Commit Graph

70015 Commits

Yu Watanabe
032fd10de8 test-network: use read_networkd_log() at one more place 2024-01-06 12:46:00 +09:00
Yu Watanabe
bd581438a1 test-network: sync journal before read
Otherwise, test cases that check journal entries, e.g. test_unit_file()
may fail.
2024-01-06 12:45:59 +09:00
Lennart Poettering
6db53d20f5 nspawn: lock down access to notify socket a bit
On Linux only the "w" access bit is necessary to connect to an AF_UNIX
socket, hence let's only set that and nothing else, to limit exposure.

Just paranoia.
2024-01-06 11:21:00 +09:00
Frantisek Sumsal
d7942fe5fc core: escape spaces in paths during serialization
Otherwise we split them incorrectly when deserializing them.

Resolves: #30747
2024-01-06 11:19:59 +09:00
Yu Watanabe
b82b4d258e Merge pull request #30794 from poettering/parse-vsock-better
socket-util: add more careful parsers for AF_VSOCK cid/port
2024-01-06 11:16:19 +09:00
Yu Watanabe
7ba3e44651 udevadm: allow overriding the default log level by environment variable
Previously, there was no way to override the log level for test and
test-builtin commands. Let's re-parse the environment after setting the log
level to debug. Then, we can control the log level through the environment
variable.
2024-01-06 08:30:58 +09:00
Yu Watanabe
976309db6a Merge pull request #30796 from mrc0mmand/journalctl-namespaces
journalctl: provide shell completion for --namespace=
2024-01-06 08:30:31 +09:00
Lennart Poettering
a6a7983dbf dev-setup: rework make_inaccessible_nodes() around openat() and friends
Let's operate on fds rather than paths. Make some tweaks to the logic on
top:

1. Mark the resulting dir as read-only after we are done.
2. Use the new inode_type_to_string() calls to determine the inode
   names.
3. If an inode already exists, try to adjust the access mode, just in
   case.
4. Use FOREACH_ARRAY()
2024-01-06 08:27:51 +09:00
Yu Watanabe
0d1706b5fa Merge pull request #30775 from yuwata/network-nexthop-is-ready
network: introduce nexthop_is_ready() helper function and use it
2024-01-06 08:27:35 +09:00
networkException
dcfac3a3f9 parse-helpers: allow port 0 for socket bind items
This patch adds a new parameter to parse_ip_port_range, giving callers
the option to allow ranges to have their min be 0 instead of 1.

This is then used by parse_ip_ports_token, in turn used by
parse_socket_bind_item to allow port 0 when restricting bind system
calls with SocketBindDeny / SocketBindAllow.

With this, users running server software written using the golang
standard library will be able to effectively sandbox their software,
albeit with a small loss in security protections by allowing the
process to bind on a random port in the
/proc/sys/net/ipv4/ip_local_port_range.
2024-01-06 08:27:14 +09:00
Lennart Poettering
9807ee19b0 Merge pull request #30791 from poettering/nspawn-restrict-run-host
nspawn: make some files we expose in /run/host/ in nspawn read-only via access mode
2024-01-05 22:37:29 +01:00
Lennart Poettering
32fa24582c nspawn: add new common make_run_host() helper
This new helper creates the /run/host/ top-level dir inside the
container.
2024-01-05 22:34:47 +01:00
Lennart Poettering
8e471c6a9f socket-util: add more careful parsers for AF_VSOCK cid/port
Let's handle the magic CIDs, and filter out invalid ports.
2024-01-05 22:29:55 +01:00
Lennart Poettering
41dd51f8f5 missing: add a bunch of vsock related defines 2024-01-05 22:29:55 +01:00
Yu Watanabe
92a39246ad Merge pull request #30790 from poettering/null-creds-allow-with-tpm
creds: allow using NULL encryption if explicitly requested even if TPM is available, and add a comprehensive credential encryption/decryption test
2024-01-06 04:26:38 +09:00
Frantisek Sumsal
178c8c24ec shell-completion: provide completion for journalctl --namespace=
Resolves: #30381
2024-01-05 19:21:51 +01:00
Frantisek Sumsal
2fe03e25fb shell-completion: fix mixed indent 2024-01-05 19:21:51 +01:00
Frantisek Sumsal
68f66a1713 journalctl: implement --list-namespaces
Apart from being useful on its own, this will be used in the following
commit for shell completions.
2024-01-05 19:21:51 +01:00
Lennart Poettering
05794f5c48 nspawn: set read-only access mode on two /run/host/ files
The directory is mounted read-only anyway, hence this doesn't do much,
but let's lock this down on every level we can.
2024-01-05 17:31:08 +01:00
Lennart Poettering
2148c669d2 fileio: add new flag WRITE_STRING_FILE_MODE_0444
With this write_string_file() will create the file with 0444 access mode
(i.e. read-only).
2024-01-05 17:30:41 +01:00
Lennart Poettering
3a3315c705 test: add credential encryption/decryption test 2024-01-05 17:20:05 +01:00
Lennart Poettering
9c3d8db990 creds-util: optionally, allow NULL credentials even with TPM 2024-01-05 17:20:05 +01:00
Lennart Poettering
3289aba5a0 Merge pull request #30754 from poettering/iovecification
tpm2-util: convert various things over to struct iovec rather than data ptr + size
2024-01-05 14:45:15 +01:00
Lennart Poettering
53cea64542 Merge pull request #30784 from poettering/json-dispatch-enum
json: add macro for automatically defining a dispatcher for an enum
2024-01-05 14:44:59 +01:00
Lennart Poettering
fe10493ca8 Merge pull request #30785 from poettering/json-allow-extensions
json: add flag for allowing extension of json objects when dispatching, without otherwise being permissive
2024-01-05 14:44:50 +01:00