tree-wide: remove Emacs lines from all files This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.

core: fix memory leak on failed preset-all How to reproduce $ systemctl set-default multi-user # https://github.com/systemd/systemd/issues/2298 $ systemctl preset-all Failed to execute operation: Too many levels of symbolic links $ systemctl poweroff Fixes: ==1== ==1== HEAP SUMMARY: ==1== in use at exit: 65,645 bytes in 7 blocks ==1== total heap usage: 40,539 allocs, 40,532 frees, 30,147,547 bytes allocated ==1== ==1== 109 (24 direct, 85 indirect) bytes in 1 blocks are definitely lost in loss record 2 of 7 ==1== at 0x4C2BBCF: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x4C2DE2F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x23DA71: unit_file_changes_add (install.c:233) ==1== by 0x23E45D: remove_marked_symlinks_fd (install.c:453) ==1== by 0x23E267: remove_marked_symlinks_fd (install.c:405) ==1== by 0x23E641: remove_marked_symlinks (install.c:494) ==1== by 0x243A91: execute_preset (install.c:2190) ==1== by 0x244343: unit_file_preset_all (install.c:2351) ==1== by 0x18AAA2: method_preset_all_unit_files (dbus-manager.c:1846) ==1== by 0x1D8157: method_callbacks_run (bus-objects.c:420) ==1== by 0x1DA9E9: object_find_and_run (bus-objects.c:1257) ==1== by 0x1DB02B: bus_process_object (bus-objects.c:1373) ==1== ==1== LEAK SUMMARY: ==1== definitely lost: 24 bytes in 1 blocks ==1== indirectly lost: 85 bytes in 1 blocks ==1== possibly lost: 0 bytes in 0 blocks ==1== still reachable: 65,536 bytes in 5 blocks ==1== suppressed: 0 bytes in 0 blocks ==1== Reachable blocks (those to which a pointer was found) are not shown. ==1== To see them, rerun with: --leak-check=full --show-leak-kinds=all ==1== ==1== For counts of detected and suppressed errors, rerun with: -v ==1== ERROR SUMMARY: 1 errors from 1 contexts (suppressed: 0 from 0)

core: fix memory leak on set-default, enable, disable etc Fixes: ==1== by 0x23E44C: remove_marked_symlinks_fd (install.c:453) ==1== by 0x23E256: remove_marked_symlinks_fd (install.c:405) ==1== by 0x23E630: remove_marked_symlinks (install.c:494) ==1== by 0x2427A0: unit_file_disable (install.c:1876) ==1== by 0x18A633: method_disable_unit_files_generic (dbus-manager.c:1760) ==1== by 0x18A6CA: method_disable_unit_files (dbus-manager.c:1768) ==1== by 0x1D8146: method_callbacks_run (bus-objects.c:420) ==1== by 0x1DA9D8: object_find_and_run (bus-objects.c:1257) ==1== by 0x1DB01A: bus_process_object (bus-objects.c:1373) ==1== ==1== 228 (48 direct, 180 indirect) bytes in 2 blocks are definitely lost in loss record 8 of 14 ==1== at 0x4C2BBCF: malloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x4C2DE2F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x23DA60: unit_file_changes_add (install.c:233) ==1== by 0x23DDB2: create_symlink (install.c:298) ==1== by 0x240C5C: install_info_symlink_wants (install.c:1328) ==1== by 0x240FC8: install_info_apply (install.c:1384) ==1== by 0x241211: install_context_apply (install.c:1439) ==1== by 0x242563: unit_file_enable (install.c:1830) ==1== by 0x18A06E: method_enable_unit_files_generic (dbus-manager.c:1650) ==1== by 0x18A141: method_enable_unit_files (dbus-manager.c:1660) ==1== by 0x1D8146: method_callbacks_run (bus-objects.c:420) ==1== by 0x1DA9D8: object_find_and_run (bus-objects.c:1257) ==1== ==1== 467 (144 direct, 323 indirect) bytes in 3 blocks are definitely lost in loss record 9 of 14 ==1== at 0x4C2DD9F: realloc (in /usr/lib/valgrind/vgpreload_memcheck-amd64-linux.so) ==1== by 0x23DA60: unit_file_changes_add (install.c:233) ==1== by 0x23DE97: create_symlink (install.c:320) ==1== by 0x242CFC: unit_file_set_default (install.c:1951) ==1== by 0x18A881: method_set_default_target (dbus-manager.c:1802) ==1== by 0x1D8146: method_callbacks_run (bus-objects.c:420) ==1== by 0x1DA9D8: object_find_and_run (bus-objects.c:1257) ==1== by 0x1DB01A: bus_process_object (bus-objects.c:1373) ==1== by 0x259143: process_message (sd-bus.c:2567) ==1== by 0x259326: process_running (sd-bus.c:2609) ==1== by 0x259BDC: bus_process_internal (sd-bus.c:2798) ==1== by 0x259CAD: sd_bus_process (sd-bus.c:2817) ==1== ==1== LEAK SUMMARY: ==1== definitely lost: 216 bytes in 6 blocks ==1== indirectly lost: 560 bytes in 14 blocks ==1== possibly lost: 0 bytes in 0 blocks ==1== still reachable: 65,536 bytes in 5 blocks ==1== suppressed: 0 bytes in 0 blocks ==1== Reachable blocks (those to which a pointer was found) are not shown. ==1== To see them, rerun with: --leak-check=full --show-leak-kinds=all ==1==

