cgroup: remove support for NetClass= directive Support for net_cls.class_id through the NetClass= configuration directive has been added in v227 in preparation for a per-unit packet filter mechanism. However, it turns out the kernel people have decided to deprecate the net_cls and net_prio controllers in v2. Tejun provides a comprehensive justification for this in his commit, which has landed during the merge window for kernel v4.5: https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=bd1060a1d671 As we're aiming for full support for the v2 cgroup hierarchy, we can no longer support this feature. Userspace tool such as nftables are moving over to setting rules that are specific to the full cgroup path of a task, which obsoletes these controllers anyway. This commit removes support for tweaking details in the net_cls controller, but keeps the NetClass= directive around for legacy compatibility reasons.

core: treat JobTimeout=0 as equivalent to JobTimeout=infinity Corrects an incompatibility introduced with 36c16a7cdd6c33d7980efc2cd6a2211941f302b4. Fixes: #2537

core: simplify how we parse TimeoutSec=, TimeoutStartSec= and TimeoutStopSec= Let's make things more obvious by placing the parse_usec() invocation directly in config_parse_service_timeout().

tree-wide: remove Emacs lines from all files This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.

core: rework unit timeout handling, and add new setting RuntimeMaxSec= This clean-ups timeout handling in PID 1. Specifically, instead of storing 0 in internal timeout variables as indication for a disabled timeout, use USEC_INFINITY which is in-line with how we do this in the rest of our code (following the logic that 0 means "no", and USEC_INFINITY means "never"). This also replace all usec_t additions with invocations to usec_add(), so that USEC_INFINITY is properly propagated, and sd-event considers it has indication for turning off the event source. This also alters the deserialization of the units to restart timeouts from the time they were originally started from. Before this patch timeouts would be restarted beginning with the time of the deserialization, which could lead to artificially prolonged timeouts if a daemon reload took place. Finally, a new RuntimeMaxSec= setting is introduced for service units, that specifies a maximum runtime after which a specific service is forcibly terminated. This is useful to put time limits on time-intensive processing jobs. This also simplifies the various xyz_spawn() calls of the various types in that explicit distruction of the timers is removed, as that is done anyway by the state change handlers, and a state change is always done when the xyz_spawn() calls fail. Fixes: #2249

core: move parsing of rlimits into rlimit-util.[ch] This way we can reuse it for parsing rlimit settings in "systemctl set-property" and related commands.

capabilities: added support for ambient capabilities. This patch adds support for ambient capabilities in service files. The idea with ambient capabilities is that the execed processes can run with non-root user and get some inherited capabilities, without having any need to add the capabilities to the executable file. You need at least Linux 4.3 to use ambient capabilities. SecureBit keep-caps is automatically added when you use ambient capabilities and wish to change the user. An example system service file might look like this: [Unit] Description=Service for testing caps [Service] ExecStart=/usr/bin/sleep 10000 User=nobody AmbientCapabilities=CAP_NET_ADMIN CAP_NET_RAW After starting the service it has these capabilities: CapInh: 0000000000003000 CapPrm: 0000000000003000 CapEff: 0000000000003000 CapBnd: 0000003fffffffff CapAmb: 0000000000003000

capabilities: keep bounding set in non-inverted format. Change the capability bounding set parser and logic so that the bounding set is kept as a positive set internally. This means that the set reflects those capabilities that we want to keep instead of drop.

core: resolve specifier in config_parse_exec() When parse ExecXXX=, specifiers are not resolved in config_parse_exec(). Finally, the specifiers are set into unit properties. So, systemctl shows not resolved speicifier on "Process:" field. To set the exec properties well, resolve specifiers before parse the rvale by unit_full_printf();

tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.

core: fix rlimit parsing * refuse limits if soft > hard * print an actual value instead of (null) see https://github.com/systemd/systemd/pull/1994#issuecomment-159999123

core: support <soft:hard> ranges for RLIMIT options The new parser supports: <value> - specify both limits to the same value <soft:hard> - specify both limits the size or time specific suffixes are supported, for example LimitRTTIME=1sec LimitAS=4G:16G The patch introduces parse_rlimit_range() and rlim type (size, sec, usec, etc.) specific parsers. No code is duplicated now. The patch also sync docs for DefaultLimitXXX= and LimitXXX=. References: https://github.com/systemd/systemd/issues/1769

core: mount flags remove FOREACH_WORD_SEPARATOR FOREACH_WORD_SEPARATOR is no need here since we only apply only one mount flag. The rvalue is sufficient for this.

socket: Add support for socket protcol Now we don't support the socket protocol like sctp and udplite . This patch add a new config param SocketProtocol: udplite/sctp With this now we can configure the protocol as udplite = IPPROTO_UDPLITE sctp = IPPROTO_SCTP Tested with nspawn:

tree-wide: sort includes Sort the includes accoding to the new coding style.

core: add new DefaultTasksMax= setting for system.conf This allows initializing the TasksMax= setting of all units by default to some fixed value, instead of leaving it at infinity as before.

core: remove support for RequiresOverridable= and RequisiteOverridable= As discussed at systemd.conf 2015 and on also raised on the ML: http://lists.freedesktop.org/archives/systemd-devel/2015-November/034880.html This removes the two XyzOverridable= unit dependencies, that were basically never used, and do not enhance user experience in any way. Most folks looking for the functionality this provides probably opt for the "ignore-dependencies" job mode, and that's probably a good idea. Hence, let's simplify systemd's dependency engine and remove these two dependency types (and their inverses). The unit file parser and the dbus property parser will now redirect the settings/properties to result in an equivalent non-overridable dependency. In the case of the unit file parser we generate a warning, to inform the user. The dbus properties for this unit type stay available on the unit objects, but they are now hidden from usual introspection and will always return the empty list when queried. This should provide enough compatibility for the few unit files that actually ever made use of this.

