chiark / gitweb /
elogind.git
6 years agosysusers: do not set todo to create a user when we only need a group
Kay Sievers [Fri, 13 Jun 2014 01:26:41 +0000 (03:26 +0200)]
sysusers: do not set todo to create a user when we only need a group

6 years agocryptsetup: check that password is not null
Thomas Hindoe Paaboel Andersen [Thu, 12 Jun 2014 20:50:04 +0000 (22:50 +0200)]
cryptsetup: check that password is not null

Beef up the assert to protect against passing null to strlen.

Found with scan-build.

6 years agosysuser: generate default snippet incorporating TTY_GID properly
Lennart Poettering [Thu, 12 Jun 2014 21:22:27 +0000 (23:22 +0200)]
sysuser: generate default snippet incorporating TTY_GID properly

When the user specifies --with-tty-gid= then we should honour that and
write it to the snippet, too.

6 years agosysusers: add new input group to default snippet
Lennart Poettering [Thu, 12 Jun 2014 21:08:51 +0000 (23:08 +0200)]
sysusers: add new input group to default snippet

6 years agotmpfiles: minor modernizations
Lennart Poettering [Thu, 12 Jun 2014 21:07:17 +0000 (23:07 +0200)]
tmpfiles: minor modernizations

6 years agomachine: minor modernizations
Lennart Poettering [Thu, 12 Jun 2014 21:06:56 +0000 (23:06 +0200)]
machine: minor modernizations

6 years agosysusers: add minimal tool to reconstruct /etc/passwd and /etc/group from static...
Lennart Poettering [Thu, 12 Jun 2014 20:54:02 +0000 (22:54 +0200)]
sysusers: add minimal tool to reconstruct /etc/passwd and /etc/group from static files

systemd-sysusers is a tool to reconstruct /etc/passwd and /etc/group
from static definition files that take a lot of inspiration from
tmpfiles snippets. These snippets should carry information about system
users only. To make sure it is not misused for normal users these
snippets only allow configuring UID and gecos field for each user, but
do not allow configuration of the home directory or shell, which is
necessary for real login users.

The purpose of this tool is to enable state-less systems that can
populate /etc with the minimal files necessary, solely from static data
in /usr. systemd-sysuser is additive only, and will never override
existing users.

This tool will create these files directly, and not via some user
database abtsraction layer. This is appropriate as this tool is supposed
to run really early at boot, and is only useful for creating system
users, and system users cannot be stored in remote databases anyway.

The tool is also useful to be invoked from RPM scriptlets, instead of
useradd. This allows moving from imperative user descriptions in RPM to
declarative descriptions.

The UID/GID for a user/group to be created can either be chosen dynamic,
or fixed, or be read from the owner of a file in the file system, in
order to support reconstructing the correct IDs for files that shall be
owned by them.

This also adds a minimal user definition file, that should be
sufficient for most basic systems. Distributions are expected to patch
these files and augment the contents, for example with fixed UIDs for
the users where that's necessary.

6 years agodebug-shell: add condition for tty device to run on
Kay Sievers [Thu, 12 Jun 2014 20:26:43 +0000 (22:26 +0200)]
debug-shell: add condition for tty device to run on

6 years agoudev: assign group "input" to all input devices
Kay Sievers [Thu, 12 Jun 2014 12:59:53 +0000 (14:59 +0200)]
udev: assign group "input" to all input devices

6 years agoNEWS: fix directory name
Mantas Mikulėnas [Wed, 11 Jun 2014 14:09:11 +0000 (17:09 +0300)]
NEWS: fix directory name

6 years agoNEWS: add missing comment about the "floppy" group
Lennart Poettering [Wed, 11 Jun 2014 16:42:38 +0000 (18:42 +0200)]
NEWS: add missing comment about the "floppy" group

6 years agoNEWS: mention that resolved's resolv.conf fragment moved v214
Lennart Poettering [Wed, 11 Jun 2014 13:32:20 +0000 (15:32 +0200)]
NEWS: mention that resolved's resolv.conf fragment moved

6 years agobuild-sys: update library versions
Lennart Poettering [Wed, 11 Jun 2014 13:30:28 +0000 (15:30 +0200)]
build-sys: update library versions

6 years agoNEWS: add contributor list for 214
Lennart Poettering [Wed, 11 Jun 2014 13:04:59 +0000 (15:04 +0200)]
NEWS: add contributor list for 214

6 years agounits: order network-online.target after network.target
Lennart Poettering [Wed, 11 Jun 2014 12:58:32 +0000 (14:58 +0200)]
units: order network-online.target after network.target

There might be implementations around where the network-online logic
might not talk to any network configuration service (and thus not have
to wait for it), hence let's explicitly order network-online.target
after network.target to avoid any ambiguities.

