Today's Topics:
1. Re: [PATCH 2/3] src/proxy.c: modify the proxy_lookup ()
supporting non-browser schemes (David Woodhouse)
2. Re: [PATCH] connman.service: Use ProtectSystem=true to allow
writing /etc/localtime (Philip Withnall)
----------------------------------------------------------------------
Message: 1
Date: Mon, 22 Aug 2016 10:54:45 +0100
From: David Woodhouse <[email protected]>
To: Atul Anand <[email protected]>, [email protected]
Subject: Re: [PATCH 2/3] src/proxy.c: modify the proxy_lookup ()
supporting non-browser schemes
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
On Sun, 2016-08-21 at 21:44 +0530, Atul Anand wrote:
> As discussed, the proxy lookup for browser and non browser schemes should
> be handled in an order as follows:
> A request for a "browser" protocol would match the following configs
> in order of preference (if they exist):
>    Matching "Domains", BrowserOnly==TRUE
>    Matching "Domains", BrowserOnly==FALSE
>    Domains==NULL, BrowserOnly==TRUE
>    Domains==NULL, BrowserOnly==FALSE
>
> A request for a non-browser protocol would match the following:
>    Matching "Domains", BrowserOnly==FALSE
>    Domains==NULL, BrowserOnly==FALSE (except if a config exists with
>    Matching "Domains", BrowserOnly==TRUE, in which case we need to
>    return NULL).
> ---
This version looks much better; thanks.
--
dwmw2
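
The selection order quoted above, written out as an added example (not code from the patch or from ConnMan). `struct proxy_config`, `select_config()` and the sample entries are hypothetical, each config carries a single domain for brevity, and the exception is read as applying only when no matching BrowserOnly==FALSE config exists.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

struct proxy_config {	/* hypothetical and simplified; not ConnMan's struct */
	const char *domain;	/* one domain; NULL means Domains==NULL */
	bool browser_only;
};

static const struct proxy_config sample[] = {	/* constructed sample configs */
	{ NULL, false }, { NULL, true }, { "corp.example", true },
};

/* Suffix match on a label boundary: "corp.example" matches "git.corp.example". */
static bool domain_matches(const char *dom, const char *host)
{
	size_t hl = strlen(host), dl = dom ? strlen(dom) : 0;
	if (!dom || dl > hl || strcmp(host + hl - dl, dom) != 0)
		return false;
	return dl == hl || host[hl - dl - 1] == '.';
}

/* Returns the config to use, or NULL when the request gets no proxy config. */
const struct proxy_config *select_config(const struct proxy_config *cfgs,
					 size_t n, const char *host, bool browser)
{
	const struct proxy_config *best = NULL;
	int best_rank = 4;	/* ranks 0..3 follow the order in the message */
	bool shadowed = false;	/* a matching BrowserOnly==TRUE config exists */

	for (size_t i = 0; i < n; i++) {
		const struct proxy_config *c = &cfgs[i];
		bool match = domain_matches(c->domain, host);
		if (c->domain && !match)
			continue;	/* scoped to another domain */
		if (c->browser_only && !browser) {
			shadowed = shadowed || match;
			continue;	/* never used for a non-browser request */
		}
		int rank = (match ? 0 : 2) + (c->browser_only ? 0 : 1);
		if (rank < best_rank) {
			best_rank = rank;
			best = c;
		}
	}
	if (!browser && shadowed && best_rank == 3)
		return NULL;	/* the exception in the non-browser list */
	return best;
}
```

With the sample table, a non-browser request for wiki.corp.example gets NULL rather than the Domains==NULL config, because a browser-only config claims that domain.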
------------------------------
Message: 2
Date: Mon, 22 Aug 2016 11:54:09 +0100
From: Philip Withnall <[email protected]>
To: Patrik Flykt <[email protected]>, [email protected]
Subject: Re: [PATCH] connman.service: Use ProtectSystem=true to allow
writing /etc/localtime
Message-ID: <[email protected]>
Content-Type: text/plain; charset="utf-8"
On Mon, 2016-07-18 at 19:33 +0100, Philip Withnall wrote:
> On Wed, 2016-07-13 at 13:20 +0300, Patrik Flykt wrote:
> >
> > Hi,
> >
> > On Mon, 2016-07-11 at 18:27 +0100, Philip Withnall wrote:
> > >
> > > > Setting the timezone requires unlinking and relinking /etc/localtime,
> > > > so we need /etc to be mounted read-write. This means that commit
> > > > dc8f151e has to be softened to ProtectSystem=true rather than
> > > > ProtectSystem=full. This mounts most of the filesystem as read-only,
> > > > apart from /etc, which is read-write.
> > >
> > > Signed-off-by: Philip Withnall <[email protected]>
> > > ---
> > > ?src/connman.service.in | 2 +-
> > > ?1 file changed, 1 insertion(+), 1 deletion(-)
> > >
> > > diff --git a/src/connman.service.in b/src/connman.service.in
> > > index 57eaaf9..d5d6d44 100644
> > > --- a/src/connman.service.in
> > > +++ b/src/connman.service.in
> > > @@ -15,7 +15,7 @@ ExecStart=@sbindir@/connmand -n
> > > ?StandardOutput=null
> > > ?CapabilityBoundingSet=CAP_KILL CAP_NET_ADMIN
> > > CAP_NET_BIND_SERVICE
> > > CAP_NET_RAW CAP_SYS_TIME CAP_SYS_MODULE
> > > ?ProtectHome=true
> > > -ProtectSystem=full
> > > +ProtectSystem=true
> > > ?
> > > ?[Install]
> > > ?WantedBy=multi-user.target
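Review bot: the ProtectSystem=true line makes the whole of /etc writable to connmand, although the commit message names only /etc/localtime as needing it, and the unit file gets no comment recording why the setting is weaker than full. CAP_SYS_MODULE and CAP_NET_ADMIN stay in CapabilityBoundingSet on the context lines above, so a writable /etc noticeably widens what a compromised daemon could alter. Add a comment next to ProtectSystem= giving the /etc/localtime reason, and consider whether the timezone change can be made without the daemon writing to /etc directly, so that ProtectSystem=full can stay.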
> > > --?
> > > 2.5.5
> >
> > Yes, this will fix the problem. On the other hand there is also a
> > desired use case that ConnMan has write access only to as few places
> > as possible, for run-time information that would be /var/run/connman.
> > In order to keep in line with that, I suggest something similar that
> > was done for resolv.conf handling. See a few commits from
> > 3a9ad49c8c8448875375a67913af98f74bca0ad7 forwards.
> >
> > So this could be handled by copying the symlink/file from
> > /etc/localtime to /var/run with tmpfiles.d and create the link to /etc
> > (see e.g. scripts/connman_resolvconf.conf.in).
> >
> > What do you think?
>
> I think that sounds feasible, and definitely better than downgrading
> from ProtectSystem=full. I'm away for the next couple of weeks, but
> will try and look at this when I get back. Sorry for the delay.
After looking more closely, I don't think it will be possible to set up
an additional symlink:
    /etc/localtime -> /var/run/connman/localtime -> /usr/share/zoneinfo/blah
because systemd apparently parses the symlink target of /etc/localtime
to find the timezone. See localtime(5).
I wonder if a better solution would be to use the
org.freedesktop.timedate1 interface to set the timezone via systemd. On
platforms which don't use systemd, we can continue to use the existing
/etc/localtime code, and we won't hit the ProtectSystem=full problem.
Philip
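
Why the chained symlink fails, as an added example rather than systemd or ConnMan code: it models a reader that takes only the first hop of the link and expects it to point under /usr/share/zoneinfo/, as the message describes. The function names, the temporary-directory layout and the Europe/London target are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Derive a zone name from the first hop of a symlink, the way the message
 * says /etc/localtime is read. Simplified model, not systemd's code. */
int zone_from_link(const char *link, char *zone, size_t len)
{
	static const char *const prefixes[] = {
		"/usr/share/zoneinfo/", "../usr/share/zoneinfo/",
	};
	char target[PATH_MAX];
	ssize_t n = readlink(link, target, sizeof(target) - 1);
	if (n < 0)
		return -1;		/* missing, or not a symlink */
	target[n] = '\0';
	for (size_t i = 0; i < 2; i++) {
		size_t pl = strlen(prefixes[i]);
		if (strncmp(target, prefixes[i], pl) == 0 && target[pl] != '\0') {
			snprintf(zone, len, "%s", target + pl);
			return 0;
		}
	}
	return -1;			/* first hop is not under zoneinfo */
}

/* Build a throwaway "localtime" link in a temp dir, optionally through the
 * intermediate link proposed in the thread, then try to read the zone. */
int try_layout(int chained, char *zone, size_t len)
{
	char dir[] = "/tmp/ltdemo.XXXXXX", lt[64], mid[64];
	const char *tz = "/usr/share/zoneinfo/Europe/London";	/* constructed */
	int rc = -1;
	if (!mkdtemp(dir))
		return -1;
	snprintf(lt, sizeof(lt), "%s/localtime", dir);
	snprintf(mid, sizeof(mid), "%s/connman-localtime", dir);
	if (symlink(tz, chained ? mid : lt) == 0 &&
	    (!chained || symlink(mid, lt) == 0))
		rc = zone_from_link(lt, zone, len);
	unlink(lt);
	unlink(mid);
	rmdir(dir);
	return rc;
}
```

The direct link yields Europe/London; the chained layout returns -1 because the first hop points at the intermediate link, not at a zoneinfo path.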
------------------------------
End of connman Digest, Vol 10, Issue 26
***************************************