Compare commits


23 Commits

Author SHA1 Message Date
Mike Yuan a52a7abaaf
Merge 18c36b1e24 into 0e44a351ea 2024-11-25 00:14:26 +00:00
Daan De Meyer 0e44a351ea mkosi: Make sure mkosi.clangd always runs on the host
If the editor that invokes mkosi.clangd is a flatpak, let's make sure
that mkosi is run on the host and not in the flatpak sandbox since it
won't be installed there.
2024-11-25 00:21:10 +01:00
Luca Boccassi 94eacb9329
Various mkosi and integration test fixes (#35336) 2024-11-24 18:10:03 +00:00
Daan De Meyer f458a60391 test: Lint integration-test-wrapper.py 2024-11-24 16:47:20 +01:00
Daan De Meyer ceca7c5005 test: Fix typing errors in integration-test-wrapper.py 2024-11-24 16:47:20 +01:00
Daan De Meyer 4f969b20b0 test: Format integration-test-wrapper.py 2024-11-24 16:47:20 +01:00
Daan De Meyer d6047d9fb5 ukify: Fix typing error 2024-11-24 16:47:20 +01:00
Daan De Meyer a2aacbfad5 Move mypy.ini and ruff.toml to top level
This allows reusing them for integration-test-wrapper.py as well.
2024-11-24 16:47:20 +01:00
Daan De Meyer 6d2fd490cf integration-test-wrapper: Remove unneeded format strings 2024-11-24 16:47:20 +01:00
Daan De Meyer c859b310ed mkosi: Add github CLI to tools 2024-11-24 16:47:20 +01:00
Daan De Meyer 51cd3dec2a mkosi: Add dnf and dnf5 to sanitizer workaround list 2024-11-24 16:47:20 +01:00
Daan De Meyer fdc4706850 mkosi: Install clangd everywhere 2024-11-24 16:47:20 +01:00
Daan De Meyer 506403f561 mkosi: Use bash to execute command -v
command is only an executable on Fedora due to a downstream patch,
on Arch for example it's only a builtin so we have to use bash to
execute command -v to get proper results on Arch.
2024-11-24 16:47:18 +01:00
Daan De Meyer 6fd5df6005 mkosi: Add shellcheck to tools 2024-11-24 16:47:04 +01:00
Daan De Meyer a197604af4 mkosi: update to latest 2024-11-24 16:47:04 +01:00
Mike Yuan 18c36b1e24
basic/cgroup-util: port cg_pidref_get_path() to pidfd_get_cgroupid() 2024-11-19 23:03:19 +01:00
Mike Yuan 43f08f534d
basic/cgroup-util: introduce generic cg_path_from_cgroupid() helper 2024-11-19 23:03:19 +01:00
Mike Yuan bcfcd1e5be
nsresourced: don't specify REMOVE_PHYSICAL, remove redundant safety check
Even without REMOVE_PHYSICAL, rm_rf() permits cgroupfs, hence
just delegate the safety check to that.
2024-11-19 23:03:12 +01:00
Mike Yuan 31865c9948
basic/pidfd-util: introduce pidfd_get_cgroupid() 2024-11-19 23:01:27 +01:00
Mike Yuan 30b1644d31
basic/pidref: move generic pidfd_get_inode_id() to pidfd-util
Prompted by 221d6e54c6
2024-11-19 22:55:53 +01:00
Mike Yuan 7ea32bf4a4
basic/pidfd: try to translate pidfd -> pid through ioctl(PIDFD_GET_INFO) 2024-11-19 22:55:38 +01:00
Mike Yuan 01c3b02427
basic: introduce missing_pidfd.h 2024-11-19 22:55:02 +01:00
Mike Yuan c5160a9e38
basic/process-util: extract pidfd-related funcs into pidfd-util.[ch] 2024-11-19 22:54:58 +01:00
28 changed files with 378 additions and 202 deletions


@ -37,7 +37,7 @@ jobs:
VALIDATE_GITHUB_ACTIONS: true VALIDATE_GITHUB_ACTIONS: true
- name: Check that tabs are not used in Python code - name: Check that tabs are not used in Python code
run: sh -c '! git grep -P "\\t" -- src/ukify/ukify.py' run: sh -c '! git grep -P "\\t" -- src/ukify/ukify.py test/integration-test-wrapper.py'
- name: Install ruff and mypy - name: Install ruff and mypy
run: | run: |
@ -47,14 +47,14 @@ jobs:
- name: Run mypy - name: Run mypy
run: | run: |
python3 -m mypy --version python3 -m mypy --version
python3 -m mypy src/ukify/ukify.py python3 -m mypy src/ukify/ukify.py test/integration-test-wrapper.py
- name: Run ruff check - name: Run ruff check
run: | run: |
ruff --version ruff --version
ruff check src/ukify/ukify.py ruff check src/ukify/ukify.py test/integration-test-wrapper.py
- name: Run ruff format - name: Run ruff format
run: | run: |
ruff --version ruff --version
ruff format --check src/ukify/ukify.py ruff format --check src/ukify/ukify.py test/integration-test-wrapper.py


@ -105,7 +105,7 @@ jobs:
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: systemd/mkosi@8976a0abb19221e65300222f2d33067970cca0f1 - uses: systemd/mkosi@0825cca8084674ec8fa27502134b1bc601f79e0c
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
# immediately, we remove the files in the background. However, we first move them to a different location # immediately, we remove the files in the background. However, we first move them to a different location


@ -1,12 +1,18 @@
#!/bin/bash #!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later # SPDX-License-Identifier: LGPL-2.1-or-later
MKOSI_CONFIG="$(mkosi --json summary | jq -r .Images[-1])" if command -v flatpak-spawn >/dev/null; then
SPAWN=(flatpak-spawn --host)
else
SPAWN=()
fi
MKOSI_CONFIG="$("${SPAWN[@]}" --host mkosi --json summary | jq -r .Images[-1])"
DISTRIBUTION="$(jq -r .Distribution <<< "$MKOSI_CONFIG")" DISTRIBUTION="$(jq -r .Distribution <<< "$MKOSI_CONFIG")"
RELEASE="$(jq -r .Release <<< "$MKOSI_CONFIG")" RELEASE="$(jq -r .Release <<< "$MKOSI_CONFIG")"
ARCH="$(jq -r .Architecture <<< "$MKOSI_CONFIG")" ARCH="$(jq -r .Architecture <<< "$MKOSI_CONFIG")"
exec mkosi \ exec "${SPAWN[@]}" mkosi \
--incremental=strict \ --incremental=strict \
--build-sources-ephemeral=no \ --build-sources-ephemeral=no \
--format=none \ --format=none \
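Review bot: The new `MKOSI_CONFIG=` line still passes a literal `--host` after `"${SPAWN[@]}"`, although the array already carries that flag. With flatpak-spawn present the flag is duplicated, and with the empty array the shell tries to run `--host` as the command, so the summary query fails on a plain host and the three `jq` lookups below work on empty input. The line should read `MKOSI_CONFIG="$("${SPAWN[@]}" mkosi --json summary | jq -r .Images[-1])"`, matching the `exec "${SPAWN[@]}" mkosi` line. Separately, `command -v flatpak-spawn` only shows that the helper is installed, not that the script is running inside a sandbox; a comment stating why that test is sufficient would help.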


@ -6,10 +6,12 @@ ToolsTreeDistribution=arch
[Build] [Build]
ToolsTreePackages= ToolsTreePackages=
cryptsetup cryptsetup
github-cli
libcap libcap
libmicrohttpd libmicrohttpd
python-jinja python-jinja
python-pytest python-pytest
ruff ruff
shellcheck
tpm2-tss tpm2-tss
util-linux-libs util-linux-libs


@ -16,3 +16,4 @@ ToolsTreePackages=
tpm2-tss-devel tpm2-tss-devel
python3-jinja2 python3-jinja2
python3-pytest python3-pytest
shellcheck


@ -6,6 +6,7 @@ ToolsTreeDistribution=|ubuntu
[Build] [Build]
ToolsTreePackages= ToolsTreePackages=
gh
libblkid-dev libblkid-dev
libcap-dev libcap-dev
libcryptsetup-dev libcryptsetup-dev
@ -16,3 +17,4 @@ ToolsTreePackages=
libtss2-dev libtss2-dev
python3-jinja2 python3-jinja2
python3-pytest python3-pytest
shellcheck


@ -5,4 +5,5 @@ ToolsTreeDistribution=fedora
[Build] [Build]
ToolsTreePackages= ToolsTreePackages=
gh
ruff ruff


@ -5,6 +5,7 @@ ToolsTreeDistribution=opensuse
[Build] [Build]
ToolsTreePackages= ToolsTreePackages=
gh
pkgconfig(blkid) pkgconfig(blkid)
pkgconfig(libcap) pkgconfig(libcap)
pkgconfig(libcryptsetup) pkgconfig(libcryptsetup)
@ -16,3 +17,4 @@ ToolsTreePackages=
tss2-devel tss2-devel
python3-jinja2 python3-jinja2
python3-pytest python3-pytest
ShellCheck


@ -13,6 +13,7 @@ Environment=
[Content] [Content]
Packages= Packages=
clang-devel
compiler-rt compiler-rt
gdb gdb
git-core git-core


@ -15,6 +15,7 @@ Environment=
[Content] [Content]
Packages= Packages=
apt apt
clangd
erofs-utils erofs-utils
git-core git-core
libclang-rt-dev libclang-rt-dev


@ -12,6 +12,7 @@ Environment=
[Content] [Content]
Packages= Packages=
clang
diffutils diffutils
erofs-utils erofs-utils
gcc-c++ gcc-c++


@ -57,6 +57,8 @@ wrap=(
delv delv
dhcpd dhcpd
dig dig
dnf
dnf5
dmsetup dmsetup
dnsmasq dnsmasq
findmnt findmnt
@ -93,7 +95,7 @@ wrap=(
) )
for bin in "${wrap[@]}"; do for bin in "${wrap[@]}"; do
if ! mkosi-chroot command -v "$bin" >/dev/null; then if ! mkosi-chroot bash -c "command -v $bin" >/dev/null; then
continue continue
fi fi
@ -103,7 +105,7 @@ for bin in "${wrap[@]}"; do
enable_lsan=0 enable_lsan=0
fi fi
target="$(mkosi-chroot command -v "$bin")" target="$(mkosi-chroot bash -c "command -v $bin")"
mv "$BUILDROOT/$target" "$BUILDROOT/$target.orig" mv "$BUILDROOT/$target" "$BUILDROOT/$target.orig"
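Review bot: Both new `bash -c "command -v $bin"` calls splice `$bin` into the script text, so the name is parsed by the inner shell instead of being passed as data. The `wrap` entries visible here are fixed literals, so this is a robustness point rather than an injection path, but passing the name as a positional argument keeps the quoting correct if the list ever gains an unusual entry: `mkosi-chroot bash -c 'command -v "$1"' bash "$bin"`. The same form applies to the `target=` assignment in the last hunk. The loop body continues past the end of the hunk.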


@ -28,6 +28,7 @@
#include "mkdir.h" #include "mkdir.h"
#include "parse-util.h" #include "parse-util.h"
#include "path-util.h" #include "path-util.h"
#include "pidfd-util.h"
#include "process-util.h" #include "process-util.h"
#include "set.h" #include "set.h"
#include "special.h" #include "special.h"
@ -72,6 +73,28 @@ int cg_cgroupid_open(int cgroupfs_fd, uint64_t id) {
return fd; return fd;
} }
int cg_path_from_cgroupid(int cgroupfs_fd, uint64_t id, char **ret) {
_cleanup_close_ int cgfd = -EBADF;
int r;
cgfd = cg_cgroupid_open(cgroupfs_fd, id);
if (cgfd < 0)
return cgfd;
_cleanup_free_ char *path = NULL;
r = fd_get_path(cgfd, &path);
if (r < 0)
return r;
if (isempty(path_startswith(path, "/sys/fs/cgroup/")))
return -EINVAL;
if (ret)
*ret = TAKE_PTR(path);
return 0;
}
static int cg_enumerate_items(const char *controller, const char *path, FILE **ret, const char *item) { static int cg_enumerate_items(const char *controller, const char *path, FILE **ret, const char *item) {
_cleanup_free_ char *fs = NULL; _cleanup_free_ char *fs = NULL;
FILE *f; FILE *f;
@ -826,6 +849,16 @@ int cg_pidref_get_path(const char *controller, const PidRef *pidref, char **ret_
if (!pidref_is_set(pidref)) if (!pidref_is_set(pidref))
return -ESRCH; return -ESRCH;
if (pidref->fd >= 0) {
uint64_t cgroup_id;
r = pidfd_get_cgroupid(pidref->fd, &cgroup_id);
if (r >= 0)
return cg_path_from_cgroupid(/* cgroupfs_fd = */ -EBADF, cgroup_id, ret_path);
if (!ERRNO_IS_NEG_NOT_SUPPORTED(r))
return r;
}
r = cg_pid_get_path(controller, pidref->pid, &path); r = cg_pid_get_path(controller, pidref->pid, &path);
if (r < 0) if (r < 0)
return r; return r;
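Review bot: The pidfd branch added to cg_pidref_get_path() returns whatever cg_path_from_cgroupid() produced, and that helper passes through the fd_get_path() result, i.e. a filesystem path beginning with `/sys/fs/cgroup/`. The fallback directly below returns the value of cg_pid_get_path(), which presumably is the cgroup path relative to the hierarchy root, so callers that compare or attribute cgroup paths would see two different formats depending on kernel support; the `controller` argument is also ignored on the new branch. If the relative form is what callers expect, the branch should strip the prefix before storing into `ret_path`, for example by keeping the pointer that `path_startswith(path, "/sys/fs/cgroup/")` returns and duplicating from there. The helper also appears to return -EINVAL for the root cgroup (empty remainder), which the new branch propagates instead of falling back. The function body continues outside the hunk.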


@ -183,6 +183,8 @@ typedef enum CGroupUnified {
int cg_path_open(const char *controller, const char *path); int cg_path_open(const char *controller, const char *path);
int cg_cgroupid_open(int fsfd, uint64_t id); int cg_cgroupid_open(int fsfd, uint64_t id);
int cg_path_from_cgroupid(int cgroupfs_fd, uint64_t id, char **ret);
typedef enum CGroupFlags { typedef enum CGroupFlags {
CGROUP_SIGCONT = 1 << 0, CGROUP_SIGCONT = 1 << 0,
CGROUP_IGNORE_SELF = 1 << 1, CGROUP_IGNORE_SELF = 1 << 1,


@ -72,6 +72,7 @@ basic_sources = files(
'parse-util.c', 'parse-util.c',
'path-util.c', 'path-util.c',
'percent-util.c', 'percent-util.c',
'pidfd-util.c',
'pidref.c', 'pidref.c',
'prioq.c', 'prioq.c',
'proc-cmdline.c', 'proc-cmdline.c',

43
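--- a/src/basic/missing_pidfd.h
+++ b/src/basic/missing_pidfd.h
@@ -0,0 +1,43 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+#include <linux/types.h>
+#define PIDFS_IOCTL_MAGIC 0xFF
+#ifndef PIDFD_GET_CGROUP_NAMESPACE
+# define PIDFD_GET_CGROUP_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 1)
+# define PIDFD_GET_IPC_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 2)
+# define PIDFD_GET_MNT_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 3)
+# define PIDFD_GET_NET_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 4)
+# define PIDFD_GET_PID_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 5)
+# define PIDFD_GET_PID_FOR_CHILDREN_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 6)
+# define PIDFD_GET_TIME_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 7)
+# define PIDFD_GET_TIME_FOR_CHILDREN_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 8)
+# define PIDFD_GET_USER_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 9)
+# define PIDFD_GET_UTS_NAMESPACE _IO(PIDFS_IOCTL_MAGIC, 10)
+#endif
+#ifndef PIDFD_GET_INFO
+struct pidfd_info {
+__u64 mask;
+__u64 cgroupid;
+__u32 pid;
+__u32 tgid;
+__u32 ppid;
+__u32 ruid;
+__u32 rgid;
+__u32 euid;
+__u32 egid;
+__u32 suid;
+__u32 sgid;
+__u32 fsuid;
+__u32 fsgid;
+__u32 spare0[1];
+};
+#define PIDFD_GET_INFO _IOWR(PIDFS_IOCTL_MAGIC, 11, struct pidfd_info)
+#define PIDFD_INFO_PID (1UL << 0)
+#define PIDFD_INFO_CREDS (1UL << 1)
+#define PIDFD_INFO_CGROUPID (1UL << 2)
+#endif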
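Review bot: The header uses `_IO()` and `_IOWR()` but includes only `<linux/types.h>`, so it compiles only when the including file has already pulled in the ioctl macros, as pidfd-util.c does with `<sys/ioctl.h>`; adding `#include <linux/ioctl.h>` here would make it self-contained. The `#ifndef PIDFD_GET_INFO` guard likewise depends on include order: it can only notice a system-provided definition if that header came first, and pidfd-util.c includes this file before pidfd-util.h, which is the one that pulls in `<sys/pidfd.h>`. If a system header later provides `struct pidfd_info`, the struct would be declared twice. A short comment on each block naming the kernel release it mirrors would also make the fallbacks easier to retire.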

161
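--- a/src/basic/pidfd-util.c
+++ b/src/basic/pidfd-util.c
@@ -0,0 +1,161 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#include <sys/ioctl.h>
+#include <unistd.h>
+#include "errno-util.h"
+#include "fd-util.h"
+#include "fileio.h"
+#include "macro.h"
+#include "memory-util.h"
+#include "missing_magic.h"
+#include "missing_pidfd.h"
+#include "parse-util.h"
+#include "path-util.h"
+#include "pidfd-util.h"
+#include "stat-util.h"
+#include "string-util.h"
+static bool pidfd_get_info_supported = true;
+static bool ERRNO_IS_NEG_PIDFD_IOCTL_NOT_SUPPORTED(intmax_t r) {
+return IN_SET(r, -ENOTTY, -EINVAL);
+}
+_DEFINE_ABS_WRAPPER(PIDFD_IOCTL_NOT_SUPPORTED);
+static int pidfd_get_pid_fdinfo(int fd, pid_t *ret) {
+char path[STRLEN("/proc/self/fdinfo/") + DECIMAL_STR_MAX(int)];
+_cleanup_free_ char *fdinfo = NULL;
+int r;
+assert(fd >= 0);
+xsprintf(path, "/proc/self/fdinfo/%i", fd);
+r = read_full_virtual_file(path, &fdinfo, NULL);
+if (r == -ENOENT)
+return proc_fd_enoent_errno();
+if (r < 0)
+return r;
+char *p = find_line_startswith(fdinfo, "Pid:");
+if (!p)
+return -ENOTTY; /* not a pidfd? */
+p = skip_leading_chars(p, /* bad = */ NULL);
+p[strcspn(p, WHITESPACE)] = 0;
+if (streq(p, "0"))
+return -EREMOTE; /* PID is in foreign PID namespace? */
+if (streq(p, "-1"))
+return -ESRCH; /* refers to reaped process? */
+return parse_pid(p, ret);
+}
+static int pidfd_get_pid_ioctl(int fd, pid_t *ret) {
+struct pidfd_info info = { .mask = PIDFD_INFO_PID };
+assert(fd >= 0);
+if (ioctl(fd, PIDFD_GET_INFO, &info) < 0)
+return -errno;
+assert(FLAGS_SET(info.mask, PIDFD_INFO_PID));
+if (ret)
+*ret = info.pid;
+return 0;
+}
+int pidfd_get_pid(int fd, pid_t *ret) {
+int r;
+/* Converts a pidfd into a pid. We try ioctl(PIDFD_GET_INFO) (kernel 6.13+) first,
+* /proc/self/fdinfo/ as fallback. Well known errors:
+*
+* -EBADF fd invalid
+* -ESRCH fd valid, but process is already reaped
+*
+* pidfd_get_pid_fdinfo() might additionally fail for other reasons:
+*
+* -ENOSYS /proc/ not mounted
+* -ENOTTY fd valid, but not a pidfd
+* -EREMOTE fd valid, but pid is in another namespace we cannot translate to the local one
+*/
+assert(fd >= 0);
+if (pidfd_get_info_supported) {
+r = pidfd_get_pid_ioctl(fd, ret);
+if (!ERRNO_IS_NEG_PIDFD_IOCTL_NOT_SUPPORTED(r))
+return r;
+pidfd_get_info_supported = false;
+}
+return pidfd_get_pid_fdinfo(fd, ret);
+}
+int pidfd_verify_pid(int pidfd, pid_t pid) {
+pid_t current_pid;
+int r;
+assert(pidfd >= 0);
+assert(pid > 0);
+r = pidfd_get_pid(pidfd, &current_pid);
+if (r < 0)
+return r;
+return current_pid != pid ? -ESRCH : 0;
+}
+int pidfd_get_cgroupid(int fd, uint64_t *ret) {
+struct pidfd_info info = { .mask = PIDFD_INFO_CGROUP };
+assert(fd >= 0);
+if (!pidfd_get_info_supported)
+return -EOPNOTSUPP;
+if (ioctl(fd, PIDFD_GET_INFO, &info) < 0) {
+if (ERRNO_IS_PIDFD_IOCTL_NOT_SUPPORTED(errno)) {
+pidfd_get_info_supported = false;
+return -EOPNOTSUPP;
+}
+return -errno;
+}
+if (!FLAGS_SET(info.mask, PIDFD_INFO_CGROUP))
+return -ENODATA;
+if (ret)
+*ret = info.cgroupid;
+return 0;
+}
+int pidfd_get_inode_id(int fd, uint64_t *ret) {
+static int cached_supported = -1;
+int r;
+assert(fd >= 0);
+if (cached_supported < 0) {
+cached_supported = fd_is_fs_type(fd, PID_FS_MAGIC);
+if (cached_supported < 0)
+return cached_supported;
+}
+if (cached_supported == 0)
+return -EOPNOTSUPP;
+struct stat st;
+if (fstat(fd, &st) < 0)
+return -errno;
+if (ret)
+*ret = (uint64_t) st.st_ino;
+return 0;
+}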
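Review bot: pidfd_get_cgroupid() requests and tests `PIDFD_INFO_CGROUP`, but the fallback block in missing_pidfd.h from this same change defines `PIDFD_INFO_CGROUPID`, so with headers that lack PIDFD_GET_INFO the name is undeclared; both uses should be `PIDFD_INFO_CGROUPID`. A second concern is that -ENOTTY counts as "ioctl not supported" and clears the process-wide `pidfd_get_info_supported`, while the comment in pidfd_get_pid() documents -ENOTTY as "fd valid, but not a pidfd" for the fdinfo path. If the ioctl reports a wrong fd type the same way, one bad descriptor moves every later caller to the fdinfo path and makes pidfd_get_cgroupid() return -EOPNOTSUPP from then on, which quietly drops callers back to PID-based lookups. pidfd_get_inode_id() has the same shape, since `cached_supported` is taken from the first fd it is handed rather than from a pidfd the function opened itself, and its `int r;` is unused. Finally, pidfd_get_pid_ioctl() uses `assert(FLAGS_SET(info.mask, PIDFD_INFO_PID))` on kernel-returned data where pidfd_get_cgroupid() returns -ENODATA for the equivalent case.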

15
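--- a/src/basic/pidfd-util.h
+++ b/src/basic/pidfd-util.h
@@ -0,0 +1,15 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+#include <stdint.h>
+#if HAVE_PIDFD_OPEN
+#include <sys/pidfd.h>
+#endif
+#include <sys/types.h>
+int pidfd_get_pid(int fd, pid_t *ret);
+int pidfd_verify_pid(int pidfd, pid_t pid);
+int pidfd_get_cgroupid(int fd, uint64_t *ret);
+int pidfd_get_inode_id(int fd, uint64_t *ret);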


@ -1,36 +1,14 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */ /* SPDX-License-Identifier: LGPL-2.1-or-later */
#if HAVE_PIDFD_OPEN
#include <sys/pidfd.h>
#endif
#include "errno-util.h" #include "errno-util.h"
#include "fd-util.h" #include "fd-util.h"
#include "missing_magic.h"
#include "missing_syscall.h" #include "missing_syscall.h"
#include "missing_wait.h" #include "missing_wait.h"
#include "parse-util.h" #include "parse-util.h"
#include "pidfd-util.h"
#include "pidref.h" #include "pidref.h"
#include "process-util.h" #include "process-util.h"
#include "signal-util.h" #include "signal-util.h"
#include "stat-util.h"
static int pidfd_inode_ids_supported(void) {
static int cached = -1;
if (cached >= 0)
return cached;
_cleanup_close_ int fd = pidfd_open(getpid_cached(), 0);
if (fd < 0) {
if (ERRNO_IS_NOT_SUPPORTED(errno))
return (cached = false);
return -errno;
}
return (cached = fd_is_fs_type(fd, PID_FS_MAGIC));
}
int pidref_acquire_pidfd_id(PidRef *pidref) { int pidref_acquire_pidfd_id(PidRef *pidref) {
int r; int r;
@ -49,19 +27,14 @@ int pidref_acquire_pidfd_id(PidRef *pidref) {
if (pidref->fd_id > 0) if (pidref->fd_id > 0)
return 0; return 0;
r = pidfd_inode_ids_supported(); r = pidfd_get_inode_id(pidref->fd, &pidref->fd_id);
if (r < 0) if (r < 0) {
if (!ERRNO_IS_NEG_NOT_SUPPORTED(r))
log_debug_errno(r, "Failed to get inode number of pidfd for pid " PID_FMT ": %m",
pidref->pid);
return r; return r;
if (r == 0) }
return -EOPNOTSUPP;
struct stat st;
if (fstat(pidref->fd, &st) < 0)
return log_debug_errno(errno, "Failed to get inode number of pidfd for pid " PID_FMT ": %m",
pidref->pid);
pidref->fd_id = (uint64_t) st.st_ino;
return 0; return 0;
} }


@ -1874,59 +1874,6 @@ int get_oom_score_adjust(int *ret) {
return 0; return 0;
} }
int pidfd_get_pid(int fd, pid_t *ret) {
char path[STRLEN("/proc/self/fdinfo/") + DECIMAL_STR_MAX(int)];
_cleanup_free_ char *fdinfo = NULL;
int r;
/* Converts a pidfd into a pid. Well known errors:
*
* -EBADF fd invalid
* -ENOSYS /proc/ not mounted
* -ENOTTY fd valid, but not a pidfd
* -EREMOTE fd valid, but pid is in another namespace we cannot translate to the local one
* -ESRCH fd valid, but process is already reaped
*/
assert(fd >= 0);
xsprintf(path, "/proc/self/fdinfo/%i", fd);
r = read_full_virtual_file(path, &fdinfo, NULL);
if (r == -ENOENT)
return proc_fd_enoent_errno();
if (r < 0)
return r;
char *p = find_line_startswith(fdinfo, "Pid:");
if (!p)
return -ENOTTY; /* not a pidfd? */
p = skip_leading_chars(p, /* bad = */ NULL);
p[strcspn(p, WHITESPACE)] = 0;
if (streq(p, "0"))
return -EREMOTE; /* PID is in foreign PID namespace? */
if (streq(p, "-1"))
return -ESRCH; /* refers to reaped process? */
return parse_pid(p, ret);
}
int pidfd_verify_pid(int pidfd, pid_t pid) {
pid_t current_pid;
int r;
assert(pidfd >= 0);
assert(pid > 0);
r = pidfd_get_pid(pidfd, &current_pid);
if (r < 0)
return r;
return current_pid != pid ? -ESRCH : 0;
}
static int rlimit_to_nice(rlim_t limit) { static int rlimit_to_nice(rlim_t limit) {
if (limit <= 1) if (limit <= 1)
return PRIO_MAX-1; /* i.e. 19 */ return PRIO_MAX-1; /* i.e. 19 */


@ -251,9 +251,6 @@ assert_cc(TASKS_MAX <= (unsigned long) PID_T_MAX);
/* Like TAKE_PTR() but for pid_t, resetting them to 0 */ /* Like TAKE_PTR() but for pid_t, resetting them to 0 */
#define TAKE_PID(pid) TAKE_GENERIC(pid, pid_t, 0) #define TAKE_PID(pid) TAKE_GENERIC(pid, pid_t, 0)
int pidfd_get_pid(int fd, pid_t *ret);
int pidfd_verify_pid(int pidfd, pid_t pid);
int setpriority_closest(int priority); int setpriority_closest(int priority);
_noreturn_ void freeze(void); _noreturn_ void freeze(void);


@ -1,9 +1,6 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */ /* SPDX-License-Identifier: LGPL-2.1-or-later */
#include <sys/epoll.h> #include <sys/epoll.h>
#if HAVE_PIDFD_OPEN
#include <sys/pidfd.h>
#endif
#include <sys/timerfd.h> #include <sys/timerfd.h>
#include <sys/wait.h> #include <sys/wait.h>
@ -31,6 +28,7 @@
#include "origin-id.h" #include "origin-id.h"
#include "path-util.h" #include "path-util.h"
#include "prioq.h" #include "prioq.h"
#include "pidfd-util.h"
#include "process-util.h" #include "process-util.h"
#include "psi-util.h" #include "psi-util.h"
#include "set.h" #include "set.h"


@ -22,6 +22,7 @@
#include "macro.h" #include "macro.h"
#include "parse-util.h" #include "parse-util.h"
#include "path-util.h" #include "path-util.h"
#include "pidfd-util.h"
#include "process-util.h" #include "process-util.h"
#include "socket-util.h" #include "socket-util.h"
#include "stdio-util.h" #include "stdio-util.h"


@ -525,49 +525,20 @@ int userns_info_add_cgroup(UserNamespaceInfo *userns, uint64_t cgroup_id) {
} }
static int userns_destroy_cgroup(uint64_t cgroup_id) { static int userns_destroy_cgroup(uint64_t cgroup_id) {
_cleanup_close_ int cgroup_fd = -EBADF, parent_fd = -EBADF; _cleanup_free_ char *path = NULL;
int r; int r;
cgroup_fd = cg_cgroupid_open(/* cgroupfsfd= */ -EBADF, cgroup_id); r = cg_path_from_cgroupid(/* cgroupfs_fd = */ -EBADF, cgroup_id, &path);
if (cgroup_fd == -ESTALE) { if (r == -ESTALE) {
log_debug_errno(cgroup_fd, "Control group %" PRIu64 " already gone, ignoring: %m", cgroup_id); log_debug_errno(r, "Control group %" PRIu64 " already gone, ignoring.", cgroup_id);
return 0; return 0;
} }
if (cgroup_fd < 0)
return log_debug_errno(errno, "Failed to open cgroup %" PRIu64 ", ignoring: %m", cgroup_id);
_cleanup_free_ char *path = NULL;
r = fd_get_path(cgroup_fd, &path);
if (r < 0) if (r < 0)
return log_debug_errno(r, "Failed to get path of cgroup %" PRIu64 ", ignoring: %m", cgroup_id); return log_debug_errno(r, "Failed to get path of cgroup %" PRIu64 ", ignoring: %m", cgroup_id);
const char *e = path_startswith(path, "/sys/fs/cgroup/"); log_debug("Destroying cgroup %" PRIu64 " (%s)", cgroup_id, path);
if (!e)
return log_debug_errno(SYNTHETIC_ERRNO(EPERM), "Got cgroup path that doesn't start with /sys/fs/cgroup/, refusing: %s", path);
if (isempty(e))
return log_debug_errno(SYNTHETIC_ERRNO(EPERM), "Got root cgroup path, which can't be right, refusing.");
log_debug("Path of cgroup %" PRIu64 " is: %s", cgroup_id, path); r = rm_rf(path, REMOVE_ROOT|REMOVE_ONLY_DIRECTORIES|REMOVE_CHMOD);
_cleanup_free_ char *fname = NULL;
r = path_extract_filename(path, &fname);
if (r < 0)
return log_debug_errno(r, "Failed to extract name of cgroup %" PRIu64 ", ignoring: %m", cgroup_id);
parent_fd = openat(cgroup_fd, "..", O_CLOEXEC|O_DIRECTORY);
if (parent_fd < 0)
return log_debug_errno(errno, "Failed to open parent cgroup of %" PRIu64 ", ignoring: %m", cgroup_id);
/* Safety check, never leave cgroupfs */
r = fd_is_fs_type(parent_fd, CGROUP2_SUPER_MAGIC);
if (r < 0)
return log_debug_errno(r, "Failed to determine if parent directory of cgroup %" PRIu64 " is still a cgroup, ignoring: %m", cgroup_id);
if (!r)
return log_debug_errno(SYNTHETIC_ERRNO(EPERM), "Parent directory of cgroup %" PRIu64 " is not a cgroup, refusing.", cgroup_id);
cgroup_fd = safe_close(cgroup_fd);
r = rm_rf_child(parent_fd, fname, REMOVE_ONLY_DIRECTORIES|REMOVE_PHYSICAL|REMOVE_CHMOD);
if (r < 0) if (r < 0)
log_debug_errno(r, "Failed to remove delegated cgroup %" PRIu64 ", ignoring: %m", cgroup_id); log_debug_errno(r, "Failed to remove delegated cgroup %" PRIu64 ", ignoring: %m", cgroup_id);
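Review bot: The removal now goes through `rm_rf(path, …)` on an absolute path that is resolved again from the root, whereas the deleted code kept `parent_fd` open and verified it with `fd_is_fs_type(parent_fd, CGROUP2_SUPER_MAGIC)` before calling `rm_rf_child()`; the check and the removal are therefore no longer tied to the same directory object. The commit message argues that rm_rf() without REMOVE_PHYSICAL performs the filesystem check itself, and that reasoning deserves a comment at the call, e.g. `/* No REMOVE_PHYSICAL: rm_rf() itself refuses physical file systems, so this cannot leave cgroupfs */` (wording to be confirmed against rm_rf()). The two distinct EPERM diagnostics for a path outside `/sys/fs/cgroup/` and for the root cgroup are also gone; both now surface as the generic "Failed to get path of cgroup" message with -EINVAL from cg_path_from_cgroupid(). The function continues past the end of the hunk.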


@ -467,7 +467,7 @@ class SignTool:
raise NotImplementedError() raise NotImplementedError()
@staticmethod @staticmethod
def from_string(name) -> type['SignTool']: def from_string(name: str) -> type['SignTool']:
if name == 'pesign': if name == 'pesign':
return PeSign return PeSign
elif name == 'sbsign': elif name == 'sbsign':


@ -1,8 +1,7 @@
#!/usr/bin/python3 #!/usr/bin/python3
# SPDX-License-Identifier: LGPL-2.1-or-later # SPDX-License-Identifier: LGPL-2.1-or-later
'''Test wrapper command for driving integration tests. """Test wrapper command for driving integration tests."""
'''
import argparse import argparse
import json import json
@ -13,7 +12,6 @@ import sys
import textwrap import textwrap
from pathlib import Path from pathlib import Path
EMERGENCY_EXIT_DROPIN = """\ EMERGENCY_EXIT_DROPIN = """\
[Unit] [Unit]
Wants=emergency-exit.service Wants=emergency-exit.service
@ -34,7 +32,7 @@ ExecStart=false
""" """
def main(): def main() -> None:
parser = argparse.ArgumentParser(description=__doc__) parser = argparse.ArgumentParser(description=__doc__)
parser.add_argument('--mkosi', required=True) parser.add_argument('--mkosi', required=True)
parser.add_argument('--meson-source-dir', required=True, type=Path) parser.add_argument('--meson-source-dir', required=True, type=Path)
@ -46,34 +44,43 @@ def main():
parser.add_argument('--slow', action=argparse.BooleanOptionalAction) parser.add_argument('--slow', action=argparse.BooleanOptionalAction)
parser.add_argument('--vm', action=argparse.BooleanOptionalAction) parser.add_argument('--vm', action=argparse.BooleanOptionalAction)
parser.add_argument('--exit-code', required=True, type=int) parser.add_argument('--exit-code', required=True, type=int)
parser.add_argument('mkosi_args', nargs="*") parser.add_argument('mkosi_args', nargs='*')
args = parser.parse_args() args = parser.parse_args()
if not bool(int(os.getenv("SYSTEMD_INTEGRATION_TESTS", "0"))): if not bool(int(os.getenv('SYSTEMD_INTEGRATION_TESTS', '0'))):
print(f"SYSTEMD_INTEGRATION_TESTS=1 not found in environment, skipping {args.name}", file=sys.stderr) print(
f'SYSTEMD_INTEGRATION_TESTS=1 not found in environment, skipping {args.name}',
file=sys.stderr,
)
exit(77) exit(77)
if args.slow and not bool(int(os.getenv("SYSTEMD_SLOW_TESTS", "0"))): if args.slow and not bool(int(os.getenv('SYSTEMD_SLOW_TESTS', '0'))):
print(f"SYSTEMD_SLOW_TESTS=1 not found in environment, skipping {args.name}", file=sys.stderr) print(
f'SYSTEMD_SLOW_TESTS=1 not found in environment, skipping {args.name}',
file=sys.stderr,
)
exit(77) exit(77)
if args.vm and bool(int(os.getenv("TEST_NO_QEMU", "0"))): if args.vm and bool(int(os.getenv('TEST_NO_QEMU', '0'))):
print(f"TEST_NO_QEMU=1, skipping {args.name}", file=sys.stderr) print(f'TEST_NO_QEMU=1, skipping {args.name}', file=sys.stderr)
exit(77) exit(77)
for s in os.getenv("TEST_SKIP", "").split(): for s in os.getenv('TEST_SKIP', '').split():
if s in args.name: if s in args.name:
print(f"Skipping {args.name} due to TEST_SKIP", file=sys.stderr) print(f'Skipping {args.name} due to TEST_SKIP', file=sys.stderr)
exit(77) exit(77)
keep_journal = os.getenv("TEST_SAVE_JOURNAL", "fail") keep_journal = os.getenv('TEST_SAVE_JOURNAL', 'fail')
shell = bool(int(os.getenv("TEST_SHELL", "0"))) shell = bool(int(os.getenv('TEST_SHELL', '0')))
if shell and not sys.stderr.isatty(): if shell and not sys.stderr.isatty():
print(f"--interactive must be passed to meson test to use TEST_SHELL=1", file=sys.stderr) print(
'--interactive must be passed to meson test to use TEST_SHELL=1',
file=sys.stderr,
)
exit(1) exit(1)
name = args.name + (f"-{i}" if (i := os.getenv("MESON_TEST_ITERATION")) else "") name = args.name + (f'-{i}' if (i := os.getenv('MESON_TEST_ITERATION')) else '')
dropin = textwrap.dedent( dropin = textwrap.dedent(
"""\ """\
@ -84,14 +91,14 @@ def main():
if not shell: if not shell:
dropin += textwrap.dedent( dropin += textwrap.dedent(
f""" """
[Unit] [Unit]
SuccessAction=exit SuccessAction=exit
SuccessActionExitStatus=123 SuccessActionExitStatus=123
""" """
) )
if os.getenv("TEST_MATCH_SUBTEST"): if os.getenv('TEST_MATCH_SUBTEST'):
dropin += textwrap.dedent( dropin += textwrap.dedent(
f""" f"""
[Service] [Service]
@ -99,7 +106,7 @@ def main():
""" """
) )
if os.getenv("TEST_MATCH_TESTCASE"): if os.getenv('TEST_MATCH_TESTCASE'):
dropin += textwrap.dedent( dropin += textwrap.dedent(
f""" f"""
[Service] [Service]
@ -116,7 +123,7 @@ def main():
""" """
) )
journal_file = (args.meson_build_dir / (f"test/journal/{name}.journal")).absolute() journal_file = (args.meson_build_dir / (f'test/journal/{name}.journal')).absolute()
journal_file.unlink(missing_ok=True) journal_file.unlink(missing_ok=True)
elif not shell: elif not shell:
dropin += textwrap.dedent( dropin += textwrap.dedent(
@ -136,54 +143,60 @@ def main():
*(['--forward-journal', journal_file] if journal_file else []), *(['--forward-journal', journal_file] if journal_file else []),
*( *(
[ [
'--credential', '--credential', f'systemd.extra-unit.emergency-exit.service={shlex.quote(EMERGENCY_EXIT_SERVICE)}', # noqa: E501
f"systemd.extra-unit.emergency-exit.service={shlex.quote(EMERGENCY_EXIT_SERVICE)}", '--credential', f'systemd.unit-dropin.emergency.target={shlex.quote(EMERGENCY_EXIT_DROPIN)}',
'--credential',
f"systemd.unit-dropin.emergency.target={shlex.quote(EMERGENCY_EXIT_DROPIN)}",
] ]
if not sys.stderr.isatty() if not sys.stderr.isatty()
else [] else []
), ),
'--credential', '--credential', f'systemd.unit-dropin.{args.unit}={shlex.quote(dropin)}',
f"systemd.unit-dropin.{args.unit}={shlex.quote(dropin)}",
'--runtime-network=none', '--runtime-network=none',
'--runtime-scratch=no', '--runtime-scratch=no',
*args.mkosi_args, *args.mkosi_args,
'--qemu-firmware', args.firmware, '--qemu-firmware',
*(['--qemu-kvm', 'no'] if int(os.getenv("TEST_NO_KVM", "0")) else []), args.firmware,
*(['--qemu-kvm', 'no'] if int(os.getenv('TEST_NO_KVM', '0')) else []),
'--kernel-command-line-extra', '--kernel-command-line-extra',
' '.join([ ' '.join(
'systemd.hostname=H', [
f"SYSTEMD_UNIT_PATH=/usr/lib/systemd/tests/testdata/{args.name}.units:/usr/lib/systemd/tests/testdata/units:", 'systemd.hostname=H',
*([f"systemd.unit={args.unit}"] if not shell else []), f'SYSTEMD_UNIT_PATH=/usr/lib/systemd/tests/testdata/{args.name}.units:/usr/lib/systemd/tests/testdata/units:',
'systemd.mask=systemd-networkd-wait-online.service', *([f'systemd.unit={args.unit}'] if not shell else []),
*( 'systemd.mask=systemd-networkd-wait-online.service',
[ *(
"systemd.mask=serial-getty@.service", [
"systemd.show_status=error", 'systemd.mask=serial-getty@.service',
"systemd.crash_shell=0", 'systemd.show_status=error',
"systemd.crash_action=poweroff", 'systemd.crash_shell=0',
] 'systemd.crash_action=poweroff',
if not sys.stderr.isatty() ]
else [] if not sys.stderr.isatty()
), else []
]), ),
]
),
'--credential', f"journal.storage={'persistent' if sys.stderr.isatty() else args.storage}", '--credential', f"journal.storage={'persistent' if sys.stderr.isatty() else args.storage}",
*(['--runtime-build-sources=no'] if not sys.stderr.isatty() else []), *(['--runtime-build-sources=no'] if not sys.stderr.isatty() else []),
'qemu' if args.vm or os.getuid() != 0 else 'boot', 'qemu' if args.vm or os.getuid() != 0 else 'boot',
] ] # fmt: skip
result = subprocess.run(cmd) result = subprocess.run(cmd)
# On Debian/Ubuntu we get a lot of random QEMU crashes. Retry once, and then skip if it fails again. # On Debian/Ubuntu we get a lot of random QEMU crashes. Retry once, and then skip if it fails again.
if args.vm and result.returncode == 247 and args.exit_code != 247: if args.vm and result.returncode == 247 and args.exit_code != 247:
journal_file.unlink(missing_ok=True) if journal_file:
journal_file.unlink(missing_ok=True)
result = subprocess.run(cmd) result = subprocess.run(cmd)
if args.vm and result.returncode == 247 and args.exit_code != 247: if args.vm and result.returncode == 247 and args.exit_code != 247:
print(f"Test {args.name} failed due to QEMU crash (error 247), ignoring", file=sys.stderr) print(
f'Test {args.name} failed due to QEMU crash (error 247), ignoring',
file=sys.stderr,
)
exit(77) exit(77)
if journal_file and (keep_journal == "0" or (result.returncode in (args.exit_code, 77) and keep_journal == "fail")): if journal_file and (
keep_journal == '0' or (result.returncode in (args.exit_code, 77) and keep_journal == 'fail')
):
journal_file.unlink(missing_ok=True) journal_file.unlink(missing_ok=True)
if shell or result.returncode in (args.exit_code, 77): if shell or result.returncode in (args.exit_code, 77):
@ -192,31 +205,33 @@ def main():
if journal_file: if journal_file:
ops = [] ops = []
if os.getenv("GITHUB_ACTIONS"): if os.getenv('GITHUB_ACTIONS'):
id = os.environ["GITHUB_RUN_ID"] id = os.environ['GITHUB_RUN_ID']
iteration = os.environ["GITHUB_RUN_ATTEMPT"] iteration = os.environ['GITHUB_RUN_ATTEMPT']
j = json.loads( j = json.loads(
subprocess.run( subprocess.run(
[ [
args.mkosi, args.mkosi,
"--directory", os.fspath(args.meson_source_dir), '--directory', os.fspath(args.meson_source_dir),
"--json", '--json',
"summary", 'summary',
], ],
stdout=subprocess.PIPE, stdout=subprocess.PIPE,
text=True, text=True,
).stdout ).stdout
) ) # fmt: skip
distribution = j["Images"][-1]["Distribution"] distribution = j['Images'][-1]['Distribution']
release = j["Images"][-1]["Release"] release = j['Images'][-1]['Release']
artifact = f"ci-mkosi-{id}-{iteration}-{distribution}-{release}-failed-test-journals" artifact = f'ci-mkosi-{id}-{iteration}-{distribution}-{release}-failed-test-journals'
ops += [f"gh run download {id} --name {artifact} -D ci/{artifact}"] ops += [f'gh run download {id} --name {artifact} -D ci/{artifact}']
journal_file = Path(f"ci/{artifact}/test/journal/{name}.journal") journal_file = Path(f'ci/{artifact}/test/journal/{name}.journal')
ops += [f"journalctl --file {journal_file} --no-hostname -o short-monotonic -u {args.unit} -p info"] ops += [f'journalctl --file {journal_file} --no-hostname -o short-monotonic -u {args.unit} -p info']
print("Test failed, relevant logs can be viewed with: \n\n" print(
f"{(' && '.join(ops))}\n", file=sys.stderr) "Test failed, relevant logs can be viewed with: \n\n" f"{(' && '.join(ops))}\n",
file=sys.stderr,
)
# 0 also means we failed so translate that to a non-zero exit code to mark the test as failed. # 0 also means we failed so translate that to a non-zero exit code to mark the test as failed.
exit(result.returncode or 1) exit(result.returncode or 1)
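Review bot: In the failure-reporting branch of the last hunk, `json.loads(subprocess.run([...], stdout=subprocess.PIPE, text=True).stdout)` never checks the exit status of `mkosi --json summary`, so a failing mkosi produces an empty string and a JSONDecodeError traceback that hides the real test result; passing `check=True` would surface the actual error. The local name `id` also shadows the builtin, which is cheap to fix while the file is being brought under ruff, e.g. `run_id = os.environ['GITHUB_RUN_ID']`. The printed `gh run download … && journalctl --file …` hint interpolates `journal_file` and `args.unit` unquoted; `shlex.quote()` is already used elsewhere in this file and would keep the suggested command safe to copy and paste. main() begins and continues outside the visible hunks.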