manager: log log level changes uniformly Output the same message when a request to change the log level is received over dbus and through a signal. From the user point of view those two operations are very similar and it's easy to think that the dbus operation didn't work when the expected message is not emitted. Also "downgrade" the message level to info, since this is a normal user initiated action.

core: expose soft limits on the bus This is a follow-up for https://github.com/systemd/systemd/pull/1994 See https://github.com/systemd/systemd/pull/1994#issuecomment-160087219

tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.

core: allow 'SetUnitProperties()' to run on inactive units too 'set-property' has been primarly designed to change some properties of *active* units. However it can easily work on inactive units as well. In that case changes are only saved in a drop-in for futur uses and changes will be effective when unit will be started. Actually it already works on inactive units but that was not documented and not fully supported. Indeed the inactive units had to be known by the manager otherwise it was reported as not loaded: $ systemctl status my-test.service * my-test.service - My Testing Unit Loaded: loaded (/etc/systemd/system/my-test.service; static; vendor preset: disabled) Drop-In: /etc/systemd/system/my-test.service.d Active: inactive (dead) $ systemctl set-property my-test.service MemoryLimit=1000000 Failed to set unit properties on my-test.service: Unit my-test.service is not loaded. [ Note: that the unit load state reported by the 'status' command might be confusing since it claimed the unit as loaded but 'set-property' reported the contrary. ] One can possibily workaround this by making the unit a dependency of another active unit so the manager will keep it around: $ systemctl add-wants multi-user.target my-test.service Created symlink from /etc/systemd/system/multi-user.target.wants/my-test.service to /etc/systemd/system/my-test.service. $ systemctl set-property my-test.service MemoryLimit=1000000 $ systemctl status my-test.service * my-test.service - My Testing Unit Loaded: loaded (/etc/systemd/system/my-test.service; enabled; vendor preset: disabled) Drop-In: /etc/systemd/system/my-test.service.d `-50-MemoryLimit.conf Active: inactive (dead) This patch simply forces 'SetUnitProperties()' to load the unit if it's not already the case. It also documents the fact that 'set-property' can be used on inactive units.

core: dispatch load queue each time we set up a transient units manager_load_unit() will dispatch the load queue anyway, but let's make sure we also dispatch it immediately, after truning a unit into a transient one and loading the properties from the message. That way the know about the validity of the unit before we begin processing the next auxiliary unit.

core: move check whether a unit is suitable to become transient into unit.c Lets introduce unit_is_pristine() that verifies whether a unit is suitable to become a transient unit, by checking that it is no referenced yet and has no data on disk assigned.

core: generate nice error messages for auxiliary transient units, too Let's move the validation checks into the loop that sets up the main and auxiliary transient units, so that we can generate pretty error messages for all units a transient unit transaction generates, not just for the main unit.

core: enable transient unit support for slice units

core: add new DefaultTasksMax= setting for system.conf This allows initializing the TasksMax= setting of all units by default to some fixed value, instead of leaving it at infinity as before.

