1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-23 17:34:00 +03:00
Commit Graph

60791 Commits

Author SHA1 Message Date
Yu Watanabe
1267b35273 fuzz: shorten filename of testcase
Follow-up for 46dc071985 and
76519cecc7.

(cherry picked from commit 029a7f5a0e)
2022-12-08 23:00:58 +01:00
Yu Watanabe
7fc478f751 resolve: optimize conversion of TXT fields to json
Fixes oss-fuzz#54080 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54080).

Fixes #25654.

(cherry picked from commit b9152f2d63)
2022-12-08 23:00:35 +01:00
Yu Watanabe
772e89452e hexdecoct: fix NULL pointer dereferences in hexmem()
Fixes oss-fuzz#54090 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54090).

Fixes #25655.

(cherry picked from commit 7d34567444)
2022-12-08 23:00:35 +01:00
Yu Watanabe
002fc46688 hexdecoct: add missing NULL check
Fixes oss-fuzz#54065 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54065).

Fixes #25650.

(cherry picked from commit 45655e776f)
2022-12-08 23:00:35 +01:00
Yu Watanabe
be1088b7a0 test: add tests for base64_append()
(cherry picked from commit 6b0df52e58)
2022-12-08 23:00:35 +01:00
Yu Watanabe
acb0414a1f hexdecoct: several cleanups for base64_append()
- add missing assertions,
- use size_t for buffser size or memory index,
- handle empty input more gracefully,
- return the length or the result string,
- fix off-by-one issue when the prefix is already long enough.

(cherry picked from commit c21b316964)
2022-12-08 23:00:35 +01:00
Antonio Alvarez Feijoo
9410eb20eb cryptsetup: retry TPM2 unseal operation if it fails with TPM2_RC_PCR_CHANGED
Quoting "Trusted Platform Module Library - Part 3: Commands (Rev. 01.59)":

"pcrUpdateCounter – this parameter is updated by TPM2_PolicyPCR(). This value
may only be set once during a policy. Each time TPM2_PolicyPCR() executes, it
checks to see if policySession->pcrUpdateCounter has its default state,
indicating that this is the first TPM2_PolicyPCR(). If it has its default value,
then policySession->pcrUpdateCounter is set to the current value of
pcrUpdateCounter. If policySession->pcrUpdateCounter does not have its default
value and its value is not the same as pcrUpdateCounter, the TPM shall return
TPM_RC_PCR_CHANGED.

If this parameter and pcrUpdateCounter are not the same, it indicates that PCR
have changed since checked by the previous TPM2_PolicyPCR(). Since they have
changed, the previous PCR validation is no longer valid."

The TPM will return TPM_RC_PCR_CHANGED if any PCR value changes (no matter
which) between validating the PCRs binded to the enrollment and unsealing the
HMAC key, so this patch adds a retry mechanism in this case.

Fixes #24906

(cherry picked from commit 0254e4d66a)
2022-12-08 23:00:35 +01:00
Yu Watanabe
1c8abb343a man: mention that DefaultRouteOnDevice= create the IPv4 default route
And add an example setting for creating an IPv6 default route.

Closes #25440.

(cherry picked from commit 15f330cf87)
2022-12-08 23:00:35 +01:00
Lennart Poettering
6c869ad3bd selinux: accept the fact that getxyzcon() can return success and NULL
Inspired by #25664: let's check explicitly for NULL everywhere we do one
of those getXYZcon() calls.

We usually turn this into EOPNOTSUPP, as when selinux is off (which is
supposed to be the only case this can happen according to selinux docs)
we otherwise return EOPNOTSUPP in that case.

Note that in most cases we have an explicit mac_selinux_use() call
beforehand, hence this should mostly not be triggerable codepaths.

(cherry picked from commit af614e45c3)
2022-12-08 23:00:35 +01:00
Jade Lovelace
0fdeb7c640 oomd: print dry run output at INFO level
Otherwise, the dry run isn't much use since it would be logged at debug
and not seen.

(cherry picked from commit 3b703840d9)
2022-12-08 23:00:35 +01:00
Space Meyer
4119d25e62 journald: prevent segfault on empty attr/current
getpidcon() might set con to NULL, even when it returned a 0 return
code[0]. The subsequent strlen(con) will then cause a segfault.

