[systemd-commits] 5 commits - src/cryptsetup-generator.c src/execute.c src/hostnamed.c src/mount.c TODO units/systemd-hostnamed.service.in
Lennart Poettering
lennart at kemper.freedesktop.org
Tue Apr 19 11:53:10 PDT 2011
TODO | 11 +++++
src/cryptsetup-generator.c | 2 -
src/execute.c | 73 +++++++++++++++++++++++++++++++++----
src/hostnamed.c | 20 +++++++---
src/mount.c | 39 +++++++++++++++++++
units/systemd-hostnamed.service.in | 1
6 files changed, 132 insertions(+), 14 deletions(-)
New commits:
commit 2286fdf7c5d36864b5c46c4c784774a7cfc55213
Author: Lennart Poettering <lennart at poettering.net>
Date: Tue Apr 19 06:07:29 2011 +0200
hostnamed: drop all caps but CAP_SYS_ADMIN
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 32a3ab5..6efab1e 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -14,3 +14,4 @@ Description=Hostname Service
ExecStart=@rootlibexecdir@/systemd-hostnamed
Type=dbus
BusName=org.freedesktop.hostname1
+CapabilityBoundingSet=CAP_SYS_ADMIN
commit 4f34ed54f854ff7eeede44cbb99a9fd27a5dce71
Author: Lennart Poettering <lennart at poettering.net>
Date: Tue Apr 19 06:07:06 2011 +0200
hostnamed: improve error logging
diff --git a/src/hostnamed.c b/src/hostnamed.c
index d7e553e..8c0035a 100644
--- a/src/hostnamed.c
+++ b/src/hostnamed.c
@@ -192,6 +192,7 @@ static int write_data_static_hostname(void) {
}
static int write_data_other(void) {
+
static const char * const name[_PROP_MAX] = {
[PROP_PRETTY_HOSTNAME] = "PRETTY_HOSTNAME",
[PROP_ICON_NAME] = "ICON_NAME"
@@ -476,10 +477,12 @@ static DBusHandlerResult hostname_message_handler(
data[PROP_HOSTNAME] = h;
r = write_data_hostname();
- if (r < 0)
+ if (r < 0) {
+ log_error("Failed to set host name: %s", strerror(-r));
return bus_send_error_reply(connection, message, NULL, r);
+ }
- log_info("Changed host name to '%s'", data[PROP_HOSTNAME]);
+ log_info("Changed host name to '%s'", strempty(data[PROP_HOSTNAME]));
changed = bus_properties_changed_new(
"/org/freedesktop/hostname1",
@@ -528,10 +531,12 @@ static DBusHandlerResult hostname_message_handler(
}
r = write_data_static_hostname();
- if (r < 0)
+ if (r < 0) {
+ log_error("Failed to write static host name: %s", strerror(-r));
return bus_send_error_reply(connection, message, NULL, r);
+ }
- log_info("Changed static host name to '%s'", data[PROP_HOSTNAME]);
+ log_info("Changed static host name to '%s'", strempty(data[PROP_HOSTNAME]));
changed = bus_properties_changed_new(
"/org/freedesktop/hostname1",
@@ -582,10 +587,12 @@ static DBusHandlerResult hostname_message_handler(
}
r = write_data_other();
- if (r < 0)
+ if (r < 0) {
+ log_error("Failed to write machine info: %s", strerror(-r));
return bus_send_error_reply(connection, message, NULL, r);
+ }
- log_info("Changed %s to '%s'", k == PROP_PRETTY_HOSTNAME ? "pretty host name" : "icon name", data[k]);
+ log_info("Changed %s to '%s'", k == PROP_PRETTY_HOSTNAME ? "pretty host name" : "icon name", strempty(data[k]));
changed = bus_properties_changed_new(
"/org/freedesktop/hostname1",
@@ -673,6 +680,7 @@ int main(int argc, char *argv[]) {
if (dbus_bus_request_name(bus, "org.freedesktop.hostname1", DBUS_NAME_FLAG_DO_NOT_QUEUE, &error) < 0) {
log_error("Failed to register name on bus: %s", error.message);
+ r = -EEXIST;
goto finish;
}
commit 73090dc815390f4fca4e3ed8a7e1d3806605daaa
Author: Lennart Poettering <lennart at poettering.net>
Date: Tue Apr 19 06:06:41 2011 +0200
execute: when we run as PID 1 the kernel doesn't give us CAP_SETPCAP by default. Get that temporarily when dropping capabilities for good
diff --git a/TODO b/TODO
index 80faf0f..b4a5e3a 100644
--- a/TODO
+++ b/TODO
@@ -32,8 +32,16 @@ F15:
* don't trim empty cgroups
https://bugzilla.redhat.com/show_bug.cgi?id=678555
+* drop cap bounding set in logger, hostnamed, readahead, ...
+
+* timeout value is incorrectly parsed in /etc/fstab
+
Features:
+* Add ListenSpecial to .socket units for /proc/kmsg and similar friends?
+
+* avoid DefaultStandardOutput=syslog to have any effect on StandardInput=socket services
+
* use pivot_root on shutdown so that we can unmount the root directory.
* fix alsa mixer restore to not print error when no config is stored
@@ -43,8 +51,11 @@ Features:
* write blog stories about:
- enabling dbus services
- status update
+ - the new configuration files
- you are a distro: why switch?
+* maybe add tiny dbus services similar to hostnamed for locale?
