tree-wide: remove Emacs lines from all files This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.

core: re-sync bus name list after deserializing during daemon-reload When the daemon reloads, it doesn not actually give up its DBus connection, as wrongly stated in an earlier commit. However, even though the bus connection stays open, the daemon flushes out all its internal state. Hence, if there is a NameOwnerChanged signal after the flush and before the deserialization, it cannot be matched against any pending unit. To fix this, rename bus_list_names() to manager_sync_bus_names() and call it explicitly at the end of the daemon reload operation.

core: fix bus name synchronization after daemon-reload During daemon-reload, PID1 temporarly loses its DBus connection, so there's a small window in which all signals sent by dbus-daemon are lost. This is a problem, since we rely on the NameOwnerChanged signals in order to consider a service with Type=dbus fully started or terminated, respectively. In order to fix this, a rewrite of bus_list_names() is necessary. We used to walk the current list of names on the bus, and blindly triggered the bus_name_owner_change() callback on each service, providing the actual name as current owner. This implementation has a number of problems: * We cannot detect if the the name was moved from one owner to the other while we were reloading * We don't notify services which missed the name loss signal * Providing the actual name as current owner is a hack, as the comment also admits. To fix this, this patch carries the following changes: * Track the name of the current bus name owner, and (de-)serialize it during reload. This way, we can detect changes. * In bus_list_names(), walk the list of bus names we're interested in first, and then see if the name is active on the bus. If it is, check it it's still the same as it used to be, and synthesize NameOwnerChanged signals for the name add and/or loss. This should fully synchronize the current name list with the internal state of all services.

tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.

core: drop "override" flag when building transactions Now that we don't have RequiresOverridable= and RequisiteOverridable= dependencies anymore, we can get rid of tracking the "override" boolean for jobs in the job engine, as it serves no purpose anymore. While we are at it, fix some error messages we print when invoking functions that take the override parameter.

core: be more verbose when NameOwnerChanged subscriptions fail

util-lib: split out allocation calls into alloc-util.[ch]

user-util: move UID/GID related macros from macro.h to user-util.h

util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.

util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.

unit: allocate bus name match string on the stack Let's use strjoina() rather than strjoin() for construct dbus match strings. Also, while we are at it, fix parameter ordering, so that our functions always put the object first, like it is customary for OO-like programming.

tree-wide: take benefit of the fact that hashmap_free() returns NULL And set_free() too. Another Coccinelle patch.

tree-wide: make use of the fact that strv_free() returns NULL Another Coccinelle patch.

core: pass details to polkit for some unit actions The following details are passed: - unit: the primary name of the unit upon which the action was invoked (i.e. after resolving any aliases); - verb: one of 'start', 'stop', 'reload', 'restart', 'try-restart', 'reload-or-restart', 'reload-or-try-restart', 'kill', 'reset-failed', or 'set-property', corresponding to the systemctl verb used to invoke the action. Typical use of these details in a polkit policy rule might be: // Allow alice to manage example.service; // fall back to implicit authorization otherwise. polkit.addRule(function(action, subject) { if (action.id == "org.freedesktop.systemd1.manage-units" && action.lookup("unit") == "example.service" && subject.user == "alice") { return polkit.Result.YES; } }); We also supply a custom polkit message that includes the unit's name and the requested operation.

bus-util: support details in CheckAuthorization calls Extra details for an action can be supplied when calling polkit's CheckAuthorization method. Details are a list of key/value string pairs. Custom policy can use these details when making authorization decisions.

unit: add new macros to test for unit contexts

core: add unit_dbus_interface_from_type() to unit-name.h Let's add a way to get the type-specific D-Bus interface of a unit from either its type or name to src/basic/unit-name.[ch]. That way we can share it with the client side, where it is useful in tools like cgls or machinectl. Also ports over machinectl to make use of this.

core: dbus: track bus names per unit Currently, PID1 installs an unfiltered NameOwnerChanged signal match, and dispatches the signals itself. This does not scale, as right now, PID1 wakes up every time a bus client connects. To fix this, install individual matches once they are requested by unit_watch_bus_name(), and remove the watches again through their slot in unit_unwatch_bus_name(). If the bus is not available during unit_watch_bus_name(), just store name in the 'watch_bus' hashmap, and let bus_setup_api() do the installing later.

core: fix coding style in agent-handling Avoid late bail-out based on a condition. This makes code hard to read. Instead, reverse the forwarding-condition.

