tree-wide: remove Emacs lines from all files This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.

tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.

util-lib: split out allocation calls into alloc-util.[ch]

user-util: move UID/GID related macros from macro.h to user-util.h

bus-util: support details in CheckAuthorization calls Extra details for an action can be supplied when calling polkit's CheckAuthorization method. Details are a list of key/value string pairs. Custom policy can use these details when making authorization decisions.

sd-bus: drop bus parameter from message callback prototype This should simplify the prototype a bit. The bus parameter is redundant in most cases, and in the few where it matters it can be derived from the message via sd_bus_message_get_bus().

logind: open up most bus calls for unpriviliged processes, using PolicyKit Also, allow clients to alter their own objects without any further priviliges. i.e. this allows clients to kill and lock their own sessions without involving PK.

logind: hide 'self' links if not available If the caller does not run in a session/seat or has no tracked user, hide the /org/freedesktop/login1/.../self links in introspection data. Otherwise, "busctl tree org.freedesktop.login1" tries to query those nodes even though it cant.

logind: when a bus call is done on a session, user or seat, optionally determine them from the caller credentials More specifically, if an operation is requested on a session with an empty name, the caller's session is used. If an operation is requested on a seat with an empty name, the seat of the caller's session is used. Finally, if an operation on the user with UID -1 is requested, the user of the client's session is used (and not the UID of the client!).

logind: include "self" object links in dbus introspection Makes "busctl introspect" a lot more fun.

logind: remove spurious include of <sys/capability.h> They do not use any functions from libcap directly. The CAP_* constants in use through these files come from "missing.h" which will import <linux/capability.h> and complement it with CAP_* constants not defined by the current kernel headers. The "missing.h" header is imported through "util.h" which gets imported in "logind.h". Tested that "systemd-logind" builds cleanly and works after this change.

sd-bus: move common errors src/shared/bus-errors.h → src/libsystemd/sd-bus/bus-common-errors.h Stuff in src/shared/ should not use stuff from src/libsystemd/ really.

sd-bus: introduce sd_bus_slot objects encapsulating callbacks or vtables attached to a bus connection This makes callback behaviour more like sd-event or sd-resolve, and creates proper object for unregistering callbacks. Taking the refernce to the slot is optional. If not taken life time of the slot will be bound to the underlying bus object (or in the case of an async call until the reply has been recieved).

bus: replace sd_bus_label_{escape,unescape}() by new sd_bus_path_{encode,decode}() The new calls work similarly, but enforce a that a common, fixed bus path prefix is used. This follows discussions with Simon McVittie on IRC that it should be a good idea to make sure that people don't use the escaping applied here too wildly as anything other than the last label of a bus path.

Introduce strv_consume which takes ownership This mirrors set_consume and makes the common use a bit nicer.

logind: always kill session when termination is requested KillUserProcesses=yes/no should be ignored when termination is explicitly requested.

