tree-wide: remove Emacs lines from all files This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.

logind: load SELinux labelling system systemd-logind uses mkdir_label and label_fix functions without calling first mac_selinux_init. This makes /run/user/$UID/ directories not labelled correctly on an Arch Linux system using SELinux. Fix this by calling mac_selinux_init("/run") early in systemd-logind. This makes files created in /etc/udev/rules.d and /var/lib/systemd to be labelled through transitions in the SELinux policy instead of using setfscreatecon (with mac_selinux_create_file_prepare).

logind: simplify job variable handling manager_{start,stop}_{slice,scope,unit} functions had an optional job output parameter. But all callers specified job, so make the parameter mandatory, add asserts. Also extract common job variable handling to a helper function to avoid duplication. Avoids gcc warning about job being unitialized.

logind: do not use an uninitialized variable We requested various fields using SD_BUS_CREDS_AUGMENT but at least sd_bus_creds_get_tty can fail with ENXIO, not setting the output variable.

tree-wide: check if errno is greater then zero gcc is confused by the common idiom of return errno ? -errno : -ESOMETHING and thinks a positive value may be returned. Replace this condition with errno > 0 to help gcc and avoid many spurious warnings. I filed a gcc rfe a long time ago, but it hard to say if it will ever be implemented [1]. Both conventions were used in the codebase, this change makes things more consistent. This is a follow up to bcb161b0230f. [1] https://gcc.gnu.org/bugzilla/show_bug.cgi?id=61846

Fix typo on logind-dbus.c method_schedule_shutdown referenced org.freedesktop.login1.poweroff* which is never registered in polkit. Now refers to org.freedesktop.login1.power-off* Signed-off-by: Joost Bremmer <toost.b@gmail.com>

login: make sure /run/nologin has correct SELinux label

tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.

login: ignore JobRemoved of old jobs If we requeue jobs, we are no longer interested in old jobs. Hence, we better ignore any JobRemoved signals for old jobs and concentrate on our replacements.

login: make sure to replace existing units When queuing unit jobs, we should rather replace existing units than fail. This is especially important when we queued a user-shutdown and a new login is encountered. In this case, we better raplce the shutdown jobs. systemd takes care of everything else.

machined,logind: be more careful when accepting PIDs and UIDs from clients Always validate first before we start processing the data.

logind: add a new UserTasksMax= setting to logind.conf This new setting configures the TasksMax= field for the slice objects we create for each user. This alters logind to create the slice unit as transient unit explicitly instead of relying on implicit generation of slice units by simply starting them. This also enables us to set a friendly description for slice units that way.

util-lib: split out allocation calls into alloc-util.[ch]

src/basic: rename audit.[ch] → audit-util.[ch] and capability.[ch] → capability-util.[ch] The files are named too generically, so that they might conflict with the upstream project headers. Hence, let's add a "-util" suffix, to clarify that this are just our utility headers and not any official upstream headers.

util-lib: move a number of fs operations into fs-util.[ch]

util-lib: introduce dirent-util.[ch] for directory entry calls Also, move a couple of more path-related functions to path-util.c.

util: remove lookup_uid(), replace by uid_to_name() So far we had two pretty much identical calls in user-util.[ch]: lookup_uid() and uid_to_name(). Get rid of the former, in favour of the latter, and while we are at it, rewrite it, to use getpwuid_r() correctly, inside an allocation loop, as POSIX intended.

util-lib: split out user/group/uid/gid calls into user-util.[ch]

util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.

util: split out escaping code into escape.[ch] This really deserves its own file, given how much code this is now.

login: suspend - be a bit more explicit when logging When the Suspend method is called, the only log message we write (unless debugging is enabled) is "Operation finished.". This is not very helpful when trying to figure out what is going on, so add what operation we are talking about to the message: "Operation 'sleep' finished.". Hat tip to Daniel Aleksandersen for pointing this out.

logind: avoid a dot before parenthesis systemd-logind[27]: System is rebooting. (Applied kernel updates.) is changed to systemd-logind[27]: System is rebooting (Applied kernel updates). Users should not add a dot in the sentence in --message, i.e. the correct usage is now: $ systemctl reboot --message "Applied kernel updates"

logind: allow dry run variants for scheduled shutdowns Allow passing a "dry-" prefix to the action parameter passed to .ScheduleShutdown(). When strings with this prefix are passed, the scheduled action will not take place. Instead, an info message is logged.

tree-wide: use coccinelle to patch a lot of code to use mfree() This replaces this: free(p); p = NULL; by this: p = mfree(p); Change generated using coccinelle. Semantic patch is added to the sources.

logind: make scope of wall message handling smaller

bus-util: support details in CheckAuthorization calls Extra details for an action can be supplied when calling polkit's CheckAuthorization method. Details are a list of key/value string pairs. Custom policy can use these details when making authorization decisions.

login: fix NULL-deref on wall_message We treat an empty wall-message equal to a NULL wall-message since: commit 5744f59a3ee883ef3a78214bd5236157acdc35ba Author: Lennart Poettering <lennart@poettering.net> Date: Fri Sep 4 10:34:47 2015 +0200 logind: treat an empty wall message like a NULL one Fix the shutdown scheduler to not deref a NULL pointer, but properly check for an empty wall-message. Fixes: #1120

logind: when parsing a boolean via sd-bus the type must be "int" And not bool.