install: follow unit file symlinks in /usr, but not /etc when looking for [Install] data Some distributions use alias unit files via symlinks in /usr to cover for legacy service names. With this change we'll allow "systemctl enable" on such aliases. Previously, our rule was that symlinks are user configuration that "systemctl enable" + "systemctl disable" creates and removes, while unit files is where the instructions to do so are store. As a result of the rule we'd never read install information through symlinks, since that would mix enablement state with installation instructions. Now, the new rule is that only symlinks inside of /etc are configuration. Unit files, and symlinks in /usr are now valid for installation instructions. This patch is quite a rework of the whole install logic, and makes the following addional changes: - Adds a complete test "test-instal-root" that tests the install logic pretty comprehensively. - Never uses canonicalize_file_name(), because that's incompatible with operation relative to a specific root directory. - unit_file_get_state() is reworked to return a proper error, and returns the state in a call-by-ref parameter. This cleans up confusion between the enum type and errno-like errors. - The new logic puts a limit on how long to follow unit file symlinks: it will do so only for 64 steps at max. - The InstallContext object's fields are renamed to will_process and has_processed (will_install and has_installed) since they are also used for deinstallation and all kinds of other operations. - The root directory is always verified before use. - install.c is reordered to place the exported functions together. - Stricter rules are followed when traversing symlinks: the unit suffix must say identical, and it's not allowed to link between regular units and templated units. - Various modernizations - The "invalid" unit file state has been renamed to "bad", in order to avoid confusion between UNIT_FILE_INVALID and _UNIT_FILE_STATE_INVALID. Given that the state should normally not be seen and is not documented this should not be a problematic change. The new name is now documented however. Fixes #1375, #1718, #1706

install: never log from install functions Instead, let the caller do that. Fix this by moving masked unit messages into the caller, by returning a clear error code (ESHUTDOWN) by which this may be detected.

Remove snapshot unit type Snapshots were never useful or used for anything. Many systemd developers that I spoke to at systemd.conf2015, didn't even know they existed, so it is fairly safe to assume that this type can be deleted without harm. The fundamental problem with snapshots is that the state of the system is dynamic, devices come and go, users log in and out, timers fire... and restoring all units to some state from the past would "undo" those changes, which isn't really possible. Tested by creating a snapshot, running the new binary, and checking that the transition did not cause errors, and the snapshot is gone, and snapshots cannot be created anymore. New systemctl says: Unknown operation snapshot. Old systemctl says: Failed to create snapshot: Support for snapshots has been removed. IgnoreOnSnaphost settings are warned about and ignored: Support for option IgnoreOnSnapshot= has been removed and it is ignored http://lists.freedesktop.org/archives/systemd-devel/2015-November/034872.html

util-lib: split out allocation calls into alloc-util.[ch]

util-lib: split out syslog-related calls into syslog-util.[ch]

util-lib: split stat()/statfs()/stavfs() related calls into stat-util.[ch]

util-lib: move more file I/O related calls into fileio.[ch]

util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.

util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.

core: expose manager's TimerSlackNSec as propery on dbus

core: manager: expose DefaultLimit* as properties on dbus

core: remove taint flag about /etc/mtab not being a symlink. We already stop boot if /etc/mtab is not a symlink right now, and most likely we'll stop referecing it at all in the future, either way there's no point in keeping it around as taint flag.

core: manager: add some missing dbus properties

core: make sure we expose the empty string when we detect no virtualization On the bus, stick to exposing the empty string as "no virtualization", instead of none. Fixes #1423

containers: systemd exits with non-zero code When a systemd service running in a container exits with a non-zero code, it can be useful to terminate the container immediately and get the exit code back to the host, when systemd-nspawn returns. This was not possible to do. This patch adds the following to make it possible: - Add a read-only "ExitCode" property on PID 1's "Manager" bus object. By default, it is 0 so the behaviour stays the same as previously. - Add a method "SetExitCode" on the same object. The method fails when called on baremetal: it is only allowed in containers or in user session. - Add support in systemctl to call "systemctl exit 42". It reuses the existing code for user session. - Add exit.target and systemd-exit.service to the system instance. - Change main() to actually call systemd-shutdown to exit() with the correct value. - Add verb 'exit' in systemd-shutdown with parameter --exit-code - Update systemctl manpage. I used the following to test it: | $ sudo rkt --debug --insecure-skip-verify run \ | --mds-register=false --local docker://busybox \ | --exec=/bin/chroot -- /proc/1/root \ | systemctl --force exit 42 | ... | Container rkt-895a0cba-5c66-4fa5-831c-e3f8ddc5810d failed with error code 42. | $ echo $? | 42 Fixes https://github.com/systemd/systemd/issues/1290

basic: rework virtualization detection API Introduce a proper enum, and don't pass around string ids anymore. This simplifies things quite a bit, and makes virtualization detection more similar to architecture detection.