+
* allow port = 0 in .socket units
* rename systemd-logger to systemd-stdio-syslog-bridge
diff --git a/src/execute.c b/src/execute.c
index 1e376ff..745dcfc 100644
--- a/src/execute.c
+++ b/src/execute.c
@@ -904,6 +904,68 @@ fail:
}
#endif
+static int do_capability_bounding_set_drop(uint64_t drop) {
+ unsigned long i;
+ cap_t old_cap = NULL, new_cap = NULL;
+ cap_flag_value_t fv;
+ int r;
+
+ /* If we are run as PID 1 we will lack CAP_SETPCAP by default
+ * in the effective set (yes, the kernel drops that when
+ * executing init!), so get it back temporarily so that we can
+ * call PR_CAPBSET_DROP. */
+
+ old_cap = cap_get_proc();
+ if (!old_cap)
+ return -errno;
+
+ if (cap_get_flag(old_cap, CAP_SETPCAP, CAP_EFFECTIVE, &fv) < 0) {
+ r = -errno;
+ goto finish;
+ }
+
+ if (fv != CAP_SET) {
+ static const cap_value_t v = CAP_SETPCAP;
+
+ new_cap = cap_dup(old_cap);
+ if (!new_cap) {
+ r = -errno;
+ goto finish;
+ }
+
+ if (cap_set_flag(new_cap, CAP_EFFECTIVE, 1, &v, CAP_SET) < 0) {
+ r = -errno;
+ goto finish;
+ }
+
+ if (cap_set_proc(new_cap) < 0) {
+ r = -errno;
+ goto finish;
+ }
+ }
+
+ for (i = 0; i <= CAP_LAST_CAP; i++)
+ if (drop & ((uint64_t) 1ULL << (uint64_t) i)) {
+ if (prctl(PR_CAPBSET_DROP, i) < 0) {
+ r = -errno;
+ goto finish;
+ }
+ }
+
+ r = 0;
+
+finish:
+ if (new_cap)
+ cap_free(new_cap);
+
+ if (old_cap) {
+ cap_set_proc(old_cap);
+ cap_free(old_cap);
+ }
+
+ return r;
+}
+
int exec_spawn(ExecCommand *command,
char **argv,
const ExecContext *context,
@@ -1251,13 +1313,10 @@ int exec_spawn(ExecCommand *command,
}
if (context->capability_bounding_set_drop)
- for (i = 0; i <= CAP_LAST_CAP; i++)
- if (context->capability_bounding_set_drop & ((uint64_t) 1ULL << (uint64_t) i)) {
- if (prctl(PR_CAPBSET_DROP, i) < 0) {
- r = EXIT_CAPABILITIES;
- goto fail_child;
- }
- }
+ if (do_capability_bounding_set_drop(context->capability_bounding_set_drop) < 0) {
+ r = EXIT_CAPABILITIES;
+ goto fail_child;
+ }
if (context->user)
if (enforce_user(context, uid) < 0) {
commit 8024c3a71a57fd5ff09d022e998d302898606919
Author: Lennart Poettering <lennart at poettering.net>
Date: Sat Apr 16 04:39:50 2011 +0200
mount: make device timeout configurable
diff --git a/src/mount.c b/src/mount.c
index 2b19f49..ded8273 100644
--- a/src/mount.c
+++ b/src/mount.c
@@ -460,6 +460,43 @@ static int mount_add_default_dependencies(Mount *m) {
return 0;
}
+static void mount_fix_timeouts(Mount *m) {
+ MountParameters *p;
+ const char *timeout = NULL;
+ Unit *other;
+ Iterator i;
+ usec_t u;
+
+ assert(m);
+
+ if (!(p = get_mount_parameters_configured(m)))
+ return;
+
+ /* Allow configuration how long we wait for a device that
+ * backs a mount point to show up. This is useful to support
+ * endless device timeouts for devices that show up only after
+ * user input, like crypto devices. */
+
+ if ((timeout = mount_test_option(p->options, "comment=systemd.device-timeout")))
+ timeout += 31;
+ else if ((timeout = mount_test_option(p->options, "x-systemd-device-timeout")))
+ timeout += 25;
+ else
+ return;
+
+ if (parse_usec(timeout, &u) < 0) {
+ log_warning("Failed to parse timeout for %s, ignoring: %s", m->where, timeout);
+ return;
+ }
+
+ SET_FOREACH(other, m->meta.dependencies[UNIT_AFTER], i) {
+ if (other->meta.type != UNIT_DEVICE)
+ continue;
+
+ other->meta.job_timeout = u;
+ }
+}
+
static int mount_verify(Mount *m) {
bool b;
char *e;
@@ -555,6 +592,8 @@ static int mount_load(Unit *u) {
if (m->meta.default_dependencies)
if ((r = mount_add_default_dependencies(m)) < 0)
return r;
+
+ mount_fix_timeouts(m);
}
return mount_verify(m);
commit 4aa7c05c1e110467767e4f1ea016e3617e1bb310
Author: Lennart Poettering <lennart at poettering.net>
Date: Sat Apr 16 04:36:06 2011 +0200
cryptsetup: do not order crypto DM devices against the cryptsetup service
diff --git a/src/cryptsetup-generator.c b/src/cryptsetup-generator.c
index f7c3f23..858aed8 100644
--- a/src/cryptsetup-generator.c
+++ b/src/cryptsetup-generator.c
@@ -107,7 +107,7 @@ static int create_disk(
"DefaultDependencies=no\n"
"BindTo=%s dev-mapper-%%i.device\n"
"After=systemd-readahead-collect.service systemd-readahead-replay.service %s\n"
- "Before=dev-mapper-%%i.device shutdown.target cryptsetup.target\n",
+ "Before=shutdown.target cryptsetup.target\n",
d, d);
if (password && (streq(password, "/dev/urandom") ||
More information about the systemd-commits
mailing list