logind: treat an empty wall message like a NULL one

logind/systemctl: introduce SetWallMessage and --message Enable unprivileged users to set wall message on a shutdown operation. When the message is set via the --message option, it is logged together with the default shutdown message. $ systemctl reboot --message "Applied kernel updates." $ journalctl -b -1 ... systemd-logind[27]: System is rebooting. (Applied kernel updates.) ...

logind,machined: various smaller cleanups Use mfree() where we can. Drop unnecessary {}. Drop unnecessary variable declarations. Cast syscall invocations where explicitly don't care for the return value to (void). Reword a comment.

machined,logind: don't generate errors on signal match functions If we get a weird signal, then we should log about it, but not return an error, since sd-bus will not call us again then anymore, but for these signals we match here we actually do want to be called on the next invocation.

logind: switch to sd_bus_track helper Let logind use the sd_bus_track helper object to track the controllers of sessions. This does not only remove quite some code but also kills the unconditional matches for all NameOwnerChanged signals. The latter is something we should never ever do, as it wakes up the daemon every time a client connects, which doesn't scale.

tree-wide: introduce mfree() Pretty trivial helper which wraps free() but returns NULL, so we can simplify this: free(foobar); foobar = NULL; to this: foobar = mfree(foobar);

tree-wide: port everything over to fflush_and_check() Some places invoked fflush() directly with their own manual error checking, let's unify all that by using fflush_and_check(). This also unifies the general error paths of fflush()+rename() file writers.

logind: fix write_string_file() fallout WRITE_STRING_FILE_ATOMIC is only valid if WRITE_STRING_FILE_CREATE is also given. IOW, an atomic file write operation is only possible when creating a file is also being asked for. This is a regression from the recent write_string_file() rework.

logind: bring bus policy up-to-date A while back we opened up all of logind's bus calls to unprivileged users, via PK. However, the dbus1 policy wasn't updated accordingly. With this change, the dbus1 policy is opened up for all bus calls that should be available to unprivileged clients. (also rearranges some calls in the vtable, to make more sense, and be in line with the order in the bus policy file) Fixes #471.

logind: allow greeters to take over VTs Make sure a greeter can forcefully spawn a session on a VT that is in-use. A recent patch prevented this (this used to be possible for all session types) as it is highly fragile. However, as it turns out, greeters seem to rely on that feature. Therefore, make sure we allow it explicitly for greeters.

logind: fail on CreateSession if already in session Right now, if you're already in a session and call CreateSession, we return information about the current session of yours. This is highy confusing and a nasty hack. Avoid that, and instead return a commonly known error, so the caller can detect that. This has the side-effect, that we no longer override XDG_VTNR and XDG_SEAT in pam_systemd, if you're already in a session. But this sounds like the right thing to do, anyway.

logind: allow sessions to share a VT if it's a greeter Old gdm and lightdm start the user-session during login before they destroy the greeter-session. Therefore, the user-session will take over the VT from the greeter. We recently prevented this by never allowing multiple sessions on the same VT. Fix this now, by explicitly allowing this if the owning session is a GREETER. Note that gdm no longer behaves like this. Instead, due to wayland, they always use a different VT for each session. All other login-managers are highly encouraged to destroy the greeter-session _before_ starting the user-session. We now work around this, but this will probably not last forever (and will already have nasty side-effects on the greeter-session).

fileio: consolidate write_string_file*() Merge write_string_file(), write_string_file_no_create() and write_string_file_atomic() into write_string_file() and provide a flags mask that allows combinations of atomic writing, newline appending and automatic file creation. Change all users accordingly.

login: simplify assignment

login: re-use VT-sessions if they already exist Right now, if you start a session via 'su' or 'sudo' from within a session, we make sure to re-use the existing session instead of creating a new one. We detect this by reading the session of the requesting PID. However, with gnome-terminal running as a busname-unit, and as such running outside the session of the user, this will no longer work. Therefore, this patch makes sure to return the existing session of a VT if you start a new one. This has the side-effect, that you will re-use a session which your PID is not part of. This works fine, but will break assumptions if the parent session dies (and as such close your session even though you think you're part of it). However, this should be perfectly fine. If you run multiple logins on the same session, you should really know what you're doing. The current way of silently accepting it but choosing the last registered session is just weird.

logind: fix delayed execution regression Commit c0f32805 ("logind: use sd_event timer source for inhibitor logic") reworked the main loop logic of logind so that it uses a real timeout callback handler to execute delayed functions. What the old code did, however, was to call those functions on every iteration in the main loop, not only when the timeout expired. Restore that behavior by bringing back manager_dispatch_delayed(), and call it from manager_run(). The internal event source callback manager_inhibit_timeout_handler() was turned into a wrapper of manager_dispatch_delayed() now.

logind: rework display counting when detecting whether the system is docked Previously, we'd just count connected displays, and if there was 2 or more we assumed a "docked" state. With this change we now: - Only count external displays, ignore internal ones (which we detect by checking the connector name against a whitelist of known external plug types) - We ignore connectors which are explicitly disabled - We then compare the count with >= 1 rather than >= 2 as before This new logic has the benefit that systems that disconnect the internal display when the lid is closed are better supported. Also, explicitly disabled ports do not confuse the algorithm anymore. This new algorithm has been suggested here: http://lists.freedesktop.org/archives/intel-gfx/2015-June/068821.html This also makes two functions static, that are not used outside of their .c files.

