


Zbigniew Jędrzejewski-Szmek a4df0c004a
Merge pull request #16782 from keszybz/seccomp-use-cleanup
Use less ifdeffery around syscall names and _cleanup_ in one more place
2020-08-20 10:27:55 +02:00
brainrom 1fbeddebb1
hwdb: ACCEL_MOUNT_MATRIX for Irbis TW118 (#16786)
This was required to get the orientation sensor to work properly in my tablet.
2020-08-20 10:23:35 +02:00
Zbigniew Jędrzejewski-Szmek 2eecdd1d69
Merge pull request #16790 from poettering/core-if-block-merge
core: merge a few if blocks
2020-08-20 10:15:01 +02:00
Wen Yang abac810b96 basic/virt: treat "pouch" as a container type (id: pouch) 2020-08-20 09:48:13 +02:00
Anita Zhang 174fff9acf
Merge pull request #16792 from poettering/machine-id-chroot
machine-id-setup: don't use KVM or container manager supplied uuid if…
2020-08-19 23:21:56 -07:00
Anita Zhang e3897c1aff
Merge pull request #16793 from poettering/path-join-more
path-lookup: path_join() all the things!
2020-08-19 23:12:50 -07:00
Lennart Poettering df778749b4 path-lookup: path_join() all the things!
When we talk about paths, better use path_join(), who knows what callers
pass to us, i.e. prefixed with "/" or not.
2020-08-19 18:28:39 +02:00
Lennart Poettering 1f894e682c machine-id-setup: don't use KVM or container manager supplied uuid if in chroot env
Fixes: #16758
2020-08-19 18:23:11 +02:00
Lennart Poettering 4428c49db9 mount-setup: drop pointless zero initialization 2020-08-19 18:11:00 +02:00
Lennart Poettering 3196e42393 core: merge a few if blocks
arg_system == true and getpid() == 1 hold under the very same condition
this early in the main() function (this only changes later when we start
parsing command lines, where arg_system = true is set if users invoke us
in test mode even when getpid() != 1).

Hence, let's simplify things, and merge a couple of if branches and not
pretend they were orthogonal.
2020-08-19 18:06:12 +02:00
Zbigniew Jędrzejewski-Szmek b4eaa6cc99 shared/seccomp: use _cleanup_ in one more place
(cherry picked from commit 27605d6a836d85563faf41db9f7a72883d44c0ff)
2020-08-19 10:57:30 +02:00
Zbigniew Jędrzejewski-Szmek 6da432fd54 shared/seccomp: do not use ifdef guards around textual syscall names
It is possible that we will be running with an upgraded libseccomp, in which
case libseccomp might know the syscall name, even if the number is not known at
the time when systemd is being compiled. The guard only serves to break such
upgrades, by requiring that we also recompile systemd.

For s390-specific syscalls, use a define to exclude them, so that we don't
try to filter them on other arches.

(cherry picked from commit 6cf852e79eb0eced2f77653941f9c75c3bd79386)
2020-08-19 10:57:18 +02:00
11 changed files with 57 additions and 56 deletions


@ -381,11 +381,17 @@ sensor:modalias:acpi:BMA250*:dmi:*:bvritWORKS.G.WI71C.JGBMRB*:*:svnInsyde:pni71c
ACCEL_MOUNT_MATRIX=0, 1, 0; 1, 0, 0; 0, 0, 1 ACCEL_MOUNT_MATRIX=0, 1, 0; 1, 0, 0; 0, 0, 1
######################################### #########################################
# Irbis TW90 # Irbis
######################################### #########################################
#TW90
sensor:modalias:acpi:BOSC0200*:dmi:*:svnIRBIS:pnTW90:* sensor:modalias:acpi:BOSC0200*:dmi:*:svnIRBIS:pnTW90:*
ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1 ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
#TW118
sensor:modalias:acpi:BOSC0200*:dmi:*:svnIRBIS:pnTW118:*
ACCEL_MOUNT_MATRIX=1, 0, 0; 0, -1, 0; 0, 0, 1
######################################### #########################################
# iOTA 360 # iOTA 360
######################################### #########################################


@ -172,6 +172,11 @@
<entry><varname>proot</varname></entry> <entry><varname>proot</varname></entry>
<entry><ulink url="https://proot-me.github.io/">proot</ulink> userspace chroot/bind mount emulation</entry> <entry><ulink url="https://proot-me.github.io/">proot</ulink> userspace chroot/bind mount emulation</entry>
</row> </row>
<row>
<entry><varname>pouch</varname></entry>
<entry><ulink url="https://github.com/alibaba/pouch">Pouch</ulink> Container Engine</entry>
</row>
</tbody> </tbody>
</tgroup> </tgroup>
</table> </table>


@ -1169,6 +1169,7 @@
<literal>rkt</literal>, <literal>rkt</literal>,
<literal>wsl</literal>, <literal>wsl</literal>,
<literal>proot</literal>, <literal>proot</literal>,
<literal>pouch</literal>,
<literal>acrn</literal> to test <literal>acrn</literal> to test
against a specific implementation, or against a specific implementation, or
<literal>private-users</literal> to check whether we are running in a user namespace. See <literal>private-users</literal> to check whether we are running in a user namespace. See


@ -27,7 +27,7 @@ int xdg_user_runtime_dir(char **ret, const char *suffix) {
if (!e) if (!e)
return -ENXIO; return -ENXIO;
j = strjoin(e, suffix); j = path_join(e, suffix);
if (!j) if (!j)
return -ENOMEM; return -ENOMEM;
@ -44,7 +44,7 @@ int xdg_user_config_dir(char **ret, const char *suffix) {
e = getenv("XDG_CONFIG_HOME"); e = getenv("XDG_CONFIG_HOME");
if (e) if (e)
j = strjoin(e, suffix); j = path_join(e, suffix);
else { else {
_cleanup_free_ char *home = NULL; _cleanup_free_ char *home = NULL;
@ -52,7 +52,7 @@ int xdg_user_config_dir(char **ret, const char *suffix) {
if (r < 0) if (r < 0)
return r; return r;
j = strjoin(home, "/.config", suffix); j = path_join(home, "/.config", suffix);
} }
if (!j) if (!j)
@ -76,7 +76,7 @@ int xdg_user_data_dir(char **ret, const char *suffix) {
e = getenv("XDG_DATA_HOME"); e = getenv("XDG_DATA_HOME");
if (e) if (e)
j = strjoin(e, suffix); j = path_join(e, suffix);
else { else {
_cleanup_free_ char *home = NULL; _cleanup_free_ char *home = NULL;
@ -84,7 +84,7 @@ int xdg_user_data_dir(char **ret, const char *suffix) {
if (r < 0) if (r < 0)
return r; return r;
j = strjoin(home, "/.local/share", suffix); j = path_join(home, "/.local/share", suffix);
} }
if (!j) if (!j)
return -ENOMEM; return -ENOMEM;
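Review bot: The switch to path_join() on the XDG_RUNTIME_DIR branch still lets an empty or relative value of the environment variable through, since the only guard visible is `if (!e) return -ENXIO;` on line 107. path_join() fixes the missing separator but does not make the result absolute, so a caller that treats the returned path as a trusted absolute location (socket directories, lock files) would end up with a path relative to the current working directory. If that is not intended, tighten the guard to `if (isempty(e) || !path_is_absolute(e)) return -ENXIO;` — the XDG Base Directory spec requires these variables to be absolute and says relative values should be ignored. The same consideration applies to XDG_CONFIG_HOME and XDG_DATA_HOME on lines 113 and 125, where the HOME fallback only kicks in when the variable is unset, not when it is empty or relative. xdg_user_runtime_dir() starts outside the hunk, so the assignment of `e` is not visible here.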


@ -442,6 +442,7 @@ static const char *const container_table[_VIRTUALIZATION_MAX] = {
[VIRTUALIZATION_RKT] = "rkt", [VIRTUALIZATION_RKT] = "rkt",
[VIRTUALIZATION_WSL] = "wsl", [VIRTUALIZATION_WSL] = "wsl",
[VIRTUALIZATION_PROOT] = "proot", [VIRTUALIZATION_PROOT] = "proot",
[VIRTUALIZATION_POUCH] = "pouch",
}; };
DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(container, int); DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(container, int);
@ -679,6 +680,7 @@ static const char *const virtualization_table[_VIRTUALIZATION_MAX] = {
[VIRTUALIZATION_RKT] = "rkt", [VIRTUALIZATION_RKT] = "rkt",
[VIRTUALIZATION_WSL] = "wsl", [VIRTUALIZATION_WSL] = "wsl",
[VIRTUALIZATION_PROOT] = "proot", [VIRTUALIZATION_PROOT] = "proot",
[VIRTUALIZATION_POUCH] = "pouch",
[VIRTUALIZATION_CONTAINER_OTHER] = "container-other", [VIRTUALIZATION_CONTAINER_OTHER] = "container-other",
}; };


@ -35,6 +35,7 @@ enum {
VIRTUALIZATION_RKT, VIRTUALIZATION_RKT,
VIRTUALIZATION_WSL, VIRTUALIZATION_WSL,
VIRTUALIZATION_PROOT, VIRTUALIZATION_PROOT,
VIRTUALIZATION_POUCH,
VIRTUALIZATION_CONTAINER_OTHER, VIRTUALIZATION_CONTAINER_OTHER,
VIRTUALIZATION_CONTAINER_LAST = VIRTUALIZATION_CONTAINER_OTHER, VIRTUALIZATION_CONTAINER_LAST = VIRTUALIZATION_CONTAINER_OTHER,


@ -44,7 +44,7 @@ static int generate_machine_id(const char *root, sd_id128_t *ret) {
fd = safe_close(fd); fd = safe_close(fd);
} }
if (isempty(root)) { if (isempty(root) && running_in_chroot() <= 0) {
/* If that didn't work, see if we are running in a container, /* If that didn't work, see if we are running in a container,
* and a machine ID was passed in via $container_uuid the way * and a machine ID was passed in via $container_uuid the way
* libvirt/LXC does it */ * libvirt/LXC does it */
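Review bot: The new guard `running_in_chroot() <= 0` folds a detection error (a negative return) into "not in a chroot", so when the check fails the code still goes on to consume the container-manager-supplied $container_uuid that this commit is trying to keep out of chroot environments. The conservative reading of the fix is to require a definite answer, `if (isempty(root) && running_in_chroot() == 0) {`, so that a failed check falls through to whatever fresh-ID generation follows; minting a random ID on error is harmless, while importing a foreign UUID into an image is exactly the bug being fixed. If tolerating errors here is deliberate, a short comment saying so would help, because `<= 0` reads like an oversight next to a boolean-style predicate. generate_machine_id() begins and ends outside the hunk, so the fallback path after this block is not visible.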


@ -2653,6 +2653,31 @@ int main(int argc, char *argv[]) {
goto finish; goto finish;
} }
/* Try to figure out if we can use colors with the console. No need to do that for user instances since
* they never log into the console. */
log_show_color(colors_enabled());
r = make_null_stdio();
if (r < 0)
log_warning_errno(r, "Failed to redirect standard streams to /dev/null, ignoring: %m");
/* Load the kernel modules early. */
if (!skip_setup)
kmod_setup();
/* Mount /proc, /sys and friends, so that /proc/cmdline and /proc/$PID/fd is available. */
r = mount_setup(loaded_policy, skip_setup);
if (r < 0) {
error_message = "Failed to mount API filesystems";
goto finish;
}
/* The efivarfs is now mounted, let's read the random seed off it */
(void) efi_take_random_seed();
/* Cache command-line options passed from EFI variables */
if (!skip_setup)
(void) cache_efi_options_variable();
} else { } else {
/* Running as user instance */ /* Running as user instance */
arg_system = false; arg_system = false;
@ -2668,37 +2693,6 @@ int main(int argc, char *argv[]) {
} }
} }
if (arg_system) {
/* Try to figure out if we can use colors with the console. No need to do that for user instances since
* they never log into the console. */
log_show_color(colors_enabled());
r = make_null_stdio();
if (r < 0)
log_warning_errno(r, "Failed to redirect standard streams to /dev/null, ignoring: %m");
}
/* Mount /proc, /sys and friends, so that /proc/cmdline and /proc/$PID/fd is available. */
if (getpid_cached() == 1) {
/* Load the kernel modules early. */
if (!skip_setup)
kmod_setup();
r = mount_setup(loaded_policy, skip_setup);
if (r < 0) {
error_message = "Failed to mount API filesystems";
goto finish;
}
/* The efivarfs is now mounted, let's read the random seed off it */
(void) efi_take_random_seed();
/* Cache command-line options passed from EFI variables */
if (!skip_setup)
(void) cache_efi_options_variable();
}
/* Save the original RLIMIT_NOFILE/RLIMIT_MEMLOCK so that we can reset it later when /* Save the original RLIMIT_NOFILE/RLIMIT_MEMLOCK so that we can reset it later when
* transitioning from the initrd to the main systemd or suchlike. */ * transitioning from the initrd to the main systemd or suchlike. */
save_rlimits(&saved_rlimit_nofile, &saved_rlimit_memlock); save_rlimits(&saved_rlimit_nofile, &saved_rlimit_memlock);
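Review bot: The relocated kmod_setup()/mount_setup()/efi_take_random_seed() calls now run under the `arg_system` branch instead of the explicit `getpid_cached() == 1` test they had before, and nothing in the code records why the two are equivalent; the justification lives only in the commit message. A later change that assigns arg_system earlier in main() would silently start loading kernel modules and mounting API filesystems from a non-PID-1 process, so a comment at the top of the moved block such as `/* At this point arg_system is true iff we are PID 1; test mode only sets arg_system later, during command line parsing. */` would pin the invariant, and, if the ordering stated in the commit message holds, an `assert(getpid_cached() == 1);` just before `kmod_setup()` would enforce it cheaply. The surrounding if/else and main() itself begin and end outside the hunk.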


@ -480,7 +480,7 @@ static int relabel_extra(void) {
#endif #endif
int mount_setup(bool loaded_policy, bool leave_propagation) { int mount_setup(bool loaded_policy, bool leave_propagation) {
int r = 0; int r;
r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy); r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy);
if (r < 0) if (r < 0)


@ -3,4 +3,4 @@
#include <sys/types.h> #include <sys/types.h>
int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_ist, char **syscall_deny_list); int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **syscall_deny_list);


@ -187,7 +187,7 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) {
} }
int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_action) { int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_action) {
scmp_filter_ctx seccomp; _cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
int r; int r;
/* Much like seccomp_init(), but initializes the filter for one specific architecture only, without affecting /* Much like seccomp_init(), but initializes the filter for one specific architecture only, without affecting
@ -202,11 +202,11 @@ int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_
r = seccomp_arch_remove(seccomp, seccomp_arch_native()); r = seccomp_arch_remove(seccomp, seccomp_arch_native());
if (r < 0) if (r < 0)
goto finish; return r;
r = seccomp_arch_add(seccomp, arch); r = seccomp_arch_add(seccomp, arch);
if (r < 0) if (r < 0)
goto finish; return r;
assert(seccomp_arch_exist(seccomp, arch) >= 0); assert(seccomp_arch_exist(seccomp, arch) >= 0);
assert(seccomp_arch_exist(seccomp, SCMP_ARCH_NATIVE) == -EEXIST); assert(seccomp_arch_exist(seccomp, SCMP_ARCH_NATIVE) == -EEXIST);
@ -218,18 +218,14 @@ int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_
r = seccomp_attr_set(seccomp, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_ALLOW); r = seccomp_attr_set(seccomp, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_ALLOW);
if (r < 0) if (r < 0)
goto finish; return r;
r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0); r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
if (r < 0) if (r < 0)
goto finish;
*ret = seccomp;
return 0;
finish:
seccomp_release(seccomp);
return r; return r;
*ret = TAKE_PTR(seccomp);
return 0;
} }
static bool is_basic_seccomp_available(void) { static bool is_basic_seccomp_available(void) {
@ -387,7 +383,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"pidfd_getfd\0" "pidfd_getfd\0"
"ptrace\0" "ptrace\0"
"rtas\0" "rtas\0"
#ifdef __NR_s390_runtime_instr #if defined __s390__ || defined __s390x__
"s390_runtime_instr\0" "s390_runtime_instr\0"
#endif #endif
"sys_debug_setcontext\0" "sys_debug_setcontext\0"
@ -464,9 +460,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"stat64\0" "stat64\0"
"statfs\0" "statfs\0"
"statfs64\0" "statfs64\0"
#ifdef __NR_statx
"statx\0" "statx\0"
#endif
"symlink\0" "symlink\0"
"symlinkat\0" "symlinkat\0"
"truncate\0" "truncate\0"
@ -712,10 +706,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
"pciconfig_iobase\0" "pciconfig_iobase\0"
"pciconfig_read\0" "pciconfig_read\0"
"pciconfig_write\0" "pciconfig_write\0"
#ifdef __NR_s390_pci_mmio_read #if defined __s390__ || defined __s390x__
"s390_pci_mmio_read\0" "s390_pci_mmio_read\0"
#endif
#ifdef __NR_s390_pci_mmio_write
"s390_pci_mmio_write\0" "s390_pci_mmio_write\0"
#endif #endif
}, },
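Review bot: Dropping the `#ifdef __NR_statx` and `__NR_s390_*` guards means names in these tables are no longer guaranteed to resolve against the libseccomp systemd is linked with, so correctness now rests on the filter loader (outside this hunk) skipping names seccomp_syscall_resolve_name() does not know rather than failing the whole set. That asymmetry deserves a line in the table's header comment: for allow-list use (SystemCallFilter=@file-system) an unresolved `statx` is fail-closed, but for a deny-list set such as @debug an unresolved name is fail-open, i.e. an older libseccomp silently leaves that syscall unfiltered, whereas the old compile-time guard at least made the gap visible in the build. A comment above the new `#if defined __s390__ || defined __s390x__` guards stating that they exclude s390-only names on other architectures, and not unknown-number cases, which are now deliberately left to libseccomp, would stop the next reader from "fixing" the apparent inconsistency with the unguarded names. If the loader logs unresolved names only at debug level, consider raising that to notice for deny-list sets so the gap is observable on systems running a mismatched libseccomp.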