Alternatively the behaviour could also be changed in getpidcon. I
don't know whether the libselinux folks are comitted to the current
behaviour, but the getpidcon man page doesn't really make it obvious
this case could happen.

[0] fb7f35495f/libselinux/src/procattr.c (L155-L158)

(cherry picked from commit ff868eaade)
2022-12-08 23:00:35 +01:00
Yu Watanabe
6fdf196f99 core: use correct scope of looking up units
Fixes a bug introduced by 3b3557c410.

Fixes #25625.

(cherry picked from commit 47c57b4813)
2022-12-08 23:00:35 +01:00
Jian Zhang
6d7b0dacc6 test-network: add test for bond mac address config
Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
(cherry picked from commit 23b6bf274f)
2022-12-08 23:00:35 +01:00
Jian Zhang
6405eba4b6 network: Fix set bond device MAC address failed
Issue:
When device is in bond mode and booting up, there is a probability of
set bond MAC address failed due to `Device or resource busy` error.

In systemd-networkd, set MAC address steps are:
1. Try to set MAC address to device.
2. If failed with `Device or resource busy`, then `Down` the device.
3. Try to set MAC address to device again.

Currently, Even down the bond device, the bond device is still return
`Device or resource busy` error. So the MAC address set failed.

The root cause is that this not enough to down the bond device. We need
to down all the slaves of the bond device.
About this descprition, we could use those commands to check:
```shell
We have two network devices: eth0, bond1, eth0 is slave of bond1.
They are all up.

1. Down bond1, and set MAC address to bond1.
~# ip link set bond1 down
~# ip link set bond1 address 00:11:22:33:44:55
ip: SIOCSIFHWADDR: Device or resource busy

2. Down eth0, and set MAC address to bond1.
~# ip link set eth0 down
~# ip link set bond1 address 00:11:22:33:44:55
Set okay.
```

Fix:
When setting the mac for the second time, if the device kind is bond,
then we need to down the slave devices of bond device.

Tested: Verified in a long time test( reboot cycles ).

Fixes: #25627

Signed-off-by: Jian Zhang <zhangjian.3032@bytedance.com>
(cherry picked from commit f1a69d5acc)
2022-12-08 23:00:35 +01:00
Daan De Meyer
dbc59253ec test-fs-util: Add relative path chase_symlinks() tests
(cherry picked from commit 94799c305a)
2022-12-08 23:00:35 +01:00
Lennart Poettering
6e99f9c8fb chase-symlink: when converting directory O_PATH fd to real fd, don't bother with /proc/
Replaces: #25581
(cherry picked from commit 2075b6dd39)
2022-12-08 23:00:35 +01:00
Yu Watanabe
bc6fc812fd test: add basic tests for octescape()
(cherry picked from commit 4f438c638b)
2022-12-08 23:00:35 +01:00
Yu Watanabe
2ea5de7881 escape: fix wrong octescape of bad character
Fixes a bug introduced by 95052df376.

This also makes octescape() support NULL or zero length string.

Fixes [oss-fuzz#54059](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54059).

Fixes #25643.

(cherry picked from commit 76519cecc7)
2022-12-08 23:00:20 +01:00
Yu Watanabe
8999727a82 network: drop REMOVING flag when a netlink message is sent to kernel
When an interface goes to down, the kernel drops several routes
automatically, and at the same time networkd requests to remove
them, but the kernel sometimes does not respond the requests. Hence,
the routes cannot drop the REMOVING flag, and networkd will never try
to configure other routes which depend on the previously removed
routes even if they are already reconfigured.

With this patch, when networkd sends a request to configure a route
(or any other network settings), REMOVING flag for the route is dropped
without waiting for the reply about the previous remove request, as we
can expect it will appear even if it is already removed or under removing.

Fixes #24999.

(cherry picked from commit f4ee7b98c4)
2022-12-08 21:29:56 +01:00
Lennart Poettering
a064abff76 dissect: show color in log output
(cherry picked from commit 5acb31a683)
2022-12-08 21:29:56 +01:00
Richard Phibel
278a97708b log: Switch logging to runtime when FS becomes read-only
The journal has a mechanism to log to the runtime journal if it fails to
log to the system journal. This mechanism is not triggered when the file
system becomes read-only. We enable it here.