logind: expose "Docked" bool as property on the bus We know the state anyway, let's expose it in the bus. It's useful for debugging at least, but it might be useful for DEs too.

everywhere: actually make use of DUAL_TIMESTAMP_NULL macro Let's use it as initializer where appropriate.

logind: Save the user’s state when a session enters SESSION_ACTIVE When (for example) switching from X11 to a new VT and logging in there, creating a new session, the user state file (/run/systemd/users/$uid) is not updated after the session becomes active. The latest time it is saved is when the session is in SESSION_OPENING. This results in a /run/systemd/users/$uid file which contains STATE=online for the current user on the current active VT, which is obviously wrong. As functions like sd_uid_get_state() use this file to get the user’s state, this could result in things like PolicyKit making incorrect decisions about the user’s state. (See https://bugs.freedesktop.org/show_bug.cgi?id=76358.) Fix this by re-saving the state for a session’s user after completing the state_job for that session. https://bugs.freedesktop.org/show_bug.cgi?id=90818

logind: prefix some calls to unlink with (void) Make Coverity happy and tell it we're not interested in the return value of these two calls.

logind: unlink /run/nologin when shutdown is cancelled When a scheduled is cancelled, make sure to remove /run/nologin. This is a regression from the recent shutdownd removal and logind rework.

sd-bus: allow passing NULL as bus parameter to sd_bus_send() If NULL is specified for the bus it is now automatically derived from the passed in message. This commit also changes a number of invocations of sd_bus_send() to make use of this.

sd-bus: drop bus parameter from message callback prototype This should simplify the prototype a bit. The bus parameter is redundant in most cases, and in the few where it matters it can be derived from the message via sd_bus_message_get_bus().

logind: kill newline characters from log_error_errno() calls log_error_errno() already adds a newline, so drop them.

logind: add support for /run/nologin and /run/systemd/shutdown/scheduled Port over more code from shutdownd and teach logind to write /run/nologin at least 5 minutes before the system is going down, and /run/systemd/shutdown/scheduled when a shutdown is scheduled.

logind: add code for UTMP wall messages Add a timer to print UTMP wall messages so that it repeatedly informs users about a scheduled shutdown: * every 1 minute with less than 10 minutes to go * every 15 minutes with less than 60 minutes to go * every 30 minutes with less than 180 minutes (3 hours) to go * every 60 minutes if more than that to go This functionality only active if the .EnableWallMessages DBus property is set to true. Also, a custom string can be added to the wall message, set through the WallMessagePrefix property.

logind: add .ScheduleShutdown and .CancelScheduledShutdown methods Add a method called ScheduleShutdown in org.freedesktop.login1.Manager which adds a timer to shut down the system at a later point in time. The first argument holds the type of the schedule that is about to happen, and must be one of 'reboot', 'halt' or 'poweroff'. The second argument specifies the absolute time, based on CLOCK_REALTIME in nanoseconds, at which the the operation should be executed. To cancel a previously scheduled shutdown, the CancelScheduledShutdown() can be called, which returns a bool, indicating whether a scheduled timeout was cancelled. Also add a new property called ScheduledShutdown which returns the equivalent to what was passed in via ScheduleShutdown, as '(st)' type.

logind: factor out polkit checks Factor out the code to ask polkit for authorization from method_do_shutdown_or_sleep() into an own function called verify_shutdown_creds(). This is needed in order to also use the same checks when shutdown operations are scheduled. For that, it's also necessary to allow NULL values for that action{,_multiple_sessions,_ignore_inhibit) arguments, which will suppress the call if no action string is passed.

logind: use sd_event timer source for inhibitor logic Instead of open-coding the delayed action and inhibit timeout logic, switch over to a real sd_event_source based implementation. This is not only easier to read but also allows us to add more timers in the future.

logind: drop unused argument from method_do_shutdown_or_sleep()

shared: add terminal-util.[ch]

shared: add process-util.[ch]

shared: add formats-util.h

logind: drop "interactive" parameter from SetRebootToFirmwareSetup() bus call Newer dbus versions have an "allow interactive authentication" bit in the message header, hence it is not necessary to take a boolean for this explicitly.

logind,systemctl: add reboot to EFI firmware support

polkit: rename bus_verify_polkit() to bus_test_polkit() and make it strictly non-interactive Interactive authorization should only happen asynchronously, hence disallow it in synchronous bus_verify_polkit(), and rename it to bus_test_polkit(). This way even if the bus message header asks for interactive authorization, we'll ask for non-interactive authorization which is actually the desired behaviour if CanSuspend, CanHibernate and friends, which call this function.

logind: check return value of session_release It allocates memory, so it can fail. CID #1237527.

login: make hold-off timeout configurable This introduces 'HoldoffTimeoutSec' to logind.conf to make IGNORE_LID_SWITCH_{SUSPEND,STARTUP}_USEC configurable. Background: If an external monitor is connected, or if the system is docked, we want to ignore LID events. This is required to support setups where a laptop is used with external peripherals while the LID is closed. However, this requires us to probe all hot-plugged devices before reacting to LID events. But with modern buses like USB, the standards do not impose any timeout on the slots, so we have no chance to know whether a given slot is used or not. Hence, after resume and startup, we have to wait a fixed timeout to give the kernel a chance to probe devices. Our timeout has always been generous enough to support even the slowest devices. However, a lot of people didn't use these features and wanted to disable the hold-off timer. Now we provide a knob to do that.