6 years agoNEWS: update
Kay Sievers [Wed, 11 Jun 2014 12:04:28 +0000 (14:04 +0200)]
NEWS: update

6 years agoNEWS: prepare NEWS for 214
Lennart Poettering [Wed, 11 Jun 2014 11:31:51 +0000 (13:31 +0200)]
NEWS: prepare NEWS for 214

6 years agodoc: specify kernel configs for cpushares
Umut Tezduyar Lindskog [Tue, 10 Jun 2014 21:29:30 +0000 (23:29 +0200)]
doc: specify kernel configs for cpushares

6 years agounits: time-sync.target probably makes sense, is not just sysv compat
Lennart Poettering [Wed, 11 Jun 2014 09:35:42 +0000 (11:35 +0200)]
units: time-sync.target probably makes sense, is not just sysv compat

6 years agounits: introduce network-pre.target as place to hook in firewalls
Lennart Poettering [Wed, 11 Jun 2014 09:33:02 +0000 (11:33 +0200)]
units: introduce network-pre.target as place to hook in firewalls

network-pre.target is a passive target that should be pulled in by
services that want to be executed before any network is configured (for
example: firewall scrips).

network-pre.target should be ordered before all network managemet
services (but not be pulled in by them).

network-pre.target should be order after all services that want to be
executed before any network is configured (and be pulled in by them).

6 years agoNEWS: add section about udev locking
Kay Sievers [Wed, 11 Jun 2014 10:00:47 +0000 (12:00 +0200)]
NEWS: add section about udev locking

6 years agoudev: stop using "floppy" group
Kay Sievers [Wed, 11 Jun 2014 09:20:55 +0000 (11:20 +0200)]
udev: stop using "floppy" group

6 years agojournald: create /run/log/journal with the correct access modes
Lennart Poettering [Wed, 11 Jun 2014 08:36:13 +0000 (10:36 +0200)]
journald: create /run/log/journal with the correct access modes

6 years agotmpfiles: don't allow read access to journal files to users not in systemd-journal
Lennart Poettering [Wed, 11 Jun 2014 08:23:16 +0000 (10:23 +0200)]
tmpfiles: don't allow read access to journal files to users not in systemd-journal

Also, don't apply access mode recursively to /var/log/journal/*/, since
that might be quite large, and should be correct anyway.

6 years agoupdate TODO
Lennart Poettering [Wed, 11 Jun 2014 08:15:51 +0000 (10:15 +0200)]
update TODO

6 years agotmpfiles: don't apply sgid and executable bit to journal files, only the directories...
Lennart Poettering [Wed, 11 Jun 2014 08:15:07 +0000 (10:15 +0200)]
tmpfiles: don't apply sgid and executable bit to journal files, only the directories they are contained in

6 years agotmpfiles: add ability to mask access mode by pre-existing access mode on files/direct...
Lennart Poettering [Wed, 11 Jun 2014 08:14:07 +0000 (10:14 +0200)]
tmpfiles: add ability to mask access mode by pre-existing access mode on files/directories

This way it makes a lot more sense to specify an access mode for "Z"
lines.

6 years agotmpfiles: if /var is mounted from tmpfs, we should adjust its access mode
Lennart Poettering [Wed, 11 Jun 2014 07:20:17 +0000 (09:20 +0200)]
tmpfiles: if /var is mounted from tmpfs, we should adjust its access mode

6 years agotmpfiles: remove unnecessary function
Lennart Poettering [Wed, 11 Jun 2014 07:19:57 +0000 (09:19 +0200)]
tmpfiles: remove unnecessary function

6 years agotmpfiles: when processing lines, always process prefixes before suffixes
Lennart Poettering [Tue, 10 Jun 2014 23:37:35 +0000 (01:37 +0200)]
tmpfiles: when processing lines, always process prefixes before suffixes

If two lines refer to paths that are suffix and prefix of each other,
then always process the prefix first, the suffix second. In all other
cases strictly process rules in the order they appear in the files.

This makes creating /var/run as symlink to /run a lot more fun, since it
is automatically created first.