core: fix dependency parsing 3d793d29059a7ddf5282efa6b32b953c183d7a4d broke parsing of unit file names that include backslashes, as extract_first_word() strips those. Fix this, by introducing a new EXTRACT_RETAIN_ESCAPE flag which disables looking at any flags, thus being compatible with the classic FOREACH_WORD() behaviour.

execute: Add new PassEnvironment= directive This directive allows passing environment variables from the system manager to spawned services. Variables in the system manager can be set inside a container by passing `--set-env=...` options to systemd-spawn. Tested with an on-disk test.service unit. Tested using multiple variable names on a single line, with an empty setting to clear the current list of variables, with non-existing variables. Tested using `systemd-run -p PassEnvironment=VARNAME` to confirm it works with transient units. Confirmed that `systemctl show` will display the PassEnvironment settings. Checked that man pages are generated correctly. No regressions in `make check`.

core: unit deps port to extract_first_word

core: accept time units for time-based resource limits Let's make sure "LimitCPU=30min" can be parsed properly, following the usual logic how we parse time values. Similar for LimitRTTIME=. While we are at it, extend a bit on the man page section about resource limits. Fixes: #1772

core: when parsing resource limits, be more careful with types and corner cases Let's not convert RLIM_INFINITY to "unsigned long long" and then back to rlim_t, but let's leave it in the right type right-away. Parse resource limits as 64 bit in all cases, as according to the man page that's what libc does anyway. Make sure setting a resource limit to (uint64_t) -1 results in a parsing error, and isn't implicitly converted to RLIM_INFINITY.

core: simplify parsing of capability bounding set settings Let's generate a simple error, and that's it. Let's not try to be smart and record the last word that failed. Also, let's make sure we don't compare numeric values with 0 by relying on C's downgrade-to-bool feature, as suggested in CODING_STYLE.

core: remove unused variable unused since 7b2313f5

core: support IEC suffixes for RLIMIT stuff Let's make things more user-friendly and support for example LimitAS=16G rather than force users to always use LimitAS=16106127360. The change is relevant for options: [Default]Limit{FSIZE,DATA,STACK,CORE,RSS,AS,MEMLOCK,MSGQUEUE} The patch introduces config_parse_bytes_limit(), it's the same as config_parse_limit() but uses parse_size() tu support the suffixes. Addresses: https://github.com/systemd/systemd/issues/1772

core: small fixes to parse_namespace * don't hide ENOMEM * log r instead of 0

core: parse socket port to extract_first_word

core: port config_parse_bounding_set to extract_first_word

core: fix capability bounding set parsing bug: CapabilityBoundingSet= doesn't reset all caps

process-util: move a couple of process-related calls over

util-lib: split out allocation calls into alloc-util.[ch]

util-lib: move web-related calls into web-util.[ch]

util-lib: split stat()/statfs()/stavfs() related calls into stat-util.[ch]

util-lib: move a number of fs operations into fs-util.[ch]

util-lib: split string parsing related calls from util.[ch] into parse-util.[ch]

core: fix CapabilityBoundingSet merging Fixes: #1221

util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.

util-lib: split our string related calls from util.[ch] into its own file string-util.[ch] There are more than enough calls doing string manipulations to deserve its own files, hence do something about it. This patch also sorts the #include blocks of all files that needed to be updated, according to the sorting suggestions from CODING_STYLE. Since pretty much every file needs our string manipulation functions this effectively means that most files have sorted #include blocks now. Also touches a few unrelated include files.

util: split out escaping code into escape.[ch] This really deserves its own file, given how much code this is now.

util-lib: rework extract_first_word_and_warn() a bit - Really warn in all error cases, not just some. We need to make sure that all errors are logged to not confuse the user. - Explicitly check for EINVAL error code before claiming anything about invalid escapes, could be ENOMEM after all.

core: use extract_first_word for namespace parsing see https://github.com/systemd/systemd/pull/1632#issuecomment-149903791 We should port this loop over to extract_first_word(), too.

core: fix namespace parsing ReadOnlyDirectories=-/ works fine

core: actually set pids_max field after parsing it Fixes one of the issues pointed out in #1522.

core: add support for naming file descriptors passed using socket activation This adds support for naming file descriptors passed using socket activation. The names are passed in a new $LISTEN_FDNAMES= environment variable, that matches the existign $LISTEN_FDS= one and contains a colon-separated list of names. This also adds support for naming fds submitted to the per-service fd store using FDNAME= in the sd_notify() message. This also adds a new FileDescriptorName= setting for socket unit files to set the name for fds created by socket units. This also adds a new call sd_listen_fds_with_names(), that is similar to sd_listen_fds(), but also returns the names of the fds. systemd-activate gained the new --fdname= switch to specify a name for testing socket activation. This is based on #1247 by Maciej Wereski. Fixes #1247.

basic: split out cpu set specific APIs into cpu-set-util.[ch]

util: rename parse_cpu_set() to parse_cpu_set_and_warn() It's pretty untypical for our parsing functions to log on their own. Clarify in the name that this one does.

log: move log_invalid_utf8() to log.h Also, make sure it follows the same scheme as log_syntax() does in its behaviour.

tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers

core: allow setting WorkingDirectory= to the special value ~ If set to ~ the working directory is set to the home directory of the user configured in User=. This change also exposes the existing switch for the working directory that allowed making missing working directories non-fatal. This also changes "machinectl shell" to make use of this to ensure that the invoked shell is by default in the user's home directory. Fixes #1268.

