tree-wide: remove Emacs lines from all files This should be handled fine now by .dir-locals.el, so need to carry that stuff in every file.

logind: simplify job variable handling manager_{start,stop}_{slice,scope,unit} functions had an optional job output parameter. But all callers specified job, so make the parameter mandatory, add asserts. Also extract common job variable handling to a helper function to avoid duplication. Avoids gcc warning about job being unitialized.

tree-wide: check if errno is greater than zero (2) Compare errno with zero in a way that tells gcc that (if the condition is true) errno is positive.

tree-wide: expose "p"-suffix unref calls in public APIs to make gcc cleanup easy GLIB has recently started to officially support the gcc cleanup attribute in its public API, hence let's do the same for our APIs. With this patch we'll define an xyz_unrefp() call for each public xyz_unref() call, to make it easy to use inside a __attribute__((cleanup())) expression. Then, all code is ported over to make use of this. The new calls are also documented in the man pages, with examples how to use them (well, I only added docs where the _unref() call itself already had docs, and the examples, only cover sd_bus_unrefp() and sd_event_unrefp()). This also renames sd_lldp_free() to sd_lldp_unref(), since that's how we tend to call our destructors these days. Note that this defines no public macro that wraps gcc's attribute and makes it easier to use. While I think it's our duty in the library to make our stuff easy to use, I figure it's not our duty to make gcc's own features easy to use on its own. Most likely, client code which wants to make use of this should define its own: #define _cleanup_(function) __attribute__((cleanup(function))) Or similar, to make the gcc feature easier to use. Making this logic public has the benefit that we can remove three header files whose only purpose was to define these functions internally. See #2008.

login: fix re-use of users If the last reference to a user is released, we queue stop-jobs for the user-service and slice. Only once those are finished, we drop the user-object. However, if a new session is opened before the user object is fully dropped, we currently incorrectly re-use the object. This has the effect, that we get stale sessions without a valid "systemd --user" instance. Fix this by properly allowing user_start() to be called, even if user->stopping is true.

login: make user->service static Just like user->slice, there is no reason to store the unit name in /run, nor should we allocate it dynamically on job instantiation/removal. Just keep it statically around at all times and rely on user->started || user->stopping to figure out whether the unit exists or not.

login: make user_new() and user_free() follow coding-style Few changes to user_new() and user_free(): - Use _cleanup_(user_freep) in constructor - return 'int' from user_new() - make user_free() deal with partially initialized objects - keep reverse-order in user_free() compared to user_new() - make user_free() return NULL - make user_free() accept NULL as no-op

login: keep user->slice constant Currently, we allocate user->slice when starting a slice, but we never release it. This is incompatible if we want to re-use a user object once it was stopped. Hence, make sure user->slice is allocated statically on the user object and use "u->started || u->stopping" as an indication whether the slice is actually available on pid1 or not.

login: simply XDG_RUNTIME_DIR management Lets not pretend we support changing XDG_RUNTIME_DIR via logind state files. There is no reason to ever write the string into /run, as we allocate it statically based on the UID, anyway. Lets stop that and just allocate the runtime_path in "struct User" at all times. We keep writing it into the /run state to make sure pam_systemd of previous installs can still read it. However, pam_systemd is now fixed to allocate it statically as well, so we can safely remove that some time in the future. Last but not least: If software depends on systemd, they're more than free to assume /run/user/$uid is their runtime dir. Lets not require sane applications to query the environment to get their runtime dir. As long as applications know their login-UID, they should be safe to deduce the runtime dir.

logind: add a new UserTasksMax= setting to logind.conf This new setting configures the TasksMax= field for the slice objects we create for each user. This alters logind to create the slice unit as transient unit explicitly instead of relying on implicit generation of slice units by simply starting them. This also enables us to set a friendly description for slice units that way.

util-lib: split out allocation calls into alloc-util.[ch]

user-util: move UID/GID related macros from macro.h to user-util.h

util-lib: move string table stuff into its own string-table.[ch]

util-lib: move a number of fs operations into fs-util.[ch]

util-lib: move mount related utility calls to mount-util.[ch]

util-lib: split string parsing related calls from util.[ch] into parse-util.[ch]

util-lib: split out fd-related operations into fd-util.[ch] There are more than enough to deserve their own .c file, hence move them over.

