|
 |
17b0f1 |
From be9fad86ae9ab721cd295210962da85706b839e9 Mon Sep 17 00:00:00 2001
|
|
|
17b0f1 |
From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Nykr=C3=BDn?= <lnykryn@redhat.com>
|
|
|
17b0f1 |
Date: Fri, 7 Oct 2016 03:08:21 +0200
|
|
|
17b0f1 |
Subject: [PATCH] core: add possibility to set action for ctrl-alt-del burst
|
|
|
17b0f1 |
(#4105)
|
|
|
17b0f1 |
|
|
|
17b0f1 |
For some certification, it should not be possible to reboot the machine through ctrl-alt-delete. Currently we suggest our customers to mask the ctrl-alt-delete target, but that is obviously not enough.
|
|
|
17b0f1 |
|
|
|
17b0f1 |
Patching the keymaps to disable that is really not a way to go for them, because the settings need to be easily checked by some SCAP tools.
|
|
|
17b0f1 |
|
|
|
17b0f1 |
Cherry-picked from: 24dd31c19ede505143833346ff850af942694aa6
|
|
|
17b0f1 |
Resolves: #1353028
|
|
|
17b0f1 |
---
|
|
|
17b0f1 |
man/systemd-system.conf.xml | 11 ++++++++
|
|
|
17b0f1 |
src/core/main.c | 5 ++++
|
|
|
17b0f1 |
src/core/manager.c | 51 +++++++++++++++++++++++++++----------
|
|
|
17b0f1 |
src/core/manager.h | 14 +++++++++-
|
|
|
17b0f1 |
src/core/system.conf | 1 +
|
|
|
17b0f1 |
5 files changed, 68 insertions(+), 14 deletions(-)
|
|
|
17b0f1 |
|
|
|
17b0f1 |
diff --git a/man/systemd-system.conf.xml b/man/systemd-system.conf.xml
|
|
|
17b0f1 |
index 39d19bc71a..236c20d5f9 100644
|
|
|
17b0f1 |
--- a/man/systemd-system.conf.xml
|
|
|
17b0f1 |
+++ b/man/systemd-system.conf.xml
|
|
|
17b0f1 |
@@ -101,6 +101,17 @@
|
|
|
17b0f1 |
arguments.</para></listitem>
|
|
|
17b0f1 |
</varlistentry>
|
|
|
17b0f1 |
|
|
|
17b0f1 |
+ <varlistentry>
|
|
|
17b0f1 |
+ <term><varname>CtrlAltDelBurstAction=</varname></term>
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
+ <listitem><para>Defines what action will be performed
|
|
|
17b0f1 |
+ if user presses Ctr-Alt-Delete more than 7 times in 2s.
|
|
|
17b0f1 |
+ Can be set to <literal>reboot-force</literal>, <literal>poweroff-force</literal>
|
|
|
17b0f1 |
+ or disabled with <literal>ignore</literal>. Defaults to
|
|
|
17b0f1 |
+ <literal>reboot-force</literal>.
