SUBDIRS = po
LIBSYSTEMD_LOGIN_CURRENT=0
-LIBSYSTEMD_LOGIN_REVISION=5
+LIBSYSTEMD_LOGIN_REVISION=6
LIBSYSTEMD_LOGIN_AGE=0
LIBSYSTEMD_DAEMON_CURRENT=0
units/halt.target \
units/kexec.target \
units/local-fs.target \
+ units/local-fs-pre.target \
units/remote-fs.target \
+ units/remote-fs-pre.target \
units/cryptsetup.target \
units/network.target \
units/nss-lookup.target \
Features:
-* bind mounts should be ordered after remount-root-fs.service
+* unset container= in PID1?
+
+* if we can not get user quota for tmpfs, mount a separate tmpfs instance
+ for every user in /run/user/$USER with a configured maximum size
+
+* default to actual 32bit PIDs, via /proc/sys/kernel/pid_max
* add an option to make mounts private/shareable and so on, enable this for root by default
AC_PREREQ(2.63)
-AC_INIT([systemd],[36],[systemd-devel@lists.freedesktop.org])
+AC_INIT([systemd],[37],[systemd-devel@lists.freedesktop.org])
AC_CONFIG_SRCDIR([src/main.c])
AC_CONFIG_MACRO_DIR([m4])
AC_CONFIG_HEADERS([config.h])
command.</para></listitem>
</varlistentry>
+ <varlistentry>
+ <term><command>list-unit-files</command></term>
+
+ <listitem><para>List installed unit files.
+ </para></listitem>
+ </varlistentry>
+
<varlistentry>
<term><command>enable [NAME...]</command></term>
assignments. Empty lines and lines
starting with ; or # will be ignored,
which may be used for commenting. The
+ parser strips leading and
+ trailing whitespace from the values
+ of assignments, unless you use
+ double quotes (").
+ The
argument passed should be an absolute
file name, optionally prefixed with
"-", which indicates that if the file
main process of the daemon. The
command line accepts % specifiers as
described in
- <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>. On
- top of that basic environment variable
- substitution is supported, where
- <literal>${FOO}</literal> is replaced
- by the string value of the environment
- variable of the same name. Also
- <literal>$FOO</literal> may appear as
- separate word on the command line in
- which case the variable is replaced by
- its value split at whitespaces. Note
- that the first argument (i.e. the
- binary to execute) may not be a
- variable, and must be a literal and
- absolute path name.</para></listitem>
+ <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>.</para>
+
+ <para>On top of that basic environment
+ variable substitution is
+ supported. Use
+ <literal>${FOO}</literal> as part of a
+ word, or as word of its own on the
+ command line, in which case it will be
+ replaced by the value of the
+ environment variable including all
+ whitespace it contains, resulting in a
+ single argument. Use
+ <literal>$FOO</literal> as a separate
+ word on the command line, in which
+ case it will be replaced by the value
+ of the environment variable split up
+ at whitespace, resulting in no or more
+ arguments. Note that the first
+ argument (i.e. the program to execute)
+ may not be a variable, and must be a
+ literal and absolute path
+ name.</para></listitem>
</varlistentry>
<varlistentry>
<filename>halt.target</filename>,
<filename>kbrequest.target</filename>,
<filename>local-fs.target</filename>,
+ <filename>local-fs-pre.target</filename>,
<filename>mail-transfer-agent.target</filename>,
<filename>multi-user.target</filename>,
<filename>network.target</filename>,
<filename>poweroff.target</filename>,
<filename>reboot.target</filename>,
<filename>remote-fs.target</filename>,
+ <filename>remote-fs-pre.target</filename>,
<filename>rescue.target</filename>,
<filename>rpcbind.target</filename>,
<filename>runlevel2.target</filename>,
facility.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><filename>local-fs-pre.target</filename></term>
+ <listitem>
+ <para>This target unit is
+ automatically ordered before
+ all local mount points marked
+ with <option>auto</option>
+ (see above). It can be used to
+ execute certain units before
+ all local mounts.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><filename>mail-transfer-agent.target</filename></term>
<listitem>
facility.</para>
</listitem>
</varlistentry>
+ <varlistentry>
+ <term><filename>remote-fs-pre.target</filename></term>
+ <listitem>
+ <para>This target unit is
+ automatically ordered before
+ all remote mount points marked
+ with <option>auto</option>
+ (see above). It can be used to
+ execute certain units before
+ all remote mounts.</para>
+ </listitem>
+ </varlistentry>
<varlistentry>
<term><filename>rescue.target</filename></term>
<listitem>
<para>If a line starts with <option>.include</option>
followed by a file name, the specified file will be
- read as if its contents were listed in place of the
- <option>.include</option> directive.</para>
+ parsed at this point. Make sure that the file that is
+ included has the appropiate section headers before
+ any directives.</para>
<para>Along with a unit file
<filename>foo.service</filename> a directory
<term><varname>ConditionKernelCommandLine=</varname></term>
<term><varname>ConditionVirtualization=</varname></term>
<term><varname>ConditionSecurity=</varname></term>
+ <term><varname>ConditionCapability=</varname></term>
<term><varname>ConditionNull=</varname></term>
<listitem><para>Before starting a unit
value to check if being executed in
any virtualized environment, or one of
<varname>vm</varname> and
- <varname>container</varname> to test against
- a specific type of virtualization
- solution, or one of
+ <varname>container</varname> to test
+ against a specific type of
+ virtualization solution, or one of
<varname>qemu</varname>,
<varname>kvm</varname>,
<varname>vmware</varname>,
system. Currently the only recognized
value is <varname>selinux</varname>.
