1
1
mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-22 13:33:56 +03:00
Commit Graph

51628 Commits

Author SHA1 Message Date
scootergrisen
a22bcf503b po: Translated using Weblate (Danish)
Currently translated at 100.0% (189 of 189 strings)

Co-authored-by: scootergrisen <scootergrisen@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/master/da/
Translation: systemd/main
2021-06-03 01:31:51 +09:00
Luca Boccassi
c17b4f4b0e
Merge pull request #19783 from yuwata/efi-build-options
efi: constify several functions and enable more warnings
2021-06-02 17:02:57 +01:00
Luca Boccassi
357f5b07ae
Merge pull request #19779 from poettering/unit-name-length-tweak
improve logging when encountering mount points we cannot convert to unit names due to length
2021-06-02 11:32:52 +01:00
Yu Watanabe
7bbcaee307 cryptsetup: fix typo 2021-06-02 11:35:14 +02:00
Yu Watanabe
505ab9dda2 meson: sort compiler flags 2021-06-02 15:53:29 +09:00
Yu Watanabe
6526736397 meson: enable more warnings when building efi binary 2021-06-02 15:49:44 +09:00
Yu Watanabe
ca474d5114 efi: constify several arguments of functions which handle loader entries 2021-06-02 15:45:47 +09:00
Yu Watanabe
cfb7fa289d efi: drop const qualifiers from arguments in uefi_call_wrapper() 2021-06-02 15:43:21 +09:00
Yu Watanabe
edad24c61e efi: add const qualifier to EFI variable handling functions 2021-06-02 15:41:39 +09:00
Yu Watanabe
ef53d52b01 efi: add const qualifier to string utils 2021-06-02 15:40:56 +09:00
Yu Watanabe
72dc626b3d efi: include endian.h to handle endian correctly
The macro __BYTE_ORDER__ is defined in endian.h.
2021-06-02 15:38:32 +09:00
Yu Watanabe
959ab90bbc efi: do not use _STRING_ARCH_unaligned macro
It is already removed from glibc. See,
https://sourceware.org/git/?p=glibc.git;a=commit;h=16396c41deab45f715ffd813280d9d685b3b281e
https://sourceware.org/git/?p=glibc.git;a=commit;h=09a596cc2cf4e0f9f8e9f3bba4b1a97efcb13bcb
2021-06-02 15:36:29 +09:00
Yu Watanabe
122dbd92c9 string-util: trivial optimizations for strverscmp_improved() 2021-06-02 14:20:25 +09:00
Lennart Poettering
3ebc9b9b30 mount: be more descriptive when logging about overly long mount point paths
This is prompted by #17684: let's very explicitly say that the name is
too long for us, and that we'll ignore it.
2021-06-01 23:08:21 +02:00
Lennart Poettering
598a6a8491 core: when looping over mount/swap names, continue if we find one which doesn't translate to a valid unit name 2021-06-01 23:08:21 +02:00
Lennart Poettering
9d5acfab20 unit-name: generate a clear error code when converting an overly long fs path to a unit name 2021-06-01 23:08:13 +02:00
Lennart Poettering
3fe398cec0 dissect: if dissecting without udev, don't look for usec timestamp on db record
There will likely be none, hence don't bother.

This fixes an issue in systemd-gpt-auto-generator where we'll try to
wait for the udev db for the partitions even though though udev might
simplynot be around and via the DISSECT_IMAGE_NO_UDEV flag were
explicitly told not to bother.

Fixes: #19377
2021-06-01 22:52:16 +02:00
Zbigniew Jędrzejewski-Szmek
71889176e4 pam: do not require a non-expired password for user@.service
Without this parameter, we would allow user@ to start if the user
has no password (i.e. the password is "locked"). But when the user does have a password,
and it is marked as expired, we would refuse to start the service.
There are other authentication mechanisms and we should not tie this service to
the password state.

The documented way to disable an *account* is to call 'chage -E0'. With a disabled
account, user@.service will still refuse to start:

systemd[16598]: PAM failed: User account has expired
systemd[16598]: PAM failed: User account has expired
systemd[16598]: user@1005.service: Failed to set up PAM session: Operation not permitted
systemd[16598]: user@1005.service: Failed at step PAM spawning /usr/lib/systemd/systemd: Operation not permitted
systemd[1]: user@1005.service: Main process exited, code=exited, status=224/PAM
systemd[1]: user@1005.service: Failed with result 'exit-code'.
systemd[1]: Failed to start user@1005.service.
systemd[1]: Stopping user-runtime-dir@1005.service...