selinux: drop mac_selinux_unit_access_check_strv() It is not acceptable to load unit files during enable/disable operations just to figure out the selinux labels. systemd implements lazy loading for units, so the selinux hooks need to follow it. This drops the mac_selinux_unit_access_check_strv() helper which implements a non-acceptable policy check. If anyone cares for that functionality, you really should pass a callback+userdata to the helpers in src/shared/install.c which does policy checks on each touched file. See #1050 on github for more.

tree-wide: port everything over to fflush_and_check() Some places invoked fflush() directly with their own manual error checking, let's unify all that by using fflush_and_check(). This also unifies the general error paths of fflush()+rename() file writers.

core: rename SystemdRunningAs to ManagerRunningAs It's primarily just a property of the Manager object after all, and we try to refer to PID 1 as "manager" instead of "systemd", hence let's to stick to this here too.

core: for queued reload message there is no need to store the bus explicitly After all it can be derived from the message directly, and already is.

sd-bus: allow passing NULL as bus parameter to sd_bus_send() If NULL is specified for the bus it is now automatically derived from the passed in message. This commit also changes a number of invocations of sd_bus_send() to make use of this.

sd-bus: drop bus parameter from message callback prototype This should simplify the prototype a bit. The bus parameter is redundant in most cases, and in the few where it matters it can be derived from the message via sd_bus_message_get_bus().

shared: add formats-util.h

core: make SELinux enable/disable check symmetric We'd use the generic check for disable, and a unit-file-specific one for enable. Use the more specific one both ways. systemd[1]: SELinux access check scon=system_u:system_r:systemd_timedated_t:s0 tcon=system_u:system_r:init_t:s0 tclass=system perm=disable path=(null) cmdline=/usr/lib/systemd/systemd-timedated: -13 systemd[1]: SELinux access check scon=system_u:system_r:systemd_timedated_t:s0 tcon=system_u:object_r:systemd_unit_file_t:s0 tclass=service perm=enable path=/usr/lib/systemd/system/systemd-timesyncd.service cmdline=/usr/lib/systemd/systemd-timedated: -13 https://bugzilla.redhat.com/show_bug.cgi?id=1014315

core/dbus-manager: remove dead check CID #1257766.

core: emit changes for NFailedUnits property By notifying the clients when this property is changed it's possible to allow "system health monitor" tools to get transitions like running<->degraded. This is an alternative to send changes on the SystemState property since the latter is more difficult to derive.

core: rework policykit hookup - Always issue selinux access check as early as possible, and PK check as late as possible. - Introduce a new policykit action for altering environment - Open most remaining bus calls to unprivileged clients via PK

Assorted format fixes Types used for pids and uids in various interfaces are unpredictable. Too bad.

sd-bus: move common errors src/shared/bus-errors.h → src/libsystemd/sd-bus/bus-common-errors.h Stuff in src/shared/ should not use stuff from src/libsystemd/ really.

run: introduce timer support option Support timer options --on-active=, --on-boot=, --on-startup=, --on-unit-active=, --on-unit-inactive=, --on-calendar=. Each options corresponding with OnActiveSec=, OnBootSec=, OnStartupSec=, OnUnitActiveSec=, OnUnitInactiveSec=, OnCalendar= of timer respectively. And OnCalendar= and WakeSystem= supported by --timer-property= option like --property= of systemd-run. And if --unit= option and timer options are specified the command can be omitted. In this case, systemd-run assumes the target service is already loaded. And just try to generate transient timer unit only.

bus: StartTransientUnit can have aux unit

treewide: no need to negate errno for log_*_errno() It corrrectly handles both positive and negative errno values.

treewide: auto-convert the simple cases to log_*_errno() As a followup to 086891e5c1 "log: add an "error" parameter to all low-level logging calls and intrdouce log_error_errno() as log calls that take error numbers", use sed to convert the simple cases to use the new macros: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/' Multi-line log_*() invocations are not covered. And we also should add log_unit_*_errno().

core: watchdog bus properties cannot be both writable and constant

mac: add mac_ prefix to distinguish origin security apis

systemctl: add add-wants and add-requires verbs

hashmap: introduce hash_ops to make struct Hashmap smaller It is redundant to store 'hash' and 'compare' function pointers in struct Hashmap separately. The functions always comprise a pair. Store a single pointer to struct hash_ops instead. systemd keeps hundreds of hashmaps, so this saves a little bit of memory.

systemd: fix argument ordering in UnsetAndSetEnvironment Fixup for v208-615-g718db96199.