logind: introduce session "positions" logind has no concept of session ordering. Sessions have a unique name, some attributes about the capabilities and that's already it. There is currently no stable+total order on sessions. If we use the logind API to switch between sessions, we are faced with an unordered list of sessions we have no clue of. This used to be no problem on seats with VTs or on seats with only a single active session. However, with the introduction of multi-session capability for seats without VTs, we need to find a way to order sessions in a stable way. This patch introduces session "positions". A position is a simple integer assigned to a session which is never changed implicitly (currently, we also don't change it explicitly, but that may be changed someday). For seats with VTs, we force the position to be the same as the VTnr. Without VTs, we simply find the lowest unassigned number and use it as position. If position-assignment fails or if, for any reason, we decide to not assign a position to a session, the position is set to 0 (which is treated as invalid position). During session_load() or if two sessions have the same VTnr, we may end up with two sessions with the same position (this shouldn't happen, but lets be fail-safe in case some other part of the stack fails). This case is dealt with gracefully by ignoring any session but the first session assigned to the position. Thus, session->pos is a hint, seat->positions[i] is the definite position-assignment. Always verify both match in case you need to modify them! Additionally, we introduce SwitchTo(unsigned int) on the seat-dbus-API. You can call it with any integer value != 0 and logind will try to switch to the request position. If you implement a compositor or any other session-controller, you simply watch for ctrl+alt+F1 to F12 and call SwitchTo(Fx). logind will figure a way out deal with this number. For convenience, we also introduce SwitchToNext/Previous(). It should be called on ctrl+alt+Left/Right (like the kernel-console used to support). Note that the public API (SwitchTo*()) is *not* bound to the underlying logic that is implemented now. We don't export "session-positions" on the dbus/C API! They are an implementation detail. Instead, the SwitchTo*() API is supposed to be a hint to let logind choose the session-switching logic. Any foreground session-controller is free to enumerate/order existing sessions according to their needs and call Session.Activate() manually. But the SwitchTo*() API provides a uniform behavior across session-controllers. Background: Session-switching keys depend on the active keymap. The XKB specification provides the XKB_KEY_XF86Switch_VT_1-12 key-symbols which have to be mapped by all keymaps to allow session-switching. It is usually bound to ctrl+alt+Fx but may be set differently. A compositor passes any keyboard input to XKB before passing it to clients. In case a key-press invokes the XKB_KEY_XF86Switch_VT_x action, the keypress is *not* forwarded to clients, but instead a session-switch is scheduled. This actually prevents us from handling these keys outside of the session. If an active compositor has a keymap with a different mapping of these keys, and logind itself tries to catch these combinations, we end up with the key-press sent to the compositor's clients *and* handled by logind. This is *bad* and we must avoid this. The only situation where a background process is allowed to handle key-presses is debugging and emergency-keys. In these cases, we don't care for keymap mismatches and accept the double-event. Another exception is unmapped keys like PowerOff/Suspend (even though this one is controversial).

bus: decorate the various object vtables with SD_BUS_VTABLE_PROPERTY_CONST where appropriate

bus: introduce "trusted" bus concept and encode access control in object vtables Introduces a new concept of "trusted" vs. "untrusted" busses. For the latter libsystemd-bus will automatically do per-method access control, for the former all access is automatically granted. Per-method access control is encoded in the vtables: by default all methods are only accessible to privileged clients. If the SD_BUS_VTABLE_UNPRIVILEGED flag is set for a method it is accessible to unprivileged clients too. By default whether a client is privileged is determined via checking for its CAP_SYS_ADMIN capability, but this can be altered via the SD_BUS_VTABLE_CAPABILITY() macro that can be ORed into the flags field of the method. Writable properties are also subject to SD_BUS_VTABLE_UNPRIVILEGED and SD_BUS_VTABLE_CAPABILITY() for controlling write access to them. Note however that read access is unrestricted, as PropertiesChanged messages might send out the values anyway as an unrestricted broadcast. By default the system bus is set to "untrusted" and the user bus is "trusted" since per-method access control on the latter is unnecessary. On dbus1 busses we check the UID of the caller rather than the configured capability since the capability cannot be determined without race. On kdbus the capability is checked if possible from the attached meta-data of a message and otherwise queried from the sending peer. This also decorates the vtables of the various daemons we ship with these flags.

logind: fix "CanGraphical" attribute to return correct value We should return seat_can_graphical() instead of seat_can_tty() for the public dbus CanGraphical attribute. This used to work, but the dbus -> sd-bus conversion introduced this regression.

bus: add new sd_bus_creds object to encapsulate process credentials This way we can unify handling of credentials that are attached to messages, or can be queried for bus name owners or connection peers. This also adds the ability to extend incomplete credential information with data from /proc, Also, provide a convenience call that will automatically determine the most appropriate credential object for an incoming message, by using the the attached information if possible, the sending name information if available and otherwise the peer's credentials.