Fixes https://bugzilla.redhat.com/show_bug.cgi?id=1961746.
2021-06-01 19:27:25 +02:00
Lennart Poettering
fedfd21a1f
Merge pull request #19774 from poettering/tpm2-tweaks
cryptsetup: two minor tpm2 tweaks
2021-06-01 19:27:06 +02:00
Lennart Poettering
cbb6c000c7 logind-dbus: correctly calculate when to create /etc/nologin file in all cases
Fixes: #19258
2021-06-01 19:26:47 +02:00
Lennart Poettering
abc50cf6c8 cryptsetup: add missing error branch
Found in the process of trying to figure out #19193, but I doubt it's
going to fix that.
2021-06-01 18:04:06 +02:00
Lennart Poettering
71b25deae3 cryptsetup: don't bother waiting for TPM2 devices if we are on EFI and EFI says there is no TPM2 device
Note that this means EFI-systems with a manually added TPM device won't
be supported automatically, but given that the TPM2 trust model kinda
requires firmware support I doubt it matters supporting this. And in all
other cases it speeds things up a bit.
2021-06-01 16:36:18 +02:00
Lennart Poettering
cad105442d cryptsetup: if TPM2 support is not compiled in, fallback to non-TPM2 mode gracefully
Fixes: #19177
2021-06-01 16:34:34 +02:00
Lennart Poettering
8e1422036a
Merge pull request #19768 from poettering/homectl-fido2-lock-with
homed: catch up with FIDO2 features in cryptsetup + other fixes
2021-06-01 15:53:36 +02:00
Ondrej Kozina
358b1f68b0 cryptsetup-util: disable pbkdf benchmark in cryptsetup_set_minimal_pbkdf.
No need to benchmark pbkdf when asking for minimal values
anyway.

1000 iterations count is minimum for both LUKS1 and LUKS2
pbkdf2 keyslot parameters according to NIST SP 800-132, ch. 5.2.

Iterations count can not be lower than recommended minimum
when benchmark is disabled. The time_ms member is ignored with
benchmark disabled.
2021-06-01 15:53:14 +02:00
Lennart Poettering
c719805ecb dissect: the libcryptsetup code for Verity crypt_device objects too
Across the codebase we are pretty good at setting the per-crypt_device
log functions once we allocated the object. But we forgot one case. Fix
that.
2021-06-01 13:33:13 +02:00
Lennart Poettering
2f67864064 cryptsetup: explicitl set default log functions wherever needed
Code using libcryptsetup already sets the global log function if it uses
dlopen_cryptsetup(). Make sure we do the same for the three programs
that explicitly link against libcryptsetup and hence to not use
dlopen_cryptsetup().
2021-06-01 13:33:09 +02:00
Lennart Poettering
e9252faee9 cryptsetup: implicitly set global log functions when loading libcryptsetup dynamically
So far we only set the per-crypt_device log functions, but some
libcryptsetup calls we invoke without a crypt_device objects, and we
want those to redirect to our infra too.
2021-06-01 13:33:05 +02:00
Lennart Poettering
0608e2d3a5 homework: only default to LUKS storage if libcryptsetup is installed 2021-06-01 13:33:01 +02:00
Lennart Poettering
71eceff645 homework: make libcryptsetup dep runtime optional 2021-06-01 13:32:40 +02:00
Lennart Poettering
e49614278d homework: fix return codes when using fido2/pkcs11 cached passwords
Otherwise we'll accidently report a record we can safely decrypt as not
decrypted.
2021-06-01 13:32:36 +02:00
Lennart Poettering
bfc0cc1a25 userdb: make most loading of JSON user record data "permissive"
We want user records to be extensible, hence we shouldn't complain about
fields we can't parse. In particular we want them to be extensible for
our own future extensions.

Some code already turned the permissive flag when parsing the JSON data,
but most did not. Fix that. A few select cases remain where the bit is
not set: where we just gnerated the JSON data ourselves, and thus can be
reasonably sure that if we can't parse it it's our immediate programming
error and not just us processing a user record from some other tool or a
newer version of ourselves.
2021-06-01 13:32:31 +02:00
Lennart Poettering
17e7561a97 homectl: store FIDO2 up/uv/clientPin fields in user records too
This catches up homed's FIDO2 support with cryptsetup's: we'll now store
the uv/up/clientPin configuration at enrollment in the user record JSON
data, and use it when authenticating with it.

This also adds explicit "uv" support: we'll only allow it to happen when
the client explicity said it's OK. This is then used by clients to print
a nice message suggesting "uv" has to take place before retrying
allowing it this time. This is modelled after the existing handling for
"up".
2021-06-01 13:31:53 +02:00
Lennart Poettering
7dba77a67e
Merge pull request #17096 from eworm-de/ask-password
ask-password: allow to control emoji
2021-06-01 11:44:00 +02:00
Yu Watanabe
a8f76a8db7
Merge pull request #19766 from keszybz/fuzz-fixes
Fuzz fixes
2021-06-01 11:14:45 +09:00
Lennart Poettering
6f2ef23a4e udevadm: output trigger UUID in UUID format, instead of ID128
The SYNTH_UUID property also shows it in UUID format, and so does the
kernel and its docs otherwise, hence accept our fate and also output it
in UUID.
2021-06-01 11:14:03 +09:00
Luca Boccassi
6c498f6d89
Merge pull request #19765 from keszybz/early-boot-logging-improvements
Early boot logging improvements
2021-05-31 22:59:51 +01:00
Christian Hesse
9cb5bf913d ask-password: use FLAGS_SET()
Check for flags with FLAGS_SET() where possible.
2021-05-31 21:13:31 +02:00
Christian Hesse
e390c34d00 ask-password: allow to control lock and key emoji
Giving --echo to systemd-ask-password allows to echo the user input.
There's nothing secret, so do not show a lock and key emoji by default.