|
|
|
17b0f1 |
+ </para></listitem>
|
|
|
17b0f1 |
+ </varlistentry>
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
<varlistentry>
|
|
|
17b0f1 |
<term><varname>CPUAffinity=</varname></term>
|
|
|
17b0f1 |
|
|
|
17b0f1 |
diff --git a/src/core/main.c b/src/core/main.c
|
|
|
17b0f1 |
index c9d8ce4a40..6ac9c9d44f 100644
|
|
|
17b0f1 |
--- a/src/core/main.c
|
|
|
17b0f1 |
+++ b/src/core/main.c
|
|
|
17b0f1 |
@@ -115,6 +115,7 @@ static FILE* arg_serialization = NULL;
|
|
|
17b0f1 |
static bool arg_default_cpu_accounting = false;
|
|
|
17b0f1 |
static bool arg_default_blockio_accounting = false;
|
|
|
17b0f1 |
static bool arg_default_memory_accounting = false;
|
|
|
17b0f1 |
+static CADBurstAction arg_cad_burst_action = CAD_BURST_ACTION_REBOOT;
|
|
|
17b0f1 |
|
|
|
17b0f1 |
static void nop_handler(int sig) {}
|
|
|
17b0f1 |
|
|
|
17b0f1 |
@@ -625,6 +626,8 @@ static int config_parse_join_controllers(const char *unit,
|
|
|
17b0f1 |
return 0;
|
|
|
17b0f1 |
}
|
|
|
17b0f1 |
|
|
|
17b0f1 |
+static DEFINE_CONFIG_PARSE_ENUM(config_parse_cad_burst_action, cad_burst_action, CADBurstAction, "Failed to parse service restart specifier");
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
static int parse_config_file(void) {
|
|
|
17b0f1 |
|
|
|
17b0f1 |
const ConfigTableItem items[] = {
|
|
|
17b0f1 |
@@ -673,6 +676,7 @@ static int parse_config_file(void) {
|
|
|
17b0f1 |
{ "Manager", "DefaultCPUAccounting", config_parse_bool, 0, &arg_default_cpu_accounting },
|
|
|
17b0f1 |
{ "Manager", "DefaultBlockIOAccounting", config_parse_bool, 0, &arg_default_blockio_accounting },
|
|
|
17b0f1 |
{ "Manager", "DefaultMemoryAccounting", config_parse_bool, 0, &arg_default_memory_accounting },
|
|
|
17b0f1 |
+ { "Manager", "CtrlAltDelBurstAction", config_parse_cad_burst_action, 0, &arg_cad_burst_action},
|
|
|
17b0f1 |
{}
|
|
|
17b0f1 |
};
|
|
|
17b0f1 |
|
|
|
17b0f1 |
@@ -1690,6 +1694,7 @@ int main(int argc, char *argv[]) {
|
|
|
17b0f1 |
m->initrd_timestamp = initrd_timestamp;
|
|
|
17b0f1 |
m->security_start_timestamp = security_start_timestamp;
|
|
|
17b0f1 |
m->security_finish_timestamp = security_finish_timestamp;
|
|
|
17b0f1 |
+ m->cad_burst_action = arg_cad_burst_action;
|
|
|
17b0f1 |
|
|
|
17b0f1 |
manager_set_default_rlimits(m, arg_default_rlimit);
|
|
|
17b0f1 |
manager_environment_add(m, NULL, arg_default_environment);
|
|
|
17b0f1 |
diff --git a/src/core/manager.c b/src/core/manager.c
|
|
|
17b0f1 |
index 6d045fdf35..9048dde96e 100644
|
|
|
17b0f1 |
--- a/src/core/manager.c
|
|
|
17b0f1 |
+++ b/src/core/manager.c
|
|
|
17b0f1 |
@@ -1859,6 +1859,35 @@ static int manager_start_target(Manager *m, const char *name, JobMode mode) {
|
|
|
17b0f1 |
return r;
|
|
|
17b0f1 |
}
|
|
|
17b0f1 |
|
|
|
17b0f1 |
+static void manager_handle_ctrl_alt_del(Manager *m) {
|
|
|
17b0f1 |