load-fragment: Use parse_cpu_set in CPUAffinity support Tested with a dummy service running 'sleep', modifying its CPUAffinity, restarting the service and checking the ^Cpus_allowed entries in the /proc/PID/status file.

core: Add list of additional file descriptors to socket port Some additional files related to single socket may appear in the filesystem and they should be opened and passed to related service. This commit adds optional list of file descriptors, which are dynamically discovered and opened.

load-fragment: resolve specifiers in RuntimeDirectory

cgroup: add support for net_cls controllers Add a new config directive called NetClass= to CGroup enabled units. Allowed values are positive numbers for fix assignments and "auto" for picking a free value automatically, for which we need to keep track of dynamically assigned net class IDs of units. Introduce a hash table for this, and also record the last ID that was given out, so the allocator can start its search for the next 'hole' from there. This could eventually be optimized with something like an irb. The class IDs up to 65536 are considered reserved and won't be assigned automatically by systemd. This barrier can be made a config directive in the future. Values set in unit files are stored in the CGroupContext of the unit and considered read-only. The actually assigned number (which may have been chosen dynamically) is stored in the unit itself and is guaranteed to remain stable as long as the unit is active. In the CGroup controller, set the configured CGroup net class to net_cls.classid. Multiple unit may share the same net class ID, and those which do are linked together.

core: refactor cpu shares/blockio weight cgroup logic Let's stop using the "unsigned long" type for weights/shares, and let's just use uint64_t for this, as that's what we expose on the bus. Unify parsers, and always validate the range for these fields. Correct the default blockio weight to 500, since that's what the kernel actually uses. When parsing the weight/shares settings from unit files accept the empty string as a way to reset the weight/shares value. When getting it via the bus, uniformly map (uint64_t) -1 to unset. Open up StartupCPUShares= and StartupBlockIOWeight= to transient units.

core: add support for the "pids" cgroup controller This adds support for the new "pids" cgroup controller of 4.3 kernels. It allows accounting the number of tasks in a cgroup and enforcing limits on it. This adds two new setting TasksAccounting= and TasksMax= to each unit, as well as a gloabl option DefaultTasksAccounting=. This also updated "cgtop" to optionally make use of the new kernel-provided accounting. systemctl has been updated to show the number of tasks for each service if it is available. This patch also adds correct support for undoing memory limits for units using a MemoryLimit=infinity syntax. We do the same for TasksMax= now and hence keep things in sync here.

tree-wide: never use the off_t unless glibc makes us use it off_t is a really weird type as it is usually 64bit these days (at least in sane programs), but could theoretically be 32bit. We don't support off_t as 32bit builds though, but still constantly deal with safely converting from off_t to other types and back for no point. Hence, never use the type anymore. Always use uint64_t instead. This has various benefits, including that we can expose these values directly as D-Bus properties, and also that the values parse the same in all cases.

tree-wide: take benefit of the fact that hashmap_free() returns NULL And set_free() too. Another Coccinelle patch.

tree-wide: make use of the fact that strv_free() returns NULL Another Coccinelle patch.

tree-wide: drop {} from one-line if blocks Patch via coccinelle.

tree-wide: use coccinelle to patch a lot of code to use mfree() This replaces this: free(p); p = NULL; by this: p = mfree(p); Change generated using coccinelle. Semantic patch is added to the sources.

nspawn: add new .nspawn files for container settings .nspawn fiels are simple settings files that may accompany container images and directories and contain settings otherwise passed on the nspawn command line. This provides an efficient way to attach execution data directly to containers.

core: don't use uninitialized errno

unit: unify how we assing slices to units This adds a new call unit_set_slice(), and simplifies unit_add_default_slice(). THis should make our code a bit more robust and simpler.

core: don't generate stub unit file for transient units We store the properties for transient units in drop-ins anyway, and units don't have to have fragment files, hence don't bother with them, and don't create them.

core: optionally create LOGIN_PROCESS or USER_PROCESS utmp entries When generating utmp/wtmp entries, optionally add both LOGIN_PROCESS and INIT_PROCESS entries or even all three of LOGIN_PROCESS, INIT_PROCESS and USER_PROCESS entries, instead of just a single INIT_PROCESS entry. With this change systemd may be used to not only invoke a getty directly in a SysV-compliant way but alternatively also a login(1) implementation or even forego getty and login entirely, and invoke arbitrary shells in a way that they appear in who(1) or w(1). This is preparation for a later commit that adds a "machinectl shell" operation to invoke a shell in a container, in a way that is compatible with who(1) and w(1).

util: Don't interpret quotes by default in extract_first_word This adds an EXTRACT_QUOTES option to allow the previous behaviour, of not interpreting any character inside ' or " quotes as separators.

util: change unquote_*_word to extract_*_word It now takes a separators argument, which defaults to WHITESPACE if NULL is passed.

