[systemd-commits] 2 commits - TODO man/systemd-system.conf.xml src/core

Lennart Poettering lennart at kemper.freedesktop.org
Thu Feb 13 01:41:33 CET 2014


 TODO                                  |    6 -
 man/systemd-system.conf.xml           |  121 ++++++++++++++-------
 src/core/load-fragment-gperf.gperf.m4 |    2 
 src/core/load-fragment.c              |   10 -
 src/core/main.c                       |  191 +++++++++++++++++++++-------------
 src/core/system.conf                  |    5 
 src/core/user.conf                    |   19 +++
 7 files changed, 235 insertions(+), 119 deletions(-)

New commits:
commit bcd02123e10a23d79b0317072ed8d4a250163475
Author: Lennart Poettering <lennart at poettering.net>
Date:   Thu Feb 13 01:41:24 2014 +0100

    update TODO

diff --git a/TODO b/TODO
index 4abc27d..d1681f4 100644
--- a/TODO
+++ b/TODO
@@ -486,11 +486,7 @@ Features:
 
 * rename "userspace" to "core-os"
 
-* syscall filter:
-  - syscall filter: add knowledge about compat syscalls
-  - syscall filter: don't enforce no new privs?
-  - syscall filter: option to return EPERM rather than SIGSYS?
-  - system-wide seccomp filter
+* syscall filter: optionally don't enforce no new privs?
 
 * load-fragment: when loading a unit file via a chain of symlinks
   verify that it isn't masked via any of the names traversed.

commit d3b1c5083359faa6cfca81810cf87ef70d0290f6
Author: Lennart Poettering <lennart at poettering.net>
Date:   Thu Feb 13 01:35:27 2014 +0100

    core: add a system-wide SystemCallArchitectures= setting
    
    This is useful to prohibit execution of non-native processes on systems,
    for example 32bit binaries on 64bit systems, thus lowering the attack
    surface from incorrect syscall and ioctl 32→64bit mappings.

diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
index fd898f7..c33e010 100644
--- a/man/systemd-system.conf.xml
+++ b/man/systemd-system.conf.xml
@@ -94,42 +94,6 @@
                         </varlistentry>
 
                         <varlistentry>
-                                <term><varname>DefaultTimeoutStartSec=</varname></term>
-                                <term><varname>DefaultTimeoutStopSec=</varname></term>
-                                <term><varname>DefaultRestartSec=</varname></term>
-
-                                <listitem><para>Configures the default
-                                time-outs for starting and stopping of
-                                units, as well as the default time to
-                                sleep between automatic restarts of
-                                units, as configured per-unit in
-                                <varname>TimeoutStartSec=</varname>,
-                                <varname>TimeoutStopSec=</varname> and
-                                <varname>RestartSec=</varname> (for
-                                service units, see
-                                <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-                                for details on the per-unit
-                                settings). For non-service units,
-                                <varname>DefaultTimeoutStartSec=</varname>
-                                sets the default
-                                <varname>TimeoutSec=</varname> value.
-                                </para></listitem>
-                        </varlistentry>
-                        <varlistentry>
-                                <term><varname>DefaultStartLimitInterval=</varname></term>
-                                <term><varname>DefaultStartLimitBurst=</varname></term>
-
-                                <listitem><para>Configure the default start rate
-                                limiting, as configured per-service by
-                                <varname>StartLimitInterval=</varname> and
-                                <varname>StartLimitBurst=</varname>. See
-                                <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
-                                for details on the per-service
-                                settings).
-                                </para></listitem>
-                        </varlistentry>
-
-                        <varlistentry>
                                 <term><varname>CPUAffinity=</varname></term>
 
                                 <listitem><para>Configures the initial
@@ -248,6 +212,50 @@
                         </varlistentry>
 
                         <varlistentry>
+                                <term><varname>SystemCallArchitectures=</varname></term>
+
+                                <listitem><para>Takes a
+                                space-separated list of architecture
+                                identifiers. Selects of which
+                                architectures system calls may be
+                                invoked on this system. This may be
+                                used as an effective way to disable
+                                invocation of non-native binaries
+                                system-wide, for example to prohibit
+                                execution of 32bit x86 binaries on
+                                64bit x86-64 systems. This option
+                                operates system wide, and acts
+                                similar to the
+                                <varname>SystemCallArchitectures=</varname>
+                                setting of unit files, see
+                                <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                                for details. This setting defaults to
+                                the empty list in which case no
+                                filtering of system calls based on
+                                architecture is applied. Known
+                                architecture identifiers are
+                                <literal>x86</literal>,
+                                <literal>x86-64</literal>,
+                                <literal>x32</literal>,
+                                <literal>arm</literal> and the special
+                                identifier
+                                <literal>native</literal>. The latter
+                                implicitly maps to the native
+                                architecture of the system (or more
+                                specifically, the architecture the
+                                system manager was compiled for). Set
+                                this setting to
+                                <literal>native</literal> to prohibit
+                                execution of any non-native
+                                binaries. When a binary executes a
+                                system call of an architecture that is
+                                not listed in this setting it will be
+                                immediately terminated with the SIGSYS
+                                signal.</para></listitem>
+                        </varlistentry>
+
+
+                        <varlistentry>
                                 <term><varname>TimerSlackNSec=</varname></term>
 
                                 <listitem><para>Sets the timer slack
@@ -272,6 +280,42 @@
                         </varlistentry>
 
                         <varlistentry>
+                                <term><varname>DefaultTimeoutStartSec=</varname></term>
+                                <term><varname>DefaultTimeoutStopSec=</varname></term>
+                                <term><varname>DefaultRestartSec=</varname></term>
+
+                                <listitem><para>Configures the default
+                                time-outs for starting and stopping of
+                                units, as well as the default time to
+                                sleep between automatic restarts of
+                                units, as configured per-unit in
+                                <varname>TimeoutStartSec=</varname>,
+                                <varname>TimeoutStopSec=</varname> and
+                                <varname>RestartSec=</varname> (for
+                                service units, see
+                                <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                                for details on the per-unit
+                                settings). For non-service units,
+                                <varname>DefaultTimeoutStartSec=</varname>
+                                sets the default
+                                <varname>TimeoutSec=</varname> value.
+                                </para></listitem>
+                        </varlistentry>
+                        <varlistentry>
+                                <term><varname>DefaultStartLimitInterval=</varname></term>
+                                <term><varname>DefaultStartLimitBurst=</varname></term>
+
+                                <listitem><para>Configure the default start rate
+                                limiting, as configured per-service by
+                                <varname>StartLimitInterval=</varname> and
+                                <varname>StartLimitBurst=</varname>. See
+                                <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+                                for details on the per-service
+                                settings).
+                                </para></listitem>
+                        </varlistentry>
+
+                        <varlistentry>
                                 <term><varname>DefaultEnvironment=</varname></term>
 
                                 <listitem><para>Sets manager
@@ -334,7 +378,10 @@
                   <para>
                           <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
                           <citerefentry><refentrytitle>systemd.directives</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
-                          <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+                          <citerefentry><refentrytitle>systemd.exec</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+                          <citerefentry><refentrytitle>systemd.service</refentrytitle><manvolnum>5</manvolnum></citerefentry>,
+                          <citerefentry><refentrytitle>environ</refentrytitle><manvolnum>7</manvolnum></citerefentry>,
+                          <citerefentry><refentrytitle>capabilities</refentrytitle><manvolnum>7</manvolnum></citerefentry>
                   </para>
         </refsect1>
 
diff --git a/src/core/load-fragment-gperf.gperf.m4 b/src/core/load-fragment-gperf.gperf.m4
index fa559e5..c8add14 100644
--- a/src/core/load-fragment-gperf.gperf.m4
+++ b/src/core/load-fragment-gperf.gperf.m4
@@ -51,7 +51,7 @@ $1.TimerSlackNSec,               config_parse_nsec,                  0,
 $1.NoNewPrivileges,              config_parse_bool,                  0,                             offsetof($1, exec_context.no_new_privileges)
 m4_ifdef(`HAVE_SECCOMP',
 `$1.SystemCallFilter,            config_parse_syscall_filter,        0,                             offsetof($1, exec_context)
-$1.SystemCallArchitectures,      config_parse_syscall_archs,         0,                             offsetof($1, exec_context)
+$1.SystemCallArchitectures,      config_parse_syscall_archs,         0,                             offsetof($1, exec_context.syscall_archs)
 $1.SystemCallErrorNumber,        config_parse_syscall_errno,         0,                             offsetof($1, exec_context)',
 `$1.SystemCallFilter,            config_parse_warn_compat,           0,                             0
 $1.SystemCallArchitectures,      config_parse_warn_compat,           0,                             0
diff --git a/src/core/load-fragment.c b/src/core/load-fragment.c
index ec04ad2..c923874 100644
--- a/src/core/load-fragment.c
+++ b/src/core/load-fragment.c
@@ -2045,18 +2045,18 @@ int config_parse_syscall_archs(
                 void *data,
                 void *userdata) {
 
-        ExecContext *c = data;
+        Set **archs = data;
         char *w, *state;
         size_t l;
         int r;
 
         if (isempty(rvalue)) {
-                set_free(c->syscall_archs);
-                c->syscall_archs = NULL;
+                set_free(*archs);
+                *archs = NULL;
                 return 0;
         }
 
-        r = set_ensure_allocated(&c->syscall_archs, trivial_hash_func, trivial_compare_func);
+        r = set_ensure_allocated(archs, trivial_hash_func, trivial_compare_func);
         if (r < 0)
                 return log_oom();
 
@@ -2074,7 +2074,7 @@ int config_parse_syscall_archs(
                         continue;
                 }
 
-                r = set_put(c->syscall_archs, UINT32_TO_PTR(a + 1));
+                r = set_put(*archs, UINT32_TO_PTR(a + 1));
                 if (r == -EEXIST)
                         continue;
                 if (r < 0)
diff --git a/src/core/main.c b/src/core/main.c
index 404fee7..99cf9a1 100644
--- a/src/core/main.c
+++ b/src/core/main.c
@@ -82,10 +82,8 @@ static enum {
         ACTION_DUMP_CONFIGURATION_ITEMS,
         ACTION_DONE
 } arg_action = ACTION_RUN;
-
 static char *arg_default_unit = NULL;
 static SystemdRunningAs arg_running_as = _SYSTEMD_RUNNING_AS_INVALID;
-
 static bool arg_dump_core = true;
 static bool arg_crash_shell = false;
 static int arg_crash_chvt = -1;
@@ -106,11 +104,10 @@ static char **arg_default_environment = NULL;
 static struct rlimit *arg_default_rlimit[RLIMIT_NLIMITS] = {};
 static uint64_t arg_capability_bounding_set_drop = 0;
 static nsec_t arg_timer_slack_nsec = (nsec_t) -1;
+static Set* arg_syscall_archs = NULL;
+static FILE* arg_serialization = NULL;
 
-static FILE* serialization = NULL;
-
-static void nop_handler(int sig) {
-}
+static void nop_handler(int sig) {}
 
 noreturn static void crash(int sig) {
 
@@ -632,45 +629,46 @@ static int config_parse_join_controllers(const char *unit,
 static int parse_config_file(void) {
 
         const ConfigTableItem items[] = {
-                { "Manager", "LogLevel",              config_parse_level2,       0, NULL                     },
-                { "Manager", "LogTarget",             config_parse_target,       0, NULL                     },
-                { "Manager", "LogColor",              config_parse_color,        0, NULL                     },
-                { "Manager", "LogLocation",           config_parse_location,     0, NULL                     },
-                { "Manager", "DumpCore",              config_parse_bool,         0, &arg_dump_core           },
-                { "Manager", "CrashShell",            config_parse_bool,         0, &arg_crash_shell         },
-                { "Manager", "ShowStatus",            config_parse_show_status,  0, &arg_show_status         },
-                { "Manager", "CrashChVT",             config_parse_int,          0, &arg_crash_chvt          },
-                { "Manager", "CPUAffinity",           config_parse_cpu_affinity2, 0, NULL                    },
-                { "Manager", "DefaultStandardOutput", config_parse_output,       0, &arg_default_std_output  },
-                { "Manager", "DefaultStandardError",  config_parse_output,       0, &arg_default_std_error   },
-                { "Manager", "DefaultTimeoutStartSec", config_parse_sec,         0, &arg_default_timeout_start_usec },
-                { "Manager", "DefaultTimeoutStopSec", config_parse_sec,          0, &arg_default_timeout_stop_usec  },
-                { "Manager", "DefaultRestartSec",     config_parse_sec,          0, &arg_default_restart_usec  },
-                { "Manager", "DefaultStartLimitInterval", config_parse_sec,      0, &arg_default_start_limit_interval },
-                { "Manager", "DefaultStartLimitBurst", config_parse_unsigned,    0, &arg_default_start_limit_burst },
-                { "Manager", "JoinControllers",       config_parse_join_controllers, 0, &arg_join_controllers },
-                { "Manager", "RuntimeWatchdogSec",    config_parse_sec,          0, &arg_runtime_watchdog    },
-                { "Manager", "ShutdownWatchdogSec",   config_parse_sec,          0, &arg_shutdown_watchdog   },
-                { "Manager", "CapabilityBoundingSet", config_parse_bounding_set, 0, &arg_capability_bounding_set_drop },
-                { "Manager", "TimerSlackNSec",        config_parse_nsec,         0, &arg_timer_slack_nsec    },
-                { "Manager", "DefaultEnvironment",    config_parse_environ,      0, &arg_default_environment },
-                { "Manager", "DefaultLimitCPU",       config_parse_limit,        0, &arg_default_rlimit[RLIMIT_CPU]},
-                { "Manager", "DefaultLimitFSIZE",     config_parse_limit,        0, &arg_default_rlimit[RLIMIT_FSIZE]},
-                { "Manager", "DefaultLimitDATA",      config_parse_limit,        0, &arg_default_rlimit[RLIMIT_DATA]},
-                { "Manager", "DefaultLimitSTACK",     config_parse_limit,        0, &arg_default_rlimit[RLIMIT_STACK]},
-                { "Manager", "DefaultLimitCORE",      config_parse_limit,        0, &arg_default_rlimit[RLIMIT_CORE]},
-                { "Manager", "DefaultLimitRSS",       config_parse_limit,        0, &arg_default_rlimit[RLIMIT_RSS]},
-                { "Manager", "DefaultLimitNOFILE",    config_parse_limit,        0, &arg_default_rlimit[RLIMIT_NOFILE]},
-                { "Manager", "DefaultLimitAS",        config_parse_limit,        0, &arg_default_rlimit[RLIMIT_AS]},
-                { "Manager", "DefaultLimitNPROC",     config_parse_limit,        0, &arg_default_rlimit[RLIMIT_NPROC]},
-                { "Manager", "DefaultLimitMEMLOCK",   config_parse_limit,        0, &arg_default_rlimit[RLIMIT_MEMLOCK]},
-                { "Manager", "DefaultLimitLOCKS",     config_parse_limit,        0, &arg_default_rlimit[RLIMIT_LOCKS]},
-                { "Manager", "DefaultLimitSIGPENDING",config_parse_limit,        0, &arg_default_rlimit[RLIMIT_SIGPENDING]},
-                { "Manager", "DefaultLimitMSGQUEUE",  config_parse_limit,        0, &arg_default_rlimit[RLIMIT_MSGQUEUE]},
-                { "Manager", "DefaultLimitNICE",      config_parse_limit,        0, &arg_default_rlimit[RLIMIT_NICE]},
-                { "Manager", "DefaultLimitRTPRIO",    config_parse_limit,        0, &arg_default_rlimit[RLIMIT_RTPRIO]},
-                { "Manager", "DefaultLimitRTTIME",    config_parse_limit,        0, &arg_default_rlimit[RLIMIT_RTTIME]},
-                { NULL, NULL, NULL, 0, NULL }
+                { "Manager", "LogLevel",                  config_parse_level2,           0, NULL                                   },
+                { "Manager", "LogTarget",                 config_parse_target,           0, NULL                                   },
+                { "Manager", "LogColor",                  config_parse_color,            0, NULL                                   },
+                { "Manager", "LogLocation",               config_parse_location,         0, NULL                                   },
+                { "Manager", "DumpCore",                  config_parse_bool,             0, &arg_dump_core                         },
+                { "Manager", "CrashShell",                config_parse_bool,             0, &arg_crash_shell                       },
+                { "Manager", "ShowStatus",                config_parse_show_status,      0, &arg_show_status                       },
+                { "Manager", "CrashChVT",                 config_parse_int,              0, &arg_crash_chvt                        },
+                { "Manager", "CPUAffinity",               config_parse_cpu_affinity2,    0, NULL                                   },
+                { "Manager", "JoinControllers",           config_parse_join_controllers, 0, &arg_join_controllers                  },
+                { "Manager", "RuntimeWatchdogSec",        config_parse_sec,              0, &arg_runtime_watchdog                  },
+                { "Manager", "ShutdownWatchdogSec",       config_parse_sec,              0, &arg_shutdown_watchdog                 },
+                { "Manager", "CapabilityBoundingSet",     config_parse_bounding_set,     0, &arg_capability_bounding_set_drop      },
+                { "Manager", "SystemCallArchitectures",   config_parse_syscall_archs,    0, &arg_syscall_archs                     },
+                { "Manager", "TimerSlackNSec",            config_parse_nsec,             0, &arg_timer_slack_nsec                  },
+                { "Manager", "DefaultStandardOutput",     config_parse_output,           0, &arg_default_std_output                },
+                { "Manager", "DefaultStandardError",      config_parse_output,           0, &arg_default_std_error                 },
+                { "Manager", "DefaultTimeoutStartSec",    config_parse_sec,              0, &arg_default_timeout_start_usec        },
+                { "Manager", "DefaultTimeoutStopSec",     config_parse_sec,              0, &arg_default_timeout_stop_usec         },
+                { "Manager", "DefaultRestartSec",         config_parse_sec,              0, &arg_default_restart_usec              },
+                { "Manager", "DefaultStartLimitInterval", config_parse_sec,              0, &arg_default_start_limit_interval      },
+                { "Manager", "DefaultStartLimitBurst",    config_parse_unsigned,         0, &arg_default_start_limit_burst         },
+                { "Manager", "DefaultEnvironment",        config_parse_environ,          0, &arg_default_environment               },
+                { "Manager", "DefaultLimitCPU",           config_parse_limit,            0, &arg_default_rlimit[RLIMIT_CPU]        },
+                { "Manager", "DefaultLimitFSIZE",         config_parse_limit,            0, &arg_default_rlimit[RLIMIT_FSIZE]      },
+                { "Manager", "DefaultLimitDATA",          config_parse_limit,            0, &arg_default_rlimit[RLIMIT_DATA]       },
+                { "Manager", "DefaultLimitSTACK",         config_parse_limit,            0, &arg_default_rlimit[RLIMIT_STACK]      },
+                { "Manager", "DefaultLimitCORE",          config_parse_limit,            0, &arg_default_rlimit[RLIMIT_CORE]       },
+                { "Manager", "DefaultLimitRSS",           config_parse_limit,            0, &arg_default_rlimit[RLIMIT_RSS]        },
+                { "Manager", "DefaultLimitNOFILE",        config_parse_limit,            0, &arg_default_rlimit[RLIMIT_NOFILE]     },
+                { "Manager", "DefaultLimitAS",            config_parse_limit,            0, &arg_default_rlimit[RLIMIT_AS]         },
+                { "Manager", "DefaultLimitNPROC",         config_parse_limit,            0, &arg_default_rlimit[RLIMIT_NPROC]      },
+                { "Manager", "DefaultLimitMEMLOCK",       config_parse_limit,            0, &arg_default_rlimit[RLIMIT_MEMLOCK]    },
+                { "Manager", "DefaultLimitLOCKS",         config_parse_limit,            0, &arg_default_rlimit[RLIMIT_LOCKS]      },
+                { "Manager", "DefaultLimitSIGPENDING",    config_parse_limit,            0, &arg_default_rlimit[RLIMIT_SIGPENDING] },
+                { "Manager", "DefaultLimitMSGQUEUE",      config_parse_limit,            0, &arg_default_rlimit[RLIMIT_MSGQUEUE]   },
+                { "Manager", "DefaultLimitNICE",          config_parse_limit,            0, &arg_default_rlimit[RLIMIT_NICE]       },
+                { "Manager", "DefaultLimitRTPRIO",        config_parse_limit,            0, &arg_default_rlimit[RLIMIT_RTPRIO]     },
+                { "Manager", "DefaultLimitRTTIME",        config_parse_limit,            0, &arg_default_rlimit[RLIMIT_RTTIME]     },
+                {}
         };
 
         _cleanup_fclose_ FILE *f;
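Review bot: The new `SystemCallArchitectures` row at L339 references config_parse_syscall_archs unconditionally, whereas the gperf table changed in this same commit only binds that parser under HAVE_SECCOMP and falls back to config_parse_warn_compat otherwise. If the parser itself is compiled only with seccomp support, which this hunk does not show, a build without libseccomp will fail to link main.c; wrapping the row in `#ifdef HAVE_SECCOMP` or pointing it at config_parse_warn_compat in the `#else` case would keep the two tables consistent. parse_config_file continues past the end of the hunk.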
@@ -925,10 +923,10 @@ static int parse_argv(int argc, char *argv[]) {
                                 return -errno;
                         }
 
-                        if (serialization)
-                                fclose(serialization);
+                        if (arg_serialization)
+                                fclose(arg_serialization);
 
-                        serialization = f;
+                        arg_serialization = f;
 
                         break;
                 }
@@ -1194,6 +1192,39 @@ static int initialize_join_controllers(void) {
         return 0;
 }
 
+static int enforce_syscall_archs(Set *archs) {
+#ifdef HAVE_SECCOMP
+        scmp_filter_ctx *seccomp;
+        Iterator i;
+        void *id;
+        int r;
+
+        seccomp = seccomp_init(SCMP_ACT_ALLOW);
+        if (!seccomp)
+                return log_oom();
+
+        SET_FOREACH(id, arg_syscall_archs, i) {
+                r = seccomp_arch_add(seccomp, PTR_TO_UINT32(id) - 1);
+                if (r == -EEXIST)
+                        continue;
+                if (r < 0) {
+                        log_error("Failed to add architecture to seccomp: %s", strerror(-r));
+                        goto finish;
+                }
+        }
+
+        r = seccomp_load(seccomp);
+        if (r < 0)
+                log_error("Failed to add install architecture seccomp: %s", strerror(-r));
+
+finish:
+        seccomp_release(seccomp);
+        return r;
+#else
+        return 0;
+#endif
+}
+
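Review bot: The `archs` parameter of enforce_syscall_archs is never used: SET_FOREACH at L398 walks the global arg_syscall_archs, so the function silently ignores whatever the caller passes; the loop should read `SET_FOREACH(id, archs, i)`. Unless the filter's SCMP_FLTATR_CTL_NNP attribute is cleared before seccomp_load(), libseccomp's documented default also applies PR_SET_NO_NEW_PRIVS to the calling process, and since this runs in PID 1 before anything is spawned every process on the system would inherit no_new_privs and setuid/file-capability binaries would stop gaining privileges — the updated TODO entry suggests this is known, but it deserves an explicit seccomp_attr_set() and a comment. Smaller points: libseccomp already declares scmp_filter_ctx as an opaque pointer type, so `scmp_filter_ctx *seccomp` is one level of indirection too many and compiles only through void* conversions; seccomp_init() returning NULL is not necessarily out-of-memory; and the message at L410 reads `Failed to add install architecture seccomp`, presumably meant as `Failed to install architecture seccomp filter`.
```c
static int enforce_syscall_archs(Set *archs) {
#ifdef HAVE_SECCOMP
        scmp_filter_ctx seccomp;
        /* … unchanged: Iterator, id, r declarations … */

        seccomp = seccomp_init(SCMP_ACT_ALLOW);
        if (!seccomp)
                return log_oom();

        /* PID 1 must not pick up no_new_privs from libseccomp's default,
         * or every child would inherit it and setuid binaries would break. */
        r = seccomp_attr_set(seccomp, SCMP_FLTATR_CTL_NNP, 0);
        if (r < 0) {
                log_error("Failed to unset NO_NEW_PRIVS on seccomp filter: %s", strerror(-r));
                goto finish;
        }

        SET_FOREACH(id, archs, i) {
                /* … unchanged: seccomp_arch_add loop body … */
        }

        r = seccomp_load(seccomp);
        if (r < 0)
                log_error("Failed to install architecture seccomp filter: %s", strerror(-r));

        /* … unchanged: finish label, seccomp_release, #else branch … */
```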
 int main(int argc, char *argv[]) {
         Manager *m = NULL;
         int r, retval = EXIT_FAILURE;
@@ -1209,7 +1240,7 @@ int main(int argc, char *argv[]) {
         dual_timestamp security_finish_timestamp = { 0ULL, 0ULL };
         static char systemd[] = "systemd";
         bool skip_setup = false;
-        int j;
+        unsigned j;
         bool loaded_policy = false;
         bool arm_reboot_watchdog = false;
         bool queue_default_job = false;
@@ -1437,8 +1468,8 @@ int main(int argc, char *argv[]) {
         } else
                 fdset_cloexec(fds, true);
 
-        if (serialization)
-                assert_se(fdset_remove(fds, fileno(serialization)) >= 0);
+        if (arg_serialization)
+                assert_se(fdset_remove(fds, fileno(arg_serialization)) >= 0);
 
         if (arg_running_as == SYSTEMD_SYSTEM)
                 /* Become a session leader if we aren't one yet. */
@@ -1520,6 +1551,12 @@ int main(int argc, char *argv[]) {
                 }
         }
 
+        if (arg_syscall_archs) {
+                r = enforce_syscall_archs(arg_syscall_archs);
+                if (r < 0)
+                        goto finish;
+        }
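Review bot: The placement of the enforce_syscall_archs() call deserves a comment, because why it sits here is not obvious from the code: the filter is installed in the manager process itself and survives fork/exec, so everything the manager subsequently spawns is covered — e.g. `/* Install the architecture filter in the manager itself; it is inherited by every process we spawn, which is what makes it system-wide. */`. The same call is reached by the user instance, which gains the setting in user.conf in this commit; an unprivileged manager can, as far as I recall, only load a seccomp filter with no_new_privs set (or CAP_SYS_ADMIN), so if the filter is ever loaded without that flag the user case needs separate handling or a clear error rather than a bare `goto finish`. main() begins and ends outside this hunk.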
+
         if (arg_running_as == SYSTEMD_USER) {
                 /* Become reaper of our children */
                 if (prctl(PR_SET_CHILD_SUBREAPER, 1) < 0) {
@@ -1564,11 +1601,11 @@ int main(int argc, char *argv[]) {
         manager_set_show_status(m, arg_show_status);
 
         /* Remember whether we should queue the default job */
-        queue_default_job = !serialization || arg_switched_root;
+        queue_default_job = !arg_serialization || arg_switched_root;
 
         before_startup = now(CLOCK_MONOTONIC);
 
-        r = manager_startup(m, serialization, fds);
+        r = manager_startup(m, arg_serialization, fds);
         if (r < 0)
                 log_error("Failed to fully start up daemon: %s", strerror(-r));
 
@@ -1577,9 +1614,9 @@ int main(int argc, char *argv[]) {
         fdset_free(fds);
         fds = NULL;
 
-        if (serialization) {
-                fclose(serialization);
-                serialization = NULL;
+        if (arg_serialization) {
+                fclose(arg_serialization);
+                arg_serialization = NULL;
         }
 
         if (queue_default_job) {
@@ -1672,7 +1709,7 @@ int main(int argc, char *argv[]) {
 
                 case MANAGER_REEXECUTE:
 
-                        if (prepare_reexecute(m, &serialization, &fds, false) < 0)
+                        if (prepare_reexecute(m, &arg_serialization, &fds, false) < 0)
                                 goto finish;
 
                         reexecute = true;
@@ -1686,7 +1723,7 @@ int main(int argc, char *argv[]) {
                         m->switch_root = m->switch_root_init = NULL;
 
                         if (!switch_root_init)
-                                if (prepare_reexecute(m, &serialization, &fds, true) < 0)
+                                if (prepare_reexecute(m, &arg_serialization, &fds, true) < 0)
                                         goto finish;
 
                         reexecute = true;
@@ -1717,15 +1754,27 @@ int main(int argc, char *argv[]) {
         }
 
 finish:
-        if (m)
+        if (m) {
                 manager_free(m);
+                m = NULL;
+        }
 
-        for (j = 0; j < RLIMIT_NLIMITS; j++)
+        for (j = 0; j < ELEMENTSOF(arg_default_rlimit); j++) {
                 free(arg_default_rlimit[j]);
+                arg_default_rlimit[j] = NULL;
+        }
 
         free(arg_default_unit);
+        arg_default_unit = NULL;
+
         free_join_controllers();
 
+        strv_free(arg_default_environment);
+        arg_default_environment = NULL;
+
+        set_free(arg_syscall_archs);
+        arg_syscall_archs = NULL;
+
         label_finish();
 
         if (reexecute) {
@@ -1767,10 +1816,10 @@ finish:
                          * this only if the user didn't specify an
                          * explicit init to spawn. */
 
-                        assert(serialization);
+                        assert(arg_serialization);
                         assert(fds);
 
-                        snprintf(sfd, sizeof(sfd), "%i", fileno(serialization));
+                        snprintf(sfd, sizeof(sfd), "%i", fileno(arg_serialization));
                         char_array_0(sfd);
 
                         i = 0;
@@ -1796,9 +1845,9 @@ finish:
                  * getopt() in argv[], and some cleanups in envp[],
                  * but let's hope that doesn't matter.) */
 
-                if (serialization) {
-                        fclose(serialization);
-                        serialization = NULL;
+                if (arg_serialization) {
+                        fclose(arg_serialization);
+                        arg_serialization = NULL;
                 }
 
                 if (fds) {
@@ -1809,7 +1858,7 @@ finish:
                 /* Reopen the console */
                 make_console_stdio();
 
-                for (j = 1, i = 1; j < argc; j++)
+                for (j = 1, i = 1; j < (unsigned) argc; j++)
                         args[i++] = argv[j];
                 args[i++] = NULL;
                 assert(i <= args_size);
@@ -1834,11 +1883,15 @@ finish:
                         log_warning("Failed to execute /sbin/init, giving up: %m");
         }
 
-        if (serialization)
-                fclose(serialization);
+        if (arg_serialization) {
+                fclose(arg_serialization);
+                arg_serialization = NULL;
+        }
 
-        if (fds)
+        if (fds) {
                 fdset_free(fds);
+                fds = NULL;
+        }
 
 #ifdef HAVE_VALGRIND_VALGRIND_H
         /* If we are PID 1 and running under valgrind, then let's exit
diff --git a/src/core/system.conf b/src/core/system.conf
index 38bbca5..7a2d7b4 100644
--- a/src/core/system.conf
+++ b/src/core/system.conf
@@ -17,13 +17,14 @@
 #ShowStatus=yes
 #CrashChVT=1
 #CPUAffinity=1 2
-#DefaultStandardOutput=journal
-#DefaultStandardError=inherit
 #JoinControllers=cpu,cpuacct net_cls,net_prio
 #RuntimeWatchdogSec=0
 #ShutdownWatchdogSec=10min
 #CapabilityBoundingSet=
+#SystemCallArchitectures=
 #TimerSlackNSec=
+#DefaultStandardOutput=journal
+#DefaultStandardError=inherit
 #DefaultTimeoutStartSec=90s
 #DefaultTimeoutStopSec=90s
 #DefaultRestartSec=100ms
diff --git a/src/core/user.conf b/src/core/user.conf
index 923ca66..f19ac75 100644
--- a/src/core/user.conf
+++ b/src/core/user.conf
@@ -12,6 +12,8 @@
 #LogTarget=console
 #LogColor=yes
 #LogLocation=no
+#SystemCallArchitectures=
+#TimerSlackNSec=
 #DefaultStandardOutput=inherit
 #DefaultStandardError=inherit
 #DefaultTimeoutStartSec=90s
@@ -19,3 +21,20 @@
 #DefaultRestartSec=100ms
 #DefaultStartLimitInterval=10s
 #DefaultStartLimitBurst=5
+#DefaultEnvironment=
+#DefaultLimitCPU=
+#DefaultLimitFSIZE=
+#DefaultLimitDATA=
+#DefaultLimitSTACK=
+#DefaultLimitCORE=
+#DefaultLimitRSS=
+#DefaultLimitNOFILE=
+#DefaultLimitAS=
+#DefaultLimitNPROC=
+#DefaultLimitMEMLOCK=
+#DefaultLimitLOCKS=
+#DefaultLimitSIGPENDING=
+#DefaultLimitMSGQUEUE=
+#DefaultLimitNICE=
+#DefaultLimitRTPRIO=
+#DefaultLimitRTTIME=


