b26fa1a2fbcfee7d03b0c8fd15ec3aa64ae70b9f |
|
10-Feb-2016 |
Daniel Mack <daniel@zonque.org> |
tree-wide: remove Emacs lines from all files
This should be handled fine now by .dir-locals.el, so no need to carry that
stuff in every file. |
1e22b5cda04b6d5e0dd83ab8e6ecb452cf34851f |
|
28-Jan-2016 |
Lennart Poettering <lennart@poettering.net> |
core: don't reset /dev/console if stdin/stdout/stderr are passed as fd in a transient service
Otherwise we might end up resetting /dev/console all the time when a transient service starts or stops.
Fixes #2377
Fixes #2198
Fixes #2061 |
7bb70b6e3d6600d4c448c016b71073706460a12e |
|
25-Jan-2016 |
Lennart Poettering <lennart@poettering.net> |
core: normalize error handling a bit, in setup_pam()
Assign errno-style errors to a variable called "r" when they happen, the same way we do this in most other calls. It's
bad enough that the error handling part of the function deals with two different error variables (pam_code and r) now,
but before this fix it was even three! |
2a836ca9703689ba05513c98fb293b91a186a9ac |
|
21-Jan-2016 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
systemd: remove dead code
We only go to the fail label if pam_pid <= 0.
CID #1306746. |
b3267152783d5784c45010615045d4e8ee459da2 |
|
13-Jan-2016 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
tree-wide: check if errno is greater than zero (2)
Compare errno with zero in a way that tells gcc that
(if the condition is true) errno is positive. |
f5e5c28f42a2f6d006785ec8b5e98c11a71bb039 |
|
13-Jan-2016 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
tree-wide: check if errno is greater than zero
gcc is confused by the common idiom of
return errno ? -errno : -ESOMETHING
and thinks a positive value may be returned. Replace this condition
with errno > 0 to help gcc and avoid many spurious warnings. I filed
a gcc rfe a long time ago, but it is hard to say if it will ever be
implemented [1].
Both conventions were used in the codebase, this change makes things
more consistent. This is a follow up to bcb161b0230f.
[1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61846 |
755d4b67a471ed1a3472b8536cb51315d4e4e3c1 |
|
11-Jan-2016 |
Ismo Puustinen <ismo.puustinen@intel.com> |
capabilities: added support for ambient capabilities.
This patch adds support for ambient capabilities in service files. The
idea with ambient capabilities is that the exec'ed processes can run as a
non-root user and get some inherited capabilities, without having any
need to add the capabilities to the executable file.
You need at least Linux 4.3 to use ambient capabilities. SecureBit
keep-caps is automatically added when you use ambient capabilities and
wish to change the user.
An example system service file might look like this:
[Unit]
Description=Service for testing caps
[Service]
ExecStart=/usr/bin/sleep 10000
User=nobody
AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW
After starting the service it has these capabilities:
CapInh: 0000000000003000
CapPrm: 0000000000003000
CapEff: 0000000000003000
CapBnd: 0000003fffffffff
CapAmb: 0000000000003000 |
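As an added check for the capability dump above (example code written here, not part of the commit or of systemd): parse the Cap* masks of a /proc/<pid>/status dump, decode them to capability names, and confirm that a service started with User= and AmbientCapabilities= ended up with exactly the configured set in its inheritable, permitted, effective and ambient sets. The status text is constructed from the values in the commit message; the name table is the Linux 4.3 capability list.

```c
#define _GNU_SOURCE
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
/* Capability bits in linux/capability.h order, up to the last one defined in
 * Linux 4.3 (CAP_AUDIT_READ = 37); 38 bits is the CapBnd 0x3fffffffff above. */
static const char *const cap_names[] = {
        "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER",
        "CAP_FSETID", "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP",
        "CAP_LINUX_IMMUTABLE", "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST",
        "CAP_NET_ADMIN", "CAP_NET_RAW", "CAP_IPC_LOCK", "CAP_IPC_OWNER",
        "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT", "CAP_SYS_PTRACE",
        "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
        "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD",
        "CAP_LEASE", "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP",
        "CAP_MAC_OVERRIDE", "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM",
        "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
};
#define CAP_COUNT ((int)(sizeof(cap_names) / sizeof(cap_names[0])))

/* Constructed /proc/<pid>/status excerpt with the values the commit reports. */
static const char sample_status[] =
        "CapInh:\t0000000000003000\n"
        "CapPrm:\t0000000000003000\n"
        "CapEff:\t0000000000003000\n"
        "CapBnd:\t0000003fffffffff\n"
        "CapAmb:\t0000000000003000\n";

/* Parse an AmbientCapabilities=-style list ("CAP_NET_ADMIN CAP_NET_RAW") into
 * a bit mask. Returns UINT64_MAX if any name is unknown. */
uint64_t cap_names_to_mask(const char *names) {
        uint64_t mask = 0;
        char *copy = strdup(names), *tok, *save = NULL;
        if (!copy)
                return UINT64_MAX;
        for (tok = strtok_r(copy, " \t\n", &save); tok; tok = strtok_r(NULL, " \t\n", &save)) {
                int i;
                for (i = 0; i < CAP_COUNT && strcmp(tok, cap_names[i]) != 0; i++)
                        ;
                if (i == CAP_COUNT) {
                        free(copy);
                        return UINT64_MAX;
                }
                mask |= (uint64_t)1 << i;
        }
        free(copy);
        return mask;
}

/* Render a mask as space-separated names (static buffer); bits beyond the
 * table are printed as numbers so a newer kernel's dump still decodes. */
const char *cap_mask_to_names(uint64_t mask) {
        static char buf[1024];
        size_t off = 0;
        buf[0] = '\0';
        for (int i = 0; i < 64 && off < sizeof(buf); i++) {
                if (!(mask & ((uint64_t)1 << i)))
                        continue;
                if (i < CAP_COUNT)
                        off += snprintf(buf + off, sizeof(buf) - off, "%s%s", off ? " " : "", cap_names[i]);
                else
                        off += snprintf(buf + off, sizeof(buf) - off, "%s%d", off ? " " : "", i);
        }
        return buf;
}

/* Read the hex mask of "Cap<set>:" (set = Inh, Prm, Eff, Bnd or Amb) from
 * status text. Returns UINT64_MAX if the line is missing or malformed. */
uint64_t cap_from_status(const char *status, const char *set) {
        char key[16], *end;
        const char *p;
        unsigned long long v;
        snprintf(key, sizeof(key), "Cap%s:", set);
        p = strstr(status, key);
        if (!p)
                return UINT64_MAX;
        v = strtoull(p + strlen(key), &end, 16);
        return end == p + strlen(key) ? UINT64_MAX : (uint64_t)v;
}

/* The property the dump above illustrates: after User= plus
 * AmbientCapabilities=, Inh/Prm/Eff/Amb all equal the configured set and that
 * set lies inside the bounding set. Returns 1 if the status text agrees. */
int ambient_caps_match(const char *status, const char *configured) {
        uint64_t want = cap_names_to_mask(configured), bnd = cap_from_status(status, "Bnd");
        const char *sets[] = { "Inh", "Prm", "Eff", "Amb" };
        if (want == UINT64_MAX || bnd == UINT64_MAX || (want & ~bnd))
                return 0;
        for (int i = 0; i < 4; i++)
                if (cap_from_status(status, sets[i]) != want)
                        return 0;
        return 1;
}

int main(void) {
        printf("CapAmb: %s\n", cap_mask_to_names(cap_from_status(sample_status, "Amb")));
        return ambient_caps_match(sample_status, "CAP_NET_ADMIN CAP_NET_RAW") ? 0 : 1;
}
```

Point it at the real file with `cat /proc/$(systemctl show -p MainPID --value <unit>)/status` to verify a live service the same way.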
a103496ca585e22bb5e386e3238b468d133f5659 |
|
11-Jan-2016 |
Ismo Puustinen <ismo.puustinen@intel.com> |
capabilities: keep bounding set in non-inverted format.
Change the capability bounding set parser and logic so that the bounding
set is kept as a positive set internally. This means that the set
reflects those capabilities that we want to keep instead of drop. |
3c11da9d80e804801575a0a9f6db116e12fdd01d |
|
30-Nov-2015 |
Evgeny Vereshchagin <evvers@ya.ru> |
core: dump soft limits too |
74129a127676e4f0edac0db4296c103e76ec6694 |
|
27-Nov-2015 |
lc85446 <lc85446@alibaba-inc.com> |
core:execute: fix fork() fail handling in exec_spawn()
If pid < 0 after fork(), 0 is always returned because r =
exec_context_load_environment() has exited successfully.
This will make the caller of exec_spawn() not able to handle
the fork() error case and make systemd abort assert() possibly. |
fdbbadbd0d13d3296b9aa4273aaeecd9ba6b82d1 |
|
27-Nov-2015 |
Evgeny Vereshchagin <evvers@ya.ru> |
core: dump rlim_cur too |
b4c14404b3e8753c41bac0b1d49369230a15c544 |
|
11-Nov-2015 |
Filipe Brandenburger <filbranden@google.com> |
execute: Add new PassEnvironment= directive
This directive allows passing environment variables from the system
manager to spawned services. Variables in the system manager can be set
inside a container by passing `--set-env=...` options to systemd-nspawn.
Tested with an on-disk test.service unit. Tested using multiple variable
names on a single line, with an empty setting to clear the current list
of variables, with non-existing variables.
Tested using `systemd-run -p PassEnvironment=VARNAME` to confirm it
works with transient units.
Confirmed that `systemctl show` will display the PassEnvironment
settings.
Checked that man pages are generated correctly.
No regressions in `make check`. |
b5efdb8af40ea759a1ea584c1bc44ecc81dd00ce |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split out allocation calls into alloc-util.[ch] |
7d50b32a129e781401cf897475f388f682de1368 |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split out globbing related calls into glob-util.[ch] |
7ccbd1ae843d77275f2c542582a9a80e5e058a70 |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split out syslog-related calls into syslog-util.[ch] |
430f0182b72373145c839dbfe99d2382855cb8f8 |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
src/basic: rename audit.[ch] → audit-util.[ch] and capability.[ch] → capability-util.[ch]
The files are named too generically, so that they might conflict with
the upstream project headers. Hence, let's add a "-util" suffix, to
clarify that these are just our utility headers and not any official
upstream headers. |
8b43440b7ef4b81c69c31de7ff820dc07a780254 |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: move string table stuff into its own string-table.[ch] |
f4f15635ec05293ffcc83a5b39f624bbabbd8fd0 |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: move a number of fs operations into fs-util.[ch] |
78f22b973fa2c9b09bd974680836df17163d9ee0 |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split out resource limits related calls into rlimit-util.[ch] |
6bedfcbb2970e06a4d3280c8fb62083d252ede73 |
|
27-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split string parsing related calls from util.[ch] into parse-util.[ch] |
b1d4f8e154bf61b5de1b27461ef8e9c8c5e838a1 |
|
26-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split out user/group/uid/gid calls into user-util.[ch] |
c004493cdefc1f43a3956ca529e8070f8d70be56 |
|
26-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split out IO related calls to io-util.[ch] |
3ffd4af22052963e7a29431721ee204e634bea75 |
|
25-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split out fd-related operations into fd-util.[ch]
There are more than enough to deserve their own .c file, hence move them
over. |
07630cea1f3a845c09309f197ac7c4f11edd3b62 |
|
24-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util-lib: split our string related calls from util.[ch] into its own file string-util.[ch]
There are more than enough calls doing string manipulations to deserve
their own file, hence do something about it.
This patch also sorts the #include blocks of all files that needed to be
updated, according to the sorting suggestions from CODING_STYLE. Since
pretty much every file needs our string manipulation functions this
effectively means that most files have sorted #include blocks now.
Also touches a few unrelated include files. |
c2bbd90b5a60cfba87cee98fa4ad66de73036801 |
|
16-Oct-2015 |
Evgeny Vereshchagin <evvers@ya.ru> |
core: dump RuntimeDirectories and RuntimeDirectoryMode too |
3d18b167558bde95a076b16d40f9454f169e70ba |
|
08-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
util: do not reset terminal in acquire_terminal()
Before, we'd always reset acquired terminals, which is not really
desired, as we expose a setting TTYReset= which is supposed to control
whether the TTY is reset or not. Previously that setting would only
enable a second resetting of the TTY, which is of course pointless...
Hence, move the implicit resetting out of acquire_terminal() and make
the callers do it if they need it. |
a34ceba66fc0e856d8f76f340389a4768b57a365 |
|
08-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
core: add support for setting stdin/stdout/stderr for transient services
When starting a transient service, allow setting stdin/stdout/stderr fds
for it, by passing them in via the bus.
This also simplifies some of the serialization code for units. |
e287086b8aa2558356af225a12d9bfea8e7d61ca |
|
07-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
ask-password: add support for caching passwords in the kernel keyring
This adds support for caching harddisk passwords in the kernel keyring
if it is available, thus supporting caching without Plymouth being
around.
This is also useful for hooking up "gdm-auto-login" with the collected
boot-time harddisk password, in order to support gnome keyring
passphrase unlocking via the HDD password, if it is the same.
Any passwords added to the kernel keyring this way have a timeout of
2.5min at which time they are purged from the kernel. |
8dd4c05b5495c7ffe0f12ace87e71abe17bd0a0e |
|
06-Oct-2015 |
Lennart Poettering <lennart@poettering.net> |
core: add support for naming file descriptors passed using socket activation
This adds support for naming file descriptors passed using socket
activation. The names are passed in a new $LISTEN_FDNAMES= environment
variable, that matches the existing $LISTEN_FDS= one and contains a
colon-separated list of names.
This also adds support for naming fds submitted to the per-service fd
store using FDNAME= in the sd_notify() message.
This also adds a new FileDescriptorName= setting for socket unit files
to set the name for fds created by socket units.
This also adds a new call sd_listen_fds_with_names(), that is similar to
sd_listen_fds(), but also returns the names of the fds.
systemd-activate gained the new --fdname= switch to specify a name for
testing socket activation.
This is based on #1247 by Maciej Wereski.
Fixes #1247. |
5f5d8eab1f2f5f5e088bc301533b3e4636de96c7 |
|
29-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
core: allow setting WorkingDirectory= to the special value ~
If set to ~ the working directory is set to the home directory of the
user configured in User=.
This change also exposes the existing switch for the working directory
that allowed making missing working directories non-fatal.
This also changes "machinectl shell" to make use of this to ensure that
the invoked shell is by default in the user's home directory.
Fixes #1268. |
b213e1c11d5a383faf5c456a31389d5c0c0f039b |
|
23-Sep-2015 |
Sangjung Woo <sangjung.woo@samsung.com> |
exec: move mac_smack_apply_pid() and setup_pam() to same condition block
This cleans up exec_child() function by moving mac_smack_apply_pid()
and setup_pam() to the same condition block, since both of them have
the same condition (i.e. params->apply_permissions). It improves
readability without changing its operation. |
6bf6e43e7e214a4bd03008a91a7fc77ce6934d65 |
|
23-Sep-2015 |
Sangjung Woo <sangjung.woo@samsung.com> |
exec: call setup_pam() after SMACK labeling
When 'SmackProcessLabel=' is used in user@.service file, all processes
launched in systemd user session should be labeled as the designated name
of 'SmackProcessLabel' directive. However, if systemd has its own smack
label using '--with-smack-run-label' configuration, '(sd-pam)' is
labeled as the specific name of '--with-smack-run-label'. If
'SmackProcessLabel=' is used in user@.service file without
'--with-smack-run-label' configuration, (sd-pam) is labeled as "_" since
systemd (i.e. pid=1) is labeled as "_".
This is mainly because setup_pam() function is called before applying
smack label to child process. This patch fixes it by calling setup_pam()
after setting the smack label. |
2d7c6aa20cef0128e7a90c4da3d3519ed5c6b0f3 |
|
23-Sep-2015 |
David Herrmann <dh.herrmann@gmail.com> |
core: make setup_pam() synchronous
If we spawn a unit with a non-empty 'PAMName=', we fork off a
child-process _inside_ the unit, known as '(sd-pam)', which watches the
session. It waits for the main-process to exit and then finishes it via
pam_close_session(3).
However, the '(sd-pam)' setup is highly asynchronous. There is no
guarantee that the process gets spawned before we finish the unit setup.
Therefore, there might be a root-owned process inside of the cgroup of
the unit, thus causing cg_migrate() to error-out with EPERM.
This patch makes setup_pam() synchronous and waits for the '(sd-pam)'
setup to finish before continuing. This guarantees that setresuid(2) was
at least tried before we continue with the child setup of the real unit.
Note that if setresuid(2) fails, we already warn loudly about it. You
really must make sure that you own the passed user if using 'PAMName='.
It seems very plausible to rely on that assumption. |
5bc7452b3219456e07f931e40da30bb94a884293 |
|
21-Sep-2015 |
Ronny Chevalier <chevalier.ronny@gmail.com> |
core: fix group ownership when Group is set
When Group is set in the unit, the runtime directories are owned by
this group and not the default group of the user (same for cgroup paths
and standard outputs).
Fix #1231 |
c7cc737fce8e5ba8438c1613756b48a0c2ecbb0f |
|
11-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
execute: fix return type from write() |
54eb2300ae07d28922a18a9d14dc597850535e9c |
|
11-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
execute: invalidate idle pipe after use
Not strictly necessary, but makes clear the fds are invalidated. Make
sure we do the same here as in most other cases. |
525d3cc746a037e8cc6b2e0ebaaf76a51856fa6b |
|
09-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: take benefit of the fact that hashmap_free() returns NULL
And set_free() too.
Another Coccinelle patch. |
6796073e330f49923c5134652ee085e29fc88002 |
|
09-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: make use of the fact that strv_free() returns NULL
Another Coccinelle patch. |
1f6b411372076426c0faf0bb350437fb4d82931f |
|
09-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: update empty-if coccinelle script to cover empty-while and more
Let's also clean up single-line while and for blocks. |
76ef789d264f9eb7d7624b994aa6eead1dacfac4 |
|
09-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: make use of log_error_errno() return value
Turns this:
r = -errno;
log_error_errno(errno, "foo");
into this:
r = log_error_errno(errno, "foo");
and this:
r = log_error_errno(errno, "foo");
return r;
into this:
return log_error_errno(errno, "foo"); |
3cc2aff1abff9e34f9fec282d970204dc1eab6f1 |
|
09-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: don't do assignments within if checks
Turn this:
if ((r = foo()) < 0) { ...
into this:
r = foo();
if (r < 0) { ... |
a1e58e8ee1c84b633d6d6d651d5328d4dd4eba5b |
|
09-Sep-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: use coccinelle to patch a lot of code to use mfree()
This replaces this:
free(p);
p = NULL;
by this:
p = mfree(p);
Change generated using coccinelle. Semantic patch is added to the
sources. |
023a4f67011f24d4b085995a4a3a02661c4794a2 |
|
24-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
core: optionally create LOGIN_PROCESS or USER_PROCESS utmp entries
When generating utmp/wtmp entries, optionally add both LOGIN_PROCESS and
INIT_PROCESS entries or even all three of LOGIN_PROCESS, INIT_PROCESS
and USER_PROCESS entries, instead of just a single INIT_PROCESS entry.
With this change systemd may be used to not only invoke a getty directly
in a SysV-compliant way but alternatively also a login(1) implementation
or even forego getty and login entirely, and invoke arbitrary shells in
a way that they appear in who(1) or w(1).
This is preparation for a later commit that adds a "machinectl shell"
operation to invoke a shell in a container, in a way that is compatible
with who(1) and w(1). |
6bfe5c28cad4716ed3ff6667c1546b5e180391fb |
|
06-Aug-2015 |
Lennart Poettering <lennart@poettering.net> |
execute: don't fail if we create the runtime directory from two processes simultaneously
If a service has both ExecStart= and ExecStartPost= set with
Type=simple, then it might happen that we have two children create the
runtime directory of a service (as configured with RuntimeDirectory=) at
the same time. Previously we did this with mkdir_safe() which will
create the dir only if it is missing, but if it already exists will at
least verify the access mode and ownership to match the right values.
This is problematic in this case, since it creates and then adjusts the
settings, thus it might happen that one child creates the directory with
root owner, another one then verifies it, and only afterwards the
directory ownership is fixed by the original child, while the second
child already failed.
With this change we'll now always adjust the access mode, so that we
know that it is right. In the worst case this means we adjust the
mode/ownership even though it's unnecessary, but this should have no
negative effect.
https://bugzilla.redhat.com/show_bug.cgi?id=1226509 |
7d6884b65e6ea7317346d29bc2f6c9ba051a0cac |
|
06-Aug-2015 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
tree-wide: fix indentation |
e419a0e31089994ecd1d9019c791e63d13b37584 |
|
04-Aug-2015 |
WaLyong Cho <walyong.cho@samsung.com> |
core: set default process label only if exec label is none
When the command path has an access label and SmackProcessLabel= is not
set, the default process label will be set. But if the default process
label has no rule for the access label of the command path then a smack
access error will occur.
So, if the command path has an execute label then the child has to set
its label to the same as the execute label of the command path instead of
the default process label. |
ad118bda159d3f9c27c5a15ace54cf808a6e8788 |
|
07-Jul-2015 |
Daniel Mack <daniel@zonque.org> |
tree-wide: fix write_string_file() users that should not create files
The latest consolidation cleanup of write_string_file() revealed some users
of that helper which should have used write_string_file_no_create() in the
past but didn't. Basically, all existing users that write to files in /sys
and /proc should not expect to write to a file which is not yet existent. |
4c1fc3e404d648c70bd2f50ac50aeac6ece8872e |
|
07-Jul-2015 |
Daniel Mack <daniel@zonque.org> |
fileio: consolidate write_string_file*()
Merge write_string_file(), write_string_file_no_create() and
write_string_file_atomic() into write_string_file() and provide a flags mask
that allows combinations of atomic writing, newline appending and automatic
file creation. Change all users accordingly. |
e174dce27173396ed8034c9cfda87eb210365126 |
|
22-Jun-2015 |
WaLyong Cho <walyong.cho@samsung.com> |
smack: add default smack process label config
Similar to SmackProcessLabel=, if this configuration is set, systemd
executes processes with the given SMACK label. If the unit has
SmackProcessLabel=, this config is overwritten.
But do NOT confuse this with SMACK64EXEC of the executable file. This
default execute process label (and also the label which is set by
SmackProcessLabel=) is set as the forked process's SMACK subject label and
used to access the executable file.
If the executable file also has SMACK64EXEC, the finally executed process
has the SMACK64EXEC subject.
While if the executable file has no SMACK64EXEC, the executed process
has the label of this config (or the label which is set by
SmackProcessLabel=), because if the executable file has no SMACK64EXEC then
the executed process inherits its label from the caller process (in this
case, the caller is systemd). |
1b09f548c7f303b486b5b1321c06336bff72ada4 |
|
17-Jun-2015 |
Kay Sievers <kay@vrfy.org> |
turn kdbus support into a runtime option
./configure --enable/disable-kdbus can be used to set the default
behavior regarding kdbus.
If no kdbus kernel support is available, dbus-daemon will be used.
With --enable-kdbus, the kernel command line option "kdbus=0" can
be used to disable kdbus.
With --disable-kdbus, the kernel command line option "kdbus=1" is
required to enable kdbus support. |
d6e5f3ad1fdb7964d843c86f86d4ee7d806a0f93 |
|
17-Jun-2015 |
Daniel Mack <daniel@zonque.org> |
core: execute: fix regression in pam_setup()
Commit 72c0a2c25 ("everywhere: port everything to sigprocmask_many()
and friends") reworked code tree-wide to use the new sigprocmask_many()
helper. In this, it caused a regression in pam_setup, because it
dropped a line to initialize the 'ss' signal mask which is later used
in sigwait().
While at it, move the variable declaration to an inner scope. |
72c0a2c255b172ebbb2a2b7dab7c9aec4c9582d9 |
|
15-Jun-2015 |
Lennart Poettering <lennart@poettering.net> |
everywhere: port everything to sigprocmask_many() and friends
This ports a lot of manual code over to sigprocmask_many() and friends.
Also, we now consistently check for sigprocmask() failures with
assert_se(), since the call cannot realistically fail unless there's a
programming error.
Also encloses a few sd_event_add_signal() calls with (void) when we
ignore the return values for it knowingly. |
ce30c8dcb41dfe9264f79f30c7f51c0e74576638 |
|
10-Jun-2015 |
Lennart Poettering <lennart@poettering.net> |
tree-wide: whenever we fork off a foreign child process reset signal mask/handlers
Also, when the child is potentially long-running make sure to set a
death signal.
Also, ignore the result of the reset operations explicitly by casting
them to (void). |
24882e06c135584f16f31ba8a00fecde8b7f6fad |
|
29-May-2015 |
Lennart Poettering <lennart@poettering.net> |
util: split out signal-util.[ch] from util.[ch]
No functional changes. |
050f727728f0631ce2b9c5f9635054480ccea3f6 |
|
21-May-2015 |
Lennart Poettering <lennart@poettering.net> |
util: introduce PERSONALITY_INVALID as macro for 0xffffffffLU |
ee818b89f4890b3a00e93772249fce810f60811e |
|
18-May-2015 |
Alban Crequy <alban@endocode.com> |
core: Private*/Protect* options with RootDirectory
When a service is chrooted with the option RootDirectory=/opt/..., then
the options PrivateDevices, PrivateTmp, ProtectHome, ProtectSystem must
mount the directories under $RootDirectory/{dev,tmp,home,usr,boot}.
The test-ns tool can test setup_namespace() with and without chroot:
$ sudo TEST_NS_PROJECTS=/home/lennart/projects ./test-ns
$ sudo TEST_NS_CHROOT=/home/alban/debian-tree TEST_NS_PROJECTS=/home/alban/debian-tree/home/alban/Documents ./test-ns |
8b44a3d22c1fdfc5ce5fcb77e38a90ec02ba8019 |
|
13-May-2015 |
Lennart Poettering <lennart@poettering.net> |
core: make exec code a bit more readable
Let's add a function that checks whether we need fs namespacing, to make
things easier to read, instead of using a humongous if expression... |
f2341e0a87cab1558c84c933956e9181d5fb6c52 |
|
11-May-2015 |
Lennart Poettering <lennart@poettering.net> |
core,network: major per-object logging rework
This changes log_unit_info() (and friends) to take a real Unit* object
instead of just a unit name as a parameter. The call will now prefix all
logged messages with the unit name, thus allowing the unit name to be
dropped from the various passed format strings, simplifying invocations
drastically, and unifying log output across messages. Also, UNIT= vs.
USER_UNIT= is now derived from the Manager object attached to the Unit
object, instead of getpid(). This has the benefit of correcting the
field for --test runs.
Also contains a couple of other logging improvements:
- Drops a couple of strerror() invocations in favour of using %m.
- Not only .mount units now warn if a symlink exists for the mount
point already, .automount units do that too, now.
- A few invocations of log_struct() that didn't actually pass any
additional structured data have been replaced by simpler invocations
of log_unit_info() and friends.
- For structured data a new LOG_UNIT_MESSAGE() macro has been added,
that works like LOG_MESSAGE() but prefixes the message with the unit
name. Similarly, there's now LOG_LINK_MESSAGE() and
LOG_NETDEV_MESSAGE().
- For structured data new LOG_UNIT_ID(), LOG_LINK_INTERFACE(),
LOG_NETDEV_INTERFACE() macros have been added that generate the
necessary per object fields. The old log_unit_struct() call has been
removed in favour of these new macros used in raw log_struct()
invocations. In addition to removing one more function call this
allows generated structured log messages that contain two object
fields, as necessary for example for network interfaces that are
joined into another network interface, and whose messages shall be
indexed by both.
- The LOG_ERRNO() macro has been removed, in favour of
log_struct_errno(). The latter has the benefit of ensuring that %m in
format strings is properly resolved to the specified error number.
- A number of logging messages have been converted to use
log_unit_info() instead of log_info()
- The client code in sysv-generator no longer #includes core code from
src/core/.
- log_unit_full_errno() has been removed, log_unit_full() instead takes
an errno now, too.
- log_unit_info(), log_link_info(), log_netdev_info() and friends, now
avoid double evaluation of their parameters. |
dd305ec9c6c2ef6e0b5e43de388a98825385b359 |
|
28-Apr-2015 |
Lennart Poettering <lennart@poettering.net> |
core: when we cannot add PID to a scope cgroup, log about it
Also, place the scope unit in failed state. |
288a74cce597f81d3ba01d8a5ca7d2ba5b654b7e |
|
11-Apr-2015 |
Ronny Chevalier <chevalier.ronny@gmail.com> |
shared: add terminal-util.[ch] |
0b452006de98294d1690f045f6ea2f7f6630ec3b |
|
10-Apr-2015 |
Ronny Chevalier <chevalier.ronny@gmail.com> |
shared: add process-util.[ch] |
6482f6269c87d2249e52e889a63adbdd50f2d691 |
|
10-Apr-2015 |
Ronny Chevalier <chevalier.ronny@gmail.com> |
shared: add formats-util.h |
c6878637502b1717a110a9a7e8bba32a8583fcdf |
|
06-Apr-2015 |
Lennart Poettering <lennart@poettering.net> |
util: rework rm_rf() logic
- Move to its own file rm-rf.c
- Change parameters into a single flags parameter
- Remove "honour sticky" logic, it's unused these days |
cd972d6911b0e1403e0a11408be732fc3a513f2b |
|
14-Mar-2015 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core: don't wait for reply if writing to pipe fails
This shouldn't really happen, but it seems cleaner to
continue on error.
CID #1237552. |
2eec67acbb00593e414549a7e5b35eb7dd776b1b |
|
23-Feb-2015 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
remove unused includes
This patch removes includes that are not used. The removals were found with
include-what-you-use which checks if any of the symbols from a header is
in use. |
ca905b2fce3831c48dcf10e7ada58282504dc988 |
|
14-Feb-2015 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core: make RuntimeDirectory honor SELinux labels
https://bugzilla.redhat.com/show_bug.cgi?id=1192726 |
0a6f50c0afdfc434b492493bd9efab20cbee8623 |
|
12-Feb-2015 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
include <poll.h> instead of <sys/poll.h>
include-what-you-use automatically does this and it makes unnecessary
includes harder to spot. The only content of poll.h is an include
of sys/poll.h so it should be harmless. |
cf1d0302aeaf4e44a6a643fb41e5525fdd04b1d5 |
|
12-Feb-2015 |
Lennart Poettering <lennart@poettering.net> |
exec: also evaluate working_directory_missing_ok when not applying chroots |
4c08c8242a687e00b289e948ccd07b96f0bc4866 |
|
12-Feb-2015 |
Lennart Poettering <lennart@poettering.net> |
core: don't fail to run services in --user instances if $HOME is missing
Otherwise we cannot even invoke systemd-exit.service anymore, thus not
even exit.
https://bugs.freedesktop.org/show_bug.cgi?id=83100
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=759320 |
e89fe484df6b94fcd775b923327b54eaf0a116e2 |
|
11-Feb-2015 |
Cristian Rodríguez <crrodriguez@opensuse.org> |
core: remove unneeded <libgen.h> include
execute.c only uses basename (the GNU version in <string.h>) |
63c372cb9df3bee01e3bf8cd7f96f336bddda846 |
|
03-Feb-2015 |
Lennart Poettering <lennart@poettering.net> |
util: rework strappenda(), and rename it strjoina()
After all it is now much more like strjoin() than strappend(). At the
same time, add support for NULL sentinels, even if they are normally not
necessary. |
6cb7fa17b3d89741a5fd3ac807775a3022c7d891 |
|
13-Jan-2015 |
Martin Pitt <martin.pitt@ubuntu.com> |
core: Fix EACCES check for OOM adjustments
Commit 3bd5c3 added a check for EACCES, but missed the minus sign. |
ff0af2a1660bb122f29713c9b2aff8179f165bb7 |
|
09-Jan-2015 |
Lennart Poettering <lennart@poettering.net> |
core: modernize execution code a bit
Among other things, avoid log_struct() unless we really need it.
Also, use "r" as variable to store function errors in, instead of "err".
"r" is pretty much what we use everywhere else, hence using the same
here make sense.
Finally, in the child, when we want to log, make sure to open the
logging framework first, since it is explicitly closed in preparation
for the exec(). |
3bd5c32d939af0165a3aceff607101ba25efc2a0 |
|
08-Jan-2015 |
Lennart Poettering <lennart@poettering.net> |
core: check both EPERM and EACCES for OOM adjustments |
d5243d628624038567c576e9b69c1d775eb05a05 |
|
08-Jan-2015 |
Lennart Poettering <lennart@poettering.net> |
core: make EPERM errors when applying OOM adjustment for forked processes non-fatal
This should be useful for user namespaces. |
553d2243e2a42783b8bb94addfb752b802c23311 |
|
06-Jan-2015 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
tree-wide: remove unnecessary LOG_PRI
LOG_DEBUG is already a log level, there is no need to use LOG_PRI which
is for filtering out the facility. |
524daa8c3e2bd63ad9dbc24711cdcfb45a65b2db |
|
05-Jan-2015 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
journal: call connect() with dropped privileges
When systemd starts a service, it first opened /run/systemd/journal/stdout
socket, and only later switched to the right user.group (if they are
specified). Later on, journald looked at the credentials, and saw
root.root, because credentials are stored at the time the socket is
opened. As a result, all messages passed over _TRANSPORT=stdout were
logged with _UID=0, _GID=0.
Drop real uid and gid temporarily to fix the issue. |
039f0e70a0fcd71dcf7cc2f3ba2cea2e3b186a60 |
|
23-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
env-util: don't include files from src/core/ |
3c70e3bb022f0de3317f3600c9366a2f4597339e |
|
23-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
core: rearrange code so that libsystemd/sd-bus/ does not include header files from core
Stuff in src/shared or src/libsystemd should *never* include code from
src/core or any of the tools, so don't do that here either. It's not OK! |
24167f3db842238e4e9115db36eff947be46da5f |
|
19-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
execute: the runtime directory can only be on tmpfs, hence don't use rm_rf_dangerous() needlessly |
f1acf85a36f4c32d69511fe1bfa12f66e28fa80d |
|
19-Dec-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core: make exec_command_free_list return NULL |
ee33e53a70c0d3f9d8aeafe4b8fd84a0d5e1d8d9 |
|
11-Dec-2014 |
Torstein Husebø <torstein@huseboe.net> |
core: correct spacing near eol in code comments |
7b3fd6313c4b07b6f822a9f979d0c22350a401d9 |
|
10-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
scope: make attachment of initial PIDs a bit more robust |
2822da4fb7f891e5320f02f1d00f64b72221ced4 |
|
10-Dec-2014 |
Lennart Poettering <lennart@poettering.net> |
util: introduce our own gperf based capability list
This way, we can ensure we have a more complete, up-to-date list of
capabilities around, always. |
9008e1ac925afcdef7b45042c03fa5444f1c52c2 |
|
04-Dec-2014 |
Michal Sekletar <msekleta@redhat.com> |
selinux: figure out selinux context applied on exec() before closing all fds
We need the original socket_fd around, otherwise mac_selinux_get_child_mls_label
fails with -EINVAL return code. Also don't call setexeccon twice but rather pass
the context value of the SELinuxContext option as an extra argument. |
fed1e721fd0c81e60c77120539f34e16c2585634 |
|
28-Nov-2014 |
Lennart Poettering <lennart@poettering.net> |
treewide: introduce UID_INVALID (and friends) as macro for (uid_t) -1 |
56f64d95763a799ba4475daf44d8e9f72a1bd474 |
|
28-Nov-2014 |
Michal Schmidt <mschmidt@redhat.com> |
treewide: use log_*_errno whenever %m is in the format string
If the format string contains %m, clearly errno must have a meaningful
value, so we might as well use log_*_errno to have ERRNO= logged.
Using:
find . -name '*.[ch]' | xargs sed -r -i -e \
's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/'
Plus some whitespace, linewrap, and indent adjustments. |
31938a8560a664c32a9d72f1fc2d4347b232e6e9 |
|
28-Nov-2014 |
Michal Schmidt <mschmidt@redhat.com> |
core: convert log_unit_*() to log_unit_*_errno()
Using:
find . -name '*.[ch]' | xargs sed -r -i -e \
's/log_unit_(debug|info|notice|warning|error|emergency)\(([^"]+), "(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_unit_\1_errno(\2, \5, "\3%m"\4);/' |
da927ba997d68401563b927f92e6e40e021a8e5c |
|
28-Nov-2014 |
Michal Schmidt <mschmidt@redhat.com> |
treewide: no need to negate errno for log_*_errno()
It correctly handles both positive and negative errno values. |
0a1beeb64207eaa88ab9236787b1cbc2f704ae14 |
|
28-Nov-2014 |
Michal Schmidt <mschmidt@redhat.com> |
treewide: auto-convert the simple cases to log_*_errno()
As a followup to 086891e5c1 "log: add an "error" parameter to all
low-level logging calls and introduce log_error_errno() as log calls
that take error numbers", use sed to convert the simple cases to use
the new macros:
find . -name '*.[ch]' | xargs sed -r -i -e \
's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/'
Multi-line log_*() invocations are not covered.
And we also should add log_unit_*_errno(). |
e2cc6eca73cd1df8be552d7c23f9ff3d69c06f1e |
|
28-Nov-2014 |
Lennart Poettering <lennart@poettering.net> |
log: fix order of log_unit_struct() to match other logging calls
Also, while we are at it, introduce some syntactic sugar for creating
ERRNO= and MESSAGE= structured logging fields. |
79008bddf679a5e0900369950eb346c9fa687107 |
|
27-Nov-2014 |
Lennart Poettering <lennart@poettering.net> |
log: rearrange log function naming
- Rename log_meta() → log_internal(), to follow naming scheme of most
other log functions that are usually invoked through macros, but never
directly.
- Rename log_info_object() to log_object_info(), simply because the
object should be before any other parameters, to follow OO-style
programming style. |
2ca620c4ed28c01f285d869d0b22f22a360957da |
|
24-Nov-2014 |
WaLyong Cho <walyong.cho@samsung.com> |
smack: introduce new SmackProcessLabel option
In a service file, if the file in ExecStart= has a special SMACK label
and systemd has no permission for that special SMACK label,
then a permission error will occur. To resolve this, systemd should
be able to set its SMACK label to something that can access the ExecStart= file.
So introduce the new SmackProcessLabel= option. If a label is specified with
SmackProcessLabel= then the child systemd will set its label to
that. To successfully execute the ExecStart=, an accessible label should
be specified with SmackProcessLabel=.
Additionally, by SMACK policy, if the file in ExecStart= has no
SMACK64EXEC then the executed process will have given label by
SmackProcessLabel=. But if the file has SMACK64EXEC then the
SMACK64EXEC label will be overridden.
[zj: reword man page] |
a931ad47a8623163a29d898224d8a8c1177ffdaf |
|
05-Nov-2014 |
Lennart Poettering <lennart@poettering.net> |
core: introduce new Delegate=yes/no property controlling creation of cgroup subhierarchies
For privileged units this resource control property ensures that the
processes have all controllers systemd manages enabled.
For unprivileged services (those with User= set) this ensures that
access rights to the service cgroup are granted to the user in question,
to create further subgroups. Note that this only applies to the
name=systemd hierarchy though, as access to other controllers is not
safe for unprivileged processes.
Delegate=yes should be set for container scopes where a systemd instance
inside the container shall manage the hierarchies below its own cgroup
and have access to all controllers.
Delegate=yes should also be set for user@.service, so that systemd
--user can run, controlling its own cgroup tree.
This commit changes machined, systemd-nspawn@.service and user@.service
to set this boolean, in order to ensure that container management will
just work, and the user systemd instance can run fine. |
6baa7db00812437bbc87e73faa1a11b6cf631958 |
|
23-Oct-2014 |
Lennart Poettering <lennart@poettering.net> |
mac: also rename use_{smack,selinux,apparmor}() calls so that they share the new mac_{smack,selinux,apparmor}_xyz() convention |
cc56fafeebf814ef035e549115cf1850e6473fa5 |
|
23-Oct-2014 |
WaLyong Cho <walyong.cho@samsung.com> |
mac: rename apis with mac_{selinux/smack}_ prefix |
7491ccf2cb237a2a88b831b2c7374ba2bb255cba |
|
17-Oct-2014 |
Lukas Nykryn <lnykryn@redhat.com> |
environment: append unit_id to error messages regarding EnvironmentFile |
8fa6cbe1a9f3f3353224116772619a4d3eb26f88 |
|
17-Oct-2014 |
Lennart Poettering <lennart@poettering.net> |
execute: downgrade namespace error to "warning"
Also, extend the printed warning a bit, explaining the situation more
verbosely. |
0015ebf3fa524d414a947bdf0814782a8ee00799 |
|
17-Oct-2014 |
Michal Sekletar <msekleta@redhat.com> |
execute: don't fail child when we don't have privileges to setup namespaces
If we don't have privileges to set up the namespaces then we are most likely
running inside some sort of unprivileged container, hence not being able to
create a namespace is not a problem because the spawned service can't access the host
system anyway. |
5482192e5774f52f2af0665a3b58539295e9c0a4 |
|
11-Oct-2014 |
Michael Scherer <misc@zarb.org> |
Report aa_change_onexec error code
Since aa_change_onexec returns the error code in errno, and returns
-1, the current code does not give any useful information when
something fails. This makes apparmor easier to debug, as seen on
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=760526 |
e63ff941eaa012ffd003e3791438c73b8a26227d |
|
30-Sep-2014 |
Tom Gundersen <teg@jklm.no> |
core: execute - don't leak strv |
86b23b07c96b185126bfbf217227dad362a20c25 |
|
29-Sep-2014 |
Jan Synacek <jsynacek@redhat.com> |
swap: introduce Discard property
Process possible "discard" values from /etc/fstab. |
16115b0a7b7cdf08fb38084d857d572d8a9088dc |
|
19-Sep-2014 |
Michal Sekletar <msekleta@redhat.com> |
socket: introduce SELinuxContextFromNet option
This makes it possible to spawn service instances triggered by socket with
MLS/MCS SELinux labels which are created based on information provided by
connected peer.
Implementation of label_get_child_mls_label derived from xinetd.
Reviewed-by: Paul Moore <pmoore@redhat.com> |
822a59607c4974915db0644b627070f001986825 |
|
08-Sep-2014 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
execute: silence warnings
Mark two function parameters as const |
e44da745d19b9e02e67e32ea82c3bad86175120c |
|
08-Sep-2014 |
Daniel Mack <zonque@gmail.com> |
service: hook up custom endpoint logic
If BusPolicy= was passed, the parser function will have created
an ExecContext->bus_endpoint object, along with policy information.
In that case, create a kdbus endpoint, and pass its path name to the
namespace logic, so it will be mounted over the actual 'bus' node.
At endpoint creation time, no policy is uploaded. That is done after
fork(), through a separate call. This is necessary because we don't
know the real uid of the process earlier than that. |
a610cc4f18c24a007e5a2cac21b2ecbd81e5f3c3 |
|
08-Sep-2014 |
Daniel Mack <zonque@gmail.com> |
namespace: add support for custom kdbus endpoint
If a path to a previously created custom kdbus endpoint is passed in,
bind-mount a new devtmpfs that contains a 'bus' node, which in turn is
bind-mounted with the custom endpoint. This tmpfs is then mounted over the
kdbus subtree that refers to the current bus.
This way, we can fake the bus node in order to lock down services with
a kdbus custom endpoint policy. |
bb7dd0b04a6e89674100476eed0bbd05c6a4cbd8 |
|
08-Sep-2014 |
Daniel Mack <zonque@gmail.com> |
bus: add kdbus endpoint types
Add types to describe endpoints and associated policy entries,
and add a BusEndpoint instance to ExecContext. |
d35fbf6bdf4377f3a15b084ff812b3ee272e5347 |
|
05-Sep-2014 |
Daniel Mack <zonque@gmail.com> |
exec: move code executed after fork into exec_child()
This factors out one conditional branch that has grown way too big, and
makes the code more readable by using return statements rather than jump
labels. |
9fa95f8539a380e93f760956bc6982e57f5bf3af |
|
05-Sep-2014 |
Daniel Mack <zonque@gmail.com> |
exec: factor out most function arguments of exec_spawn() to ExecParameters
This way, the list of arguments to that function gets more comprehensive,
and we can get around passing lots of NULL and 0 arguments from socket.c,
swap.c and mount.c.
It also allows for splitting up the code in exec_spawn().
While at it, make ExecContext const in execute.c. |
1b6d7fa742e303611dff8d7ebfa86ee5fb8b7dc7 |
|
26-Aug-2014 |
Lennart Poettering <lennart@poettering.net> |
util: make use of newly added reset_signal_mask() call wherever appropriate |
f461c8073dee9cd10bfae5ae3586e785ec8a5d07 |
|
21-Aug-2014 |
Lennart Poettering <lennart@poettering.net> |
execute: explain in a comment, why close_all_fds() is invoked the second time differently |
4c94096027f21d4ed0efe991534a926d39d52369 |
|
21-Aug-2014 |
Lennart Poettering <lennart@poettering.net> |
core: unify how we generate the prefix string when dumping unit state |
3bb07b7680c543c982077ac075abe8badeb46ca1 |
|
19-Aug-2014 |
Lennart Poettering <lennart@poettering.net> |
Revert "socket: introduce SELinuxLabelViaNet option"
This reverts commit cf8bd44339b00330fdbc91041d6731ba8aba9fec.
Needs more discussion on the mailing list. |
cf8bd44339b00330fdbc91041d6731ba8aba9fec |
|
19-Aug-2014 |
Michal Sekletar <msekleta@redhat.com> |
socket: introduce SELinuxLabelViaNet option
This makes it possible to spawn service instances triggered by socket with
MLS/MCS SELinux labels which are created based on information provided by
connected peer.
Implementation of label_get_child_label derived from xinetd.
Reviewed-by: Paul Moore <pmoore@redhat.com> |
3a43da2832dc5360a638d043f469a6dcbe025582 |
|
29-Jul-2014 |
Kay Sievers <kay@vrfy.org> |
time-util: add and use USEC/NSEC_INFINITY |
418b9be50018303cde79b423d4701b7fd86ddbdc |
|
07-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
firstboot: add new component to query basic system settings on first boot, or when creating OS images offline
A new tool "systemd-firstboot" can be used either interactively on boot,
where it will query basic locale, timezone, hostname, root password
information and set it. Or it can be used non-interactively from the
command line when preparing disk images for booting. When used
non-interactively the tool can either copy settings from the host, or
take settings on the command line.
$ systemd-firstboot --root=/path/to/my/new/root --copy-locale --copy-root-password --hostname=waldi
The tool will be automatically invoked (interactively) now on first boot
if /etc is found unpopulated.
This also creates the infrastructure for generators to be notified via
an environment variable whether they are running on the first boot, or
not. |
717603e391b52983ca1fd218e7333a1b9dfc5c05 |
|
03-Jul-2014 |
Lennart Poettering <lennart@poettering.net> |
machinectl: show /etc/os-release information of container in status output |
e1d758033dc7e101ab32323a0f1649d8daf56a22 |
|
24-Jun-2014 |
Ronny Chevalier <chevalier.ronny@gmail.com> |
use more _cleanup_ macro |
1b8689f94983b47bf190e77ddb03a8fc6af15fb3 |
|
04-Jun-2014 |
Lennart Poettering <lennart@poettering.net> |
core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only
Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit.
With this in place we now have two neat options ProtectSystem= and
ProtectHome= for protecting the OS itself (and optionally its
configuration), and for protecting the user's data. |
417116f23432073162ebfcb286a7800846482eed |
|
03-Jun-2014 |
Lennart Poettering <lennart@poettering.net> |
core: add new ReadOnlySystem= and ProtectedHome= settings for service units
ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for
a service.
ProtectedHome= uses fs namespaces to mount /home and /run/user
inaccessible or read-only for a service.
This patch also enables these settings for all our long-running services.
Together they should be a good building block for a minimal service
sandbox, removing the ability for services to modify the operating
system or access the user's private data. |
de0671ee7fe465e108f62dcbbbe9366f81dd9e9a |
|
15-May-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Remove unnecessary casts in printfs
No functional change expected :) |
7f8aa67131cfc03ddcbd31c0420754864fc122f0 |
|
24-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
core: remove tcpwrap support
tcpwrap is legacy code, that is barely maintained upstream. Its APIs
are awful, and the feature set it exposes (such as DNS and IDENT
access control) questionable. We should not support this natively in
systemd.
Hence, let's remove the code. If people want to continue making use of
this, they can do so by plugging in "tcpd" for the processes they start.
With that scheme things are as well or badly supported as they were from
traditional inetd, hence no functionality is really lost. |
3d94f76c99da13e5603831d0b278f8c8c21bcb02 |
|
24-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
util: replace close_pipe() with new safe_close_pair()
safe_close_pair() is more like safe_close(), except that it handles
pairs of fds, and doesn't make any misleading allusion, as it works
similarly well for socketpairs() as for pipe()s... |
03e334a1c7dc8c20c38902aa039440763acc9b17 |
|
18-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
util: replace close_nointr_nofail() by a more useful safe_close()
safe_close() automatically becomes a NOP when a negative fd is passed,
and returns -1 unconditionally. This makes it easy to write lines like
this:
fd = safe_close(fd);
Which will close an fd if it is open, and reset the fd variable
correctly.
By making use of this new scheme we can drop > 200 lines of code that
was required to test for non-negative fds or to reset the closed fd
variable afterwards. |
517d56b1d0f67dcf76710bc1e17b05518b8cabe6 |
|
05-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
missing: if RLIMIT_RTTIME is not defined by the libc, then we need a new define for the max number of rlimits, too |
e66cf1a3f94fff48a572f6dbd19b43c9bcf7b8c7 |
|
03-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings
As discussed on the ML these are useful to manage runtime directories
below /run for services. |
98b47d54ce946ad3524f84eb38d2413498a333dc |
|
03-Mar-2014 |
Lennart Poettering <lennart@poettering.net> |
execute: free directory path if we fail to remove it because we cannot allocate a thread |
f513e420c8b1a1d4c13092cd378f048b69793497 |
|
26-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
exec: imply NoNewPrivileges= only when seccomp filters are used in user mode |
4298d0b5128326621c8f537107c4c8b459490721 |
|
26-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
core: add new RestrictAddressFamilies= switch
This new unit setting allows restricting which address families are
available to processes. This is an effective way to minimize the attack
surface of services, by turning off entire network stacks for them.
This is based on seccomp, and does not work on x86-32, since seccomp
cannot filter socketcall() syscalls on that platform. |
7c66bae2ff5cb674612f84637cb98f9478ed26a8 |
|
26-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
seccomp: we should control NO_NEW_PRIVS on our own, not let seccomp do this for us |
eef65bf3ee6f73afa4a5de23ae3a794a279f30c0 |
|
21-Feb-2014 |
Michael Scherer <misc@zarb.org> |
core: Add AppArmor profile switching
This permits switching to a specific apparmor profile when starting a daemon. This
will result in a no-op if apparmor is disabled.
It also adds a new build requirement on libapparmor for using this feature. |
1756a0118ea1ab25fd46c853e89853c7e4b3038c |
|
19-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
execute: modernizations |
ac45f971a12280de55b834a65237f72dcacfc099 |
|
19-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
core: add Personality= option for units to set the personality for spawned processes |
e9642be2cce7f5e90406980092a6f71f504a16af |
|
18-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
seccomp: add helper call to add all secondary archs to a seccomp filter
And make use of it where appropriate for executing services and for
nspawn. |
5f8640fb628cb034981e02d741fd9ddf26fdf38d |
|
17-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
core: store and expose SELinuxContext field normalized as bool + string |
57183d117a1d6a96d71ce99d648beb0d2b36228d |
|
13-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
core: add SystemCallArchitectures= unit setting to allow disabling of non-native
architecture support for system calls
Also, turn system call filter bus properties into complex types instead
of concatenated strings. |
351a19b17d51ba0a5737f35d3c5deb8e7975fdee |
|
12-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
core: fix build without libseccomp |
17df7223be064b1542dbe868e3b35cca977ee639 |
|
12-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
core: rework syscall filter
- Allow configuration of an errno error to return from blacklisted
syscalls, instead of immediately terminating a process.
- Fix parsing logic when libseccomp support is turned off
- Only keep the actual syscall set in the ExecContext, and generate the
string version only on demand. |
c0467cf387548dc98c0254f63553d862b35a84e5 |
|
12-Feb-2014 |
Ronny Chevalier <chevalier.ronny@gmail.com> |
syscallfilter: port to libseccomp |
82adf6af7c72b852449346835f33184a841b4796 |
|
10-Feb-2014 |
Lennart Poettering <lennart@poettering.net> |
nspawn,man: use a common vocabulary when referring to selinux security contexts
Let's always call the security labels the same way:
SMACK: "Smack Label"
SELINUX: "SELinux Security Context"
And the low-level encapsulation is called "seclabel". Now let's hope we
stick to this vocabulary in future, too, and don't mix "label"s and
"security contexts" and so on wildly. |
0d3f7bb3a5bc6d5c0712f88a080fed388981bca3 |
|
10-Feb-2014 |
Michael Scherer <misc@zarb.org> |
exec: Add support for ignoring errors on SELinuxContext by prefixing it with -, like for other settings.
Also remove call to security_check_context, as this doesn't serve anything, since
setexeccon will fail anyway. |
5c56a259e07661a66e806cc2fbc71de96a75f78e |
|
10-Feb-2014 |
Michael Scherer <misc@zarb.org> |
exec: Ignore the setting SELinuxContext if selinux is not enabled |
7b52a628f8b43ba521c302a7f32bccf9d0dc8bfd |
|
10-Feb-2014 |
Michael Scherer <misc@zarb.org> |
exec: Add SELinuxContext configuration item
This permits system administrators to decide the domain of a service.
This can be used with templated units to have each service in a different
domain (for example, a per customer database, using MLS or anything),
or can be used to force a non-SELinux-enabled system (jvm, erlang, etc.)
to start in a different domain for each service. |
7f112f50fea585411ea2d493b3582bea77eb4d6e |
|
20-Jan-2014 |
Lennart Poettering <lennart@poettering.net> |
exec: introduce PrivateDevices= switch to provide services with a private /dev
Similar to PrivateNetwork= and PrivateTmp=, introduce PrivateDevices= that
sets up a private /dev with only the API pseudo-devices like /dev/null,
/dev/zero, /dev/random, but not any physical devices in them. |
5ce70e5bcd62e89b52485961c3699312ee4a7e0e |
|
03-Jan-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Introduce cleanup functions for cap_free
Unfortunately a different cleanup function is necessary per type,
because cap_t** and char** are incompatible with void**. |
ccd06097c79218f7d5ea4c21721bbcbc7c467dca |
|
03-Jan-2014 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Use format patterns for usec_t, pid_t, nsec_t, usec_t
It is nicer to predefine patterns using configure time check instead of
using casts everywhere.
Since we do not need to use any flags, include "%" in the format instead
of excluding it like PRI* macros. |
f146f5e159445c4fc7e89fe19ee2b8d72fc19ed7 |
|
30-Dec-2013 |
Stefan Beller <stefanbeller@googlemail.com> |
core: Forgot to dereference pointer when checking for NULL
Actually we already checked for !rt before, now we'd like to examine
the return value of the memory allocation. |
43a99a7afe3063eebc901452026b13360b69a7b5 |
|
25-Dec-2013 |
Lennart Poettering <lennart@poettering.net> |
build-sys: minor fixes found with cppcheck |
09812eb764b440651f3ff4cb5d37bd343f800560 |
|
22-Dec-2013 |
Lennart Poettering <lennart@poettering.net> |
sd-daemon: introduce sd_watchdog_enabled() for parsing $WATCHDOG_USEC
Also, introduce a new environment variable named $WATCHDOG_PID which
contains the PID of the process that is supposed to send the keep-alive
events. This is similar to how $LISTEN_FDS and $LISTEN_PID work together,
and protects against confusing processes further down the process tree
due to inherited environment. |
7cae38c4fa51a56cd13ff028278efe7fae3c222c |
|
18-Dec-2013 |
Lennart Poettering <lennart@poettering.net> |
execute: set TERM even if we don't open the tty on our own
This way, when a tty path is configured TERM is set, which is nice to
set a useful term for gettys. |
531dca789ea6b4c269ca2646515b42962f83d64a |
|
16-Dec-2013 |
Lennart Poettering <lennart@poettering.net> |
execute: also set SO_SNDBUF when spawning a service with stdout/stderr connected to journald |
2b6bf07dd23bb467099d213c97b3875c5e453491 |
|
07-Dec-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Get rid of our reimplementation of basename
The only problem is that libgen.h #defines basename to point to its
own broken implementation instead of the GNU one. This can be fixed
by #undefining basename. |
613b411c947635136637f8cdd66b94512f761eab |
|
27-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
service: add the ability for units to join other units' PrivateNetwork= and PrivateTmp= namespaces |
9588bc32096fc8342bfd8b989689717186d7d86e |
|
08-Nov-2013 |
Lennart Poettering <lennart@poettering.net> |
Remove dead code and unexport some calls
"make check-api-unused" informs us about code that is not used anymore
or that is exported but only used internally. Fix these all over the
place. |
250a918dc4c8a15d927deecc3b3f6a0604657ae4 |
|
29-Oct-2013 |
Lennart Poettering <lennart@poettering.net> |
strv: introduce new strv_from_stdarg_alloca() macro to generate a string array from stdarg function parameters
This allows us to turn lists of strings passed in easily into string
arrays without having to allocate memory. |
d8c9d3a468e61ee2a2b2c3454e662398b0885411 |
|
23-Oct-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
systemd: use unit name in PrivateTmp directories
Unit name is used whole in the directory name, so that the unit name
can be easily extracted from it, e.g. "/tmp/systemd-abcd.service-DEDBIF1".
https://bugzilla.redhat.com/show_bug.cgi?id=957439 |
44b601bc79e46722bc0f0862ee0ce34a2284ef11 |
|
16-Oct-2013 |
Lennart Poettering <lennart@poettering.net> |
macro: clean up usage of gcc attributes
Always use our own macros, and name all our own macros the same style. |
71fda00f320379f5cbee8e118848de98caaa229d |
|
14-Oct-2013 |
Lennart Poettering <lennart@poettering.net> |
list: make our list macros a bit easier to use by not requiring type spec on each invocation
We can determine the list entry type via the typeof() gcc construct, and
so we should, to make the macros much shorter to use. |
970edce6efcd3a0cf284aa0f43e0b27ecbd415f5 |
|
04-Oct-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
execute: more debugging messages |
59fccd82117cf9a84454f41867a882f872916dc5 |
|
02-Oct-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
execute.c: always set $SHELL
In e6dca81 $SHELL was added to user@.service. Let's
instead provide it to all units which have a user. |
f546241b6dd82d20ff915f618d143a19db8a4574 |
|
26-Sep-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
execute.c: little modernization |
13b84ec7df103ce388910a2b868fe1668c1e27ef |
|
25-Sep-2013 |
Lennart Poettering <lennart@poettering.net> |
cgroup: if we do a cgroup operation then do something on all supported controllers
Previously we did operations like attach, trim or migrate only on the
controllers that were enabled for a specific unit. With this changes we
will now do them for all supported controllers, and fall back to all
possible prefix paths if the specified paths do not exist.
This fixes issues if a controller is being disabled for a unit where it
was previously enabled, and makes sure that all processes stay as "far
down" the tree as groups exist. |
f485606bf8957d2954cf6fa5b0aabd5c39db15c1 |
|
17-Sep-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Make tmpdir removal asynchronous
https://bugs.freedesktop.org/show_bug.cgi?id=68232 |
31a7eb86f18b0466681d6fbe80c148f96c551c80 |
|
16-Jul-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
systemd: do not output status messages once gettys are running
Make Type=idle communication bidirectional: when bootup is finished,
the manager, as before, signals idling Type=idle jobs to continue.
However, if the boot takes too long, idling jobs signal the manager
that they have had enough, wait a tiny bit more, and continue, taking
ownership of the console. The manager, when signalled that Type=idle
jobs are done, makes a note and will not write to the console anymore.
This is a cosmetic issue, but quite noticeable, so let's just fix it.
Based on Harald Hoyer's patch.
https://bugs.freedesktop.org/show_bug.cgi?id=54247
http://unix.stackexchange.com/questions/51805/systemd-messages-after-starting-login/ |
8aa75193662d0e18d7c21ee9d546b7f3c8b8bc14 |
|
11-Jul-2013 |
Lennart Poettering <lennart@poettering.net> |
core: grant user@.service instances write access to their own cgroup |
e9c1ea9de87d4d508ac38ce87a2fa56e7529a91a |
|
03-Jul-2013 |
Jason St. John <jstjohn@purdue.edu> |
replace tabs with spaces in various files
The affected files in this patch had inconsistent use of tabs vs. spaces
for indentation, and this patch eliminates the stray tabs.
Also, the opening brace of sigchld_hdl() in activate.c was moved so the
opening braces are consistent throughout the file. |
4ad490007b70e6ac18d3cb04fa2ed92eba1451fa |
|
27-Jun-2013 |
Lennart Poettering <lennart@poettering.net> |
core: general cgroup rework
Replace the very generic cgroup hookup with a much simpler one. With
this change only the high-level cgroup settings remain, the ability to
set arbitrary cgroup attributes is removed, so is support for adding
units to arbitrary cgroup controllers or setting arbitrary paths for
them (especially paths that are different for the various controllers).
This also introduces a new -.slice root slice, that is the parent of
system.slice and friends. This enables easy admin configuration of
root-level cgroup properties.
This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in
/dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is
turned off by DevicePolicy=). |
507f22bd0172bff5e5d98145b1419bd472a2c57f |
|
10-Jun-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Use stdint.h macros instead of casts to print uint64_t values
Casts are visually heavy, and can obscure unwanted truncations. |
44a6b1b68029833893f6e9cee35aa27a974038f6 |
|
03-May-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Add __attribute__((const, pure, format)) in various places
I'm assuming that it's fine if a _const_ or _pure_ function
calls assert. It is assumed that the assert won't trigger,
and even if it does, it can only trigger on the first call
with a given set of parameters, and we don't care if the
compiler moves the order of calls. |
7fd1b19bc9e9f5574f2877936b8ac267c7706947 |
|
18-Apr-2013 |
Harald Hoyer <harald@redhat.com> |
move _cleanup_ attribute in front of the type
http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html |
5521d6985648669a65d0529bb01c7a32edc99294 |
|
18-Apr-2013 |
Harald Hoyer <harald@redhat.com> |
core/execute: only clean the environment, if we have one |
099a804b11072b6be9fd32b3aa1f90b393adef98 |
|
18-Apr-2013 |
Lennart Poettering <lennart@poettering.net> |
execute: always add in EXECUTABLE= field when we log something about execution |
ebc05a09ad6d1672cf4f426ee4252cf495daa139 |
|
17-Apr-2013 |
Harald Hoyer <harald@redhat.com> |
core/execute: report invalid environment variables from files
Because "export key=val" is not supported by systemd, an error is logged
where the invalid assignment is coming from.
Introduce strv_env_clean_log() to log invalid environment assignments,
where logging is possible and allowed.
parse_env_file_internal() is modified to allow WHITESPACE in keys, to
report the issues later on. |
03bb799e0b3560dca8c9b70de3dbadb0c281b36f |
|
17-Apr-2013 |
Harald Hoyer <harald@redhat.com> |
core/execute.c: debug log final execve() with argv[]
https://bugzilla.redhat.com/show_bug.cgi?id=772073 |
2d76d14ea3682c1c144001449654eb0c6bbda08d |
|
08-Apr-2013 |
Lennart Poettering <lennart@poettering.net> |
cgroup: clean-ups |
974efc46586854b1f23ccf153b36199c77919de6 |
|
08-Apr-2013 |
Lennart Poettering <lennart@poettering.net> |
cgroup: always keep access mode of 'tasks' and 'cgroup.procs' files in cgroup directories in sync |
c84a94883161073239c35d181e25823ff0454f68 |
|
06-Apr-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Add _cleanup_globfree_
Fixes a memleak in error path in exec_context_load_environment. |
b92bea5d2a9481de69bb627a7b442a9f58fca43d |
|
06-Apr-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Use initialization instead of explicit zeroing
Before, we would initialize many fields twice: first
by filling the structure with zeros, and then a second
time with the real values. We can let the compiler do
the job for us, avoiding one copy.
A downside of this patch is that text gets slightly
bigger. This is because all zero() calls are effectively
inlined:
$ size build/.libs/systemd
text data bss dec hex filename
before 897737 107300 2560 1007597 f5fed build/.libs/systemd
after 897873 107300 2560 1007733 f6075 build/.libs/systemd
… actually less than 1‰.
A few asserts that the parameter is not null had to be removed. I
don't think this changes much, because first, it is quite unlikely
for the assert to fail, and second, an immediate SEGV is almost as
good as an assert. |
f73141d7657b3f60b8669bc8386413d8a8a372c6 |
|
03-Apr-2013 |
Lennart Poettering <lennart@poettering.net> |
shared: rework env file reader
Implement this with a proper state machine, so that newlines and
escaped chars can appear in string assignments. This should bring the
parser much closer to shell. |
574d5f2dfc25226afc718aa5ba1a145fe5cad221 |
|
03-Apr-2013 |
Lennart Poettering <lennart@poettering.net> |
util: rename write_one_line_file() to write_string_file()
You can write much more than just one line with this call (and we
frequently do), so let's correct the naming. |
e62d8c3944745ed276e6d4f33153009860e5cfc5 |
|
31-Mar-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Modernization
Use _cleanup_ and wrap lines to ~80 chars and such. |
cbb21cca098f9063b0ff5548b2c73ab517f55ea5 |
|
31-Mar-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
execute: convert secure bits into mask properly
C.f. http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5975c725dfd6f7d36f493ab1453fbdbd35c1f0e3 |
ebf4fb3d368732d9f41cb40e3084182c04e731b2 |
|
27-Mar-2013 |
Václav Pavlín <vpavlin@redhat.com> |
core: check return value of rm_rf_dangerous and warn if it fails |
d34cd374905a40e65769351a2808b741b5418bf1 |
|
20-Mar-2013 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
Make PrivateTmp dirs also inaccessible from the outside
Currently, PrivateTmp=yes means that the service cannot see the /tmp
shared by rest of the system and is isolated from other services using
PrivateTmp, but users can access and modify /tmp as seen by the
service.
Move the private /tmp and /var/tmp directories into a 0077-mode
directory. This way unprivileged users on the system cannot see (or
modify) /tmp as seen by the service. |
c17ec25e4d9bd6c8e8617416f813e25b2ebbafc5 |
|
16-Mar-2013 |
Michal Sekletar <msekleta@redhat.com> |
core: reuse the same /tmp, /var/tmp and inaccessible dir
All Execs within the service will get mounted the same
/tmp and /var/tmp directories if the service is configured with
PrivateTmp=yes. Temporary directories are cleaned up by the service
itself in addition to systemd-tmpfiles. The directory which is mounted
as inaccessible is created at runtime in /run/systemd. |
6ac8fdc9554a40024827ad9f64d02b4d8d2ab8ba |
|
28-Feb-2013 |
Michal Schmidt <mschmidt@redhat.com> |
core/execute: determine if ExecContext may fiddle with /dev/console
There is some guesswork, but it should work satisfactorily for the
purpose of knowing when to suppress printing of status messages. |
3a1286b66883ef2cf577b29364e4b5fd43a295c8 |
|
28-Feb-2013 |
Michal Schmidt <mschmidt@redhat.com> |
core/execute: add internal is_terminal_output()
Similar to already existing is_terminal_input().
Note that the only current user (connect_logger_as) is never called
for EXEC_OUTPUT_TTY, so it won't mind whether we accept it. |
80cbda3558c534b575bf5315fa53b0f82dc088ab |
|
16-Feb-2013 |
Michal Schmidt <mschmidt@redhat.com> |
execute: increase severity of journal connect failure message
journald is supposed to work. Failure to connect to its socket implies
losing messages. It should be a very unusual event. Log the failure with
LOG_CRIT.
Just because this unit's stdout/stderr failed to connect to the journal
does not necessarily mean that we shouldn't try to log the failure using
a structured entry, so let's use log_struct_unit. |
eb17e935988993f4e0ebe08be81150ce35b140bf |
|
16-Feb-2013 |
Michal Schmidt <mschmidt@redhat.com> |
execute: unify setup_{output,error}
The functions are quite similar. Unify them into one.
The source gets shorter, the binary gets slightly smaller. |
47c1d80d844689c81faf2eede95803c1ed6eb4af |
|
16-Feb-2013 |
Michal Schmidt <mschmidt@redhat.com> |
execute: robustness against journald failures
Almost every unit logs to the journal. If journald gets a permanent
failure, units would not be able to start (exit code 209/STDOUT).
Add a fallback to /dev/null to avoid making the system entirely
unusable in such a case. |
a5c32cff1f56afe6f0c6c70d91a88a7a8238b2d7 |
|
14-Feb-2013 |
Harald Hoyer <harald@redhat.com> |
honor SELinux labels, when creating and writing config files
Also split out some fileio functions to fileio.c and provide a SELinux
aware pendant in fileio-label.c
see https://bugzilla.redhat.com/show_bug.cgi?id=881577 |
4d1a69043862ed979642f5688097160355d4cc81 |
|
11-Feb-2013 |
Lennart Poettering <lennart@poettering.net> |
env: considerably beef up environment cleaning logic
Now, actually check if the environment variable names and values used
are valid, before accepting them. With this in place we are at some places
more rigid than POSIX, and less rigid at others. For example, this code
allows lower-case environment variables (which POSIX suggests not to
use), but it will not allow non-UTF8 variable values.
All in all this should be a good middle ground of what to allow and what
not to allow as environment variables.
(This also splits out all environment related calls into env-util.[ch]) |
843fc7f7f26a6507fe896a79ed1b474c35c4300f |
|
19-Jan-2013 |
Jonathan Callen <abcd@gentoo.org> |
execute: Fix seccomp support on x32
In the x32 ABI, syscall numbers start at 0x40000000. Mask that bit on
x32 for lookups in the syscall_names array and syscall_filter and ensure
that syscall.h is parsed correctly.
[zj: added SYSCALL_TO_INDEX, INDEX_TO_SYSCALL macros.] |
bbc9006e6b5665073149331d75c104a33224dc19 |
|
18-Jan-2013 |
Mirco Tischler <mt-ml@gmx.de> |
core: log USER_UNIT instead of UNIT if in user session |
b929bf049d33823dedb1ab2e2ac688cd341792fb |
|
09-Jan-2013 |
Thomas Hindoe Paaboel Andersen <phomes@gmail.com> |
tabs to spaces
Skipped bootchart and various files that looked like they should be
kept in sync with external sources. |
2bef10ab3648db144c421f7765d20dbdf1afe074 |
|
04-Jan-2013 |
Pekka Lundstrom <pekka.lundstrom@jollamobile.com> |
Added globbing support to EnvironmentFile
This patch allows globbing to be used with EnvironmentFile option.
Example:
EnvironmentFile=/etc/foo.d/*.conf
t. Pekka |
20ad4cfd8e5592f634f20468798cbc1055ab9faf |
|
05-Dec-2012 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core: add catalog entry and MESSAGE_ID for overmounting |
f8b69d1dfc307562a353f6aa923b7c2b915aaddb |
|
30-Oct-2012 |
Michal Schmidt <mschmidt@redhat.com> |
shared, core: do not always accept numbers in string lookups
The behaviour of the common name##_from_string conversion is surprising.
It accepts not only the strings from name##_table but also any number
that falls within the range of the table. The order of items in most of
our tables is an internal affair. It should not be visible to the user.
I know of a case where the surprising numeric conversion leads to a crash.
We will allow the direct numeric conversion only for the tables where the
mapping of strings to numeric values has an external meaning. This holds
for the following lookup tables:
- netlink_family, ioprio_class, ip_tos, sched_policy - their numeric
values are stable as they are defined by the Linux kernel interface.
- log_level, log_facility_unshifted - the well-known syslog interface.
We allow the user to use numeric values whose string names systemd does
not know. For instance, the user may want to test a new kernel featuring
a scheduling policy that did not exist when his systemd version was
released. A slightly unpleasant effect of this is that the
name##_to_string conversion cannot return pointers to constant strings
anymore. The strings have to be allocated on demand and freed by the
caller. |
23635a8547eac0c05922609f5930badc86faf080 |
|
18-Oct-2012 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
systemd: use structured logging for unit changes
Information which unit a log entry pertains to enables systemctl
status to display more log messages. |
b66871dad9ae24a1249fe31b58b239640dd6271c |
|
18-Oct-2012 |
Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> |
core/execute: use cleanup_strv_free |
b7848021c3b058086243071b122077fc4fa1106e |
|
18-Sep-2012 |
Lennart Poettering <lennart@poettering.net> |
execute: apply PAM logic only to main process if PermissionsStartOnly is set
https://bugs.freedesktop.org/show_bug.cgi?id=54176 |
ac0930c892bc7979b4c9bc2a52e5e844650b025d |
|
13-Aug-2012 |
Lennart Poettering <lennart@poettering.net> |
namespace: rework namespace support
- don't use pivot_root() anymore, just reuse root hierarchy
- first create all mounts, then mark them read-only so that we get the
right behaviour when people want writable mounts inside of
read-only mounts
- don't pass invalid combinations of MS_ constants to the kernel |
4819ff0358b6317c195fd4b1768e03d09c871070 |
|
20-Jul-2012 |
Lennart Poettering <lennart@poettering.net> |
unit: split off KillContext from ExecContext containing only kill definitions |
b9a0e0106833ac595f860897038953c3e39cd355 |
|
17-Jul-2012 |
Lennart Poettering <lennart@poettering.net> |
execute: free syscall filter array after use |
8351ceaea9480d9c2979aa2ff0f4982cfdfef58d |
|
17-Jul-2012 |
Lennart Poettering <lennart@poettering.net> |
execute: support syscall filtering using seccomp filters |
d05c5031ad4c528fe6bbfed289519edb9f13180a |
|
16-Jul-2012 |
Lennart Poettering <lennart@poettering.net> |
unit: introduce %s specifier for the user shell |
af6da548aa14c57da7f17b3a1f2211efdb811d19 |
|
26-Jun-2012 |
Lennart Poettering <lennart@poettering.net> |
core: make systemd.confirm_spawn=1 actually work
This adds a timeout if the TTY cannot be acquired and makes sure we
always output the question to the console, never to the TTY of the
respective service. |
62bca2c657bf95fd1f69935eef09915afa5c69d9 |
|
22-Jun-2012 |
Eelco Dolstra <eelco.dolstra@logicblox.com> |
journal: set the _SYSTEMD_UNIT field for messages from terminated processes
As described in
https://bugs.freedesktop.org/show_bug.cgi?id=50184
the journal currently doesn't set fields such as _SYSTEMD_UNIT
properly for messages coming from processes that have already
terminated. This means among other things that "systemctl status" may
not show some of the output of services that wrote messages just
before they exited.
This patch fixes this by having processes that log to the journal
write their unit identifier to journald when the connection to
/run/systemd/journal/stdout is opened. Journald stores the unit ID
and uses it to fill in _SYSTEMD_UNIT when it cannot be obtained
normally (i.e. from the cgroup). To prevent impersonating another
unit, this information is only used when the caller is root.
This doesn't fix the general problem of getting metadata about
messages from terminated processes (which requires some kernel
support), but it allows "systemctl status" and similar queries to do
the Right Thing for units that log via stdout/stderr. |
f96096dbbf0cc7335babf0386b8888431cd70728 |
|
04-Jun-2012 |
Kay Sievers <kay@vrfy.org> |
silence gcc warning on 32 bit |
8600c525cb1420570e7670c963abd19c5696b683 |
|
04-Jun-2012 |
Kay Sievers <kay@vrfy.org> |
remove support for deprecated /proc/self/oom_adj |
d88a251b125f6e9178b9ca9ea47ab7da3234cb58 |
|
31-May-2012 |
Lennart Poettering <lennart@poettering.net> |
util: introduce a proper nsec_t and make use of it where appropriate |
ec8927ca5940e809f0b72f530582c76f1db4f065 |
|
24-May-2012 |
Lennart Poettering <lennart@poettering.net> |
main: add configuration option to alter capability bounding set for PID 1
This also ensures that caps dropped from the bounding set are also
dropped from the inheritable set, to be extra-secure. Usually that should
change very little though as the inheritable set is empty for all our uses
anyway. |
e056b01d8acea7fc06d52ef91d227d744faf5259 |
|
24-May-2012 |
Lennart Poettering <lennart@poettering.net> |
service: for Type=idle units consider START_PRE, START, START_POST all as ACTIVE
We want to avoid a deadlock when a service has ExecStartPre= programs
that wait for the job queue to run empty because of Type=idle, but which
themselves keep the queue non-empty because START_PRE was considered
ACTIVATING and hence the job not complete. With this patch we alter the
state translation table so that it is impossible ever to wait for a
Type=idle unit, hence removing the deadlock. |
e6a2674500dd4fa0b5eaa93ab77502ba14688c08 |
|
22-May-2012 |
Lennart Poettering <lennart@poettering.net> |
execute: use a much lower idle timeout than the default time
The idle timeout after all is for cosmetics only, hence avoid any
substantial delays just for it. |
940c5210344e90428287e4f8878a9064e8869e22 |
|
21-May-2012 |
Auke Kok <auke-jan.h.kok@intel.com> |
sd-pam: Drop uid so parent signal arrives at child.
The PAM helper thread needs to capture the death signal from the
parent, but is prohibited from doing so since when the child dies
as normal user, the kernel won't allow it to send a TERM to the
PAM helper thread which is running as root.
This causes the PAM threads to never exit, accumulating after
user sessions exit.
There is however really no need to keep the PAM threads running as
root, so, we can just setresuid() to the same user as defined in the
unit file for the parent thread (User=). This makes the TERM signal
arrive as normal. In case setresuid() fails, we ignore the error, so
we at least fall back to the current behaviour. |
9eb977db5b89b44f254ab40c1876a76b7d7ea2d0 |
|
08-May-2012 |
Kay Sievers <kay@vrfy.org> |
util: split-out path-util.[ch] |
f2b6878955b1f77ea1fa87b502b13d5dbefc57f6 |
|
24-Apr-2012 |
Lennart Poettering <lennart@poettering.net> |
service: introduce Type=idle and use it for gettys
Type=idle is much like Type=simple, however between the fork() and the
exec() in the child we wait until PID 1 informs us that no jobs are
left.
This is mostly a cosmetic fix to make gettys appear only after all boot
output is finished and complete.
Note that this does not impact the normal job logic as we do not delay
the completion of any jobs. We just delay the invocation of the actual
binary, and only for services that otherwise would be of Type=simple. |
ecedd90fcdf647f9a7b56b4934b65e30b2979b04 |
|
13-Apr-2012 |
Lennart Poettering <lennart@poettering.net> |
service: place control command in subcgroup control/
Previously, we were brutally and unconditionally killing all processes
in a service's cgroup before starting the service anew, in order to
ensure that StartPre lines cannot be misused to spawn long-running
processes.
On logind-less systems this has the effect that restarting sshd
necessarily calls all active ssh sessions, which is usually not
desirable.
With this patch control processes for a service are placed in a
sub-cgroup called "control/". When starting a service anew we simply
kill this cgroup, but not the main cgroup, in order to avoid killing any
long-running non-control processes from previous runs.
https://bugzilla.redhat.com/show_bug.cgi?id=805942 |
68faf98ca09314b61314ad2ac0cc133c400a83f9 |
|
12-Apr-2012 |
Lennart Poettering <lennart@poettering.net> |
execute: when we can't get the requested rlimit, get the next closest |
5430f7f2bc7330f3088b894166bf3524a067e3d8 |
|
12-Apr-2012 |
Lennart Poettering <lennart@poettering.net> |
relicense to LGPLv2.1 (with exceptions)
We finally got the OK from all contributors with non-trivial commits to
relicense systemd from GPL2+ to LGPL2.1+.
Some udev bits continue to be GPL2+ for now, but we are looking into
relicensing them too, to allow free copy/paste of all code within
systemd.
The bits that used to be MIT continue to be MIT.
The big benefit of the relicensing is that closed source code may now
link against libsystemd-login.so and friends. |
b30e2f4c18ad81b04e4314fd191a5d458553773c |
|
11-Apr-2012 |
Kay Sievers <kay@vrfy.org> |
move libsystemd_core.la sources into core/ |