tree-wide: remove Emacs lines from all files This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.

tree-wide: check if errno is greater than zero (2) Compare errno with zero in a way that tells gcc that (if the condition is true) errno is positive.

basic: re-sort includes My previous patch to only include what we use accidentially placed the added inlcudes in non-sorted order.

basic: include only what we use This is a cleaned up result of running iwyu but without forward declarations on src/basic.

tree-wide: use right cast macros for UIDs, GIDs and PIDs

tree-wide: sort includes Sort the includes accoding to the new coding style.

util-lib: move fdname_is_valid() to fd-util.[ch]

process-util: move a couple of process-related calls over

process-util: actually move rename_process() over The prototype was moved long ago, actually move the definition over now, too.

mount-util: move fstype_is_network() and name_to_handle_at() definitions over

util-lib: split out allocation calls into alloc-util.[ch]

util-lib: split out globbing related calls into glob-util.[ch]

util-lib: move web-related calls into web-util.[ch]

util-lib: split out syslog-related calls into syslog-util.[ch]

util-lib: move running_in_chroot() into virt.[ch] It's a very weak kind of virtualization, after all.

util-lib: move /proc/cmdline parsing code to proc-cmdline.[ch]

util-lib: move is_main_thread() to process-util.[ch]

util-lib: move more locale-related calls to locale-util.[ch]

util-lib: move string table stuff into its own string-table.[ch]

util-lib: split stat()/statfs()/stavfs() related calls into stat-util.[ch]

util: move string_is_safe() to string-util.[ch]

util-lib: move a number of fs operations into fs-util.[ch]

util-lib: split out file attribute calls to chattr-util.[ch]

util-lib: split xattr-related calls into xattr-util.[ch]

util-lib: introduce dirent-util.[ch] for directory entry calls Also, move a couple of more path-related functions to path-util.c.

util-lib: split out resource limits related calls into rlimit-util.[ch]

util-lib: move take_password_lock() to user-util.[ch] Also, rename it take_etc_passwd_lock(), in order to make it more expressive.

util: move filename_is_valid() and path_is_safe() to path-util.[ch]

util-lib: move mount related utility calls to mount-util.[ch]

util-lib: move fstab_node_to_udev_node() to fstab-util.[ch]

util-lib: move more file I/O related calls into fileio.[ch]

util: remove path_get_parent(), in favour of dirname_malloc() We don't need two functions that do essentialy the same, hence drop path_get_parent(), and stick to dirname_malloc(), but move it to path-util.[ch].

util-lib: split out hex/dec/oct encoding/decoding into its own file

util-lib: split string parsing related calls from util.[ch] into parse-util.[ch]

process-util: move more process related calls to process-util.[ch]

socket-util: move remaining socket-related calls from util.[ch] to socket-util.[ch]

util-lib: split out user/group/uid/gid calls into user-util.[ch]

util-lib: split out IO related calls to io-util.[ch]

util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.

util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.

util: split out escaping code into escape.[ch] This really deserves its own file, given how much code this is now.

util: split out extract_first_word() and related calls into extract-word.[ch] This is quite a lot of code these days, hence move it to its own source file.

util: Replace state with separate booleans in extract_first_word This simplifies the logic and uniformizes the way single and double quotes are handled. In the end, the code is about 40 lines shorter. Tested by running the excellent test cases from test-util. Also installed the systemd binaries including this patch and booted a system with it, everything looked normal.

util: allow unbalanced double quote in EXTRACT_QUOTES|EXTRACT_RELAX mode extract_first_word understands "\'string" but doesn't understand "\"string" fixed this inconsistency.

util: improve dir_is_empty() call Simplify the call, and add dir_is_populated() as inverse call, in order to make some checks easier to read.

nspawn: skip /sys-as-tmpfs if we don't use private-network Since v3.11/7dc5dbc ("sysfs: Restrict mounting sysfs"), the kernel doesn't allow mounting sysfs if you don't have CAP_SYS_ADMIN rights over the network namespace. So the mounting /sys as a tmpfs code introduced in d8fc6a000fe21b0c1ba27fbfed8b42d00b349a4b doesn't work with user namespaces if we don't use private-net. The reason is that we mount sysfs inside the container and we're in the network namespace of the host but we don't have CAP_SYS_ADMIN over that namespace. To fix that, we mount /sys as a sysfs (instead of tmpfs) if we don't use private network and ignore the /sys-as-a-tmpfs code if we find that /sys is already mounted as sysfs. Fixes #1555

strv: Add _cleanup_strv_free_erase_ and _cleanup_string_free_erase_

tree-wide: whenever we deal with passwords, erase them from memory after use A bit snake-oilish, but can't hurt.

