[systemd-commits] 4 commits - TODO src/core src/libsystemd units/systemd-bus-driverd.service.in units/systemd-bus-proxyd at .service.in units/systemd-hostnamed.service.in units/systemd-localed.service.in units/systemd-machined.service.in units/systemd-timedated.service.in

Lennart Poettering lennart at kemper.freedesktop.org
Wed Mar 19 11:09:22 PDT 2014 

 TODO                                 |    5 +++--
 src/core/unit.c                      |   21 ++++++++++++++++-----
 src/libsystemd/sd-bus/sd-bus.c       |    2 +-
 units/systemd-bus-driverd.service.in |    2 ++
 units/systemd-bus-proxyd at .service.in |    2 ++
 units/systemd-hostnamed.service.in   |    2 ++
 units/systemd-localed.service.in     |    2 ++
 units/systemd-machined.service.in    |    2 ++
 units/systemd-timedated.service.in   |    1 +
 9 files changed, 31 insertions(+), 8 deletions(-)

New commits:
commit ae439c9f9b8a9cbb320d66290e3f9ad0e2f37378
Author: Lennart Poettering <lennart at poettering.net>
Date:   Wed Mar 19 18:31:54 2014 +0100

    sd-bus: properly translate high-level attach flags into kdbus attach flags

diff --git a/src/libsystemd/sd-bus/sd-bus.c b/src/libsystemd/sd-bus/sd-bus.c
index 6f5ba5b..fa6d43a 100644
--- a/src/libsystemd/sd-bus/sd-bus.c
+++ b/src/libsystemd/sd-bus/sd-bus.c
@@ -320,7 +320,7 @@ _public_ int sd_bus_negotiate_creds(sd_bus *bus, uint64_t mask) {
         /* The well knowns we need unconditionally, so that matches can work */
         bus->creds_mask = mask | SD_BUS_CREDS_WELL_KNOWN_NAMES|SD_BUS_CREDS_UNIQUE_NAME;
 
-        return kdbus_translate_attach_flags(bus->creds_mask, &bus->creds_mask);
+        return kdbus_translate_attach_flags(bus->creds_mask, &bus->attach_flags);
 }
 
 _public_ int sd_bus_set_server(sd_bus *bus, int b, sd_id128_t server_id) {

commit 5a2e420c1f0961c2819d0c5e35bcf911a7ba559d
Author: Lennart Poettering <lennart at poettering.net>
Date:   Wed Mar 19 16:56:16 2014 +0100

    update TODO

diff --git a/TODO b/TODO
index f6e6203..08c78c5 100644
--- a/TODO
+++ b/TODO
@@ -27,6 +27,8 @@ External:
 
 Features:
 
+* move notify sockets to the file system, so that PrivateNetwork= doesn't conflict with sd_notify() usage
+
 * add bus api to query unit file's X fields.
 
 * consider adding RuntimeDirectoryUser= + RuntimeDirectoryGroup=
@@ -47,8 +49,7 @@ Features:
 
 * support transient mount units
 
-* Imply DevicePolicy=closed when PrivateDevices= is used. Mount
-  pts+kdbus+shm+mqueue into /dev namespace
+* Imply DevicePolicy=closed when PrivateDevices= is used
 
 * add an "input" group to udev logic and add all input devices to it
 

commit b46a529c7c2d8e1db000ff00ddf42fc9f86d54e1
Author: Lennart Poettering <lennart at poettering.net>
Date:   Wed Mar 19 16:55:43 2014 +0100

    core: when PrivateTmp= is set for a unit, make sure to order it after /tmp and /var/tmp are mounted

diff --git a/src/core/unit.c b/src/core/unit.c
index 20b139d..4c1754f 100644
--- a/src/core/unit.c
+++ b/src/core/unit.c
@@ -686,6 +686,19 @@ int unit_add_exec_dependencies(Unit *u, ExecContext *c) {
                         return r;
         }
 
+        if (u->manager->running_as != SYSTEMD_SYSTEM)
+                return 0;
+
+        if (c->private_tmp) {
+                r = unit_require_mounts_for(u, "/tmp");
+                if (r < 0)
+                        return r;
+
+                r = unit_require_mounts_for(u, "/var/tmp");
+                if (r < 0)
+                        return r;
+        }
+
         if (c->std_output != EXEC_OUTPUT_KMSG &&
             c->std_output != EXEC_OUTPUT_SYSLOG &&
             c->std_output != EXEC_OUTPUT_JOURNAL &&
@@ -703,11 +716,9 @@ int unit_add_exec_dependencies(Unit *u, ExecContext *c) {
         /* If syslog or kernel logging is requested, make sure our own
          * logging daemon is run first. */
 