Convert unquote_*_word users to expect isempty(p) after the last entry This is so that, when called in a loop, unquote_first_word can distinguish between reaching the end of a string because it has consumed all the input before the end, and consuming all the input. This is important because we later add a flag that allows char *in = ""; char *out; unquote_first_word(&in, &out, flags); To put "" in out, and set in = NULL, so the trailing empty string of the input can be consumed, and mark that the input has been consumed.

load-fragment: fix segv on parse error https://bugzilla.redhat.com/show_bug.cgi?id=1251334

tree-wide: introduce mfree() Pretty trivial helper which wraps free() but returns NULL, so we can simplify this: free(foobar); foobar = NULL; to this: foobar = mfree(foobar);

load-fragment: reset the list on an ExecStart= containing only whitespace This is consistent with how an empty string works in an ExecStart= statement. We should not differentiate between an empty string and whitespace only (since they look the same.) Update the test case with whitespace only to reflect that the list is reset. Tested that `test-unit-file` passes and other test cases are not affected. Installed the patched systemd binaries on a machine, booted it, looked for out of the usual behavior but did not find any.

load-fragment: use unquote_first_word in config_parse_exec Convert config_parse_exec() from using FOREACH_WORD_QUOTED into a loop of unquote_first_word. Loop through the arguments only once (the FOREACH_WORD_QUOTED implementation did it twice, once to count them and another time to process and store them.) Use newly introduced flag UNQUOTE_UNESCAPE_RELAX to preserve unrecognized escape sequences such as regexps matches such as "\w", "\d", etc. (Valid escape sequences such as "\s" or "\b" still need an extra backslash if literals are desired for regexps.) Differences in behavior: - Handle ; (command separator) in special, so that only ; on its own is valid for that purpose, an quoted semicolon ";" or ';' will now behave as a literal semicolon. This is probably what was initially intended. - Handle \; (to introduce a literal semicolon) in special, so that only \; is turned into a semicolon but not \\; or "\\;" or "\;" which are kept as a literal \; in the output. This is probably what was initially intended. Known issues: - Using an empty string (for example, ExecStartPre=<empty>) will empty the list and remove the existing commands, but using whitespace only (for example, ExecStartPre=<spaces>) will not. This is a pre-existing issue and will be dealt with in a follow up commit. Tested: - Unit tests passing. Also `make distcheck` still works as expected. - Installed it on a local machine and booted with it, checked console output, systemctl and journalctl output, did not notice any issues running the patched systemd binaries. Relevant bug: https://bugs.freedesktop.org/show_bug.cgi?id=90794

load-fragment: use UNESCAPE_RELAX flag to parse exec directives The cunescape() helper function used to handle unknown escaping sequences gracefully by copying them over verbatim. Commit 527b7a42 ("util: rework cunescape(), improve error handling") added a flag to make that behavior optional, and changed to default to error out with -EINVAL otherwise. However, config_parse_exec(), which is used to parse the Exec{Start,Stop}{Post,Pre,} directives of unit files, was not changed along with that commit, which means that directives with improperly escaped command line strings are no longer parsed. Relevant bugreports include: https://bugs.freedesktop.org/show_bug.cgi?id=90794 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=787256 Fix this by passing UNESCAPE_RELAX to config_parse_exec() in order to restore the original behavior.

util: split out signal-util.[ch] from util.[ch] No functional changes.

util: introduce PERSONALITY_INVALID as macro for 0xffffffffLU

load-fragment: put quotes around iffy rvalue

socket-util: socket_address_parse() should not log errors on its own Given that socket_address_parse() is mostly a "library" call it shouldn't log on its own, but leave that to its caller. This patch removes logging from the call in case IPv6 is not available but and IPv6 address shall be parsed. Instead a new call socket_address_parse_and_warn() is introduced which first invokes socket_address_parse() and then logs if necessary. This should fix "make check" on ipv6-less kernels: http://lists.freedesktop.org/archives/systemd-devel/2015-April/031385.html

core: Fix assertion with empty Exec*= paths An Exec*= line with whitespace after modifiers, like ExecStart=- /bin/true is considered to have an empty command path. This is as specified, but causes systemd to crash with Assertion 'skip < l' failed at ../src/core/load-fragment.c:607, function config_parse_exec(). Aborting. Aborted (core dumped) Fix this by logging an error instead and ignoring the invalid line. Add corresponding test cases. Also add a test case for a completely empty value which resets the command list. https://launchpad.net/bugs/1454173

core: rename SystemdRunningAs to ManagerRunningAs It's primarily just a property of the Manager object after all, and we try to refer to PID 1 as "manager" instead of "systemd", hence let's to stick to this here too.

core: rework unit name validation and manipulation logic A variety of changes: - Make sure all our calls distuingish OOM from other errors if OOM is not the only error possible. - Be much stricter when parsing escaped paths, do not accept trailing or leading escaped slashes. - Change unit validation to take a bit mask for allowing plain names, instance names or template names or an combination thereof. - Refuse manipulating invalid unit name

core: fix parsing of mount flags As reported my Maciej Wereski: http://lists.freedesktop.org/archives/systemd-devel/2015-February/028320.html

core: set_put never returns -EEXIST When the value is already there it returns 0. Also add a test to ensure this

Indentation

util: rework cunescape(), improve error handling Change cunescape() to return a normal error code, so that we can distuingish OOM errors from parse errors. This also adds a flags parameter to control whether "relaxed" or normal parsing shall be done. If set no parse failures are generated, and the only reason why cunescape() can fail is OOM.

core: remove left-over debug message

tree-wide: there is no ENOTSUP on linux Replace ENOTSUP by EOPNOTSUPP as this is what linux actually uses.

core/load-fragment: safe_close() protects errno

remove unused includes This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.

config_parse_set_status: put signals in the correct set This was broken when the code was rearranged in "1e2fd62d70ff core/load-fragment.c: correct argument sign and split up long lines"

treewide: fix multiple typos

util: make http url validity checks more generic, and move them to util.c

core/load-fragment: avoid allocating 0 bytes when given an invalid command With a command line like "@/something" we would allocate an array with 0 elements. Avoid that, and add a test too.