systemd: fix error message

core: Verify systemd1 DBus method callers via polkit DBus methods that retrieve information can be called by anyone. DBus methods that modify state of units are verified via polkit action: org.freedesktop.systemd1.manage-units DBus methods that modify state of unit files are verified via polkit action: org.freedesktop.systemd1.manage-unit-files DBus methods that reload the entire daemon state are verified via polkit action: org.freedesktop.systemd1.reload-daemon DBus methods that modify job state are callable from the clients that started the job. root (ie: CAP_SYS_ADMIN) can continue to perform all calls, property access etc. There are several DBus methods that can only be called by root. Open up the dbus1 policy for the above methods. (Heavily modified by Lennart, making use of the new bus_verify_polkit_async() version that doesn't force us to always pass the original callback around. Also, interactive auhentication must be opt-in, not unconditional, hence I turned this off.)

core: Common code for DBus methods that Cancel a job Both ofs.Job.Cancel() and ofs.Manager.CancelJob() now use same implementation. So we can add caller verify logic appropriately.

install: beef up preset logic to limit to only enable or only disable, and do all-unit preset operations The new "systemctl preset-all" command may now be used to put all installed units back into the enable/disable state the vendor/admin encoded in preset files. Also, introduce "systemctl --preset-mode=enable-only" and "systemctl --preset-mode=disable-only" to only apply the enable or only the disable operations of a "systemctl preset" or "systemctl preset-all" operation. "systemctl preset-all" implements this RFE: https://bugzilla.redhat.com/show_bug.cgi?id=630174

os-release: define /usr/lib/os-release as fallback for /etc/os-release The file should have been in /usr/lib/ in the first place, since it describes the OS container in /usr (and not the configuration in /etc), hence, let's support os-release files in /usr/lib as fallback if no version in /etc exists, following the usual override logic. A prior commit already enabled tmpfiles to create /etc/os-release as a symlink to /usr/lib/os-release should it be missing, thus providing nice compatibility with applications only checking in /etc. While it's probably a good idea if all apps check both locations via a fallback logic, it is only necessary in the early boot process, as long as the /etc/os-release symlink has not been restored, in case we boot with an empty /etc.

shared: rename hwclock.[ch] to clock-util.[ch]

core: Filter by state behind the D-Bus API, not in the systemctl client.

core: no need to pass bus object to selinux access check calls anymore

core: introduce system state enum The system state knows the states starting → running/degraded/maintenance → stopping, where: starting = system startup running = normal operation degraded = at least one unit is currently in failed state maintenance = rescue/emergency mode is active or queued stopping = system shutdown

dbus: suppress duplicate and misleading messages When we try to send a signal on a connection we didn't hae the time to process the Disconnected message yet, don't generate multiple warning messages, but only a single debug message. https://bugs.freedesktop.org/show_bug.cgi?id=75874

bus: add sd_bus_track object for tracking peers, and port core over to it This is primarily useful for services that need to track clients which reference certain objects they maintain, or which explicitly want to subscribe to certain events. Something like this is done in a large number of services, and not trivial to do. Hence, let's unify this at one place. This also ports over PID 1 to use this to ensure that subscriptions to job and manager events are correctly tracked. As a side-effect this makes sure we properly serialize and restore the track list across daemon reexec/reload, which didn't work correctly before. This also simplifies how we distribute messages to broadcast to the direct busses: we only track subscriptions for the API bus and implicitly assume that all direct busses are subscribed. This should be a pretty OK simplification since clients connected via direct bus connections are shortlived anyway.

core: expose architecture as a bus property, so that we can easily query it remotely

core: expose root control group on the bus We expose the control group of the units on the bus, so let's also expose the root control group.

api: in constructor function calls, always put the returned object pointer first (or second) Previously the returned object of constructor functions where sometimes returned as last, sometimes as first and sometimes as second parameter. Let's clean this up a bit. Here are the new rules: 1. The object the new object is derived from is put first, if there is any 2. The object we are creating will be returned in the next arguments 3. This is followed by any additional arguments Rationale: For functions that operate on an object we always put that object first. Constructors should probably not be too different in this regard. Also, if the additional parameters might want to use varargs which suggests to put them last. Note that this new scheme only applies to constructor functions, not to all other functions. We do give a lot of freedom for those. Note that this commit only changes the order of the new functions we added, for old ones we accept the wrong order and leave it like that.

make gcc shut up If -flto is used then gcc will generate a lot more warnings than before, among them a number of use-without-initialization warnings. Most of them without are false positives, but let's make them go away, because it doesn't really matter.