The test may be negated by prepending
- an exclamation mark. Finally,
+ an exclamation
+ mark. <varname>ConditionCapability=</varname>
+ may be used to check whether the given
+ capability exists in the capability
+ bounding set of the service manager
+ (i.e. this does not check whether
+ capability is actually available in
+ the permitted or effective sets, see
+ <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for details). Pass a capability name
+ such as <literal>CAP_MKNOD</literal>,
+ possibly prefixed with an exclamation
+ mark to negate the check. Finally,
<varname>ConditionNull=</varname> may
be used to add a constant condition
check value to the unit. It takes a
<citerefentry><refentrytitle>systemd.target</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.path</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
<citerefentry><refentrytitle>systemd.timer</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
- <citerefentry><refentrytitle>systemd.snapshot</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.snapshot</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
</para>
</refsect1>
#: ../src/org.freedesktop.login1.policy.in.h:1
msgid "Allow attaching devices to seats"
-msgstr "Zezwolenie na podłączanie urządzeń do siedzeń"
+msgstr "Zezwolenie na podłączanie urządzeń do stanowisk"
#: ../src/org.freedesktop.login1.policy.in.h:2
msgid "Allow non-logged-in users to run programs"
#: ../src/org.freedesktop.login1.policy.in.h:4
msgid "Authentication is required to allow attaching a device to a seat"
msgstr ""
-"Wymagane jest uwierzytelnienie, aby zezwolić na podłączanie urządzeń do "
-"siedzeń"
+"Wymagane jest uwierzytelnienie, aby zezwolić na podłączenie urządzenia do "
+"stanowiska"
#: ../src/org.freedesktop.login1.policy.in.h:5
msgid "Authentication is required to allow powering off the system"
"seats"
msgstr ""
"Wymagane jest uwierzytelnienie, aby zezwolić na ponowne ustawianie sposobu "
-"podłączenia urządzeń do siedzeń"
+"podłączenia urządzeń do stanowisk"
#: ../src/org.freedesktop.login1.policy.in.h:10
msgid "Flush device to seat attachments"
-msgstr "Czyszczenie podłączeń urządzeń do siedzeń"
+msgstr "Usunięcie podłączenia urządzeń do stanowisk"
#: ../src/org.freedesktop.login1.policy.in.h:11
msgid "Power off the system"
#include <errno.h>
#include <string.h>
#include <unistd.h>
+#include <sys/capability.h>
#ifdef HAVE_SELINUX
#include <selinux/selinux.h>
return true;
/* Finally compare id */
- return streq(parameter, id);
+ return v > 0 && streq(parameter, id);
}
static bool test_security(const char *parameter) {
return false;
}
+static bool test_capability(const char *parameter) {
+ cap_value_t value;
+ FILE *f;
+ char line[LINE_MAX];
+ unsigned long long capabilities = (unsigned long long) -1;
+
+ /* If it's an invalid capability, we don't have it */
+
+ if (cap_from_name(parameter, &value) < 0)
+ return false;
+
+ /* If it's a valid capability we default to assume
+ * that we have it */
+
+ f = fopen("/proc/self/status", "re");
+ if (!f)
+ return true;
+
+ while (fgets(line, sizeof(line), f)) {
+ truncate_nl(line);
+
+ if (startswith(line, "CapBnd:")) {
+ (void) sscanf(line+7, "%llx", &capabilities);
+ break;
+ }
+ }
+
+ return !!(capabilities & (1ULL << value));
+}
+
bool condition_test(Condition *c) {
