tree-wide: remove Emacs lines from all files This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.

core: fix support for transient resource limit properties Make sure we can properly process resource limit properties. Specifically, allow transient configuration of both the soft and hard limit, the same way from the unit files. Previously, only the the hard rlimits could be configured but they'd implicitly spill into the soft hard rlimits. This also updates the client-side code to be able to parse hard/soft resource limit specifications. Since we need to serialize two properties in bus_append_unit_property_assignment() now, the marshalling of the container around it is now moved into the function itself. This has the benefit of shortening the calling code. As a side effect this now beefs up the rlimit parser of "systemctl set-property" to understand time and disk sizes where that's appropriate.

core/dbus-execute: do not needlessly compare strings again gcc complains that dirs might be unitialized. It cannot, but we just checked that name has one of three values above, so no need to check again.

tree-wide: check if errno is greater than zero (2) Compare errno with zero in a way that tells gcc that (if the condition is true) errno is positive.

capabilities: added support for ambient capabilities. This patch adds support for ambient capabilities in service files. The idea with ambient capabilities is that the execed processes can run with non-root user and get some inherited capabilities, without having any need to add the capabilities to the executable file. You need at least Linux 4.3 to use ambient capabilities. SecureBit keep-caps is automatically added when you use ambient capabilities and wish to change the user. An example system service file might look like this: [Unit] Description=Service for testing caps [Service] ExecStart=/usr/bin/sleep 10000 User=nobody AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW After starting the service it has these capabilities: CapInh: 0000000000003000 CapPrm: 0000000000003000 CapEff: 0000000000003000 CapBnd: 0000003fffffffff CapAmb: 0000000000003000

capabilities: keep bounding set in non-inverted format. Change the capability bounding set parser and logic so that the bounding set is kept as a positive set internally. This means that the set reflects those capabilities that we want to keep instead of drop.

core: expose soft limits on the bus This is a follow-up for https://github.com/systemd/systemd/pull/1994 See https://github.com/systemd/systemd/pull/1994#issuecomment-160087219

execute: Add new PassEnvironment= directive This directive allows passing environment variables from the system manager to spawned services. Variables in the system manager can be set inside a container by passing `--set-env=...` options to systemd-spawn. Tested with an on-disk test.service unit. Tested using multiple variable names on a single line, with an empty setting to clear the current list of variables, with non-existing variables. Tested using `systemd-run -p PassEnvironment=VARNAME` to confirm it works with transient units. Confirmed that `systemctl show` will display the PassEnvironment settings. Checked that man pages are generated correctly. No regressions in `make check`.

process-util: move a couple of process-related calls over

util-lib: split out allocation calls into alloc-util.[ch]

util-lib: split out syslog-related calls into syslog-util.[ch]

src/basic: rename audit.[ch] → audit-util.[ch] and capability.[ch] → capability-util.[ch] The files are named too generically, so that they might conflict with the upstream project headers. Hence, let's add a "-util" suffix, to clarify that this are just our utility headers and not any official upstream headers.

util-lib: split out resource limits related calls into rlimit-util.[ch]

util-lib: split out hex/dec/oct encoding/decoding into its own file

util-lib: split string parsing related calls from util.[ch] into parse-util.[ch]

run: can launch units with RuntimeDirectory

run: can launch units with ProtectHome

util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.

run: can launch units with ProtectSystem

core: check parsed bus msg in full before applying it

run: can launch units with ReadWriteDirectories, ReadOnlyDirectories, InaccessibleDirectories

dbus-execute: remove unused variable from ceb728cf

run: fix Environment parsing * `Environment=` resets previous assignments * `Environment='a=1 b=2'` sets `a` to `1` and `b` to `2` * `Environment='"a=1 2" b=2"'` sets `a` to `1 2` and `b` to `2`

dbus-execute: some cleanups when parsing EnvironmentFiles= for transient units

Hook more properties for transient units systemd-run can now launch units with EnvironmentFile set.

run: can launch units with OOMScoreAdjust

run: can launch units with TimerSlackNSec

core: execute: validate syslog level and facility

systemd-run: can launch units with SyslogFacility

systemd-run: can launch units with SyslogLevel

core: expose SyslogLevel and SyslogFacility as properties on dbus

bus-util: add bus_property_get_rlimit (move from core/dbus_execute)

systemd-run can now launch units with SyslogIdentifier

systemd-run can now launch units with SyslogLevelPrefix

core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.

Hook more properties for transient units systemd-run can now launch units with WorkingDirectory, RootDirectory set.

Hook more properties for transient units systemd-run can now launch units with PrivateTmp, PrivateDevices, PrivateNetwork, NoNewPrivileges set.

tree-wide: use coccinelle to patch a lot of code to use mfree() This replaces this: free(p); p = NULL; by this: p = mfree(p); Change generated using coccinelle. Semantic patch is added to the sources.

core: drop spurious new line

core: open up more executable properties via the bus This is preparation for a later commit that makes use of these properties for spawning an interactive shell in a container.

core: optionally create LOGIN_PROCESS or USER_PROCESS utmp entries When generating utmp/wtmp entries, optionally add both LOGIN_PROCESS and INIT_PROCESS entries or even all three of LOGIN_PROCESS, INIT_PROCESS and USER_PROCESS entries, instead of just a single INIT_PROCESS entry. With this change systemd may be used to not only invoke a getty directly in a SysV-compliant way but alternatively also a login(1) implementation or even forego getty and login entirely, and invoke arbitrary shells in a way that they appear in who(1) or w(1). This is preparation for a later commit that adds a "machinectl shell" operation to invoke a shell in a container, in a way that is compatible with who(1) and w(1).