remove unused includes This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.

logind: open up most bus calls for unpriviliged processes, using PolicyKit Also, allow clients to alter their own objects without any further priviliges. i.e. this allows clients to kill and lock their own sessions without involving PK.

util: rework strappenda(), and rename it strjoina() After all it is now much more like strjoin() than strappend(). At the same time, add support for NULL sentinels, even if they are normally not necessary.

remove unused variables

bus: use EUID over UID and fix unix-creds Whenever a process performs an action on an object, the kernel uses the EUID of the process to do permission checks and to apply on any newly created objects. The UID of a process is only used if someone *ELSE* acts on the process. That is, the UID of a process defines who owns the process, the EUID defines what privileges are used by this process when performing an action. Process limits, on the other hand, are always applied to the real UID, not the effective UID. This is, because a process has a user object linked, which always corresponds to its UID. A process never has a user object linked for its EUID. Thus, accounting (and limits) is always done on the real UID. This commit fixes all sd-bus users to use the EUID when performing privilege checks and alike. Furthermore, it fixes unix-creds to be parsed as EUID, not UID (as the kernel always takes the EUID on UDS). Anyone using UID (eg., to do user-accounting) has to fall back to the EUID as UDS does not transmit the UID.

logind: unify how we cast between uid_t and pointers for hashmap keys

logind: when a bus call is done on a session, user or seat, optionally determine them from the caller credentials More specifically, if an operation is requested on a session with an empty name, the caller's session is used. If an operation is requested on a seat with an empty name, the seat of the caller's session is used. Finally, if an operation on the user with UID -1 is requested, the user of the client's session is used (and not the UID of the client!).

machined: ignore spurious error

tmpfiles: add new line type 'v' for creating btrfs subvolumes

logind: remove spurious include of <sys/capability.h> They do not use any functions from libcap directly. The CAP_* constants in use through these files come from "missing.h" which will import <linux/capability.h> and complement it with CAP_* constants not defined by the current kernel headers. The "missing.h" header is imported through "util.h" which gets imported in "logind.h". Tested that "systemd-logind" builds cleanly and works after this change.

treewide: correct spacing near eol in code comments

sd-bus: move common errors src/shared/bus-errors.h → src/libsystemd/sd-bus/bus-common-errors.h Stuff in src/shared/ should not use stuff from src/libsystemd/ really.

treewide: use log_*_errno whenever %m is in the format string If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.

log: fix order of log_unit_struct() to match other logging calls Also, while we are at it, introduce some syntactic sugar for creating ERRNO= and MESSAGE= structured logging fields.

mac: rename apis with mac_{selinux/smack}_ prefix

logind: add HandleLidSwitchDocked= option to logind.conf + documentation https://bugs.freedesktop.org/show_bug.cgi?id=82485

bus-util: simplify bus_verify_polkit_async() a bit First, let's drop the "bus" argument, we can determine it from the message anyway. Secondly, determine the right callback/userdata pair automatically from what is currently is being dispatched. This should simplify things a lot for us, since it makes it unnecessary to pass pointers through the original handlers through all functions when we process messages, which might require authentication.

sd-bus: add API to check if a client has privileges This is a generalization of the vtable privilege check we already have, but exported, and hence useful when preparing for a polkit change. This will deal with the complexity that on dbus1 one cannot trust the capability field we retrieve via the bus, since it is read via /proc/$$/stat (and thus might be out-of-date) rather than directly from the message (like on kdbus) or bus connection (as for uid creds on dbus1). Also, port over all code to this new API.

Remove unnecessary casts in printfs No functional change expected :)

sd-event: rework API to support CLOCK_REALTIME_ALARM and CLOCK_BOOTTIME_ALARM, too

logind: move lid switch handling from logind-main to logind-core ../src/login/logind-dbus.c:1352: error: undefined reference to 'manager_set_lid_switch_ignore' collect2: error: ld returned 1 exit status make[2]: *** [test-login-tables]

logind: add a debug message in case the session already exists If the session already exists then the only way to log it is to set the debug option of pam_systemd. There are no debug messages in the login service that permits to log if the session already exists. So just add it, and while we are it add the "uid" field to the debug message that indicates that the session was created.

logind: fix policykit checks

logind: ignore lid switch events for 30s after each suspend and 3min after startup This is needed to give USB docking stations and suchlike time to settle, so that a display connected to an USB docking station can actually act as a lid swith inhibitor correctly. With this change we should have somewhat reliable docking station support in place.

api: in constructor function calls, always put the returned object pointer first (or second) Previously the returned object of constructor functions where sometimes returned as last, sometimes as first and sometimes as second parameter. Let's clean this up a bit. Here are the new rules: 1. The object the new object is derived from is put first, if there is any 2. The object we are creating will be returned in the next arguments 3. This is followed by any additional arguments Rationale: For functions that operate on an object we always put that object first. Constructors should probably not be too different in this regard. Also, if the additional parameters might want to use varargs which suggests to put them last. Note that this new scheme only applies to constructor functions, not to all other functions. We do give a lot of freedom for those. Note that this commit only changes the order of the new functions we added, for old ones we accept the wrong order and leave it like that.