assert(c);
case CONDITION_SECURITY:
return test_security(c->parameter) == !c->negate;
+ case CONDITION_CAPABILITY:
+ return test_capability(c->parameter) == !c->negate;
+
case CONDITION_NULL:
return !c->negate;
CONDITION_KERNEL_COMMAND_LINE,
CONDITION_VIRTUALIZATION,
CONDITION_SECURITY,
+ CONDITION_CAPABILITY,
CONDITION_NULL,
_CONDITION_TYPE_MAX,
_CONDITION_TYPE_INVALID = -1
}
}
- for (i = 0; i <= MAX(63LU, (unsigned long) CAP_LAST_CAP); i++)
+ for (i = 0; i <= cap_last_cap(); i++)
if (drop & ((uint64_t) 1ULL << (uint64_t) i)) {
if (prctl(PR_CAPBSET_DROP, i) < 0) {
- if (errno == EINVAL)
- break;
-
r = -errno;
goto finish;
}
unsigned long l;
fprintf(f, "%sCapabilityBoundingSet:", prefix);
- for (l = 0; l <= (unsigned long) CAP_LAST_CAP; l++)
+ for (l = 0; l <= cap_last_cap(); l++)
if (!(c->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) l))) {
char *t;
#!/usr/bin/python
-import system_config_keyboard.keyboard_models, sys
+import sys
+import system_config_keyboard.keyboard_models
def strdash(s):
- r = s.strip()
-
- if r == "":
- return "-"
-
- return r
-
-def tab_extend(s, n = 1):
+ return s.strip() or '-'
+def tab_extend(s, n=1):
s = strdash(s)
- k = len(s) / 8
+ k = len(s) // 8
if k >= n:
f = 1
else:
f = n - k
- for x in range(0, f):
- s = s + "\t"
-
- return s
-
+ return s + '\t'*f
models = system_config_keyboard.keyboard_models.KeyboardModels().get_models()
print "# Generated from system-config-keyboard's model list"
-
print "# consolelayout\t\txlayout\txmodel\t\txvariant\txoptions"
-k = models.keys()
-
-k.reverse()
-
-for key in k:
- value = models[key]
-
- options = value[4]
- if len(options) > 0:
- options = "terminate:ctrl_alt_bksp," + options
- else:
- options = "terminate:ctrl_alt_bksp"
+for key, value in reversed(models.items()):
+ options = "terminate:ctrl_alt_bksp"
+ if value[4]:
+ options += ',' + value[4]
- print "%s%s%s%s%s" % (tab_extend(key, 3), tab_extend(value[1]), tab_extend(value[2], 2), tab_extend(value[3], 2), options)
+ print ''.join((tab_extend(key, 3), tab_extend(value[1]),
+ tab_extend(value[2], 2), tab_extend(value[3], 2),
+ options))
#if defined(TARGET_FEDORA) || defined(TARGET_ALTLINUX) || defined(TARGET_MANDRIVA) || defined(TARGET_MEEGO)
#define FILENAME "/etc/sysconfig/network"
-#elif defined(TARGET_SUSE) || defined(TARGET_SLACKWARE) || defined(TARGET_FRUGALWARE)
+#elif defined(TARGET_SUSE) || defined(TARGET_SLACKWARE)
#define FILENAME "/etc/HOSTNAME"
#elif defined(TARGET_ARCH)
#define FILENAME "/etc/rc.conf"
fclose(f);
return r;
-#elif defined(TARGET_SUSE) || defined(TARGET_SLACKWARE) || defined(TARGET_FRUGALWARE)
+#elif defined(TARGET_SUSE) || defined(TARGET_SLACKWARE)
return read_and_strip_hostname(FILENAME, hn);
#else
return -ENOENT;
Unit.ConditionKernelCommandLine, config_parse_unit_condition_string, CONDITION_KERNEL_COMMAND_LINE, 0
Unit.ConditionVirtualization, config_parse_unit_condition_string, CONDITION_VIRTUALIZATION, 0
Unit.ConditionSecurity, config_parse_unit_condition_string, CONDITION_SECURITY, 0
+Unit.ConditionCapability, config_parse_unit_condition_string, CONDITION_CAPABILITY, 0
Unit.ConditionNull, config_parse_unit_condition_null, 0, 0
m4_dnl
Service.PIDFile, config_parse_unit_path_printf, 0, offsetof(Service, pid_file)
#ifdef TARGET_FEDORA