run: add a new "-t" mode for invoking a binary on an allocated TTY

smack: introduce new SmackProcessLabel option In service file, if the file has some of special SMACK label in ExecStart= and systemd has no permission for the special SMACK label then permission error will occurred. To resolve this, systemd should be able to set its SMACK label to something accessible of ExecStart=. So introduce new SmackProcessLabel. If label is specified with SmackProcessLabel= then the child systemd will set its label to that. To successfully execute the ExecStart=, accessible label should be specified with SmackProcessLabel=. Additionally, by SMACK policy, if the file in ExecStart= has no SMACK64EXEC then the executed process will have given label by SmackProcessLabel=. But if the file has SMACK64EXEC then the SMACK64EXEC label will be overridden. [zj: reword man page]

time-util: add and use USEC/NSEC_INFINIY

core: make sure Environment fields passed in for transient units are properly written to unit files https://bugs.freedesktop.org/show_bug.cgi?id=76744

core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.

core: add new ReadOnlySystem= and ProtectedHome= settings for service units ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.

core: remove tcpwrap support tcpwrap is legacy code, that is barely maintained upstream. It's APIs are awful, and the feature set it exposes (such as DNS and IDENT access control) questionnable. We should not support this natively in systemd. Hence, let's remove the code. If people want to continue making use of this, they can do so by plugging in "tcpd" for the processes they start. With that scheme things are as well or badly supported as they were from traditional inetd, hence no functionality is really lost.

core: make the LimitXYZ= properties settable for transient service units

core: when passing resource limit values to client, map RLIM_INFINITY into portable value (uint64_t) -1

Introduce strv_consume which takes ownership This mirrors set_consume and makes the common use a bit nicer.

core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings As discussed on the ML these are useful to manage runtime directories below /run for services.

core: add new RestrictAddressFamilies= switch This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.

core: Add AppArmor profile switching This permit to switch to a specific apparmor profile when starting a daemon. This will result in a non operation if apparmor is disabled. It also add a new build requirement on libapparmor for using this feature.

core: add Personality= option for units to set the personality for spawned processes

core: store and expose SELinuxContext field normalized as bool + string

core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.

core: fix build without libseccomp

core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.

syscallfilter: port to libseccomp

exec: Add SELinuxContext configuration item This permit to let system administrators decide of the domain of a service. This can be used with templated units to have each service in a différent domain ( for example, a per customer database, using MLS or anything ), or can be used to force a non selinux enabled system (jvm, erlang, etc) to start in a different domain for each service.

core: fix warning introduced in c7040b5d1c2c148f12b6a5eef3dfce1661805131

core: allow User=, Group=, Nice=, Environment=, Type= to be passed when creating a transient service

exec: introduce PrivateDevices= switch to provide services with a private /dev Similar to PrivateNetwork=, PrivateTmp= introduce PrivateDevices= that sets up a private /dev with only the API pseudo-devices like /dev/null, /dev/zero, /dev/random, but not any physical devices in them.

Introduce cleanup functions for cap_free Unfortunately a different cleanup function is necessary per type, because cap_t** and char** are incompatible with void**.

bus: decorate the various object vtables with SD_BUS_VTABLE_PROPERTY_CONST where appropriate

core: fix serialization of exec command structs

bus: rework message handlers to always take an error argument Message handler callbacks can be simplified drastically if the dispatcher automatically replies to method calls if errors are returned. Thus: add an sd_bus_error argument to all message handlers. When we dispatch a message handler and it returns negative or a set sd_bus_error we send this as message error back to the client. This means errors returned by handlers by default are given back to clients instead of rippling all the way up to the event loop, which is desirable to make things robust. As a side-effect we can now easily turn the SELinux checks into normal function calls, since the method call dispatcher will generate the right error replies automatically now. Also, make sure we always pass the error structure to all property and method handlers as last argument to follow the usual style of passing variables for return values as last argument.

core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.

dbus: use _cleanup_free_ instead of freeing ourself

core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).

Use initalization instead of explicit zeroing Before, we would initialize many fields twice: first by filling the structure with zeros, and then a second time with the real values. We can let the compiler do the job for us, avoiding one copy. A downside of this patch is that text gets slightly bigger. This is because all zero() calls are effectively inlined: $ size build/.libs/systemd text data bss dec hex filename before 897737 107300 2560 1007597 f5fed build/.libs/systemd after 897873 107300 2560 1007733 f6075 build/.libs/systemd … actually less than 1‰. A few asserts that the parameter is not null had to be removed. I don't think this changes much, because first, it is quite unlikely for the assert to fail, and second, an immediate SEGV is almost as good as an assert.

Modernization Use _cleanup_ and wrap lines to ~80 chars and such.

honor SELinux labels, when creating and writing config files Also split out some fileio functions to fileio.c and provide a SELinux aware pendant in fileio-label.c see https://bugzilla.redhat.com/show_bug.cgi?id=881577

unit: split off KillContext from ExecContext containing only kill definitions

execute: support syscall filtering using seccomp filters

remove support for deprecated /proc/self/oom_adj

util: introduce a proper nsec_t and make use of it where appropriate

relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.

move libsystemd_core.la sources into core/