conf-parse: don't accept invalid bus names as BusName= arguments in service units

load-fragment: allow quoting in command name and document allowed escapes The handling of the command name and other arguments is unified. This simplifies things and should make them more predictable for users. Incidentally, this makes ExecStart handling match the .desktop file specification, apart for the requirment for an absolute path. https://bugs.freedesktop.org/show_bug.cgi?id=86171

tree-wide: make condition_free_list return NULL

core: make exec_command_free_list return NULL

load-fragment: properly unescape \; https://bugs.freedesktop.org/show_bug.cgi?id=87393

wrap a few *_FOREACH macros in curly braces cppcheck would give up with "syntax error" without them. This led to reports of syntax errors in unrelated locations and potentially hid other errors

util: when using basename() for creating temporary files, verify the resulting name is actually valid Also, rename filename_is_safe() to filename_is_valid(), since it actually does a full validation for what the kernel will accept as file name, it's not just a heuristic.

util: introduce our own gperf based capability list This way, we can ensure we have a more complete, up-to-date list of capabilities around, always.

load-fragment: remove wrong ifdef guard config_parse_warn_compat is now always used for removed options. https://bugs.freedesktop.org/show_bug.cgi?id=87125

core: warn and ignore SysVStartPriority= Option was being parsed but not used for anything.

When warning about unsupported options, be more detailed

core: remove unused variables

smack: introduce new SmackProcessLabel option In service file, if the file has some of special SMACK label in ExecStart= and systemd has no permission for the special SMACK label then permission error will occurred. To resolve this, systemd should be able to set its SMACK label to something accessible of ExecStart=. So introduce new SmackProcessLabel. If label is specified with SmackProcessLabel= then the child systemd will set its label to that. To successfully execute the ExecStart=, accessible label should be specified with SmackProcessLabel=. Additionally, by SMACK policy, if the file in ExecStart= has no SMACK64EXEC then the executed process will have given label by SmackProcessLabel=. But if the file has SMACK64EXEC then the SMACK64EXEC label will be overridden. [zj: reword man page]

core: introduce the concept of AssertXYZ= similar to ConditionXYZ=, but fatal for a start job if not met

calendar: make freeing a calendar spec object deal fine with NULL In order to make object destruction easier (in particular in combination with _cleanup_) we usually make destructors deal with NULL objects as NOPs. Change the calendar spec destructor to follow the same scheme.

Modernization

hashmap: introduce hash_ops to make struct Hashmap smaller It is redundant to store 'hash' and 'compare' function pointers in struct Hashmap separately. The functions always comprise a pair. Store a single pointer to struct hash_ops instead. systemd keeps hundreds of hashmaps, so this saves a little bit of memory.

core: use correct function to free CalendarSpec

core: fix a potential mem leak Found with Coverity. Fixes: CID#996438

bus: parse BusPolicy directive in service files Add a new directive called BusPolicy to define custom endpoint policies. If one such directive is given, an endpoint object in the service's ExecContext is created and the given policy is added to it.

bus: factor out bus policy items In order to re-use the policy definitions, factor them out into their own files.

core/load-fragment.c: correct argument sign and split up long lines With everything on one line they are just harder to read.

Properly report invalid quoted strings $ systemd-analyze verify trailing-g.service [./trailing-g.service:2] Trailing garbage, ignoring. trailing-g.service lacks ExecStart setting. Refusing. Error: org.freedesktop.systemd1.LoadFailed: Unit trailing-g.service failed to load: Invalid argument. Failed to create trailing-g.service/start: Invalid argument

Reject invalid quoted strings String which ended in an unfinished quote were accepted, potentially with bad memory accesses. Reject anything which ends in a unfished quote, or contains non-whitespace characters right after the closing quote. _FOREACH_WORD now returns the invalid character in *state. But this return value is not checked anywhere yet. Also, make 'word' and 'state' variables const pointers, and rename 'w' to 'word' in various places. Things are easier to read if the same name is used consistently. mbiebl_> am I correct that something like this doesn't work mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-passwd "Unlock EncFS"' mbiebl_> systemd seems to strip of the quotes mbiebl_> systemctl status shows mbiebl_> ExecStart=/usr/bin/encfs --extpass='/bin/systemd-ask-password Unlock EncFS $RootDir $MountPoint mbiebl_> which is pretty weird

time-util: add and use USEC/NSEC_INFINIY

Let config_parse open file where applicable Special care is needed so that we get an error message if the file failed to parse, but not when it is missing. To avoid duplicating the same error check in every caller, add an additional 'warn' boolean to tell config_parse whether a message should be issued. This makes things both shorter and more robust wrt. to error reporting.

Constify ConfigTableItem tables

exit-status: rename ExitStatusSet's "code" field to "status" We should follow the naming scheme waitid() uses, not come up with our own reversed one...

kdbus: when uploading bus name policy, resolve users/groups out-of-process It's not safe invoking NSS from PID 1, hence fork off worker processes that upload the policy into the kernel for busnames.

core: rename ReadOnlySystem= to ProtectSystem= and add a third value for also mounting /etc read-only Also, rename ProtectedHome= to ProtectHome=, to simplify things a bit. With this in place we now have two neat options ProtectSystem= and ProtectHome= for protecting the OS itself (and optionally its configuration), and for protecting the user's data.

socket: add new Symlinks= option for socket units With Symlinks= we can manage one or more symlinks to AF_UNIX or FIFO nodes in the file system, with the same lifecycle as the socket itself. This has two benefits: first, this allows us to remove /dev/log and /dev/initctl from /dev, thus leaving only symlinks, device nodes and directories in the /dev tree. More importantly however, this allows us to move /dev/log out of /dev, while still making it accessible there, so that PrivateDevices= can provide /dev/log too.