core: fix gcc unused variable warning

bus: fix a couple of format string mistakes

selinux: Check access vector for enable/disable perm for each unit file SELinux check will be done using the context of the unit file as as a target instead of the default init_t context, allowing selinux control on the level of individual units. https://bugzilla.redhat.com/show_bug.cgi?id=1022762

bus: decorate the various object vtables with SD_BUS_VTABLE_PROPERTY_CONST where appropriate

bus: introduce "trusted" bus concept and encode access control in object vtables Introduces a new concept of "trusted" vs. "untrusted" busses. For the latter libsystemd-bus will automatically do per-method access control, for the former all access is automatically granted. Per-method access control is encoded in the vtables: by default all methods are only accessible to privileged clients. If the SD_BUS_VTABLE_UNPRIVILEGED flag is set for a method it is accessible to unprivileged clients too. By default whether a client is privileged is determined via checking for its CAP_SYS_ADMIN capability, but this can be altered via the SD_BUS_VTABLE_CAPABILITY() macro that can be ORed into the flags field of the method. Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED and SD_BUS_VTABLE_CAPABILITY() for controlling write access to them. Note however that read access is unrestricted, as PropertiesChanged messages might send out the values anyway as an unrestricted broadcast. By default the system bus is set to "untrusted" and the user bus is "trusted" since per-method access control on the latter is unnecessary. On dbus1 busses we check the UID of the caller rather than the configured capability since the capability cannot be determined without race. On kdbus the capability is checked if possible from the attached meta-data of a message and otherwise queried from the sending peer. This also decorates the vtables of the various daemons we ship with these flags.

core: fix SetUnitProperties

bus: add new sd_bus_creds object to encapsulate process credentials This way we can unify handling of credentials that are attached to messages, or can be queried for bus name owners or connection peers. This also adds the ability to extend incomplete credential information with data from /proc, Also, provide a convenience call that will automatically determine the most appropriate credential object for an incoming message, by using the the attached information if possible, the sending name information if available and otherwise the peer's credentials.

core: don't warn loudly if we cannot send a bus signal to a disconnected client

core: fix timestamp assignment

core: actually make SwitchRoot() bus call do the deed

core: fix serilization of ListJobs() response

core: fix deserialization of StartTransientUnit() parameters

bus: properly serialize unit file change list

bus: rework message handlers to always take an error argument Message handler callbacks can be simplified drastically if the dispatcher automatically replies to method calls if errors are returned. Thus: add an sd_bus_error argument to all message handlers. When we dispatch a message handler and it returns negative or a set sd_bus_error we send this as message error back to the client. This means errors returned by handlers by default are given back to clients instead of rippling all the way up to the event loop, which is desirable to make things robust. As a side-effect we can now easily turn the SELinux checks into normal function calls, since the method call dispatcher will generate the right error replies automatically now. Also, make sure we always pass the error structure to all property and method handlers as last argument to follow the usual style of passing variables for return values as last argument.

bus: let's simplify things by getting rid of unnecessary bus parameters

core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.

analyze: plot the time spent setting up security modules

detect_virtualization() returns NULL; pass empty string to dbus

bus: remove static introspection file export

manager: when verifying whether clients may change environment using selinux check for "reload" rather "reboot" This appears to be a copy/paste error.

core: drop some out-of-date references to cgroup settings

dbus: use _cleanup_free_ instead of freeing ourself

core: correct dbus parameter direction

core: send out "Reloading" signal before and after doing a full reload/reexec of PID 1 Since we'll unload all units/job during a reload, and then readd them it is really useful for clients to be aware of this phase hence sent a signal out before and after. This signal is called "Reloading" (despite the fact that it is also sent out during reexecution, which we consider a special case in this context) and has one boolean parameter which is true for the signal sent before the reload, and false for the signal after the reload. The UnitRemoved/JobRremoved and UnitNew/JobNew due to the reloading are guranteed to be between the pair of Reloading messages.

core: serialize/deserialize bus subscribers

core: add transient units Transient units can be created via the bus API. They are configured via the method call parameters rather than on-disk files. They are subject to normal GC. Transient units currently may only be created for services (however, we will extend this), and currently only ExecStart= and the cgroup parameters can be configured (also to be extended). Transient units require a unique name, that previously had no configuration file on disk. A tool systemd-run is added that makes use of this functionality to run arbitrary command lines as transient services: $ systemd-run /bin/ping www.heise.de Will cause systemd to create a new transient service and run ping in it.