unlink("/etc/X11/xorg.conf.d/00-system-setup-keyboard.conf");
+
+ /* Symlink this to /dev/null, so that s-s-k (if it is
+ * still running) doesn't recreate this. */
+ symlink("/dev/null", "/etc/X11/xorg.conf.d/00-system-setup-keyboard.conf");
#endif
if (unlink("/etc/X11/xorg.conf.d/00-keyboard.conf") < 0)
#ifdef TARGET_FEDORA
unlink("/etc/X11/xorg.conf.d/00-system-setup-keyboard.conf");
+
+ /* Symlink this to /dev/null, so that s-s-k (if it is
+ * still running) doesn't recreate this. */
+ symlink("/dev/null", "/etc/X11/xorg.conf.d/00-system-setup-keyboard.conf");
#endif
r = 0;
} else if (dbus_message_is_method_call(message, "org.freedesktop.login1.Manager", "CreateSession")) {
r = bus_manager_create_session(m, message, &reply);
- if (r == -ENOMEM)
- goto oom;
+
+ /* Don't delay the work on OOM here, since it might be
+ * triggered by a low RLIMIT_NOFILE here (since we
+ * send a dupped fd to the client), and we'd rather
+ * see this fail quickly then be retried later */
if (r < 0)
return bus_send_error_reply(connection, message, &error, r);
if (mount_is_network(p)) {
target = SPECIAL_REMOTE_FS_TARGET;
- after = SPECIAL_NETWORK_TARGET;
- } else
+ after = SPECIAL_REMOTE_FS_PRE_TARGET;
+ } else {
target = SPECIAL_LOCAL_FS_TARGET;
+ after = SPECIAL_LOCAL_FS_PRE_TARGET;
+ }
if (!path_equal(m->where, "/"))
if ((r = unit_add_two_dependencies_by_name(UNIT(m), UNIT_BEFORE, UNIT_CONFLICTS, SPECIAL_UMOUNT_TARGET, NULL, true)) < 0)
unsigned long l;
- for (l = 0; l <= MAX(63LU, (unsigned long) CAP_LAST_CAP); l++) {
+ for (l = 0; l <= cap_last_cap(); l++) {
unsigned i;
for (i = 0; i < ELEMENTSOF(retain); i++)
continue;
if (prctl(PR_CAPBSET_DROP, l) < 0) {
-
- /* If this capability is not known, EINVAL
- * will be returned, let's ignore this. */
- if (errno == EINVAL)
- break;
-
log_error("PR_CAPBSET_DROP failed: %m");
return -errno;
}
static pid_t pager_pid = 0;
-static void pager_fallback(void) {
+_noreturn_ static void pager_fallback(void) {
ssize_t n;
do {
n = splice(STDIN_FILENO, NULL, STDOUT_FILENO, NULL, 64*1024, 0);
#include "macro.h"
-#define READAHEAD_FILE_SIZE_MAX (128*1024*1024)
+#define READAHEAD_FILE_SIZE_MAX (10*1024*1024)
int file_verify(int fd, const char *fn, off_t file_size_max, struct stat *st);
int sd_seat_get_active(const char *seat, char **session, uid_t *uid);
/* Return sessions and users on seat. Returns number of sessions as
- * return value. If sessions is NULL returs only the number of
+ * return value. If sessions is NULL returns only the number of
* sessions. */
int sd_seat_get_sessions(const char *seat, char ***sessions, uid_t **uid, unsigned *n_uids);
* seats is NULL only returns number of seats. */
int sd_get_seats(char ***seats);
-/* Get all sessions, store in *seessions. Returns the number of
+/* Get all sessions, store in *sessions. Returns the number of
* sessions. If sessions is NULL only returns number of sessions. */
int sd_get_sessions(char ***sessions);
/* Special setting for all SysV services */
s->type = SERVICE_FORKING;
s->remain_after_exit = !s->pid_file;
+ s->guess_main_pid = false;
s->restart = SERVICE_RESTART_NO;
if (s->meta.manager->sysv_console)
#define SPECIAL_SYSINIT_TARGET "sysinit.target"
#define SPECIAL_SOCKETS_TARGET "sockets.target"
#define SPECIAL_LOCAL_FS_TARGET "local-fs.target" /* LSB's $local_fs */