When appending an entry fails if shall_try_append_again returns true,
the journal is rotated. If the FS is read-only, rotation will fail and
s->system_journal will be set to NULL. After that, when find_journal
will try to open the journal since s->system_journal will be NULL, it
will open the runtime journal.

(cherry picked from commit 379864f890)
2022-12-08 21:29:56 +01:00
Evgeny Vereshchagin
44984e15bb resolve: format zero-length RDATA according to rfc3597
If the RDATA is of zero length, the text representation contains only
the \# token and the single zero representing the length.

(cherry picked from commit 84f788d669)
2022-12-08 21:29:56 +01:00
Zbigniew Jędrzejewski-Szmek
d59009dc1d manager: do not append '\n' when writing sysctl settings
When booting with debug logs, we print:

   Setting '/proc/sys/fs/file-max' to '9223372036854775807
   '
   Setting '/proc/sys/fs/nr_open' to '2147483640
   '
   Couldn't write fs.nr_open as 2147483640, halving it.
   Setting '/proc/sys/fs/nr_open' to '1073741816
   '
   Successfully bumped fs.nr_open to 1073741816

The strange formatting is because we explicitly appended a newline in those two
places. It seems that the kernel doesn't care. In fact, we have a few dozen other
writes to sysctl where we don't append a newline. So let's just drop those here
too, to make the code a bit simpler and avoid strange output in the logs.

(cherry picked from commit b47e0fac03)
2022-12-08 21:29:56 +01:00
Frantisek Sumsal
2a66b4c894 test: check if we can use SHA1 MD for signing before using it
Some distributions have started phasing out SHA1, which breaks
the systemd-measure test case in its current form. Let's make sure we
can use SHA1 for signing beforehand to mitigate this.

Spotted on RHEL 9, where SHA1 signatures are disallowed by [0]:
```
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "/tmp/pcrsign-private.pem"
...
openssl rsa -pubout -in "/tmp/pcrsign-private.pem" -out "/tmp/pcrsign-public.pem"
writing RSA key
/usr/lib/systemd/systemd-measure sign --current --bank=sha1 --private-key="/tmp/pcrsign-private.pem" --public-key="/tmp/pcrsign-public.pem"
Failed to initialize signature context.
```

[0] https://gitlab.com/redhat/centos-stream/rpms/openssl/-/blob/c9s/0049-Selectively-disallow-SHA1-signatures.patch

(cherry picked from commit d19e5540f2)
2022-12-08 21:29:56 +01:00
Yu Watanabe
d0b80bf81e dissect-image: log expected UUID for /var
Closes #25443.

(cherry picked from commit a52efa813d)
2022-12-08 21:29:56 +01:00
Yu Watanabe
b0b97848e8 bootspec: fix null-dereference-read
Fixes [oss-fuzz#53578](https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=53578).
Fixes #25450.

(cherry picked from commit 46dc071985)
2022-12-08 21:29:56 +01:00
Neil Moore
0ba8e9ecff virt: Support detection of LMHS SRE guests
(cherry picked from commit d833ed781f)
2022-12-08 21:29:56 +01:00
Ray Strode
787b2c32f3 terminal-util: Set OPOST when setting ONLCR
reset_terminal_fd sets certain minimum required terminal attributes
that systemd relies on.

One of those attributes is `ONLCR` which ensures that when a new line
is sent to the terminal, that the cursor not only moves to the next
line, but also moves to the very beginning of that line.

In order for `ONLCR` to work, the terminal needs to perform output
post-processing. That requires an additional attribute, `OPOST`,
which reset_terminal_fd currently fails to ensure is set.

In most cases `OPOST` (and `ONLCR` actually) are both set anyway, so
it's not an issue, but it could be a problem if, e.g., the terminal was
put in raw mode by a program and the program unexpectedly died before
restoring settings.

This commit ensures when `ONLCR` is set `OPOST` is set too, which is
the only thing that really makes sense to do.

