Compare commits
12 Commits
c2892a244c
...
a4df0c004a
Author | SHA1 | Date |
---|---|---|
Zbigniew Jędrzejewski-Szmek | a4df0c004a | |
brainrom | 1fbeddebb1 | |
Zbigniew Jędrzejewski-Szmek | 2eecdd1d69 | |
Wen Yang | abac810b96 | |
Anita Zhang | 174fff9acf | |
Anita Zhang | e3897c1aff | |
Lennart Poettering | df778749b4 | |
Lennart Poettering | 1f894e682c | |
Lennart Poettering | 4428c49db9 | |
Lennart Poettering | 3196e42393 | |
Zbigniew Jędrzejewski-Szmek | b4eaa6cc99 | |
Zbigniew Jędrzejewski-Szmek | 6da432fd54 |
|
@ -381,11 +381,17 @@ sensor:modalias:acpi:BMA250*:dmi:*:bvritWORKS.G.WI71C.JGBMRB*:*:svnInsyde:pni71c
|
||||||
ACCEL_MOUNT_MATRIX=0, 1, 0; 1, 0, 0; 0, 0, 1
|
ACCEL_MOUNT_MATRIX=0, 1, 0; 1, 0, 0; 0, 0, 1
|
||||||
|
|
||||||
#########################################
|
#########################################
|
||||||
# Irbis TW90
|
# Irbis
|
||||||
#########################################
|
#########################################
|
||||||
|
|
||||||
|
#TW90
|
||||||
sensor:modalias:acpi:BOSC0200*:dmi:*:svnIRBIS:pnTW90:*
|
sensor:modalias:acpi:BOSC0200*:dmi:*:svnIRBIS:pnTW90:*
|
||||||
ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
|
ACCEL_MOUNT_MATRIX=0, 1, 0; -1, 0, 0; 0, 0, 1
|
||||||
|
|
||||||
|
#TW118
|
||||||
|
sensor:modalias:acpi:BOSC0200*:dmi:*:svnIRBIS:pnTW118:*
|
||||||
|
ACCEL_MOUNT_MATRIX=1, 0, 0; 0, -1, 0; 0, 0, 1
|
||||||
|
|
||||||
#########################################
|
#########################################
|
||||||
# iOTA 360
|
# iOTA 360
|
||||||
#########################################
|
#########################################
|
||||||
|
|
|
@ -172,6 +172,11 @@
|
||||||
<entry><varname>proot</varname></entry>
|
<entry><varname>proot</varname></entry>
|
||||||
<entry><ulink url="https://proot-me.github.io/">proot</ulink> userspace chroot/bind mount emulation</entry>
|
<entry><ulink url="https://proot-me.github.io/">proot</ulink> userspace chroot/bind mount emulation</entry>
|
||||||
</row>
|
</row>
|
||||||
|
|
||||||
|
<row>
|
||||||
|
<entry><varname>pouch</varname></entry>
|
||||||
|
<entry><ulink url="https://github.com/alibaba/pouch">Pouch</ulink> Container Engine</entry>
|
||||||
|
</row>
|
||||||
</tbody>
|
</tbody>
|
||||||
</tgroup>
|
</tgroup>
|
||||||
</table>
|
</table>
|
||||||
|
|
|
@ -1169,6 +1169,7 @@
|
||||||
<literal>rkt</literal>,
|
<literal>rkt</literal>,
|
||||||
<literal>wsl</literal>,
|
<literal>wsl</literal>,
|
||||||
<literal>proot</literal>,
|
<literal>proot</literal>,
|
||||||
|
<literal>pouch</literal>,
|
||||||
<literal>acrn</literal> to test
|
<literal>acrn</literal> to test
|
||||||
against a specific implementation, or
|
against a specific implementation, or
|
||||||
<literal>private-users</literal> to check whether we are running in a user namespace. See
|
<literal>private-users</literal> to check whether we are running in a user namespace. See
|
||||||
|
|
|
@ -27,7 +27,7 @@ int xdg_user_runtime_dir(char **ret, const char *suffix) {
|
||||||
if (!e)
|
if (!e)
|
||||||
return -ENXIO;
|
return -ENXIO;
|
||||||
|
|
||||||
j = strjoin(e, suffix);
|
j = path_join(e, suffix);
|
||||||
if (!j)
|
if (!j)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
||||||
|
@ -44,7 +44,7 @@ int xdg_user_config_dir(char **ret, const char *suffix) {
|
||||||
|
|
||||||
e = getenv("XDG_CONFIG_HOME");
|
e = getenv("XDG_CONFIG_HOME");
|
||||||
if (e)
|
if (e)
|
||||||
j = strjoin(e, suffix);
|
j = path_join(e, suffix);
|
||||||
else {
|
else {
|
||||||
_cleanup_free_ char *home = NULL;
|
_cleanup_free_ char *home = NULL;
|
||||||
|
|
||||||
|
@ -52,7 +52,7 @@ int xdg_user_config_dir(char **ret, const char *suffix) {
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
j = strjoin(home, "/.config", suffix);
|
j = path_join(home, "/.config", suffix);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (!j)
|
if (!j)
|
||||||
|
@ -76,7 +76,7 @@ int xdg_user_data_dir(char **ret, const char *suffix) {
|
||||||
|
|
||||||
e = getenv("XDG_DATA_HOME");
|
e = getenv("XDG_DATA_HOME");
|
||||||
if (e)
|
if (e)
|
||||||
j = strjoin(e, suffix);
|
j = path_join(e, suffix);
|
||||||
else {
|
else {
|
||||||
_cleanup_free_ char *home = NULL;
|
_cleanup_free_ char *home = NULL;
|
||||||
|
|
||||||
|
@ -84,7 +84,7 @@ int xdg_user_data_dir(char **ret, const char *suffix) {
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
j = strjoin(home, "/.local/share", suffix);
|
j = path_join(home, "/.local/share", suffix);
|
||||||
}
|
}
|
||||||
if (!j)
|
if (!j)
|
||||||
return -ENOMEM;
|
return -ENOMEM;
|
||||||
|
|
|
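Review bot: None of the three getenv() branches checks that `$XDG_RUNTIME_DIR`, `$XDG_CONFIG_HOME` or `$XDG_DATA_HOME` holds an absolute path before the value is handed to path_join(), so a relative value (which the XDG Base Directory spec asks implementations to treat as invalid and ignore) silently produces a relative result; the strjoin()→path_join() switch does not change that, and the visible `if (!e) return -ENXIO;` only covers the unset case. For the config/data functions something like `if (e && !path_is_absolute(e)) e = NULL;` would make the `$HOME` fallback take over, and the runtime-dir function could return -ENXIO for a relative value; whether path_is_absolute() is already in scope in this file I cannot tell from the hunks. Each of the three enclosing functions starts before and ends after its shown hunks.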
@ -442,6 +442,7 @@ static const char *const container_table[_VIRTUALIZATION_MAX] = {
|
||||||
[VIRTUALIZATION_RKT] = "rkt",
|
[VIRTUALIZATION_RKT] = "rkt",
|
||||||
[VIRTUALIZATION_WSL] = "wsl",
|
[VIRTUALIZATION_WSL] = "wsl",
|
||||||
[VIRTUALIZATION_PROOT] = "proot",
|
[VIRTUALIZATION_PROOT] = "proot",
|
||||||
|
[VIRTUALIZATION_POUCH] = "pouch",
|
||||||
};
|
};
|
||||||
|
|
||||||
DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(container, int);
|
DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(container, int);
|
||||||
|
@ -679,6 +680,7 @@ static const char *const virtualization_table[_VIRTUALIZATION_MAX] = {
|
||||||
[VIRTUALIZATION_RKT] = "rkt",
|
[VIRTUALIZATION_RKT] = "rkt",
|
||||||
[VIRTUALIZATION_WSL] = "wsl",
|
[VIRTUALIZATION_WSL] = "wsl",
|
||||||
[VIRTUALIZATION_PROOT] = "proot",
|
[VIRTUALIZATION_PROOT] = "proot",
|
||||||
|
[VIRTUALIZATION_POUCH] = "pouch",
|
||||||
[VIRTUALIZATION_CONTAINER_OTHER] = "container-other",
|
[VIRTUALIZATION_CONTAINER_OTHER] = "container-other",
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
|
@ -35,6 +35,7 @@ enum {
|
||||||
VIRTUALIZATION_RKT,
|
VIRTUALIZATION_RKT,
|
||||||
VIRTUALIZATION_WSL,
|
VIRTUALIZATION_WSL,
|
||||||
VIRTUALIZATION_PROOT,
|
VIRTUALIZATION_PROOT,
|
||||||
|
VIRTUALIZATION_POUCH,
|
||||||
VIRTUALIZATION_CONTAINER_OTHER,
|
VIRTUALIZATION_CONTAINER_OTHER,
|
||||||
VIRTUALIZATION_CONTAINER_LAST = VIRTUALIZATION_CONTAINER_OTHER,
|
VIRTUALIZATION_CONTAINER_LAST = VIRTUALIZATION_CONTAINER_OTHER,
|
||||||
|
|
||||||
|
|
|
@ -44,7 +44,7 @@ static int generate_machine_id(const char *root, sd_id128_t *ret) {
|
||||||
fd = safe_close(fd);
|
fd = safe_close(fd);
|
||||||
}
|
}
|
||||||
|
|
||||||
if (isempty(root)) {
|
if (isempty(root) && running_in_chroot() <= 0) {
|
||||||
/* If that didn't work, see if we are running in a container,
|
/* If that didn't work, see if we are running in a container,
|
||||||
* and a machine ID was passed in via $container_uuid the way
|
* and a machine ID was passed in via $container_uuid the way
|
||||||
* libvirt/LXC does it */
|
* libvirt/LXC does it */
|
||||||
|
|
|
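Review bot: The new `running_in_chroot() <= 0` condition folds a failure of running_in_chroot() (a negative return) into the "not in a chroot" case, so an error there still lets `$container_uuid` be consulted; that may well be intended, but the comment immediately below still describes only the container case and says nothing about chroots. I would extend it, e.g. `/* ... but only if we are not in a chroot, where $container_uuid would belong to the host; a failing chroot check is treated as "not chrooted" */`. If treating errors as not-chrooted is not the intent, `running_in_chroot() == 0` is the stricter form. generate_machine_id() continues outside the hunk.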
@ -2653,6 +2653,31 @@ int main(int argc, char *argv[]) {
|
||||||
goto finish;
|
goto finish;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/* Try to figure out if we can use colors with the console. No need to do that for user instances since
|
||||||
|
* they never log into the console. */
|
||||||
|
log_show_color(colors_enabled());
|
||||||
|
|
||||||
|
r = make_null_stdio();
|
||||||
|
if (r < 0)
|
||||||
|
log_warning_errno(r, "Failed to redirect standard streams to /dev/null, ignoring: %m");
|
||||||
|
|
||||||
|
/* Load the kernel modules early. */
|
||||||
|
if (!skip_setup)
|
||||||
|
kmod_setup();
|
||||||
|
|
||||||
|
/* Mount /proc, /sys and friends, so that /proc/cmdline and /proc/$PID/fd is available. */
|
||||||
|
r = mount_setup(loaded_policy, skip_setup);
|
||||||
|
if (r < 0) {
|
||||||
|
error_message = "Failed to mount API filesystems";
|
||||||
|
goto finish;
|
||||||
|
}
|
||||||
|
|
||||||
|
/* The efivarfs is now mounted, let's read the random seed off it */
|
||||||
|
(void) efi_take_random_seed();
|
||||||
|
|
||||||
|
/* Cache command-line options passed from EFI variables */
|
||||||
|
if (!skip_setup)
|
||||||
|
(void) cache_efi_options_variable();
|
||||||
} else {
|
} else {
|
||||||
/* Running as user instance */
|
/* Running as user instance */
|
||||||
arg_system = false;
|
arg_system = false;
|
||||||
|
@ -2668,37 +2693,6 @@ int main(int argc, char *argv[]) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
if (arg_system) {
|
|
||||||
/* Try to figure out if we can use colors with the console. No need to do that for user instances since
|
|
||||||
* they never log into the console. */
|
|
||||||
log_show_color(colors_enabled());
|
|
||||||
|
|
||||||
r = make_null_stdio();
|
|
||||||
if (r < 0)
|
|
||||||
log_warning_errno(r, "Failed to redirect standard streams to /dev/null, ignoring: %m");
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Mount /proc, /sys and friends, so that /proc/cmdline and /proc/$PID/fd is available. */
|
|
||||||
if (getpid_cached() == 1) {
|
|
||||||
|
|
||||||
/* Load the kernel modules early. */
|
|
||||||
if (!skip_setup)
|
|
||||||
kmod_setup();
|
|
||||||
|
|
||||||
r = mount_setup(loaded_policy, skip_setup);
|
|
||||||
if (r < 0) {
|
|
||||||
error_message = "Failed to mount API filesystems";
|
|
||||||
goto finish;
|
|
||||||
}
|
|
||||||
|
|
||||||
/* The efivarfs is now mounted, let's read the random seed off it */
|
|
||||||
(void) efi_take_random_seed();
|
|
||||||
|
|
||||||
/* Cache command-line options passed from EFI variables */
|
|
||||||
if (!skip_setup)
|
|
||||||
(void) cache_efi_options_variable();
|
|
||||||
}
|
|
||||||
|
|
||||||
/* Save the original RLIMIT_NOFILE/RLIMIT_MEMLOCK so that we can reset it later when
|
/* Save the original RLIMIT_NOFILE/RLIMIT_MEMLOCK so that we can reset it later when
|
||||||
* transitioning from the initrd to the main systemd or suchlike. */
|
* transitioning from the initrd to the main systemd or suchlike. */
|
||||||
save_rlimits(&saved_rlimit_nofile, &saved_rlimit_memlock);
|
save_rlimits(&saved_rlimit_nofile, &saved_rlimit_memlock);
|
||||||
|
|
|
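Review bot: kmod_setup() and mount_setup() lose their own `if (getpid_cached() == 1)` guard (the removed lines in the second hunk) and in the first hunk rely instead on the enclosing branch, whose condition starts before the hunk; the visible `} else { /* Running as user instance */` only shows that it is the system-instance side. If that branch is entered on `arg_system` alone, mount_setup() and kmod_setup() would now also run for a non-PID-1 `--system` invocation, which the old guard prevented, so a one-line comment at the top of the moved block such as `/* We are PID 1 here (see the branch condition above), so load modules and mount the API filesystems. */` would pin the assumption for the next reader. The same question applies to make_null_stdio() and log_show_color(), which previously ran for every system instance and are now tied to whatever that branch condition is. main() starts and ends outside both hunks.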
@ -480,7 +480,7 @@ static int relabel_extra(void) {
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
int mount_setup(bool loaded_policy, bool leave_propagation) {
|
int mount_setup(bool loaded_policy, bool leave_propagation) {
|
||||||
int r = 0;
|
int r;
|
||||||
|
|
||||||
r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy);
|
r = mount_points_setup(ELEMENTSOF(mount_table), loaded_policy);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
|
|
|
@ -3,4 +3,4 @@
|
||||||
|
|
||||||
#include <sys/types.h>
|
#include <sys/types.h>
|
||||||
|
|
||||||
int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_ist, char **syscall_deny_list);
|
int setup_seccomp(uint64_t cap_list_retain, char **syscall_allow_list, char **syscall_deny_list);
|
||||||
|
|
|
@ -187,7 +187,7 @@ int seccomp_arch_from_string(const char *n, uint32_t *ret) {
|
||||||
}
|
}
|
||||||
|
|
||||||
int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_action) {
|
int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_action) {
|
||||||
scmp_filter_ctx seccomp;
|
_cleanup_(seccomp_releasep) scmp_filter_ctx seccomp = NULL;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
/* Much like seccomp_init(), but initializes the filter for one specific architecture only, without affecting
|
/* Much like seccomp_init(), but initializes the filter for one specific architecture only, without affecting
|
||||||
|
@ -202,11 +202,11 @@ int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_
|
||||||
|
|
||||||
r = seccomp_arch_remove(seccomp, seccomp_arch_native());
|
r = seccomp_arch_remove(seccomp, seccomp_arch_native());
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto finish;
|
return r;
|
||||||
|
|
||||||
r = seccomp_arch_add(seccomp, arch);
|
r = seccomp_arch_add(seccomp, arch);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto finish;
|
return r;
|
||||||
|
|
||||||
assert(seccomp_arch_exist(seccomp, arch) >= 0);
|
assert(seccomp_arch_exist(seccomp, arch) >= 0);
|
||||||
assert(seccomp_arch_exist(seccomp, SCMP_ARCH_NATIVE) == -EEXIST);
|
assert(seccomp_arch_exist(seccomp, SCMP_ARCH_NATIVE) == -EEXIST);
|
||||||
|
@ -218,18 +218,14 @@ int seccomp_init_for_arch(scmp_filter_ctx *ret, uint32_t arch, uint32_t default_
|
||||||
|
|
||||||
r = seccomp_attr_set(seccomp, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_ALLOW);
|
r = seccomp_attr_set(seccomp, SCMP_FLTATR_ACT_BADARCH, SCMP_ACT_ALLOW);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto finish;
|
return r;
|
||||||
|
|
||||||
r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
|
r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto finish;
|
return r;
|
||||||
|
|
||||||
*ret = seccomp;
|
*ret = TAKE_PTR(seccomp);
|
||||||
return 0;
|
return 0;
|
||||||
|
|
||||||
finish:
|
|
||||||
seccomp_release(seccomp);
|
|
||||||
return r;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
static bool is_basic_seccomp_available(void) {
|
static bool is_basic_seccomp_available(void) {
|
||||||
|
@ -387,7 +383,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||||
"pidfd_getfd\0"
|
"pidfd_getfd\0"
|
||||||
"ptrace\0"
|
"ptrace\0"
|
||||||
"rtas\0"
|
"rtas\0"
|
||||||
#ifdef __NR_s390_runtime_instr
|
#if defined __s390__ || defined __s390x__
|
||||||
"s390_runtime_instr\0"
|
"s390_runtime_instr\0"
|
||||||
#endif
|
#endif
|
||||||
"sys_debug_setcontext\0"
|
"sys_debug_setcontext\0"
|
||||||
|
@ -464,9 +460,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||||
"stat64\0"
|
"stat64\0"
|
||||||
"statfs\0"
|
"statfs\0"
|
||||||
"statfs64\0"
|
"statfs64\0"
|
||||||
#ifdef __NR_statx
|
|
||||||
"statx\0"
|
"statx\0"
|
||||||
#endif
|
|
||||||
"symlink\0"
|
"symlink\0"
|
||||||
"symlinkat\0"
|
"symlinkat\0"
|
||||||
"truncate\0"
|
"truncate\0"
|
||||||
|
@ -712,10 +706,8 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
|
||||||
"pciconfig_iobase\0"
|
"pciconfig_iobase\0"
|
||||||
"pciconfig_read\0"
|
"pciconfig_read\0"
|
||||||
"pciconfig_write\0"
|
"pciconfig_write\0"
|
||||||
#ifdef __NR_s390_pci_mmio_read
|
#if defined __s390__ || defined __s390x__
|
||||||
"s390_pci_mmio_read\0"
|
"s390_pci_mmio_read\0"
|
||||||
#endif
|
|
||||||
#ifdef __NR_s390_pci_mmio_write
|
|
||||||
"s390_pci_mmio_write\0"
|
"s390_pci_mmio_write\0"
|
||||||
#endif
|
#endif
|
||||||
},
|
},
|
||||||
|
|
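Review bot: The `#ifdef __NR_statx` guard is dropped while the s390 entries keep a guard, now as `#if defined __s390__ || defined __s390x__`, and the two approaches sit side by side without explanation. If, as the statx change implies, names libseccomp cannot resolve on the build architecture are skipped rather than fatal when a set is applied (that logic is outside the hunks), the s390 guards exist only to avoid such skips on other architectures, and a comment saying so would stop the next reader from "fixing" the inconsistency either way, e.g. `/* Only listed on s390: elsewhere the name does not resolve and would just be skipped. */`. In seccomp_init_for_arch() the `_cleanup_(seccomp_releasep)` conversion is correct only if seccomp_releasep tolerates a NULL context on the early-return paths between the two shown hunks, which I cannot confirm from here.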