+#define SPECIAL_LOCAL_FS_PRE_TARGET "local-fs-pre.target"
#define SPECIAL_REMOTE_FS_TARGET "remote-fs.target" /* LSB's $remote_fs */
+#define SPECIAL_REMOTE_FS_PRE_TARGET "remote-fs-pre.target"
#define SPECIAL_SWAP_TARGET "swap.target"
#define SPECIAL_BASIC_TARGET "basic.target"
free_data();
r = read_one_line_file("/etc/timezone", &zone);
- if (r < 0 && r != -ENOENT)
- return r;
+ if (r < 0) {
+ if (r != -ENOENT)
+ log_warning("Failed to read /etc/timezone: %s", strerror(-r));
+
+#ifdef TARGET_FEDORA
+ r = parse_env_file("/etc/sysconfig/clock", NEWLINE,
+ "ZONE", &zone,
+ NULL);
+
+ if (r < 0 && r != -ENOENT)
+ log_warning("Failed to read /etc/sysconfig/clock: %s", strerror(-r));
+#endif
+ }
+
+ if (isempty(zone)) {
+ free(zone);
+ zone = NULL;
+ }
verify_timezone();
}
}
+ fclose(f);
return;
fail:
0
};
- if (ioctl(fd, TIOCLINUX, tiocl) < 0)
- return -errno;
+ if (ioctl(fd, TIOCLINUX, tiocl) < 0) {
+ r = -errno;
+ goto fail;
+ }
vt = tiocl[0] <= 0 ? 1 : tiocl[0];
}
if (ioctl(fd, VT_ACTIVATE, vt) < 0)
r = -errno;
- close_nointr_nofail(r);
+fail:
+ close_nointr_nofail(fd);
return r;
}
default:
return -EINVAL;
}
+
+unsigned long cap_last_cap(void) {
+ static __thread unsigned long saved;
+ static __thread bool valid = false;
+ unsigned long p;
+
+ if (valid)
+ return saved;
+
+ p = (unsigned long) CAP_LAST_CAP;
+
+ if (prctl(PR_CAPBSET_READ, p) < 0) {
+
+ /* Hmm, look downwards, until we find one that
+ * works */
+ for (p--; p > 0; p --)
+ if (prctl(PR_CAPBSET_READ, p) >= 0)
+ break;
+
+ } else {
+
+ /* Hmm, look upwards, until we find one that doesn't
+ * work */
+ for (;; p++)
+ if (prctl(PR_CAPBSET_READ, p+1) < 0)
+ break;
+ }
+
+ saved = p;
+ valid = true;
+
+ return p;
}
int prot_from_flags(int flags);
+unsigned long cap_last_cap(void);
+
#endif
--- /dev/null
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+# See systemd.special(7) for details
+
+[Unit]
+Description=Local File Systems (Pre)
--- /dev/null
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+
+# See systemd.special(7) for details
+
+[Unit]
+Description=Remote File Systems (Pre)
+After=network.target
+
+[Install]
+WantedBy=multi-user.target
DefaultDependencies=no
Conflicts=shutdown.target
After=systemd-readahead-collect.service systemd-readahead-replay.service fsck-root.service
-Before=local-fs.target shutdown.target
+Before=local-fs-pre.target local-fs.target shutdown.target
+Wants=local-fs-pre.target
[Service]
Type=oneshot
BusName=org.freedesktop.login1
CapabilityBoundingSet=CAP_AUDIT_CONTROL CAP_CHOWN CAP_KILL CAP_DAC_READ_SEARCH CAP_DAC_OVERRIDE CAP_FOWNER
StandardOutput=syslog
+
+# Increase the default a bit in order to allow many simultaneous
+# logins since we keep one fd open per session.
+LimitNOFILE=16384
DefaultDependencies=no
Conflicts=shutdown.target
After=systemd-readahead-collect.service systemd-readahead-replay.service
-Before=local-fs.target shutdown.target
+Before=local-fs-pre.target local-fs.target shutdown.target
+Wants=local-fs-pre.target
[Service]
Type=oneshot
NotifyAccess=all
StandardOutput=null
CapabilityBoundingSet=CAP_SYS_ADMIN CAP_SETUID CAP_SETGID
+
+# Increase the default a bit in order to allow many simultaneous
+# services being run since we keep one fd open per service.
+LimitNOFILE=16384
~ianmdlvl / elogind.git / commitdiff