core: add new ReadOnlySystem= and ProtectedHome= settings for service units ReadOnlySystem= uses fs namespaces to mount /usr and /boot read-only for a service. ProtectedHome= uses fs namespaces to mount /home and /run/user inaccessible or read-only for a service. This patch also enables these settings for all our long-running services. Together they should be good building block for a minimal service sandbox, removing the ability for services to modify the operating system or access the user's private data.

cgroups: simplify CPUQuota= logic Only accept cpu quota values in percentages, get rid of period definition. It's not clear whether the CFS period controllable per-cgroup even has a future in the kernel, hence let's simplify all this, hardcode the period to 100ms and only accept percentage based quota values.

cgroup: rework startup logic Introduce a (unsigned long) -1 as "unset" state for cpu shares/block io weights, and keep the startup unit set around all the time.

core: add startup resource control option Similar to CPUShares= and BlockIOWeight= respectively. However only assign the specified weight during startup. Each control group attribute is re-assigned as weight by CPUShares=weight and BlockIOWeight=weight after startup. If not CPUShares= or BlockIOWeight= be specified, then the attribute is re-assigned to each default attribute value. (default cpu.shares=1024, blkio.weight=1000) If only CPUShares=weight or BlockIOWeight=weight be specified, then that implies StartupCPUShares=weight and StartupBlockIOWeight=weight.

fix spelling of privilege

load-fragment: minor cleanup

core: expose CFS CPU time quota as high-level unit properties

service: rename StartLimitAction enum to FailureAction It's used for the FailureAction property as well.

core: remove tcpwrap support tcpwrap is legacy code, that is barely maintained upstream. It's APIs are awful, and the feature set it exposes (such as DNS and IDENT access control) questionnable. We should not support this natively in systemd. Hence, let's remove the code. If people want to continue making use of this, they can do so by plugging in "tcpd" for the processes they start. With that scheme things are as well or badly supported as they were from traditional inetd, hence no functionality is really lost.

timer: support timers that can resume the system from suspend

unit: turn off mount propagation for udevd Keep mounts done by udev rules private to udevd. Also, document how MountFlags= may be used for this.

util: replace close_nointr_nofail() by a more useful safe_close() safe_close() automatically becomes a NOP when a negative fd is passed, and returns -1 unconditionally. This makes it easy to write lines like this: fd = safe_close(fd); Which will close an fd if it is open, and reset the fd variable correctly. By making use of this new scheme we can drop a > 200 lines of code that was required to test for non-negative fds or to reset the closed fd variable afterwards.

busname: add parser for bus name policies There are three directives to specify bus name polices in .busname files: * AllowUser [username] [access] * AllowGroup [groupname] [access] * AllowWorld [access] Where [access] is one of * 'see': The user/group/world is allowed to see a name on the bus * 'talk': The user/group/world is allowed to talk to a name * 'own': The user/group/world is allowed to own a name There is no user added yet in this commit.

core: don't override NoNewPriviliges= from SystemCallFilter= if it is already explicitly set

Do not print invalid UTF-8 in error messages Inexplicably, 550a40ec ('core: do not print invalid utf-8 in error messages') only fixed two paths. Convert all of them now.

conf-parser: config_parse_path_strv() is not generic, so let's move it into load-fragment.c The parse code actually checked for specific lvalue names, which is really wrong for supposedly generic parsers...

core: move config_parse_set_status() into load-fragment.c Let's keep specific config parsers close to where they are needed. Only the really generic ones should be defined in conf-parser.[ch].

conf-parse: rename config_parse_level() to config_parse_log_level() "level" is a bit too generic, let's clarify what kind of level we are referring to here.

core: introduce new RuntimeDirectory= and RuntimeDirectoryMode= unit settings As discussed on the ML these are useful to manage runtime directories below /run for services.

core: add new RestrictAddressFamilies= switch This new unit settings allows restricting which address families are available to processes. This is an effective way to minimize the attack surface of services, by turning off entire network stacks for them. This is based on seccomp, and does not work on x86-32, since seccomp cannot filter socketcall() syscalls on that platform.

core: clean up some confusing regarding SI decimal and IEC binary suffixes for sizes According to Wikipedia it is customary to specify hardware metrics and transfer speeds to the basis 1000 (SI decimal), while software metrics and physical volatile memory (RAM) sizes to the basis 1024 (IEC binary). So far we specified everything in IEC, let's fix that and be more true to what's otherwise customary. Since we don't want to parse "Mi" instead of "M" we document each time what the context used is.

cgroup: Extend DeviceAllow= syntax to whitelist groups of devices, not just particular devices nodes

core: Add AppArmor profile switching This permit to switch to a specific apparmor profile when starting a daemon. This will result in a non operation if apparmor is disabled. It also add a new build requirement on libapparmor for using this feature.

core: add Personality= option for units to set the personality for spawned processes

core: warn when unit files with unsupported options are parsed

core: store and expose SELinuxContext field normalized as bool + string

core: add a system-wide SystemCallArchitectures= setting This is useful to prohibit execution of non-native processes on systems, for example 32bit binaries on 64bit systems, this lowering the attack service on incorrect syscall and ioctl 32→64bit mappings.

core: add SystemCallArchitectures= unit setting to allow disabling of non-native architecture support for system calls Also, turn system call filter bus properties into complex types instead of concatenated strings.

core: rework syscall filter - Allow configuration of an errno error to return from blacklisted syscalls, instead of immediately terminating a process. - Fix parsing logic when libseccomp support is turned off - Only keep the actual syscall set in the ExecContext, and generate the string version only on demand.

syscallfilter: port to libseccomp

Use enums to make it obvious what boolean params mean Suggested-by: Russ Allbery <rra@debian.org>

bus: when connecting to a container's kdbus instance, enter namespace first Previously we'd open the connection in the originating namespace, which meant most peers of the bus would not be able to make sense of the PID/UID/... identity of us since we didn't exist in the namespace they run in. However they require this identity for privilege decisions, hence disallowing access to anything from the host. Instead, when connecting to a container, create a temporary subprocess, make it join the container's namespace and then connect from there to the kdbus instance. This is similar to how we do it for socket conections already. THis also unifies the namespacing code used by machinectl and the bus APIs.