-        if (u->manager->running_as == SYSTEMD_SYSTEM) {
-                r = unit_add_dependency_by_name(u, UNIT_AFTER, SPECIAL_JOURNALD_SOCKET, NULL, true);
-                if (r < 0)
-                        return r;
-        }
+        r = unit_add_dependency_by_name(u, UNIT_AFTER, SPECIAL_JOURNALD_SOCKET, NULL, true);
+        if (r < 0)
+                return r;
 
         return 0;
 }

commit d99a70529637d44cdd8f6ade3b981ea33f09d90d
Author: Lennart Poettering <lennart at poettering.net>
Date:   Wed Mar 19 16:45:28 2014 +0100

    units: make use of PrivateTmp=yes and PrivateDevices=yes for all our long-running daemons

diff --git a/units/systemd-bus-driverd.service.in b/units/systemd-bus-driverd.service.in
index 0bda403..5226486 100644
--- a/units/systemd-bus-driverd.service.in
+++ b/units/systemd-bus-driverd.service.in
@@ -13,3 +13,5 @@ ExecStart=@rootlibexecdir@/systemd-bus-driverd
 BusName=org.freedesktop.DBus
 WatchdogSec=1min
 CapabilityBoundingSet=CAP_IPC_OWNER
+PrivateTmp=yes
+PrivateDevices=yes
diff --git a/units/systemd-bus-proxyd at .service.in b/units/systemd-bus-proxyd at .service.in
index 1bdb459..1a6458a 100644
--- a/units/systemd-bus-proxyd at .service.in
+++ b/units/systemd-bus-proxyd at .service.in
@@ -15,3 +15,5 @@ Description=Legacy D-Bus Protocol Compatibility Daemon
 ExecStart=@rootlibexecdir@/systemd-bus-proxyd xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 NotifyAccess=main
 CapabilityBoundingSet=CAP_IPC_OWNER
+PrivateTmp=yes
+PrivateDevices=yes
diff --git a/units/systemd-hostnamed.service.in b/units/systemd-hostnamed.service.in
index 3f5ef75..c8bf848 100644
--- a/units/systemd-hostnamed.service.in
+++ b/units/systemd-hostnamed.service.in
@@ -15,3 +15,5 @@ ExecStart=@rootlibexecdir@/systemd-hostnamed
 BusName=org.freedesktop.hostname1
 CapabilityBoundingSet=CAP_SYS_ADMIN CAP_DAC_OVERRIDE CAP_SYS_PTRACE
 WatchdogSec=1min
+PrivateTmp=yes
+PrivateDevices=yes
diff --git a/units/systemd-localed.service.in b/units/systemd-localed.service.in
index 1951123..6fb0565 100644
--- a/units/systemd-localed.service.in
+++ b/units/systemd-localed.service.in
@@ -15,3 +15,5 @@ ExecStart=@rootlibexecdir@/systemd-localed
 BusName=org.freedesktop.locale1
 CapabilityBoundingSet=
 WatchdogSec=1min
+PrivateTmp=yes
+PrivateDevices=yes
diff --git a/units/systemd-machined.service.in b/units/systemd-machined.service.in
index 2679dce..2be1dcf 100644
--- a/units/systemd-machined.service.in
+++ b/units/systemd-machined.service.in
@@ -17,3 +17,5 @@ ExecStart=@rootlibexecdir@/systemd-machined
 BusName=org.freedesktop.machine1
 CapabilityBoundingSet=CAP_KILL
 WatchdogSec=1min
+PrivateTmp=yes
+PrivateDevices=yes
diff --git a/units/systemd-timedated.service.in b/units/systemd-timedated.service.in
index f7fb657..5c90290 100644
--- a/units/systemd-timedated.service.in
+++ b/units/systemd-timedated.service.in
@@ -15,3 +15,4 @@ ExecStart=@rootlibexecdir@/systemd-timedated
 BusName=org.freedesktop.timedate1
 CapabilityBoundingSet=CAP_SYS_TIME
 WatchdogSec=1min
+PrivateTmp=yes

More information about the systemd-commits mailing list