test: accept that char device 0/0 can now be created witout privileges

Fixes: #16721
hwdb: ACCEL_MOUNT_MATRIX quirk for Acer SP111-32*
2020-08-17 19:28:32 +02:00 · 2020-08-17 18:57:53 +02:00 · 2020-08-17 18:56:42 +02:00 · 2020-08-17 18:55:59 +02:00 · 2020-08-17 18:32:51 +02:00 · 2020-08-17 18:30:24 +02:00
11 changed files with 50 additions and 42 deletions
--- a/factory/etc/nsswitch.conf
+++ b/factory/etc/nsswitch.conf
@ -4,7 +4,7 @@ passwd:         compat systemd
 group:          compat [SUCCESS=merge] systemd
 shadow:         compat
-hosts:          files mymachines resolve [!UNAVAIL=return] dns myhostname
+hosts:          mymachines resolve [!UNAVAIL=return] files myhostname dns
 networks:       files
 protocols:      db files
--- a/hwdb.d/60-sensor.hwdb
+++ b/hwdb.d/60-sensor.hwdb
@ -90,6 +90,7 @@ sensor:modalias:acpi:KIOX0009*:dmi:*:svnAcer:pnOneS1003:*
 sensor:modalias:acpi:BOSC0200*:dmi:*:svnAcer*:pnSwitchSW312-31:*
 ACCEL_MOUNT_MATRIX=0, -1, 0; -1, 0, 0; 0, 0, 1
 sensor:modalias:acpi:BOSC0200*:dmi:*svn*Acer*:*pn*Spin*SP111-32*
 sensor:modalias:acpi:BOSC0200*:dmi:*svn*Acer*:*pn*Spin*SP111-33*
 ACCEL_MOUNT_MATRIX=0, 1, 0; 1, 0, 0; 0, 0, 1
--- a/man/nss-myhostname.xml
+++ b/man/nss-myhostname.xml
@ -67,12 +67,12 @@
    <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>
    <para>It is recommended to place <literal>myhostname</literal> either between <literal>resolve</literal>
-    and "traditional" modules like <literal>files</literal> and <literal>dns</literal>, or after them. In the
+    and "traditional" modules like <literal>dns</literal>, or after them. In the first version, well-known
-    first version, well-known names like <literal>localhost</literal> and the machine hostname are given
+    names like <literal>localhost</literal> and the machine hostname are given higher priority than the
-    higher priority than the external configuration. This is recommended when the external DNS servers and
+    external configuration. This is recommended when the external DNS servers and network are not absolutely
-    network are not absolutely trusted. In the second version, external configuration is given higher
+    trusted. In the second version, external configuration is given higher priority and
-    priority and <command>nss-myhostname</command> only provides a fallback mechanism. This might be suitable
+    <command>nss-myhostname</command> only provides a fallback mechanism. This might be suitable in closely
-    in closely controlled networks, for example on a company LAN.</para>
+    controlled networks, for example on a company LAN.</para>
  </refsect1>
  <refsect1>
@ -83,11 +83,11 @@
    <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
 <programlisting>passwd:         compat systemd
-group:          compat systemd
+group:          compat [SUCCESS=merge] systemd
 shadow:         compat
-# Either (untrusted network):
+# Either (untrusted network, see above):
-hosts:          mymachines resolve [!UNAVAIL=return] <command>myhostname</command> files dns
+hosts:          mymachines resolve [!UNAVAIL=return] files <command>myhostname</command> dns
 # Or (only trusted networks):
 hosts:          mymachines resolve [!UNAVAIL=return] files dns <command>myhostname</command>
 networks:       files
--- a/man/nss-mymachines.xml
+++ b/man/nss-mymachines.xml
@ -42,10 +42,10 @@
    <para>To activate the NSS module, add <literal>mymachines</literal> to the line starting with
    <literal>hosts:</literal> in <filename>/etc/nsswitch.conf</filename>.</para>
-    <para>It is recommended to place <literal>mymachines</literal> after the <literal>files</literal> or
+    <para>It is recommended to place <literal>mymachines</literal> before the <literal>resolve</literal> or
-    <literal>compat</literal> entry of the <filename>/etc/nsswitch.conf</filename> line to make sure that its
+    <literal>dns</literal> entry of the <literal>hosts:</literal> line of
-    mappings are preferred over other resolvers such as DNS, but so that <filename>/etc/hosts</filename>
+    <filename>/etc/nsswitch.conf</filename> in order to make sure that its mappings are preferred over other
-    based mappings take precedence.</para>
+    resolvers such as DNS.</para>
  </refsect1>
  <refsect1>
@ -56,10 +56,10 @@
    <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
    <programlisting>passwd:         compat systemd
-group:          compat systemd
+group:          compat [SUCCESS=merge] systemd
 shadow:         compat
-hosts:          <command>mymachines</command> resolve [!UNAVAIL=return] myhostname files dns
+hosts:          <command>mymachines</command> resolve [!UNAVAIL=return] files myhostname dns