6 years agotmpfiles: static variables populated immediately from the command line should be...
Lennart Poettering [Tue, 10 Jun 2014 23:26:28 +0000 (01:26 +0200)]
tmpfiles: static variables populated immediately from the command line should be prefixed with arg_

6 years agonspawn: add new --tmpfs= option to mount a tmpfs on specific directories, such as...
Lennart Poettering [Tue, 10 Jun 2014 22:44:30 +0000 (00:44 +0200)]
nspawn: add new --tmpfs= option to mount a tmpfs on specific directories, such as /var

6 years agotmpfiles: always recreate the most basic directory structure in /var
Lennart Poettering [Tue, 10 Jun 2014 22:12:21 +0000 (00:12 +0200)]
tmpfiles: always recreate the most basic directory structure in /var

Let's allow booting up with /var empty. Only create the most basic
directories to get to a working directory structure and symlink set in
/var.

6 years agoupdate TODO
Lennart Poettering [Tue, 10 Jun 2014 22:07:07 +0000 (00:07 +0200)]
update TODO

6 years agotmpfiles: get rid of "m" lines, make them redundant by "z"
Lennart Poettering [Tue, 10 Jun 2014 21:42:16 +0000 (23:42 +0200)]
tmpfiles: get rid of "m" lines, make them redundant by "z"

"m" so far has been a non-globbing version of "z". Since this makes it
quite redundant, let's get rid of it. Remove "m" from the man pages,
beef up "z" docs instead, and make "m" nothing more than a compatibility
alias for "z".

6 years agotmpfiles: add new "C" line for copying files or directories
Lennart Poettering [Tue, 10 Jun 2014 21:02:40 +0000 (23:02 +0200)]
tmpfiles: add new "C" line for copying files or directories

6 years agotmpfiles: various modernizations
Lennart Poettering [Tue, 10 Jun 2014 20:50:46 +0000 (22:50 +0200)]
tmpfiles: various modernizations

6 years agolabel: when clearing selinux context, don't mangle errno
Lennart Poettering [Tue, 10 Jun 2014 20:48:56 +0000 (22:48 +0200)]
label: when clearing selinux context, don't mangle errno

6 years agobus-proxy: fix misplaced s/system/session/
Mantas Mikulėnas [Tue, 10 Jun 2014 17:00:33 +0000 (20:00 +0300)]
bus-proxy: fix misplaced s/system/session/

6 years agomachine-id-setup: fix array size of parameters
Lennart Poettering [Tue, 10 Jun 2014 17:15:06 +0000 (19:15 +0200)]
machine-id-setup: fix array size of parameters

Not that it really would have any effect on the generated code, but
let's not confuse people...

6 years agolog: honour the kernel's quiet cmdline argument
Ronny Chevalier [Tue, 3 Jun 2014 17:44:03 +0000 (19:44 +0200)]
log: honour the kernel's quiet cmdline argument

It was forgotten in b1e90ec515408aec2702522f6f68c4920b56375b

See https://bugs.freedesktop.org/show_bug.cgi?id=79582

6 years agoudev: check the return value from udev_enumerate_scan_devices
Thomas Hindoe Paaboel Andersen [Wed, 4 Jun 2014 21:40:43 +0000 (23:40 +0200)]
udev: check the return value from udev_enumerate_scan_devices

The return value from udev_enumerate_scan_devices was stored but
never used. I assume this was meant to be checked.

6 years agotests: do not use systemctl status --failed
Ronny Chevalier [Sat, 31 May 2014 20:28:17 +0000 (22:28 +0200)]
tests: do not use systemctl status --failed

since v212 calling systemctl status without arguments
will show a overall system state

6 years agobacklight: Do not clamp brightness for LEDs
Denis Tikhomirov [Thu, 5 Jun 2014 19:59:40 +0000 (23:59 +0400)]
backlight: Do not clamp brightness for LEDs

https://bugs.freedesktop.org/show_bug.cgi?id=77092

On Thu, Jun 05, 2014 at 08:37:20AM +0200, Lennart Poettering wrote:
> The patch is line-broken, please send an uncorrupted patch!
I am very sorry, I forgot that my client limits line width. I will use
mutt now on.
> clamp_brightness() clamps the brightness value to the range of the
> actual device. This is a recent addition that was added to deal with
> driver updates where the resolution is changed. I don't think this part
> should be dropped for LED devices. The clamp_brightness() call hence
> should be called unconditionally, however, internally it should use a
> different min_brightness value if something is an !backlight devices...
Thank you for explanation, this sounds very reasonable to me. Please,
see updated patch:

6 years agoman: updates to the passive target section
Lennart Poettering [Tue, 10 Jun 2014 16:52:28 +0000 (18:52 +0200)]
man: updates to the passive target section

6 years agosystemd-detect-virt: only discover Xen domU
Thomas Blume [Fri, 6 Jun 2014 14:36:45 +0000 (16:36 +0200)]
systemd-detect-virt: only discover Xen domU

The current vm detection lacks the distinction between Xen dom0 and Xen domU.
Both, dom0 and domU are running inside the hypervisor.
Therefore systemd-detect-virt and the ConditionVirtualization directive detect
dom0 as a virtual machine.

dom0 is not using virtual devices but is accessing the real hardware.
Therefore dom0 should be considered the virtualisation host and not a virtual
machine.

https://bugs.freedesktop.org/show_bug.cgi?id=77271

6 years agoman: Searching for an explanation of what a "slice unit" was, found this, felt compel...
Mark Eichin [Mon, 9 Jun 2014 05:57:19 +0000 (01:57 -0400)]
man: Searching for an explanation of what a "slice unit" was, found this, felt compelled to send in fixes for the obvious typos

6 years agobus-proxy: properly index policy by uid/gid when parsing
Lennart Poettering [Tue, 10 Jun 2014 15:56:17 +0000 (17:56 +0200)]
bus-proxy: properly index policy by uid/gid when parsing

6 years agobus-proxy: read the right policy when running in user mode
Lennart Poettering [Tue, 10 Jun 2014 13:46:32 +0000 (15:46 +0200)]
bus-proxy: read the right policy when running in user mode

6 years agoudev: really exclude device-mapper from block device ownership event locking
Christian Hesse [Tue, 10 Jun 2014 13:51:15 +0000 (15:51 +0200)]
udev: really exclude device-mapper from block device ownership event locking

Arguments were wrong order, no?
This fixes commits:

e918a1b5a94f270186dca59156354acd2a596494
3d06f4183470d42361303086ed9dedd29c0ffc1b

6 years agoman: clarify the effect of replace-irreversibly on future conflicting jobs
David Strauss [Mon, 9 Jun 2014 22:32:03 +0000 (15:32 -0700)]
man: clarify the effect of replace-irreversibly on future conflicting jobs

6 years agobuild: fix copypaste error in networkd-wait-online symlink
Dave Reisner [Mon, 9 Jun 2014 12:48:21 +0000 (08:48 -0400)]
build: fix copypaste error in networkd-wait-online symlink

6 years agobus-policy.c: use draw_special_char(DRAW_ARROW)
Daniel Buch [Sun, 8 Jun 2014 11:57:21 +0000 (13:57 +0200)]
bus-policy.c: use draw_special_char(DRAW_ARROW)

Lets allow LC_ALL=C without corrupted output

6 years agoFix spelling mistake, proces -> process
Colin Ian King [Fri, 6 Jun 2014 22:06:33 +0000 (23:06 +0100)]
Fix spelling mistake, proces -> process

6 years agonspawn: split long message into two lines
Zbigniew Jędrzejewski-Szmek [Wed, 28 May 2014 16:39:38 +0000 (12:39 -0400)]
nspawn: split long message into two lines

For names like /var/lib/container/something, the message
becomes quite long. Better to split it.

Also reword the message not to suggest that ^]^]^] only works
in the beginning.

6 years agobus-proxyd: do not free NULL items
Kay Sievers [Sat, 7 Jun 2014 14:22:28 +0000 (16:22 +0200)]
bus-proxyd: do not free NULL items

6 years agoRemove sysv parser from service.c
Thomas Hindoe Paaboel Andersen [Thu, 29 May 2014 19:51:50 +0000 (21:51 +0200)]
Remove sysv parser from service.c

Parsing sysv files was moved to the sysv-generator in the previous commit.
This patch removes the sysv parsing from serivce.c.

Note that this patch drops the following now unused sysv-specific info
from service dump:
"SysV Init Script has LSB Header: (yes/no)"
"SysVEnabled: (yes/no)"
"SysVRunLevels: (levels)"

6 years agoMove handling of sysv initscripts to a generator
Thomas Hindoe Paaboel Andersen [Thu, 22 May 2014 22:37:39 +0000 (00:37 +0200)]
Move handling of sysv initscripts to a generator

Reuses logic from service.c and the rc-local generator.