+ /* If the user presses C-A-D more than
|
|
|
17b0f1 |
+ * 7 times within 2s, we reboot/shutdown immediately,
|
|
|
17b0f1 |
+ * unless it was disabled in system.conf */
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
+ if (ratelimit_test(&m->ctrl_alt_del_ratelimit) || m->cad_burst_action == CAD_BURST_ACTION_IGNORE)
|
|
|
17b0f1 |
+ manager_start_target(m, SPECIAL_CTRL_ALT_DEL_TARGET, JOB_REPLACE_IRREVERSIBLY);
|
|
|
17b0f1 |
+ else {
|
|
|
17b0f1 |
+ switch (m->cad_burst_action) {
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
+ case CAD_BURST_ACTION_REBOOT:
|
|
|
17b0f1 |
+ m->exit_code = MANAGER_REBOOT;
|
|
|
17b0f1 |
+ break;
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
+ case CAD_BURST_ACTION_POWEROFF:
|
|
|
17b0f1 |
+ m->exit_code = MANAGER_POWEROFF;
|
|
|
17b0f1 |
+ break;
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
+ default:
|
|
|
17b0f1 |
+ assert_not_reached("Unknown action.");
|
|
|
17b0f1 |
+ }
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
+ log_notice("Ctrl-Alt-Del was pressed more than 7 times within 2s, performing immediate %s.",
|
|
|
17b0f1 |
+ cad_burst_action_to_string(m->cad_burst_action));
|
|
|
17b0f1 |
+ status_printf(NULL, true, false, "Ctrl-Alt-Del was pressed more than 7 times within 2s, performing immediate %s.",
|
|
|
17b0f1 |
+ cad_burst_action_to_string(m->cad_burst_action));
|
|
|
17b0f1 |
+ }
|
|
|
17b0f1 |
+}
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
static int manager_dispatch_signal_fd(sd_event_source *source, int fd, uint32_t revents, void *userdata) {
|
|
|
17b0f1 |
Manager *m = userdata;
|
|
|
17b0f1 |
ssize_t n;
|
|
|
17b0f1 |
@@ -1909,19 +1938,7 @@ static int manager_dispatch_signal_fd(sd_event_source *source, int fd, uint32_t
|
|
|
17b0f1 |
|
|
|
17b0f1 |
case SIGINT:
|
|
|
17b0f1 |
if (m->running_as == SYSTEMD_SYSTEM) {
|
|
|
17b0f1 |
-
|
|
|
17b0f1 |
- /* If the user presses C-A-D more than
|
|
|
17b0f1 |
- * 7 times within 2s, we reboot
|
|
|
17b0f1 |
- * immediately. */
|
|
|
17b0f1 |
-
|
|
|
17b0f1 |
- if (ratelimit_test(&m->ctrl_alt_del_ratelimit))
|
|
|
17b0f1 |
- manager_start_target(m, SPECIAL_CTRL_ALT_DEL_TARGET, JOB_REPLACE_IRREVERSIBLY);
|
|
|
17b0f1 |
- else {
|
|
|
17b0f1 |
- log_notice("Ctrl-Alt-Del was pressed more than 7 times within 2s, rebooting immediately.");
|
|
|
17b0f1 |
- status_printf(NULL, true, false, "Ctrl-Alt-Del was pressed more than 7 times within 2s, rebooting immediately.");
|
|
|
17b0f1 |
- m->exit_code = MANAGER_REBOOT;
|
|
|
17b0f1 |
- }
|
|
|
17b0f1 |
-
|
|
|
17b0f1 |
+ manager_handle_ctrl_alt_del(m);
|
|
|
17b0f1 |
break;
|
|
|
17b0f1 |
}
|
|
|
17b0f1 |
|
|
|
17b0f1 |
@@ -3319,3 +3336,11 @@ static const char *const manager_state_table[_MANAGER_STATE_MAX] = {
|
|
|
17b0f1 |
};
|
|
|
17b0f1 |
|
|
|
17b0f1 |
DEFINE_STRING_TABLE_LOOKUP(manager_state, ManagerState);