unit: make sure the dropins we write are high-priority

dbus: add infrastructure for changing multiple properties at once on units and hook some cgroup attributes up to it This introduces two bus calls to make runtime changes to selected bus properties, optionally with persistence. This currently hooks this up only for three cgroup atributes, but this brings the infrastructure to add more changable attributes. This allows setting multiple attributes at once, and takes an array rather than a dictionary of properties, in order to implement simple resetting of lists using the same approach as when they are sourced from unit files. This means, that list properties are appended to by this call, unless they are first reset via assigning the empty list.

core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).

logind: add infrastructure to keep track of machines, and move to slices - This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.

analyze: show unit file loading on plot This will add another color to the legend called "Loading unit files" Like the generators it will mark a part of the systemd bar indicating the time spent while loading unit files.

analyze: show generators on plot

systemctl: add commands set-default and get-default systemctl set-default NAME links the default.target to the given unit, get-default prints out the path to the currently set default target.

dbus-manager.c: log error, why switch-root is refused

Add set_consume which always takes ownership Freeing in error path is the common pattern with set_put().

path-util: unify code for detecting OS trees This also makes sure we always detect an OS tree the same way, by checking for /etc/os-release.

dbus-manager: fix variable type introspection

Use bus_maybe_send_reply() where applicable This is a followup to: commit 1a37b9b9043ef83e9900e460a9a1fccced3acf89 It will fix denial messages from dbus-daemon between gdm and systemd-logind on logging into GNOME due to this. See the previous commit for more details.

unit: rework resource management API This introduces a new static list of known attributes and their special semantics. This means that cgroup attribute values can now be automatically translated from user to kernel notation for command line set settings, too. This also adds proper support for multi-line attributes.

manager: validate environment parameters for SetEnvironment(), UnsetEnvironment() bus calls

env: considerably beef up environment cleaning logic Now, actually check if the environment variable names and values used are valid, before accepting them. With this in place are at some places more rigid than POSIX, and less rigid at others. For example, this code allows lower-case environment variables (which POSIX suggests not to use), but it will not allow non-UTF8 variable values. All in all this should be a good middle ground of what to allow and what not to allow as environment variables. (This also splits out all environment related calls into env-util.[ch])

systemctl: add new "get-cgroup-attr" to query current cgroup attribute value Also adds a pair of bus calls for this to the daemon.

core: add bus API and systemctl commands for altering cgroup parameters during runtime

dbus: duplicate Job.Cancel() as CancelJob() and Snapshot.Remove() as RemoveSnapshot() on the Manager interface For all other object mehtods there are already counterparts on the manager object, as they help us reduce round-trips. So let's complete this, and reduce complexity on the client side a bit. As a side effect this also makes "systemctl snapshot" without arguments work again.

build-sys: drop all distribution specfic checks Yay, we now have a completely generic systemd. No distribution specific checks anymore!

dbus-manager: modernize style

dbus-manager: fix a fatal dbus abort in bus_manager_message_handler() If ListUnitFiles fails, or an OOM occurs, then dbus_message_unref() will be called twice on "reply", causing systemd to crash. So remove the call to dbus_message_unref(); it is unnecessary because of the cleanup attribute on "reply". [zj: modified to leave one dbus_message_unref() alone, per Colin Walters' comment.]

shared, core: do not always accept numbers in string lookups The behaviour of the common name##_from_string conversion is surprising. It accepts not only the strings from name##_table but also any number that falls within the range of the table. The order of items in most of our tables is an internal affair. It should not be visible to the user. I know of a case where the surprising numeric conversion leads to a crash. We will allow the direct numeric conversion only for the tables where the mapping of strings to numeric values has an external meaning. This holds for the following lookup tables: - netlink_family, ioprio_class, ip_tos, sched_policy - their numeric values are stable as they are defined by the Linux kernel interface. - log_level, log_facility_unshifted - the well-known syslog interface. We allow the user to use numeric values whose string names systemd does not know. For instance, the user may want to test a new kernel featuring a scheduling policy that did not exist when his systemd version was released. A slightly unpleasant effect of this is that the name##_to_string conversion cannot return pointers to constant strings anymore. The strings have to be allocated on demand and freed by the caller.

dbus-manager: check return of unit_dbus_path Reply of dbus_message_new_method_return was check twice and path from unit_dbus_path was not.

dbus: expose Virtualization ID on PID1's bus interface This allows unprivileged clients to check for the used virtualization even when lacking the privileges that some of the virtualization tests require. https://bugzilla.gnome.org/show_bug.cgi?id=684801

selinux: remove anything PID1-specific from selinux-access.[ch] so that we can reuse it in logind

selinux: rework selinux access check logic a) Instead of parsing the bus messages inside of selinux-access.c simply pass everything pre-parsed in the functions b) implement the access checking with a macro that resolves to nothing on non-selinux builds c) split out the selinux checks into their own sources selinux-util.[ch] d) this unifies the job creation code behind the D-Bus calls Manager.StartUnit() and Unit.Start().