core: harden cgroups-agent forwarding On dbus1, we receive systemd1.Agent signals via the private socket, hence it's trusted. However, on kdbus we receive it on the system bus. We must make sure it's sent by UID=0, otherwise unprivileged users can fake it. Furthermore, never forward broadcasts we sent ourself. This might happen on kdbus, as we forward the message on the same bus we received it on, thus ending up in an endless loop.

core: rename SystemdRunningAs to ManagerRunningAs It's primarily just a property of the Manager object after all, and we try to refer to PID 1 as "manager" instead of "systemd", hence let's to stick to this here too.

treewide: Correct typos and spell plural of bus consistent

tree-wide: get rid of a few more explicit bus parameters

core: for queued reload message there is no need to store the bus explicitly After all it can be derived from the message directly, and already is.

sd-bus: drop bus parameter from message callback prototype This should simplify the prototype a bit. The bus parameter is redundant in most cases, and in the few where it matters it can be derived from the message via sd_bus_message_get_bus().

core: annotate event sources

core: explicitly specify credentials for direct connections, too So far we authenticate direct connections primarily at connection time, but let's also do this for each method individually, by attaching the creds we need for that right away.

dbus: typo fix in log

core: fix cgroups-agent match for kdbus On kdbus, we get cgroups-agent messages via the system bus, not the private systemd socket. Therefore, we must install the match properly or we will never receive cgroup notifications.

core: rewind message before forwarding it Forwarding messages that are not rewinded will drop data. Fix this for cgroups-agent messages that we might remarshal before forwarding to the system bus.

Allow up to 4096 simultaneous connections On large system we hit the limit on 512 simultaneous dbus connections, resulting in tons of annoying messages: Too many concurrent connections, refusing This patch raises the limit to 4096.

remove unused includes This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.

core: rework policykit hookup - Always issue selinux access check as early as possible, and PK check as late as possible. - Introduce a new policykit action for altering environment - Open most remaining bus calls to unprivileged clients via PK

logind: open up most bus calls for unpriviliged processes, using PolicyKit Also, allow clients to alter their own objects without any further priviliges. i.e. this allows clients to kill and lock their own sessions without involving PK.

sd-bus: move common errors src/shared/bus-errors.h → src/libsystemd/sd-bus/bus-common-errors.h Stuff in src/shared/ should not use stuff from src/libsystemd/ really.

core: OOM really shouldn't be considered a deserialization parse failure

treewide: another round of simplifications Using the same scripts as in f647962d64e "treewide: yet more log_*_errno + return simplifications".

treewide: use log_*_errno whenever %m is in the format string If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.

treewide: more log_*_errno + return simplifications

treewide: no need to negate errno for log_*_errno() It corrrectly handles both positive and negative errno values.

treewide: auto-convert the simple cases to log_*_errno() As a followup to 086891e5c1 "log: add an "error" parameter to all low-level logging calls and intrdouce log_error_errno() as log calls that take error numbers", use sed to convert the simple cases to use the new macros: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/' Multi-line log_*() invocations are not covered. And we also should add log_unit_*_errno().

core: make sure we have enough information when doing selinux decisions Let's ask for the security relevant bits in a race-free way, and augment the rest from /proc.

dbus: return non-zero return value in the case that prefix won't match strv_extend returns 0 in the case of success which means that else if (bus_track_deserialize_item(&m->deserialized_subscribed, l) == 0) log_warning("Unknown serialization item '%s'", l); will be printed when value is added correctly.

core: unify how we create the notify and private dbus socket Use the same robust logic of mkdir + unlink of any existing AF_UNIX socket, ignoring the return value, right before bind().

mac: add mac_ prefix to distinguish origin security apis

hashmap: introduce hash_ops to make struct Hashmap smaller It is redundant to store 'hash' and 'compare' function pointers in struct Hashmap separately. The functions always comprise a pair. Store a single pointer to struct hash_ops instead. systemd keeps hundreds of hashmaps, so this saves a little bit of memory.

core: Verify systemd1 DBus method callers via polkit DBus methods that retrieve information can be called by anyone. DBus methods that modify state of units are verified via polkit action: org.freedesktop.systemd1.manage-units DBus methods that modify state of unit files are verified via polkit action: org.freedesktop.systemd1.manage-unit-files DBus methods that reload the entire daemon state are verified via polkit action: org.freedesktop.systemd1.reload-daemon DBus methods that modify job state are callable from the clients that started the job. root (ie: CAP_SYS_ADMIN) can continue to perform all calls, property access etc. There are several DBus methods that can only be called by root. Open up the dbus1 policy for the above methods. (Heavily modified by Lennart, making use of the new bus_verify_polkit_async() version that doesn't force us to always pass the original callback around. Also, interactive auhentication must be opt-in, not unconditional, hence I turned this off.)

