1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2025-01-06 13:17:44 +03:00
Commit Graph

60933 Commits

Author SHA1 Message Date
Yu Watanabe
63e6a653e3 core/unit: merge two loops into one
No functional change, just refactoring.

(cherry picked from commit 4b7918a65c)
2022-12-20 19:15:44 +01:00
Yu Watanabe
30a545965b core/unit: fix logic of dropping self-referencing dependencies
Fixes a bug in 15ed3c3a18.

(cherry picked from commit 53e0e6ef0e)
2022-12-20 19:15:44 +01:00
Yu Watanabe
1d7b1ee1a7 core/unit: drop dependency to the unit being merged
Fixes a bug in 15ed3c3a18.

Fixes #24990. Also, hopefully fixes #24577.

(cherry picked from commit c8b3b52413)
2022-12-20 19:15:44 +01:00
Yu Watanabe
0014192404 timesync: ignore IPv6 addresses when the kernel does not support IPv6
Fixes #25728.

(cherry picked from commit 713e6e631d)
2022-12-20 19:15:43 +01:00
Yu Watanabe
966afb965e timesync: downgrade log message about unsupported address family
As this is mostly not user's fault.

(cherry picked from commit 7a12328735)
2022-12-20 19:15:43 +01:00
Zbigniew Jędrzejewski-Szmek
b1cf593b11 basic: do not output emojis if not on a proper terminal
$TERM would generally be set if we're connected to a proper graphical terminal
emulator. In all other cases, in particular if $TERM is not set, we almost
certainly are not connected to something that can output emojis. In particular
the text console is unlikely to ever do it correctly.

So let's invert the check, and only write emojis if $TERM is set.

Fixes #25521.

(cherry picked from commit 7a14db9cfd)
2022-12-20 19:15:43 +01:00
Felix Riemann
1b7c8d9c3a timesync: Keep trying to connect even if the socket cannot be opened
This makes sure that after a server could not be contacted due to a
socket error, other (possibly working) NTP servers in the list of
configured NTP servers are (re-)tried.

Fixes #25728.

(cherry picked from commit 9b4e04f0cd)
2022-12-20 19:15:43 +01:00
Zbigniew Jędrzejewski-Szmek
9b75a3d050 coredump: do not allow user to access coredumps with changed uid/gid/capabilities
When the user starts a program which elevates its permissions via setuid,
setgid, or capabilities set on the file, it may access additional information
which would then be visible in the coredump. We shouldn't make the the coredump
visible to the user in such cases.

Reported-by: Matthias Gerstner <mgerstner@suse.de>

This reads the /proc/<pid>/auxv file and attaches it to the process metadata as
PROC_AUXV. Before the coredump is submitted, it is parsed and if either
at_secure was set (which the kernel will do for processes that are setuid,
setgid, or setcap), or if the effective uid/gid don't match uid/gid, the file
is not made accessible to the user. If we can't access this data, we assume the
file should not be made accessible either. In principle we could also access
the auxv data from a note in the core file, but that is much more complex and
it seems better to use the stand-alone file that is provided by the kernel.

Attaching auxv is both convient for this patch (because this way it's passed
between the stages along with other fields), but I think it makes sense to save
it in general.

We use the information early in the core file to figure out if the program was
32-bit or 64-bit and its endianness. This way we don't need heuristics to guess
whether the format of the auxv structure. This test might reject some cases on
fringe architecutes. But the impact would be limited: we just won't grant the
user permissions to view the coredump file. If people report that we're missing
some cases, we can always enhance this to support more architectures.

I tested auxv parsing on amd64, 32-bit program on amd64, arm64, arm32, and
ppc64el, but not the whole coredump handling.

(cherry picked from commit 3e4d0f6cf9)
2022-12-20 19:15:43 +01:00
Zbigniew Jędrzejewski-Szmek
cc2eb7a9b5 coredump: adjust whitespace
(cherry picked from commit 510a146634)
2022-12-20 19:15:43 +01:00
Frantisek Sumsal
864c10add7 mkosi: work around a file conflict between systemd and systemd-boot
(cherry picked from commit a32831ae1d)
2022-12-16 17:05:11 +01:00
Frantisek Sumsal
7c208311d4 packit: drop/replace deprecated directives
(cherry picked from commit 0969bb4246)
2022-12-16 17:05:11 +01:00
Frantisek Sumsal
689161a301 packit: ignore unpackaged files
It may take a bit for newly introduced binaries/other files to get
properly integrated into the Rawhide specfile, so don't choke up in the
meantime when rpmbuild detects unpackaged files.

