[systemd-commits] 6 commits - TODO src/core src/libsystemd src/systemctl src/systemd

Lennart Poettering lennart at kemper.freedesktop.org
Mon Oct 13 08:19:39 PDT 2014


 TODO                                           |    6 +--
 src/core/org.freedesktop.systemd1.policy.in.in |   11 ------
 src/libsystemd/sd-bus/bus-message.c            |   19 ++++++++++
 src/libsystemd/sd-bus/bus-protocol.h           |    3 +
 src/libsystemd/sd-bus/bus-util.c               |   19 ++++++++--
 src/systemctl/systemctl.c                      |   45 +++++++++++++------------
 src/systemd/sd-bus.h                           |    6 ++-
 7 files changed, 68 insertions(+), 41 deletions(-)

New commits:
commit b911eb15602ad173b1b938f351e2116789bd2c71
Author: Lennart Poettering <lennart at poettering.net>
Date:   Mon Oct 13 17:17:48 2014 +0200

    bus: check allow-interactive-authorization flag when doing polkit

diff --git a/src/libsystemd/sd-bus/bus-util.c b/src/libsystemd/sd-bus/bus-util.c
index 9018bce..b8559e9 100644
--- a/src/libsystemd/sd-bus/bus-util.c
+++ b/src/libsystemd/sd-bus/bus-util.c
@@ -212,13 +212,19 @@ int bus_verify_polkit(
 #ifdef ENABLE_POLKIT
         else {
                 _cleanup_bus_message_unref_ sd_bus_message *reply = NULL;
-                int authorized = false, challenge = false;
+                int authorized = false, challenge = false, c;
                 const char *sender;
 
                 sender = sd_bus_message_get_sender(call);
                 if (!sender)
                         return -EBADMSG;
 
+                c = sd_bus_message_get_allow_interactive_authorization(call);
+                if (c < 0)
+                        return c;
+                if (c > 0)
+                        interactive = true;
+
                 r = sd_bus_call_method(
                                 call->bus,
                                 "org.freedesktop.PolicyKit1",
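Review bot: The client-controlled header flag can only raise `interactive` to true in the added block of bus_verify_polkit, never lower it. A service that passes `interactive = true` will therefore still ask polkit for user interaction on behalf of a client that did not set ALLOW_INTERACTIVE_AUTHORIZATION. Whether any caller passes true is not visible here, but if the flag is meant to be the client's opt-in, consider `interactive = c > 0;`. Otherwise state the precedence in a comment above the check, for example `/* The message flag may only enable interaction; the authorization decision itself stays with polkit */`. The same block is added in the bus_verify_polkit_async hunk at -399, and both function bodies continue outside their hunks.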
@@ -231,7 +237,7 @@ int bus_verify_polkit(
                                 "system-bus-name", 1, "name", "s", sender,
                                 action,
                                 0,
-                                interactive ? 1 : 0,
+                                !!interactive,
                                 "");
 
                 if (r < 0) {
@@ -334,6 +340,7 @@ int bus_verify_polkit_async(
         const char *sender;
         sd_bus_message_handler_t callback;
         void *userdata;
+        int c;
 #endif
         int r;
 
@@ -399,6 +406,12 @@ int bus_verify_polkit_async(
         if (!sender)
                 return -EBADMSG;
 
+        c = sd_bus_message_get_allow_interactive_authorization(call);
+        if (c < 0)
+                return c;
+        if (c > 0)
+                interactive = true;
+
         r = hashmap_ensure_allocated(registry, NULL);
         if (r < 0)
                 return r;
@@ -419,7 +432,7 @@ int bus_verify_polkit_async(
                         "system-bus-name", 1, "name", "s", sender,
                         action,
                         0,
-                        interactive ? 1 : 0,
+                        !!interactive,
                         NULL);
         if (r < 0)
                 return r;

commit 53a83f4bc037379b48a078b748287d333569ccfb
Author: Lennart Poettering <lennart at poettering.net>
Date:   Mon Oct 13 17:16:56 2014 +0200

    sd-bus: add support for new allow-interactive-authorization message header flag

diff --git a/src/libsystemd/sd-bus/bus-message.c b/src/libsystemd/sd-bus/bus-message.c
index c7cb2e6..1362a60 100644
--- a/src/libsystemd/sd-bus/bus-message.c
+++ b/src/libsystemd/sd-bus/bus-message.c
@@ -849,6 +849,13 @@ _public_ int sd_bus_message_get_auto_start(sd_bus_message *m) {
         return !(m->header->flags & BUS_MESSAGE_NO_AUTO_START);
 }
 
+_public_ int sd_bus_message_get_allow_interactive_authorization(sd_bus_message *m) {
+        assert_return(m, -EINVAL);
+
+        return m->header->type == SD_BUS_MESSAGE_METHOD_CALL &&
+                (m->header->flags & BUS_MESSAGE_ALLOW_INTERACTIVE_AUTHORIZATION);
+}
+
 _public_ const char *sd_bus_message_get_path(sd_bus_message *m) {
         assert_return(m, NULL);
 
@@ -999,6 +1006,18 @@ _public_ int sd_bus_message_set_auto_start(sd_bus_message *m, int b) {
         return 0;
 }
 
+_public_ int sd_bus_message_set_allow_interactive_authorization(sd_bus_message *m, int b) {
+        assert_return(m, -EINVAL);
+        assert_return(!m->sealed, -EPERM);
+
+        if (b)
+                m->header->flags |= BUS_MESSAGE_ALLOW_INTERACTIVE_AUTHORIZATION;
+        else
+                m->header->flags &= ~BUS_MESSAGE_ALLOW_INTERACTIVE_AUTHORIZATION;
+
+        return 0;
+}
+
 static struct bus_container *message_get_container(sd_bus_message *m) {
         assert(m);
 
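Review bot: sd_bus_message_set_allow_interactive_authorization() accepts any unsealed message, whereas the getter added in the first hunk of this file reports the flag only when the type is SD_BUS_MESSAGE_METHOD_CALL. Setting the flag on a signal or reply therefore returns 0, puts the bit into the header, and the getter still reads it back as unset. Rejecting the wrong message type up front keeps the pair consistent: add `assert_return(m->header->type == SD_BUS_MESSAGE_METHOD_CALL, -EPERM);` after the sealed check. A short comment on the getter saying that it returns 0 for non-method-call messages would also help callers such as the polkit helpers that treat the result as a tri-state.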
diff --git a/src/libsystemd/sd-bus/bus-protocol.h b/src/libsystemd/sd-bus/bus-protocol.h
index 4f46468..75c6ded 100644
--- a/src/libsystemd/sd-bus/bus-protocol.h
+++ b/src/libsystemd/sd-bus/bus-protocol.h
@@ -42,7 +42,8 @@ enum {
 
 enum {
         BUS_MESSAGE_NO_REPLY_EXPECTED = 1,
-        BUS_MESSAGE_NO_AUTO_START = 2
+        BUS_MESSAGE_NO_AUTO_START = 2,
+        BUS_MESSAGE_ALLOW_INTERACTIVE_AUTHORIZATION = 4,
 };
 
 /* Header fields */
diff --git a/src/systemd/sd-bus.h b/src/systemd/sd-bus.h
index 036ab55..9d13e94 100644
--- a/src/systemd/sd-bus.h
+++ b/src/systemd/sd-bus.h
@@ -195,9 +195,11 @@ sd_bus_message* sd_bus_message_unref(sd_bus_message *m);
 int sd_bus_message_get_type(sd_bus_message *m, uint8_t *type);
 int sd_bus_message_get_cookie(sd_bus_message *m, uint64_t *cookie);
 int sd_bus_message_get_reply_cookie(sd_bus_message *m, uint64_t *cookie);
+int sd_bus_message_get_priority(sd_bus_message *m, int64_t *priority);
+
 int sd_bus_message_get_expect_reply(sd_bus_message *m);
 int sd_bus_message_get_auto_start(sd_bus_message *m);
-int sd_bus_message_get_priority(sd_bus_message *m, int64_t *priority);
+int sd_bus_message_get_allow_interactive_authorization(sd_bus_message *m);
 
 const char *sd_bus_message_get_signature(sd_bus_message *m, int complete);
 const char *sd_bus_message_get_path(sd_bus_message *m);
@@ -221,6 +223,8 @@ int sd_bus_message_is_method_error(sd_bus_message *m, const char *name);
 
 int sd_bus_message_set_expect_reply(sd_bus_message *m, int b);
 int sd_bus_message_set_auto_start(sd_bus_message *m, int b);
+int sd_bus_message_set_allow_interactive_authorization(sd_bus_message *m, int b);
+
 int sd_bus_message_set_destination(sd_bus_message *m, const char *destination);
 int sd_bus_message_set_priority(sd_bus_message *m, int64_t priority);
 

commit b576fcf43a32c0bb2e3f8a4f61770d2cdac00fcb
Author: Lennart Poettering <lennart at poettering.net>
Date:   Mon Oct 13 17:16:12 2014 +0200

    polkit: as we dropped support for the polkit bus transport, also drop its polkit policy

diff --git a/src/core/org.freedesktop.systemd1.policy.in.in b/src/core/org.freedesktop.systemd1.policy.in.in
index 387677d..fd771b4 100644
--- a/src/core/org.freedesktop.systemd1.policy.in.in
+++ b/src/core/org.freedesktop.systemd1.policy.in.in
@@ -27,17 +27,6 @@
                 <annotate key="org.freedesktop.policykit.exec.path">@rootlibexecdir@/systemd-reply-password</annotate>
         </action>
 
-        <action id="org.freedesktop.systemd1.bus-access">
-                <_description>Privileged system and service manager access</_description>
-                <_message>Authentication is required to access the system and service manager.</_message>
-                <defaults>
-                        <allow_any>no</allow_any>
-                        <allow_inactive>no</allow_inactive>
-                        <allow_active>auth_admin_keep</allow_active>
-                </defaults>
-                <annotate key="org.freedesktop.policykit.exec.path">@bindir@/systemd-stdio-bridge</annotate>
-        </action>
-
         <action id="org.freedesktop.systemd1.manage-units">
                 <_description>Manage system services or units</_description>
                 <_message>Authentication is required to manage system services or units.</_message>

commit 0f0cf2f00f576160661873bb2f15580145ee30a9
Author: Lennart Poettering <lennart at poettering.net>
Date:   Mon Oct 13 15:45:56 2014 +0200

    update TODO

diff --git a/TODO b/TODO
index 05a61a3..7787d3c 100644
--- a/TODO
+++ b/TODO
@@ -40,19 +40,17 @@ External:
 
 Features:
 
+* rework journal-send.c to use memfds for large blobs if they are available instead of unlinked files in /tmp. Also, if we detect that the kernel knows memfds, refuse anything but sealed memfds.
+
 * maybe support a new very "soft" reboot mode, that simply kills all processes, disassembles everything, flushes /run and sysvipc, and then reexecs systemd again
 
 * man: document that corrupted journal files is nothing to act on
 
-* systemctl isolate should use ".target" as completion suffix, not ".service"
-
 * bus-proxy: when passing messages from kdbus, make sure we properly
   handle the case where a large number of fds is appended that we
   cannot pass into sendmsg() of the AF_UNIX sokcet (which only accepts
   253 messages)
 
-* check for validity of ucred fields in bus-proxy, like we do in journald
-
 * busctl: add a pcap writer, using LINKTYPE_DBUS/231
 
 * man: maybe use the word "inspect" rather than "introspect"?

commit 08073121d8171f8e6be27b0c80e2ec283064760e
Author: Lennart Poettering <lennart at poettering.net>
Date:   Mon Oct 13 15:43:09 2014 +0200

    systemctl: when mangle unit names for the "isolate", suffix with ".target" rather than ".service" by default
    
    After all, we set AllowIsolate exclusively for target units so far, and
    this is more or less the only thing that makes sense, hence also use
    ".target" as completion suffix by default.

diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
index 842ca6c..af3cc97 100644
--- a/src/systemctl/systemctl.c
+++ b/src/systemctl/systemctl.c
@@ -2704,7 +2704,7 @@ static enum action verb_to_action(const char *verb) {
 static int start_unit(sd_bus *bus, char **args) {
         _cleanup_set_free_free_ Set *s = NULL;
         _cleanup_strv_free_ char **names = NULL;
-        const char *method, *mode, *one_name;
+        const char *method, *mode, *one_name, *suffix = NULL;
         char **name;
         int r = 0;
 
@@ -2717,8 +2717,11 @@ static int start_unit(sd_bus *bus, char **args) {
                 method = verb_to_method(args[0]);
                 action = verb_to_action(args[0]);
 
-                mode = streq(args[0], "isolate") ? "isolate" :
-                       action_table[action].mode ?: arg_job_mode;
+                if (streq(args[0], "isolate")) {
+                        mode = "isolate";
+                        suffix = ".target";
+                } else
+                        mode = action_table[action].mode ?: arg_job_mode;
 
                 one_name = action_table[action].target;
         } else {
@@ -2734,7 +2737,7 @@ static int start_unit(sd_bus *bus, char **args) {
         if (one_name)
                 names = strv_new(one_name, NULL);
         else {
-                r = expand_names(bus, args + 1, NULL, &names);
+                r = expand_names(bus, args + 1, suffix, &names);
                 if (r < 0)
                         log_error("Failed to expand names: %s", strerror(-r));
         }

commit 2fc9a280cc47f455e7dffd3c4321da3f8ab65a58
Author: Lennart Poettering <lennart at poettering.net>
Date:   Mon Oct 13 15:41:42 2014 +0200

    systemctl: move unit action table closer to the functions that use them
    
    All other static tables we placed next to the functions that access
    them, so let's do this for the unit action table too.

diff --git a/src/systemctl/systemctl.c b/src/systemctl/systemctl.c
index 8d6d162..842ca6c 100644
--- a/src/systemctl/systemctl.c
+++ b/src/systemctl/systemctl.c
@@ -137,23 +137,6 @@ static unsigned arg_lines = 10;
 static OutputMode arg_output = OUTPUT_SHORT;
 static bool arg_plain = false;
 
-static const struct {
-        const char *verb;
-        const char *method;
-} unit_actions[] = {
-        { "start",                 "StartUnit" },
-        { "stop",                  "StopUnit" },
-        { "condstop",              "StopUnit" },
-        { "reload",                "ReloadUnit" },
-        { "restart",               "RestartUnit" },
-        { "try-restart",           "TryRestartUnit" },
-        { "condrestart",           "TryRestartUnit" },
-        { "reload-or-restart",     "ReloadOrRestartUnit" },
-        { "reload-or-try-restart", "ReloadOrTryRestartUnit" },
-        { "condreload",            "ReloadOrTryRestartUnit" },
-        { "force-reload",          "ReloadOrTryRestartUnit" }
-};
-
 static bool original_stdout_is_tty;
 
 static int daemon_reload(sd_bus *bus, char **args);
@@ -2539,6 +2522,23 @@ static int check_triggering_units(
         return 0;
 }
 
+static const struct {
+        const char *verb;
+        const char *method;
+} unit_actions[] = {
+        { "start",                 "StartUnit" },
+        { "stop",                  "StopUnit" },
+        { "condstop",              "StopUnit" },
+        { "reload",                "ReloadUnit" },
+        { "restart",               "RestartUnit" },
+        { "try-restart",           "TryRestartUnit" },
+        { "condrestart",           "TryRestartUnit" },
+        { "reload-or-restart",     "ReloadOrRestartUnit" },
+        { "reload-or-try-restart", "ReloadOrTryRestartUnit" },
+        { "condreload",            "ReloadOrTryRestartUnit" },
+        { "force-reload",          "ReloadOrTryRestartUnit" }
+};
+
 static const char *verb_to_method(const char *verb) {
        uint i;
 