bus: also add error parameter to object find and enumerator callbacks Just in order to bring things inline with the method and property callbacks.

bus: rework message handlers to always take an error argument Message handler callbacks can be simplified drastically if the dispatcher automatically replies to method calls if errors are returned. Thus: add an sd_bus_error argument to all message handlers. When we dispatch a message handler and it returns negative or a set sd_bus_error we send this as message error back to the client. This means errors returned by handlers by default are given back to clients instead of rippling all the way up to the event loop, which is desirable to make things robust. As a side-effect we can now easily turn the SELinux checks into normal function calls, since the method call dispatcher will generate the right error replies automatically now. Also, make sure we always pass the error structure to all property and method handlers as last argument to follow the usual style of passing variables for return values as last argument.

bus: let's simplify things by getting rid of unnecessary bus parameters

bus: add API calls to escape string components of objects paths

core: convert PID 1 to libsystemd-bus This patch converts PID 1 to libsystemd-bus and thus drops the dependency on libdbus. The only remaining code using libdbus is a test case that validates our bus marshalling against libdbus' marshalling, and this dependency can be turned off. This patch also adds a couple of things to libsystem-bus, that are necessary to make the port work: - Synthesizing of "Disconnected" messages when bus connections are severed. - Support for attaching multiple vtables for the same interface on the same path. This patch also fixes the SetDefaultTarget() and GetDefaultTarget() bus calls which used an inappropriate signature. As a side effect we will now generate PropertiesChanged messages which carry property contents, rather than just invalidation information.

logind: add virtual object paths that always can be used to refer to the callers session, user, seat or machine object This way clients can skip invoking GetSessionByPID() for their own PID or a similar call to access these objects.

logind: port logind to libsystemd-bus

logind: add infrastructure to keep track of machines, and move to slices - This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.

move _cleanup_ attribute in front of the type http://lists.freedesktop.org/archives/systemd-devel/2013-April/010510.html

logind: exploit previous cleanups and simplify returns

logind: Make more use of cleanup macros

Use bus_maybe_send_reply() where applicable This is a followup to: commit 1a37b9b9043ef83e9900e460a9a1fccced3acf89 It will fix denial messages from dbus-daemon between gdm and systemd-logind on logging into GNOME due to this. See the previous commit for more details.

logind: expose CanGraphical and CanTTY properties on seat objects Since we boot so fast now that gdm might get started before the graphics drivers are properly loaded and probed we might end up announcing seat0 to gdm before it has graphics capabilities. Which will cause gdm/X11 cause to fail later on. To fix this race, let's expose CanGraphical and CanTTY fields on all seats, which clarify whether a seat is suitable for gdm resp, suitable for text logins. gdm then needs to watch CanGraphical and spawn X11 on it only if it is true. This way: USB graphics seats will expose CanGraphical=yes, CanTTY=no Machines with no graphics drivers at all, but a text console: CanGraphical=no, CanTTY=yes Machines with CONFIG_VT turned off: CanGraphical=yes, CanTTY=no And the most important case: seat0 where the graphics driver has not been probed yet boot up with CanGraphical=no, CanTTY=yes first, which then changes to CanGraphical=yes as soon as the probing is complete.

relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.

dbus: more efficient implementation of properties The way the various properties[] arrays are initialized is inefficient: - only the .data members change at runtime, yet the whole arrays of properties with all the fields are constructed on the stack one by one by the code. - there's duplication, eg. the properties of "org.freedesktop.systemd1.Unit" are repeated in several unit types. Fix it by moving the information about properties into static const sections. Instead of storing the .data directly in the property, store a constant offset from a run-time base. The small arrays of struct BusBoundProperties bind together the constant information with the right runtime information (the base pointer). On my system the code shrinks by 60 KB, data increases by 10 KB.

logind: if we can't open /dev/tty0, assume there is no VT subsystem and don't pretend we could do VT switching

logind: move logind into its own subdirectory