 networks:       files
 protocols:      db files
--- a/man/nss-resolve.xml
+++ b/man/nss-resolve.xml
@ -44,14 +44,12 @@
    <literal>dns</literal> somewhere after <literal>resolve</literal>, to fall back to
    <command>nss-dns</command> if <filename>systemd-resolved.service</filename> is not available.</para>
-    <para>Note that <command>systemd-resolved</command> will synthesize DNS resource
+    <para>Note that <command>systemd-resolved</command> will synthesize DNS resource records in a few cases,
-    records in a few cases, for example for <literal>localhost</literal> and the
+    for example for <literal>localhost</literal> and the current local hostname, see
-    current hostname, see
+    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry> for
-    <citerefentry><refentrytitle>systemd-resolved</refentrytitle><manvolnum>8</manvolnum></citerefentry>
+    the full list. This duplicates the functionality of
-    for the full list. This duplicates the functionality of
+    <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>, but
-    <citerefentry><refentrytitle>nss-myhostname</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
+    it is still recommended (see examples below) to keep <command>nss-myhostname</command> configured in
    but it is still recommended (see examples below) to keep
    <command>nss-myhostname</command> configured in
    <filename>/etc/nsswitch.conf</filename>, to keep those names resolveable if
    <command>systemd-resolved</command> is not running.</para>
  </refsect1>
@ -64,10 +62,10 @@
    <!-- synchronize with other nss-* man pages and factory/etc/nsswitch.conf -->
 <programlisting>passwd:         compat systemd
-group:          compat systemd
+group:          compat [SUCCESS=merge] systemd
 shadow:         compat
-hosts:          mymachines <command>resolve [!UNAVAIL=return]</command> myhostname files dns
+hosts:          mymachines <command>resolve [!UNAVAIL=return]</command> files myhostname dns
 networks:       files
 protocols:      db files
--- a/man/nss-systemd.xml
+++ b/man/nss-systemd.xml
@ -65,7 +65,7 @@
 group:          compat [SUCCESS=merge] <command>systemd</command>
 shadow:         compat
-hosts:          mymachines resolve [!UNAVAIL=return] myhostname files dns
+hosts:          mymachines resolve [!UNAVAIL=return] files myhostname dns
 networks:       files
 protocols:      db files
--- a/src/shared/socket-netlink.c
+++ b/src/shared/socket-netlink.c
@ -464,7 +464,14 @@ struct in_addr_full *in_addr_full_free(struct in_addr_full *a) {
        return mfree(a);
 }
-int in_addr_full_new(int family, union in_addr_union *a, uint16_t port, int ifindex, const char *server_name, struct in_addr_full **ret) {
+int in_addr_full_new(
                int family,
                const union in_addr_union *a,
                uint16_t port,
                int ifindex,
                const char *server_name,
                struct in_addr_full **ret) {
        _cleanup_free_ char *name = NULL;
        struct in_addr_full *x;
--- a/src/shared/socket-netlink.h
+++ b/src/shared/socket-netlink.h
@ -45,6 +45,6 @@ struct in_addr_full {
 struct in_addr_full *in_addr_full_free(struct in_addr_full *a);
 DEFINE_TRIVIAL_CLEANUP_FUNC(struct in_addr_full*, in_addr_full_free);
-int in_addr_full_new(int family, union in_addr_union *a, uint16_t port, int ifindex, const char *server_name, struct in_addr_full **ret);
+int in_addr_full_new(int family, const union in_addr_union *a, uint16_t port, int ifindex, const char *server_name, struct in_addr_full **ret);
 int in_addr_full_new_from_string(const char *s, struct in_addr_full **ret);
 const char *in_addr_full_to_string(struct in_addr_full *a);
--- a/src/test/test-fs-util.c
+++ b/src/test/test-fs-util.c
@ -615,8 +615,8 @@ static void test_touch_file(void) {
        assert_se(timespec_load(&st.st_mtim) == test_mtime);
        if (geteuid() == 0) {
-                a = strjoina(p, "/cdev");
+                a = strjoina(p, "/bdev");
-                r = mknod(a, 0775 | S_IFCHR, makedev(0, 0));
+                r = mknod(a, 0775 | S_IFBLK, makedev(0, 0));
                if (r < 0 && errno == EPERM && detect_container() > 0) {
                        log_notice("Running in unprivileged container? Skipping remaining tests in %s", __func__);
                        return;
@ -626,17 +626,17 @@ static void test_touch_file(void) {
                assert_se(lstat(a, &st) >= 0);
                assert_se(st.st_uid == test_uid);
                assert_se(st.st_gid == test_gid);
-                assert_se(S_ISCHR(st.st_mode));