util: add func for checking OOMScoreAdjust

util: add functions for validating syslog level and facility

basic: move two more terminal-related calls into terminal-util.[ch]

util: always enforce O_NOCTTY and O_CLOEXEC in openpt_in_namespace() The child process is shortliving, hence always set O_NOCTTY so that the tty doesn't quickly become controlling TTY and then gives it up again. Also set O_CLOEXEC, because it's cleaner, and doesn't affect the parent anyway.

util: some comment fixes in fdname_is_valid()

core: add support for naming file descriptors passed using socket activation This adds support for naming file descriptors passed using socket activation. The names are passed in a new $LISTEN_FDNAMES= environment variable, that matches the existign $LISTEN_FDS= one and contains a colon-separated list of names. This also adds support for naming fds submitted to the per-service fd store using FDNAME= in the sd_notify() message. This also adds a new FileDescriptorName= setting for socket unit files to set the name for fds created by socket units. This also adds a new call sd_listen_fds_with_names(), that is similar to sd_listen_fds(), but also returns the names of the fds. systemd-activate gained the new --fdname= switch to specify a name for testing socket activation. This is based on #1247 by Maciej Wereski. Fixes #1247.

util: rework fgetxattrat_fake() to use O_PATH That way, we don't ever open the file, thus leave the atime untouched, and this works even when unprivileged.

tree-wide: remove a number of invocations of strerror() and replace by %m Let's clean up our tree a bit, and reduce invocations of the thread-unsafe strerror() by replacing it with printf()'s %m specifier.

basic: split out cpu set specific APIs into cpu-set-util.[ch]

util: there cannot be trailing garbage when parsing cpu sets extract_first() already skips trailing whitespace, hence no reason to explicitly check for it.

util: rename parse_cpu_set() to parse_cpu_set_and_warn() It's pretty untypical for our parsing functions to log on their own. Clarify in the name that this one does.

tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers

util: introduce common version() implementation and use it everywhere This also allows us to drop build.h from a ton of files, hence do so. Since we touched the #includes of those files, let's order them properly according to CODING_STYLE.

util: unify implementation of NOP signal handler This is highly complex code after all, we really should make sure to only keep one implementation of this extremely difficult function around.

tree-wide: port more code to use send_one_fd() and receive_one_fd() Also, make it slightly more powerful, by accepting a flags argument, and make it safe for handling if more than one cmsg attribute happens to be attached.

util: refactor cpu_set parsing into its own function Use the new code in config_parse_cpu_affinity2. Tested by modifying CPUAffinity=... setting in /etc/systemd/system.conf and reloading the daemon, then checking ^Cpus_allowed in /proc/1/status to confirm the correct CPU mask is in place.

s390: add personality support Introduce personality support for Linux on z Systems to run particular services with a 64-bit or 31-bit personality.

util.h: order includes, as suggested by CODING_STYLE Of course, because Linux is broken we cannot actually really order it, and must keep linux/fs.h after sys/mount.h... Yay for Linux!

util: clean-ups to enum parsers Never log when we fail due to OOM when translating enums, let the caller do that. Translating basic types like enums should be something where the caller logs, not the translatior functions. Return -1 when NULL is passed to all enum parser functions. The non-fallback versions of the enum translator calls already handle NULL as failure, instead of hitting an assert, and we should do this here, too.

util: minor cleanups for loop_read() and friends When 0 bytes are to be written, make sure to go into read() at least once, in order to validate the parameters, such as the passed fd. Return error on huge values, add a couple of asserts and casts where appropriate.

util: add safe_closedir() similar to safe_fclose()

util: introduce {send,receive}_one_fd() Introduce two new helpers that send/receive a single fd via a unix transport. Also make nspawn use them instead of hard-coding it. Based on a patch by Krzesimir Nowak.

tree-wide: never use the off_t unless glibc makes us use it off_t is a really weird type as it is usually 64bit these days (at least in sane programs), but could theoretically be 32bit. We don't support off_t as 32bit builds though, but still constantly deal with safely converting from off_t to other types and back for no point. Hence, never use the type anymore. Always use uint64_t instead. This has various benefits, including that we can expose these values directly as D-Bus properties, and also that the values parse the same in all cases.