Note that this drops reading of chkconfig entirely. It also drops reading
runlevels from the LSB headers. The runlevels were only used to check for
runlevels outside of the normal 1-5 range and then add special dependencies
and settings. Special runlevels were dropped in the past so it seemed to be
unused code.

The generator does not know about non-generated units with a value set with
SysVStartPriority=. These are therefor not taken into account when converting
start priority to before/after.

6 years agocore: allow transient mount units
Tom Gundersen [Fri, 6 Jun 2014 13:10:20 +0000 (15:10 +0200)]
core: allow transient mount units

For now only What=, Options=, Type= are supported, and Where= is deduced
from the unit name.

6 years agofix warnings
Thomas Hindoe Paaboel Andersen [Fri, 6 Jun 2014 21:29:09 +0000 (23:29 +0200)]
fix warnings

Prevent use of uninitialized variable and removed a now unused
cleanup function for freeaddrinfo

6 years agobus-proxy: properly read user/group policy items
Lennart Poettering [Fri, 6 Jun 2014 17:52:50 +0000 (19:52 +0200)]
bus-proxy: properly read user/group policy items

6 years agobus: add basic dbus1 policy parser
Lennart Poettering [Fri, 6 Jun 2014 17:41:24 +0000 (19:41 +0200)]
bus: add basic dbus1 policy parser

Enforcement is still missing, but at least we can parse it now.

6 years agoupdate TODO
Lennart Poettering [Fri, 6 Jun 2014 16:38:43 +0000 (18:38 +0200)]
update TODO

6 years agosd-bus: don't allow creating message objects that are not attached to a bus
Lennart Poettering [Fri, 6 Jun 2014 16:30:01 +0000 (18:30 +0200)]
sd-bus: don't allow creating message objects that are not attached to a bus

It seems unnecessary to support this, and we rather should avoid
allowing this at all, so that people don't program against this
sloppily and we end up remarshalling all the time...

6 years agounits: pull in time-sync.target from systemd-timedated.service
Lennart Poettering [Fri, 6 Jun 2014 14:20:33 +0000 (16:20 +0200)]
units: pull in time-sync.target from systemd-timedated.service

After all, that's what we document for time-sync.target in
systemd.special(5), hence let's follow our own suggestion.

6 years agoman: fix references to sd_journal_cutoff_realtime_usec
Mantas Mikulėnas [Mon, 2 Jun 2014 13:47:15 +0000 (16:47 +0300)]
man: fix references to sd_journal_cutoff_realtime_usec

6 years agoupdate TODO
Lennart Poettering [Fri, 6 Jun 2014 12:51:07 +0000 (14:51 +0200)]
update TODO

6 years agonamespace: cover /boot with ProtectSystem= again
Lennart Poettering [Fri, 6 Jun 2014 12:48:51 +0000 (14:48 +0200)]
namespace: cover /boot with ProtectSystem= again

Now that we properly exclude autofs mounts from ProtectSystem= we can
include it in the effect of ProtectSystem= again.

6 years agounits: fix minor typo
Lennart Poettering [Fri, 6 Jun 2014 12:30:09 +0000 (14:30 +0200)]
units: fix minor typo

6 years agonamespace: beef up read-only bind mount logic
Lennart Poettering [Fri, 6 Jun 2014 09:42:25 +0000 (11:42 +0200)]
namespace: beef up read-only bind mount logic

Instead of blindly creating another bind mount for read-only mounts,
check if there's already one we can use, and if so, use it. Also,
recursively mark all submounts read-only too. Also, ignore autofs mounts
when remounting read-only unless they are already triggered.

6 years agonamespace: also include /root in ProtectHome=
Lennart Poettering [Thu, 5 Jun 2014 19:37:40 +0000 (21:37 +0200)]
namespace: also include /root in ProtectHome=

/root can't really be autofs, and is also a home, directory, so cover it
with ProtectHome=.

6 years agonamespace: when setting up an inaccessible mount point, unmounting everything below
Lennart Poettering [Thu, 5 Jun 2014 19:35:35 +0000 (21:35 +0200)]
namespace: when setting up an inaccessible mount point, unmounting everything below

This has the benefit of not triggering any autofs mount points
unnecessarily.