util: split out escaping code into escape.[ch] This really deserves its own file, given how much code this is now.

tree-wide: clean up log_syntax() usage - Rely everywhere that we use abs() on the error code passed in anyway, thus don't need to explicitly negate what we pass in - Never attach synthetic error number information to log messages. Only log about errors we *receive* with the error number we got there, don't log any synthetic error, that don#t even propagate, but just eat up. - Be more careful with attaching exactly the error we get, instead of errno or unrelated errors randomly. - Fix one occasion where the error number and line number got swapped. - Make sure we never tape over OOM issues, or inability to resolve specifiers

tree-wide: never use the off_t unless glibc makes us use it off_t is a really weird type as it is usually 64bit these days (at least in sane programs), but could theoretically be 32bit. We don't support off_t as 32bit builds though, but still constantly deal with safely converting from off_t to other types and back for no point. Hence, never use the type anymore. Always use uint64_t instead. This has various benefits, including that we can expose these values directly as D-Bus properties, and also that the values parse the same in all cases.

tree-wide: use coccinelle to patch a lot of code to use mfree() This replaces this: free(p); p = NULL; by this: p = mfree(p); Change generated using coccinelle. Semantic patch is added to the sources.

tree-wide: port everything over to fflush_and_check() Some places invoked fflush() directly with their own manual error checking, let's unify all that by using fflush_and_check(). This also unifies the general error paths of fflush()+rename() file writers.

logind: save /run/systemd/users/UID before starting user@.service Previously, this had a race condition during a user's first login. Some component calls CreateSession (most likely by a PAM service other than 'systemd-user' running pam_systemd), with the following results: - logind: * create the user's XDG_RUNTIME_DIR * tell pid 1 to create user-UID.slice * tell pid 1 to start user@UID.service Then these two processes race: - logind: * save information including XDG_RUNTIME_DIR to /run/systemd/users/UID - the subprocess of pid 1 responsible for user@service: * start a 'systemd-user' PAM session, which reads XDG_RUNTIME_DIR and puts it in the environment * run systemd --user, which requires XDG_RUNTIME_DIR in the environment If logind wins the race, which usually happens, everything is fine; but if the subprocesses of pid 1 win the race, which can happen under load, then systemd --user exits unsuccessfully. To avoid this race, we have to write out /run/systemd/users/UID even though the service has not "officially" started yet; previously this did an early-return without saving anything. Record its state as OPENING in this case. Bug: https://github.com/systemd/systemd/issues/232 Reviewed-by: Philip Withnall <philip.withnall@collabora.co.uk>

logind: apply selinux label to XDG_RUNTIME_DIR As discussed in #257: we should ensure the selinux label is correctly applied to each user's XDG_RUNTIME_DIR.

everywhere: actually make use of DUAL_TIMESTAMP_NULL macro Let's use it as initializer where appropriate.

login: fix potential null pointer dereference Fix CID 1304686: Dereference after null check (FORWARD_NULL) However, this commit does not fix any bug in logind. It helps to keep the elect_display_compare() function generic.

logind,sd-event: drop spurious new-lines

logind: Fix user_elect_display() to be more stable The previous implementation of user_elect_display() could easily end up overwriting the user’s valid graphical session with a new TTY session. For example, consider the situation where there is one session: c1, type = SESSION_X11, !stopping, class = SESSION_USER it is initially elected as the user’s display (i.e. u->display = c1). If another session is started, on a different VT, the sessions_by_user list becomes: c1, type = SESSION_X11, !stopping, class = SESSION_USER c2, type = SESSION_TTY, !stopping, class = SESSION_USER In the previous code, graphical = c1 and text = c2, as expected. However, neither graphical nor text fulfil the conditions for setting u->display = graphical (because neither is better than u->display), so the code falls through to check the text variable. The conditions for this match, as u->display->type != SESSION_TTY (it’s actually SESSION_X11). Hence u->display is set to c2, which is incorrect, because session c1 is still valid. Refactor user_elect_display() to use a more explicit filter and pre-order comparison over the sessions. This can be demonstrated to be stable and only ever ‘upgrade’ the session to a more graphical one. https://bugs.freedesktop.org/show_bug.cgi?id=90769

path-util: Change path_is_mount_point() symlink arg from bool to flags This makes path_is_mount_point() consistent with fd_is_mount_point() wrt. flags.