(cherry picked from commit 9fe26523a1)
2022-12-08 21:29:56 +01:00
Lennart Poettering
c7bf13b2d9 units: change Requires=systemd-networkd.service → BindsTo= one more time
Follow-up for da15f8406e which did the
change for systemd-networkd-wait-online.service, let's also do this for
systemd-networkd-wait-online@.service

(cherry picked from commit 51f3dc2234)
2022-12-08 21:29:56 +01:00
Yu Watanabe
e3d9376692 core/device: verify device syspath on switching root
Otherwise, if a device is removed while switching root, then the
corresponding .device unit will never go to inactive state.

This replaces the code dropped by cf1ac0cfe4.

Fixes #25106.

(cherry picked from commit b6c86ae281)
2022-12-08 21:29:56 +01:00
Yu Watanabe
9523f85b2e core/device: also serialize/deserialize device syspath
The field will be used in later commits.

(cherry picked from commit 1ea74fca3a)
2022-12-08 21:29:56 +01:00
Yu Watanabe
10b3ce781b core/device: update comment
(cherry picked from commit 54a4d71509)
2022-12-08 21:29:56 +01:00
Yu Watanabe
2505010178 sd-netlink: fix segfault
(cherry picked from commit 766417bd76)
2022-12-08 21:29:56 +01:00
Michal Koutný
4b885f3591 test: Add tests for systemd-cgtop args parsing
(cherry picked from commit d4e32838e8)
2022-12-08 21:29:56 +01:00
Michal Koutný
b97c1c427c cgtop: Do not rewrite -P or -k options
--recursive=no will overwrite possible -P or -k option hence making the
recursive disabling impossible.

Check what counting types the system supports (encoded in the ordering
of our enum) of and pick whatever user requests but is also supported.

Fixes: #25248
(cherry picked from commit 48600b3524)
2022-12-08 21:29:56 +01:00
Michal Koutný
6cbf72a8d9 logind: Properly unescape names of lingering users
Filenames to store user linger requests are created with C-escaping.
When we enumerate the files to acquire ligering users, we use the
filenames verbatim. In the case C-escaping is not an identity map (such
as "DOMAIN\User"), we won't be able to start user instances of
such mangled users.

Unescape filenames when we treat them as usernames again.

Fixes: #25448
(cherry picked from commit f38e89c23c)
2022-12-08 21:29:56 +01:00
Daan De Meyer
01a39e96b5 units: Use BindsTo=systemd-networkd in systemd-networkd-wait-online.service
We don't want systemd-networkd-wait-online to start if systemd-networkd
is skipped due to condition failures. This is only guaranteed by BindsTo=
and not Requires=, so let's use BindsTo=

(cherry picked from commit da15f8406e)
2022-12-08 21:29:56 +01:00
Lennart Poettering
b0c39ffc54 resolved: remove inappropriate assert()
A NULL Bitmap object is by all our code considered identical to an empty
bitmap. Hence let's remove the entirely unnecessary assert().

The assert() can be triggered if debug monitoring is used an an empty
NSEC or NSEC3 RR is included in an answer resolved returns.

it's not really a security issue since enabling debug monitoring is a
manual step requiring root privileges, that is off by default. Moreover,
it's a "clean" assert(), i.e. the worst that happens is tha a coredump
is generated and resolved restarted.

Fixes: #25449
(cherry picked from commit fb896517ae)
2022-12-08 21:29:56 +01:00
Jan Janssen
e0521346ec stub: Detect empty LoadOptions when run from EFI shell
The EFI shell will pass the entire command line to the application it
starts, which includes the file path of the stub binary. This prevents
us from using the built-in cmdline if the command line is otherwise
empty.

Fortunately, the EFI shell registers a protocol on any images it starts
this way. The protocol even lets us access the args individually, making
it easy to strip the stub path off.

Fixes: #25201
(cherry picked from commit b17f3b3d80)
2022-12-02 14:17:12 +01:00
Jan Janssen
7ca40a8b08 stub: Fix cmdline handling
This fixes some bugs that could lead to garbage getting appended to the
command line passed to the kernel:
 1. The .cmdline section is not guaranteed to be NUL-terminated, but it
    was used as if it was.
 2. The conversion of the command line to ASCII that was passed to the
    stub ate the NUL at the end.
 3. LoadOptions is not guaranteed to be a NUL-terminated EFI string (it
    really should be and generally always is, though).