logind: ignore PropertiesChanged signals for jobs Otherwise we get a (harmless) message like: systemd-logind[30845]: Failed to process message [type=signal sender=:1.36 path=/org/freedesktop/systemd1/job/4674 interface=org.freedesktop.DBus.Properties member=PropertiesChanged signature=sa{sv}as]: Invalid argument

logind: always kill session when termination is requested KillUserProcesses=yes/no should be ignored when termination is explicitly requested.

remove unused variables

core: when an already abandoned unit gets abandoned again generate a clean error

logind: order all scopes after both systemd-logind.service and systemd-user-sessions.service This way at shutdown we can be sure that the sessions go away before the network.

logind: add function session_jobs_reply() to unify the create reply The session_send_create_reply() function which notifies clients about session creation is used for both session and user units. Unify the shared code in a new function session_jobs_reply(). The session_save() will be called unconditionally on sessions since it does not make sense to only call it if '!session->started', this will also allow to update the session state as soon as possible.

logind: given that we can now relatively safely shutdown sessions copes without working cgroup empty notifications there's no need to set the stop timeout of sessions scopes low

logind: rework session shutdown logic Simplify the shutdown logic a bit: - Keep the session FIFO around in the PAM module, even after the session shutdown hook has been finished. This allows logind to track precisely when the PAM handler goes away. - In the ReleaseSession() call start a timer, that will stop terminate the session when elapsed. - Never fiddle with the KillMode of scopes to configure whether user processes should be killed or not. Instead, simply leave the scope units around when we terminate a session whose processes should not be killed. - When killing is enabled, stop the session scope on FIFO EOF or after the ReleaseSession() timeout. When killing is disabled, simply tell PID 1 to abandon the scope. Because the scopes stay around and hence all processes are always member of a scope, the system shutdown logic should be more robust, as the scopes can be shutdown as part of the usual shutdown logic.

man: introduce new "Desktop" property for sessions This is initialized from XDG_SESSION_DESKTOP and is useful for GNOME to recognize its own sessions. It's supposed to be set to a short string identifying the session, such as "kde" or "gnome".

logind: wait for the user service to finish startup before completing login attempt

bus: fix a couple of format string mistakes

bus: decorate the various object vtables with SD_BUS_VTABLE_PROPERTY_CONST where appropriate

core,logind: libudev usage modernizations Always use cleanup logic and don't eat up errors returned by libudev

bus: introduce "trusted" bus concept and encode access control in object vtables Introduces a new concept of "trusted" vs. "untrusted" busses. For the latter libsystemd-bus will automatically do per-method access control, for the former all access is automatically granted. Per-method access control is encoded in the vtables: by default all methods are only accessible to privileged clients. If the SD_BUS_VTABLE_UNPRIVILEGED flag is set for a method it is accessible to unprivileged clients too. By default whether a client is privileged is determined via checking for its CAP_SYS_ADMIN capability, but this can be altered via the SD_BUS_VTABLE_CAPABILITY() macro that can be ORed into the flags field of the method. Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED and SD_BUS_VTABLE_CAPABILITY() for controlling write access to them. Note however that read access is unrestricted, as PropertiesChanged messages might send out the values anyway as an unrestricted broadcast. By default the system bus is set to "untrusted" and the user bus is "trusted" since per-method access control on the latter is unnecessary. On dbus1 busses we check the UID of the caller rather than the configured capability since the capability cannot be determined without race. On kdbus the capability is checked if possible from the attached meta-data of a message and otherwise queried from the sending peer. This also decorates the vtables of the various daemons we ship with these flags.

bus: add new sd_bus_creds object to encapsulate process credentials This way we can unify handling of credentials that are attached to messages, or can be queried for bus name owners or connection peers. This also adds the ability to extend incomplete credential information with data from /proc, Also, provide a convenience call that will automatically determine the most appropriate credential object for an incoming message, by using the the attached information if possible, the sending name information if available and otherwise the peer's credentials.

logind: remove unused session->closing field This field is always false, drop it. If you want a reliable way to get session state, call session_get_state(). Testing for any flags directly doesn't work currently so don't pretend it would.

logind: require VTs on seat0 and forbid elsewhere Sessions on seat0 must pass us a vtnr, otherwise, you shouldn't try attaching it to seat0. For seats without VTs, we do the exact opposite: we forbid VTs. There can be odd situations if the session-files contain invalid combinations. However, we try to keep sessions alive and restore state as good as possible.

logind: make VT numbers unsigned Fix the whole code to use "unsigned int" for vtnr. 0 is an invalid vtnr so we don't need negative numbers at all. Note that most code already assumes it's unsigned so in case there's a negative vtnr, our code may, under special circumstances, silently break. So this patch makes sure all sources of vtnrs verify the validity. Also note that the dbus api already uses unsigned ints.

logind: log which process is delaying suspend and not closing locks

pam_systemd: do not set XDG_RUNTIME_DIR if the session's original user is not the same as the newly logged in one It's better not to set any XDG_RUNTIME_DIR at all rather than one of a different user. So let's do this. This changes the bus call parameters of CreateSession(), but that is explicitly an internal API hence should be fine. Note however, that a logind restart (the way the RPM postinst scriptlets do it) is necessary to make things work again.

