On Devuan systemd itself isn't available. However, to test the experimental
dummy-systemd-dev which provides systemd they both need to be coinstallable.
This reverts commit 16320b8826.
Policykit-1 is not present or required at compile time, however we still use
the runtime interfaces. This was broken by upstream commit 8d405a5cf, so revert that.
Based on patch from Helmut Grohne <helmut@subdivi.de> in #980898 and the
updates to README.md.
- libblkid-dev and libmount-dev are unused (despite what was in README.md).
- libseccomp-dev is no longer required
- dbus and libglib2.0-dev are only used for tests. Mark <!nocheck>.
This is the second release of the version 246 series.
The latest upstream commit this version is synced to is
systemd-stable/v246-stable:574e89dd65
Changes and Additions
---------------------
* Makefile: The Makefile has been enhanced to become a meson/ninja
wrapper that is fully compatible with Makefile based IDEs like
CLion.
* sd-bus: make credential acquisition more graceful. This is useful
to make selinux authorization work for short-lived client
processes.
* bus-util: improve logging when we can't connect to the bus.
* README.md: Remove Travis-CI badge, Add Github CI badge.
* Add 'pt' to LINGUAS and add the 'pt.po' translation file (#202)
Many thanks to Hugo Carvalho (@hugok79) for the translation!
Fixed Bugs
----------
* Disable polkit support if libpolkit is not installed. (#167)
* Move from Travis CI to Github Workflows. (#185)
* pam_elogind.c: annotate asprintf() to avoid -ftracer false
positive. (#189)
* Build system: Remove no longer needed dependencies and update the
README.md file accordingly. (#198)
* Add linux/btrfs* headers from upstream (#199)
* Add linux/if.h and linux/libc-compat.h headers from upstream (#205)
Merge tag 'v246.10'
Version 246.10 Release
If __USE_MISC is defined on the build system, the standard linux/if.h
header clashes with net/if.h.
Add linux/if.h and linux/libc-compat.h from upstream to circumvent
the clash.
Closes: #205
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
* remove no longer used dependencies
* mask not used libraries in meson.build
* clean up README.md listed dependencies (#198)
Closes: #198
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
(cherry picked from commit fbccf921c4afb379d2d48e70ec9e144409a9d72a)
Quote "Martin Sebor":
The assertion that the runtime pointer is nonnull is in
export_legacy_dbus_address()'s caller, configure_runtime_directory(),
which is inlined into its caller, and has no effect on the code in
export_legacy_dbus_address().
Adding:
`if (!runtime) __builtin_unreachable ();`
just before the problematic call to asprintf() avoids the warning.
Closes: #189
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
(cherry picked from commit d0a16322e8315f2c7e725fc51298378defffbc26)
* Github Workflow: Set CGDEFAULT=hybrid
* Github Workflow: Install pip and upgrade meson
* Github Workflow: Use local meson-0.46
* Makefile: Use provided meson
* Github Workflow: Add libudev-dev
* Github Workflow: Update ninja to 1.10.2
* Github Workflow: Utilize locally built ninja-1.10.2
* Github Workflow: Add -lpthread to LDFLAGS in the Makefile wrapper
Closes: #185
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
(cherry picked from commit 4d125215ec57edc5df57806182913be92868ea21)
If -Dpolkit is set to 'auto', the library libpolkit is searched, but
there are no consequences if it was not found.
In that case polkit support is activated, which can not work without
polkit being installed.
This commit adds an elogind specific check to disable polkit support
if the library was not found, and to error out if polkit support was
requested via `-DPolkit=true` without polkit being installed.
Closes: #167
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
(cherry picked from commit 1194dec4f8f2d1b8bd14e1625f34418ecfce817e)
So the current and only fd_is_mount_point() check is actually entirely
bogus: it passes "/" as filename argument, but that's not actually a
valid filename, but an absolute path.
fd_is_mount_point() is written in a way that the fd refers to a directory
and the specified path is a file directly below it that shall be
checked. The test call actually violated that rule, but still expected
success.
Let's fix this, and check for this explicitly, and refuse it.
Let's extend the test and move it to test-mountpoint-util.c where the
rest of the tests for related calls are placed.
Replaces: #18004
Fixes: #17950
(cherry picked from commit 95231c7215c3ff14c491eb1d2a93312a8fe0c4f6)
(cherry picked from commit 551dd873b0bdfb9e7e47431b2933c8b910228f0c)
I mean, the old code at least used O_PATH, but still, we shouldn't
allocate/close an fd if we don't have to.
(cherry picked from commit 15308e5083391f6a1b9ce25c5b7323f37544eab8)
(cherry picked from commit a2f0da2de006c74bca64b3ce5b023e99bcca4498)
Previously, we'd already have explicit logging for the case where
$XDG_RUNTIME_DIR is not set. Let's also add some explicit logging for
the EPERM/EACCES case. Let's also in both cases suggest the
--machine=<user>@.host syntax.
And while we are at it, let's remove side-effects from the macro.
By checking for both the EPERM/EACCES case and the $XDG_RUNTIME_DIR case
we will now catch both the cases where people use "su" to issue a
"systemctl --user" operation, and those where they (more correctly, but
still not good enough) call "su -".
Fixes: #17901
(cherry picked from commit 1ecb46724cae151606bc825f0e39f14d4dfe1a0e)
(cherry picked from commit 36bc4a18fd8117cab0d4ff02eac89579a86cd399)
So far when asked for augmented bus credentials and the process was
already gone we'd fail fatally. Let's make this graceful instead, and
never allow augmenting fail due to PID having vanished — unless the
augmenting is the explicit and only purpose of the requested operation.
This should be safe as clients have to explicitly query the acquired
creds anyway and handle if they couldn't be acquired. Moreover we
already handle permission problems gracefully, thus clients must be
ready to deal with missing creds.
This is useful to make selinux authorization work for short-lived client
processes. Previously we'd augment creds to have more info to log about
(the selinux decision would not be based on augmented data however,
because that'd be unsafe), and would fail if we couldn't get it. Now,
we'll try to acquire the data, but if we cannot acquire it, we'll still
do the selinux check, except that logging will be more limited.
(cherry picked from commit f8ecc2c00df7bd810557f3056ec12f6a0730812d)
(cherry picked from commit a1b1ef65a4371e8aec4b0df1326e4cb5de005e80)
If elogind has not been started, yet, pam will call CreateSession via
dbus, and dbus will start elogind.
Closes: #188
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
(cherry picked from commit af660607dc12e1d77861ee4946be8e8560808412)
This is a small service release, that fixes the default log target
back to syslog. A stupid mistake while cleaning up code led to
elogind logging to kmsg *again*.
Merge tag 'v246.9.1'
Version 246.9.1 Service Release
# gpg: Signature made Mon 21 Dec 2020 16:40:29 GMT
# gpg: using RSA key 1E5A6CA82CB19158F5265D6BAFB59BBB3DC3E3B7
# gpg: issuer "sven.eden@prydeworx.com"
# gpg: requesting key AFB59BBB3DC3E3B7 from hkps server keys.openpgp.org
# gpg: key AFB59BBB3DC3E3B7: new key but contains no user ID - skipped
# gpg: Total number processed: 1
# gpg: w/o user IDs: 1
# gpg: Can't check signature: No public key
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
This reverts commit e29dcd4517 which caused
lintian to complain:-
W: libelogind0: lacks-unversioned-link-to-shared-library lib/x86_64-linux-gnu/libelogind.so.0.29.0 usr/lib/x86_64-linux-gnu/libelogind.so
This is the first release of the new version 246 series.
We start with 246.9 to be in sync with upstream systemd tagging.
The latest upstream commit this version is synced to is
systemd-stable/v246-stable:90f7f6c577
One important note: If you have a localized Linux with translated man
pages installed, you have to use `LC_ALL=C` when calling `man` for
elogind manuals about `logind.conf` or `loginctl`. Otherwise you will
see the translated pages for the systemd versions.
Changes and Additions
---------------------
* Removed unused source files and headers.
* pam_elogind: Do not ask for 'elogind-user-record', nothing sets
that up.
* suspend/hibernate: Read current config before acting. This way
users can change their configurations and have them applied without
the need to restart or SIGHUP elogind.
* Enable checking for BTRFS before calculating an offset to a
swap_file before hibernating.
* Makefile: Allow parallel debug and release builds.
* cgroup controller detection has been enhanced to be more reliable.
* Makefile: Fully wrap meson/ninja to be compatible with JetBrains
CLion IDE.
* Support config files in .d directories: (#170, #172)
Configuration loading has been enhanced to additionally search for
configuration files (*.conf) in:
* /etc/elogind/logind.conf.d
* /run/elogind/logind.conf.d
* /usr/local/lib/elogind/logind.conf.d
* /usr/lib/elogind/logind.conf.d
* /lib/elogind/logind.conf.d (if split-usr is set)
Additionally elogind now looks into the following paths for
configuration files with [Sleep] configurations:
* /etc/elogind/sleep.conf.d
* /run/elogind/sleep.conf.d
* /usr/local/lib/elogind/sleep.conf.d
* /usr/lib/elogind/sleep.conf.d
* /lib/elogind/sleep.conf.d (if split-usr is set)
In addition to the system shutdown script directory, elogind will
now also look into `/etc/elogind/system-shutdown` for shutdown
hook scripts.
* Add functionality to try to lay present nvidia cards to sleep when
suspending/hibernating (#140)
New logind.conf entry: `HandleNvidiaSleep` default: `no`
* Actually heed SuspendMode= settings in logind.conf
* Prefer syslog over kmsg, elogind is a daemon, not a kernel module.
* Make broadcasting of PowerOff/Suspend cancellation optional. (#175)
New logind.conf entries:
* `BroadcastPowerOffInterrupts` default: `yes`
* `BroadcastSuspendInterrupts` default: `yes`
Fixed Bugs
----------
* Fix two potential NULL pointer issues.
* Execute wakeup scripts in serial order. (#72)
* Fix creation of user runtime directories.
* Fix elogind double fork, so logging works as expected.
* Make privilege check on suspend/hibernate optional. (#167)
* `man logind.conf`: Document sleep modes/states (#180)
(You might need to use `LC_ALL=C` to actually see this, as
translations installed are for systemd logind.conf.)
Merge tag 'v246.9'
Version 246.9 Release
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
sleep-config.c : Check for BTRFS to not allow swap file hibernation,
as the detection of swap file offsets is not
supported on BTRFS.
copy.c : Utilize btrfs_reflink() and btrfs_clone_range() if
supported.
rm-rf.c : Utilize subvolume removal if possible.
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
There are two ways in which sd_login_* functions acquire data:
some are derived from the cgroup path, but others use the data serialized
by logind.
When the tests are executed under Fedora's mock, without systemd-spawn
but instead in a traditional chroot, test-login gets confused:
the "outside" cgroup path is visible, so sd_pid_get_unit() and
sd_pid_get_session() work, but sd_session_is_active() and other functions
that need logind data fail.
Such a buildroot setup is fairly bad, but it can be encountered in the wild, so
let's just skip the tests in that case.
/* Information printed is from the live system */
sd_pid_get_unit(0, …) → "session-237.scope"
sd_pid_get_user_unit(0, …) → "n/a"
sd_pid_get_slice(0, …) → "user-1000.slice"
sd_pid_get_session(0, …) → "237"
sd_pid_get_owner_uid(0, …) → 1000
sd_pid_get_cgroup(0, …) → "/user.slice/user-1000.slice/session-237.scope"
sd_uid_get_display(1000, …) → "(null)"
sd_uid_get_sessions(1000, …) → [0] ""
sd_uid_get_seats(1000, …) → [0] ""
Assertion 'r >= 0' failed at src/libsystemd/sd-login/test-login.c:104, function test_login(). Aborting.
(cherry picked from commit ac5644635dba54ce5eb0ff394fc0bc772a984849)
(based on 4275f1c95e730ca9422463be29747ad4b6b1fb91)
These two judgement can't judge that two entries are repeating fully.
So I think seqnum is needed to make full judgement.
(cherry picked from commit b17f651a17cd6ec0ceac7835f2f8607fbd9ddb95)
(cherry picked from commit 60fc09f5db900d622aa956fdc98283f149b4a8b2)
reallocarray() is defined in stdlib.h, so that would be right header to
check for its presence.
Signed-off-by: Khem Raj <raj.khem@gmail.com>
(cherry picked from commit 5bb20fd3d33f7e866a0845f15c1ab5b595147f1e)
(cherry picked from commit 1d8cfe817861a0b0de2b561f6770e33d1242db63)
In some cases it is not defined. Eg in a yocto build:
src/systemd/meson.build:61:15: ERROR: Unknown variable cxx.
(cherry picked from commit 442bc2afee6c5f731c7b3e76ccab7301703a45a7)
(cherry picked from commit dad90a476e667b9c570cf236c90b50ccae7e8817)
This is a fix of #17751. Specifically:
1. Sort #include headers again
2. Remove tabs, as per coding style
3. Don't install fds in half-initialized objects
4. Use asynchronous_close() everywhere
That all said:
Quite frankly, I am not convinced we should do all this at all. If
close()ing of these input devices is really that slow, then this should
probably be fixed in the kernel, not worked around in userspace like
this.
(cherry picked from commit c74d5fe25d53263c143f0a9c2698d8bb483e398c)
Commit [1] added a workaround when unified cgroups are used but missed
legacy cgroups where there is the same issue.
[1] <2dbc45aea7>
Signed-off-by: Pavel Hrdina <phrdina@redhat.com>
(cherry picked from commit 35e7a62ca32a30169a94693b831e53c832251984)
This doesn't change the condition's logic at all, but is an attempt to
make things a bit more readable: instead of checking log_target !=
LOG_TARGET_AUTO let's actually list the targets where we want to
consider journal/syslog/kmsg, to make things a bit less confusing. After
all the message here is not to avoid them if LOG_TARGET_AUTO is set, but
to definitely do them in the other cases.
(cherry picked from commit ef9bddb79984aa1b9d605d44b8c0890e8289bef1)
The logic was changed in bc694c06e60505efeb09e5278a7b22cdfa23975e, let's
update the comment accordingly.
(cherry picked from commit 27ffec083140467a03f463a446c6d19dc5e437ab)
This extracts the IP address (as union in_addr_union) from a socket
address (i.e. a struct sockaddr).
(cherry picked from commit 3132597182c806e5193aebb0b67cdc0f73154a51)
This follows more closely what web browsers do, and makes sure emojis in
domains work.
Fixes: #14483
(cherry picked from commit d80e72ec602c2af2983842ad87e4443fce89d423)
UML runs as a user-process so it can quite easily be run inside of
another hypervisor, for instance inside a KVM instance. UML passes
through the CPUID from the host machine so in this case detect_vm
incorrectly identifies as running under KVM. So check we are running
a UML kernel first, before we check any other hypervisors.
Resolves: #17754
Signed-off-by: Christopher Obbard <chris.obbard@collabora.com>
(cherry picked from commit c8037dbf05da586b6a210ac04f145d99f424971f)
Follow-up for d448888924c1d4815cb97bcd5d94419812c053b9 and ca121e20c42219e3bc4e5cb63dcc96cc5eae2879.
Fixes #17568.
(cherry picked from commit 0f82a2ab5c8d812791aca9686bdcc45f39c62431)
This test assumes capability_list_length() is an invalid cap number,
but that isn't true if the running kernel supports more caps than we were
compiled with, which results in the test failing.
Instead use cap_last_cap() + 1.
If cap_last_cap() is 63, there are no more 'invalid' cap numbers to test with,
so the invalid cap number test part is skipped.
(cherry picked from commit ebc815cd1c647faa934a446ceea91ff4bc9dffa4)
If /sys/class/OOO node is created and destroyed during booting (kernel driver initialization fails),
systemd-udev-trigger.service fails due to race condition.
***** race condition ***********************************************************************************
1. kernel driver create /sys/class/OOO
2. systemd-udev-trigger.service executes "/usr/bin/udevadm trigger --type=devices --action=add"
3. device_enumerator_scan_devices() => enumerator_scan_devices_all() => enumerator_scan_dir("class") =>
opendir("/sys/class") and iterate all subdirs ==> enumerator_scan_dir_and_add_devices("/sys/class/OOO")
4. kernel driver fails and destroy /sys/class/OOO
5. enumerator_scan_dir_and_add_devices("/sys/class/OOO") fails in opendir("/sys/class/OOO")
6. "systemd-udev-trigger.service" fails
7. udev coldplug fails and some device units not ready
8. mount units associated with device units fail
9. local-fs.target fails
10. enters emergency mode
********************************************************************************************************
***** status of systemd-udev-trigger.service unit ******************************************************
$ systemctl status systemd-udev-trigger.service
systemd-udev-trigger.service - udev Coldplug all Devices
Loaded: loaded (/usr/lib/systemd/system/systemd-udev-trigger.service; static; vendor preset: enabled)
Active: failed (Result: exit-code) since Thu 2020-01-02 13:16:54 KST; 22min ago
Docs: man:udev(7)
man:systemd-udevd.service(8)
Process: 2162 ExecStart=/usr/bin/udevadm trigger --type=subsystems --action=add (code=exited, status=0/SUCCESS)
Process: 2554 ExecStart=/usr/bin/udevadm trigger --type=devices --action=add (code=exited, status=1/FAILURE)
Main PID: 2554 (code=exited, status=1/FAILURE)
Jan 02 13:16:54 localhost udevadm[2554]: Failed to scan devices: No such file or directory
Jan 02 13:16:54 localhost systemd[1]: systemd-udev-trigger.service: Main process exited, code=exited, status=1/FAILURE
Jan 02 13:16:54 localhost systemd[1]: systemd-udev-trigger.service: Failed with result 'exit-code'.
Jan 02 13:16:54 localhost systemd[1]: Failed to start udev Coldplug all Devices.
*******************************************************************************************************
***** journal log with Environment=SYSTEMD_LOG_LEVEL=debug in systemd-udev-trigger.service ***********
Jan 01 21:57:20 localhost udevadm[2039]: sd-device-enumerator: Scanning /sys/bus
Jan 01 21:57:20 localhost udevadm[2522]: sd-device-enumerator: Scan all dirs
Jan 01 21:57:20 localhost udevadm[2522]: sd-device-enumerator: Scanning /sys/bus
Jan 01 21:57:21 localhost udevadm[2522]: sd-device-enumerator: Scanning /sys/class
Jan 01 21:57:21 localhost udevadm[2522]: sd-device-enumerator: Failed to scan /sys/class: No such file or directory
Jan 01 21:57:21 localhost udevadm[2522]: Failed to scan devices: No such file or directory
*******************************************************************************************************
(cherry picked from commit cfb6197bc31eb6b2631dec7bf8d7a253e7891016)
If StartLimitIntervalSec is huge, or more specifically, set to "infinity", we need to take care about overflows.
(cherry picked from commit e2357b1c8a87b610066b8b2a59517bcfb20b832e)
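The overflow named in the commit message above, as an added example (not the systemd or elogind code): a rate-limit window test written as `begin + interval < now` wraps around when the interval is the "infinity" value, so the window restarts on every event and the burst limit is never enforced. The struct, the function names and the sample timestamps are constructed for this sketch; it assumes "infinity" is stored as `UINT64_MAX` microseconds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

typedef uint64_t usec_t;
#define USEC_INFINITY ((usec_t) UINT64_MAX) /* assumed "infinity" sentinel */

/* Hypothetical limiter: at most `burst` events per `interval`. */
struct ratelimit {
        usec_t interval;
        usec_t begin;   /* start of the current window, 0 = none yet */
        unsigned burst;
        unsigned num;   /* events counted in the current window */
};

typedef bool (*expired_fn)(const struct ratelimit *r, usec_t now);

/* Naive test: begin + interval wraps modulo 2^64 for huge intervals,
 * so an "infinite" window looks as if it ended long ago. */
static bool window_expired_naive(const struct ratelimit *r, usec_t now) {
        return r->begin + r->interval < now;
}

/* Overflow-safe test: compare the elapsed time with the interval.
 * The subtraction cannot wrap because now >= begin is checked first. */
static bool window_expired_safe(const struct ratelimit *r, usec_t now) {
        if (now < r->begin)
                return false; /* clock stepped back: stay in the window */
        return now - r->begin > r->interval;
}

/* Returns true if the event at `now` is still within the limit. */
static bool ratelimit_below(struct ratelimit *r, usec_t now, expired_fn expired) {
        if (r->begin == 0 || expired(r, now)) {
                r->begin = now; /* open a fresh window */
                r->num = 1;
                return true;
        }
        if (r->num < r->burst) {
                r->num++;
                return true;
        }
        return false;
}

/* Constructed scenario: burst of 2, interval "infinity", four events
 * at t = 1000, 2000, 3000 and 4000 usec. Returns how many pass. */
static unsigned count_allowed(expired_fn expired) {
        struct ratelimit r = { .interval = USEC_INFINITY, .burst = 2 };
        unsigned allowed = 0;

        for (usec_t now = 1000; now <= 4000; now += 1000)
                if (ratelimit_below(&r, now, expired))
                        allowed++;
        return allowed;
}

int main(void) {
        printf("naive check allows %u of 4 events\n",
               count_allowed(window_expired_naive));
        printf("safe check allows  %u of 4 events\n",
               count_allowed(window_expired_safe));
        return 0;
}
```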
":" is prettier, but meson 0.56+ doesn't like it:
src/systemd/meson.build:73: DEPRECATION: ":" is not allowed in test name "cc-sd-bus.h:c", it has been replaced with "_"
src/systemd/meson.build:73: DEPRECATION: ":" is not allowed in test name "cc-sd-bus.h:c-ansi", it has been replaced with "_"
...
Fixes #17568.
(cherry picked from commit ca121e20c42219e3bc4e5cb63dcc96cc5eae2879)
We do not allow machine names with "_", so the command would fail as written.
Share the example with the systemd-nspawn page instead.
(cherry picked from commit 5fadff3352cfeb82844b6d475056bb18f2eba0dc)
The idea is that we have strvs like list of server names or addresses, where
the majority of strings is rather short, but some are long and there can
potentially be many strings. So formatting them either all on one line or all
in separate lines leads to output that is either hard to read or uses way too
many rows. We want to wrap them, but relying on the pager to do the wrapping is
not nice. Normal text has a lot of redundancy, so when the pager wraps a line
in the middle of a word the reader can understand what is going on without any
trouble. But for a high-density zero-redundancy text like an IP address it is
much nicer to wrap between words. This also makes c&p easier.
This adds a variant of TABLE_STRV which is wrapped on output (with line breaks
inserted between different strv entries).
The change to table_print() is quite ugly. A second pass is added to re-calculate
column widths. Since column size is now "soft", i.e. it can adjust based on
available columns, we need two passes:
- first we figure out how much space we want
- in the second pass we figure out what the actual wrapped columns
widths will be.
To avoid unnecessary work, the second pass is only done when we actually have
wrappable fields.
A test is added in test-format-table.
(cherry picked from commit b0e3d799891c4633bd2b0d88e4ed2c741bbcd532)
The status string is modeled after our --version output: +enabled -disabled equals=more-info
For example:
Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=allow-downgrade/supported
(cherry picked from commit fe37e5a5d192ec55f87cd57893688a865b7f72d2)
We would print the whole string as a single super-long line. Let's nicely
break the text into lines that fit on the screen.
$ COLUMNS=70 build/resolvectl --no-pager nta
Global: home local intranet 23.172.in-addr.arpa lan
18.172.in-addr.arpa 16.172.in-addr.arpa 19.172.in-addr.arpa
25.172.in-addr.arpa 21.172.in-addr.arpa d.f.ip6.arpa
20.172.in-addr.arpa 30.172.in-addr.arpa 17.172.in-addr.arpa
internal 168.192.in-addr.arpa 28.172.in-addr.arpa
22.172.in-addr.arpa 24.172.in-addr.arpa 26.172.in-addr.arpa
corp 10.in-addr.arpa private 29.172.in-addr.arpa test
27.172.in-addr.arpa 31.172.in-addr.arpa
Link 2 (hub0):
Link 4 (enp0s31f6):
Link 5 (wlp4s0):
Link 7 (virbr0): adsfasdfasdfasd.com 21.172.in-addr.arpa lan j b
a.com home d.f.ip6.arpa b.com local 16.172.in-addr.arpa
19.172.in-addr.arpa 18.172.in-addr.arpa 25.172.in-addr.arpa
20.172.in-addr.arpa k i h 23.172.in-addr.arpa
168.192.in-addr.arpa d g intranet 17.172.in-addr.arpa c e.com
30.172.in-addr.arpa a f d.com e internal
Link 8 (virbr0-nic):
Link 9 (vnet0):
Link 10 (vb-rawhide):
Link 15 (wwp0s20f0u2i12):
(cherry picked from commit 7c5023037815228280dcf461bf9b9f2b3575f600)
By making them unsigned comparing them with other sizes is less likely
to trigger compiler warnings regarding signed/unsigned comparisons.
After all sizes (i.e. size_t) are generally assumed to be unsigned, so
these should be too.
Prompted-by: https://github.com/systemd/systemd/pull/17345#issuecomment-709402332
(cherry picked from commit 67bd5620f6cf481c0a59cedbcf63ddcab355cc55)
We would return ENOENT, which is extremely confusing. Strace is not helpful because
no *file* is actually missing. So let's add some logs at debug level and also use
a custom return code. Let all user-facing utilities print a custom error message
in that case.
(cherry picked from commit ab4a88eb920e2f64a79a60c1ea9aecb7907a9635)
When connection to the bus fails it can be mighty hard to figure out
what went wrong because we have many different connection mechanisms and
we don't log what is happening.
(cherry picked from commit 165fee860a384b2e1ea4317551bc4463b3d53b61)
Let's mark the whole /run/host hierarchy as something to ignore by PID 1
for generation of .mount units, i.e. consider it as "extrinsic".
By unifying container mgr supplied resources in one dir it's also easy
to exclude the whole lot from PID1's management inside the container.
This is the right thing to do, since from the payload's PoV these mounts
are just API and not manipulatable as they are established, managed and
owned by the container manager, not the payload.
(While we are at it, also add the boot ID mount to the existing list, as
nspawn and other container managers overmount that too, typically, and
it is thus owned by the container manager and not the payload
typically.)
(cherry picked from commit 6f997852c8830ca073c55241b0068ebbf1f94a72)
While a server is in the VARLINK_PENDING_METHOD or VARLINK_PENDING_METHOD_MORE
states and its write end is disconnected and it gets a POLLHUP, we
should disconnect since it can't write anymore.
In the case of systemd-oomd disconnecting while pid1 was pending-more, this
condition left pid1 in a state where it started throttling from
continually getting POLLHUP.
(cherry picked from commit e8e9227f5c3f8d47bec1d57a2801b22d53d0b341)
I can't think of any real vulnerability about this, but it still feels
better to check a variable with "secure" in its name with
secure_getenv() rather than plain getenv().
Paranoia FTW!
(cherry picked from commit b8f736b30e20a2b44e7c34bb4e43b0d97ae77e3c)
This might fix #17025:
> the call trace is
> bus_ensure_running -> sd_bus_process -> bus_process_internal -> process_closeing --> sd_bus_close
> |
> \-> process_match
We ended up doing callouts to the Disconnected matches from bus_ensure_running()
and shouldn't. bus_ensure_running() should never do callouts. This change
should fix this however: once we notice that the connection is going down we
will now fail instantly with ENOTCONN instead of calling any callbacks.
(cherry picked from commit 93a59b1ae5d3bcb0ec1488ebc13d0d1ff4d1729a)
The variable is renamed to SYSTEMD_PAGERSECURE (because it's not just about
less now), and we automatically enable secure mode in certain cases, but not
otherwise.
This approach is more nuanced, but should provide a better experience for
users:
- Previously we would set LESSSECURE=1 and trust the pager to make use of
it. But this has an effect only on less. We need to not start pagers which
are insecure when in secure mode. In particular more is like that and is a
very popular pager.
- We don't enable secure mode always, which means that those other pagers can
reasonably be used.
- We do the right thing by default, but the user has ultimate control by
setting SYSTEMD_PAGERSECURE.
Fixes #5666.
v2:
- also check $PKEXEC_UID
v3:
- use 'sd_pid_get_owner_uid() != geteuid()' as the condition
(cherry picked from commit 0a42426d797406b4b01a0d9c13bb759c2629d108)
Some extra safety when invoked via "sudo". With this we address a
genuine design flaw of sudo, and we shouldn't need to deal with this.
But it's still a good idea to disable this surface given how exotic it
is.
Prompted by #5666
(cherry picked from commit 612ebf6c913dd0e4197c44909cb3157f5c51a2f0)
It's not clear what libcs make of this. We clamp to 1 byte allocations
in most cases already, let's add this for a few where this was missing.
(cherry picked from commit 562b01e99646a21ba8a0f4f52c578a38b3f7d03d)
This fixes an issue caused by eb1c1dc029c91750e6255c3fd844b4f4bf238fab.
Before the commit, multiple values can be specified for the same
sysattr or property.
Fixes #17259.
(cherry picked from commit a0887abbd8bd9f1a9a975af08e6b4a43960bb3e2)
My logs have lines like this:
Oct 10 09:38:38 krowka systemd-logind[1889]: External (2) displays connected.
Oct 10 09:38:38 krowka systemd-logind[1889]: Refusing operation, as it is turned off.
Without some hint *what* operation is ignored, this is not very informative.
(I remember this came up before, but I don't remember why we didn't change this
log line back then...)
(cherry picked from commit bf135d82585f9a6356fa818fe4c130d3e3524918)
Currently systemd-detect-virt fails to detect running under PowerVM.
Add code to detect PowerVM based on code in util-linux.
Signed-off-by: Michal Suchanek <msuchanek@suse.de>
(cherry picked from commit 3224e38bb6b3287ca253cbafb460a150544d5818)
Completions for systemd-id128 and homectl have been available for a
while, but weren’t being installed.
(cherry picked from commit 7c57a030e0d654ce0e4d557da826170fb5ac5bc2)
The RTC is likely just off, it's a weird system state, let's continue
without requiring pw change.
(cherry picked from commit 3e0b54867e22523cffda3b80e179df89b6d81bcd)
This likely indicates that the system clock is simply wrong, hence allow
access in this case.
Fixes: #15917
(cherry picked from commit 61a29a020c5c6611a22a84c1456e8da7aa656194)
This might happen if the system clock is wrong, and we should allow
access in this case (though certainly log about it).
(cherry picked from commit 51a95db6dcb720608eccaac01328b66ef7cc0d30)
musl [added support for reallocarray][0], but the function prototype is
declared in `stdlib.h` instead of `malloc.h`.
Update the check for reallocarray to check both in `malloc.h` and
`stdlib.h`.
[0]:https://git.musl-libc.org/cgit/musl/commit/?id=821083ac7b54eaa040d5a8ddc67c6206a175e0ca
(cherry picked from commit b49f2b64c1547613182076a6f1bce3b2ec8cb863)
Generally speaking, polkit is optional. If it is not installed, the
privilege checking done by elogind is limited to UID and capability
checks.
But users on single-user systems without polkit should be perfectly
capable to suspend/hibernate their machine without the need to use
sudo or similar, as this would make triggering suspension on critical
battery levels, or when closing the lid of a laptop, almost useless.
Before commit b187de7 elogind did not check on suspend/hibernate
actions, because an issue with the policies made elogind asking for
super-user credentials, which was basically the same issue.
Bug: #149
Closes: #167
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
Although elogind can now handle /proc/driver/nvidia/suspend, its
interface is considered experimental, and should not be written to by
elogind unless it is really needed.
The new option therefore defaults to "no", and thus lets users opt-in
to elogind taking care of writing suspend/hibernate/resume to that
interface.
See more information at:
https://download.nvidia.com/XFree86/Linux-x86_64/455.38/README/powermanagement.html
Bug: #140
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
Whenever a hook script fails while being allowed to interrupt the
power/sleep action it was triggered by, a broadcast message is
issued, which informs all users about the cancellation.
This commit adds two new options to the [Sleep] section of
logind.conf:
#BroadcastPowerOffInterrupts=yes
#BroadcastSuspendInterrupts=yes
These two values default to "yes" and can be set to "no", which
causes elogind to no longer broadcast the corresponding failures.
Bug: #175
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
Unfortunately a WM started with `startx`, while being a GUI session,
is listed (correctly) as Type 'tty'.
So to be on the safe side, always try to switch VT before suspension
when nvidia drivers are detected.
Bug: #140
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
The system won't resume after suspend when nvidia drivers are in use.
This is, because nvidia cards have to be told to go into suspension
or hibernation before putting the computer to sleep.
After waking up, the cards have to be reactivated, or the display
would not come back online.
Modern nvidia driver installments provide a script for this at
`/usr/bin/nvidia-sleep.sh`, but the script is not guaranteed to
exist.
With this patch elogind will do the following, if the path
`/proc/driver/nvidia/suspend`
exists:
* Save the active VT if possible
* Switch to a neutral VT '63'
* If the switch succeeded, write either "suspend" or
"hibernate" to `/proc/driver/nvidia/suspend`
And when waking up:
* If a VT was saved, switch back to it
* Write "resume" to `/proc/driver/nvidia/suspend`
This basically recreates the functionality of
`/usr/bin/nvidia-sleep.sh` within elogind.
Closes: #140
Although this can slow down the wake up process of any machine, the
order in which hook scripts are executed might matter enough to not
allow parallel execution.
Also: If a system setup really needs hook scripts, then a second
longer wakeup time is certainly nothing to worry about.
Closes: #72
In addition to the system sleep script directory, elogind will now
also look into `/etc/elogind/system-sleep` for sleep hook scripts.
In addition to the system shutdown script directory, elogind will now
also look into `/etc/elogind/system-shutdown` for shutdown hook
scripts.
Bug: #172
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
Configuration loading has been enhanced to additionally search for
configuration files (*.conf) in:
* /etc/elogind/logind.conf.d
* /run/elogind/logind.conf.d
* /usr/local/lib/elogind/logind.conf.d
* /usr/lib/elogind/logind.conf.d
* /lib/elogind/logind.conf.d (if split-usr is set)
Additionally elogind now looks into the following paths for
configuration files with [Sleep] configurations:
* /etc/elogind/sleep.conf.d
* /run/elogind/sleep.conf.d
* /usr/local/lib/elogind/sleep.conf.d
* /usr/lib/elogind/sleep.conf.d
* /lib/elogind/sleep.conf.d (if split-usr is set)
Closes: #172
This also fixes the log messages about unknown Sections in
Bug: #170
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
This is a pre-release, and explicitly not meant for daily usage!
* Startup problems when daemonizing elogind have been fixed
Merge tag 'v246.0-rc2'
Version v246.0 Release Candidate 2
This is a pre-release, and explicitly not meant for daily usage!
* Startup problems when daemonizing elogind have been fixed
# gpg: Signature made Fri 13 Nov 2020 09:47:57 GMT
# gpg: using RSA key 1E5A6CA82CB19158F5265D6BAFB59BBB3DC3E3B7
# gpg: issuer "sven.eden@prydeworx.com"
# gpg: requesting key AFB59BBB3DC3E3B7 from hkps server keys.openpgp.org
# gpg: key AFB59BBB3DC3E3B7: new key but contains no user ID - skipped
# gpg: Total number processed: 1
# gpg: w/o user IDs: 1
# gpg: Can't check signature: No public key
This is a pre-release, and explicitly not meant for daily usage!
* elogind has been synced up to systemd/systemd-stable/v246-stable
commit 9353607ef3cff4902296268bab0ccc82dc8b04c2
* cgroup controller detection has been enhanced to be more reliable
* Prior to each sleep command the sleep configuration is re-read, so
that changes no longer need to be made known by reloading or
restarting elogind.
Merge tag 'v246.0-rc1'
Version v246.0 Release Candidate 1
This is a pre-release, and explicitly not meant for daily usage!
* elogind has been synced up to systemd/systemd-stable/v246-stable
commit 9353607ef3cff4902296268bab0ccc82dc8b04c2
* cgroup controller detection has been enhanced to be more reliable
* Prior to each sleep command the sleep configuration is re-read, so
that changes no longer need to be made known by reloading or
restarting elogind.
This is a pre-release, and explicitly not meant for daily usage!
* elogind has been synced up to systemd/systemd-stable/v246-stable
commit 9353607ef3cff4902296268bab0ccc82dc8b04c2
* cgroup controller detection has been enhanced to be more reliable
* Prior to each sleep command the sleep configuration is re-read, so
that changes no longer need to be made known by reloading or
restarting elogind.
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
By syncing our variables with upstream SleepConfig, much of the mess
sleep.c was could be reduced.
Also always load the current configuration, so users no longer need
to reload elogind when they change the sleep configuration.
Signed-off-by: Sven Eden <sven.eden@prydeworx.com>
There must not be a default, as the default is already set in
/sys/power/mem_sleep. This was a misunderstanding on my side.
This reverts commit b038b2d479.
Different systems use different paths for it and users are confused when the
man page has a path different than the one on the local system.
https://bugzilla.redhat.com/show_bug.cgi?id=1876905
(cherry picked from commit c2ee27a5e7fa1c6a71341579baa2d941c6e3e6e6)
RC_LOCAL_SCRIPT_PATH_START and RC_LOCAL_SCRIPT_PATH_STOP were originally
added in the conversion to meson based on the autotools name. In
44508946534eee032927c263b79464832656dd6e RC_LOCAL_SCRIPT_PATH_STOP was dropped.
We don't need to use such a long name.
(cherry picked from commit 452d2dfd52f1cc686395663a6cd4c778306bd309)
By setting AI_ADDRCONFIG in hints we cannot for example resolve "localhost"
when the local machine only has a loopback interface. This seems like an
unnecessary restriction, drop it.
Inspired by https://bugzilla.redhat.com/show_bug.cgi?id=1839007.
(cherry picked from commit d0e5db44d9e1cf61ca75c8a86ffed19cc1b7fe5f)
In shell, inside of double quotes only a select few chars should be
escaped. If other chars are escaped this has no effect. Correct the list
of chars that need such escaping.
Also, make sure we can read back the stuff we wrote out without loss.
Fixes: #16788
(cherry picked from commit de008e537dc6e3504f988fa9bd358f783016df8a)
We already have rootprefix_noslash as meson variable, export it so that
we can also use it in C code.
Fixes: #16773
(cherry picked from commit b612c26ceb9f56af0271fc9f07c1724d2d260a8a)
if we allocate a bunch of hash tables all at the same time, with none
earlier than the other, there's a good chance we'll initialize the
shared hash key multiple times, so that some threads will see a
different shared hash key than others.
Let's fix that, and make sure really everyone sees the same hash key.
Fixes: #17007
(cherry picked from commit ae0b700a856c0ae460d271bb50dccfaae84dbcab)
Up to now the capability CAP_SETPCAP was raised implicitly in the
function capability_bounding_set_drop.
This functionality is moved into a new function
(capability_gain_cap_setpcap).
The new function optionally provides the capability set as it was
before raising CAP_SETPCAP.
(cherry picked from commit 57d4d284c95a3dfdb9a4e3f74978623cbb3f918a)
When 4dfaa528d45 was first committed its callers relied on `errno` instead of the
return value for error reporting. Which worked fine, since internally
under all conditions base were set — even if ugly and not in line with
our coding style. Things then got broken in
f8606626ed3c2582e06543550d58fe9886cdca5f where suddenly additional
syscalls might end up being done in the function, thus corrupting `errno`.
(cherry picked from commit dee00c1939c6194404c15a80650d0c04bb01b0db)
cryptsetup: Fix null pointer dereference
Fix null pointer dereference in the pkcs11 related code of systemd-cryptsetup
(cherry picked from commit 664ad0f6f54257643fa069d9e1e9cad0f6fd7cc3)
The commit 10ce2e0681ac16e7bb3619b7bb1a72a6f98a2f2c inverts the order of
SO_{RCV,SND}BUFFORCE and SO_{RCV,SND}BUF. However, setting buffer size with
SO_{RCV,SND}BUF does not fail even if the requested size is larger than
the kernel limit. Hence, SO_{RCV,SND}BUFFORCE will not be used anymore and
the buffer size is always limited by the kernel limit even if we have
the privilege to ignore the limit.
This makes the buffer size get checked after configuring it with
SO_{RCV,SND}BUF, and if it is still not sufficient, then try to set it
with FORCE command. With this commit, if we have enough privilege, the
requested buffer size is correctly set.
Hopefully fixes #14417.
(cherry picked from commit b92f350789e33942be0cf85af22a580c1fd483d6)
log_debug still returns 0. I think it is legitimate to use 'return log_debug()' to
return 0. It is different than the other functions, since we often want to suppress
errors logged at debug level. This case is quite common in the codebase and
we could use 'return log_debug_errno()' to make the code more concise.
For all other variants, a separate return line is required.
Previous commit changes all the non-conforming instances, now we can make it mandatory.
(cherry picked from commit 44f0dd628ce4ca9565b0e02b8cb63ed8272529cd)
In various cases, we would say 'return log_warning()' or 'return log_error()'. Those
functions return 0 if no error is passed in. For log_warning or log_error this doesn't
make sense, and we generally want to propagate the error. In the few cases where
the error should be ignored, I think it's better to split it in two, and call 'return 0'
on a separate line.
(cherry picked from commit c413bb28df0996be99fd6b3f2335dfe8739d62fb)
Previously, we'd create them from user-runtime-dir@.service. That has
one benefit: since this service runs privileged, we can create the full
set of device nodes. It has one major drawback though: it's security-wise
problematic to create files/directories in directories as privileged
user in directories owned by unprivileged users, since they can use
symlinks to redirect what we want to do. As a general rule we hence
avoid this logic: only unpriv code should populate unpriv directories.
Hence, let's move this code to an appropriate place in the service
manager. This means we lose the inaccessible block device node, but
since there's already a fallback in place, this shouldn't be too bad.
(cherry picked from commit 3242980582d501ec2adbcc0f794c7161056812e8)
Let's make /run/host the sole place we pass stuff from host to container
in and place the "inaccessible" nodes in /run/host too.
In contrast to the previous two commits this is a minor compat break, but
not a relevant one I think. Previously the container manager would place
these nodes in /run/systemd/inaccessible/ and that's where PID 1 in the
container would try to add them too when missing. Container manager and
PID 1 in the container would thus manage the same dir together.
With this change the container manager now passes an immutable directory
to the container and leaves /run/systemd entirely untouched, and managed
exclusively by PID 1 inside the container, which is nice to have clear
separation on who manages what.
In order to make sure systemd then uses the /run/host/inaccessible/
nodes this commit changes PID 1 to look for that dir and if it exists
will symlink it to /run/systemd/inaccessible.
Now, this will work fine if new nspawn and new pid 1 in the container
work together, as then the symlink is created and the difference between
the two dirs won't matter.
For the case where an old nspawn invokes a new PID 1: in this case
things work as they always worked: the dir is managed together.
For the case where different container manager invokes a new PID 1: in
this case the nodes aren't typically passed in, and PID 1 in the
container will try to create them and will likely fail partially (though
gracefully) when trying to create char/block device nodes. This is fine
though as there are fallbacks in place for that case.
For the case where a new nspawn invokes an old PID1: this is where the
(minor) incompatibility happens: in this case new nspawn will place the
nodes in the /run/host/inaccessible/ subdir, but the PID 1 in the
container won't look for them there. Since the nodes are also not
pre-created in /run/systemd/inaccessible/ PID 1 will try to create them
there as if a different container manager sets them up. This is of
course not sexy, but is not a total loss, since as mentioned fallbacks
are in place anyway. Hence I think it's OK to accept this minor
incompatibility.
(cherry picked from commit 9fac502920a648d82e21b207989bfc3c00fbdebc)
Upon reception of a message which fails in json_parse(), we would proceed to
parse it again from a deferred callback and hang. Once we have realized that
the message is invalid, let's move the pointer in the buffer even if the
message is invalid. We don't want to look at this data again.
(before) $ build-rawhide/userdbctl --output=json user test.user
n/a: varlink: setting state idle-client
/run/systemd/userdb/io.systemd.Multiplexer: Sending message: {"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"userName":"test.user","service":"io.systemd.Multiplexer"}}
/run/systemd/userdb/io.systemd.Multiplexer: varlink: changing state idle-client → awaiting-reply
/run/systemd/userdb/io.systemd.Multiplexer: New incoming message: {...}
/run/systemd/userdb/io.systemd.Multiplexer: varlink: changing state awaiting-reply → pending-disconnect
/run/systemd/userdb/io.systemd.Multiplexer: New incoming message: {...}
/run/systemd/userdb/io.systemd.Multiplexer: varlink: changing state pending-disconnect → disconnected
^C
(after) $ n/a: varlink: setting state idle-client
/run/systemd/userdb/io.systemd.Multiplexer: Sending message: {"method":"io.systemd.UserDatabase.GetUserRecord","parameters":{"userName":"test.user","service":"io.systemd.Multiplexer"}}
/run/systemd/userdb/io.systemd.Multiplexer: varlink: changing state idle-client → awaiting-reply
/run/systemd/userdb/io.systemd.Multiplexer: New incoming message: {...}
/run/systemd/userdb/io.systemd.Multiplexer: Failed to parse JSON: Invalid argument
/run/systemd/userdb/io.systemd.Multiplexer: varlink: changing state awaiting-reply → pending-disconnect
/run/systemd/userdb/io.systemd.Multiplexer: varlink: changing state pending-disconnect → processing-disconnect
Got lookup error: io.systemd.Disconnected
/run/systemd/userdb/io.systemd.Multiplexer: varlink: changing state processing-disconnect → disconnected
Failed to find user test.user: Input/output error
This should fix #16683 and https://bugs.gentoo.org/735072.
(cherry picked from commit 77472d06a4740d820ebccdb04e217d6b7d66dd50)
We would reject various passwords that glibc accepts, for example ""
or any descrypted password. Accounts with empty password are definitely
useful, for example for testing or in scenarios where a password is not
needed. Also, using weak encryption methods is probably not a good idea,
it's not the job of our nss helpers to decide that: they should just
faithfully forward whatever data is there.
Also rename the function to make it more obvious that the returned answer
is not in any way certain.
(cherry picked from commit 8f796e40a561bd9200fde3c8885e6255a2dd4250)
Let's make sure the sd_listen_fd() docs are really found from the
.socket file documentation as well as the FileDescriptorStoreMax=
documentation.
Let's also emphasize that that's where the order in which the fds are
passed are documented.
Fixes: #16647
(cherry picked from commit df2f58176d0093f5798240d4d0a69aba21a8f2e2)
Instead of assuming that more-recently modified directories have higher mtime,
just look for any mtime changes, up or down. Since we don't want to remember
individual mtimes, hash them to obtain a single value.
This should help us behave properly in the case when the time jumps backwards
during boot: various files might have mtimes that are in the future, but we won't
care. This fixes the following scenario:
We have /etc/systemd/system with T1. T1 is initially far in the past.
We have /run/systemd/generator with time T2.
The time is adjusted backwards, so T2 will be always in the future for a while.
Now the user writes new files to /etc/systemd/system, and T1 is updated to T1'.
Nevertheless, T1 < T1' << T2.
We would consider our cache to be up-to-date, falsely.
(cherry picked from commit c2911d48ff0fc61fb3cfab7050110992a7390417)
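The T1/T2 scenario from the commit message above, reproduced as an added example that is not part of the commit or of systemd's code. The directory names, the helper names and the use of FNV-1a as the hash are assumptions made for illustration; the commit message only says the mtimes are hashed.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Old-style check: remember only the newest mtime (seconds) of all directories. */
int64_t newest_mtime(const char *const *dirs, size_t n) {
    int64_t newest = 0;
    struct stat st;

    for (size_t i = 0; i < n; i++)
        if (stat(dirs[i], &st) == 0 && (int64_t) st.st_mtim.tv_sec > newest)
            newest = st.st_mtim.tv_sec;
    return newest;
}

/* FNV-1a over the 8 bytes of v, least significant byte first. */
static uint64_t fnv1a_u64(uint64_t h, uint64_t v) {
    for (int i = 0; i < 8; i++) {
        h ^= (v >> (8 * i)) & 0xff;
        h *= 0x100000001b3ULL;
    }
    return h;
}

/* New-style check: one value that changes when any mtime moves, up or down. */
uint64_t mtime_hash(const char *const *dirs, size_t n) {
    uint64_t h = 0xcbf29ce484222325ULL;
    struct stat st;

    for (size_t i = 0; i < n; i++) {
        if (stat(dirs[i], &st) < 0) {
            h = fnv1a_u64(h, UINT64_MAX); /* missing directory: fixed marker */
            continue;
        }
        h = fnv1a_u64(h, (uint64_t) st.st_mtim.tv_sec);
        h = fnv1a_u64(h, (uint64_t) st.st_mtim.tv_nsec);
    }
    return h;
}

static int set_mtime(const char *path, time_t sec) {
    struct timespec ts[2] = { { .tv_sec = sec }, { .tv_sec = sec } };
    return utimensat(AT_FDCWD, path, ts, 0);
}

/* Constructed scenario: "etc" has T1 = 1000, "run" has T2 = 5000 (written
 * before the clock jumped back). Then "etc" is modified at T1' = 2000, so
 * T1 < T1' << T2. Returns a bitmask: 1 = newest-mtime check noticed the
 * change, 2 = hash check noticed it; -1 on setup failure. */
int demo_clock_jump(void) {
    char root[] = "/tmp/mtime-demo-XXXXXX";
    char etc[64], run[64];
    int result = -1;

    if (!mkdtemp(root))
        return -1;
    snprintf(etc, sizeof etc, "%s/etc", root);
    snprintf(run, sizeof run, "%s/run", root);
    const char *const dirs[] = { etc, run };

    if (mkdir(etc, 0755) == 0 && mkdir(run, 0755) == 0 &&
        set_mtime(etc, 1000) == 0 && set_mtime(run, 5000) == 0) {
        int64_t old_newest = newest_mtime(dirs, 2);
        uint64_t old_hash = mtime_hash(dirs, 2);

        if (set_mtime(etc, 2000) == 0)
            result = (newest_mtime(dirs, 2) != old_newest ? 1 : 0) |
                     (mtime_hash(dirs, 2) != old_hash ? 2 : 0);
    }
    rmdir(etc);
    rmdir(run);
    rmdir(root);
    return result;
}

int main(void) {
    int r = demo_clock_jump();

    printf("newest-mtime check saw the change: %s\n", r > 0 && (r & 1) ? "yes" : "no");
    printf("mtime-hash check saw the change:   %s\n", r > 0 && (r & 2) ? "yes" : "no");
    return r < 0;
}
```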
Let's document the discrepancy between the Sec and USec suffixing of
unit files and D-Bus properties at three places: in "systemctl show"
(where it already was briefly mentioned), in the D-Bus interface
description (at one place at least, i.e. the most prominent of
properties that encapsulate time values, there are many more) and in the
general man page explaining time values.
By documenting this at all three places I think we now do as much as we
can do about this highlighting the discrepancy of the naming and the
reasons behind it.
Fixes: #2047
(cherry picked from commit 3c719357dcd56d4c826ec6a4e6870111c2ee8a36)
We need to include `<sys/stat.h>` for usage of the `struct stat` in
the Manager struct, much as we already include `<stdbool.h>` for C99
booleans.
This helps alleviate another minor build failure on non-glibc systems.
(cherry picked from commit 97207ac85cb8f8cba9459694255ff0396f020279)
Yet another new capability coming in Linux kernel v5.9.
Make sure we can recognize them even when built with older kernel headers.
(cherry picked from commit 94d21c2ef6cd6bb035d4c21c98ab001c0abd4cbe)
Previously:
1. last_error wouldn't be updated with errors from is_dir;
2. We'd always issue a stat(), even for binaries without execute;
3. We used stat() instead of access(), which is cheaper.
This change avoids all of those, by only checking inside X_OK-positive
case whether access() works on the path with an extra slash appended.
Thanks to Lennart for the suggestion.
(cherry picked from commit 33e1a5d8d3f792e1d98377fe439e123231032ec7)
Imagine $PATH /a:/b. There is an echo command at /b/echo. Under this
configuration, this works fine:
% systemd-run --user --scope echo .
Running scope as unit: run-rfe98e0574b424d63a641644af511ff30.scope
.
However, if I do `mkdir /a/echo`, this happens:
% systemd-run --user --scope echo .
Running scope as unit: run-rcbe9369537ed47f282ee12ce9f692046.scope
Failed to execute: Permission denied
We check whether the resulting file is executable for the performing
user, but of course, most directories are anyway, since that's needed to
list within it. As such, another is_dir() check is needed prior to
considering the search result final.
Another approach might be to check S_ISREG, but there may be more gnarly
edge cases there than just eliminating this obviously pathological
example, so let's just do this for now.
(cherry picked from commit 8b5cb69bc8b70d1dcc39ed2165907723099bd9d8)
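The lookup behaviour described in the two commit messages above (the `/a:/b` case and the follow-up that uses access() on the path with a slash appended), as an added example that is not systemd's own find_executable(). The function names and the temporary directory layout are assumptions made for illustration.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: look for `name` in the colon-separated list `dirs`.
 * Returns 0 and copies the match to `out` (if non-NULL), or a negative
 * errno value when nothing usable was found. */
int find_executable_in(const char *name, const char *dirs, char *out, size_t out_size) {
    int last_error = -ENOENT;
    const char *p = dirs;

    while (*p) {
        char candidate[PATH_MAX], with_slash[PATH_MAX + 2];
        size_t len = strcspn(p, ":");
        int n = len > 0 ? snprintf(candidate, sizeof candidate, "%.*s/%s", (int) len, p, name) : -1;

        p += len;
        if (*p == ':')
            p++;
        if (n < 0 || (size_t) n >= sizeof candidate)
            continue; /* empty or over-long entry */

        if (access(candidate, X_OK) < 0) {
            if (errno != ENOENT)
                last_error = -errno; /* e.g. EACCES says more than ENOENT */
            continue;
        }

        /* X_OK is also true for searchable directories. "candidate/" resolves
         * only if candidate is a directory; for a file it fails with ENOTDIR. */
        snprintf(with_slash, sizeof with_slash, "%s/", candidate);
        if (access(with_slash, X_OK) >= 0)
            continue; /* a directory shadowing the command name: keep searching */
        if (errno != ENOTDIR) {
            last_error = -errno;
            continue;
        }

        if (out) {
            if ((size_t) n >= out_size)
                return -ENAMETOOLONG;
            memcpy(out, candidate, (size_t) n + 1);
        }
        return 0;
    }
    return last_error;
}

/* Constructed scenario from the commit message: the search list is
 * "<tmp>/a:<tmp>/b", <tmp>/a/echo is a directory and <tmp>/b/echo is an
 * executable file. Returns the resolved path (static buffer) or NULL. */
const char *demo_shadowed_lookup(void) {
    static char resolved[PATH_MAX];
    char root[] = "/tmp/path-demo-XXXXXX";
    char a[64], b[64], a_echo[80], b_echo[80], dirs[160];
    const char *result = NULL;
    int fd;

    if (!mkdtemp(root))
        return NULL;
    snprintf(a, sizeof a, "%s/a", root);
    snprintf(b, sizeof b, "%s/b", root);
    snprintf(a_echo, sizeof a_echo, "%s/echo", a);
    snprintf(b_echo, sizeof b_echo, "%s/echo", b);
    snprintf(dirs, sizeof dirs, "%s:%s", a, b);

    if (mkdir(a, 0755) == 0 && mkdir(b, 0755) == 0 && mkdir(a_echo, 0755) == 0 &&
        (fd = open(b_echo, O_CREAT | O_EXCL | O_WRONLY, 0755)) >= 0) {
        fchmod(fd, 0755); /* make sure the umask did not strip the x bits */
        close(fd);
        if (find_executable_in("echo", dirs, resolved, sizeof resolved) == 0)
            result = resolved;
    }
    unlink(b_echo);
    rmdir(a_echo);
    rmdir(a);
    rmdir(b);
    rmdir(root);
    return result;
}

int main(void) {
    const char *r = demo_shadowed_lookup();

    printf("resolved: %s\n", r ? r : "(lookup failed)");
    return r ? 0 : 1;
}
```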
We return BUS_ERROR_NO_SUCH_UNIT a.k.a. org.freedesktop.systemd1.NoSuchUnit
in various places. In #16813:
Aug 22 06:14:48 core sudo[2769199]: pam_systemd_home(sudo:account): Failed to query user record: Unit dbus-org.freedesktop.home1.service not found.
Aug 22 06:14:48 core dbus-daemon[5311]: [system] Activation via systemd failed for unit 'dbus-org.freedesktop.home1.service': Unit dbus-org.freedesktop.home1.service not found.
Aug 22 06:14:48 core dbus-daemon[5311]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.6564' (uid=0 pid=2769199 comm="sudo su ")
This particular error comes from bus_unit_validate_load_state() in pid1:
case UNIT_NOT_FOUND:
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_UNIT, "Unit %s not found.", u->id);
It seems possible that we should return a different error, but it doesn't really
matter: if we change pid1 to return a different error, we still need to handle
BUS_ERROR_NO_SUCH_UNIT as in this patch to handle pid1 with current code.
(cherry picked from commit 73d3ac8e2440cda3b7f2310f329f0798de6c041c)
let's make sure we collect the right error code from errno, otherwise
we'll see EPERM (i.e. error 1) for all errors readv() returns (since it
returns -1 on error), including EAGAIN.
This is definitely backport material.
A fix-up for 3691bcf3c5eebdcca5b4f1c51c745441c57a6cd1.
Fixes: #16699
(cherry picked from commit c1093c34d7d81b5b13cc72d4d1941000813001da)
Was trying to run src/partition/test-repart.sh on CentOS 8 and the first
resize call kept failing with ERANGE. Turned out that CentOS 8 comes
with libfdisk-devel-2.32.1 which is missing
2f35c1ead6
(in libfdisk 2.33 and up).
(cherry picked from commit e71f5585b9b0580428f9530d0a485265c9c25165)
This was done for all replacements back in 5187dd2c403caf92d09f3491e41f1ceb3f10491f,
but some newer stuff didn't do this.
(cherry picked from commit faeae444ea452139519718ceb681e8b5831b6890)
Also order the syscalls by syscall number for easier comparisons with the
kernel headers.
Fixup for 5f152f43d04e5aad6a3f98f45f020a66e3aac717.
(cherry picked from commit 23654cee136862996d92e7f1e9887786ddb3dfe6)
Unprivileged test-fs-util fails on my system since /sys/dev/block is
inaccessible for unprivileged users, so let's skip encrypted path test if we
get EACCES or similar.
(cherry picked from commit 209650b7200115d2cad9081cb97e22608fce41f8)
Let's fix up invalid GECOS fields both when we convert from NSS to JSON
and the other way round.
Kinda sucks we have to do that, but NSS does it when writing data to
/etc/passwd, so let's do the same.
Fixes: #16668
(cherry picked from commit 5cd12abaa0c0f3a06c9ff2048941fbe6e8b3577e)
The commit 1070d271fa8fa553d57dd5f74dd1e3f60732d0b9 which was supposed
to fix this does not seem to take effect any more. We get again 34%
compilation success rate while scanning systemd itself. Moreover, the
installed header file breaks compilation of programs that include it:
"/usr/include/systemd/_sd-common.h", line 23: error #35: #error directive: "Do
not include _sd-common.h directly; it is a private header."
# error "Do not include _sd-common.h directly; it is a private header."
^
(cherry picked from commit 4191b3282afbca9f1ef333f91bb6566c374da1fe)
The explicit limit is dropped, which means that we return to the kernel default
of 50% of RAM. See 362a55fc14 for a discussion why that is not as much as it
seems. It turns out various applications need more space in /dev/shm and we
would break them by imposing a low limit.
While at it, rename the define and use a single macro for various tmpfs mounts.
We don't really care what the purpose of the given tmpfs is, so it seems
reasonable to use a single macro.
This effectively reverts part of 7d85383edbab7. Fixes #16617.
Currently, each change to NEWS triggers a meson reconfigure that
changes SOURCE_EPOCH which causes a full rebuild. Since NEWS changes
relatively often, we have a full rebuild each time we pull from
master even if we pull semi-regularly. This is further compounded
when using branches since NEWS has a relatively high chance to
differ between branches which causes git to update the modification
time, leading to a full rebuild when switching between branches.
We fix this by using the creation time of the latest git tag instead.
The CI occasionally fails in test-path with a timeout. test-path loads
units from the filesystem, and this conceivably might take more than
the default limit of 3 s. Increase the timeout substantially to see if
this helps.
The docs for XZ don't seem to answer this at first blush, or maybe
I'm looking in the wrong place... This might make XZ less terribly slow,
but on the other hand, almost nobody uses it, so it doesn't matter that
much.
SD_JOURNAL_FOREACH_DATA() and SD_JOURNAL_FOREACH_UNIQUE() would immediately
terminate when a field couldn't be accessed. This can happen for example when a
field is compressed with an unavailable compression format. But it's likely
that this is the wrong thing to do: the caller for example might want to
iterate over the fields but isn't interested in all of them. coredumpctl is
like this: it uses SD_JOURNAL_FOREACH_DATA() but only uses a subset of the
fields.
Add two new functions sd_journal_enumerate_good_data() and
sd_journal_enumerate_good_unique() that retry sd_journal_enumerate_data() and
sd_journal_enumerate_unique() if the return value is something that applies to
a single field: ENOBUS, E2BIG, EOPNOTSUPP.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1856037.
An alternative would be to make the macros themselves smarter instead of adding
new symbols, and do the looping internally in the macro. I don't like that
approach for two reasons. First, it would embed the logic in the macro, so
recompilation would be required if we decide to update the logic. With the
current version of the patch, recompilation is required to use the new symbols,
but after that, library upgrades are enough. So the current approach is safer
in case further updates are needed. Second, our headers use primitive C, and it
is hard to do the macros without using newer features.
Let's split this out into its own helper function we can reuse at
various places.
Also, let's avoid signed values where we can so that we can cover more
of the available time range.
According to the docs, and to the
org.freedesktop.login1.get-reboot-to-boot-loader-menu code, the
(oneshot) boot-loader-menu timeout should be stored in
/run/systemd/reboot-to-boot-loader-menu, but the set method was storing it
in /run/systemd/reboot-to-loader-menu.
This commit fixes this. Note that the fixed name also is a better match
for the dbus call names and matches the related
/run/systemd/reboot-to-boot-loader-entry structure, so fixing the set code,
rather than the get code + docs seems like the right thing to do here.
The test binary has two modes: in the default argument-less mode, it
just checks that "root" can be resolved. When invoked manually, a root
prefix and user/group names can be specified.
Defaulting to fedora makes it a pain to override mkosi.default
point to one of the other mkosi settings files. Instead, have
every developer manually add the symlink to his distro
of choice and don't commit the symlink to the repository by
putting it in the .gitignore.
We use LOG_PRI() in all log_*() functions, so let's do that here too for
consistency. Effectively this doesn't change anything since we only use
LOG_{INFO,DEBUG,...} as the argument.
The test is failing in koji, and the line from printf() does not end up
in the logs for some reason. log_info() works fine, so let's just use
that here too.
sssd people don't like enumeration and for some other cases it's not
nice to support either, in particular when synthesizing records for
container/userns UID/GID ranges.
Hence, let's make enumeration optional.
Let's add a catalog entry explaining further details.
Most importantly though: talk to PID 1 directly, via the private D-Bus
socket, so that this actually works correctly during early boot, where
D-Bus is not around.
_label wrappers return -errno on failure instead of returning -1 and
setting global errno.
Fixes: 8d9cbd809db492df9d94c0c664bd0d2e53416531
Follow up: #16426
Currently systemd-user-runtime-dir does not create the files in
/run/user/$UID/systemd/inaccessible with the default SELinux label.
The user and role part of these labels should be based on the user
related to $UID and not based on the process context of
systemd-user-runtime-dir.
Since v246-rc1 (9664be199af6) /run/user/$UID/systemd is also created by
systemd-user-runtime-dir and should also be created with the default
SELinux context.
We never return anything higher than 63, so using "long unsigned"
as the type only confused the reader. (We can still use "long unsigned"
and safe_atolu() to parse the kernel file.)
We would refuse to print capabilities which we didn't have a name
for. The kernel adds new capabilities from time to time, most recently
cap_bpf. 'systemctl show -p CapabilityBoundingSet ...' would fail with
"Failed to parse bus message: Invalid argument" because
capability_set_to_string_alloc() would fail with -EINVAL. So let's
print such capabilities in hexadecimal:
CapabilityBoundingSet=cap_chown cap_dac_override cap_dac_read_search
cap_fowner cap_fsetid cap_kill cap_setgid cap_setuid cap_setpcap
cap_linux_immutable cap_net_bind_service cap_net_broadcast cap_net_admin
cap_net_raw cap_ipc_lock cap_ipc_owner 0x10 0x11 0x12 0x13 0x14 0x15 0x16
0x17 0x18 0x19 0x1a ...
For symmetry, also allow capabilities that we don't know to be specified.
Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1853736.
The call would always fail with:
systemd-userwork[780]: Failed to dlopen(libnss_systemd.so.2), ignoring: /usr/lib64libnss_systemd.so.2: cannot open shared object file: No such file or directory
The desktop file specification allows entries like ";;;;;;", full of empty strings.
But looking at the actual list of supported keys [1], empty entries are meaningless
(unless we would allow e.g. the desktop name to be the empty string. But that doesn't
seem very useful either). So let's just simplify our life and skip any empty substrings
entirely.
This would also resolve the fuzzer case:
$ valgrind build/fuzz-xdg-desktop test/fuzz/fuzz-xdg-desktop/oss-fuzz-22812
test/fuzz/fuzz-xdg-desktop/oss-fuzz-22812... ok
==2899241== HEAP SUMMARY:
==2899241== in use at exit: 0 bytes in 0 blocks
==2899241== total heap usage: 484,385 allocs, 484,385 frees, 12,411,330 bytes allocated
↓
==2899650== HEAP SUMMARY:
==2899650== in use at exit: 0 bytes in 0 blocks
==2899650== total heap usage: 1,325 allocs, 1,325 frees, 1,463,602 bytes allocated
For users, the square brackets already serve as markup and clearly delineate
the section name from surrounding text. Putting additional markup around that
only adds clutter. Also, we were very inconsistent in using the quotes. Let's
just drop them altogether.
Right now systemd-update-utmp.service would fail on read-only /var because
it was not able to write the wtmp record. But it still writes the utmp
record just fine, so runtime information is OK. I don't think we need to
make too much fuss about not being able to save wtmp info.
We'd like to use it for FIDO2 tokens too, and the concept is entirely
generic, hence let's just reuse the field, but rename it. Read the old
name for compatibility, and treat the old name and the new name as
identical for most purposes.
../src/shared/efi-loader.c:738:5: error: redefinition of 'efi_loader_get_config_timeout_one_shot'
int efi_loader_get_config_timeout_one_shot(usec_t *ret) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../src/shared/efi-loader.c:9:
../src/shared/efi-loader.h:85:19: note: previous definition of 'efi_loader_get_config_timeout_one_shot' was here
static inline int efi_loader_get_config_timeout_one_shot(usec_t *ret) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../src/shared/efi-loader.c:776:5: error: redefinition of 'efi_loader_update_entry_one_shot_cache'
int efi_loader_update_entry_one_shot_cache(char **cache, struct stat *cache_stat) {
^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
In file included from ../src/shared/efi-loader.c:9:
../src/shared/efi-loader.h:89:19: note: previous definition of 'efi_loader_update_entry_one_shot_cache' was here
static inline int efi_loader_update_entry_one_shot_cache(char **cache, struct stat *cache_stat) {
With this we are now caching all EFI variables that we expose as
property in logind. Thus a client invoking GetAllProperties() should
only trigger a single read of each variable, but never repeated ones.
Obsoletes: #16190
Fixes: #14828
The data from this EFI variable is exposed as dbus property, and gdbus
clients are happy to issue GetAllProperties() as if it was free. Hence
make sure it's actually free and cache LoaderConfigTimeoutOneShot, since
it's easy.
Even with the new keyed hash table journal feature: if an attacker
manages to get access to the journal file id it could synthesize records
that result in hash collisions. Let's rotate automatically when we
notice that, so that a new journal file ID is generated, our performance
is restored and the attacker has to guess a new file ID before being
able to trigger the issue again.
That said, untrusted peers should never get access to journal files in
the first case...
This adds a new (incompatible) feature to journal files: if enabled the
hash function used for the hash tables is no longer jenkins hash with a
zero key, but siphash keyed by the file uuid that is included in the
file header anyway. This should make our hash tables more robust against
collision attacks, as long as the attacker has no read access to the
journal files. We switch from jenkins to siphash simply because it's
more well-known and we standardize for the rest of our codebase onto it.
This is hardening in order to make collision attacks harder for clients
that can forge log messages but have no read access to the logs. It has
no effect on clients that have read access.
Let's prefix this with "jenkins_" since it wraps the jenkins hash. We
want to add support for other hash functions to journald soon, hence
better be clear with what this is. In particular as all other symbols
defined by lookup3.h actually are prefixed "jenkins_".
The object flags field is a bitmask, hence don't sloppily define
_OBJECT_COMPRESSED_MAX as one more than the previous flag. That worked OK
as long as we only had two flags, but will fall apart as soon as we have
three. Let's fix this.
(It's kinda sloppy how the string table is built here, as it will be
quite sparse as soon as we have more enum entries, but let's keep it for
now.)
Since cryptsetup 2.3.0 a new API to verify dm-verity volumes by a
pkcs7 signature, with the public key in the kernel keyring,
is available. Use it if libcryptsetup supports it.
https://tools.ietf.org/html/draft-knodel-terminology-02
https://lwn.net/Articles/823224/
This gets rid of most but not all occasions of these loaded terms:
1. scsi_id and friends are something that is supposed to be removed from
our tree (see #7594)
2. The test suite defines an API used by the ubuntu CI. We can remove
this too later, but this needs to be done in sync with the ubuntu CI.
3. In some cases the terms are part of APIs we call or where we expose
concepts the kernel names the way it names them. (In particular all
remaining uses of the word "slave" in our codebase are like this,
it's used by the POSIX PTY layer, by the network subsystem, the mount
API and the block device subsystem). Getting rid of the term in these
contexts would mean doing some major fixes of the kernel ABI first.
Regarding the replacements: when whitelist/blacklist is used as noun we
replace with allow list/deny list, and when used as verb with
allow-list/deny-list.
Presently, CLI utilities such as systemctl will check whether they have a tty
attached or not to decide whether to parse /proc/cmdline or EFI variable
SystemdOptions looking for systemd.log_* entries.
But this check will be misleading if these tools are being launched by a
daemon, such as a monitoring daemon or automation service that runs in
background.
Make log handling of CLI tools uniform by never checking /proc/cmdline or EFI
variables to determine the logging level.
Furthermore, introduce a new log_setup_cli() shortcut to set up common options
used by most command-line utilities.
Also use double space before the tracking args at the end. Without
the comma this looks ugly, but it's a bit better with the double space.
At least it doesn't look like a variable with a type.
This combines set_ensure_allocated() with set_consume(). The cool thing is that
because we know the hash ops, we can correctly free the item if appropriate.
Similarly to set_consume(), the goal is to simplify handling of the case where
the item needs to be freed on error and if already present in the set.
* Drop mac_selinux_use() condition from mac_selinux_free(): if the
passed pointer holds memory we want to free it even if SELinux is
disabled
* Drop NULL-check cause man:freecon(3) states that freecon(NULL) is a
well-defined NOP
* Assert that on non-SELinux builds the passed pointer is always NULL,
to avoid memory leaks
Previously we'd used the existence of a specific AF_UNIX socket in the
abstract namespace as lock for disabling lookup recursions. (for
breaking out of the loop: userdb synthesized from nss → nss synthesized
from userdb → userdb synthesized from nss → …)
I did it like that because it promised to work the same both in static
and in dynamically linked environments and is accessible easily from any
programming language.
However, it has a weakness regarding reuse attacks: the socket is
securely hashed (siphash) from the thread ID in combination with the
AT_RANDOM secret. Thus it should not be guessable from an attacker in
advance. That's only true if a thread takes the lock only once and
keeps it forever. However, if a thread takes and releases it multiple
times an attacker might monitor that and quickly take the lock
after the first iteration for follow-up iterations.
It's not a big issue given that userdb (as the primary user for this)
never released the lock and we never made the concept a public
interface, and it was only included in one release so far, but it's
something that deserves fixing. (moreover it's a local DoS only, only
permitting to disable native userdb lookups)
With this rework the libnss_systemd.so.2 module will now export two
additional symbols. These symbols are not used by glibc, but can be used
by arbitrary programs: one can be used to disable nss-systemd, the other
to check if it is currently disabled.
The lock is per-thread. It's slightly less pretty, since it requires
people to manually link against C code via dlopen()/dlsym(), but it
should work safely without the aforementioned weakness.
This just adds a _cleanup_ helper call encapsulating dlclose().
This also means libsystemd-shared is linked against libdl now. I don't
think this is much of an issue, since libdl is part of glibc anyway, and
anything but exotic. It's not an optional part of the OS (think: NSS
requires dynamic linking), hence this pulls in no deps and is almost
certainly loaded into all process' memory anyway.
[zj: use DEFINE_TRIVIAL_CLEANUP_FUNC().]
This also adds a <citerefentry project="url"> type,
since the other btrfs manpages use man-pages/die-net and are alive,
and btrfs.w.k.o won't be used anywhere else
We'd try to map a zero-byte buffer from a NULL pointer, which is undefined behaviour.
src/systemd/src/libsystemd/sd-bus/bus-message.c:3161:60: runtime error: applying zero offset to null pointer
#0 0x7f6ff064e691 in find_part /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:3161:60
#1 0x7f6ff0640788 in message_peek_body /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:3283:16
#2 0x7f6ff064e8db in enter_struct_or_dict_entry /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:3967:21
#3 0x7f6ff06444ac in bus_message_enter_struct /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:4009:13
#4 0x7f6ff0641dde in sd_bus_message_enter_container /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-message.c:4136:21
#5 0x7f6ff0619874 in sd_bus_message_dump /work/build/../../src/systemd/src/libsystemd/sd-bus/bus-dump.c:178:29
#6 0x4293d9 in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-bus-message.c:39:9
#7 0x441986 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/libfuzzer/FuzzerLoop.cpp:558:15
#8 0x44121e in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool*) /src/libfuzzer/FuzzerLoop.cpp:470:3
#9 0x443164 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/libfuzzer/FuzzerLoop.cpp:770:7
#10 0x4434bc in fuzzer::Fuzzer::Loop(std::__1::vector<fuzzer::SizedFile, fuzzer::fuzzer_allocator<fuzzer::SizedFile> >&) /src/libfuzzer/FuzzerLoop.cpp:799:3
#11 0x42d2bc in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/libfuzzer/FuzzerDriver.cpp:846:6
#12 0x42978a in main /src/libfuzzer/FuzzerMain.cpp:19:10
#13 0x7f6fef13c82f in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2082f)
#14 0x407808 in _start (out/fuzz-bus-message+0x407808)
This reverts commit a2dd991d0fde59dc0574bd4d0c1438f01dc0b8ff.
Creation of such messages is evidently useful, and at least sdbus-c++ test
suite depends on that.
Fixes #16193.
set_put()/set_ensure_put() return 0, not -EEXIST, if the entry is already
found in the set. In this case this does not make any difference, but let's
not confuse the reader.
Patch contains a coccinelle script, but it only works in some cases. Many
parts were converted by hand.
Note: I did not fix errors in return value handling. This will be done separately
to keep the patch comprehensible. No functional change is intended in this
patch.
It's such a common operation to allocate the set and put an item in it,
that it deserves a helper. set_ensure_put() has the same return values
as set_put().
Comes with tests!
../src/core/main.c: In function 'main':
../src/core/main.c:2637:32: error: implicit declaration of function 'cache_efi_options_variable'; did you mean 'systemd_efi_options_variable'? [-Werror=implicit-function-declaration]
(void) cache_efi_options_variable();
^~~~~~~~~~~~~~~~~~~~~~~~~~
systemd_efi_options_variable
The original logic was logging an "ignored" debug message, but it was still
going ahead and calling proc_cmdline_parse_given() on the NULL line. Fix that
to skip that explicitly when the EFI variable wasn't really read.
It stopped making sense when automake support was dropped and python started
being required to perform a build.
Follow-up for 72cdb3e783174dcf9223a49f03e3b0e2ca95ddb8.
Cache it early in startup of the system manager, right after `/run/systemd` is
created, so that further access to it can be done without accessing the EFI
filesystem at all.
half of find_hibernation_location() logged at debug level, the other
half logged at error level, and the third half didn't log at all.
Let's clean this up somewhat. Since can_sleep() is probably more
a library-style function let's downgrade everything to LOG_DEBUG and
then make sure sleep.c logs at error level, as the main program.
Prompted by the discussion on #16110, let's migrate more code to
fd_wait_for_event().
This only leaves 7 places where we call into poll()/poll() directly in
our entire codebase. (one of which is fd_wait_for_event() itself)
Use -Dstandalone-binaries=yes to enable building and installing this standalone
version of the binary without a dependency on the systemd-shared solib.
Also move the list of sources for systemd-tmpfiles to its own meson.build file.
This adds an option to build standalone binaries that do not depend on the
systemd-shared library. This option can be handy to build binaries that can be
useful on a non-systemd system, binaries such as systemd-sysusers and
systemd-tmpfiles have been previously requested, but installing them with all
the required dependencies pulls in too much code that isn't really relevant for
those use cases. The standalone use case is also relevant in containers, where
minimizing the size of the container image is quite relevant.
For now, only `systemd-sysusers` is also built as a standalone binary.
The standalone binaries are installed as `/usr/bin/%{name}.standalone`, the
packaging system is responsible for renaming those into the correct names
during the packaging step. RPM is able to do so with RemovePathPostfixes:
The default behavior is to build shared binaries only, since this option is
mainly intended for building distribution packages.
Tested that a proper separate binary is built when using this option and
that having it disabled (or using the default Meson configuration) does not
produce a binary for this option.
"less" doesn't properly reset its terminal on SIGTERM, it does so only
on SIGINT. Let's thus configure SIGINT instead of SIGTERM.
I think this is something less should fix too, and clean up things
correctly on SIGTERM, too. However, given that we explicitly enable
SIGINT behaviour by passing "K" to $LESS I figure it makes sense if we
also send SIGINT instead of SIGTERM to match it.
Fixes: #16084
poll() sets POLLNVAL inside of the poll structures if an invalid fd is
passed. So far we generally didn't check for that, thus not taking
notice of the error. Given that this specific kind of error is generally
indication of a programming error, and given that our code is embedded
into our projects via NSS or because people link against our library,
let's explicitly check for this and convert it to EBADF.
(I ran into a busy loop because of this missing check when some of my
test code accidentally closed an fd it shouldn't close, so this is a
real thing)
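The POLLNVAL check described above, as an added example (not systemd's own fd_wait_for_event(); the helper names wait_for_fd(), naive_spins() and make_closed_fd() are hypothetical). It shows why a loop that ignores POLLNVAL spins on a closed descriptor, and the wrapper that turns the condition into -EBADF:

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <unistd.h>

/* Wait for 'events' on one fd. Returns the revents mask (> 0), 0 on
 * timeout, or a negative errno. POLLNVAL is reported as -EBADF instead
 * of being handed back as if it were an ordinary wakeup. */
static int wait_for_fd(int fd, short events, int timeout_ms) {
        struct pollfd p = { .fd = fd, .events = events };
        int r;

        r = poll(&p, 1, timeout_ms);
        if (r < 0)
                return -errno;
        if (r == 0)
                return 0;
        if (p.revents & POLLNVAL)
                return -EBADF;
        return p.revents;
}

/* A loop that only looks for POLLIN. On an invalid fd poll() returns
 * immediately with POLLNVAL set, so this never blocks and never sees
 * data: it spins until the cap is reached. Returns the spin count. */
static int naive_spins(int fd, int max_spins) {
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int spins = 0;

        while (spins < max_spins) {
                int r = poll(&p, 1, 1000);
                if (r <= 0)
                        break;                  /* error or timeout */
                if (p.revents & POLLIN)
                        break;                  /* data arrived */
                spins++;                        /* woke up for nothing */
        }
        return spins;
}

/* Constructed test input: returns the number of a descriptor that was
 * valid a moment ago and has since been closed. */
static int make_closed_fd(void) {
        int fds[2];

        if (pipe(fds) < 0)
                return -errno;
        close(fds[1]);
        close(fds[0]);
        return fds[0];
}

int main(void) {
        int fd = make_closed_fd();

        if (fd < 0)
                return 1;
        printf("naive loop spun %d times\n", naive_spins(fd, 1000));
        printf("wait_for_fd() returned %d\n", wait_for_fd(fd, POLLIN, 100));
        return 0;
}
```

A negative fd is ignored by poll() rather than flagged, so only stale non-negative descriptors are caught this way.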
Let systemd load a set of pre-compiled AppArmor profile files from a policy
cache at /etc/apparmor/earlypolicy. Maintenance of that policy cache must be
done outside of systemd.
After successfully loading the profiles systemd will attempt to change to a
profile named systemd.
If systemd is already confined in a profile, it will not load any profile files
and will not attempt to change its profile.
If anything goes wrong, systemd will only log failures. It will not fail to
start.
Let's make sure $XDG_RUNTIME_DIR for the user instance and /run for the
system instance is always organized the same way: the "inaccessible"
device nodes should be placed in a subdir of either called "systemd" and
a subdir of that called "inaccessible".
This way we can emphasize the common behaviour, and only differ where
really necessary.
Follow-up for #13823
The usual behaviour when a timeout expires is to terminate/kill the
service. This is what users usually want in production systems. To debug
services that fail to start/stop (especially sporadic failures) it
might be necessary to trigger the watchdog machinery and write core
dumps, though. Likewise, it is usually just a waste of time to
gracefully stop a stuck service. Instead it might save time to go
directly into kill mode.
This commit adds two new options to services: TimeoutStartFailureMode=
and TimeoutStopFailureMode=. Both take the same values and tweak the
behavior of systemd when a start/stop timeout expires:
* 'terminate': is the default behaviour as it has always been,
* 'abort': triggers the watchdog machinery and will send SIGABRT
(unless WatchdogSignal was changed) and
* 'kill' will directly send SIGKILL.
To handle the stop failure mode in stop-post state too a new
final-watchdog state needs to be introduced.
Let's allow "-0" as alternative to "+0" and "0" when parsing integers,
unless the new SAFE_ATO_REFUSE_PLUS_MINUS flag is specified.
In cases where allowing the +/- syntax shall not be allowed
SAFE_ATO_REFUSE_PLUS_MINUS is the right flag to use, but this also means
that -0 as only negative integer that fits into an unsigned value should
be acceptable if the flag is not specified.
Six years ago we declared it obsolete and removed it from the docs
(c073a0c4a5) and added a note about it in
NEWS. Two years ago we added warning messages about it, indicating the
feature will be removed (41b283d0f1f4abd85d0bbeeb7f71bb30f87cfab9) and
mentioned it in NEWS again.
Let's now kill it for good.
This is a follow-up for 9f83091e3cceb646a66fa9df89de6d9a77c21d86.
Instead of reading the mtime off the configuration files after reading,
let's do so before reading, but with the fd we read the data from. This
is not only cleaner (as it allows us to save one stat()), but also has
the benefit that we'll detect changes that happen while we read the
files.
This also reworks unit file drop-ins to use the common code for
determining drop-in mtime, instead of reading system clock for that.
Quoting https://github.com/systemd/systemd/issues/14828#issuecomment-635212615:
> [kernel uses] msleep_interruptible() and that means when the process receives
> any kind of signal masked or not this will abort with EINTR. systemd-logind
> gets signals from the TTY layer all the time though.
> Here's what might be happening: while logind reads the EFI stuff it gets a
> series of signals from the TTY layer, which causes the read() to be aborted
> with EINTR, which means logind will wait 50ms and retry. Which will be
> aborted again, and so on, until quite some time passed. If we'd not wait for
> the 50ms otoh we wouldn't wait so long, as then on each signal we'd
> immediately retry again.
Since the separate binaries contain mostly the same code,
this almost halves the size of the installation.
before:
398K /bin/udevadm
391K /lib/systemd/systemd-udevd
after:
431K /bin/udevadm
0 /lib/systemd/systemd-udevd -> ../../bin/udevadm
Fixes: #14200
We would parse numbers with base prefixes as user identifiers. For example,
"0x2b3bfa0" would be interpreted as UID==45334432 and "01750" would be
interpreted as UID==1000. This parsing was used also in cases where either a
user/group name or number may be specified. This means that names like
0x2b3bfa0 would be ambiguous: they are a valid user name according to our
documented relaxed rules, but they would also be parsed as numeric uids.
This behaviour is definitely not expected by users, since tools generally only
accept decimal numbers (e.g. id, getent passwd), while other tools only accept
user names and thus will interpret such strings as user names without even
attempting to convert them to numbers (su, ssh). So let's follow suit and only
accept numbers in decimal notation. Effectively this means that we will reject
such strings as a username/uid/groupname/gid where strict mode is used, and try
to look up a user/group with such a name in relaxed mode.
Since the function changed is fairly low-level and fairly widely used, this
affects multiple tools: 'loginctl show-user/enable-linger/disable-linger foo',
the third argument in sysusers.d, fourth and fifth arguments in tmpfiles.d,
etc.
Fixes #15985.
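The ambiguity described above, as an added example that is not the project's own code: a base-0 parser next to a decimal-only one, plus a classifier for strict and relaxed mode. All function names are hypothetical, and the strict-mode name rule ([a-zA-Z_][a-zA-Z0-9_-]*) and the "any non-empty string" relaxed rule are simplifying assumptions.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* "Before": base 0 makes strtoull() accept hex ("0x...") and octal
 * (leading zero) spellings, so "01750" silently becomes UID 1000. */
static int parse_uid_lenient(const char *s, uint32_t *ret) {
        char *end = NULL;
        unsigned long long v;

        if (!s || !*s)
                return -EINVAL;
        errno = 0;
        v = strtoull(s, &end, 0);
        if (errno != 0 || end == s || *end != '\0' || v > UINT32_MAX)
                return -EINVAL;
        *ret = (uint32_t) v;
        return 0;
}

/* "After": decimal digits only. No sign, no whitespace, no base
 * prefix, no leading zero (a lone "0" is fine). */
static int parse_uid_strict(const char *s, uint32_t *ret) {
        uint64_t v = 0;

        if (!s || !*s)
                return -EINVAL;
        if (s[0] == '0' && s[1] != '\0')
                return -EINVAL;         /* "01750", "0x2b3bfa0" */
        for (const char *p = s; *p; p++) {
                if (*p < '0' || *p > '9')
                        return -EINVAL;
                v = v * 10 + (uint64_t) (*p - '0');
                if (v > UINT32_MAX)
                        return -ERANGE;
        }
        *ret = (uint32_t) v;
        return 0;
}

/* Assumed strict name rule for this example only. */
static int name_is_strict(const char *s) {
        if (!((*s >= 'a' && *s <= 'z') || (*s >= 'A' && *s <= 'Z') || *s == '_'))
                return 0;
        for (s++; *s; s++)
                if (!((*s >= 'a' && *s <= 'z') || (*s >= 'A' && *s <= 'Z') ||
                      (*s >= '0' && *s <= '9') || *s == '_' || *s == '-'))
                        return 0;
        return 1;
}

enum id_kind { ID_INVALID = 0, ID_NUMERIC, ID_NAME };

/* Numeric only if it is plain decimal; otherwise a name to look up
 * (relaxed mode) or a rejection (strict mode, name rule not met). */
static enum id_kind classify_id(const char *s, int relaxed, uint32_t *uid) {
        if (!s || !*s)
                return ID_INVALID;
        if (parse_uid_strict(s, uid) == 0)
                return ID_NUMERIC;
        if (relaxed || name_is_strict(s))
                return ID_NAME;
        return ID_INVALID;
}

int main(void) {
        const char *inputs[] = { "0x2b3bfa0", "01750", "1000", "alice" };
        uint32_t u;

        for (size_t i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
                u = 0;
                int l = parse_uid_lenient(inputs[i], &u);
                printf("%-10s lenient=%d (uid %u) strict-mode=%d relaxed-mode=%d\n",
                       inputs[i], l, (unsigned) u,
                       (int) classify_id(inputs[i], 0, &u),
                       (int) classify_id(inputs[i], 1, &u));
        }
        return 0;
}
```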
"internal" is a lot of characters. Let's take a leaf out of the Python's book
and simply use _ to mean private. Much less verbose, but the meaning is just as
clear, or even more.
This is a safety net anyway, let's make it fully safe: if the data ends
on an uneven byte, then we need to complete the UTF-16 codepoint first,
before adding the final NUL byte pair. Hence let's suffix with three
NULs, instead of just two.
RFC: 8415
21.17. Vendor-specific Information Option
This option is used by clients and servers to exchange vendor-
specific information.
The format of the Vendor-specific Information option is:
   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |      OPTION_VENDOR_OPTS       |           option-len          |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |                       enterprise-number                       |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  .                                                               .
  .                       vendor-option-data                      .
  .                                                               .
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 30: Vendor-specific Information Option Format
  option-code          OPTION_VENDOR_OPTS (17).
  option-len           4 + length of vendor-option-data field.
  enterprise-number    The vendor's registered Enterprise Number as
                       maintained by IANA [IANA-PEN]. A 4-octet
                       field containing an unsigned integer.
  vendor-option-data   Vendor options, interpreted by
                       vendor-specific code on the clients and
                       servers. A variable-length field (4 octets
                       less than the value in the option-len field).
The definition of the information carried in this option is vendor
specific. The vendor is indicated in the enterprise-number field.
Use of vendor-specific information allows enhanced operation,
utilizing additional features in a vendor's DHCP implementation. A
DHCP client that does not receive requested vendor-specific
information will still configure the node's IPv6 stack to be
functional.
The vendor-option-data field MUST be encoded as a sequence of
code/length/value fields of format identical to the DHCP options (see
Section 21.1). The sub-option codes are defined by the vendor
identified in the enterprise-number field and are not managed by
IANA. Each of the sub-options is formatted as follows:
   0                   1                   2                   3
   0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  |          sub-opt-code         |         sub-option-len        |
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
  .                                                               .
  .                        sub-option-data                        .
  .                                                               .
  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+
Figure 31: Vendor-specific Options Format
  sub-opt-code         The code for the sub-option. A 2-octet
                       field.
  sub-option-len       An unsigned integer giving the length of the
                       sub-option-data field in this sub-option in
                       octets. A 2-octet field.
  sub-option-data      The data area for the sub-option. The
                       length, in octets, is specified by
                       sub-option-len.
Multiple instances of the Vendor-specific Information option may
appear in a DHCP message. Each instance of the option is interpreted
according to the option codes defined by the vendor identified by the
Enterprise Number in that option. Servers and clients MUST NOT send
more than one instance of the Vendor-specific Information option with
the same Enterprise Number. Each instance of the Vendor-specific
Information option MAY contain multiple sub-options.
A client that is interested in receiving a Vendor-specific
Information option:
- MUST specify the Vendor-specific Information option in an Option
Request option.
- MAY specify an associated Vendor Class option (see Section 21.16).
- MAY specify the Vendor-specific Information option with
appropriate data.
Servers only return the Vendor-specific Information options if
specified in Option Request options from clients and:
- MAY use the Enterprise Numbers in the associated Vendor Class
options to restrict the set of Enterprise Numbers in the
Vendor-specific Information options returned.
- MAY return all configured Vendor-specific Information options.
- MAY use other information in the packet or in its configuration to
determine which set of Enterprise Numbers in the Vendor-specific
Information options to return.
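A bounds-checked parser for the option layout quoted above, as an added example (not the project's own code). The names parse_vendor_opts() and struct vendor_subopt are hypothetical, the sample packets are constructed, and 32473 is the enterprise number reserved for documentation use.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define OPTION_VENDOR_OPTS 17

struct vendor_subopt {
        uint16_t code;
        uint16_t len;
        const uint8_t *data;            /* points into the caller's buffer */
};

static uint16_t rd16(const uint8_t *p) {
        return (uint16_t) ((p[0] << 8) | p[1]);
}

static uint32_t rd32(const uint8_t *p) {
        return ((uint32_t) p[0] << 24) | ((uint32_t) p[1] << 16) |
               ((uint32_t) p[2] << 8) | (uint32_t) p[3];
}

/* Parse one complete option (code, len, enterprise-number, sub-options).
 * Returns the number of sub-options stored in 'out', -EBADMSG if any
 * length field points outside the data actually present, or -ENOBUFS
 * if 'out' is too small. Every length is checked against what remains
 * before it is used as an offset. */
static int parse_vendor_opts(const uint8_t *buf, size_t buflen, uint32_t *enterprise,
                             struct vendor_subopt *out, size_t max_out) {
        size_t optlen, datalen, off = 0, n = 0;
        const uint8_t *data;

        if (buflen < 4 || rd16(buf) != OPTION_VENDOR_OPTS)
                return -EBADMSG;
        optlen = rd16(buf + 2);
        if (optlen < 4 || optlen > buflen - 4)  /* needs enterprise-number */
                return -EBADMSG;
        *enterprise = rd32(buf + 4);

        data = buf + 8;
        datalen = optlen - 4;
        while (off < datalen) {
                uint16_t code, len;

                if (datalen - off < 4)          /* truncated sub-option header */
                        return -EBADMSG;
                code = rd16(data + off);
                len = rd16(data + off + 2);
                off += 4;
                if (len > datalen - off)        /* sub-option-len overruns option */
                        return -EBADMSG;
                if (n >= max_out)
                        return -ENOBUFS;
                out[n].code = code;
                out[n].len = len;
                out[n].data = data + off;
                n++;
                off += len;
        }
        return (int) n;
}

/* Constructed sample: enterprise 32473, sub-option 1 = "abc", sub-option 2 empty. */
static const uint8_t SAMPLE_OK[] = {
        0x00, 0x11, 0x00, 0x0f, 0x00, 0x00, 0x7e, 0xd9,
        0x00, 0x01, 0x00, 0x03, 'a', 'b', 'c',
        0x00, 0x02, 0x00, 0x00,
};

/* Constructed sample: sub-option-len claims 64 octets, only 3 are present. */
static const uint8_t SAMPLE_OVERRUN[] = {
        0x00, 0x11, 0x00, 0x0b, 0x00, 0x00, 0x7e, 0xd9,
        0x00, 0x01, 0x00, 0x40, 'a', 'b', 'c',
};

int main(void) {
        struct vendor_subopt so[4];
        uint32_t pen = 0;
        int r;

        r = parse_vendor_opts(SAMPLE_OK, sizeof(SAMPLE_OK), &pen, so, 4);
        printf("ok sample: r=%d enterprise=%u\n", r, (unsigned) pen);
        r = parse_vendor_opts(SAMPLE_OVERRUN, sizeof(SAMPLE_OVERRUN), &pen, so, 4);
        printf("overrun sample: r=%d\n", r);
        return 0;
}
```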
Tracking down #15931 confused the hell out of me, since running homed in
gdb from the command line worked fine, but doing so as a service failed.
Let's make this more debuggable and check if we live in the host netns
when allocating a new udev monitor.
This is just debug stuff, so that if things don't work, a quick debug
run will reveal what is going on.
That said, while we are at it, also fix unexpected closing of passed in
fd when failing.
Possibly fixes #15220. (There might be another leak. I'm still investigating.)
The leak would occur when the path cache was rebuilt. So in normal circumstances
it wouldn't be too bad, since usually the path cache is not rebuilt too often. But
the case in #15220, where new unit files are created in a loop and started, the leak
occurs once for each unit file:
$ for i in {1..300}; do cp ~/.config/systemd/user/test0001.service ~/.config/systemd/user/test$(printf %04d $i).service; systemctl --user start test$(printf %04d $i).service;done
sd-boot uses rdtsc to set those timestamps. There is no guarantee that the tsc
has any particular absolute value.
On my VM:
$ head /sys/firmware/efi/efivars/LoaderTime*
==> /sys/firmware/efi/efivars/LoaderTimeExecUSec-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f <==
4397904074
==> /sys/firmware/efi/efivars/LoaderTimeInitUSec-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f <==
4396386839
==> /sys/firmware/efi/efivars/LoaderTimeMenuUSec-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f <==
4396392521
$ build/test-boot-timestamps
...
LoaderTimeExecUSec=4396386839 too large, refusing.
Failed to read EFI loader data: Input/output error
Assertion 'q >= 0' failed at src/test/test-boot-timestamps.c:84, function main(). Aborting.
(with patch)
$ build/test-boot-timestamps
...
EFI Loader: start=1h 13min 16.386s exit=1h 13min 17.904s duration=1.517s
Firmware began 1h 13min 17.904074s before kernel.
Loader began 1.517235s before kernel.
Firmware began Tue 2020-05-26 11:04:13 CEST.
Loader began Tue 2020-05-26 12:17:30 CEST.
Kernel began Tue 2020-05-26 12:17:31 CEST.
This generator can be used by desktop environments to launch autostart
applications and services. The feature is an opt-in, triggered by
xdg-desktop-autostart.target being activated.
Also included is the new binary xdg-autostart-condition. This binary is
used as an ExecCondition to test the OnlyShowIn and NotShowIn XDG
desktop file keys. These need to be evaluated against the
XDG_CURRENT_DESKTOP environment variable which may not be known at
generation time.
Co-authored-by: Henri Chain <henri.chain@enioka.com>
We'd start writing an entry line, then another one, then another one,
and then output the rest of the first one, and then some other random
stuff, and the rest of some other lines... Results were ...eh... random.
Let's define a helper to avoid some of the copy&paste madness, and separate
blocks that output a single line with /**********************************/.
This rework doesn't change what data is written, it only tries to fix the
format of the output. The fact that some entries only write data from
link->network, and some from either link->network or link, some stuff only
for dhcp4 leases while some for both dhcp4 and dhcp6, etc, looks rather
suspicious too, but I didn't touch this.
Whenever we pick up a new line in /proc/self/mountinfo and want to
synthesize a new mount unit from it, let's say which one it is.
Moreover, downgrade the log message when we encounter a mount point with
an overly long name to LOG_WARNING, since it's generally fine to ignore
such mount points.
Also, attach a catalog entry to explain the situation further.
Prompted-By: #15221
Let's be more thorough that whenever we build a unit name based on
parameters, that the result is actually a valid user name. If it isn't,
fail early.
This should allow us to catch various issues earlier, in particular
when we synthesize mount units from /proc/self/mountinfo: instead of
actually attempting to allocate a mount unit we will fail much earlier
when we build the name to synthesize the unit under. Failing early is a
good thing generally.
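The fail-early pattern described in the two commit messages above, as an added sketch that is not code from systemd or elogind: a mount unit name is built from a path and rejected at construction time if the result is too long or contains unexpected characters. The function names, the 256-byte limit and the simplified escaping scheme are assumptions made for this example.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

#define UNIT_NAME_MAX 256 /* assumed limit, including the trailing NUL */
#define ALNUM "0123456789abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ"

/* Final gate: non-empty prefix, expected suffix, bounded length, safe characters only. */
static int name_is_valid(const char *n, const char *suffix) {
    size_t l = strlen(n), sl = strlen(suffix);

    if (l <= sl || l >= UNIT_NAME_MAX || strcmp(n + l - sl, suffix) != 0)
        return 0;
    return strspn(n, ALNUM ":-_.\\") == l;
}

/* Build "<escaped path><suffix>" in out. Returns 0 or a negative errno; on
 * failure the caller must not use out. Assumes path is already normalized. */
static int name_from_path(const char *path, const char *suffix, char *out, size_t outsz) {
    const char *p = path, *end;
    size_t n = 0;

    if (path[0] != '/')
        return -EINVAL; /* only absolute paths map to mount units */
    while (*p == '/')
        p++;
    for (end = p + strlen(p); end > p && end[-1] == '/'; end--)
        ;
    if (outsz < 2)
        return -ENAMETOOLONG;
    if (p == end)
        out[n++] = '-'; /* the root directory becomes "-" */
    for (const char *c = p; c < end; c++) {
        if (n + 5 > outsz) /* worst case per byte: "\xXX" plus NUL */
            return -ENAMETOOLONG;
        if (*c == '/')
            out[n++] = '-';
        else if (strchr(ALNUM ":_", *c) || (*c == '.' && c > p))
            out[n++] = *c;
        else
            n += (size_t) sprintf(out + n, "\\x%02x", (unsigned) (unsigned char) *c);
    }
    if (n + strlen(suffix) + 1 > outsz)
        return -ENAMETOOLONG;
    strcpy(out + n, suffix);
    return name_is_valid(out, suffix) ? 0 : -EINVAL;
}
```

A caller that synthesizes units from mountinfo lines can log the negative return value at warning level and skip the entry, without ever allocating a unit object for it.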
We would print the error sometimes to stdout and sometimes to stderr. It *is*
useful to get the message if one of the names is not found on the bus to
stdout, so that this shows up in the pager. So let's do verification of args
early to catch invalid arguments, and then if we receive an error over the bus
(most likely that the name is not activatable), let's print to stdout so it
gets paged. E.g. 'busctl tree org.freedesktop.systemd1 org.freedesktop.systemd2'
gives a nicely usable output.
Each of bus_set_address_{user,system} had two users, and each of the two users
would set the internal flag manually. We should do that internally in the
functions instead.
While at it, only set the flag when setting the address is actually successful.
This doesn't change anything for current users, but it seems more correct.
Those are fairly trivial to reimplement, but any non-trivial user of sd-bus
is likely to need them. So let's expose them to save everyone the trouble.
I'm keeping the internal functions and making the public ones thin wrappers,
because for the internal uses we don't need the additional asserts, and also we
can't expose _pure_ annotation easily, and dropping it would likely make the
compiled code a bit less efficient.