6 years agoumount: modernizations
Lennart Poettering [Thu, 5 Jun 2014 19:35:15 +0000 (21:35 +0200)]
umount: modernizations

6 years agoutil: fix fd_cloexec(), fd_nonblock()
Lennart Poettering [Thu, 5 Jun 2014 17:38:00 +0000 (19:38 +0200)]
util: fix fd_cloexec(), fd_nonblock()

6 years agocore: introduce new Restart=on-abnormal setting
Lennart Poettering [Thu, 5 Jun 2014 16:42:52 +0000 (18:42 +0200)]
core: introduce new Restart=on-abnormal setting

Restart=on-abnormal is similar to Restart=on-failure, but avoids
restarts on unclean exit codes (but still doing restarts on all
obviously unclean exits, such as timeouts, signals, coredumps, watchdog
timeouts).

Also see:

https://fedorahosted.org/fpc/ticket/191

6 years agoupdate TODO
Lennart Poettering [Thu, 5 Jun 2014 15:31:03 +0000 (17:31 +0200)]
update TODO

6 years agosd-daemon: introduce sd_pid_notify() and sd_pid_notifyf()
Lennart Poettering [Thu, 5 Jun 2014 15:05:18 +0000 (17:05 +0200)]
sd-daemon: introduce sd_pid_notify() and sd_pid_notifyf()

sd_pid_notify() operates like sd_notify(), however operates on a
different PID (for example the parent PID of a process).

Make use of this in systemd-notify, so that message are sent from the
PID specified with --pid= rather than the usually shortlived PID of
systemd-notify itself.

This should increase the likelyhood that PID 1 can identify the cgroup
that the notification message was sent from properly.

6 years agoupdate TODO
Lennart Poettering [Thu, 5 Jun 2014 14:13:22 +0000 (16:13 +0200)]
update TODO

6 years agosocket-proxyd: port to asynchronous name resolution using sd-resolve
Lennart Poettering [Thu, 5 Jun 2014 14:12:48 +0000 (16:12 +0200)]
socket-proxyd: port to asynchronous name resolution using sd-resolve

6 years agoupdate TODO
Lennart Poettering [Thu, 5 Jun 2014 11:53:44 +0000 (13:53 +0200)]
update TODO

6 years agobus: make use of sd_bus_try_close() in exit-on-idle services
Lennart Poettering [Thu, 5 Jun 2014 11:31:25 +0000 (13:31 +0200)]
bus: make use of sd_bus_try_close() in exit-on-idle services

6 years agosd-event: restore correct timeout behaviour
Lennart Poettering [Thu, 5 Jun 2014 11:43:30 +0000 (13:43 +0200)]
sd-event: restore correct timeout behaviour

6 years agoupdate TODO
Lennart Poettering [Thu, 5 Jun 2014 10:23:41 +0000 (12:23 +0200)]
update TODO

6 years agokdbus: when uploading bus name policy, resolve users/groups out-of-process
Lennart Poettering [Thu, 5 Jun 2014 10:24:03 +0000 (12:24 +0200)]
kdbus: when uploading bus name policy, resolve users/groups out-of-process

It's not safe invoking NSS from PID 1, hence fork off worker processes
that upload the policy into the kernel for busnames.

6 years agocore: don't include /boot in effect of ProtectSystem=
Lennart Poettering [Thu, 5 Jun 2014 08:03:26 +0000 (10:03 +0200)]
core: don't include /boot in effect of ProtectSystem=

This would otherwise unconditionally trigger any /boot autofs mount,
which we probably should avoid.

ProtectSystem= will now only cover /usr and (optionally) /etc, both of
which cannot be autofs anyway.

ProtectHome will continue to cover /run/user and /home. The former
cannot be autofs either. /home could be, however is frequently enough
used (unlikey /boot) so that it isn't too problematic to simply trigger
it unconditionally via ProtectHome=.

6 years agosocket: add SocketUser= and SocketGroup= for chown()ing sockets in the file system
Lennart Poettering [Thu, 5 Jun 2014 07:55:53 +0000 (09:55 +0200)]
socket: add SocketUser= and SocketGroup= for chown()ing sockets in the file system

This is relatively complex, as we cannot invoke NSS from PID 1, and thus
need to fork a helper process temporarily.