core: move ManagerRunningAs to shared Note: I did s/MANAGER/SYSTEMD/ everywhere, even though it makes the patch quite verbose. Nevertheless, keeping MANAGER prefix in some places, and SYSTEMD prefix in others would just lead to confusion down the road. Better to rip off the band-aid now.

selinux: use existing library calls for audit data

selinux: add bus service access control -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch adds the ability to look at the calling process that is trying to do dbus calls into systemd, then it checks with the SELinux policy to see if the calling process is allowed to do the activity. The basic idea is we want to allow NetworkManager_t to be able to start and stop ntpd.service, but not necessarly mysqld.service. Similarly we want to allow a root admin webadm_t that can only manage the apache environment. systemctl enable httpd.service, systemctl disable iptables.service bad. To make this code cleaner, we really need to refactor the dbus-manager.c code. This has just become a huge if-then-else blob, which makes doing the correct check difficult. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iEYEARECAAYFAlBJBi8ACgkQrlYvE4MpobOzTwCdEUikbvRWUCwOb83KlVF0Nuy5 lRAAnjZZNuc19Z+aNxm3k3nwD4p/JYco =yops -----END PGP SIGNATURE-----

manager: extend performance measurement interface to include firmware/loader times This only adds the fields to the D-Bus interfaces but doesn't fill them in with anything useful yet. Gummiboot exposes the necessary bits of information to use however and as soon as I get my fingers on a proper UEFI laptop I'll hook up the remaining bits. Since we want to stabilize the D-Bus interface soon and include it in the stability promise we should get the last fixes in, hence this change now.

core: drop KillMode parameter from KillUnit() bus call It made no sense, and since we are documenting the bus calls now and want to include them in our stability promise we really should get it cleaned up sooner, not later.

core: fix name of dbus call parameter

util: rename join() to strjoin() This is to match strappend() and the other string related functions.

remount-fs: also remount /usr according to fstab

bus: drop HaveWatchdog option Clients should always watch /dev/watchdog directly, instead of going indirect. Let's keep our stacks small.

dbus: don't expose SysVInitPath and SysVRcndPath on the bus People should use systemd.pc if anything at all to determine these directories, and people should not assume that the bus fields are part of the supported API, so let's just drop this.

core: remove sysv_console option This option never made much sense. It was originally intended to make sure that the usual startup output of sysv scripts goes to the terminal. However, since SysV scripts started from a terminal would not output to that terminal, but rather /dev/console this effect was more often than not actually taking place. Nowadays systemd has much nicer boot time status output than SysV which makes the sysv output redundant. Finally, all output of services goes to the journal anyway, and is not lost. Hence, let's drop this option, and simplify things a bit.

systemd: return error when asked to stop unknown unit Command systemctl stop foo.service, will print error message, when foo.service is unknown to systemd, i.e. there is no unit file loaded for this service. https://bugzilla.redhat.com/show_bug.cgi?id=732874

dbus: better don't expose options we better shouldn't exposed NotifySocket= is hardly useful, people should use $NOTIFY_SOCKET if anything. RunningAs= suggests people had a choice of running user mode as PID 1 or vice versa, so remove this too.

switch-root: check for absolute paths

core: add extra safety check before switching root

dbus-manager: fix tainted string The pointer to the end of the string was not advanced after adding the "cgroups-missing" taint. If "local-hwclock" was detected too, it would overwrite the previous string. With 'e' always pointing to the end of the string, removing the last delimiter is easier.

manager: introduce SwitchRoot bus call for initrd/main transition

util: split-out hwclock.[ch]

dbus: include unit name in JobNew/JobRemoved signals This breaks D-Bus interface slightly, but since the D-Bus API isn't covered by the interface stability promise this should be OK.

hwclock: add taint flag for non-local hwclock

manager: drop MountAuto= and SwapAuto= options The ability to set MountAuto=no and SwapAuto=no was useful during the adoption phase of systemd, so that distributions could stick to their classic mount scripts a bit longer. It is about time to get rid of it now.

dbus-job: allow multiple bus clients Merging of jobs can result in more than one client being interested in a job.

watchdog: make watchdog dbus properties writable

dbus: expose whether we have a hardware watchdog on the bus

relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.

move libsystemd_core.la sources into core/