(cherry picked from commit ed7c45a8c8)
2022-12-16 17:05:11 +01:00
Lennart Poettering
31bb2ef7ea mkosi: pull in libbpf1 instead of legacy libbpf0 on debian
(cherry picked from commit 0d9e6d76be)
2022-12-14 23:22:28 +00:00
Lennart Poettering
2ffbfd532b dissect-image: probe file system via main block device fd/image file fd
let's make sure we can probe file systems also when unprivileged:
instead of probing the partition block devices for file system
signatures, let's go via the original "whole" fd.

libblkid makes this easy actually, as it allows us to specify the
offset/size of the area to probe. And we have the partition
offsets/sizes anyway, so it's trivial for us to make use of.

This thus enables fs probing also when lacking privs and operating on
naked regular files without loopback devices or anything like this.

(cherry picked from commit c80c9079c8)
2022-12-14 17:47:43 +01:00
Lennart Poettering
93dd7983c3 test-loop-block: let's explicitly flush buffer cache on whole block device
Let's explicitly flush the kernel's buffer cache on the whole block
device once we ran "mkfs". This is necessary, because partition and
whole block devices maintain separate buffer caches, and thus writing
to one will not be visible on the other if cached there already, until
the latter's cache is explicitly flushed.

This is preparation for later adding support for probing file sytems
also if we have no open partition block devices, and hence want to use
the whole block device instead.

(cherry picked from commit 59a4c0d7e3)
2022-12-14 17:46:02 +01:00
Lennart Poettering
da8a00c612 test-loop-block: also test dissection without ADD/PIN of partition block devices
Let's extend the test further, and try the codepaths where we do not
pin/add the partition block devices (i.e. which is the codepaths we use
when running without privs)

(cherry picked from commit 9f2d9a4aab)
2022-12-14 17:46:02 +01:00
Lennart Poettering
b5abadf573 test-loop-block: tighten tests a bit - check fstype, too
Let's verify that we properly created the file systems once we did so.
And tets this way that our dissector works correctly.

(cherry picked from commit 02c15120a1)
2022-12-14 17:46:02 +01:00
msizanoen1
14cff81877 core/unit: allow overriding an ongoing freeze operation
Sometimes a freeze operation can hang due to the presence of kernel
threads inside the unit cgroup (e.g. QEMU-KVM). This ensures that the
ThawUnit operation invoked by systemd-sleep at wakeup always thaws the
unit.

(cherry picked from commit 3d19e122cf)
2022-12-14 17:18:59 +01:00
msizanoen1
d9c1baec66 core/cgroup: ignore kernel cgroup.events when thawing
The `frozen` state can be `0` while the processes are indeed frozen (see
last commit). Therefore do not respect cgroup.events when checking
whether thawing is necessary.

(cherry picked from commit 7fcd269784)
2022-12-14 17:18:35 +01:00
msizanoen1
8798badd2c core/cgroup: thaw slice of unit when thawing unit
This ensures starting a new unit under a frozen slice work as expected.

(cherry picked from commit a14137d90e)
2022-12-14 17:18:35 +01:00
msizanoen1
5c1e5944c0 sleep: always thaw user.slice even if freezing failed
`FreezeUnit` can fail even when some units did got frozen, causing some
user units to be frozen. A possible symptom is `user@.service` being
frozen while still being able to log in over SSH.

(cherry picked from commit efa736d383)
2022-12-14 17:18:35 +01:00
Luca Boccassi
c55426445a pid1: add env var to override default mount rate limit burst
I am hitting the rate limit on a busy system with low resources, and
it stalls the boot process which is Very Bad (TM).

(cherry picked from commit 24a4542cfa)

Included in the backport because it's a workaround for an issue introduced
in v249.
2022-12-14 17:15:23 +01:00
Luca Boccassi
7c0aacc733 test: double default image size
I am now hitting the 500MB limit on Debian stable.