The behavior can be controlled with --emoji=yes|no|auto. The default is
auto, which defaults to yes, unless --echo is given.
2021-05-31 21:13:31 +02:00
Zbigniew Jędrzejewski-Szmek
2dd7a72d5a fuzz-journal-remote: print some kinds of errors
In https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=34803, we fail with:

  Assertion 'IN_SET(r, -ENOMEM, -EMFILE, -ENFILE)' failed at src/journal-remote/fuzz-journal-remote.c:69,
    function int LLVMFuzzerTestOneInput(const uint8_t *, size_t)(). Aborting.
  AddressSanitizer:DEADLYSIGNAL

Let's try to print the error, so maybe we can see what is going on.
With the previous commit we shouldn't print out anything.
2021-05-31 19:29:07 +02:00
Zbigniew Jędrzejewski-Szmek
23b8aa648d journal-remote: downgrade messages about input data to warnings
Those are unexpected, so a user-visible message seems appropriate.
But they are not our errors, and to some extent we can recover from
them, so "warning" seems more appropriate than "error".
2021-05-31 19:29:07 +02:00
Zbigniew Jędrzejewski-Szmek
a88f9dbae2 systemctl: unset const char* arguments in static destructors
When fuzzing, the following happens:
- we parse 'data' and produce an argv array,
- one of the items in argv is assigned to arg_host,
- the argv array is subsequently freed by strv_freep(), and arg_host has a dangling symlink.

In normal use, argv is static, so arg_host can never become a dangling pointer.
In fuzz-systemctl-parse-argv, if we repeatedly parse the same array, we
have some dangling pointers while we're in the middle of parsing. If we parse
the same array a second time, at the end all the dangling pointers will have been
replaced again. But for a short time, if parsing one of the arguments uses another
argument, we would use a dangling pointer.

Such a case occurs when we have --host=… --boot-loader-entry=help. The latter calls
acquire_bus() which uses arg_host.

I'm not particularly happy with making the code more complicated just for
fuzzing, but I think it's better to resolve this, even if the issue cannot
occur in normal invocations, than to deal with fuzzer reports.

Should fix https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31714.
2021-05-31 19:29:07 +02:00
Zbigniew Jędrzejewski-Szmek
e7b18106f8 pid1: remove dot from initial announcement
This line is so long, that the end is usually not visible on
the terminal. The dot looks out of place, and dropping it saves one
column for more interesting content.
2021-05-31 19:22:51 +02:00
Zbigniew Jędrzejewski-Szmek
44a989e039 tty-ask-password-agent: log when starting a query on the console
When looking at logs from a boot with an encrypted device, I see
(with unrelevant messages snipped):
[    2.751692] systemd[1]: Started Dispatch Password Requests to Console.
[    7.929199] systemd-cryptsetup[258]: Set cipher aes, mode xts-plain64, key size 512 bits for device /dev/disk/by-uuid/2d9b648a-15b1-4204-988b-ec085089f8ce.
[    9.499483] systemd[1]: Finished Cryptography Setup for luks-2d9b648a-15b1-4204-988b-ec085089f8ce.

There is a hug gap in timing without any explanatory message. If I didn't type
in the password, there would be no way to figure out why things blocked from
this log, so let's log something to the log too.
2021-05-31 19:22:51 +02:00
Zbigniew Jędrzejewski-Szmek
0727077b53 tty-ask-password-agent: highlight summary in help 2021-05-31 19:22:51 +02:00
Zbigniew Jędrzejewski-Szmek
af88c399c0 tty-ask-password-agent: mention optional argument in help
0cf8469387 added --console.
6af621248f added an optional argument, but didn't
update the help texts.

Note that there is no ambiguity with the optional argument because no positional
arguments are allowed.
2021-05-31 19:22:51 +02:00
Sebastian Blunt
4858bc0d84 Respect option 'silent' on cryptsetup FIDO2 pin entry
Makes the silent flags behavior consistent between regular password
entry and FIDO2 pin entry.
2021-05-31 17:57:44 +02:00
Zbigniew Jędrzejewski-Szmek
6b42227edb systemctl: put static destructor in the order of variables 2021-05-31 12:17:19 +02:00
Yu Watanabe
d65c5d04f9
Merge pull request #19759 from poettering/emoji-token-text
fido2: add emoji to log message whenever "up" or "uv" is requested
2021-05-29 13:42:48 +09:00
Lennart Poettering
d2b278811f cryptenroll: remove a tiny bit of whitespace 2021-05-28 22:47:50 +02:00