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
+static const char *const cad_burst_action_table[_CAD_BURST_ACTION_MAX] = {
|
|
|
17b0f1 |
+ [CAD_BURST_ACTION_IGNORE] = "ignore",
|
|
|
17b0f1 |
+ [CAD_BURST_ACTION_REBOOT] = "reboot-force",
|
|
|
17b0f1 |
+ [CAD_BURST_ACTION_POWEROFF] = "poweroff-force",
|
|
|
17b0f1 |
+};
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
+DEFINE_STRING_TABLE_LOOKUP(cad_burst_action, CADBurstAction);
|
|
|
17b0f1 |
diff --git a/src/core/manager.h b/src/core/manager.h
|
|
|
17b0f1 |
index 3e855db466..42be1fc437 100644
|
|
|
17b0f1 |
--- a/src/core/manager.h
|
|
|
17b0f1 |
+++ b/src/core/manager.h
|
|
|
17b0f1 |
@@ -64,6 +64,14 @@ typedef enum ManagerExitCode {
|
|
|
17b0f1 |
_MANAGER_EXIT_CODE_INVALID = -1
|
|
|
17b0f1 |
} ManagerExitCode;
|
|
|
17b0f1 |
|
|
|
17b0f1 |
+typedef enum CADBurstAction {
|
|
|
17b0f1 |
+ CAD_BURST_ACTION_IGNORE,
|
|
|
17b0f1 |
+ CAD_BURST_ACTION_REBOOT,
|
|
|
17b0f1 |
+ CAD_BURST_ACTION_POWEROFF,
|
|
|
17b0f1 |
+ _CAD_BURST_ACTION_MAX,
|
|
|
17b0f1 |
+ _CAD_BURST_ACTION_INVALID = -1
|
|
|
17b0f1 |
+} CADBurstAction;
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
typedef enum StatusType {
|
|
|
17b0f1 |
STATUS_TYPE_EPHEMERAL,
|
|
|
17b0f1 |
STATUS_TYPE_NORMAL,
|
|
|
17b0f1 |
@@ -300,8 +308,9 @@ struct Manager {
|
|
|
17b0f1 |
/* Used for processing polkit authorization responses */
|
|
|
17b0f1 |
Hashmap *polkit_registry;
|
|
|
17b0f1 |
|
|
|
17b0f1 |
- /* When the user hits C-A-D more than 7 times per 2s, reboot immediately... */
|
|
|
17b0f1 |
+ /* When the user hits C-A-D more than 7 times per 2s, do something immediately... */
|
|
|
17b0f1 |
RateLimit ctrl_alt_del_ratelimit;
|
|
|
17b0f1 |
+ CADBurstAction cad_burst_action;
|
|
|
17b0f1 |
};
|
|
|
17b0f1 |
|
|
|
17b0f1 |
int manager_new(SystemdRunningAs running_as, bool test_run, Manager **m);
|
|
|
17b0f1 |
@@ -372,3 +381,6 @@ ManagerState manager_state(Manager *m);
|
|
|
17b0f1 |
|
|
|
17b0f1 |
const char *manager_state_to_string(ManagerState m) _const_;
|
|
|
17b0f1 |
ManagerState manager_state_from_string(const char *s) _pure_;
|
|
|
17b0f1 |
+
|
|
|
17b0f1 |
+const char *cad_burst_action_to_string(CADBurstAction a) _const_;
|
|
|
17b0f1 |
+CADBurstAction cad_burst_action_from_string(const char *s) _pure_;
|
|
|
17b0f1 |
diff --git a/src/core/system.conf b/src/core/system.conf
|
|
|
17b0f1 |
index 231609033b..a11f599038 100644
|
|
|
17b0f1 |
--- a/src/core/system.conf
|
|
|
17b0f1 |
+++ b/src/core/system.conf
|
|
|
17b0f1 |
@@ -20,6 +20,7 @@
|
|
|
17b0f1 |
#CrashShell=no
|
|
|
17b0f1 |
#ShowStatus=yes
|
|
|
17b0f1 |
#CrashChVT=1
|
|
|
17b0f1 |
+#CtrlAltDelBurstAction=reboot-force
|
|
|
17b0f1 |
#CPUAffinity=1 2
|
|
|
17b0f1 |
#JoinControllers=cpu,cpuacct net_cls,net_prio
|
|
|
17b0f1 |
#RuntimeWatchdogSec=0
|