util: introduce safe_fclose() and port everything over to it Adds a coccinelle script to port things over automatically.

basic: rework virtualization detection API Introduce a proper enum, and don't pass around string ids anymore. This simplifies things quite a bit, and makes virtualization detection more similar to architecture detection.

util: document why parse_uid() returns ENXIO parse_uid() returns EINVAL for invalid strings, but ENXIO for the (uid_t) -1 user ids in order to distinguish these two cases. Document this.

util: add new uid_is_valid() call This simply factors out the uid validation checks from parse_uid() and uses them everywhere. This simply verifies that the passed UID is neither 64bit -1 nor 32bit -1.

machined: call unlockpt() in container, not host It makes assumptions about the pty path, hence better call it in the container namespace rather than the host.

util: treat 'C' and 'POSIX' locale identical

extract_first_word: Refactor EXTRACT_DONT_COALESCE_SEPARATORS handling Refactor allocation of the result string to the top, since it is currently done in both branches of the condition. Remove unreachable code checking for EXTRACT_DONT_COALESCE_SEPARATORS when state == SEPARATOR (the only place where SEPARATOR is assigned to state follows a check for EXTRACT_DONT_COALESCE_SEPARATORS that jumps to the end of the function.) Tested by running test-util successfully. Follow up to: 206644aedeb8859801051ac170ec562c6a113a79

extract_first_word: Refactor allocation in empty argument case This covers the case where an argument is an empty string, such as ''. Instead of allocating the empty string in the individual conditions when state == VALUE, just always allocate it at the end of state == START, at which point we know we will have an argument. Tested that test-util keeps passing after the refactor. Follow up to: 14e685c29d5b317b815e3e9f056648027852b07e

machined: validate machine names at more places When enumerating machines from /run, and when accepting machine names for operations, be more strict and always validate. Note that these checks are strictly speaking unnecessary, since enumeration happens only on the trusted /run...

util: make machine_name_is_valid() a macro and move it to hostname-util.h As it turns out machine_name_is_valid() does the exact same thing as hostname_is_valid() these days, as it just invoked that and checked the name length was < 64. However, hostname_is_valid() checks the length against HOST_NAME_MAX anyway (which is 64 on Linux), hence any additional check is redundant. We hence replace machine_name_is_valid() by a macro that simply maps it to hostname_is_valid() but sets the allow_trailing_dot parameter to false. We also move this this call to hostname-util.h, to the same place as the hostname_is_valid() declaration.

namespace helpers: Allow entering a UID namespace To be able to use `systemd-run` or `machinectl login` on a container that is in a private user namespace, the sub-process must have entered the user namespace before connecting to the container's D-Bus, otherwise the UID and GID in the peer credentials are garbage. So we extend namespace_open and namespace_enter to support UID namespaces, and we enter the UID namespace in bus_container_connect_{socket,kernel}. namespace_open will degrade to a no-op if user namespaces are not enabled in the kernel. Special handling is required for the setns call in namespace_enter with a user namespace, since transitioning to your own namespace is forbidden, as it would result in re-entering your user namespace as root. Arguably it may be valid to check this at the call site, rather than inside namespace_enter, but it is less code to do it inside, and if the intention of calling namespace_enter is to *be* in the target namespace, rather than to transition to the target namespace, it is a reasonable approach. The check for whether the user namespace is the same must happen before entering namespaces, as we may not be able to access /proc during the intermediate transition stage. We can't instead attempt to enter the user namespace and then ignore the failure from it being the same namespace, since the error code is not distinct, and we can't compare namespaces while mid-transition.

util: Add shell_escape This is for shell-style \ escaping rather than quoting, which while it has the same effect in produced shell commands, is not exclusively useful for shell commands. shell_escape would be useful for producing sed commands, as you would be able to \ escape the normal special characters, plus whichever argument separator was chosen; or it could be used to escape arguments passed to the overlayfs mount command.

util: Allow non-separator coalescing parsing in extract_first_word If EXTRACT_DONT_COALESCE_SEPARATORS is passed, then leading separators, trailing separators and spans of multiple separators aren't skipped, and empty arguments from before, after or between separators may be extracted.

util: Don't interpret quotes by default in extract_first_word This adds an EXTRACT_QUOTES option to allow the previous behaviour, of not interpreting any character inside ' or " quotes as separators.

util: change unquote_*_word to extract_*_word It now takes a separators argument, which defaults to WHITESPACE if NULL is passed.