core: rework unit name validation and manipulation logic A variety of changes: - Make sure all our calls distuingish OOM from other errors if OOM is not the only error possible. - Be much stricter when parsing escaped paths, do not accept trailing or leading escaped slashes. - Change unit validation to take a bit mask for allowing plain names, instance names or template names or an combination thereof. - Refuse manipulating invalid unit name

shared: add formats-util.h

util: rework rm_rf() logic - Move to its own file rm-rf.c - Change parameters into a single flags parameter - Remove "honour sticky" logic, it's unused these days

remove unused includes This patch removes includes that are not used. The removals were found with include-what-you-use which checks if any of the symbols from a header is in use.

logind: tell Coverity that we knowingly ignore mkdir()'s return value

util: rework strappenda(), and rename it strjoina() After all it is now much more like strjoin() than strappend(). At the same time, add support for NULL sentinels, even if they are normally not necessary.

logind: chown+chmod /run/user/$UID if mount(tmpfs) fails with EPERM In containers without CAP_SYS_ADMIN, it is not possible to mount tmpfs (or any filesystem for that matter) on top of /run/user/$UID. Previously, logind just failed in such a situation. Now, logind will resort to chown+chmod of the directory instead. This allows logind still to work in those environments, although without the guarantees it provides (i.e. users not being able to DOS /run or other users' /run/user/$UID space) when CAP_SYS_ADMIN is available.

logind: remove per-user runtime dir again if setup fails If setup of per-user runtime dir fails, clean up afterwards by removing the directory before returning from the function, so we don't leave the directory behind. If this is not done, the second time the user logs in logind would assume that the directory is already set up, even though it isn't.

logind: unify how we cast between uid_t and pointers for hashmap keys

treewide: use log_*_errno whenever %m is in the format string If the format string contains %m, clearly errno must have a meaningful value, so we might as well use log_*_errno to have ERRNO= logged. Using: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\((".*%m.*")/log_\1_errno(errno, \2/' Plus some whitespace, linewrap, and indent adjustments.

treewide: yet more log_*_errno + return simplifications Using: find . -name '*.[ch]' | while read f; do perl -i.mmm -e \ 'local $/; local $_=<>; s/(if\s*\([^\n]+\))\s*{\n(\s*)(log_[a-z_]*_errno\(\s*([->a-zA-Z_]+)\s*,[^;]+);\s*return\s+\g4;\s+}/\1\n\2return \3;/msg; print;' $f done And a couple of manual whitespace fixups.

treewide: no need to negate errno for log_*_errno() It corrrectly handles both positive and negative errno values.

treewide: auto-convert the simple cases to log_*_errno() As a followup to 086891e5c1 "log: add an "error" parameter to all low-level logging calls and intrdouce log_error_errno() as log calls that take error numbers", use sed to convert the simple cases to use the new macros: find . -name '*.[ch]' | xargs sed -r -i -e \ 's/log_(debug|info|notice|warning|error|emergency)\("(.*)%s"(.*), strerror\(-([a-zA-Z_]+)\)\);/log_\1_errno(-\4, "\2%m"\3);/' Multi-line log_*() invocations are not covered. And we also should add log_unit_*_errno().

mac: also rename use_{smack,selinux,apparmor}() calls so that they share the new mac_{smack,selinux,apparmor}_xyz() convention

logind: mount per-user tmpfs with 'smackfsroot=*' for smack enabled systems

logind: add new session type "web" for PAM web clients, such as cockpit On request of Stef Walter.

logind: fix Display property of user objects When we dropped support for creating a per-user to the "main" X11 display we stopped returning useful data in the "Display" user property. With this change this is fixed and we again expose an appropriate (graphical session) in the property that is useful as the "main" one, if one is needed.