This also fixes the inconsistent mangling of the command line. If the
.cmdline section was used ASCII controls chars (new lines in particular)
would not be converted to spaces.

As part of this commit, we optimize conversion for the generic code
instead of the (deprecated) EFI handover protocol. Previously we would
convert to ASCII/UTF-8 and then back to EFI string for the (now) default
generic code path. Instead we now convert to EFI string and mangle that
back to ASCII in the EFI handover protocol path.

(cherry picked from commit 927ebebe58)
2022-12-02 14:17:12 +01:00
Jan Janssen
b39f2ab98f boot: Use xstr8_to_16 for path conversion
(cherry picked from commit 7444e10611)
2022-12-02 14:17:12 +01:00
Jan Janssen
6387a74d2c boot: Use xstr8_to_16
(cherry picked from commit aee515bbb5)
2022-12-02 14:17:12 +01:00
Jan Janssen
ff7469af96 boot: Add xstrn8_to_16
(cherry picked from commit 8ad7deffa9)
2022-12-02 14:17:12 +01:00
Christian Göttsche
475c130003 core: update audit messages
Pass getuid() instead of literal `0` as auid, since user session
managers also issue audit messages on SELinux denials.

(cherry picked from commit c826b7ef32)
2022-11-24 17:38:34 +01:00
Lennart Poettering
c74bc2cd49 dissect: fix fsck
Since f7725647bb when dissecting a disk
image we operate with fds to the device nodes in question wherever we
can. This includes when we fork off fsck, where we pass a /proc/self/fd/
path as argument. This only works if we keep that fd open however and
disable O_CLOEXEC on the fd. Hence do so, and fix fsck this way.

(Without this, all fsck will fail, since the fd path is invalid)

(cherry picked from commit f8ab781223)
2022-11-24 17:38:34 +01:00
Lennart Poettering
ce55eb4ebd process-util: add new FORK_CLOEXEC_OFF flag for disabling O_CLOEXEC on remaining fds
Often the fds that shall stay around in the child shall be passed
to a process over execve(), hence add an option to explicitly disable
O_CLOEXEC on them in the child.

(cherry picked from commit 981cfbe046)
2022-11-24 17:38:34 +01:00
Lennart Poettering
36c3c4172d fd-util: add new fd_cloexec_many() helper
(cherry picked from commit ed18c22c98)
2022-11-24 17:38:34 +01:00
Lennart Poettering
57b4329b38 fd-util: make fd_in_set() (and thus close_all_fds()) handle invalidated fds in the array
let's handle gracefully if fds in the specified array are already
invalidated (i.e. negative). This is handy when putting together arrays
on the fly.

(cherry picked from commit d11c14a981)
2022-11-24 17:38:34 +01:00
Luca Boccassi
12c41564cd tmpfiles: log at info level when some allowed failures occur
In provision.conf we ship:

d- /root :0700 root :root -
d- /root/.ssh :0700 root :root -

These are allowed to fail, for example on a read-only filesystem. But they still
log at error level, which is annoying and gets flagged. Tune those specific errors
down to info.

There are likely more that could be tuned down, but the important thing is to cover
the tmpfiles.d that we ship right now.

Before:

$ echo -e "d- /root :0700 root :root - \nd- /root/.ssh :0700 root :root -" | SYSTEMD_LOG_LEVEL=err build/systemd-tmpfiles --root=/tmp/img --create -
Failed to create directory or subvolume "/tmp/img/root": Read-only file system
Failed to open path '/tmp/img/root': No such file or directory
$

After:

$ echo -e "d- /root :0700 root :root - \nd- /root/.ssh :0700 root :root -" | SYSTEMD_LOG_LEVEL=err build/systemd-tmpfiles --root=/tmp/img --create -
$

(cherry picked from commit 244c2a8344)
2022-11-24 17:38:34 +01:00
Yu Watanabe
77f524dda0 find-esp: include device sysname in the log message
(cherry picked from commit 388d14659d)
2022-11-24 17:38:34 +01:00