+                assert_se(S_ISBLK(st.st_mode));
                assert_se((st.st_mode & 0777) == 0640);
                assert_se(timespec_load(&st.st_mtim) == test_mtime);
-                a = strjoina(p, "/bdev");
+                a = strjoina(p, "/cdev");
-                assert_se(mknod(a, 0775 | S_IFBLK, makedev(0, 0)) >= 0);
+                assert_se(mknod(a, 0775 | S_IFCHR, makedev(0, 0)) >= 0);
                assert_se(touch_file(a, false, test_mtime, test_uid, test_gid, 0640) >= 0);
                assert_se(lstat(a, &st) >= 0);
                assert_se(st.st_uid == test_uid);
                assert_se(st.st_gid == test_gid);
-                assert_se(S_ISBLK(st.st_mode));
+                assert_se(S_ISCHR(st.st_mode));
                assert_se((st.st_mode & 0777) == 0640);
                assert_se(timespec_load(&st.st_mtim) == test_mtime);
        }
@ -850,11 +850,12 @@ static void test_path_is_encrypted_one(const char *p, int expect) {
        int r;
        r = path_is_encrypted(p);
-        if (r == -ENOENT) /* This might fail, if btrfs is used and we run in a container. In that case we
+        if (r == -ENOENT || ERRNO_IS_PRIVILEGE(r)) /* This might fail, if btrfs is used and we run in a
-                           * cannot resolve the device node paths that BTRFS_IOC_DEV_INFO returns, because
+                           * container. In that case we cannot resolve the device node paths that
-                           * the device nodes are unlikely to exist in the container. But if we can't stat()
+                           * BTRFS_IOC_DEV_INFO returns, because the device nodes are unlikely to exist in
-                           * them we cannot determine the dev_t of them, and thus cannot figure out if they
+                           * the container. But if we can't stat() them we cannot determine the dev_t of
-                           * are enrypted. Hence let's just ignore ENOENT here. */
+                           * them, and thus cannot figure out if they are enrypted. Hence let's just ignore
                           * ENOENT here. Also skip the test if we lack privileges. */
                return;
        assert_se(r >= 0);
--- a/src/test/test-stat-util.c
+++ b/src/test/test-stat-util.c
@ -148,7 +148,7 @@ static void test_device_path_make_canonical(void) {
        test_device_path_make_canonical_one("/dev/urandom");
        test_device_path_make_canonical_one("/dev/tty");
-        if (is_device_node("/run/systemd/inaccessible/chr") > 0) {
+        if (is_device_node("/run/systemd/inaccessible/blk") > 0) {
                test_device_path_make_canonical_one("/run/systemd/inaccessible/chr");
                test_device_path_make_canonical_one("/run/systemd/inaccessible/blk");
        }
--- a/tools/make-man-index.py
+++ b/tools/make-man-index.py
@ -55,7 +55,8 @@ def make_index(pages):
        check_id(p, t)
        section = t.find('./refmeta/manvolnum').text
        refname = t.find('./refnamediv/refname').text
-        purpose = ' '.join(t.find('./refnamediv/refpurpose').text.split())
+        purpose_text = ' '.join(t.find('./refnamediv/refpurpose').itertext())
        purpose = ' '.join(purpose_text.split())
        for f in t.findall('./refnamediv/refname'):
            infos = (f.text, section, purpose, refname)
            index[f.text[0].upper()].append(infos)
Author	SHA1	Message	Date
Lennart Poettering	5b5ce6298e	test: accept that char device 0/0 can now be created witout privileges Fixes: #16721	2020-08-17 19:28:32 +02:00
Grant Mathews	340e1933c4	hwdb: ACCEL_MOUNT_MATRIX quirk for Acer SP111-32*	2020-08-17 18:57:53 +02:00
Lennart Poettering	ceffbc584d	socket-netlink: make address argument const	2020-08-17 18:56:42 +02:00
Lennart Poettering	d296c20f1f	man: move 'files' module in NSS 'hosts:' line before myhostname I am pretty sure /etc/hosts (i.e. an explicitly configured, local, trusted database) should be useful for overriding the automatic myhostname logic. resolved's internal logic handles it that way and hence we should suggest it in the NSS fallback line, too. Let's also bring the factory file back into sync with what the docs say. And update the prose a bit too, to actually match what we recommend.	2020-08-17 18:55:59 +02:00
Haochen Tong	f331733645	tools/make-man-index: fix purpose text that contains tags	2020-08-17 18:32:51 +02:00
Topi Miettinen	209650b720	test-fs-util: skip encrypted path test if we get EACCES Unprivileged test-fs-util fails on my system since /sys/dev/block is inaccessible for unprivileged users, so let's skip encrypted path test if we get EACCES or similar.	2020-08-17 18:30:24 +02:00