Remove unnecessary casts in printfs No functional change expected :)

logind: automatically remove SysV + POSIX IPC objects when the users owning them fully log out

logind: make $XDG_RUNTIME_DIR a per-user tmpfs This way each user allocates from his own pool, with its own size limit. This puts the size limit by default to 10% of the physical RAM size but makes it configurable in logind.conf.

logind: make sure to terminate systemd user on logouts Currently if the user logs out, the GC may never call user_stop(), this will not terminate the systemd user and (sd-pam) of that user. To fix this, remove the USER_CLOSING state check that is blocking the GC from calling user_stop(). Since if user_check_gc() returns false this means that all the sessions of the user were removed which will make user_get_state() return USER_CLOSING. Conclusion: that test will never be statisfied. So we remove the USER_CLOSING check and replace it with a check inside user_stop() this way we know that user_stop() has already queued stop jobs, no need to redo. This ensures that the GC will get its two steps correctly as pointed out by Lennart: http://lists.freedesktop.org/archives/systemd-devel/2014-February/016825.html Note: this also fixes another bug that prevents creating the user private dbus socket which will break communications with the user manager.

logind: always kill session when termination is requested KillUserProcesses=yes/no should be ignored when termination is explicitly requested.

logind: use session_get_state() to get sessions state of the user In function user_get_state() remove the session_is_active() check, just count on the session_get_state() function to get the correct session state. session_is_active() may return true before starting the session scope and user service, this means it will return true even before the creation of the session fifo_fd which will produce incorrect states. So be consistent and just use session_get_state().

logind: rework session shutdown logic Simplify the shutdown logic a bit: - Keep the session FIFO around in the PAM module, even after the session shutdown hook has been finished. This allows logind to track precisely when the PAM handler goes away. - In the ReleaseSession() call start a timer, that will stop terminate the session when elapsed. - Never fiddle with the KillMode of scopes to configure whether user processes should be killed or not. Instead, simply leave the scope units around when we terminate a session whose processes should not be killed. - When killing is enabled, stop the session scope on FIFO EOF or after the ReleaseSession() timeout. When killing is disabled, simply tell PID 1 to abandon the scope. Because the scopes stay around and hence all processes are always member of a scope, the system shutdown logic should be more robust, as the scopes can be shutdown as part of the usual shutdown logic.

Update some message formats Use PID_FMT/USEC_FMT/... in more places. Also update logind error messages to print the full path to a file that failed. This should make debugging easier for people who do not know off the top of their head where logind stores it state.

logind: remove dead variable Noticed-by: Jan Alexander Steffens <jan.steffens@gmail.com>

login: Don't stop a running user manager from garbage-collecting the user. With the current logic, a user will never be garbage-collected, since its manager will always be around. Change the logic such that a user is garbage-collected when it has no sessions and linger is disabled.

logind: expose linger state on User object

logind: port logind to libsystemd-bus

list: make our list macros a bit easier to use by not requring type spec on each invocation We can determine the list entry type via the typeof() gcc construct, and so we should to make the macros much shorter to use.

logind: restore logic to kill user processes when session ends

logind: after deserializatio readd systemd units to unit-to-object hashmap correctly

machined: split out machine registration stuff from logind Embedded folks don't need the machine registration stuff, hence it's nice to make this optional. Also, I'd expect that machinectl will grow additional commands quickly, for example to join existing containers and suchlike, hence it's better keeping that separate from loginctl.

logind: port over to use scopes+slices for all cgroup stuff In order to prepare things for the single-writer cgroup scheme, let's make logind use systemd's own primitives for cgroup management. Every login user now gets his own private slice unit, in which his sessions live in a scope unit each. Also, add user@$UID.service to the same slice, and implicitly start it on first login.

core: general cgroup rework Replace the very generic cgroup hookup with a much simpler one. With this change only the high-level cgroup settings remain, the ability to set arbitrary cgroup attributes is removed, so is support for adding units to arbitrary cgroup controllers or setting arbitrary paths for them (especially paths that are different for the various controllers). This also introduces a new -.slice root slice, that is the parent of system.slice and friends. This enables easy admin configuration of root-level cgrouo properties. This replaces DeviceDeny= by DevicePolicy=, and implicitly adds in /dev/null, /dev/zero and friends if DeviceAllow= is used (unless this is turned off by DevicePolicy=).

logind: add infrastructure to keep track of machines, and move to slices - This changes all logind cgroup objects to use slice objects rather than fixed croup locations. - logind can now collect minimal information about running VMs/containers. As fixed cgroup locations can no longer be used we need an entity that keeps track of machine cgroups in whatever slice they might be located. Since logind already keeps track of users, sessions and seats this is a trivial addition. - nspawn will now register with logind and pass various bits of metadata along. A new option "--slice=" has been added to place the container in a specific slice. - loginctl gained commands to list, introspect and terminate machines. - user.slice and machine.slice will now be pulled in by logind.service, since only logind.service requires this slice.