core: Rename Job.subscribed field to Job.clients This reflects how this field will be used, to not only track where to send signals, but also which callers (other than root) are allowed to call DBus methods on the Job.

sd-bus: introduce sd_bus_slot objects encapsulating callbacks or vtables attached to a bus connection This makes callback behaviour more like sd-event or sd-resolve, and creates proper object for unregistering callbacks. Taking the refernce to the slot is optional. If not taken life time of the slot will be bound to the underlying bus object (or in the case of an async call until the reply has been recieved).

core: no need to pass bus object to selinux access check calls anymore

core: minor typo fix

util: replace close_nointr_nofail() by a more useful safe_close() safe_close() automatically becomes a NOP when a negative fd is passed, and returns -1 unconditionally. This makes it easy to write lines like this: fd = safe_close(fd); Which will close an fd if it is open, and reset the fd variable correctly. By making use of this new scheme we can drop a > 200 lines of code that was required to test for non-negative fds or to reset the closed fd variable afterwards.

Use strlen even for constant strings GCC optimizes strlen("string constant") to a constant, even with -O0. Thus, replace patterns like sizeof("string constant")-1 with strlen("string constant") where possible, for clarity. In particular, for expressions intended to add up the lengths of components going into a string, this often makes it clearer that the expression counts the trailing '\0' exactly once, by putting the +1 for the '\0' at the end of the expression, rather than hidden in a sizeof in the middle of the expression.

core: fix assert when trying to serialize non-initialized bus peer tracker object

bus: add sd_bus_track object for tracking peers, and port core over to it This is primarily useful for services that need to track clients which reference certain objects they maintain, or which explicitly want to subscribe to certain events. Something like this is done in a large number of services, and not trivial to do. Hence, let's unify this at one place. This also ports over PID 1 to use this to ensure that subscriptions to job and manager events are correctly tracked. As a side-effect this makes sure we properly serialize and restore the track list across daemon reexec/reload, which didn't work correctly before. This also simplifies how we distribute messages to broadcast to the direct busses: we only track subscriptions for the API bus and implicitly assume that all direct busses are subscribed. This should be a pretty OK simplification since clients connected via direct bus connections are shortlived anyway.

api: in constructor function calls, always put the returned object pointer first (or second) Previously the returned object of constructor functions where sometimes returned as last, sometimes as first and sometimes as second parameter. Let's clean this up a bit. Here are the new rules: 1. The object the new object is derived from is put first, if there is any 2. The object we are creating will be returned in the next arguments 3. This is followed by any additional arguments Rationale: For functions that operate on an object we always put that object first. Constructors should probably not be too different in this regard. Also, if the additional parameters might want to use varargs which suggests to put them last. Note that this new scheme only applies to constructor functions, not to all other functions. We do give a lot of freedom for those. Note that this commit only changes the order of the new functions we added, for old ones we accept the wrong order and leave it like that.

bus: fix a couple of format string mistakes

core: make check for Disconnected message more precise

core: suppress gcc warnings on selinux-less systems

bus: instead of exposing the dbus1 flags when acquiring a name use our own that are closer to kdbus This turns around DO_NOT_QUEUE into QUEUE which implies a more useful default. (And negative options are awful anyway.)

core: fix bus registration on daemon reexec

bus: don't make use of the private bus socket if kdbus is available

core: use normal library call to query list of current names

bus: make sd_bus_request_name() and sd_bus_release_name() behave more like other calls Instead of returning an enum of return codes, make them return error codes like kdbus does internally. Also, document this behaviour so that clients can stick to it. (Also rework bus-control.c to always have to functions for dbus1 vs. kernel implementation of the various calls.)

bus: add new sd_bus_creds object to encapsulate process credentials This way we can unify handling of credentials that are attached to messages, or can be queried for bus name owners or connection peers. This also adds the ability to extend incomplete credential information with data from /proc, Also, provide a convenience call that will automatically determine the most appropriate credential object for an incoming message, by using the the attached information if possible, the sending name information if available and otherwise the peer's credentials.

bus: also add error parameter to object find and enumerator callbacks Just in order to bring things inline with the method and property callbacks.

bus: restore selinux access control to PID 1 for properties

bus: rework message handlers to always take an error argument Message handler callbacks can be simplified drastically if the dispatcher automatically replies to method calls if errors are returned. Thus: add an sd_bus_error argument to all message handlers. When we dispatch a message handler and it returns negative or a set sd_bus_error we send this as message error back to the client. This means errors returned by handlers by default are given back to clients instead of rippling all the way up to the event loop, which is desirable to make things robust. As a side-effect we can now easily turn the SELinux checks into normal function calls, since the method call dispatcher will generate the right error replies automatically now. Also, make sure we always pass the error structure to all property and method handlers as last argument to follow the usual style of passing variables for return values as last argument.

