, FORMAT_BYTES_BELOW_POINT) && remainder > 0)
|
||||
if (FLAGS_SET(flag, FORMAT_BYTES_ALWAYS_POINT) ||
|
||||
(FLAGS_SET(flag, FORMAT_BYTES_BELOW_POINT) && remainder > 0))
|
||||
(void) snprintf(buf, l,
|
||||
"%" PRIu64 ".%" PRIu64 "%s",
|
||||
t / table[i].factor,
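Review bot: The new FORMAT_BYTES_ALWAYS_POINT handling only applies on the path inside the unit loop; values below the smallest table factor are presumably formatted by the plain-integer fallthrough after the loop, which is outside this hunk, so "always" would not hold for byte-sized quantities — worth confirming and either routing that path through the same flag or documenting the exception. The compound condition would also read more clearly as a named boolean, `bool with_point = FLAGS_SET(flag, FORMAT_BYTES_ALWAYS_POINT) || (FLAGS_SET(flag, FORMAT_BYTES_BELOW_POINT) && remainder > 0);` followed by `if (with_point)`. format_bytes_full() begins and ends outside the hunk.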
|
||||
|
||||
@ -64,9 +64,10 @@ assert_cc(sizeof(gid_t) == sizeof(uint32_t));
|
||||
#endif
|
||||
|
||||
typedef enum {
|
||||
FORMAT_BYTES_USE_IEC = 1 << 0,
|
||||
FORMAT_BYTES_BELOW_POINT = 1 << 1,
|
||||
FORMAT_BYTES_TRAILING_B = 1 << 2,
|
||||
FORMAT_BYTES_USE_IEC = 1 << 0, /* use base 1024 rather than 1000 */
|
||||
FORMAT_BYTES_BELOW_POINT = 1 << 1, /* show one digit after the point, if non-zero */
|
||||
FORMAT_BYTES_ALWAYS_POINT = 1 << 2, /* show one digit after the point, always */
|
||||
FORMAT_BYTES_TRAILING_B = 1 << 3, /* suffix the expression with a "B" for "bytes" */
|
||||
} FormatBytesFlag;
|
||||
|
||||
#define FORMAT_BYTES_MAX 16U
|
||||
@ -82,6 +83,7 @@ static inline char* format_bytes(char *buf, size_t l, uint64_t t) {
|
||||
* see C11 §6.5.2.5, and
|
||||
* https://stackoverflow.com/questions/34880638/compound-literal-lifetime-and-if-blocks */
|
||||
#define FORMAT_BYTES(t) format_bytes((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t)
|
||||
#define FORMAT_BYTES_FULL(t, flag) format_bytes_full((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t, flag)
|
||||
#define FORMAT_BYTES_FULL(t, flags) format_bytes_full((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t, flags)
|
||||
#define FORMAT_BYTES_WITH_POINT(t) format_bytes_full((char[FORMAT_BYTES_MAX]){}, FORMAT_BYTES_MAX, t, FORMAT_BYTES_USE_IEC|FORMAT_BYTES_ALWAYS_POINT|FORMAT_BYTES_TRAILING_B)
|
||||
|
||||
#define FORMAT_BYTES_CGROUP_PROTECTION(t) (t == CGROUP_LIMIT_MAX ? "infinity" : FORMAT_BYTES(t))
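Review bot: Inserting FORMAT_BYTES_ALWAYS_POINT at `1 << 2` renumbers FORMAT_BYTES_TRAILING_B to `1 << 3`; that is harmless for callers using the enumerators, but anything that passed or stored the raw value 4 silently changes meaning, so appending the new flag as `1 << 3` and leaving TRAILING_B alone would be the safer choice. The new comment "show one digit after the point, always" should also state the interaction with FORMAT_BYTES_BELOW_POINT, which the .c change resolves in favour of ALWAYS_POINT — e.g. `/* show one digit after the point even when it is zero; takes precedence over FORMAT_BYTES_BELOW_POINT */`.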
|
||||
|
||||
@ -284,7 +284,6 @@ typedef struct ConfigTableItem ConfigTableItem;
|
||||
typedef struct CPUSet CPUSet;
|
||||
typedef struct FDSet FDSet;
|
||||
typedef struct Fido2HmacSalt Fido2HmacSalt;
|
||||
typedef struct FirewallContext FirewallContext;
|
||||
typedef struct GroupRecord GroupRecord;
|
||||
typedef struct Image Image;
|
||||
typedef struct ImagePolicy ImagePolicy;
|
||||
|
||||
@ -16,8 +16,8 @@
|
||||
#include "log.h"
|
||||
#include "namespace-util.h"
|
||||
#include "parse-util.h"
|
||||
#include "pidref.h"
|
||||
#include "process-util.h"
|
||||
#include "stat-util.h"
|
||||
#include "string-table.h"
|
||||
#include "string-util.h"
|
||||
#include "strv.h"
|
||||
@ -816,16 +816,19 @@ int running_in_chroot(void) {
|
||||
if (getenv_bool("SYSTEMD_IGNORE_CHROOT") > 0)
|
||||
return 0;
|
||||
|
||||
r = pidref_from_same_root_fs(&PIDREF_MAKE_FROM_PID(1), NULL);
|
||||
if (r == -ENOSYS) {
|
||||
r = inode_same("/proc/1/root", "/", /* flags = */ 0);
|
||||
if (r == -ENOENT) {
|
||||
r = proc_mounted();
|
||||
if (r == 0) {
|
||||
if (getpid_cached() == 1)
|
||||
return false; /* We will mount /proc, assuming we're not in a chroot. */
|
||||
|
||||
log_debug("/proc/ is not mounted, assuming we're in a chroot.");
|
||||
return true;
|
||||
}
|
||||
if (r == -ESRCH) /* We must have a fake /proc/, we can't do the check properly. */
|
||||
if (r > 0) /* If we have fake /proc/, we can't do the check properly. */
|
||||
return -ENOSYS;
|
||||
}
|
||||
if (r < 0)
|
||||
return r;
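Review bot: Only -ENOSYS from pidref_from_same_root_fs() falls back to the /proc/1/root comparison; every other error now reaches the caller through the trailing `if (r < 0) return r;`, whereas before this change the only error given special treatment was -ENOENT from inode_same(), so the set of errors callers can observe changes — presumably -ESRCH or a permission error when PID 1 is not visible or inspectable from an unprivileged PID namespace, though that depends on pidref_from_same_root_fs(), which is not visible here. If the narrowing is intended, say so above the call: `/* Only fall back to comparing /proc/1/root if the kernel lacks the primitive; visibility and permission errors are reported as-is. */`. running_in_chroot() starts outside the hunk, so the meaning of a positive return from the new helper is assumed to match inode_same()'s.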
|
||||
|
||||
|
||||
@ -28,12 +28,12 @@
|
||||
#include "fd-util.h"
|
||||
#include "fdset.h"
|
||||
#include "fileio.h"
|
||||
#include "firewall-util.h"
|
||||
#include "in-addr-prefix-util.h"
|
||||
#include "inotify-util.h"
|
||||
#include "ip-protocol-list.h"
|
||||
#include "limits-util.h"
|
||||
#include "manager.h"
|
||||
#include "netlink-internal.h"
|
||||
#include "nulstr-util.h"
|
||||
#include "parse-util.h"
|
||||
#include "path-util.h"
|
||||
@ -1335,12 +1335,10 @@ void unit_modify_nft_set(Unit *u, bool add) {
|
||||
if (!crt || crt->cgroup_id == 0)
|
||||
return;
|
||||
|
||||
if (!u->manager->fw_ctx) {
|
||||
r = fw_ctx_new_full(&u->manager->fw_ctx, /* init_tables= */ false);
|
||||
if (!u->manager->nfnl) {
|
||||
r = sd_nfnl_socket_open(&u->manager->nfnl);
|
||||
if (r < 0)
|
||||
return;
|
||||
|
||||
assert(u->manager->fw_ctx);
|
||||
}
|
||||
|
||||
CGroupContext *c = ASSERT_PTR(unit_get_cgroup_context(u));
|
||||
@ -1351,7 +1349,7 @@ void unit_modify_nft_set(Unit *u, bool add) {
|
||||
|
||||
uint64_t element = crt->cgroup_id;
|
||||
|
||||
r = nft_set_element_modify_any(u->manager->fw_ctx, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
|
||||
r = nft_set_element_modify_any(u->manager->nfnl, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "Failed to %s NFT set entry: family %s, table %s, set %s, cgroup %" PRIu64 ", ignoring: %m",
|
||||
add? "add" : "delete", nfproto_to_string(nft_set->nfproto), nft_set->table, nft_set->set, crt->cgroup_id);
|
||||
@ -3036,20 +3034,43 @@ int unit_check_oom(Unit *u) {
|
||||
if (!crt || !crt->cgroup_path)
|
||||
return 0;
|
||||
|
||||
CGroupContext *ctx = unit_get_cgroup_context(u);
|
||||
if (!ctx)
|
||||
return 0;
|
||||
|
||||
/* If memory.oom.group=1, then look up the oom_group_kill field, which reports how many times the
|
||||
* kernel killed every process recursively in this cgroup and its descendants, similar to
|
||||
* systemd-oomd. Because the memory.events.local file was only introduced in kernel 5.12, we fall
|
||||
* back to reading oom_kill if we can't find the file or field. */
|
||||
|
||||
if (ctx->memory_oom_group) {
|
||||
r = cg_get_keyed_attribute(
|
||||
"memory",
|
||||
crt->cgroup_path,
|
||||
"memory.events.local",
|
||||
STRV_MAKE("oom_group_kill"),
|
||||
&oom_kill);
|
||||
if (r < 0 && !IN_SET(r, -ENOENT, -ENXIO))
|
||||
return log_unit_debug_errno(u, r, "Failed to read oom_group_kill field of memory.events.local cgroup attribute, ignoring: %m");
|
||||
}
|
||||
|
||||
if (isempty(oom_kill)) {
|
||||
r = cg_get_keyed_attribute(
|
||||
"memory",
|
||||
crt->cgroup_path,
|
||||
"memory.events",
|
||||
STRV_MAKE("oom_kill"),
|
||||
&oom_kill);
|
||||
if (IN_SET(r, -ENOENT, -ENXIO)) /* Handle gracefully if cgroup or oom_kill attribute don't exist */
|
||||
c = 0;
|
||||
else if (r < 0)
|
||||
if (r < 0 && !IN_SET(r, -ENOENT, -ENXIO))
|
||||
return log_unit_debug_errno(u, r, "Failed to read oom_kill field of memory.events cgroup attribute: %m");
|
||||
}
|
||||
|
||||
if (!oom_kill)
|
||||
c = 0;
|
||||
else {
|
||||
r = safe_atou64(oom_kill, &c);
|
||||
if (r < 0)
|
||||
return log_unit_debug_errno(u, r, "Failed to parse oom_kill field: %m");
|
||||
return log_unit_debug_errno(u, r, "Failed to parse memory.events cgroup oom field: %m");
|
||||
}
|
||||
|
||||
increased = c > crt->oom_kill_last;
|
||||
@ -3061,7 +3082,7 @@ int unit_check_oom(Unit *u) {
|
||||
log_unit_struct(u, LOG_NOTICE,
|
||||
LOG_MESSAGE_ID(SD_MESSAGE_UNIT_OUT_OF_MEMORY_STR),
|
||||
LOG_UNIT_INVOCATION_ID(u),
|
||||
LOG_UNIT_MESSAGE(u, "A process of this unit has been killed by the OOM killer."));
|
||||
LOG_UNIT_MESSAGE(u, "The kernel OOM killer killed some processes in this unit."));
|
||||
|
||||
unit_notify_cgroup_oom(u, /* managed_oom= */ false);
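Review bot: The two branches in unit_check_oom() read differently scoped files — per the cgroup-v2 documentation `memory.events.local` counts only events on the cgroup itself, while the `memory.events` fallback is hierarchical — so with memory_oom_group set the count would exclude group kills whose OOM domain was a descendant cgroup, which does not match the "and its descendant cgroups" wording of the OOMKills documentation on this page. If the local file is chosen deliberately, the comment should say why and the documentation should be aligned; the "kernel 5.12" attribution in the comment also looks doubtful to me, since the local file predates the oom_group_kill key, and deserves a check against the kernel history. Because the fallback silently switches to the per-process oom_kill counter on kernels without the key, the property changes meaning with the kernel version; a `log_unit_debug(u, "oom_group_kill not available, falling back to oom_kill.");` at the fallback would make that visible. unit_check_oom() starts outside the hunk.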
|
||||
|
||||
|
||||
@ -9,7 +9,6 @@
|
||||
#include "cgroup-util.h"
|
||||
#include "dbus-cgroup.h"
|
||||
#include "escape.h"
|
||||
#include "firewall-util.h"
|
||||
#include "in-addr-prefix-util.h"
|
||||
#include "limits-util.h"
|
||||
#include "manager.h"
|
||||
|
||||
@ -1295,6 +1295,42 @@ static int property_get_cgroup_id(
|
||||
return sd_bus_message_append(reply, "t", crt ? crt->cgroup_id : UINT64_C(0));
|
||||
}
|
||||
|
||||
static int property_get_oom_kills(
|
||||
sd_bus *bus,
|
||||
const char *path,
|
||||
const char *interface,
|
||||
const char *property,
|
||||
sd_bus_message *reply,
|
||||
void *userdata,
|
||||
sd_bus_error *error) {
|
||||
|
||||
Unit *u = ASSERT_PTR(userdata);
|
||||
|
||||
assert(bus);
|
||||
assert(reply);
|
||||
|
||||
CGroupRuntime *crt = unit_get_cgroup_runtime(u);
|
||||
return sd_bus_message_append(reply, "t", crt ? crt->oom_kill_last : UINT64_MAX);
|
||||
}
|
||||
|
||||
static int property_get_managed_oom_kills(
|
||||
sd_bus *bus,
|
||||
const char *path,
|
||||
const char *interface,
|
||||
const char *property,
|
||||
sd_bus_message *reply,
|
||||
void *userdata,
|
||||
sd_bus_error *error) {
|
||||
|
||||
Unit *u = ASSERT_PTR(userdata);
|
||||
|
||||
assert(bus);
|
||||
assert(reply);
|
||||
|
||||
CGroupRuntime *crt = unit_get_cgroup_runtime(u);
|
||||
return sd_bus_message_append(reply, "t", crt ? crt->managed_oom_kill_last : UINT64_MAX);
|
||||
}
|
||||
|
||||
static int append_process(sd_bus_message *reply, const char *p, PidRef *pid, Set *pids) {
|
||||
_cleanup_free_ char *buf = NULL, *cmdline = NULL;
|
||||
int r;
|
||||
@ -1715,6 +1751,8 @@ const sd_bus_vtable bus_unit_cgroup_vtable[] = {
|
||||
SD_BUS_PROPERTY("IOReadOperations", "t", property_get_io_counter, 0, 0),
|
||||
SD_BUS_PROPERTY("IOWriteBytes", "t", property_get_io_counter, 0, 0),
|
||||
SD_BUS_PROPERTY("IOWriteOperations", "t", property_get_io_counter, 0, 0),
|
||||
SD_BUS_PROPERTY("OOMKills", "t", property_get_oom_kills, 0, 0),
|
||||
SD_BUS_PROPERTY("ManagedOOMKills", "t", property_get_managed_oom_kills, 0, 0),
|
||||
|
||||
SD_BUS_METHOD_WITH_ARGS("GetProcesses",
|
||||
SD_BUS_NO_ARGS,
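Review bot: property_get_oom_kills() and property_get_managed_oom_kills() return UINT64_MAX when the unit has no CGroupRuntime, but nothing documents that sentinel — the OOMKills/ManagedOOMKills description on this page only describes the counts, so a client cannot tell "not available" from a real value without reading the source. Add a comment on each getter, e.g. `/* UINT64_MAX means the counter is not available (the unit has no cgroup runtime). */`, and mention the sentinel in the property documentation. The values are the last polled `oom_kill_last`/`managed_oom_kill_last`, so reading the property does not refresh them; presumably intended, but worth stating in the same comment.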
|
||||
|
||||
@ -62,7 +62,6 @@
|
||||
#include "open-file.h"
|
||||
#include "osc-context.h"
|
||||
#include "path-util.h"
|
||||
#include "percent-util.h"
|
||||
#include "pidref.h"
|
||||
#include "proc-cmdline.h"
|
||||
#include "process-util.h"
|
||||
|
||||
@ -115,10 +115,6 @@ int kmod_setup(void) {
|
||||
/* This should never be a module */
|
||||
{ "unix", "/proc/net/unix", true, true, NULL },
|
||||
|
||||
#if HAVE_LIBIPTC
|
||||
/* netfilter is needed by networkd, nspawn among others, and cannot be autoloaded */
|
||||
{ "ip_tables", "/proc/net/ip_tables_names", false, false, NULL },
|
||||
#endif
|
||||
/* virtio_rng would be loaded by udev later, but real entropy might be needed very early */
|
||||
{ "virtio_rng", NULL, false, false, has_virtio_rng },
|
||||
|
||||
|
||||
@ -32,7 +32,6 @@
|
||||
#include "execute.h"
|
||||
#include "extract-word.h"
|
||||
#include "fd-util.h"
|
||||
#include "firewall-util.h"
|
||||
#include "fstab-util.h"
|
||||
#include "hashmap.h"
|
||||
#include "hexdecoct.h"
|
||||
|
||||
@ -12,6 +12,7 @@
|
||||
#include "sd-bus.h"
|
||||
#include "sd-daemon.h"
|
||||
#include "sd-messages.h"
|
||||
#include "sd-netlink.h"
|
||||
#include "sd-path.h"
|
||||
|
||||
#include "all-units.h"
|
||||
@ -1753,7 +1754,7 @@ Manager* manager_free(Manager *m) {
|
||||
free(m->watchdog_pretimeout_governor);
|
||||
free(m->watchdog_pretimeout_governor_overridden);
|
||||
|
||||
fw_ctx_free(m->fw_ctx);
|
||||
sd_netlink_unref(m->nfnl);
|
||||
|
||||
#if BPF_FRAMEWORK
|
||||
bpf_restrict_fs_destroy(m->restrict_fs);
|
||||
@ -3416,7 +3417,7 @@ void manager_send_unit_audit(Manager *m, Unit *u, int type, bool success) {
|
||||
}
|
||||
|
||||
msg = strjoina("unit=", p);
|
||||
if (audit_log_user_comm_message(audit_fd, type, msg, "systemd", NULL, NULL, NULL, success) < 0) {
|
||||
if (sym_audit_log_user_comm_message(audit_fd, type, msg, "systemd", NULL, NULL, NULL, success) < 0) {
|
||||
if (ERRNO_IS_PRIVILEGE(errno)) {
|
||||
/* We aren't allowed to send audit messages? Then let's not retry again. */
|
||||
log_debug_errno(errno, "Failed to send audit message, closing audit socket: %m");
|
||||
|
||||
@ -474,7 +474,7 @@ typedef struct Manager {
|
||||
sd_event_source *memory_pressure_event_source;
|
||||
|
||||
/* For NFTSet= */
|
||||
FirewallContext *fw_ctx;
|
||||
sd_netlink *nfnl;
|
||||
|
||||
/* Pin the systemd-executor binary, so that it never changes until re-exec, ensuring we don't have
|
||||
* serialization/deserialization compatibility issues during upgrades. */
|
||||
|
||||
@ -132,7 +132,7 @@ libcore_static = static_library(
|
||||
implicit_include_directories : false,
|
||||
c_args : ['-fvisibility=default'],
|
||||
dependencies : [libacl,
|
||||
libaudit,
|
||||
libaudit_cflags,
|
||||
libblkid,
|
||||
libdl,
|
||||
libm,
|
||||
|
||||
@ -38,7 +38,6 @@
|
||||
#include "nsflags.h"
|
||||
#include "nulstr-util.h"
|
||||
#include "os-util.h"
|
||||
#include "parse-util.h"
|
||||
#include "path-util.h"
|
||||
#include "pidref.h"
|
||||
#include "process-util.h"
|
||||
|
||||
@ -121,9 +121,9 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
|
||||
|
||||
if (r >= 0) {
|
||||
if (type == SELINUX_AVC)
|
||||
audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());
|
||||
sym_audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid());
|
||||
else if (type == SELINUX_ERROR)
|
||||
audit_log_user_avc_message(fd, AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid());
|
||||
sym_audit_log_user_avc_message(fd, AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, getuid());
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -35,7 +35,6 @@
|
||||
#include "id128-util.h"
|
||||
#include "install.h"
|
||||
#include "iovec-util.h"
|
||||
#include "label-util.h"
|
||||
#include "load-dropin.h"
|
||||
#include "load-fragment.h"
|
||||
#include "log.h"
|
||||
@ -44,6 +43,7 @@
|
||||
#include "manager.h"
|
||||
#include "mount-util.h"
|
||||
#include "mountpoint-util.h"
|
||||
#include "netlink-internal.h"
|
||||
#include "path-util.h"
|
||||
#include "process-util.h"
|
||||
#include "quota-util.h"
|
||||
@ -5290,19 +5290,17 @@ static void unit_modify_user_nft_set(Unit *u, bool add, NFTSetSource source, uin
|
||||
if (!c)
|
||||
return;
|
||||
|
||||
if (!u->manager->fw_ctx) {
|
||||
r = fw_ctx_new_full(&u->manager->fw_ctx, /* init_tables= */ false);
|
||||
if (!u->manager->nfnl) {
|
||||
r = sd_nfnl_socket_open(&u->manager->nfnl);
|
||||
if (r < 0)
|
||||
return;
|
||||
|
||||
assert(u->manager->fw_ctx);
|
||||
}
|
||||
|
||||
FOREACH_ARRAY(nft_set, c->nft_set_context.sets, c->nft_set_context.n_sets) {
|
||||
if (nft_set->source != source)
|
||||
continue;
|
||||
|
||||
r = nft_set_element_modify_any(u->manager->fw_ctx, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
|
||||
r = nft_set_element_modify_any(u->manager->nfnl, add, nft_set->nfproto, nft_set->table, nft_set->set, &element, sizeof(element));
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "Failed to %s NFT set entry: family %s, table %s, set %s, ID %u, ignoring: %m",
|
||||
add? "add" : "delete", nfproto_to_string(nft_set->nfproto), nft_set->table, nft_set->set, element);
|
||||
|
||||
@ -615,5 +615,9 @@ int unit_cgroup_runtime_build_json(sd_json_variant **ret, const char *name, void
|
||||
JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOReadBytes", get_io_counter_build_json, u),
|
||||
JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOReadOperations", get_io_counter_build_json, u),
|
||||
JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOWriteBytes", get_io_counter_build_json, u),
|
||||
JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOWriteOperations", get_io_counter_build_json, u));
|
||||
JSON_BUILD_PAIR_CALLBACK_NON_NULL("IOWriteOperations", get_io_counter_build_json, u),
|
||||
|
||||
/* OOM */
|
||||
SD_JSON_BUILD_PAIR_UNSIGNED("OOMKills", crt->oom_kill_last),
|
||||
SD_JSON_BUILD_PAIR_UNSIGNED("ManagedOOMKills", crt->managed_oom_kill_last));
|
||||
}
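Review bot: The new pairs dereference `crt` directly (`crt->oom_kill_last`, `crt->managed_oom_kill_last`), whereas the D-Bus getters for the same counters treat a NULL CGroupRuntime as "unavailable" and return UINT64_MAX; if the enclosing unit_cgroup_runtime_build_json() — whose beginning is outside the hunk — does not already return early on a NULL `crt`, this is a NULL dereference for units without a cgroup runtime. Either guard it or mirror the D-Bus behaviour with `SD_JSON_BUILD_PAIR_UNSIGNED("OOMKills", crt ? crt->oom_kill_last : UINT64_MAX)`, and document the sentinel in a comment so the JSON and D-Bus exposures agree.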
|
||||
|
||||
@ -3,7 +3,6 @@
|
||||
#include "sd-varlink.h"
|
||||
|
||||
#include "dynamic-user.h"
|
||||
#include "errno-util.h"
|
||||
#include "hashmap.h"
|
||||
#include "json-util.h"
|
||||
#include "manager.h"
|
||||
|
||||
@ -13,9 +13,7 @@
|
||||
#include "set.h"
|
||||
#include "strv.h"
|
||||
#include "unit.h"
|
||||
#include "unit-name.h"
|
||||
#include "varlink-cgroup.h"
|
||||
#include "varlink-common.h"
|
||||
#include "varlink-unit.h"
|
||||
#include "varlink-util.h"
|
||||
|
||||
|
||||
@ -4,7 +4,6 @@
|
||||
|
||||
#include "constants.h"
|
||||
#include "errno-util.h"
|
||||
#include "json-util.h"
|
||||
#include "manager.h"
|
||||
#include "path-util.h"
|
||||
#include "pidref.h"
|
||||
|
||||
@ -22,7 +22,6 @@
|
||||
#include "fs-util.h"
|
||||
#include "fsck-util.h"
|
||||
#include "main-func.h"
|
||||
#include "parse-util.h"
|
||||
#include "path-util.h"
|
||||
#include "proc-cmdline.h"
|
||||
#include "process-util.h"
|
||||
|
||||
@ -9,7 +9,6 @@
|
||||
#include "fuzz.h"
|
||||
#include "hexdecoct.h"
|
||||
#include "iovec-util.h"
|
||||
#include "log.h"
|
||||
|
||||
static FILE *null = NULL;
|
||||
|
||||
|
||||
@ -6,7 +6,6 @@
|
||||
#include "dirent-util.h"
|
||||
#include "escape.h"
|
||||
#include "fd-util.h"
|
||||
#include "hexdecoct.h"
|
||||
#include "io-util.h"
|
||||
#include "log.h"
|
||||
#include "memory-util.h"
|
||||
|
||||
@ -759,7 +759,7 @@ int pull_job_begin(PullJob *j) {
|
||||
if (curl_easy_setopt(j->curl, CURLOPT_XFERINFODATA, j) != CURLE_OK)
|
||||
return -EIO;
|
||||
|
||||
if (curl_easy_setopt(j->curl, CURLOPT_NOPROGRESS, 0) != CURLE_OK)
|
||||
if (curl_easy_setopt(j->curl, CURLOPT_NOPROGRESS, 0L) != CURLE_OK)
|
||||
return -EIO;
|
||||
|
||||
r = curl_glue_add(j->glue, j->curl);
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <fcntl.h>
|
||||
#include_next <fcntl.h> /* IWYU pragma: export */
|
||||
|
||||
/* This is defined since glibc-2.41. */
|
||||
#ifndef F_DUPFD_QUERY
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <malloc.h>
|
||||
#include_next <malloc.h> /* IWYU pragma: export */
|
||||
|
||||
#if !HAVE_MALLINFO2
|
||||
struct mallinfo2 {
|
||||
|
||||
@ -6,7 +6,7 @@
|
||||
* Note, this must be included before sched.h, otherwise the headers conflict with each other. */
|
||||
#include <linux/sched/types.h>
|
||||
|
||||
#include_next <sched.h>
|
||||
#include_next <sched.h> /* IWYU pragma: export */
|
||||
|
||||
#include <assert.h>
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <signal.h>
|
||||
#include_next <signal.h> /* IWYU pragma: export */
|
||||
|
||||
#if !HAVE_RT_TGSIGQUEUEINFO
|
||||
int missing_rt_tgsigqueueinfo(pid_t tgid, pid_t tid, int sig, siginfo_t *info);
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <sys/mman.h>
|
||||
#include_next <sys/mman.h> /* IWYU pragma: export */
|
||||
|
||||
#include <assert.h>
|
||||
|
||||
|
||||
@ -3,7 +3,7 @@
|
||||
|
||||
/* since glibc-2.36 */
|
||||
#if HAVE_PIDFD_OPEN
|
||||
#include_next <sys/pidfd.h>
|
||||
#include_next <sys/pidfd.h> /* IWYU pragma: export */
|
||||
#endif
|
||||
|
||||
#include <linux/types.h>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <sys/quota.h>
|
||||
#include_next <sys/quota.h> /* IWYU pragma: export */
|
||||
|
||||
/* Supported since kernel v5.14 (64c2c2c62f92339b176ea24403d8db16db36f9e6). */
|
||||
#if !HAVE_QUOTACTL_FD
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <sys/random.h>
|
||||
#include_next <sys/random.h> /* IWYU pragma: export */
|
||||
|
||||
#include <assert.h>
|
||||
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <sys/socket.h>
|
||||
#include_next <sys/socket.h> /* IWYU pragma: export */
|
||||
|
||||
/* Supported since kernel v6.5 (5e2ff6704a275be009be8979af17c52361b79b89) */
|
||||
#ifndef SO_PASSPIDFD
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <sys/stat.h>
|
||||
#include_next <sys/stat.h> /* IWYU pragma: export */
|
||||
|
||||
/* Supported since kernel v6.6 (78252deb023cf0879256fcfbafe37022c390762b). */
|
||||
#if !HAVE_FCHMODAT2
|
||||
|
||||
@ -9,7 +9,7 @@
|
||||
*/
|
||||
#pragma once
|
||||
|
||||
#include_next <sys/syscall.h>
|
||||
#include_next <sys/syscall.h> /* IWYU pragma: export */
|
||||
|
||||
#ifdef ARCH_MIPS
|
||||
#include <asm/sgidefs.h>
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <sys/wait.h>
|
||||
#include_next <sys/wait.h> /* IWYU pragma: export */
|
||||
|
||||
#include <assert.h>
|
||||
|
||||
|
||||
@ -3,9 +3,9 @@
|
||||
|
||||
/* To make struct xattr_args defined, which is used by setxattrat(). Note, the kernel header must be
|
||||
* included before the glibc header, otherwise the struct will not be defined. */
|
||||
#include <linux/xattr.h>
|
||||
#include <linux/xattr.h> /* IWYU pragma: export */
|
||||
|
||||
#include_next <sys/xattr.h>
|
||||
#include_next <sys/xattr.h> /* IWYU pragma: export */
|
||||
|
||||
/* Supported since kernel v6.13 (6140be90ec70c39fa844741ca3cc807dd0866394). */
|
||||
#if !HAVE_SETXATTRAT
|
||||
|
||||
@ -1,7 +1,7 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include_next <unistd.h>
|
||||
#include_next <unistd.h> /* IWYU pragma: export */
|
||||
|
||||
/* Defined since glibc-2.34.
|
||||
* Supported since kernel v5.9 (9b4feb630e8e9801603f3cab3a36369e3c1cf88d). */
|
||||
|
||||
@ -308,7 +308,7 @@ int start_upload(Uploader *u,
|
||||
}
|
||||
|
||||
if (STRPTR_IN_SET(arg_trust, "-", "all"))
|
||||
easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0,
|
||||
easy_setopt(curl, CURLOPT_SSL_VERIFYPEER, 0L,
|
||||
LOG_ERR, return -EUCLEAN);
|
||||
else if (arg_trust || startswith(u->url, "https://"))
|
||||
easy_setopt(curl, CURLOPT_CAINFO, arg_trust ?: TRUST_FILE,
|
||||
|
||||
@ -18,8 +18,6 @@
|
||||
#include "alloc-util.h"
|
||||
#include "audit-util.h"
|
||||
#include "cgroup-util.h"
|
||||
#include "conf-parser.h"
|
||||
#include "creds-util.h"
|
||||
#include "daemon-util.h"
|
||||
#include "dirent-util.h"
|
||||
#include "errno-util.h"
|
||||
@ -53,14 +51,12 @@
|
||||
#include "log-ratelimit.h"
|
||||
#include "memory-util.h"
|
||||
#include "mkdir.h"
|
||||
#include "parse-util.h"
|
||||
#include "path-util.h"
|
||||
#include "prioq.h"
|
||||
#include "process-util.h"
|
||||
#include "rm-rf.h"
|
||||
#include "set.h"
|
||||
#include "signal-util.h"
|
||||
#include "socket-netlink.h"
|
||||
#include "socket-util.h"
|
||||
#include "stdio-util.h"
|
||||
#include "string-util.h"
|
||||
|
||||
@ -7,7 +7,6 @@
|
||||
#include "journald-forward.h"
|
||||
#include "list.h"
|
||||
#include "ratelimit.h"
|
||||
#include "socket-util.h"
|
||||
|
||||
typedef struct JournalStorageSpace {
|
||||
usec_t timestamp;
|
||||
|
||||
@ -1,6 +1,6 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include "journald-manager.h"
|
||||
#include "journald-config.h"
|
||||
#include "test-tables.h"
|
||||
#include "tests.h"
|
||||
|
||||
|
||||
@ -4,7 +4,6 @@
|
||||
#include "dhcp-client-id-internal.h"
|
||||
#include "iovec-util.h"
|
||||
#include "json-util.h"
|
||||
#include "log.h"
|
||||
#include "siphash24.h"
|
||||
#include "string-util.h"
|
||||
#include "unaligned.h"
|
||||
|
||||
@ -6,10 +6,10 @@
|
||||
#include <unistd.h>
|
||||
|
||||
#include "sd-event.h"
|
||||
#include "sd-json.h"
|
||||
#include "sd-lldp-rx.h"
|
||||
|
||||
#include "fd-util.h"
|
||||
#include "json-util.h"
|
||||
#include "lldp-neighbor.h"
|
||||
#include "lldp-network.h"
|
||||
#include "tests.h"
|
||||
|
||||
@ -34,7 +34,6 @@
|
||||
#include "path-util.h"
|
||||
#include "prioq.h"
|
||||
#include "random-util.h"
|
||||
#include "ratelimit.h"
|
||||
#include "sort-util.h"
|
||||
#include "stat-util.h"
|
||||
#include "string-table.h"
|
||||
|
||||
@ -16,7 +16,6 @@
|
||||
#include "io-util.h"
|
||||
#include "iovec-util.h"
|
||||
#include "journal-send.h"
|
||||
#include "log.h"
|
||||
#include "memfd-util.h"
|
||||
#include "process-util.h"
|
||||
#include "socket-util.h"
|
||||
|
||||
@ -16,7 +16,6 @@
|
||||
#include "journal-vacuum.h"
|
||||
#include "log.h"
|
||||
#include "log-ratelimit.h"
|
||||
#include "ratelimit.h"
|
||||
#include "sort-util.h"
|
||||
#include "string-util.h"
|
||||
#include "time-util.h"
|
||||
|
||||
@ -9,7 +9,6 @@
|
||||
#include "alloc-util.h"
|
||||
#include "errno-util.h"
|
||||
#include "iovec-util.h"
|
||||
#include "log.h"
|
||||
#include "netlink-internal.h"
|
||||
#include "netlink-util.h"
|
||||
|
||||
|
||||
@ -466,7 +466,8 @@ static int timeout_compare(const void *a, const void *b) {
|
||||
}
|
||||
|
||||
size_t netlink_get_reply_callback_count(sd_netlink *nl) {
|
||||
assert(nl);
|
||||
if (!nl)
|
||||
return 0;
|
||||
|
||||
return hashmap_size(nl->reply_callbacks);
|
||||
}
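Review bot: Replacing `assert(nl)` with `if (!nl) return 0;` widens the contract of `netlink_get_reply_callback_count()` so that a missing socket reads as "no replies pending", which the networkd callers in this series rely on because `manager->nfnl` stays NULL when `sd_nfnl_socket_open()` fails in `manager_connect_nfnl()`; nothing in the function records that intent, so the assert is likely to be restored by a later cleanup. A one-line comment would pin it: `if (!nl) /* optional sockets (e.g. networkd's nfnl) may be unset */ return 0;`. The declaration in the header is outside this hunk and should carry the same note.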
|
||||
|
||||
@ -19,7 +19,6 @@
|
||||
#include "io-util.h"
|
||||
#include "iovec-util.h"
|
||||
#include "list.h"
|
||||
#include "log.h"
|
||||
#include "memory-util.h"
|
||||
#include "process-util.h"
|
||||
#include "resolve-private.h"
|
||||
|
||||
@ -15,7 +15,6 @@
|
||||
#include "bus-unit-util.h"
|
||||
#include "env-file.h"
|
||||
#include "errno-util.h"
|
||||
#include "escape.h"
|
||||
#include "extract-word.h"
|
||||
#include "fd-util.h"
|
||||
#include "fileio.h"
|
||||
|
||||
@ -669,6 +669,10 @@ static int address_set_masquerade(Address *address, bool add) {
|
||||
|
||||
assert(address);
|
||||
assert(address->link);
|
||||
assert(address->link->manager);
|
||||
|
||||
if (!address->link->manager->nfnl)
|
||||
return 0;
|
||||
|
||||
if (!address->link->network)
|
||||
return 0;
|
||||
@ -687,7 +691,7 @@ static int address_set_masquerade(Address *address, bool add) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = fw_add_masquerade(&address->link->manager->fw_ctx, add, address->family, &masked, address->prefixlen);
|
||||
r = fw_nftables_add_masquerade(address->link->manager->nfnl, add, address->family, &masked, address->prefixlen);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
@ -702,14 +706,9 @@ static void address_modify_nft_set_context(Address *address, bool add, NFTSetCon
|
||||
assert(address);
|
||||
assert(address->link);
|
||||
assert(address->link->manager);
|
||||
assert(address->link->manager->nfnl);
|
||||
assert(nft_set_context);
|
||||
|
||||
if (!address->link->manager->fw_ctx) {
|
||||
r = fw_ctx_new_full(&address->link->manager->fw_ctx, /* init_tables= */ false);
|
||||
if (r < 0)
|
||||
return;
|
||||
}
|
||||
|
||||
FOREACH_ARRAY(nft_set, nft_set_context->sets, nft_set_context->n_sets) {
|
||||
uint32_t ifindex;
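Review bot: The new `assert(address->link->manager->nfnl)` in `address_modify_nft_set_context()` turns a missing nftables socket into an abort, where the removed code tolerated it by creating the context lazily; that is only safe if every caller filters on `manager->nfnl` first, and within this diff only `address_modify_nft_set()` (the hunk at -749) visibly does so. If other callers exist outside the diff, give them the same `if (!address->link->manager->nfnl) return;` guard, or replace the assert with that early return here so the "socket unavailable, settings skipped" policy announced in `manager_connect_nfnl()` holds on every path. `address_modify_nft_set_context()` continues past this hunk.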
|
||||
|
||||
@ -717,16 +716,16 @@ static void address_modify_nft_set_context(Address *address, bool add, NFTSetCon
|
||||
|
||||
switch (nft_set->source) {
|
||||
case NFT_SET_SOURCE_ADDRESS:
|
||||
r = nft_set_element_modify_ip(address->link->manager->fw_ctx, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
|
||||
r = nft_set_element_modify_ip(address->link->manager->nfnl, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
|
||||
&address->in_addr);
|
||||
break;
|
||||
case NFT_SET_SOURCE_PREFIX:
|
||||
r = nft_set_element_modify_iprange(address->link->manager->fw_ctx, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
|
||||
r = nft_set_element_modify_iprange(address->link->manager->nfnl, add, nft_set->nfproto, address->family, nft_set->table, nft_set->set,
|
||||
&address->in_addr, address->prefixlen);
|
||||
break;
|
||||
case NFT_SET_SOURCE_IFINDEX:
|
||||
ifindex = address->link->ifindex;
|
||||
r = nft_set_element_modify_any(address->link->manager->fw_ctx, add, nft_set->nfproto, nft_set->table, nft_set->set,
|
||||
r = nft_set_element_modify_any(address->link->manager->nfnl, add, nft_set->nfproto, nft_set->table, nft_set->set,
|
||||
&ifindex, sizeof(ifindex));
|
||||
break;
|
||||
default:
|
||||
@ -749,6 +748,10 @@ static void address_modify_nft_set_context(Address *address, bool add, NFTSetCon
|
||||
static void address_modify_nft_set(Address *address, bool add) {
|
||||
assert(address);
|
||||
assert(address->link);
|
||||
assert(address->link->manager);
|
||||
|
||||
if (!address->link->manager->nfnl)
|
||||
return;
|
||||
|
||||
if (!IN_SET(address->family, AF_INET, AF_INET6))
|
||||
return;
|
||||
|
||||
@ -15,7 +15,6 @@
|
||||
#include "siphash24.h"
|
||||
#include "socket-util.h"
|
||||
#include "string-table.h"
|
||||
#include "string-util.h"
|
||||
#include "strv.h"
|
||||
#include "sysctl-util.h"
|
||||
|
||||
|
||||
@ -23,9 +23,9 @@
|
||||
#include "env-util.h"
|
||||
#include "errno-util.h"
|
||||
#include "fd-util.h"
|
||||
#include "firewall-util.h"
|
||||
#include "initrd-util.h"
|
||||
#include "mount-util.h"
|
||||
#include "netlink-internal.h"
|
||||
#include "netlink-util.h"
|
||||
#include "networkd-address.h"
|
||||
#include "networkd-address-label.h"
|
||||
@ -285,6 +285,28 @@ static int manager_connect_genl(Manager *m) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int manager_connect_nfnl(Manager *m) {
|
||||
int r;
|
||||
|
||||
assert(m);
|
||||
|
||||
r = sd_nfnl_socket_open(&m->nfnl);
|
||||
if (r < 0) {
|
||||
log_warning_errno(r, "Failed to open nftables netlink socket. IPMasquerade= and NFTSet= settings will not be applied. Ignoring: %m");
|
||||
return 0;
|
||||
}
|
||||
|
||||
r = sd_netlink_increase_rxbuf(m->nfnl, RCVBUF_SIZE);
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "Failed to increase receive buffer size for nftables netlink socket, ignoring: %m");
|
||||
|
||||
r = sd_netlink_attach_event(m->nfnl, m->event, 0);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
return 0;
|
||||
}
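Review bot: `manager_connect_nfnl()` treats a failed `sd_nfnl_socket_open()` as non-fatal (warn and `return 0`) but a failed `sd_netlink_attach_event()` as fatal (`return r`), so the same optional socket either gets skipped with a warning or takes down `manager_setup()` depending on which step fails, and in the fatal case `m->nfnl` is left pointing at an unattached socket. If the socket is meant to be optional, handle the attach failure like the open failure: log a warning saying the event-loop attachment failed and that IPMasquerade=/NFTSet= will be skipped, drop the socket with `m->nfnl = sd_netlink_unref(m->nfnl);`, and return 0, so the later `if (!manager->nfnl)` checks see a consistent state. If instead it is meant to be required, the open failure should return the error as well rather than only warn.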
|
||||
|
||||
static int manager_setup_rtnl_filter(Manager *manager) {
|
||||
struct sock_filter filter[] = {
|
||||
/* Check the packet length. */
|
||||
@ -435,7 +457,7 @@ static int manager_post_handler(sd_event_source *s, void *userdata) {
|
||||
|
||||
if (netlink_get_reply_callback_count(manager->rtnl) > 0 ||
|
||||
netlink_get_reply_callback_count(manager->genl) > 0 ||
|
||||
fw_ctx_get_reply_callback_count(manager->fw_ctx) > 0)
|
||||
netlink_get_reply_callback_count(manager->nfnl) > 0)
|
||||
return 0; /* There are some message calls waiting for their replies. */
|
||||
|
||||
(void) manager_serialize(manager);
|
||||
@ -557,6 +579,10 @@ int manager_setup(Manager *m) {
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
r = manager_connect_nfnl(m);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (m->test_mode)
|
||||
return 0;
|
||||
|
||||
@ -696,6 +722,7 @@ Manager* manager_free(Manager *m) {
|
||||
|
||||
sd_netlink_unref(m->rtnl);
|
||||
sd_netlink_unref(m->genl);
|
||||
sd_netlink_unref(m->nfnl);
|
||||
sd_resolve_unref(m->resolve);
|
||||
|
||||
m->routes = set_free(m->routes);
|
||||
@ -720,8 +747,6 @@ Manager* manager_free(Manager *m) {
|
||||
safe_close(m->ethtool_fd);
|
||||
safe_close(m->persistent_storage_fd);
|
||||
|
||||
m->fw_ctx = fw_ctx_free(m->fw_ctx);
|
||||
|
||||
m->serialization_fd = safe_close(m->serialization_fd);
|
||||
|
||||
return mfree(m);
|
||||
|
||||
@ -17,6 +17,7 @@ typedef struct Manager {
|
||||
sd_netlink *rtnl;
|
||||
/* lazy initialized */
|
||||
sd_netlink *genl;
|
||||
sd_netlink *nfnl;
|
||||
sd_event *event;
|
||||
sd_resolve *resolve;
|
||||
sd_bus *bus;
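Review bot: `sd_netlink *nfnl;` is inserted directly under the `/* lazy initialized */` comment that documents `genl`, but `nfnl` is opened eagerly from `manager_setup()` via `manager_connect_nfnl()` and is NULL only when that open failed, so a reader will take the comment to cover the new field. Either move it above the comment next to `rtnl`, or give it its own line: `sd_netlink *nfnl; /* NULL if the nftables netlink socket could not be opened; IPMasquerade=/NFTSet= are then skipped */`.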
|
||||
@ -103,8 +104,6 @@ typedef struct Manager {
|
||||
usec_t speed_meter_usec_new;
|
||||
usec_t speed_meter_usec_old;
|
||||
|
||||
FirewallContext *fw_ctx;
|
||||
|
||||
bool request_queued;
|
||||
OrderedSet *request_queue;
|
||||
OrderedSet *remove_request_queue;
|
||||
|
||||
@ -293,7 +293,7 @@ int manager_process_requests(Manager *manager) {
|
||||
* queued, then this event may make reply callback queue in sd-netlink full. */
|
||||
if (netlink_get_reply_callback_count(manager->rtnl) >= REPLY_CALLBACK_COUNT_THRESHOLD ||
|
||||
netlink_get_reply_callback_count(manager->genl) >= REPLY_CALLBACK_COUNT_THRESHOLD ||
|
||||
fw_ctx_get_reply_callback_count(manager->fw_ctx) >= REPLY_CALLBACK_COUNT_THRESHOLD)
|
||||
netlink_get_reply_callback_count(manager->nfnl) >= REPLY_CALLBACK_COUNT_THRESHOLD)
|
||||
break;
|
||||
|
||||
/* Avoid the request and link freed by req->process() and request_detach(). */
|
||||
|
||||
@ -76,12 +76,13 @@ void expose_port_free_all(ExposePort *p) {
|
||||
LIST_CLEAR(ports, p, free);
|
||||
}
|
||||
|
||||
int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_addr_union *exposed) {
|
||||
int expose_port_flush(sd_netlink *nfnl, ExposePort* l, int af, union in_addr_union *exposed) {
|
||||
int r;
|
||||
|
||||
assert(IN_SET(af, AF_INET, AF_INET6));
|
||||
assert(exposed);
|
||||
|
||||
if (!l)
|
||||
if (!nfnl || !l)
|
||||
return 0;
|
||||
|
||||
if (!in_addr_is_set(af, exposed))
|
||||
@ -90,14 +91,15 @@ int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_
|
||||
log_debug("Lost IP address.");
|
||||
|
||||
LIST_FOREACH(ports, p, l) {
|
||||
r = fw_add_local_dnat(fw_ctx,
|
||||
false,
|
||||
r = fw_nftables_add_local_dnat(
|
||||
nfnl,
|
||||
/* add = */ false,
|
||||
af,
|
||||
p->protocol,
|
||||
p->host_port,
|
||||
exposed,
|
||||
p->container_port,
|
||||
NULL);
|
||||
/* previous_remote = */ NULL);
|
||||
if (r < 0)
|
||||
log_warning_errno(r, "Failed to modify %s firewall: %m", af_to_name(af));
|
||||
}
|
||||
@ -106,12 +108,15 @@ int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_
|
||||
return 0;
|
||||
}
|
||||
|
||||
int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, int af, union in_addr_union *exposed) {
|
||||
int expose_port_execute(sd_netlink *rtnl, sd_netlink *nfnl, ExposePort *l, int af, union in_addr_union *exposed) {
|
||||
_cleanup_free_ struct local_address *addresses = NULL;
|
||||
union in_addr_union new_exposed;
|
||||
bool add;
|
||||
int r;
|
||||
|
||||
assert(rtnl);
|
||||
assert(nfnl);
|
||||
assert(IN_SET(af, AF_INET, AF_INET6));
|
||||
assert(exposed);
|
||||
|
||||
/* Invoked each time an address is added or removed inside the
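Review bot: `expose_port_execute()` now hard-asserts `nfnl` while its sibling `expose_port_flush()` tolerates a NULL one (`if (!nfnl || !l) return 0;`), yet in nspawn the socket is only opened when `arg_expose_ports` is set and `on_address_change()` calls `expose_port_execute()` unconditionally; unless the rtnl address watch is registered only together with `arg_expose_ports` (which is outside this diff), the assert fires in the no-ports case. Making the two entry points consistent, `if (!nfnl || !l) return 0;` in place of `assert(nfnl);`, removes that dependency, or else the precondition should be stated on the declaration in the header. The function continues past the hunk.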
|
||||
@ -129,7 +134,7 @@ int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *
|
||||
addresses[0].scope < RT_SCOPE_LINK;
|
||||
|
||||
if (!add)
|
||||
return expose_port_flush(fw_ctx, l, af, exposed);
|
||||
return expose_port_flush(nfnl, l, af, exposed);
|
||||
|
||||
new_exposed = addresses[0].address;
|
||||
if (in_addr_equal(af, exposed, &new_exposed))
|
||||
@ -138,8 +143,9 @@ int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *
|
||||
log_debug("New container IP is %s.", IN_ADDR_TO_STRING(af, &new_exposed));
|
||||
|
||||
LIST_FOREACH(ports, p, l) {
|
||||
r = fw_add_local_dnat(fw_ctx,
|
||||
true,
|
||||
r = fw_nftables_add_local_dnat(
|
||||
nfnl,
|
||||
/* add = */ true,
|
||||
af,
|
||||
p->protocol,
|
||||
p->host_port,
|
||||
|
||||
@ -1,7 +1,6 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include "firewall-util.h"
|
||||
#include "forward.h"
|
||||
#include "list.h"
|
||||
|
||||
@ -18,5 +17,5 @@ int expose_port_parse(ExposePort **l, const char *s);
|
||||
int expose_port_watch_rtnl(sd_event *event, int recv_fd, sd_netlink_message_handler_t handler, void *userdata, sd_netlink **ret);
|
||||
int expose_port_send_rtnl(int send_fd);
|
||||
|
||||
int expose_port_execute(sd_netlink *rtnl, FirewallContext **fw_ctx, ExposePort *l, int af, union in_addr_union *exposed);
|
||||
int expose_port_flush(FirewallContext **fw_ctx, ExposePort* l, int af, union in_addr_union *exposed);
|
||||
int expose_port_execute(sd_netlink *rtnl, sd_netlink *nfnl, ExposePort *l, int af, union in_addr_union *exposed);
|
||||
int expose_port_flush(sd_netlink *nfnl, ExposePort* l, int af, union in_addr_union *exposed);
|
||||
|
||||
@ -13,7 +13,6 @@
|
||||
#include "nspawn-network.h"
|
||||
#include "nspawn-settings.h"
|
||||
#include "parse-util.h"
|
||||
#include "path-util.h"
|
||||
#include "process-util.h"
|
||||
#include "rlimit-util.h"
|
||||
#include "socket-util.h"
|
||||
|
||||
@ -71,6 +71,7 @@
|
||||
#include "mount-util.h"
|
||||
#include "mountpoint-util.h"
|
||||
#include "namespace-util.h"
|
||||
#include "netlink-internal.h"
|
||||
#include "notify-recv.h"
|
||||
#include "nspawn-bind-user.h"
|
||||
#include "nspawn-cgroup.h"
|
||||
@ -2539,7 +2540,7 @@ static int setup_kmsg(int fd_inner_socket) {
|
||||
struct ExposeArgs {
|
||||
union in_addr_union address4;
|
||||
union in_addr_union address6;
|
||||
struct FirewallContext *fw_ctx;
|
||||
sd_netlink *nfnl;
|
||||
};
|
||||
|
||||
static int on_address_change(sd_netlink *rtnl, sd_netlink_message *m, void *userdata) {
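Review bot: `ExposeArgs.nfnl` is a borrowed pointer: `run()` owns the socket through `_cleanup_(sd_netlink_unrefp) sd_netlink *nfnl` and copies it in with `expose_args.nfnl = nfnl;` without taking a reference, the same arrangement the replaced `fw_ctx` field had, but the struct does not say so. Stating it on the field keeps a later reader from adding an unref on the struct's teardown: `sd_netlink *nfnl; /* borrowed from run(), not ref'd */`. At the open site the message could name what actually failed, e.g. `"Cannot expose configured ports, failed to open nftables netlink socket: %m"`, since nothing in nftables itself is initialised there.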
|
||||
@ -2548,8 +2549,8 @@ static int on_address_change(sd_netlink *rtnl, sd_netlink_message *m, void *user
|
||||
assert(rtnl);
|
||||
assert(m);
|
||||
|
||||
(void) expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, AF_INET, &args->address4);
|
||||
(void) expose_port_execute(rtnl, &args->fw_ctx, arg_expose_ports, AF_INET6, &args->address6);
|
||||
(void) expose_port_execute(rtnl, args->nfnl, arg_expose_ports, AF_INET, &args->address4);
|
||||
(void) expose_port_execute(rtnl, args->nfnl, arg_expose_ports, AF_INET6, &args->address6);
|
||||
return 0;
|
||||
}
|
||||
|
||||
@ -5607,8 +5608,8 @@ static int run_container(
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
(void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, AF_INET, &expose_args->address4);
|
||||
(void) expose_port_execute(rtnl, &expose_args->fw_ctx, arg_expose_ports, AF_INET6, &expose_args->address6);
|
||||
(void) expose_port_execute(rtnl, expose_args->nfnl, arg_expose_ports, AF_INET, &expose_args->address4);
|
||||
(void) expose_port_execute(rtnl, expose_args->nfnl, arg_expose_ports, AF_INET6, &expose_args->address6);
|
||||
}
|
||||
|
||||
_cleanup_(osc_context_closep) sd_id128_t osc_context_id = SD_ID128_NULL;
|
||||
@ -5730,8 +5731,8 @@ static int run_container(
|
||||
return 0; /* finito */
|
||||
}
|
||||
|
||||
expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, AF_INET, &expose_args->address4);
|
||||
expose_port_flush(&expose_args->fw_ctx, arg_expose_ports, AF_INET6, &expose_args->address6);
|
||||
expose_port_flush(expose_args->nfnl, arg_expose_ports, AF_INET, &expose_args->address4);
|
||||
expose_port_flush(expose_args->nfnl, arg_expose_ports, AF_INET6, &expose_args->address6);
|
||||
|
||||
(void) remove_veth_links(veth_name, arg_network_veth_extra);
|
||||
*veth_created = false;
|
||||
@ -5900,7 +5901,7 @@ static int run(int argc, char *argv[]) {
|
||||
_cleanup_(rmdir_and_freep) char *rootdir = NULL;
|
||||
_cleanup_(loop_device_unrefp) LoopDevice *loop = NULL;
|
||||
_cleanup_(dissected_image_unrefp) DissectedImage *dissected_image = NULL;
|
||||
_cleanup_(fw_ctx_freep) FirewallContext *fw_ctx = NULL;
|
||||
_cleanup_(sd_netlink_unrefp) sd_netlink *nfnl = NULL;
|
||||
_cleanup_(pidref_done) PidRef pid = PIDREF_NULL;
|
||||
|
||||
log_setup();
|
||||
@ -6385,12 +6386,12 @@ static int run(int argc, char *argv[]) {
|
||||
}
|
||||
|
||||
if (arg_expose_ports) {
|
||||
r = fw_ctx_new(&fw_ctx);
|
||||
r = sd_nfnl_socket_open(&nfnl);
|
||||
if (r < 0) {
|
||||
log_error_errno(r, "Cannot expose configured ports, firewall initialization failed: %m");
|
||||
log_error_errno(r, "Cannot expose configured ports, failed to initialize nftables: %m");
|
||||
goto finish;
|
||||
}
|
||||
expose_args.fw_ctx = fw_ctx;
|
||||
expose_args.nfnl = nfnl;
|
||||
}
|
||||
|
||||
for (;;) {
|
||||
@ -6454,8 +6455,8 @@ finish:
|
||||
|
||||
cleanup_propagation_and_export_directories();
|
||||
|
||||
expose_port_flush(&fw_ctx, arg_expose_ports, AF_INET, &expose_args.address4);
|
||||
expose_port_flush(&fw_ctx, arg_expose_ports, AF_INET6, &expose_args.address6);
|
||||
expose_port_flush(nfnl, arg_expose_ports, AF_INET, &expose_args.address4);
|
||||
expose_port_flush(nfnl, arg_expose_ports, AF_INET6, &expose_args.address6);
|
||||
|
||||
if (arg_userns_mode != USER_NAMESPACE_MANAGED) {
|
||||
if (veth_created)
|
||||
|
||||
@ -789,7 +789,11 @@ static Partition* partition_unlink_and_free(Context *context, Partition *p) {
|
||||
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(Partition*, partition_free);
|
||||
|
||||
static Context* context_new(sd_id128_t seed, X509 *certificate, EVP_PKEY *private_key) {
|
||||
static Context* context_new(
|
||||
sd_id128_t seed,
|
||||
X509 *certificate,
|
||||
EVP_PKEY *private_key) {
|
||||
|
||||
Context *context;
|
||||
|
||||
/* Note: This function takes ownership of the certificate and private_key arguments. */
|
||||
@ -3445,7 +3449,7 @@ static int context_load_partition_table(Context *context) {
|
||||
/* Use the fallback values if we have no better idea */
|
||||
context->sector_size = fdisk_get_sector_size(c);
|
||||
context->default_fs_sector_size = fs_secsz;
|
||||
context->grain_size = 4096;
|
||||
context->grain_size = MAX(context->sector_size, 4096U);
|
||||
return /* from_scratch = */ true;
|
||||
}
|
||||
|
||||
@ -5489,9 +5493,9 @@ static int progress_bytes(uint64_t n_bytes, uint64_t bps, void *userdata) {
|
||||
strna(p->copy_blocks_path),
|
||||
glyph(GLYPH_ARROW_RIGHT),
|
||||
strna(p->definition_path),
|
||||
FORMAT_BYTES(p->copy_blocks_done),
|
||||
FORMAT_BYTES(p->copy_blocks_size),
|
||||
FORMAT_BYTES(bps));
|
||||
FORMAT_BYTES_WITH_POINT(p->copy_blocks_done),
|
||||
FORMAT_BYTES_WITH_POINT(p->copy_blocks_size),
|
||||
FORMAT_BYTES_WITH_POINT(bps));
|
||||
else
|
||||
(void) draw_progress_barf(
|
||||
percent,
|
||||
@ -5499,8 +5503,8 @@ static int progress_bytes(uint64_t n_bytes, uint64_t bps, void *userdata) {
|
||||
strna(p->copy_blocks_path),
|
||||
glyph(GLYPH_ARROW_RIGHT),
|
||||
strna(p->definition_path),
|
||||
FORMAT_BYTES(p->copy_blocks_done),
|
||||
FORMAT_BYTES(p->copy_blocks_size));
|
||||
FORMAT_BYTES_WITH_POINT(p->copy_blocks_done),
|
||||
FORMAT_BYTES_WITH_POINT(p->copy_blocks_size));
|
||||
|
||||
p->last_percent = percent;
|
||||
|
||||
@ -8666,7 +8670,13 @@ static int help(void) {
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY **ret_private_key, OpenSSLAskPasswordUI **ret_ui) {
|
||||
static int parse_argv(
|
||||
int argc,
|
||||
char *argv[],
|
||||
X509 **ret_certificate,
|
||||
EVP_PKEY **ret_private_key,
|
||||
OpenSSLAskPasswordUI **ret_ui) {
|
||||
|
||||
enum {
|
||||
ARG_VERSION = 0x100,
|
||||
ARG_NO_PAGER,
|
||||
|
||||
@ -1,9 +1,10 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include "af-list.h"
|
||||
#include "alloc-util.h"
|
||||
#include "event-util.h"
|
||||
#include "dns-domain.h"
|
||||
#include "json-util.h"
|
||||
#include "log.h"
|
||||
#include "random-util.h"
|
||||
#include "resolved-dns-browse-services.h"
|
||||
#include "resolved-dns-cache.h"
|
||||
@ -12,8 +13,8 @@
|
||||
#include "resolved-dns-rr.h"
|
||||
#include "resolved-dns-scope.h"
|
||||
#include "resolved-manager.h"
|
||||
#include "resolved-varlink.h"
|
||||
#include "string-table.h"
|
||||
#include "string-util.h"
|
||||
|
||||
typedef enum BrowseServiceUpdateEvent {
|
||||
BROWSE_SERVICE_UPDATE_ADDED,
|
||||
|
||||
@ -7,7 +7,6 @@
|
||||
#include <openssl/bio.h>
|
||||
#include <openssl/err.h>
|
||||
#include <openssl/x509v3.h>
|
||||
#include <sys/epoll.h>
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "openssl-util.h"
|
||||
|
||||
@ -7,7 +7,6 @@
|
||||
#include "dns-domain.h"
|
||||
#include "dns-type.h"
|
||||
#include "errno-util.h"
|
||||
#include "glyph-util.h"
|
||||
#include "in-addr-util.h"
|
||||
#include "iovec-util.h"
|
||||
#include "json-util.h"
|
||||
|
||||
@ -5,7 +5,6 @@
|
||||
#include <stdio.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/resource.h>
|
||||
#include <sys/stat.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "sd-bus.h"
|
||||
|
||||
@ -8,7 +8,6 @@
|
||||
#include "bitfield.h"
|
||||
#include "cpu-set-util.h"
|
||||
#include "extract-word.h"
|
||||
#include "hexdecoct.h"
|
||||
#include "log.h"
|
||||
#include "parse-util.h"
|
||||
#include "string-util.h"
|
||||
|
||||
@ -1209,7 +1209,7 @@ int decrypt_credential_and_warn(
|
||||
* -EHWPOISON → Attempt to decode NULL key (and CREDENTIAL_ALLOW_NULL is off), but the system has a TPM and SecureBoot is on
|
||||
* -EMEDIUMTYPE → File has unexpected scope, i.e. user-scoped credential is attempted to be unlocked in system scope, or vice versa
|
||||
* -EDESTADDRREQ → Credential is incorrectly named (i.e. the authenticated name does not match the actual name)
|
||||
* -ESTALE → Credential's valdity has passed
|
||||
* -ESTALE → Credential's validity has passed
|
||||
* -ESRCH → User specified for scope does not exist on this system
|
||||
*
|
||||
* (plus the various error codes tpm2_unseal() returns) */
|
||||
|
||||
@ -1,383 +0,0 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
|
||||
#include <endian.h>
|
||||
#include <libiptc/libiptc.h>
|
||||
#include <linux/netfilter/nf_nat.h>
|
||||
#include <linux/netfilter/xt_addrtype.h>
|
||||
#include <linux/netfilter_ipv4/ip_tables.h>
|
||||
#include <string.h>
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "dlfcn-util.h"
|
||||
#include "firewall-util-private.h"
|
||||
#include "in-addr-util.h"
|
||||
#include "log.h"
|
||||
#include "socket-util.h"
|
||||
|
||||
static DLSYM_PROTOTYPE(iptc_check_entry) = NULL;
|
||||
static DLSYM_PROTOTYPE(iptc_commit) = NULL;
|
||||
static DLSYM_PROTOTYPE(iptc_delete_entry) = NULL;
|
||||
static DLSYM_PROTOTYPE(iptc_free) = NULL;
|
||||
static DLSYM_PROTOTYPE(iptc_init) = NULL;
|
||||
static DLSYM_PROTOTYPE(iptc_insert_entry) = NULL;
|
||||
static DLSYM_PROTOTYPE(iptc_strerror) = NULL;
|
||||
|
||||
static void *iptc_dl = NULL;
|
||||
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC_FULL(struct xtc_handle*, sym_iptc_free, NULL);
|
||||
|
||||
static int entry_fill_basics(
|
||||
struct ipt_entry *entry,
|
||||
int protocol,
|
||||
const char *in_interface,
|
||||
const union in_addr_union *source,
|
||||
unsigned source_prefixlen,
|
||||
const char *out_interface,
|
||||
const union in_addr_union *destination,
|
||||
unsigned destination_prefixlen) {
|
||||
|
||||
assert(entry);
|
||||
|
||||
if (out_interface && !ifname_valid(out_interface))
|
||||
return -EINVAL;
|
||||
if (in_interface && !ifname_valid(in_interface))
|
||||
return -EINVAL;
|
||||
|
||||
entry->ip.proto = protocol;
|
||||
|
||||
if (in_interface) {
|
||||
size_t l;
|
||||
|
||||
l = strlen(in_interface);
|
||||
assert(l < sizeof entry->ip.iniface);
|
||||
assert(l < sizeof entry->ip.iniface_mask);
|
||||
|
||||
strcpy(entry->ip.iniface, in_interface);
|
||||
memset(entry->ip.iniface_mask, 0xFF, l + 1);
|
||||
}
|
||||
if (source) {
|
||||
entry->ip.src = source->in;
|
||||
in4_addr_prefixlen_to_netmask(&entry->ip.smsk, source_prefixlen);
|
||||
}
|
||||
|
||||
if (out_interface) {
|
||||
size_t l = strlen(out_interface);
|
||||
assert(l < sizeof entry->ip.outiface);
|
||||
assert(l < sizeof entry->ip.outiface_mask);
|
||||
|
||||
strcpy(entry->ip.outiface, out_interface);
|
||||
memset(entry->ip.outiface_mask, 0xFF, l + 1);
|
||||
}
|
||||
if (destination) {
|
||||
entry->ip.dst = destination->in;
|
||||
in4_addr_prefixlen_to_netmask(&entry->ip.dmsk, destination_prefixlen);
|
||||
}
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int fw_iptables_add_masquerade(
|
||||
bool add,
|
||||
int af,
|
||||
const union in_addr_union *source,
|
||||
unsigned source_prefixlen) {
|
||||
|
||||
static const xt_chainlabel chain = "POSTROUTING";
|
||||
_cleanup_(sym_iptc_freep) struct xtc_handle *h = NULL;
|
||||
struct ipt_entry *entry, *mask;
|
||||
struct ipt_entry_target *t;
|
||||
size_t sz;
|
||||
struct nf_nat_ipv4_multi_range_compat *mr;
|
||||
int r, protocol = 0;
|
||||
const char *out_interface = NULL;
|
||||
const union in_addr_union *destination = NULL;
|
||||
unsigned destination_prefixlen = 0;
|
||||
|
||||
if (af != AF_INET)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
if (!source || source_prefixlen == 0)
|
||||
return -EINVAL;
|
||||
|
||||
r = fw_iptables_init_nat(&h);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
sz = XT_ALIGN(sizeof(struct ipt_entry)) +
|
||||
XT_ALIGN(sizeof(struct ipt_entry_target)) +
|
||||
XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
|
||||
|
||||
/* Put together the entry we want to add or remove */
|
||||
entry = alloca0(sz);
|
||||
entry->next_offset = sz;
|
||||
entry->target_offset = XT_ALIGN(sizeof(struct ipt_entry));
|
||||
r = entry_fill_basics(entry, protocol, NULL, source, source_prefixlen, out_interface, destination, destination_prefixlen);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
/* Fill in target part */
|
||||
t = ipt_get_target(entry);
|
||||
t->u.target_size =
|
||||
XT_ALIGN(sizeof(struct ipt_entry_target)) +
|
||||
XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
|
||||
strncpy(t->u.user.name, "MASQUERADE", sizeof(t->u.user.name));
|
||||
mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
|
||||
mr->rangesize = 1;
|
||||
|
||||
/* Create a search mask entry */
|
||||
mask = alloca_safe(sz);
|
||||
memset(mask, 0xFF, sz);
|
||||
|
||||
if (add) {
|
||||
if (sym_iptc_check_entry(chain, entry, (unsigned char*) mask, h))
|
||||
return 0;
|
||||
if (errno != ENOENT) /* if other error than not existing yet, fail */
|
||||
return -errno;
|
||||
|
||||
if (!sym_iptc_insert_entry(chain, entry, 0, h))
|
||||
return -errno;
|
||||
} else {
|
||||
if (!sym_iptc_delete_entry(chain, entry, (unsigned char*) mask, h)) {
|
||||
if (errno == ENOENT) /* if it's already gone, all is good! */
|
||||
return 0;
|
||||
|
||||
return -errno;
|
||||
}
|
||||
}
|
||||
|
||||
if (!sym_iptc_commit(h))
|
||||
return -errno;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
int fw_iptables_add_local_dnat(
|
||||
bool add,
|
||||
int af,
|
||||
int protocol,
|
||||
uint16_t local_port,
|
||||
const union in_addr_union *remote,
|
||||
uint16_t remote_port,
|
||||
const union in_addr_union *previous_remote) {
|
||||
|
||||
static const xt_chainlabel chain_pre = "PREROUTING", chain_output = "OUTPUT";
|
||||
_cleanup_(sym_iptc_freep) struct xtc_handle *h = NULL;
|
||||
struct ipt_entry *entry, *mask;
|
||||
struct ipt_entry_target *t;
|
||||
struct ipt_entry_match *m;
|
||||
struct xt_addrtype_info_v1 *at;
|
||||
struct nf_nat_ipv4_multi_range_compat *mr;
|
||||
size_t sz, msz;
|
||||
int r;
|
||||
const char *in_interface = NULL;
|
||||
const union in_addr_union *source = NULL;
|
||||
unsigned source_prefixlen = 0;
|
||||
const union in_addr_union *destination = NULL;
|
||||
unsigned destination_prefixlen = 0;
|
||||
|
||||
assert(add || !previous_remote);
|
||||
|
||||
if (af != AF_INET)
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
if (!IN_SET(protocol, IPPROTO_TCP, IPPROTO_UDP))
|
||||
return -EOPNOTSUPP;
|
||||
|
||||
if (local_port <= 0)
|
||||
return -EINVAL;
|
||||
|
||||
if (remote_port <= 0)
|
||||
return -EINVAL;
|
||||
|
||||
r = fw_iptables_init_nat(&h);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
sz = XT_ALIGN(sizeof(struct ipt_entry)) +
|
||||
XT_ALIGN(sizeof(struct ipt_entry_match)) +
|
||||
XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
|
||||
XT_ALIGN(sizeof(struct ipt_entry_target)) +
|
||||
XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
|
||||
|
||||
if (protocol == IPPROTO_TCP)
|
||||
msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
|
||||
XT_ALIGN(sizeof(struct xt_tcp));
|
||||
else
|
||||
msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
|
||||
XT_ALIGN(sizeof(struct xt_udp));
|
||||
|
||||
sz += msz;
|
||||
|
||||
/* Fill in basic part */
|
||||
entry = alloca0(sz);
|
||||
entry->next_offset = sz;
|
||||
entry->target_offset =
|
||||
XT_ALIGN(sizeof(struct ipt_entry)) +
|
||||
XT_ALIGN(sizeof(struct ipt_entry_match)) +
|
||||
XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
|
||||
msz;
|
||||
r = entry_fill_basics(entry, protocol, in_interface, source, source_prefixlen, NULL, destination, destination_prefixlen);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
/* Fill in first match */
|
||||
m = (struct ipt_entry_match*) ((uint8_t*) entry + XT_ALIGN(sizeof(struct ipt_entry)));
|
||||
m->u.match_size = msz;
|
||||
if (protocol == IPPROTO_TCP) {
|
||||
struct xt_tcp *tcp;
|
||||
|
||||
strncpy(m->u.user.name, "tcp", sizeof(m->u.user.name));
|
||||
tcp = (struct xt_tcp*) m->data;
|
||||
tcp->dpts[0] = tcp->dpts[1] = local_port;
|
||||
tcp->spts[0] = 0;
|
||||
tcp->spts[1] = 0xFFFF;
|
||||
|
||||
} else {
|
||||
struct xt_udp *udp;
|
||||
|
||||
strncpy(m->u.user.name, "udp", sizeof(m->u.user.name));
|
||||
udp = (struct xt_udp*) m->data;
|
||||
udp->dpts[0] = udp->dpts[1] = local_port;
|
||||
udp->spts[0] = 0;
|
||||
udp->spts[1] = 0xFFFF;
|
||||
}
|
||||
|
||||
/* Fill in second match */
|
||||
m = (struct ipt_entry_match*) ((uint8_t*) entry + XT_ALIGN(sizeof(struct ipt_entry)) + msz);
|
||||
m->u.match_size =
|
||||
XT_ALIGN(sizeof(struct ipt_entry_match)) +
|
||||
XT_ALIGN(sizeof(struct xt_addrtype_info_v1));
|
||||
strncpy(m->u.user.name, "addrtype", sizeof(m->u.user.name));
|
||||
m->u.user.revision = 1;
|
||||
at = (struct xt_addrtype_info_v1*) m->data;
|
||||
at->dest = XT_ADDRTYPE_LOCAL;
|
||||
|
||||
/* Fill in target part */
|
||||
t = ipt_get_target(entry);
|
||||
t->u.target_size =
|
||||
XT_ALIGN(sizeof(struct ipt_entry_target)) +
|
||||
XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
|
||||
strncpy(t->u.user.name, "DNAT", sizeof(t->u.user.name));
|
||||
mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
|
||||
mr->rangesize = 1;
|
||||
mr->range[0].flags = NF_NAT_RANGE_PROTO_SPECIFIED|NF_NAT_RANGE_MAP_IPS;
|
||||
mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
|
||||
if (protocol == IPPROTO_TCP)
|
||||
mr->range[0].min.tcp.port = mr->range[0].max.tcp.port = htobe16(remote_port);
|
||||
else
|
||||
mr->range[0].min.udp.port = mr->range[0].max.udp.port = htobe16(remote_port);
|
||||
|
||||
mask = alloca0(sz);
|
||||
memset(mask, 0xFF, sz);
|
||||
|
||||
if (add) {
|
||||
/* Add the PREROUTING rule, if it is missing so far */
|
||||
if (!sym_iptc_check_entry(chain_pre, entry, (unsigned char*) mask, h)) {
|
||||
if (errno != ENOENT)
|
||||
return -EINVAL;
|
||||
|
||||
if (!sym_iptc_insert_entry(chain_pre, entry, 0, h))
|
||||
return -errno;
|
||||
}
|
||||
|
||||
/* If a previous remote is set, remove its entry */
|
||||
if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
|
||||
mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;
|
||||
|
||||
if (!sym_iptc_delete_entry(chain_pre, entry, (unsigned char*) mask, h)) {
|
||||
if (errno != ENOENT)
|
||||
return -errno;
|
||||
}
|
||||
|
||||
mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
|
||||
}
|
||||
|
||||
/* Add the OUTPUT rule, if it is missing so far */
|
||||
if (!in_interface) {
|
||||
|
||||
/* Don't apply onto loopback addresses */
|
||||
if (!destination) {
|
||||
entry->ip.dst.s_addr = htobe32(0x7F000000);
|
||||
entry->ip.dmsk.s_addr = htobe32(0xFF000000);
|
||||
entry->ip.invflags = IPT_INV_DSTIP;
|
||||
}
|
||||
|
||||
if (!sym_iptc_check_entry(chain_output, entry, (unsigned char*) mask, h)) {
|
||||
if (errno != ENOENT)
|
||||
return -errno;
|
||||
|
||||
if (!sym_iptc_insert_entry(chain_output, entry, 0, h))
|
||||
return -errno;
|
||||
}
|
||||
|
||||
/* If a previous remote is set, remove its entry */
|
||||
if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
|
||||
mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;
|
||||
|
||||
if (!sym_iptc_delete_entry(chain_output, entry, (unsigned char*) mask, h)) {
|
||||
if (errno != ENOENT)
|
||||
return -errno;
|
||||
}
|
||||
}
|
||||
}
|
||||
} else {
|
||||
if (!sym_iptc_delete_entry(chain_pre, entry, (unsigned char*) mask, h)) {
|
||||
if (errno != ENOENT)
|
||||
return -errno;
|
||||
}
|
||||
|
||||
if (!in_interface) {
|
||||
if (!destination) {
|
||||
entry->ip.dst.s_addr = htobe32(0x7F000000);
|
||||
entry->ip.dmsk.s_addr = htobe32(0xFF000000);
|
||||
entry->ip.invflags = IPT_INV_DSTIP;
|
||||
}
|
||||
|
||||
if (!sym_iptc_delete_entry(chain_output, entry, (unsigned char*) mask, h)) {
|
||||
if (errno != ENOENT)
|
||||
return -errno;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
if (!sym_iptc_commit(h))
|
||||
return -errno;
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int dlopen_iptc(void) {
|
||||
ELF_NOTE_DLOPEN("ip4tc",
|
||||
"Support for firewall rules with iptables backend",
|
||||
ELF_NOTE_DLOPEN_PRIORITY_SUGGESTED,
|
||||
"libip4tc.so.2");
|
||||
|
||||
return dlopen_many_sym_or_warn(
|
||||
&iptc_dl,
|
||||
"libip4tc.so.2", LOG_DEBUG,
|
||||
DLSYM_ARG(iptc_check_entry),
|
||||
DLSYM_ARG(iptc_commit),
|
||||
DLSYM_ARG(iptc_delete_entry),
|
||||
DLSYM_ARG(iptc_free),
|
||||
DLSYM_ARG(iptc_init),
|
||||
DLSYM_ARG(iptc_insert_entry),
|
||||
DLSYM_ARG(iptc_strerror));
|
||||
}
|
||||
|
||||
int fw_iptables_init_nat(struct xtc_handle **ret) {
|
||||
_cleanup_(sym_iptc_freep) struct xtc_handle *h = NULL;
|
||||
int r;
|
||||
|
||||
r = dlopen_iptc();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
h = sym_iptc_init("nat");
|
||||
if (!h)
|
||||
return log_debug_errno(errno, "Failed to init \"nat\" table: %s", sym_iptc_strerror(errno));
|
||||
|
||||
if (ret)
|
||||
*ret = TAKE_PTR(h);
|
||||
|
||||
return 0;
|
||||
}
|
||||
@ -1,64 +0,0 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include "firewall-util.h"
|
||||
#include "forward.h"
|
||||
|
||||
typedef enum FirewallBackend {
|
||||
FW_BACKEND_NONE,
|
||||
#if HAVE_LIBIPTC
|
||||
FW_BACKEND_IPTABLES,
|
||||
#endif
|
||||
FW_BACKEND_NFTABLES,
|
||||
_FW_BACKEND_MAX,
|
||||
_FW_BACKEND_INVALID = -EINVAL,
|
||||
} FirewallBackend;
|
||||
|
||||
struct FirewallContext {
|
||||
FirewallBackend backend;
|
||||
sd_netlink *nfnl;
|
||||
};
|
||||
|
||||
const char* firewall_backend_to_string(FirewallBackend b) _const_;
|
||||
|
||||
int fw_nftables_init(FirewallContext *ctx);
|
||||
int fw_nftables_init_full(FirewallContext *ctx, bool init_tables);
|
||||
void fw_nftables_exit(FirewallContext *ctx);
|
||||
|
||||
int fw_nftables_add_masquerade(
|
||||
FirewallContext *ctx,
|
||||
bool add,
|
||||
int af,
|
||||
const union in_addr_union *source,
|
||||
unsigned source_prefixlen);
|
||||
|
||||
int fw_nftables_add_local_dnat(
|
||||
FirewallContext *ctx,
|
||||
bool add,
|
||||
int af,
|
||||
int protocol,
|
||||
uint16_t local_port,
|
||||
const union in_addr_union *remote,
|
||||
uint16_t remote_port,
|
||||
const union in_addr_union *previous_remote);
|
||||
|
||||
#if HAVE_LIBIPTC
|
||||
struct xtc_handle;
|
||||
|
||||
int fw_iptables_add_masquerade(
|
||||
bool add,
|
||||
int af,
|
||||
const union in_addr_union *source,
|
||||
unsigned source_prefixlen);
|
||||
|
||||
int fw_iptables_add_local_dnat(
|
||||
bool add,
|
||||
int af,
|
||||
int protocol,
|
||||
uint16_t local_port,
|
||||
const union in_addr_union *remote,
|
||||
uint16_t remote_port,
|
||||
const union in_addr_union *previous_remote);
|
||||
|
||||
int fw_iptables_init_nat(struct xtc_handle **ret);
|
||||
#endif
|
||||
@ -4,25 +4,15 @@
|
||||
#include "conf-parser-forward.h"
|
||||
#include "forward.h"
|
||||
|
||||
typedef struct FirewallContext FirewallContext;
|
||||
|
||||
int fw_ctx_new(FirewallContext **ret);
|
||||
int fw_ctx_new_full(FirewallContext **ret, bool init_tables);
|
||||
FirewallContext *fw_ctx_free(FirewallContext *ctx);
|
||||
|
||||
DEFINE_TRIVIAL_CLEANUP_FUNC(FirewallContext *, fw_ctx_free);
|
||||
|
||||
size_t fw_ctx_get_reply_callback_count(FirewallContext *ctx);
|
||||
|
||||
int fw_add_masquerade(
|
||||
FirewallContext **ctx,
|
||||
int fw_nftables_add_masquerade(
|
||||
sd_netlink *nfnl,
|
||||
bool add,
|
||||
int af,
|
||||
const union in_addr_union *source,
|
||||
unsigned source_prefixlen);
|
||||
|
||||
int fw_add_local_dnat(
|
||||
FirewallContext **ctx,
|
||||
int fw_nftables_add_local_dnat(
|
||||
sd_netlink *nfnl,
|
||||
bool add,
|
||||
int af,
|
||||
int protocol,
|
||||
@ -64,7 +54,7 @@ const char* nft_set_source_to_string(int i) _const_;
|
||||
int nft_set_source_from_string(const char *s) _pure_;
|
||||
|
||||
int nft_set_element_modify_iprange(
|
||||
FirewallContext *ctx,
|
||||
sd_netlink *nfnl,
|
||||
bool add,
|
||||
int nfproto,
|
||||
int af,
|
||||
@ -74,7 +64,7 @@ int nft_set_element_modify_iprange(
|
||||
unsigned source_prefixlen);
|
||||
|
||||
int nft_set_element_modify_ip(
|
||||
FirewallContext *ctx,
|
||||
sd_netlink *nfnl,
|
||||
bool add,
|
||||
int nfproto,
|
||||
int af,
|
||||
@ -83,7 +73,7 @@ int nft_set_element_modify_ip(
|
||||
const union in_addr_union *source);
|
||||
|
||||
int nft_set_element_modify_any(
|
||||
FirewallContext *ctx,
|
||||
sd_netlink *nfnl,
|
||||
bool add,
|
||||
int nfproto,
|
||||
const char *table,
|
||||
|
||||
@ -6,7 +6,6 @@
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "argv-util.h"
|
||||
#include "cgroup-util.h"
|
||||
#include "dropin.h"
|
||||
#include "escape.h"
|
||||
#include "fd-util.h"
|
||||
|
||||
@ -5,7 +5,6 @@
|
||||
|
||||
#include "btrfs-util.h"
|
||||
#include "errno-util.h"
|
||||
#include "fs-util.h"
|
||||
#include "label-util.h"
|
||||
#include "selinux-util.h"
|
||||
#include "smack-util.h"
|
||||
|
||||
@ -2,7 +2,6 @@
|
||||
|
||||
#include <linux/audit.h>
|
||||
#include <linux/netlink.h>
|
||||
#include <stdio.h>
|
||||
#include <sys/socket.h>
|
||||
|
||||
#include "errno-util.h"
|
||||
@ -12,6 +11,32 @@
|
||||
#include "log.h"
|
||||
#include "socket-util.h"
|
||||
|
||||
#if HAVE_AUDIT
|
||||
static void *libaudit_dl = NULL;
|
||||
|
||||
static DLSYM_PROTOTYPE(audit_close) = NULL;
|
||||
DLSYM_PROTOTYPE(audit_log_acct_message) = NULL;
|
||||
DLSYM_PROTOTYPE(audit_log_user_avc_message) = NULL;
|
||||
DLSYM_PROTOTYPE(audit_log_user_comm_message) = NULL;
|
||||
static DLSYM_PROTOTYPE(audit_open) = NULL;
|
||||
|
||||
int dlopen_libaudit(void) {
|
||||
ELF_NOTE_DLOPEN("libaudit",
|
||||
"Support for Audit loggging",
|
||||
ELF_NOTE_DLOPEN_PRIORITY_RECOMMENDED,
|
||||
"libaudit.so.1");
|
||||
|
||||
return dlopen_many_sym_or_warn(
|
||||
&libaudit_dl,
|
||||
"libaudit.so.1",
|
||||
LOG_DEBUG,
|
||||
DLSYM_ARG(audit_close),
|
||||
DLSYM_ARG(audit_log_acct_message),
|
||||
DLSYM_ARG(audit_log_user_avc_message),
|
||||
DLSYM_ARG(audit_log_user_comm_message),
|
||||
DLSYM_ARG(audit_open));
|
||||
}
|
||||
|
||||
static int try_audit_request(int fd) {
|
||||
struct iovec iov;
|
||||
struct msghdr mh;
|
||||
@ -49,14 +74,19 @@ static int try_audit_request(int fd) {
|
||||
|
||||
return msg.err.error;
|
||||
}
|
||||
#endif
|
||||
|
||||
bool use_audit(void) {
|
||||
#if HAVE_AUDIT
|
||||
static int cached_use = -1;
|
||||
int r;
|
||||
|
||||
if (cached_use >= 0)
|
||||
return cached_use;
|
||||
|
||||
if (dlopen_libaudit() < 0)
|
||||
return (cached_use = false);
|
||||
|
||||
_cleanup_close_ int fd = socket(AF_NETLINK, SOCK_RAW|SOCK_CLOEXEC|SOCK_NONBLOCK, NETLINK_AUDIT);
|
||||
if (fd < 0) {
|
||||
cached_use = !ERRNO_IS_PRIVILEGE(errno) && !ERRNO_IS_NOT_SUPPORTED(errno);
|
||||
@ -83,12 +113,15 @@ bool use_audit(void) {
|
||||
}
|
||||
|
||||
return cached_use;
|
||||
#else
|
||||
return false;
|
||||
#endif
|
||||
}
|
||||
|
||||
int close_audit_fd(int fd) {
|
||||
#if HAVE_AUDIT
|
||||
if (fd >= 0)
|
||||
audit_close(fd);
|
||||
sym_audit_close(fd);
|
||||
#else
|
||||
assert(fd < 0);
|
||||
#endif
|
||||
@ -97,8 +130,14 @@ int close_audit_fd(int fd) {
|
||||
|
||||
int open_audit_fd_or_warn(void) {
|
||||
#if HAVE_AUDIT
|
||||
int r;
|
||||
|
||||
r = dlopen_libaudit();
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
/* If the kernel lacks netlink or audit support, don't worry about it. */
|
||||
int fd = audit_open();
|
||||
int fd = sym_audit_open();
|
||||
if (fd < 0)
|
||||
return log_full_errno(ERRNO_IS_NOT_SUPPORTED(errno) ? LOG_DEBUG : LOG_WARNING,
|
||||
errno, "Failed to connect to audit log, ignoring: %m");
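Review bot: The ELF_NOTE_DLOPEN description in dlopen_libaudit() misspells "logging" as `"Support for Audit loggging"`; this string is emitted into the binary's dlopen note metadata that packaging tooling reads, so it should read `"Support for audit logging"`. Separately, close_audit_fd() now calls `sym_audit_close(fd)` whenever fd >= 0 without checking that dlopen_libaudit() ever succeeded, which is only safe because every such fd presumably came from sym_audit_open() after a successful load; an `assert(sym_audit_close);` before the call, or a comment stating that invariant, would make the dependency explicit. The body of open_audit_fd_or_warn() continues past the end of the hunk.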
|
||||
|
||||
@ -1,11 +1,19 @@
|
||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
||||
#pragma once
|
||||
|
||||
#include "forward.h"
|
||||
|
||||
#if HAVE_AUDIT
|
||||
# include <libaudit.h> /* IWYU pragma: export */
|
||||
#endif
|
||||
|
||||
#include "forward.h"
|
||||
# include "dlfcn-util.h"
|
||||
|
||||
extern DLSYM_PROTOTYPE(audit_log_acct_message);
|
||||
extern DLSYM_PROTOTYPE(audit_log_user_avc_message);
|
||||
extern DLSYM_PROTOTYPE(audit_log_user_comm_message);
|
||||
|
||||
int dlopen_libaudit(void);
|
||||
#endif
|
||||
|
||||
bool use_audit(void);
|
||||
|
||||
|
||||
@ -2,7 +2,6 @@
|
||||
|
||||
#include <grp.h>
|
||||
#include <pwd.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "alloc-util.h"
|
||||
#include "chase.h"
|
||||
|
||||
@ -5,11 +5,12 @@
|
||||
#include "escape.h"
|
||||
#include "extract-word.h"
|
||||
#include "fileio.h"
|
||||
#include "iovec-util.h"
|
||||
#include "log.h"
|
||||
#include "machine-credential.h"
|
||||
#include "memory-util.h"
|
||||
#include "path-util.h"
|
||||
#include "string-util-fundamental.h"
|
||||
#include "string-util.h"
|
||||
|
||||
static void machine_credential_done(MachineCredential *cred) {
|
||||
assert(cred);
|
||||
@ -28,74 +29,118 @@ void machine_credential_context_done(MachineCredentialContext *ctx) {
|
||||
free(ctx->credentials);
|
||||
}
|
||||
|
||||
bool machine_credentials_contains(const MachineCredentialContext *ctx, const char *id) {
|
||||
MachineCredential* machine_credential_find(MachineCredentialContext *ctx, const char *id) {
|
||||
assert(ctx);
|
||||
assert(id);
|
||||
|
||||
FOREACH_ARRAY(cred, ctx->credentials, ctx->n_credentials)
|
||||
if (streq(cred->id, id))
|
||||
return true;
|
||||
return cred;
|
||||
|
||||
return false;
|
||||
return NULL;
|
||||
}
|
||||
|
||||
int machine_credential_set(MachineCredentialContext *ctx, const char *cred_str) {
|
||||
int machine_credential_add(
|
||||
MachineCredentialContext *ctx,
|
||||
const char *id,
|
||||
const char *value,
|
||||
size_t size) {
|
||||
|
||||
assert(ctx);
|
||||
assert(id);
|
||||
assert(value || size == 0);
|
||||
|
||||
if (!credential_name_valid(id))
|
||||
return -EINVAL;
|
||||
|
||||
if (machine_credential_find(ctx, id))
|
||||
return -EEXIST;
|
||||
|
||||
if (size == SIZE_MAX)
|
||||
size = strlen_ptr(value);
|
||||
|
||||
_cleanup_(machine_credential_done) MachineCredential cred = {};
|
||||
ssize_t l;
|
||||
cred.id = strdup(id);
|
||||
if (!cred.id)
|
||||
return -ENOMEM;
|
||||
|
||||
cred.data = memdup(value, size);
|
||||
if (!cred.data)
|
||||
return -ENOMEM;
|
||||
|
||||
cred.size = size;
|
||||
|
||||
if (!GREEDY_REALLOC(ctx->credentials, ctx->n_credentials + 1))
|
||||
return -ENOMEM;
|
||||
|
||||
ctx->credentials[ctx->n_credentials++] = TAKE_STRUCT(cred);
|
||||
return 0;
|
||||
}
|
||||
|
||||
static int machine_credential_add_and_log(
|
||||
MachineCredentialContext *ctx,
|
||||
const char *id,
|
||||
const char *value,
|
||||
size_t size) {
|
||||
|
||||
int r;
|
||||
|
||||
assert(ctx);
|
||||
assert(id);
|
||||
assert(value || size == 0);
|
||||
|
||||
r = machine_credential_add(ctx, id, value, size);
|
||||
if (r == -EEXIST)
|
||||
return log_error_errno(r, "Duplicated credential '%s', refusing.", id);
|
||||
if (r == -EINVAL)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name is not valid: %s", id);
|
||||
if (r == -ENOMEM)
|
||||
return log_oom();
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to add credential '%s': %m", id);
|
||||
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
||||
int machine_credential_set(MachineCredentialContext *ctx, const char *cred_str) {
|
||||
int r;
|
||||
|
||||
assert(ctx);
|
||||
|
||||
const char *p = ASSERT_PTR(cred_str);
|
||||
|
||||
r = extract_first_word(&p, &cred.id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
|
||||
_cleanup_free_ char *id = NULL;
|
||||
r = extract_first_word(&p, &id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to parse --set-credential= parameter: %m");
|
||||
if (r == 0 || !p)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"Missing value for --set-credential=: %s", cred_str);
|
||||
|
||||
if (!credential_name_valid(cred.id))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name is not valid: %s", cred.id);
|
||||
|
||||
if (machine_credentials_contains(ctx, cred.id))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Duplicate credential '%s', refusing.", cred.id);
|
||||
|
||||
l = cunescape(p, UNESCAPE_ACCEPT_NUL, &cred.data);
|
||||
_cleanup_free_ char *data = NULL;
|
||||
ssize_t l;
|
||||
l = cunescape(p, UNESCAPE_ACCEPT_NUL, &data);
|
||||
if (l < 0)
|
||||
return log_error_errno(l, "Failed to unescape credential data: %s", p);
|
||||
cred.size = l;
|
||||
|
||||
if (!GREEDY_REALLOC(ctx->credentials, ctx->n_credentials + 1))
|
||||
return log_oom();
|
||||
|
||||
ctx->credentials[ctx->n_credentials++] = TAKE_STRUCT(cred);
|
||||
|
||||
return 0;
|
||||
return machine_credential_add_and_log(ctx, id, data, l);
|
||||
}
|
||||
|
||||
int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path) {
|
||||
_cleanup_(machine_credential_done) MachineCredential cred = {};
|
||||
_cleanup_free_ char *path_alloc = NULL;
|
||||
ReadFullFileFlags flags = READ_FULL_FILE_SECURE;
|
||||
int r;
|
||||
|
||||
assert(ctx);
|
||||
|
||||
const char *p = ASSERT_PTR(cred_path);
|
||||
|
||||
r = extract_first_word(&p, &cred.id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
|
||||
_cleanup_free_ char *id = NULL;
|
||||
r = extract_first_word(&p, &id, ":", EXTRACT_DONT_COALESCE_SEPARATORS);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to parse --load-credential= parameter: %m");
|
||||
if (r == 0 || !p)
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Missing value for --load-credential=: %s", cred_path);
|
||||
|
||||
if (!credential_name_valid(cred.id))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Credential name is not valid: %s", cred.id);
|
||||
|
||||
if (machine_credentials_contains(ctx, cred.id))
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EEXIST), "Duplicate credential '%s', refusing.", cred.id);
|
||||
|
||||
ReadFullFileFlags flags = READ_FULL_FILE_SECURE;
|
||||
_cleanup_free_ char *path_alloc = NULL;
|
||||
if (is_path(p) && path_is_valid(p))
|
||||
flags |= READ_FULL_FILE_CONNECT_SOCKET;
|
||||
else if (credential_name_valid(p)) {
|
||||
@ -103,8 +148,7 @@ int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path
|
||||
|
||||
r = get_credentials_dir(&e);
|
||||
if (r < 0)
|
||||
return log_error_errno(r,
|
||||
"Credential not available (no credentials passed at all): %s", cred.id);
|
||||
return log_error_errno(r, "Credential not available (no credentials passed at all): %s", p);
|
||||
|
||||
path_alloc = path_join(e, p);
|
||||
if (!path_alloc)
|
||||
@ -115,17 +159,16 @@ int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path
|
||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
|
||||
"Credential source appears to be neither a valid path nor a credential name: %s", p);
|
||||
|
||||
r = read_full_file_full(AT_FDCWD, p, UINT64_MAX, SIZE_MAX,
|
||||
_cleanup_(iovec_done_erase) struct iovec iov = {};
|
||||
r = read_full_file_full(
|
||||
AT_FDCWD, p,
|
||||
/* offset= */ UINT64_MAX,
|
||||
/* size= */ SIZE_MAX,
|
||||
flags,
|
||||
NULL,
|
||||
&cred.data, &cred.size);
|
||||
/* bind_name= */ NULL,
|
||||
(char**) &iov.iov_base, &iov.iov_len);
|
||||
if (r < 0)
|
||||
return log_error_errno(r, "Failed to read credential '%s': %m", p);
|
||||
|
||||
if (!GREEDY_REALLOC(ctx->credentials, ctx->n_credentials + 1))
|
||||
return log_oom();
|
||||
|
||||
ctx->credentials[ctx->n_credentials++] = TAKE_STRUCT(cred);
|
||||
|
||||
return 0;
|
||||
return machine_credential_add_and_log(ctx, id, iov.iov_base, iov.iov_len);
|
||||
}
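Review bot: In machine_credential_set() the unescaped credential value lives in `_cleanup_free_ char *data` and is therefore freed without being scrubbed, whereas machine_credential_load() in the same commit reads file-backed credentials into an `iovec_done_erase` buffer; for consistency the command-line value should be erased too, e.g. `_cleanup_(erase_and_freep) char *data = NULL;` (memory-util.h, included above, presumably provides erase_and_freep — verify). The memdup() copy that machine_credential_add() keeps in its local `cred` has the same question on the GREEDY_REALLOC failure path, where it is released through machine_credential_done(), whose body starts outside the hunk, so whether cred.data is erased there cannot be confirmed from this view. The original argv stays readable in /proc regardless, so this is defence in depth rather than a leak fix.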
|
||||
|
||||
@ -16,7 +16,8 @@ typedef struct MachineCredentialContext {
|
||||
|
||||
void machine_credential_context_done(MachineCredentialContext *ctx);
|
||||
|
||||
bool machine_credentials_contains(const MachineCredentialContext *ctx, const char *id);
|
||||
MachineCredential* machine_credential_find(MachineCredentialContext *ctx, const char *id);
|
||||
|
||||
int machine_credential_add(MachineCredentialContext *ctx, const char *id, const char *value, size_t size);
|
||||
int machine_credential_set(MachineCredentialContext *ctx, const char *cred_str);
|
||||
int machine_credential_load(MachineCredentialContext *ctx, const char *cred_path);
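Review bot: The new declaration `int machine_credential_add(MachineCredentialContext *ctx, const char *id, const char *value, size_t size);` is undocumented even though its size argument carries a sentinel: the implementation in this commit treats size == SIZE_MAX as "value is a NUL-terminated string, use strlen()" and accepts a NULL value only when size is 0. A comment on the declaration such as `/* Copies value into ctx under id; size == SIZE_MAX means value is a NUL-terminated string. Returns -EEXIST if id is already present, -EINVAL if id is not a valid credential name. */` would keep callers from passing an unrelated length or NULL by accident.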
|
||||
|
||||
@ -76,7 +76,6 @@ shared_sources = files(
|
||||
'fdset.c',
|
||||
'fido2-util.c',
|
||||
'find-esp.c',
|
||||
'firewall-util-nft.c',
|
||||
'firewall-util.c',
|
||||
'fork-notify.c',
|
||||
'format-table.c',
|
||||
@ -249,10 +248,6 @@ if conf.get('ENABLE_UTMP') == 1
|
||||
shared_sources += files('utmp-wtmp.c')
|
||||
endif
|
||||
|
||||
if conf.get('HAVE_LIBIPTC') == 1
|
||||
shared_sources += files('firewall-util-iptables.c')
|
||||
endif
|
||||
|
||||
if conf.get('HAVE_LIBBPF') == 1
|
||||
shared_sources += files('bpf-link.c')
|
||||
endif
|
||||
@ -317,13 +312,12 @@ libshared_name = 'systemd-shared-@0@'.format(shared_lib_tag)
|
||||
|
||||
libshared_deps = [threads,
|
||||
libacl,
|
||||
libaudit,
|
||||
libaudit_cflags,
|
||||
libblkid,
|
||||
libcap,
|
||||
libcrypt,
|
||||
libdl,
|
||||
libgcrypt_cflags,
|
||||
libiptc_cflags,
|
||||
libkmod_cflags,
|
||||
liblz4_cflags,
|
||||
libmount,
|
||||
|
||||
@ -1726,12 +1726,14 @@ int openssl_load_private_key(
|
||||
|
||||
assert(private_key);
|
||||
assert(request);
|
||||
assert(ret_private_key);
|
||||
|
||||
if (private_key_source_type == OPENSSL_KEY_SOURCE_FILE) {
|
||||
r = openssl_load_private_key_from_file(private_key, ret_private_key);
|
||||
if (r < 0)
|
||||
return r;
|
||||
|
||||
if (ret_user_interface)
|
||||
*ret_user_interface = NULL;
|
||||
} else {
|
||||
_cleanup_(openssl_ask_password_ui_freep) OpenSSLAskPasswordUI *ui = NULL;
|
||||
@ -1757,6 +1759,7 @@ int openssl_load_private_key(
|
||||
private_key,
|
||||
private_key_source);
|
||||
|
||||
if (ret_user_interface)
|
||||
*ret_user_interface = TAKE_PTR(ui);
|
||||
}
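Review bot: Making ret_user_interface optional changes the lifetime of the UI object: when the caller passes NULL, `ui` is released by its cleanup attribute as soon as openssl_load_private_key() returns, whereas a caller that passes a pointer takes ownership via TAKE_PTR(). If a provider- or engine-backed key can still invoke the UI after loading (not visible from this hunk), a NULL caller would leave the key referencing freed memory, so the `if (ret_user_interface)` lines deserve a comment such as `/* If the caller does not want the UI it is freed on return; pass a pointer whenever the key may prompt again later. */`, or an explicit statement that the loaded key holds no reference to it. The function begins and ends outside the hunk.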
|
||||
|
||||
|
||||
@ -14,7 +14,6 @@
|
||||
#include "errno-util.h"
|
||||
#include "fd-util.h"
|
||||
#include "fileio.h"
|
||||
#include "fs-util.h"
|
||||
#include "log.h"
|
||||
#include "path-util.h"
|
||||
#include "pretty-print.h"
|
||||
|
||||
@ -3,8 +3,6 @@
|
||||
#include <sched.h>
|
||||
#include <stdlib.h>
|
||||
#include <sys/mman.h>
|
||||
#include <sys/prctl.h>
|
||||
#include <sys/wait.h>
|
||||
#include <unistd.h>
|
||||
|
||||
#include "sd-bus.h"
|
||||
|
||||
@ -116,7 +116,7 @@ static SD_VARLINK_DEFINE_ERROR(DeniedByImagePolicy);
|
||||
static SD_VARLINK_DEFINE_ERROR(KeyNotFound);
|
||||
static SD_VARLINK_DEFINE_ERROR(VerityFailure);
|
||||
static SD_VARLINK_DEFINE_ERROR(BadFileDescriptorFlags,
|
||||
SD_VARLINK_FIELD_COMMENT("Name of the parameter referencing the file descriptor with one or more bad flag."),
|
||||
SD_VARLINK_FIELD_COMMENT("Name of the parameter referencing the file descriptor with one or more bad flags."),
|
||||
SD_VARLINK_DEFINE_FIELD(parameter, SD_VARLINK_STRING, 0));
|
||||
|
||||
SD_VARLINK_DEFINE_INTERFACE(
|
||||
|
||||
@ -455,7 +455,13 @@ static SD_VARLINK_DEFINE_STRUCT_TYPE(
|
||||
SD_VARLINK_FIELD_COMMENT("The total number of bytes written to block devices by the cgroup"),
|
||||
SD_VARLINK_DEFINE_FIELD(IOWriteBytes, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
|
||||
SD_VARLINK_FIELD_COMMENT("The total number of write operations performed on block devices by the cgroup"),
|
||||
SD_VARLINK_DEFINE_FIELD(IOWriteOperations, SD_VARLINK_INT, SD_VARLINK_NULLABLE));
|
||||
SD_VARLINK_DEFINE_FIELD(IOWriteOperations, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
|
||||
|
||||
/* OOM */
|
||||
SD_VARLINK_FIELD_COMMENT("The number of processes of this unit killed by the kernel OOM killer"),
|
||||
SD_VARLINK_DEFINE_FIELD(OOMKills, SD_VARLINK_INT, SD_VARLINK_NULLABLE),
|
||||
SD_VARLINK_FIELD_COMMENT("The number of processes of this unit killed by systemd-oomd"),
|
||||
SD_VARLINK_DEFINE_FIELD(ManagedOOMKills, SD_VARLINK_INT, SD_VARLINK_NULLABLE));
|
||||
|
||||
static SD_VARLINK_DEFINE_STRUCT_TYPE(
|
||||
UnitRuntime,
|
||||
|
||||
@ -11,7 +11,6 @@
|
||||
#include "strv.h"
|
||||
#include "systemctl.h"
|
||||
#include "systemctl-compat-shutdown.h"
|
||||
#include "systemctl-logind.h"
|
||||
#include "time-util.h"
|
||||
|
||||
static int shutdown_help(void) {
|
||||
|
||||
@ -6,12 +6,9 @@
|
||||
#include "sd-daemon.h"
|
||||
|
||||
#include "build.h"
|
||||
#include "chase.h"
|
||||
#include "conf-files.h"
|
||||
#include "constants.h"
|
||||
#include "dirent-util.h"
|
||||
#include "dissect-image.h"
|
||||
#include "fd-util.h"
|
||||
#include "format-table.h"
|
||||
#include "glyph-util.h"
|
||||
#include "hexdecoct.h"
|
||||
|
||||