cgroup: make sure all our cgroup objects have a suffix and are properly escaped Session objects will now get the .session suffix, user objects the .user suffix, nspawn containers the .nspawn suffix. This also changes the user cgroups to be named after the numeric UID rather than the username, since this allows us the parse these paths standalone without requiring access to the cgroup file system. This also changes the mapping of instanced units to cgroups. Instead of mapping foo@bar.service to the cgroup path /user/foo@.service/bar we will now map it to /user/foo@.service/foo@bar.service, in order to ensure that all our objects are properly suffixed in the tree.

core: always create /user and /machine top-level cgroup dirs This allows clients to put inotify watches on these trees to watch for state changes, without having to wait until these dirs are created. This introduces the new top-level /machine cgroup dir as canonical location where OS containers and VMs shall be located (as discussed with the libvirt folks).

honor SELinux labels, when creating and writing config files Also split out some fileio functions to fileio.c and provide a SELinux aware pendant in fileio-label.c see https://bugzilla.redhat.com/show_bug.cgi?id=881577

logind: check return value, log warning on error

logind: Add a two new variables to the user session tracking file. This counts 'online sessions' in addition to 'active sessions' and 'sessions'. In this context, an 'online session' covers all session in the 'active' state in addition to the explicit 'online' state. This provides an easy machanism to determin all relevant sessions easily (i.e. those that are not 'closing') and adds new semantics to the sd-login.c APIs sd_uid_get_sessions() and sd_uid_get_seats() where the require_active argument can be supplied as a value 2 which only lists sessions which are 'online'. This functionality should allow client applications to avoid deadlocks where they only exit when all sessions are complete, such as a the problem where PulseAudio will not exit until all sessions are gone, but in itself prevents the session from exiting.

logind: Properly list the ACTIVE_SEATS in the user session tracking file. Prevsiouly the first active seat for a user would never be listed and any subsequent seats would be concatenated on without any spaces.

logind: If all user sessions are in closing state, set the overall status to closing. PulseAudio for example will keep a client connection open provided at least one session exists. However, if all sessions are currently in the process of closing, we should flag that as the overall state appropriately to better reflect what is happening. Although this does better reflect the status for any given user, it does not actually solve the overall problem of PulseAudio still finding some sessions active and thus not exiting and therefore actually preventing the session from closing. Future commits will extend sd-login to cope with this situation.

log.h: new log_oom() -> int -ENOMEM, use it also a number of minor fixups and bug fixes: spelling, oom errors that didn't print errors, not properly forwarding error codes, few more consistency issues, et cetera

use "Out of memory." consistantly (or with "\n") glibc/glib both use "out of memory" consistantly so maybe we should consider that instead of this. Eliminates one string out of a number of binaries. Also fixes extra newline in udev/scsi_id

login: initialize XDG_RUNTIME_DIR as /run/user/$UID instead of /run/user/$USER The sssd folks would like to place the kerberos credential cache in XDG_RUNTIME_DIR, but need to do that in the PAM auth hooks, before pam_systemd is run as part of the PAM session setup. Hence, in order to make this easy for them: avoid usage of usernames, and use user IDs instead thus making an additional NSS lookup unnecessary in the kerberos bits, but still have the directory well-defined so that the kerberos bits can determine it before pam_systemd is run.

logind: add new user state 'closing'

logind: properly clean up user cgroups when they run empty

mkdir: append _label to all mkdir() calls that explicitly set the selinux context

logind: fix write out of user state file

relicense to LGPLv2.1 (with exceptions) We finally got the OK from all contributors with non-trivial commits to relicense systemd from GPL2+ to LGPL2.1+. Some udev bits continue to be GPL2+ for now, but we are looking into relicensing them too, to allow free copy/paste of all code within systemd. The bits that used to be MIT continue to be MIT. The big benefit of the relicensing is that closed source code may now link against libsystemd-login.so and friends.

rename basic.la to shared.la and put selinux deps in shared-selinx.la Only 34 of 74 tools need libselinux linked, and libselinux is a pain with its unconditional library constructor.

logind: simplify session_activate() a bit

logind: downgrade login message to debug The messages make people nervous. https://bugzilla.redhat.com/show_bug.cgi?id=727315

logind: move logind into its own subdirectory