logind,machined,run: properly invoke StartTransientUnit() bus call

bus: rework message handlers to always take an error argument Message handler callbacks can be simplified drastically if the dispatcher automatically replies to method calls if errors are returned. Thus: add an sd_bus_error argument to all message handlers. When we dispatch a message handler and it returns negative or a set sd_bus_error we send this as message error back to the client. This means errors returned by handlers by default are given back to clients instead of rippling all the way up to the event loop, which is desirable to make things robust. As a side-effect we can now easily turn the SELinux checks into normal function calls, since the method call dispatcher will generate the right error replies automatically now. Also, make sure we always pass the error structure to all property and method handlers as last argument to follow the usual style of passing variables for return values as last argument.

bus: let's simplify things by getting rid of unnecessary bus parameters

core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.

bus: rename sd_bus_send_with_reply_and_block() to sd_bus_call() The call is one of the most important ones we expose, where we place major emphasis on. We should make sure to give it a short, memorable name.

logind: automatically determine client side PID if GetSessionByPID() is called with a PID == 0

logind: fix serialization for PrepareForSleep boolean

logind: fix serialization of ListInhibitors() request

logind: fix serialization of ListSeats() bus call

logind: port logind to libsystemd-bus

Fix write-only use of a few variables Since the invention of read-only memory, write-only memory has been considered deprecated. Where appropriate, either make use of the value, or avoid writing it, to make it clear that it is not used.

logind: never consider a closing session relevant for PK checks https://bugzilla.redhat.com/show_bug.cgi?id=1010215

logind: put correct user object paths in introspection data Sync with user_bus_path() in logind-user-dbus.c

Remove six unused variables and add annotation clang FTW!

logind: extract has_vts() from can_multi_session() We currently use seat_can_multi_session() to test for two things: * whether the seat can handle session-switching * whether the seat has VTs As both are currently logically equivalent, we didn't care. However, we want to allow session-switching on seats without VTs, so split this helper into: * seat_can_multi_session(): whether session-switching is supported * seat_has_vts(): whether the seat has VTs Note that only one seat on a system can have VTs. There is only one set of them. We automatically assign them to seat0 as usual. With this patch in place, we can easily add new session-switching/tracking methods without breaking any VT code as it is now protected by has_vts(), no longer by can_multi_session().

logind: rename vtconsole to seat0 The seat->vtconsole member always points to the default seat seat0. Even if VTs are disabled, it's used as default seat. Therefore, rename it to seat0 to correctly state what it is. This also changes the seat files in /run from IS_VTCONSOLE to IS_SEAT0. It wasn't used by any code, yet, so this seems fine. While we are at it, we also remove every "if (s->vtconsole)" as this pointer is always valid!

logind: add session controllers A session usually has only a single compositor or other application that controls graphics and input devices on it. To avoid multiple applications from hijacking each other's devices or even using the devices in parallel, we add session controllers. A session controller is an application that manages a session. Specific API calls may be limited to controllers to avoid others from getting unprivileged access to restricted resources. A session becomes a controller by calling the RequestControl() dbus API call. It can drop it via ReleaseControl(). logind tracks bus-names to release the controller once an application closes the bus. We use the new bus-name tracking to do that. Note that during ReleaseControl() we need to check whether some other session also tracks the name before we remove it from the bus-name tracking list. Currently, we only allow one controller at a time. However, the public API does not enforce this restriction. So if it makes sense, we can allow multiple controllers in parallel later. Or we can add a "scope" parameter, which allows a different controller for graphics-devices, sound-devices and whatever you want. Note that currently you get -EBUSY if there is already a controller. You can force the RequestControl() call (root-only) to drop the current controller and recover the session during an emergency. To recover a seat, this is not needed, though. You can simply create a new session or force-activate it. To become a session controller, a dbus caller must either be root or the same user as the user of the session. This allows us to run a session compositor as user and we no longer need any CAP_SYS_ADMIN.

logind: add infrastructure to watch busnames If we want to track bus-names to allow exclusive resource-access, we need a way to get notified when a bus-name is gone. We make logind watch for NameOwnerChanged dbus events and check whether the name is currently watched. If it is, we remove it from the watch-list (notification for other objects can be added in follow-up patches).

Verify validity of session name when received from outside Only ASCII letters and digits are allowed.

logind: restore logic to kill user processes when session ends

logind: make sure login sessions are terminated with SIGHUP bash ignores SIGTERM, and can only be terminated cleanly via SIGHUP. Hence make sure that we the scope unit for the session is created with SendSIGHUP enabled.

logind: update the session state file before we send out the CreateSession() reply https://bugs.freedesktop.org/show_bug.cgi?id=67273

logind: update state file after generating the session fifo, not before https://bugs.freedesktop.org/show_bug.cgi?id=67273

user-sessions: rely on PID 1 to kill sessions As we want to centralized cgroup access we should stop killing the user sessions directly from the systemd-user-sessions service. Instead, rely on PID 1 doing this by adding the right ordering dependencies to the session scope units.