(cherry picked from commit de28dd77c1)
2022-12-14 17:14:17 +01:00
Zbigniew Jędrzejewski-Szmek
57ab4e2d47 coredump: cescape invalid json data before logging
In both cases, the json string is short, so we can print it, which is useful
for diagnosing invalid data in packages. But we need escape non-printable
characters.

https://bugzilla.redhat.com/show_bug.cgi?id=2152685

I went over the rest of the codebase, and it seems that other calls to
json_parse() don't have this problem.

(cherry picked from commit c5966ab5bf)
2022-12-14 17:07:56 +01:00
Daan De Meyer
d78dc885b0 execute: Pass AT_FDCWD instead of -1
Let's enforce that callers pass AT_FDCWD as read_dfd to load_credential()
to avoid an assert() in read_full_file_full() if read_dfd is -1.

(cherry picked from commit 661e4251a5)
2022-12-14 17:07:46 +01:00
Zbigniew Jędrzejewski-Szmek
4cfdb1c73b udev: rework 60-evdev.rules to be "additive"
We would execute up to four hwdb match patterns (+ the keyboard builtin):
After the first hit, we would skip the other patterns, because of the GOTO="evdev_end"
action.

57bb707d48 (rules: Add extended evdev/input match
rules for event nodes with the same name), added an additional match with
":phys:<phys>:ev:<ev>" inserted. This breaks backwards compatibility for user
hwdb patterns, because we quit after the first match.

In general hwdb properties are "additive". We often have a general rule that
matches a wider class and then some specific overrides. E.g. in this particular
case, we have a match for all trackpoints, and then a bunch of model-specific
settings.

So let's change the rules to try all the match patterns and combine the
received properties. We execute builtin-keyboard once at the end, if there was
at least one match.

Fixes #25698. Fixes https://bugzilla.redhat.com/show_bug.cgi?id=2152226.

This also impacts other cases which I think would be very confusing for users.
Since we quit after a first successful match, if we had e.g. a match for
'evdev:input:b*v*p*' in out database, and the user added a match using
'evdev:name:*', which is the approach we document in the .hwdb files and which
users quite often use, it would be silently ignored. What's worse, if we added
our 'evdev:input:b*v*p*' match at a later point, user's match would stop
working. If we combine all the properties, we get more stable behaviour.

(cherry picked from commit 953c928c24)
2022-12-14 17:07:27 +01:00
Yu Watanabe
3f75b24979 test: add tests for "uninitialized" string handling by id128_read_fd()
(cherry picked from commit 66c7949e08)
2022-12-14 17:06:02 +01:00
Yu Watanabe
fe521adff9 sd-id128: make id128_read() or friends return -ENOPKG when the file contents is "uninitialized"
Then, this drops ID128_PLAIN_OR_UNINIT. Also, this renames
Id128Format -> Id128FormatFlag, and make it bitfield.

Fixes #25634.

(cherry picked from commit 057bf780e9)
2022-12-14 17:06:02 +01:00
Yu Watanabe
0c266197f5 sd-id128: several cleanups
- use SD_ID128_STRING_MAX or friend,
- use sizeof(sd_id128_t),
- use newly introduced ascii_ishex().

(cherry picked from commit 28bf2de201)
2022-12-14 17:06:02 +01:00
Yu Watanabe
8f69f14344 string-util: introduce ascii_ishex()
(cherry picked from commit 0ce8870f19)
2022-12-14 17:06:02 +01:00
Yu Watanabe
8ff529fb80 resolve: drop recursion in TXT field handling
Fixes #25683.

(cherry picked from commit 494ef16743)
2022-12-14 17:06:02 +01:00
Yu Watanabe
aeb3653744 sd-device: fix double-free
If an attribute is read but the value is not used (i.e. ret_value is NULL),
then sd_device_get_sysattr_value() mistakenly frees the read data even though
it is cached internally.

Fixes a bug introduced by acfc2a1d15.

Fixes #25702.

(cherry picked from commit eb18e7b782)
2022-12-14 17:06:02 +01:00
Yu Watanabe
13de548fca network: manage addresses in the way the kernel does
This effectively reverts 5d0030310c.