Get rid of our reimplementation of basename The only problem is that libgen.h #defines basename to point to it's own broken implementation instead of the GNU one. This can be fixed by #undefining basename.

bus: add .busname unit type to implement kdbus-style bus activation

service: add the ability for units to join other unit's PrivateNetwork= and PrivateTmp= namespaces

core: replace OnFailureIsolate= setting by a more generic OnFailureJobMode= setting and make use of it where applicable

conf-parser: distinguish between multiple sections with the same name Pass on the line on which a section was decleared to the parsers, so they can distinguish between multiple sections (if they chose to). Currently no parsers take advantage of this, but a follow-up patch will do that to distinguish [Address] Address=192.168.0.1/24 Label=one [Address] Address=192.168.0.2/24 Label=two from [Address] Address=192.168.0.1/24 Label=one Address=192.168.0.2/24 Label=two

socket: fix segfault

core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.

core: some more _cleanup_free_

clients: various simplifications

mount/service: drop FsckPassNo support We now treat passno as boleans in the generators, and don't need this any more. fsck itself is able to sequentialize checks on the same local media, so in the common case the ordering is redundant. It is still possible to force an order by using .d fragments, in case that is desired.

list: make our list macros a bit easier to use by not requring type spec on each invocation We can determine the list entry type via the typeof() gcc construct, and so we should to make the macros much shorter to use.

Make sure that we don't dereference NULL The code was actually safe, because b should never be null, because if rvalue is empty, a different branch is taken. But we *do* check for NULL in the loop above, so it's better to also check here for symmetry.

Do not use unitialized variable and remove duplicated line

core: rework how we match mount units against each other Previously to automatically create dependencies between mount units we matched every mount unit agains all others resulting in O(n^2) complexity. On setups with large amounts of mount units this might make things slow. This change replaces the matching code to use a hashtable that is keyed by a path prefix, and points to a set of units that require that path to be around. When a new mount unit is installed it is hence sufficient to simply look up this set of units via its own file system paths to know which units to order after itself. This patch also changes all unit types to only create automatic mount dependencies via the RequiresMountsFor= logic, and this is exposed to the outside to make things more transparent. With this change we still have some O(n) complexities in place when handling mounts, but that's currently unavoidable due to kernel APIs, and still substantially better than O(n^2) as before. https://bugs.freedesktop.org/show_bug.cgi?id=69740

cgroup: get rid of MemorySoftLimit= The cgroup attribute memory.soft_limit_in_bytes is unlikely to stay around in the kernel for good, so let's not expose it for now. We can readd something like it later when the kernel guys decided on a final API for this.

specifier: rework specifier calls to return proper error message Previously the specifier calls could only indicate OOM by returning NULL. With this change they will return negative errno-style error codes like everything else.

blkio bandwidth: don't clean up all of entries in blockio_device_bandwidths list if we get BlockIOReadBandwidth="", we should only remove the read-bandwidth-entries in blockio_device_bandwidths list.

blcokio bandwidth: add missing set of CGroupBlockIODeviceBandwidth's read BlockIOReadBandwidth and BlockIOWriteBandwidth both use config_parse_blockio_bandwidth to set up CGroupBlockIODeviceBandwidth, We should set the read value based on the left values in config files.

core: update configuration directive list "systemd --dump-configuration-items" shows

cgroup: split out per-device BlockIOWeight= setting into BlockIODeviceWeight= This way we can nicely map the configuration directive to properties and back, without requiring two different signatures for the same property.

core: add transient units Transient units can be created via the bus API. They are configured via the method call parameters rather than on-disk files. They are subject to normal GC. Transient units currently may only be created for services (however, we will extend this), and currently only ExecStart= and the cgroup parameters can be configured (also to be extended). Transient units require a unique name, that previously had no configuration file on disk. A tool systemd-run is added that makes use of this functionality to run arbitrary command lines as transient services: $ systemd-run /bin/ping www.heise.de Will cause systemd to create a new transient service and run ping in it.

core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).

manager: add DefaultEnvironment option This complements existing functionality of setting variables through 'systemctl set-environment', the kernel command line, and through normal environment variables for systemd in session mode.

core: add new .slice unit type for partitioning systems In order to prepare for the kernel cgroup rework, let's introduce a new unit type to systemd, the "slice". Slices can be arranged in a tree and are useful to partition resources freely and hierarchally by the user. Each service unit can now be assigned to one of these slices, and later on login users and machines may too. Slices translate pretty directly to the cgroup hierarchy, and the various objects can be assigned to any of the slices in the tree.

conf-parser: restrict .include usage Disallow recursive .include, and make it unavailable in anything but unit files.