unquote_first_word: set *p=NULL on termination To add a flag to allow an empty string to be parsed as an argument, we need to be able to distinguish between the end of the string, and after the end of the string, so when we *do* reach the end, let's set *p to this state.

hostname-util: add relax parameter to hostname_is_valid Tests are modified to check behaviour with relax and without relax. New tests are added for hostname_cleanup(). Tests are moved a new file (test-hostname-util) because there's now a bunch of them. New parameter is not used anywhere, except in tests, so there should be no observable change.

util: add getxattr helper apis To get xattr of given path or fd on newly allocated buffer, add new helper api getxattr_malloc() and fgetxattr_malloc().

busctl: add and use strcmp_ptr() In member_compare_func(), it compares interface, type and name of members. But as it can contain NULL pointer, it needs to check them before calling strcmp(). So make it as a separate strcmp_ptr function (named after streq_ptr) so that it can be used by others. Also let streq_ptr() to use it in order to make the code simpler.

util: base32hex - explain distinction with base32

unquote_first_word: parse ` '' ` as an empty argument instead of no argument

basic: util - add base32hexmem() function similar to hexmem() This implements more of RFC4648.

basic: util - fix memleak on error in unbase64mem()

basic: util - add base64mem() function similar to hexmem() This implements RFC4648 for a slightly more compact representation of binary data compared to hex (6 bits per character rather than 4).

basic: util - fix errorhandling in unhexmem() We were ignoring failures from unhexchar, which meant that invalid hex characters were being turned into garbage rather than the string rejected. Fix this by making unhexmem return an error code, also change the API slightly, to return the size of the returned memory, reflecting the fact that the memory is a binary blob,and not a string. For convenience, still append a trailing NULL byte to the returned memory (not included in the returned size), allowing callers to treat it as a string without doing a second copy.

util: make sure we don't clobber errno in error path

basic/util.c fopen_temporary(): close fd if failed

fileio: consolidate write_string_file*() Merge write_string_file(), write_string_file_no_create() and write_string_file_atomic() into write_string_file() and provide a flags mask that allows combinations of atomic writing, newline appending and automatic file creation. Change all users accordingly.

util: fall back in rename_noreplace when renameat2 isn't implemented According to README we only need 3.7, and while it may also make sense to bump that requirement when appropriate, it's trivial to fall back when renameat2 is not available.

util: fix incorrect escape sequence in string_is_safe()

util: Introduce unquote_first_word_and_warn It will try to unquot_first_word, but if it runs into escaping problems it will retry it adding UNQUOTE_CUNESCAPE_RELAX to the flags. If it succeeds on the second try, it will log a warning about it. If it fails both times, it will log an error. Add test cases to confirm it behaves as expected.

util: New flag UNQUOTE_UNESCAPE_RELAX for unquote_first_word The new flag UNQUOTE_UNESCAPE_RELAX preserves unrecognized escape sequences verbatim in unquote_first_word, either when it's a trailing backslash (similar to UNQUOTE_RELAX, but in this case keep the extra backslash in the output) or in the middle of a sequence string. Add unit test cases to ensure the new flag works as expected and to prevent regressions from being introduced. Tested with a follow up commit converting config_parse_exec() to start using unquote_first_word, in which case this flags makes it possible to preserve unrecognized escape sequences. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794

util: Refactor common cunescape block in unquote_first_word

Stop talking about the "XDG" version of basename() XDG refers to X Desktop Group, a former name for freedesktop.org. This group is responsible for specifications like basedirs, .desktop files and icon naming, but as far as I know, it has never tried to redefine basename(). I think these references were meant to say XPG (X/Open Portability Guide), a precursor of POSIX. POSIX is better-known and less easily confused with XDG, and is how the basename(3) man page describes the libgen.h version of basename(). The other version of basename() is glibc-specific and is described in basename(3) as "the GNU version"; specifically mention that version, to disambiguate.

util: when creating temporary file names, allow including extra id string in it This adds a "char *extra" parameter to tempfn_xxxxxx(), tempfn_random(), tempfn_ranomd_child(). If non-NULL this string is included in the middle of the newly created file name. This is useful for being able to distuingish the kind of temporary file when we see one. This also adds tests for the three call. For now, we don't make use of this at all, but port all users over.

build-sys: split internal basic/ library from shared/ basic/ can be used by everything cannot use anything outside of basic/ libsystemd/ can use basic/ cannot use shared/ shared/ can use libsystemd/