With the commit 5d0030310c, networkd manages
addresses with the detailed hash and compare functions. But that causes
networkd cannot detect address update by the kernel or an external tool.
See issue
https://github.com/systemd/systemd/issues/481#issuecomment-1328132401.

With this commit, networkd (again) manages addresses in the way that the
kernel does. Hence, we can correctly detect address update.

(cherry picked from commit 42f8b6a808)
2022-12-08 23:01:13 +01:00
Ivan Shapovalov
fcc174cbdd import: wire up SYSTEMD_IMPORT_BTRFS_{SUBVOL,QUOTA} to importd
Btrfs quotas are actually being enabled in systemd-importd via
setup_machine_directory(), not in systemd-{import,pull} where those
environment variables are checked. Therefore, also check them in
systemd-importd and avoid enabling quotas if requested by the user.

Fixes: #18421
Fixes: #15903
Fixes: #24387
(cherry picked from commit c7779a61ac)
2022-12-08 23:01:13 +01:00
Ivan Shapovalov
6cb0724a06 machine-pool: simplify return values from setup_machine_directory()
Non-negative return values of setup_machine_directory() were never used
and never had clear meaning, so do not distinguish between various
non-error conditions and just return 0 in all cases.

(cherry picked from commit e9231901a2)
2022-12-08 23:01:13 +01:00
Jan Janssen
1c9e7fc8f2 boot: Only do full driver initialization in VMs
Doing the reconnect dance on some real firmware creates huge delays on
boot. This should not be needed anymore as we now ask the firmware to
make console devices and xbootldr partitions available explicitly in a
more targeted fashion.

Fixes: #25510
(cherry picked from commit f6d59e2ebf)

Note: I reapplied the original patch by hand, hopefully breaking nothing
in the process. In 'main' open_volume() was changed to call either
vmm_open() or open_volume(), and the call to reconnect_all_drivers() was
moved to vmm_open(). Here, that call is moved to the point where open_volume()
is called, guarded by is_direct_boot(().
2022-12-08 23:01:13 +01:00
Gerd Hoffmann
79b97ec652 boot: improve support for qemu (helpers only)
This adds some helpers added in a patch so that the subsequent patch
applies better. No functional change.

(cherry picked from commit 8fec4f95be)
2022-12-08 23:01:13 +01:00
Jan Janssen
87add68b39 boot: Make sure all partitions drivers are connected
(cherry picked from commit 7f19be808c)
2022-12-08 23:01:13 +01:00
Jan Janssen
989f0c52e1 boot: Use EFI_BOOT_MANAGER_POLICY_PROTOCOL to connect console devices
(cherry picked from commit b99bf58118)
2022-12-08 23:01:13 +01:00
Yu Watanabe
b89be71bf4 network: unset Link.ndisc_configured only when a new address or route is requested
This fixes an issue introduced by af2aea8bb6.

When an outdated address or route is passed to link_request_address()/route(),
then they return 0 and the address or route will not be assigned. Such
situation can happen when we receive RA with zero lifetime. In that
case, we should not unset Link.ndisc_configured flag, otherwise even
no new address nor route will assigned, the interface will enter to the
configuring state, and unnecessary DBus property change is emit and the state
file will be updated. That makes resolved or timesyncd triggered to
reconfigure the interface.

Fixes #25456.

(cherry picked from commit d9a95033bf)
2022-12-08 23:01:13 +01:00
Yu Watanabe
fc4f804b07 network: fix indentation
(cherry picked from commit d87c5cd8d9)
2022-12-08 23:01:13 +01:00
Lennart Poettering
fc60072926 dissect: rework DISSECT_IMAGE_ADD_PARTITION_DEVICES + DISSECT_IMAGE_OPEN_PARTITION_DEVICES
Curently, these two flags were implied by dissect_loop_device(), but
that's not right, because this means systemd-gpt-auto-generator will
dissect the root block device with these flags set and that's not
desirable: the generator should not cause the partition devices to be
created (we don't intend to use them right-away after all, but expect
udev to find/probe them first, and then mount them though .mount units).
And there's no point in opening the partition devices, since we do not
intend to mount them via fds either.