logind: don't misunderstand UnitRemoved signals during reloading When PID 1 reloads the units logind/machined will see UnitRemoved signals for all units. Instead of trusting these immediately, let's check the actual unit state before considering a unit gone, so that reloading PID 1 is not mistaken as the end of all sessions.

core: serialize/deserialize bus subscribers

logind/machined: properly notice when units are gc'ed

login: pass correct boolean type to libdbus

machined: sync to /run after job completed

machined: split out machine registration stuff from logind Embedded folks don't need the machine registration stuff, hence it's nice to make this optional. Also, I'd expect that machinectl will grow additional commands quickly, for example to join existing containers and suchlike, hence it's better keeping that separate from loginctl.

logind: port over to use scopes+slices for all cgroup stuff In order to prepare things for the single-writer cgroup scheme, let's make logind use systemd's own primitives for cgroup management. Every login user now gets his own private slice unit, in which his sessions live in a scope unit each. Also, add user@$UID.service to the same slice, and implicitly start it on first login.

logind: add infrastructure to keep track of machines, and move to slices - This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.

systemd-sleep: add support for freeze and standby A new config file /etc/systemd/sleep.conf is added. It is parsed by systemd-sleep and logind. The strings written to /sys/power/disk and /sys/power/state can be configured. This allows people to use different modes of suspend on systems with broken or special hardware. Configuration is shared between systemd-sleep and logind to enable logind to answer the question "can the system be put to sleep" as correctly as possible without actually invoking the action. If the user configured systemd-sleep to only use 'freeze', but current kernel does not support it, logind will properly report that the system cannot be put to sleep. https://bugs.freedesktop.org/show_bug.cgi?id=57793 https://git.kernel.org/?p=linux/kernel/git/torvalds/linux.git;a=commit;h=7e73c5ae6e7991a6c01f6d096ff8afaef4458c36 http://lists.freedesktop.org/archives/systemd-devel/2013-February/009238.html SYSTEM_CONFIG_FILE and USER_CONFIG_FILE defines were removed since they were used in only a few places and with the addition of /etc/systemd/sleep.conf it becomes easier to just append the name of each file to the dir name.

logind: don't busy loop if a job is still running but the delay timeout expires

logind-dbus: initialize result variable

move _cleanup_ attribute in front of the type http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html

Move bus_error to dbus-common and remove bus_error_message_or_strerror bus_error and bus_error_message_or_strerror dit almost exactly the same, so use only one of them and place it in dbus-common.

nspawn: introduce the new /machine/ tree in the cgroup tree and move containers there Containers will now carry a label (normally derived from the root directory name, but configurable by the user), and the container's root cgroup is /machine/<label>. This label is called "machine name", and can cover both containers and VMs (as soon as libvirt also makes use of /machine/). libsystemd-login can be used to query the machine name from a process. This patch also includes numerous clean-ups for the cgroup code.

logind: filter configured cgroup controller lists

Fix spelling errors using 'codespell' tool

logind: introduce an explicit session class for cronjobs and similar cronjobs are neither interactive user session, nor lock screens, nor login screens, hence they should get their own class.

util: rename write_one_line_file() to write_string_file() You can write much more than just one line with this call (and we frequently do), so let's correct the naming.

logind: exploit previous cleanups and simplify returns

logind: Make more use of cleanup macros

logind: when registering a new session always use previous session info from cgroup path rather than audit Previously for cases like "su" or "sudo" where a session is attempted to be created from within an existing one we used the audit session ID to detect this and in such a case we simple returned the session data of the original session a second time. With this change we will now use the cgroup path of the calling path to determine the old session, i.e. we only rely on our own session identification scheme, instead of audits. We will continue to keep the audit session ID and ours in sync however, to avoid unnecessary confusion.

systemctl: make shutdown operations use irreversible jobs Occasionally people report problem with reboot/poweroff operations hanging in the middle. One known cause is when a new transaction to start a unit is enqueued while the shutdown is going on. The start of the unit conflicts with the shutdown jobs, so they get cancelled. The failure case can be quite unpleasant, becase getty and sshd may already be stopped. Fix it by using irreversible jobs for shutdown (reboot/poweroff/...) actions. This applies to commands like "reboot", "telinit 6", "systemctl reboot". Should someone desire to use reversible jobs, they can say "systemctl start reboot.target".`

honor SELinux labels, when creating and writing config files Also split out some fileio functions to fileio.c and provide a SELinux aware pendant in fileio-label.c see https://bugzilla.redhat.com/show_bug.cgi?id=881577

logind: rework delay inhibition logic - Don't allow any locks to be taken while we are in the process of executing the specific operation, so that apps are not surprised if a suspend/shutdown happens while they rely on their inhibitor. - Get rid of the Resumed signal, it was a bad idea, and redundant due to PrepareForSleep(false), see below. - Always send out PrepareFor{Shutdown,Sleep} signals, instead of only if a delay lock is taken. - Move PrepareForSleep(false) after we come back from the suspend, so that apps can use this as "Resumed" notification. This also has the benefit that apps know when to take a new lock.

logind: add UnlockSessions() clal to complement LockSessions()

logind: send Resumed() signal after we come back from suspend/hibernate/hybrid-sleep This allows clients to get asynchronous notifications for user-requested suspend/hibernate cycles. Kernel-triggered automatic suspending is not covered.

logind: only allow one shutdown/sleep action to be queued at the same time This should make sure that closing the lid while shutting down won't suspend the machine but will simply cause the shutdown to complete.