Add set_consume which always takes ownership Freeing in error path is the common pattern with set_put().

unit: rework trigger dependency logic Instead of having explicit type-specific callbacks that inform the triggering unit when a triggered unit changes state, make this generic so that state changes are forwarded betwee any triggered and triggering unit. Also, get rid of UnitRef references from automount, timer, path units, to the units they trigger and rely exclsuively on UNIT_TRIGGER type dendencies.

move _cleanup_ attribute in front of the type http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html

Move bus_error to dbus-common and remove bus_error_message_or_strerror bus_error and bus_error_message_or_strerror dit almost exactly the same, so use only one of them and place it in dbus-common.

core/main: use _cleanup_

Report about syntax errors with metadata The information about the unit for which files are being parsed is passed all the way down. This way messages land in the journal with proper UNIT=... or USER_UNIT=... attribution. 'systemctl status' and 'journalctl -u' not displaying those messages has been a source of confusion for users, since the journal entry for a misspelt setting was often logged quite a bit earlier than the failure to start a unit. Based-on-a-patch-by: Oleksii Shevchuk <alxchk@gmail.com>

util: rename parse_usec() to parse_sec() sinds the default unit is seconds Internally we store all time values in usec_t, however parse_usec() actually was used mostly to parse values in seconds (unless explicit units were specified to define a different unit). Hence, be clear about this and name the function about what we pass into it, not what we get out of it.

execute: convert secure bits into mask properly C.f. http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=5975c725dfd6f7d36f493ab1453fbdbd35c1f0e3

exec: Assigning the empty string to CapabilityBoundSet= should drop all caps Previously, it would set all caps, but it should drop them all, anything else makes little sense. Also, document that this works as it does, and what to do in order to assign all caps to the bounding set. https://bugzilla.redhat.com/show_bug.cgi?id=914705

specifier: when resolving specifier strings when loading configuration, don't misunderstand parse failures as OOM http://lists.freedesktop.org/archives/systemd-devel/2013-February/009179.html

unit: rework resource management API This introduces a new static list of known attributes and their special semantics. This means that cgroup attribute values can now be automatically translated from user to kernel notation for command line set settings, too. This also adds proper support for multi-line attributes.

use strneq instead of strncmp

core: properly validate environment data from Environment= lines in unit files

execute: Fix seccomp support on x32 In the x32 ABI, syscall numbers start at 0x40000000. Mask that bit on x32 for lookups in the syscall_names array and syscall_filter and ensure that syscall.h is parsed correctly. [zj: added SYSCALL_TO_INDEX, INDEX_TO_SYSCALL macros.]

units: for all unit settings that take lists, allow the empty string for resetting the lists https://bugzilla.redhat.com/show_bug.cgi?id=756787

load-fragment: fix bad memory access

load-fragment: replace specifiers in path unit's Unit= setting

core: add bus API and systemctl commands for altering cgroup parameters during runtime

timer: implement calendar time events

core/load-fragment: fix (potential) bad memory access strncmp() could be used with size bigger then the size of the string, because MAX was used instead of MIN. If failing, print just the offending mount flag.

core/load-fragment: be more precise in error messages Whenever a message fails, mention the offending word, instead of just giving the whole line. If one bad word causes just this word to be rejected, print only the word. If one bad word causes the whole line to be rejected, print the whole line too. https://bugs.freedesktop.org/show_bug.cgi?id=56874

sched: Only setting CPUSchedulingPriority=rr doesn't work A service that only sets the scheduling policy to round-robin fails to be started. This is because the cpu_sched_priority is initialized to 0 and is not adjusted when the policy is changed. Clamp the cpu_sched_priority when the scheduler policy is set. Use the current policy to validate the new priority. Change the manual page to state that the given range only applies to the real-time scheduling policies. Add a testcase that verifies this change: $ make test-sched-prio; ./test-sched-prio [test/sched_idle_bad.service:6] CPU scheduling priority is out of range, ignoring: 1 [test/sched_rr_bad.service:7] CPU scheduling priority is out of range, ignoring: 0 [test/sched_rr_bad.service:8] CPU scheduling priority is out of range, ignoring: 100

core: lift restriction on order of - and @ in ExecStart

core: interpret \; token in ExecStart as escaped ; Some commands (like 'find') take a semicolon as separate arg. With current parser implementation there is no way to pass one. Patch adds token \;

shared, core: do not always accept numbers in string lookups The behaviour of the common name##_from_string conversion is surprising. It accepts not only the strings from name##_table but also any number that falls within the range of the table. The order of items in most of our tables is an internal affair. It should not be visible to the user. I know of a case where the surprising numeric conversion leads to a crash. We will allow the direct numeric conversion only for the tables where the mapping of strings to numeric values has an external meaning. This holds for the following lookup tables: - netlink_family, ioprio_class, ip_tos, sched_policy - their numeric values are stable as they are defined by the Linux kernel interface. - log_level, log_facility_unshifted - the well-known syslog interface. We allow the user to use numeric values whose string names systemd does not know. For instance, the user may want to test a new kernel featuring a scheduling policy that did not exist when his systemd version was released. A slightly unpleasant effect of this is that the name##_to_string conversion cannot return pointers to constant strings anymore. The strings have to be allocated on demand and freed by the caller.

man: document behaviour of ListenStream= with only a port number in regards to IPv4/IPv6

path: support specifier resolvin in .path units

unit: split unit_printf() and friends into its own .c file

macro: introduce _cleanup_free_ macro for automatic freeing of scoped vars and make use of it

load-fragment: Expand specifiers in conditions. Add specifier expansion to Path and String conditions. Specifier expansion for conditions will help create instance and user session units by allowing us to template conditions based on the instance or user session parameters. An example would be a system-wide user session service file that conditionally runs based on whether a user has the service configured through a configuration file in ~/.config/.

load-fragment: initialize bool invert before use

unit: add new ConditionHost= condition type

systemd: introduced new timeout types Makes possible to specify separate timeout for start and stop of the service. [ Improved the manpage. Coding style fix. -- michich ]