Hence, rework this: instead of implying the flags, specify them
explicitly.

While we are at it, let's also rename the flags to make them more
descriptive:

DISSECT_IMAGE_MANAGE_PARTITION_DEVICES becomes
DISSECT_IMAGE_ADD_PARTITION_DEVICES, since that's really all this does:
add the partition devices via BLKPG.

DISSECT_IMAGE_OPEN_PARTITION_DEVICES becomes
DISSECT_IMAGE_PIN_PARTITION_DEVICES, since we not only open the devices,
but keep the devices open continously (i.e. we "pin" them).

Also, drop the DISSECT_IMAGE_BLOCK_DEVICE combination flag, since it is
misleading, i.e. it suggests it was appropriate to specify on all
dissected blocking devices, but that's precisely not the case, see the
systemd-gpt-auto-generator case. My guess is that the confusion around
this was actually the cause for this bug we are addressing here.

Fixes: #25528
(cherry picked from commit 73d88b806b)
2022-12-08 23:01:13 +01:00
Yu Watanabe
1267b35273 fuzz: shorten filename of testcase
Follow-up for 46dc071985 and
76519cecc7.

(cherry picked from commit 029a7f5a0e)
2022-12-08 23:00:58 +01:00
Yu Watanabe
7fc478f751 resolve: optimize conversion of TXT fields to json
Fixes oss-fuzz#54080 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54080).

Fixes #25654.

(cherry picked from commit b9152f2d63)
2022-12-08 23:00:35 +01:00
Yu Watanabe
772e89452e hexdecoct: fix NULL pointer dereferences in hexmem()
Fixes oss-fuzz#54090 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54090).

Fixes #25655.

(cherry picked from commit 7d34567444)
2022-12-08 23:00:35 +01:00
Yu Watanabe
002fc46688 hexdecoct: add missing NULL check
Fixes oss-fuzz#54065 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=54065).

Fixes #25650.

(cherry picked from commit 45655e776f)
2022-12-08 23:00:35 +01:00
Yu Watanabe
be1088b7a0 test: add tests for base64_append()
(cherry picked from commit 6b0df52e58)
2022-12-08 23:00:35 +01:00
Yu Watanabe
acb0414a1f hexdecoct: several cleanups for base64_append()
- add missing assertions,
- use size_t for buffser size or memory index,
- handle empty input more gracefully,
- return the length or the result string,
- fix off-by-one issue when the prefix is already long enough.

(cherry picked from commit c21b316964)
2022-12-08 23:00:35 +01:00
Antonio Alvarez Feijoo
9410eb20eb cryptsetup: retry TPM2 unseal operation if it fails with TPM2_RC_PCR_CHANGED
Quoting "Trusted Platform Module Library - Part 3: Commands (Rev. 01.59)":

"pcrUpdateCounter – this parameter is updated by TPM2_PolicyPCR(). This value
may only be set once during a policy. Each time TPM2_PolicyPCR() executes, it
checks to see if policySession->pcrUpdateCounter has its default state,
indicating that this is the first TPM2_PolicyPCR(). If it has its default value,
then policySession->pcrUpdateCounter is set to the current value of
pcrUpdateCounter. If policySession->pcrUpdateCounter does not have its default
value and its value is not the same as pcrUpdateCounter, the TPM shall return
TPM_RC_PCR_CHANGED.

If this parameter and pcrUpdateCounter are not the same, it indicates that PCR
have changed since checked by the previous TPM2_PolicyPCR(). Since they have
changed, the previous PCR validation is no longer valid."

The TPM will return TPM_RC_PCR_CHANGED if any PCR value changes (no matter
which) between validating the PCRs binded to the enrollment and unsealing the
HMAC key, so this patch adds a retry mechanism in this case.

Fixes #24906

(cherry picked from commit 0254e4d66a)
2022-12-08 23:00:35 +01:00
Yu Watanabe
1c8abb343a man: mention that DefaultRouteOnDevice= create the IPv4 default route
And add an example setting for creating an IPv6 default route.

Closes #25440.

(cherry picked from commit 15f330cf87)
2022-12-08 23:00:35 +01:00