logind: ignore non-tty/non-x11 session when checking if there are other sessions before shutting down https://bugzilla.redhat.com/show_bug.cgi?id=890827

logind: add support for automatic suspend/hibernate/shutdown on idle

dbus-common: Add helper method to handle no-reply messages [Tested in latest gnome-ostree; if accepted, I'll look at a followup patch which fixes the other dbus_connection_send(reply, ...) calls besides logind] DBus messages can have a flag NO_REPLY associated that means "I don't need a reply". This is for efficiency reasons - for one-off requests that can't return an error, etc. However, it's up to users to manually check dbus_message_get_no_reply() from a message. libdbus will happily send out a reply if you don't. Unfortunately, doing so is not just less efficient - it also triggers a security error, for complex reasons. This is something that will eventually be fixed in dbus, but it's also correct to handle it in client applications. This new helper API is slightly nicer in that you don't have to pass NULL to say you don't want a reply serial for your reply. This patch also tweaks logind to use the API - there are more areas of the code that need this treatment too.

logind: it's OK if a process on an pty requests a session for seat0 After all, if a sudo/su inside an X terminal should get added to the same session as the X session itself.

logind: unify all session lock loop

logind: support for hybrid sleep (i.e. suspend+hibernate at the same time)

logind: only release logind session from the PAM module if the same module instance actually created it

log: introduce a macro to format message id The MESSAGE_ID=... stanza will appear in countless number of places. It is just too long to write it out in full each time. Incidentally, this also fixes a typo of MESSSAGE is three places.

logind: split up HandleSleepKey= into HandleSuspendKey= and HandleHibernateKey= The kernel and X11 distuingish these two, and Thinkpad keys have both, hence we really should distinguish them too.

logind: allow users to override their own suspend/sleep inhibitors

logind: rework power key/suspend key/lid switch handling http://lists.freedesktop.org/archives/systemd-devel/2012-September/006604.html https://bugzilla.gnome.org/show_bug.cgi?id=680689 This changes the meaning of the HandlePowerKey=/HandleSleepKey=/HandleLidSwitch= setting of logind.conf

logind: split up inhibit acquire policy

journal: generate structured journal messages for a number of events

logind: use bus_method_call_with_reply() where posible

logind: add LockSessions() call to lock all local sessions at once

logind: add PreparingForShutdown/PreparingForSleep properties

logind: fix check for multiple sessions The "$action-multiple-sessions" polkit actions are defined as "$action while other users are logged in". To me this implies that the following sessions should not count: - greeter sessions - user sessions belonging to the same user as the one who's asking Not sure how to treat class SESSION_LOCK_SCREEN. I never have these. I just ignore every class that's not SESSION_USER. https://bugzilla.redhat.com/show_bug.cgi?id=814424

logind: fix indentation

logind: interpret the can_sleep return value properly can_sleep() returns a boolean, so a return value > 0 does not mean 'na'.

mkdir: append _label to all mkdir() calls that explicitly set the selinux context

logind: optionally handle power, sleep and lid switch events This takes handling of chassis power and sleep keys as well as the lid switch over from acpid. This logic is enabled by default for power and sleep keys, but not for the lid switch. If a graphical session is in the foreground no action is taken under the assumption that the graphical session does this.

logind: implement suspend/hibernate calls with inhibition logic

util: split-out path-util.[ch]

logind: implement delay inhibitor locks in addition to block inhibitor locks This is useful to allow applications to synchronously save data before the system is suspended or shut down.

login: assing /dev/console logins to seat0

logind: hook up inhibit logic with idle hint logic

logind: add shutdown/suspend/idle inhibition framework

relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.

rename basic.la to shared.la and put selinux deps in shared-selinx.la Only 34 of 74 tools need libselinux linked, and libselinux is a pain with its unconditional library constructor.

logind: close FIFO before ending sessions cleanly For clean session endings ask logind explicitly to get rid of the FIFO before closing it so that the FIFO logic doesn't result in su/sudo to be terminated immediately.

login: track login class (i.e. one of "user", "greeter", "lock-screen") for each session This introduces the new PAM environment variable XDG_SESSION_CLASS. If not set, defaults to "user". This is useful for apps that want to distuingish real user logins from "fake" ones which just exist to show a gdm login screen or a lock screen.

logind: introduce CanReboot/CanPowerOff bus calls

logind: fix introspection data

logind: introduce ActivateSessionOnSeat()

logind: add GetSessionByPID() bus call

logind: make sure we create /var/lib/systemd before using it

dbus: more efficient implementation of properties The way the various properties[] arrays are initialized is inefficient: - only the .data members change at runtime, yet the whole arrays of properties with all the fields are constructed on the stack one by one by the code. - there's duplication, eg. the properties of "org.freedesktop.systemd1.Unit" are repeated in several unit types. Fix it by moving the information about properties into static const sections. Instead of storing the .data directly in the property, store a constant offset from a run-time base. The small arrays of struct BusBoundProperties bind together the constant information with the right runtime information (the base pointer). On my system the code shrinks by 60 KB, data increases by 10 KB.

logind: if we can't open /dev/tty0, assume there is no VT subsystem and don't pretend we could do VT switching

logind: move logind into its own subdirectory