Commit message | Author | Date | Files | Lines
* sd-path: use ROOTPREFIX without suffixed slash [v246.5] | Lennart Poettering | 2020-09-12 | 2 | -9/+10
    We already have rootprefix_noslash as a meson variable, export it so that we can also use it in C code.

    Fixes: #16773

    (cherry picked from commit b612c26ceb9f56af0271fc9f07c1724d2d260a8a)

* hashmap: make sure to initialize shared hash key atomically | Lennart Poettering | 2020-09-12 | 1 | -6/+7
    If we allocate a bunch of hash tables all at the same time, with none earlier than the other, there's a good chance we'll initialize the shared hash key multiple times, so that some threads will see a different shared hash key than others. Let's fix that, and make sure really everyone sees the same hash key.

    Fixes: #17007

    (cherry picked from commit ae0b700a856c0ae460d271bb50dccfaae84dbcab)

* socket: downgrade log warnings about inability to set socket buffer sizes | Lennart Poettering | 2020-09-12 | 1 | -2/+4
    In containers we might lack the privs to up the socket buffers. Let's not complain so loudly about that. Let's hence downgrade this to debug logging if it's a permission problem.

    (This wasn't an issue before b92f350789e33942be0cf85af22a580c1fd483d6 because back then the failures wouldn't be detected at all.)

    (cherry picked from commit 35b4e3c1bc7d4001244ff3986c084152c8901d03)

* core: fix securebits setting | Tobias Kaufmann | 2020-09-12 | 1 | -9/+40
    Desired functionality: Set securebits for services started as non-root user.

    Failure: The starting of the service fails if no ambient capability shall be raised.

        ... systemd[217941]: ...: Failed to set process secure bits: Operation not permitted
        ... systemd[217941]: ...: Failed at step SECUREBITS spawning /usr/bin/abc.service: Operation not permitted
        ... systemd[1]: abc.service: Failed with result 'exit-code'.

    Reason: For setting securebits the capability CAP_SETPCAP is required. However the securebits (if no ambient capability shall be raised) are set after setresuid. When setresuid is invoked all capabilities are dropped from the permitted, effective and ambient capability set. If the securebit SECBIT_KEEP_CAPS is set the permitted capability set is retained, but the effective and the ambient set are cleared.

    If ambient capabilities shall be set, the securebit SECBIT_KEEP_CAPS is added to the securebits configured in the service file and set together with the securebits from the service file before setresuid is executed (in enforce_user). Before setresuid is executed the capabilities are the same as for pid1. This means that all capabilities in the effective, permitted and bounding set are set. Thus the capability CAP_SETPCAP is in the effective set and the prctl(PR_SET_SECUREBITS, ...) succeeds.

    However, if the secure bits aren't set before setresuid is invoked they shall be set shortly after the uid change in enforce_user. This fails as SECBIT_KEEP_CAPS wasn't set before setresuid and in consequence the effective and permitted set were cleared, hence CAP_SETPCAP is not set in the effective set (and cannot be raised any longer) and prctl(PR_SET_SECUREBITS, ...) fails with EPERM.

    Proposed solution: The proposed solution consists of three parts

    1. Check in enforce_user, if securebits are configured in the service file. If securebits are configured, set SECBIT_KEEP_CAPS before invoking setresuid.
    2. Don't set any other securebits than SECBIT_KEEP_CAPS in enforce_user, but set all requested ones after enforce_user. This has the advantage that securebits are set at the same place for root and non-root services.
    3. Raise CAP_SETPCAP to the effective set (if not already set) before setting the securebits to avoid EPERM during the prctl syscall.

    For gaining CAP_SETPCAP the function capability_bounding_set_drop is split into two functions:
    - The first one raises CAP_SETPCAP (required for dropping bounding capabilities)
    - The second drops the bounding capabilities

    Why are ambient capabilities not affected by this change? Ambient capabilities get cleared during setresuid, no matter if SECBIT_KEEP_CAPS is set or not. For raising ambient capabilities for a user different to root, the requested capability has to be raised in the inheritable set first. Then the SECBIT_KEEP_CAPS securebit needs to be set before setresuid is invoked. Afterwards the ambient capability can be raised, because it is in the inheritable and permitted set.

    Security considerations: Although the manpage is ambiguous SECBIT_KEEP_CAPS is cleared during execve no matter if SECBIT_KEEP_CAPS_LOCKED is set or not. If both are set only SECBIT_KEEP_CAPS_LOCKED is set after execve. Setting SECBIT_KEEP_CAPS in enforce_user for being able to set securebits is no security risk, as the effective and permitted set are set to the value of the ambient set during execve (if the executed file has no file capabilities. For details check man 7 capabilities).

    Remark: In capability-util.c is a comment complaining about the missing capability CAP_SETPCAP in the effective set, after the kernel executed /sbin/init. Thus it is checked there if this capability has to be raised in the effective set before dropping capabilities from the bounding set. If this were true all the time, ambient capabilities couldn't be set without dropping at least one capability from the bounding set, as the capability CAP_SETPCAP would be missing and setting SECBIT_KEEP_CAPS would fail with EPERM.

    (cherry picked from commit dbdc4098f6ebc6bf6e68f0c05a9b4e540d133e3b)
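The ordering that commit message describes, as an added stand-alone C example (not systemd's code, and not the project's enforce_user): SECBIT_KEEP_CAPS is set before setresuid(), CAP_SETPCAP is copied back from the permitted set into the effective set afterwards, and only then are the securebits the unit asked for applied. The helper names, the target uid/gid 65534, and the use of raw capget/capset syscalls instead of libcap are assumptions of this example. The decision helper and the securebits read-back run without privilege; the uid change itself has to be run as root to observe the whole sequence.

```c
/* Added example, not systemd's code: securebits vs. setresuid() ordering.
 * Assumed: helper names, uid/gid 65534 as the target account, raw
 * capget/capset syscalls rather than libcap. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <grp.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/capability.h>
#include <linux/securebits.h>

/* Part 1 of the commit's solution: decide which bits must be set *before*
 * the uid change. SECBIT_KEEP_CAPS retains the permitted set, and with it
 * CAP_SETPCAP, across setresuid(); it is needed whenever we still have to
 * call prctl(PR_SET_SECUREBITS) or raise ambient capabilities afterwards. */
static unsigned long securebits_before_uid_change(unsigned long requested,
                                                  bool ambient_caps_requested) {
        if (requested != 0 || ambient_caps_requested)
                return SECBIT_KEEP_CAPS;
        return 0;
}

/* Part 3: after setresuid() the effective set is empty even with keep-caps,
 * so copy CAP_SETPCAP from the permitted set back into the effective set.
 * capset() allows this without extra privilege because the new effective
 * set stays a subset of the (unchanged) permitted set. */
static int raise_cap_setpcap(void) {
        struct __user_cap_header_struct hdr = {
                .version = _LINUX_CAPABILITY_VERSION_3,
                .pid = 0,
        };
        struct __user_cap_data_struct data[2];

        memset(data, 0, sizeof(data));
        if (syscall(SYS_capget, &hdr, data) < 0)
                return -errno;
        /* CAP_SETPCAP (8) lives in the first 32-bit word. */
        if (!(data[0].permitted & (1u << CAP_SETPCAP)))
                return -EPERM;  /* gone: keep-caps was not set before setresuid() */
        data[0].effective |= 1u << CAP_SETPCAP;
        if (syscall(SYS_capset, &hdr, data) < 0)
                return -errno;
        return 0;
}

/* Parts 1-3 in order: keep-caps, uid change, regain CAP_SETPCAP, then the
 * bits actually requested. Returns 0 or a negative errno. Needs root. */
static int change_user_with_securebits(uid_t uid, gid_t gid, unsigned long requested) {
        unsigned long pre = securebits_before_uid_change(requested, false);
        int r;

        if (pre != 0 && prctl(PR_SET_SECUREBITS, pre, 0, 0, 0) < 0)
                return -errno;
        if (setgroups(0, NULL) < 0 || setresgid(gid, gid, gid) < 0)
                return -errno;
        if (setresuid(uid, uid, uid) < 0)
                return -errno;
        if (requested == 0)
                return 0;

        r = raise_cap_setpcap();
        if (r < 0)
                return r;
        /* Without the keep-caps step above this is the EPERM the commit fixes. */
        if (prctl(PR_SET_SECUREBITS, requested, 0, 0, 0) < 0)
                return -errno;
        return 0;
}

/* Current securebits of this process; works without privilege. */
static long read_securebits(void) {
        long r = prctl(PR_GET_SECUREBITS, 0, 0, 0, 0);
        return r < 0 ? -errno : r;
}

int main(void) {
        const uid_t uid = 65534;  /* assumed demo account */
        const gid_t gid = 65534;
        int r;

        if (geteuid() != 0) {
                printf("not root; current securebits: 0x%lx\n", read_securebits());
                return 0;
        }
        r = change_user_with_securebits(uid, gid, SECBIT_NOROOT | SECBIT_NOROOT_LOCKED);
        if (r < 0)
                printf("failed: %s\n", strerror(-r));
        else
                printf("uid %u, securebits now 0x%lx\n", (unsigned) getuid(), read_securebits());
        return r < 0;
}
```

Run as root to see the full path; as an unprivileged user the program only reports the current securebits. The SECBIT_NOROOT | SECBIT_NOROOT_LOCKED value passed in main is just a sample set of requested bits; clearing SECBIT_KEEP_CAPS again at that point is harmless because, as the commit notes, execve() drops it anyway.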
* capability-util: add new function for raising setpcap | Tobias Kaufmann | 2020-09-12 | 2 | -14/+27
    Up to now the capability CAP_SETPCAP was raised implicitly in the function capability_bounding_set_drop. This functionality is moved into a new function (capability_gain_cap_setpcap). The new function optionally provides the capability set as it was before raising CAP_SETPCAP.

    (cherry picked from commit 57d4d284c95a3dfdb9a4e3f74978623cbb3f918a)

* network: do not add prefix to RA if radv is not configured | Yu Watanabe | 2020-09-11 | 2 | -3/+7
    Fixes #17017.

    (cherry picked from commit 85b6a8110d21defb3d6cddace09ee21db4eb9766)

* man: document the random delay of persistent timers | Nazar Vinnichuk | 2020-09-11 | 1 | -3/+4
    The manual states that a persistent timer triggers its service immediately on activation to catch up with missed invocations, but since PR #11608 it is no longer the case if RandomizedDelaySec= is set to a non-zero value.

    (cherry picked from commit 5501da15ba34284e50c10ccd6b3ffa8838bb431b)

* test-network: add test for ENOBUFS issue #17012 | Yu Watanabe | 2020-09-11 | 2 | -0/+270
    The issue seems already fixed by PR #16982 and its follow-up commit 4934ba2121d76229659939e19ab7d70a89446629.

    (cherry picked from commit 766f8f388fac18730bacd1a922f0619023244c89)

* backlight: do not claim that ID_BACKLIGHT_CLAMP= property is not set | Yu Watanabe | 2020-09-11 | 1 | -1/+2
    (cherry picked from commit 06d98bdc81b233584d4b225892d358f324b7030b)

* fs-util,tmpfiles: fix error handling of fchmod_opath() | Lennart Poettering | 2020-09-11 | 2 | -10/+18
    When 4dfaa528d45 was first committed its callers relied on `errno` instead of the return value for error reporting. Which worked fine, since internally under all conditions base were set — even if ugly and not in line with our coding style.

    Things then got broken in f8606626ed3c2582e06543550d58fe9886cdca5f where suddenly additional syscalls might end up being done in the function, thus corrupting `errno`.

    (cherry picked from commit dee00c1939c6194404c15a80650d0c04bb01b0db)

* bootctl: don't accidentally propagate errors in "bootctl status" | Lennart Poettering | 2020-09-11 | 1 | -5/+5
    Fixes: #16989

    (cherry picked from commit c1b9708c109376578b08a97a64a34936b33463e1)

* ethtool-util: don't pass error value that isn't used to log_syntax | Lennart Poettering | 2020-09-11 | 1 | -1/+1
    (cherry picked from commit d8ea7f838b1199d240d522ee3ce05d1c263b7ad4)

* network: don't fail on various config parse errors | Lennart Poettering | 2020-09-11 | 3 | -12/+20
    We typically don't fail on config parse errors (to maximize compat), let's not do this in these cases either.

    (cherry picked from commit e5f1b999eb51681e895ad77281a6862478641845)

* man: document that sd_bus_message_close_container() may only be called at end of container | Lennart Poettering | 2020-09-11 | 1 | -2/+15
    Prompted-by: https://lists.freedesktop.org/archives/systemd-devel/2020-September/045264.html

    (cherry picked from commit 8d29a1b9c52467f1b4c4c4c3c4b1be0dcd2bb5f5)

* cryptsetup: Fix null pointer dereference (#16987) | Mikael Szreder | 2020-09-11 | 1 | -2/+4
    cryptsetup: Fix null pointer dereference

    Fix null pointer dereference in the pkcs11 related code of systemd-cryptsetup

    (cherry picked from commit 664ad0f6f54257643fa069d9e1e9cad0f6fd7cc3)

* core: fix set keep caps for ambient capabilities | Tobias Kaufmann | 2020-09-11 | 1 | -9/+0
    The securebit keep-caps retains the capabilities in the permitted set over a UID change (ambient capabilities are cleared though). Setting the keep-caps securebit after the uid change and before execve doesn't make sense as it is cleared during execve and there is no additional user ID change after this point.

    Although the documentation (man 7 capabilities) is ambiguous, keep-caps is reset during execve although keep-caps-locked is set. After execve only keep-caps-locked is set and keep-caps is cleared.

    (cherry picked from commit 198dc1784514b800c3e69153839084a55ebf2e84)
* core: fix comments on ambient capabilities | Tobias Kaufmann | 2020-09-11 | 1 | -3/+11
    The comments on the code for ambient capabilities were wrong/outdated.

    (cherry picked from commit 16fcb1918a0e4514b1d0d78259d4ffd646b5da59)

* network: make log_link_error() or friends return void | Yu Watanabe | 2020-09-11 | 3 | -18/+20
    (cherry picked from commit d157714b6819d9e4faa93ef64a5041d5a8ae4779)

* core: make log_unit_error() or friends return void | Yu Watanabe | 2020-09-11 | 6 | -43/+44
    (cherry picked from commit 8ed6f81ba3b7be55d20a5d703c9aa7d4018b80ed)

* core/slice: explicitly specify return value | Yu Watanabe | 2020-09-11 | 1 | -2/+4
    (cherry picked from commit 93c5b904597ee86cbf65d8b5dc9d68428f2a2130)

* udev: do not discard const qualifier | Yu Watanabe | 2020-09-11 | 1 | -2/+2
    (cherry picked from commit 38104ee2a545a0e06fc261c0161aed322285f363)

* sd-device: make log_device_error() or friends return void | Yu Watanabe | 2020-09-11 | 6 | -34/+34
    (cherry picked from commit ab54f12b783eea891d6414fbc14cd6fe7cbe4c80)

* udev: explicitly specify return value | Yu Watanabe | 2020-09-11 | 1 | -1/+2
    (cherry picked from commit 09c69ecaeb2c63b2b7e20728c4f4704bbb464a9c)

* udev: return negative errno for invalid EVDEV_ABS_XXX= property | Yu Watanabe | 2020-09-11 | 1 | -1/+1
    (cherry picked from commit a718b951ac2c2186db22311b611b7e7ccdc30915)

* udev: make log_rule_error() or friends return void | Yu Watanabe | 2020-09-11 | 1 | -26/+29
    (cherry picked from commit 3b4e123173ba1e4cb6af504d98e0c018d9ccfc8a)

* socket: fix copy/paste error | Lennart Poettering | 2020-09-11 | 1 | -1/+1
    Fixes: CID1432653

    (cherry picked from commit 4934ba2121d76229659939e19ab7d70a89446629)

* udev: warn if failed to set buffer size for device monitor | Yu Watanabe | 2020-09-11 | 1 | -2/+5
    (cherry picked from commit e77f52e5f951e6b51f3b6eeee69f1f8bb965f4f3)

* network: increase receive buffer size for device monitor | Yu Watanabe | 2020-09-11 | 1 | -0/+4
    If networkd creates a huge amount of netdevs, then the buffer of the device monitor becomes easily overflowed.

    Hopefully fixes #16865.

    (cherry picked from commit a725efb08b068055dcbf163426eef6b04a23aca0)
* network: do not start device monitor if /sys is read-only | Yu Watanabe | 2020-09-11 | 1 | -5/+4
    Follow-up for bf331d87171b7750d1c72ab0b140a240c0cf32c3.

    (cherry picked from commit d31f33e3c9f6ea3bdc873ee52f4398edbec74527)

* network: honor the buffer size specified in networkd.socket | Yu Watanabe | 2020-09-11 | 1 | -3/+8
    (cherry picked from commit e13af7bdb6236d91498a6a5936fc75237ebfa01d)

* core/socket: use fd_set_{rcv,snd}buf() | Yu Watanabe | 2020-09-11 | 1 | -11/+6
    (cherry picked from commit ded71ab3bc580852a378b6cfac5e8d4053697b75)

* sd-device-monitor: use fd_set_rcvbuf() | Yu Watanabe | 2020-09-11 | 1 | -10/+1
    (cherry picked from commit 2807a79424a0be807bc904ca145f1db03ac7fbb0)

* util: introduce fd_set_{snd,rcv}buf() | Yu Watanabe | 2020-09-11 | 2 | -8/+14
    (cherry picked from commit d9d9b2a0ae2befb645ef3aa420831423bcb9f58f)

* util: try to set with SO_{RCV,SND}BUFFORCE when requested size is larger than the kernel limit | Yu Watanabe | 2020-09-11 | 1 | -12/+28
    The commit 10ce2e0681ac16e7bb3619b7bb1a72a6f98a2f2c inverts the order of SO_{RCV,SND}BUFFORCE and SO_{RCV,SND}BUF. However, setting buffer size with SO_{RCV,SND}BUF does not fail even if the requested size is larger than the kernel limit. Hence, SO_{RCV,SND}BUFFORCE will not be used anymore and the buffer size is always limited by the kernel limit even if we have the privilege to ignore the limit.

    This makes the buffer size checked after configuring it with SO_{RCV,SND}BUF, and if it is still not sufficient, then tries to set it with the FORCE command. With this commit, if we have enough privilege, the requested buffer size is correctly set.

    Hopefully fixes #14417.

    (cherry picked from commit b92f350789e33942be0cf85af22a580c1fd483d6)

* util: refuse to set too large value for socket buffer size | Yu Watanabe | 2020-09-11 | 1 | -0/+6
    (cherry picked from commit 1263c85ef32ea35969748cd4304cd1a51d19e8d1)
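The check-then-force logic of the two util commits above, as an added C example that is not the project's own fd_set_rcvbuf(): SO_RCVBUF never fails for an oversized request but silently clamps to net.core.rmem_max, so the result has to be read back with getsockopt(); only if it is still too small is SO_RCVBUFFORCE tried, which needs CAP_NET_ADMIN; and sizes above INT_MAX/2 are refused up front because the kernel doubles the value. The function names, the throwaway AF_UNIX socket and the sample sizes are this example's own choices.

```c
/* Added example, not systemd's code: set a receive buffer and verify the
 * kernel honoured it, falling back to SO_RCVBUFFORCE only when clamped.
 * Assumed: helper names, the AF_UNIX datagram socket used for the demo,
 * and the sample sizes. Linux only. */
#define _GNU_SOURCE
#include <errno.h>
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Returns 1 if the buffer is now at least `n` bytes, 0 if the kernel clamped
 * it to net.core.rmem_max and we lack CAP_NET_ADMIN, or a negative errno. */
static int fd_set_rcvbuf_checked(int fd, size_t n) {
        int value;
        socklen_t l = sizeof(value);

        /* The kernel doubles the requested size (bookkeeping overhead) and
         * reports the doubled value back, so anything above INT_MAX/2 would
         * overflow: refuse it, as the "refuse to set too large value" commit does. */
        if (n > INT_MAX / 2)
                return -ERANGE;

        value = (int) n;
        if (setsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, sizeof(value)) < 0)
                return -errno;

        /* SO_RCVBUF does not fail for an oversized request; it silently clamps
         * to the sysctl limit. Only getsockopt() tells us what we actually got. */
        if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, &l) < 0)
                return -errno;
        if ((size_t) value >= n * 2)
                return 1;

        /* Clamped. SO_RCVBUFFORCE ignores rmem_max but needs CAP_NET_ADMIN;
         * EPERM just means we keep the clamped size. */
        value = (int) n;
        if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE, &value, sizeof(value)) < 0)
                return errno == EPERM ? 0 : -errno;

        l = sizeof(value);
        if (getsockopt(fd, SOL_SOCKET, SO_RCVBUF, &value, &l) < 0)
                return -errno;
        return (size_t) value >= n * 2;
}

/* Run the helper on a throwaway AF_UNIX datagram socket (constructed here
 * purely for the demonstration) and hand back its result. */
static int try_rcvbuf(size_t n) {
        int fd = socket(AF_UNIX, SOCK_DGRAM | SOCK_CLOEXEC, 0);
        int r;

        if (fd < 0)
                return -errno;
        r = fd_set_rcvbuf_checked(fd, n);
        close(fd);
        return r;
}

int main(void) {
        /* Sample sizes: below the default rmem_max, well above it, and invalid. */
        size_t sizes[] = { 64 * 1024, 64 * 1024 * 1024, (size_t) INT_MAX };

        for (size_t i = 0; i < sizeof(sizes) / sizeof(sizes[0]); i++) {
                int r = try_rcvbuf(sizes[i]);
                if (r < 0)
                        printf("%zu bytes: error: %s\n", sizes[i], strerror(-r));
                else
                        printf("%zu bytes: %s\n", sizes[i],
                               r ? "set" : "clamped by rmem_max (no CAP_NET_ADMIN)");
        }
        return 0;
}
```

Run it once unprivileged and once with CAP_NET_ADMIN: the 64 MiB request is reported as clamped in the first case and as set in the second, which is exactly the difference the first of the two commits restores.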
* network: ignore error on increasing netlink receive buffer size | Yu Watanabe | 2020-09-11 | 1 | -2/+2
    (cherry picked from commit 8c63924c8d1eeb5a173669b8b06230bfe721f139)

* tree-wide: if get_block_device() returns zero devno, check for it in all cases | Lennart Poettering | 2020-09-11 | 5 | -3/+9
    And add a comment for the existing cases where things aren't clear already.

    (cherry picked from commit d161680e7afb7ae01593ffc5deb6c02bbc08ed19)

* btrfs: if BTRFS_IOC_DEV_INFO returns /dev/root generate a friendly error message | Lennart Poettering | 2020-09-11 | 5 | -0/+28
    On systems that boot without initrd on a btrfs root file system the BTRFS_IOC_DEV_INFO ioctl returns /dev/root as backing device. That sucks, since that is not a real device visible to userspace.

    Since this has been that way since forever, and it doesn't look like the kernel will get fixed soon for this, let's at least generate a useful error message in this case.

    This is not a bug fix, just a tweak to make this more recognizable. Once the kernel gets fixed to report the correct device nodes in this case, in a way userspace can make sense of them things will magically work for systemd, too.

    (Note that this doesn't add a log message about this to really all cases we call get_device() in, but just the main ones that are called in early boot context, after all there's no benefit in seeing this message too many times.)

    https://github.com/systemd/systemd/issues/16953
    https://bugs.freedesktop.org/show_bug.cgi?id=84689
    https://bugzilla.kernel.org/show_bug.cgi?id=89721

    (cherry picked from commit 67f0ac8c79bb08451a70ee314daf06ee081ef24d)

* basic/log: make log_{info,warning,...} return void | Zbigniew Jędrzejewski-Szmek | 2020-09-11 | 1 | -2/+2
    log_debug still returns 0. I think it is legitimate to use 'return log_debug()' to return 0. It is different than the other functions, since we often want to suppress errors logged at debug level. This case is quite common in the codebase and we could use 'return log_debug_errno()' to make the code more concise.

    For all other variants, a separate return line is required. Previous commit changes all the non-conforming instances, now we can make it mandatory.

    (cherry picked from commit 44f0dd628ce4ca9565b0e02b8cb63ed8272529cd)

* tree-wide: correct cases where return log_{error,warning} is used without value | Zbigniew Jędrzejewski-Szmek | 2020-09-11 | 6 | -13/+29
    In various cases, we would say 'return log_warning()' or 'return log_error()'. Those functions return 0 if no error is passed in. For log_warning or log_error this doesn't make sense, and we generally want to propagate the error. In the few cases where the error should be ignored, I think it's better to split it in two, and call 'return 0' on a separate line.

    (cherry picked from commit c413bb28df0996be99fd6b3f2335dfe8739d62fb)

* test-execute/exec-dynamicuser-statedir.service: fix quoting | Zbigniew Jędrzejewski-Szmek | 2020-09-11 | 1 | -2/+2
    All backslashes that should be single in shell syntax need to be written as "\\" because our parser will remove one level of quoting. Also, single quotes were doubly nested, which cannot work.

    Should fix the following message:

        test-execute/exec-dynamicuser-statedir.service:16: Ignoring unknown escape sequences: "test $$(find / \( -path /var/tmp -o -path /tmp -o -path /proc -o -path /dev/mqueue -o -path /dev/shm -o -path /sys/fs/bpf -o -path /dev/.lxc \) -prune -o -type d -writable -print 2>/dev/null | sort -u | tr -d \\n) = /var/lib/private/quux/pief/var/lib/private/waldo"

    (cherry picked from commit 0b3861d2247fd96ca1ff018bbf35c8465c43323c)

* man: fix quickhelp listing in sysusers.d(5) | Zbigniew Jędrzejewski-Szmek | 2020-09-11 | 1 | -6/+6
    Fixes #16958.

    (cherry picked from commit fc706b4816f75c01bd78bd5936e5f8740405093a)

* network: fix NDisc handling for the case when multiple routers exist | Yu Watanabe | 2020-09-11 | 6 | -85/+339
    69203fba700ea8d7b0c4f4e3d1e1f809ac4644a1 does not consider the case that multiple routers exist, and causes #16719.

    Fixes #16719.

    (cherry picked from commit 50550722e3ba8c33c58c9a2f3da827877bd659cc)
* network: expose route_{hash,compare}_func() | Yu Watanabe | 2020-09-11 | 2 | -2/+4
    (cherry picked from commit 501b09dbf2ab75d90cd05ec4b44c92341e201e46)

* network: expose address_{hash,compare}_func() | Yu Watanabe | 2020-09-11 | 2 | -2/+4
    (cherry picked from commit 99a2878457b5e1a1b87ba2f638bf7aeacee98662)

* util: expose in6_addr_{hash,compare}_func() | Yu Watanabe | 2020-09-11 | 2 | -2/+5
    (cherry picked from commit badd49288d54d33d1c89eec51a40dc3a774741c1)

* network: fixes gateway assignment through DHCPv4 | Yu Watanabe | 2020-09-11 | 1 | -25/+27
    This fixes the following issue:
    - If a DHCP lease does not contain a router option, then routes with `Gateway=_dhcp` setting introduce unexpected results.

    This also makes several failure paths critical. And adjust warnings when classless routes are provided.

    (cherry picked from commit 2200c3cf56ca6ddede06c15ca1d9b3dfc60c33ae)

* bash-completion: resolvectl: support 'log-level' command | Yu Watanabe | 2020-09-06 | 1 | -0/+4
    (cherry picked from commit 3605aae16170c8f86bc080b5810233c8e0fe3307)

* resolvectl: add 'log-level' to help message | Yu Watanabe | 2020-09-06 | 1 | -0/+1
    Follow-up for df9578498f3f566409fcb71229d9fc99e4ab0568.

    (cherry picked from commit bde4bc9bd29bcce4ccb9442bb8ed6678936268a6)

* core/socket: we may get ENOTCONN from socket_instantiate_service() | Zbigniew Jędrzejewski-Szmek | 2020-09-06 | 1 | -11/+24
    This means that the connection was aborted before we even got to figure out what the service name will be. Let's treat this as a non-event and close the connection fd without any further messages.

    Code last changed in 934ef6a5.

    Reported-by: Thiago Macieira <thiago.macieira@intel.com>

    With the patch:

        systemd[1]: foobar.socket: Incoming traffic
        systemd[1]: foobar.socket: Got ENOTCONN on incoming socket, assuming aborted connection attempt, ignoring.
        ...

    Also, when we get ENOMEM, don't give the hint about missing unit.

    (cherry picked from commit 86e045ecefc404d4fccbeb78aa212ec4714a5763)