bus: fix seriliazation of activation errors

core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.

bus: initialize variable, now that we might skip debug logging

list: make our list macros a bit easier to use by not requring type spec on each invocation We can determine the list entry type via the typeof() gcc construct, and so we should to make the macros much shorter to use.

core: send out "Reloading" signal before and after doing a full reload/reexec of PID 1 Since we'll unload all units/job during a reload, and then readd them it is really useful for clients to be aware of this phase hence sent a signal out before and after. This signal is called "Reloading" (despite the fact that it is also sent out during reexecution, which we consider a special case in this context) and has one boolean parameter which is true for the signal sent before the reload, and false for the signal after the reload. The UnitRemoved/JobRremoved and UnitNew/JobNew due to the reloading are guranteed to be between the pair of Reloading messages.

core: while we are reloading don't suppress bus signals While we are reloading we shouldn't suppress adding units to the bus queue when there are no subscribers, simply because we might not have deserialized the subscribers list yet. Hence, during reloading always assume we have subscribers.

core: serialize/deserialize bus subscribers

core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).

core: bump simultaneous bus connection limit to 512

unit: rework stop pending logic When a trigger unit wants to know if a stop is queued for it, we should just check precisely that and do not check whether it is actually stopped already. This is because we use these checks usually from state change calls where the state variables are not updated yet. This change splits unit_pending_inactive() into two calls unit_inactive_or_pending() and unit_stop_pending(). The former checks state and pending jobs, the latter only pending jobs.

Use initalization instead of explicit zeroing Before, we would initialize many fields twice: first by filling the structure with zeros, and then a second time with the real values. We can let the compiler do the job for us, avoiding one copy. A downside of this patch is that text gets slightly bigger. This is because all zero() calls are effectively inlined: $ size build/.libs/systemd text data bss dec hex filename before 897737 107300 2560 1007597 f5fed build/.libs/systemd after 897873 107300 2560 1007733 f6075 build/.libs/systemd … actually less than 1‰. A few asserts that the parameter is not null had to be removed. I don't think this changes much, because first, it is quite unlikely for the assert to fail, and second, an immediate SEGV is almost as good as an assert.

Remove some dead code Based on coverity report.

dbus: let's make this const array static

Use bus_maybe_send_reply() where applicable This is a followup to: commit 1a37b9b9043ef83e9900e460a9a1fccced3acf89 It will fix denial messages from dbus-daemon between gdm and systemd-logind on logging into GNOME due to this. See the previous commit for more details.

bus: Escape environment-based D-Bus addresses properly If XDG_RUNTIME_DIR contains a character like ":" (for instance if it's formed from an X11 display name), then it isn't valid to substitute it into a D-Bus address without escaping. http://bugs.freedesktop.org/show_bug.cgi?id=60499

core: move ManagerRunningAs to shared Note: I did s/MANAGER/SYSTEMD/ everywhere, even though it makes the patch quite verbose. Nevertheless, keeping MANAGER prefix in some places, and SYSTEMD prefix in others would just lead to confusion down the road. Better to rip off the band-aid now.

build-sys: __secure_getenv lost dunder in libc 2.17

manager: extend performance measurement interface to include firmware/loader times This only adds the fields to the D-Bus interfaces but doesn't fill them in with anything useful yet. Gummiboot exposes the necessary bits of information to use however and as soon as I get my fingers on a proper UEFI laptop I'll hook up the remaining bits. Since we want to stabilize the D-Bus interface soon and include it in the stability promise we should get the last fixes in, hence this change now.

shared: in code that might get called from suid programs use __secure_getenv() rather than getenv() It's better to be safe than sorry.

log.h: new log_oom() -> int -ENOMEM, use it also a number of minor fixups and bug fixes: spelling, oom errors that didn't print errors, not properly forwarding error codes, few more consistency issues, et cetera

use "Out of memory." consistantly (or with "\n") glibc/glib both use "out of memory" consistantly so maybe we should consider that instead of this. Eliminates one string out of a number of binaries. Also fixes extra newline in udev/scsi_id

mkdir: append _label to all mkdir() calls that explicitly set the selinux context

dbus-job: allow multiple bus clients Merging of jobs can result in more than one client being interested in a job.

relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.

move libsystemd_core.la sources into core/