6 years agocore: make sure we properly parse ProtectHome= and ProtectSystem=
Lennart Poettering [Wed, 4 Jun 2014 21:03:37 +0000 (23:03 +0200)]
core: make sure we properly parse ProtectHome= and ProtectSystem=

6 years agoycm: update flag blacklist
Dave Reisner [Wed, 4 Jun 2014 19:03:08 +0000 (15:03 -0400)]
ycm: update flag blacklist

-Wdate-time isn't known to clang, and it seems to cause errors in
syntastic.

6 years agonetworkd: link - intialize mac address
Tom Gundersen [Wed, 4 Jun 2014 19:29:08 +0000 (21:29 +0200)]
networkd: link - intialize mac address

Otherwise .netwrok matching on MAC address will not work.

Based on patch by Dave Reisner, and bug originally reported by Max Pray.

6 years agoupdate TODO
Lennart Poettering [Wed, 4 Jun 2014 16:58:05 +0000 (18:58 +0200)]
update TODO

6 years agocore: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mountin...
Lennart Poettering [Wed, 4 Jun 2014 16:07:55 +0000 (18:07 +0200)]
core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only

Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.

With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data.

6 years agohwdb: fix case-sensitive match
Kay Sievers [Wed, 4 Jun 2014 15:55:14 +0000 (17:55 +0200)]
hwdb: fix case-sensitive match

6 years agobuild-sys: accommodate gcc-4.9.0 link-time optimization (LTO) changes
John [Wed, 4 Jun 2014 15:45:42 +0000 (17:45 +0200)]
build-sys: accommodate gcc-4.9.0 link-time optimization (LTO) changes

systemd fails to build (symbols not found/resolved during cgls link step)
under gcc-4.9.0 due to link-time optimization (lto) changes, in particular
from gcc-4.9.0/NEWS:

  + When using a linker plugin, compiling with the -flto option
    now generates slim objects files (.o) which only contain
    intermediate language representation for LTO. Use
    -ffat-lto-objects to create files which contain additionally
    the object code. To generate static libraries suitable for LTO
    processing, use gcc-ar and gcc-ranlib; to list symbols from a
    slim object file use gcc-nm. (Requires that ar, ranlib and nm
    have been compiled with plugin support.)

Both -flto and -ffat-lto-objects are now needed when building and linking
against static libs w/LTO.

6 years agoupdate TODO
Lennart Poettering [Wed, 4 Jun 2014 15:31:31 +0000 (17:31 +0200)]
update TODO

6 years agocore: provide /dev/ptmx as symlink in PrivateDevices= execution environments
Lennart Poettering [Wed, 4 Jun 2014 15:21:18 +0000 (17:21 +0200)]
core: provide /dev/ptmx as symlink in PrivateDevices= execution environments

6 years agocore: make sure PrivateDevices= makes /dev/log available
Lennart Poettering [Wed, 4 Jun 2014 14:59:13 +0000 (16:59 +0200)]
core: make sure PrivateDevices= makes /dev/log available

Now that we moved the actual syslog socket to
/run/systemd/journal/dev-log we can actually make /dev/log a symlink to
it, when PrivateDevices= is used, thus making syslog available to
services using PrivateDevices=.

6 years agoinitctl: move /dev/initctl fifo into /run, replace it by symlink
Lennart Poettering [Wed, 4 Jun 2014 14:53:15 +0000 (16:53 +0200)]
initctl: move /dev/initctl fifo into /run, replace it by symlink

With this change we have no fifos/sockets remaining in /dev.

6 years agojournald: move /dev/log socket to /run
Lennart Poettering [Wed, 4 Jun 2014 14:37:02 +0000 (16:37 +0200)]
journald: move /dev/log socket to /run

This way we can make the socket also available for sandboxed apps that
have their own private /dev. They can now simply symlink the socket from
/dev.

6 years agoudev: guard REREADPT by exclusive lock instead of O_EXCL
Kay Sievers [Wed, 4 Jun 2014 14:21:19 +0000 (16:21 +0200)]
udev: guard REREADPT by exclusive lock instead of O_EXCL

6 years agosocket: add new Symlinks= option for socket units
Lennart Poettering [Wed, 4 Jun 2014 14:19:00 +0000 (16:19 +0200)]
socket: add new Symlinks= option for socket units

With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO
nodes in the file system, with the same lifecycle as the socket itself.

This has two benefits: first, this allows us to remove /dev/log and
/dev/initctl from /dev, thus leaving only symlinks, device nodes and
directories in the /dev tree. More importantly however, this allows us
to move /dev/log out of /dev, while still making it accessible there, so
that PrivateDevices= can provide /dev/log too.