IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Only registered users have access to the service!
To get an account, contact the administrator.
We already do it the same way for sd-dhcp-client and friends.
(cherry picked from commit 39ba10f19e7d384ad48aaad9ff6c0b3c3e6bbef1)
(cherry picked from commit a7117e29f59fa6a81eb7025ec446b95c6b35f91a)
Follow-up for fc35a9f8d1632c4e7a279228f869bfc77d8f5b9c.
Fixes the issue https://github.com/systemd/systemd/pull/29472#issuecomment-1759092138.
(cherry picked from commit 9bd91e34aaf7c759617d4763853e55f419c06ffe)
(cherry picked from commit f453cbc5162eca42c415b8dc2325a7d734aca3e5)
There's really no point in logging about one of the most common cases we
have: that no BPF-LSM policy was installed for a specific unit.
(cherry picked from commit 58f1bd9b4ab889d0378a236d759649d4b45395f9)
(cherry picked from commit 86a85cb2b56f582c3a1e09d17a7f544bad0c23a7)
Let's show which fds are closed as part of the left-over fd set logic on
daemon reload/reexec cycles.
This is useful to debug accidentally unclaimed fds.
(cherry picked from commit 91a6447607635802ac2278b7997cde687e2549a4)
(cherry picked from commit b4cdf320554f122700e9d12c81dccf2c7565860b)
We have the "tasks.max" cgroup attribute only if we run in a cgroup
namespace, but not on the host. Hence let's handle ENODATA silently
simply to reduce the debug noise generated.
(cherry picked from commit bde7e12255a82f9b714fb3e44c291a79f7647cc9)
(cherry picked from commit d3a5c9f0bc030d8ba0ef8abb190afacb9cd06682)
According to the respective change in the DPS:
<https://github.com/uapi-group/specifications/pull/86>
Signed-off-by: Roland Hieber <rhi@pengutronix.de>
(cherry picked from commit 7c6dd200468f88c189d042c7ee25547032e296cd)
(cherry picked from commit 9f415a6347f6dbe725da5ef632b33e422a2845e8)
The device-mapper driver can return a wild variety of errors when trying
to activate the same dm-verity volume concurrently, as it might happen
with an image. There is a fallback logic in place, but the original
return code was clobbered when userspace signature check was added.
Add it back.
Follow-up for c2fa92e7e8907d9
(cherry picked from commit ace07128ac014d5e7d7d1664beb58e5f3700d59c)
(cherry picked from commit c2155c19c06dfe5dd086f7b62c30762e3e5aad92)
I am seeing some failures and I don't know what is failing and why, even
with debug logs, so add more details.
(cherry picked from commit 15461b7f19272d39e59e4c6d87dfe9d48f4d1f99)
(cherry picked from commit 31f64d0bc81d5e40a03478206c7d805ce8595366)
When verifying seals produced with forward secure sealing, the verification
currently does not check that old entries are only sealed with the key for
their epoch and not a more recent one. This missing check allows an attacker
to remove seals, and create new ones with the currently available key, and
verify will claim everything is in order, although all entries could have
been modified.
This resolves CVE-2023-31439.
Co-authored-by: Felix Dörre <felix.doerre@kit.edu>
(cherry picked from commit 3846d3aa292a6daa1916f667bdd79ebee9cb4ac4)
(cherry picked from commit ea67d4755b5d81a42a9013d6ce72c9cf7adb56b9)
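The check the message above describes, as an added example that is not systemd's FSS code and does not use its key-evolution scheme: a minimal forward-secure sealing model in which the sealing key advances one-way per epoch (K_{e+1} = H(K_e)) and the host erases the previous key, while the verifier keeps K_0 offline. The hash (FNV-1a), the key K0, the entry layout and the sample log text are constructed stand-ins and NOT cryptographic. `verify_vulnerable` trusts the epoch recorded in the seal; `verify_fixed` additionally requires that epoch to equal the entry's own epoch, which is what defeats the "strip the seal and re-seal with the current key" attack.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not systemd's code. FNV-1a stands in for a real hash/MAC here
 * and is NOT cryptographic; it only has to be deterministic for the demo. */
static uint64_t h64(uint64_t seed, const void *data, size_t len) {
        const uint8_t *p = data;
        uint64_t h = 0xcbf29ce484222325ULL ^ seed;
        for (size_t i = 0; i < len; i++) {
                h ^= p[i];
                h *= 0x100000001b3ULL;
        }
        return h;
}

/* Derive K_epoch from K_0 by stepping the one-way chain. Holding K_5 does not
 * let you recover K_2, which is the whole point of forward security. */
static uint64_t key_for_epoch(uint64_t k0, unsigned epoch) {
        uint64_t k = k0;
        for (unsigned i = 0; i < epoch; i++)
                k = h64(k, "evolve", 6);
        return k;
}

typedef struct {
        unsigned epoch;      /* epoch the entry belongs to (from its timestamp) */
        char text[40];
        unsigned seal_epoch; /* epoch of the key the sealer claims to have used */
        uint64_t seal;
} entry_t;

static uint64_t seal_compute(uint64_t key, const entry_t *e) {
        return h64(key, e->text, strlen(e->text));
}

/* The sealer only ever has the current key and records which epoch it is for. */
static void entry_seal(entry_t *e, uint64_t current_key, unsigned current_epoch) {
        e->seal_epoch = current_epoch;
        e->seal = seal_compute(current_key, e);
}

/* Vulnerable check: verifies the MAC under whatever epoch the seal claims,
 * and never compares that epoch with the entry's own epoch. */
static bool verify_vulnerable(const entry_t *e, uint64_t k0) {
        return e->seal == seal_compute(key_for_epoch(k0, e->seal_epoch), e);
}

/* Fixed check: an entry may only carry a seal made with the key of its own epoch. */
static bool verify_fixed(const entry_t *e, uint64_t k0) {
        if (e->seal_epoch != e->epoch)
                return false;
        return e->seal == seal_compute(key_for_epoch(k0, e->epoch), e);
}

#define K0 0x1234abcdULL /* constructed verification key, kept offline by the verifier */

/* Honest case: an entry written and sealed in epoch 2 with K_2. */
static entry_t honest_entry(void) {
        entry_t e = { .epoch = 2 };
        strcpy(e.text, "login ok user=alice");
        entry_seal(&e, key_for_epoch(K0, 2), 2);
        return e;
}

/* Attack: by epoch 5 the compromised host holds only K_5. The attacker edits
 * the epoch-2 entry, discards its seal and re-seals it with K_5 (obtained from
 * the host, not derived from K_0; key_for_epoch is used here only for brevity). */
static entry_t tampered_entry(void) {
        entry_t e = honest_entry();
        strcpy(e.text, "login ok user=mallory");
        entry_seal(&e, key_for_epoch(K0, 5), 5);
        return e;
}

static bool vulnerable_accepts_honest(void)   { entry_t e = honest_entry();   return verify_vulnerable(&e, K0); }
static bool fixed_accepts_honest(void)        { entry_t e = honest_entry();   return verify_fixed(&e, K0); }
static bool vulnerable_accepts_tampered(void) { entry_t e = tampered_entry(); return verify_vulnerable(&e, K0); }
static bool fixed_accepts_tampered(void)      { entry_t e = tampered_entry(); return verify_fixed(&e, K0); }
```

The MAC alone cannot catch the re-seal, because the forged seal really was made with a genuine key; only tying the seal's epoch to the entry's epoch turns "the key was valid at some point" into "the key was the one valid when this entry was written".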
Grepping around showed a few extra entries that are not listed in the
remove_loader_variables() function. Namely:
- BootNext
- OsIndications
- LoaderConfigConsoleMode
- LoaderEntryLastBooted
Of which the latter two are systemd specific, even though they are
undocumented. Ensure they're removed - follow-up commits will add
documentation references.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
(cherry picked from commit 976904bf26957e75dbed467334592badf108beee)
(cherry picked from commit c6540a35ab6913ccdc57720d2a9d4e3d86e9178e)
Currently some parts of the code base check for the variable's presence before
removing it, and some do not.
More so, in all cases (being updated) we're dealing with non-volatile
variables, where changing those contributes to NVRAM wear-out.
From what information I could find, there is no definitive answer whether the
UEFI implementation will write to the NVRAM even when the variable is
missing.
So add a simple helper that checks for the variable's presence before
removing it, while also having a bit cleaner API than the current
efivar_set(..., NULL, ...);
efivar_unset() follows the design from efivar_set*() where it returns an
EFI_STATUS even though it's (presently) unused.
v2:
- add inline comment, use early return
v3:
- typos? typos!
Signed-off-by: Emil Velikov <emil.velikov@collabora.com>
(cherry picked from commit 5ee3c914a4e904567e66654177b07777dde0d100)
(cherry picked from commit 917569e3c1e1361d2c7bac584b99e075a4cb0b0d)
Note that this slightly changes the semantics of assert when NDEBUG is
defined. If there's an extern function call (without attribute pure or
similar) then the compiler has to assume it has side effects and still
emit the function call,
whereas the old assert guaranteed that nothing will be evaluated on
NDEBUG.
Closes: https://github.com/systemd/systemd/issues/29408
(cherry picked from commit be1666886b3f4355ab33f571187e3de8aae3ad40)
(cherry picked from commit a9b83fc26ccdb6ef83c8eb2b505ee4c25a320276)
The second half of `chown_recursive` works only if the kernel has ACL support.
(cherry picked from commit ec757e920c9f57a89a4378c10cd96264b058f418)
(cherry picked from commit 756a42cd1ea7d66d93337791fbe03e0f648bfb36)
'[[ not found'
(cherry picked from commit c7986bc9b64e095399c3e380441b4de26d1276a1)
(cherry picked from commit 52d4f5ec539c746c9a61a3bb4607f965a36675fe)
Debugging mount unit failures caused by systemd not being able to
create the mount point is currently rather hard. Let's log about
failures to create mount points to simplify debugging.
(cherry picked from commit ce427d0e73667e1b125c82c5c77f98dd9fbe561d)
(cherry picked from commit 915f25da9ebbe93d9768eca3b82897bb9fddc42b)
Before this fix, when recursive-errors was set to 'no' during a systemd-analyze
verification, the parent slice was checked regardless. The 'no' setting means that
only the specified unit should be looked at and verified, and errors in the slices should be
ignored. This commit fixes that issue.
Example:
Say we have a sample.service file:
[Unit]
Description=Sample Service
[Service]
ExecStart=/bin/echo "a"
Slice=support.slice
Before Change:
systemd-analyze verify --recursive-errors=no maanya/sample.service
Assertion 'u' failed at src/core/unit.c:153, function unit_has_name(). Aborting.
Aborted (core dumped)
After Change:
systemd-analyze verify --recursive-errors=no maanya/sample.service
{No errors}
(cherry picked from commit f660c7fa56b247c278fdb2ebcfea37912f249524)
(cherry picked from commit e48c57c5c2f6af3601f6e0f66d77e548efe14f93)
kernel-install uses do_execute(). We would log whenever a spawned child
finished, but we would not log anything when the child is launched. When the
children log output without a prefix (as the kernel-install plugins do), it
is hard to see where that output is coming from.
(cherry picked from commit 9ec4f7c7a4f4d56de6d00adbfe5d316edd0ec314)
(cherry picked from commit da0536a111605666b3ef165d494d5bacb262076b)
Follow-up for 38f901791f3c4b1cbd04b71323bbef2fdab65f83
(cherry picked from commit 1f998158a988fcf4cd182d9de27e1d8b16cfe474)
(cherry picked from commit 839117de6c93fcdac201f38e84c0cc1a4b2db638)
I was missing an example of how to use cryptenroll. We have that, but in
another page. Instead of repeating, let's just direct the user to the right
place.
Also, reformat synopsis to the "official" non-nested syntax.
(cherry picked from commit 38e3c61dbb1ad69e7df910d07fa8b47f3d97f660)
(cherry picked from commit ddfbdad6bbbad1b92f8cad64582edba93bfd3221)
Both styles were mixed in the file, but I find the latter much nicer,
because it's not the func that is the pointer, but the return type.
(cherry picked from commit 00d811a5482fda1a6c2b9362d047da2dcd1d7418)
(cherry picked from commit 3fec10d500a48aefc88beaa02ea6e623641125b5)
"/dev" or "/dev/" is the mount point, not a device path. In particular,
'systemctl status /dev' clearly does not refer to a device, so let's tweak
the code a bit to say that those are not device paths.
(Treating "/../dev" the same as "/dev" would also be reasonable, but that
requires chase(), which requires disk access, which we don't want to do from
this lightweight function.)
(cherry picked from commit 8f1998b8d3a5bfe61ee4d6d6aa6bb2efb94074c0)
(cherry picked from commit fc13a268128c25e9da18f7dd11c5b524cc8ae1c2)
I think that those functions should be adjusted, but let's first add a test to
establish current behaviour.
(cherry picked from commit bf9a49a5534316353b9fdda1c40026781bc6bda8)
(cherry picked from commit 1025ef21a2aae52ff9a71547f8faa728e0477557)
Fixes a bug introduced by 0843ec6c44c7b41b14f6f32d3ee7039e5e615296.
Fixes https://github.com/systemd/systemd/issues/29145.
(In upstream, the issue is fixed by 8d3c5b39b9bbc89953d1da3e9fbff1524c952ac6).
Realistically, the only thing that the caller can do is ignore failures related
to missing credentials. If the caller requires some credentials to be present,
they should just check which output variables are not NULL. One of the callers
was already doing that, and the other wanted to, but missed -ENOENT. By
suppressing -ENOENT and -ENXIO, both callers are simplified.
Fixes a warning at boot:
systemd-vconsole-setup[221]: Failed to import credentials, ignoring: No such file or directory
(cherry picked from commit 55ace8e5c58441d1a2c64b297a38b232ef0c0e28)
Once we've flushed the runtime journal to /var, stop trying to open
it since that will just fail with ENOENT all the time.
(cherry picked from commit 418a4987775280adef4e6ac4e474937ea89f0f5c)
(cherry picked from commit 01469405c7b9ef175a16c89c4a518798d2c8f65d)
...
        uint8_t c;
        struct trie_node *child;

        for (p = 0; (c = trie->strings->buf[node->prefix_off + p]); p++) {
                _cleanup_free_ struct trie_node *new_child = NULL;
                _cleanup_free_ char *s = NULL;
                ssize_t off;

                if (c == search[i + p])
                        continue;
...
When '®' is present in search, c is 194, search[i + p] is -62, c is not equal
to search[i + p], but c should be equal to search[i + p].
(cherry picked from commit b53a80966e8a2d68b66bf1b47c2ee633a71fad49)
(cherry picked from commit 3cc2aa3998aa179a726c8637dfd66a01fabb5246)
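The mismatch described above, as an added example that is not the hwdb trie code itself: a uint8_t read from the string buffer is compared against a byte read through a `char *` search key. On x86 and most other targets plain char is signed, so every UTF-8 continuation or lead byte (>= 0x80) reads as negative and the comparison fails after integer promotion (194 vs -62). `signed char` is used below to pin that behaviour regardless of the compiler's default; the function names and the "®" sample inputs are constructed for the demo.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Added example, not systemd code. Buggy comparison: c is promoted to int 194,
 * search[p] (signed char 0xC2 = -62) is promoted to int -62, so they differ. */
static bool prefix_matches_buggy(const uint8_t *prefix, size_t n, const signed char *search) {
        for (size_t p = 0; p < n; p++) {
                uint8_t c = prefix[p];
                if (c != search[p])
                        return false;
        }
        return true;
}

/* Fixed comparison: cast the search byte to uint8_t so both sides are 0..255. */
static bool prefix_matches_fixed(const uint8_t *prefix, size_t n, const signed char *search) {
        for (size_t p = 0; p < n; p++) {
                uint8_t c = prefix[p];
                if (c != (uint8_t) search[p])
                        return false;
        }
        return true;
}

/* Constructed inputs: node prefix and search key both hold "®" (UTF-8 C2 AE). */
static const uint8_t REG_PREFIX[2] = { 0xC2, 0xAE };
static const signed char REG_SEARCH[3] = { (signed char) 0xC2, (signed char) 0xAE, 0 };

/* Same "®" prefix through the buggy and the fixed comparison. */
static bool demo_buggy(void) { return prefix_matches_buggy(REG_PREFIX, 2, REG_SEARCH); }
static bool demo_fixed(void) { return prefix_matches_fixed(REG_PREFIX, 2, REG_SEARCH); }

/* Pure-ASCII input never triggers the bug, which is why it hides so well. */
static bool demo_ascii_buggy(void) {
        static const uint8_t px[2] = { 'a', 'b' };
        static const signed char sk[3] = { 'a', 'b', 0 };
        return prefix_matches_buggy(px, 2, sk);
}
```

The same pitfall shows up wherever raw bytes are compared or used as table indices through `char`: casting to `uint8_t` (or `unsigned char`) at the point of use is the portable fix, since whether plain char is signed is implementation-defined.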
We might need a lot of fds on large systems, hence raise RLIMIT_NOFILE
to what the service manager allows us, which is quite a lot these days.
udev already sets FORK_RLIMIT_NOFILE_SAFE when forking off children, thus
ensuring that forked off processes get their RLIMIT_NOFILE soft limit
reset to 1K for compat with crappy old select().
Replaces: #29298
Fixes: #28583
(cherry picked from commit 1617424ce76d797d081dd6cb1082b954c4d2bf38)
(cherry picked from commit c98a24bdbdb830a5081d5ec972d62d08547d7255)
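The two steps the message above describes, as an added example that is not systemd's rlimit helpers: raise the calling process's soft RLIMIT_NOFILE to the hard limit the service manager granted, and, before exec()ing a child, drop the soft limit back to FD_SETSIZE (1024) so a child that still uses select() is never handed an fd number that FD_SET() cannot represent. The function names are constructed; both return 0 on success or a negative errno.

```c
#include <errno.h>
#include <sys/resource.h>
#include <sys/select.h>   /* FD_SETSIZE */

/* Added example, not systemd code. Raise the soft limit to the hard limit;
 * an unprivileged process may always do this, it only needs the hard limit
 * (set by the service manager via LimitNOFILE=) to be high enough. */
static int rlimit_nofile_bump(void) {
        struct rlimit rl;

        if (getrlimit(RLIMIT_NOFILE, &rl) < 0)
                return -errno;
        if (rl.rlim_cur == rl.rlim_max)
                return 0;               /* already as high as we may go */
        rl.rlim_cur = rl.rlim_max;
        if (setrlimit(RLIMIT_NOFILE, &rl) < 0)
                return -errno;
        return 0;
}

/* Call in the child between fork() and exec(): cap the soft limit at FD_SETSIZE
 * so legacy select() users cannot be given fds the fd_set bitmap cannot hold
 * (FD_SET() on such an fd writes past the fd_set). The hard limit is left
 * untouched, so a child that knows better can raise the soft limit again. */
static int rlimit_nofile_safe(void) {
        struct rlimit rl;

        if (getrlimit(RLIMIT_NOFILE, &rl) < 0)
                return -errno;
        if (rl.rlim_cur <= FD_SETSIZE)
                return 0;
        rl.rlim_cur = FD_SETSIZE;
        if (setrlimit(RLIMIT_NOFILE, &rl) < 0)
                return -errno;
        return 0;
}

/* Helper for inspection: current soft limit, 0 if it cannot be read. */
static rlim_t current_soft_nofile(void) {
        struct rlimit rl;

        if (getrlimit(RLIMIT_NOFILE, &rl) < 0)
                return 0;
        return rl.rlim_cur;
}
```

Order matters: bump in the long-running daemon so it is not starved of fds, and cap again only in the forked child right before exec, never in the parent.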
- Add synopsis to `--discover` and `--validate` options.
- `-l` is for `--list`, not for `--mtree`.
(cherry picked from commit a0582220f5fe4927487bbfd4d56d2c1abd964e4a)
(edited to remove --validate for v253, where it doesn't exist)
(cherry picked from commit 44b29d93c39d826d69734dbab88b94ad56d529b4)
This fixes sd_bus_error_add_map and man/sd_uid_get_state
(cherry picked from commit 0ee42394374db269fc85f9cdbe5d7249fee541b3)
(cherry picked from commit 0144678b04c2193bf89e0666e7c0e9f5dce19ffa)
It is defined later in the same file
(cherry picked from commit d511acdf8257389a4b670c120717e5b6bc224986)
(cherry picked from commit b283661e01dbb5f2de166e0e25bdc01bf0dde4b1)
On slower/overloaded systems it may take a bit for the swtpm socket
to show up:
I: Started swtpm as PID 189419 with state dir /tmp/tmp.pWqUutuGUj
I: Configured emulated TPM2 device tpm-spapr
+ tee /var/tmp/systemd-test-TEST-70-TPM2_1/console.log
+ timeout --foreground 1200 /bin/qemu-system-ppc64le -smp 4 ...
qemu-system-ppc64le: -chardev socket,id=chrtpm,path=/tmp/tmp.pWqUutuGUj/sock: Failed to connect to '/tmp/tmp.pWqUutuGUj/sock': No such file or directory
E: qemu failed with exit code 1
Spotted regularly in the ppc64le cron job and in some Ubuntu CI/CentOS CI
pr runs [0].
[0] https://github.com/systemd/systemd/pull/29183#issuecomment-1721727927
(cherry picked from commit 18c3ffbfcc2d4d6d1a4680092123e510945f7a78)
(cherry picked from commit 2171f689b8596458e21ac75766326431c7d151cc)
We can't do anything about them anyway, and most importantly this seems
to alleviate systemd/systemd-centos-ci#660, which should make the CIs
a bit less angry (at least until the issue is addressed properly).
(cherry picked from commit 3a89904e45cbbd96fb1c5d0768de5e5fcdaaa508)
(cherry picked from commit af7d007f897818068965a6500798815cc1335b72)