mirror of https://github.com/systemd/systemd-stable.git synced 2024-12-24 21:34:08 +03:00
Commit Graph

60753 Commits

Author SHA1 Message Date
Jan Janssen
e0521346ec stub: Detect empty LoadOptions when run from EFI shell
The EFI shell will pass the entire command line to the application it
starts, which includes the file path of the stub binary. This prevents
us from using the built-in cmdline if the command line is otherwise
empty.

Fortunately, the EFI shell registers a protocol on any images it starts
this way. The protocol even lets us access the args individually, making
it easy to strip the stub path off.

Fixes: #25201
(cherry picked from commit b17f3b3d80)
2022-12-02 14:17:12 +01:00
Jan Janssen
7ca40a8b08 stub: Fix cmdline handling
This fixes some bugs that could lead to garbage getting appended to the
command line passed to the kernel:
 1. The .cmdline section is not guaranteed to be NUL-terminated, but it
    was used as if it was.
 2. The conversion of the command line to ASCII that was passed to the
    stub ate the NUL at the end.
 3. LoadOptions is not guaranteed to be a NUL-terminated EFI string (it
    really should be and generally always is, though).

This also fixes the inconsistent mangling of the command line. If the
.cmdline section was used, ASCII control chars (new lines in particular)
would not be converted to spaces.

As part of this commit, we optimize conversion for the generic code
instead of the (deprecated) EFI handover protocol. Previously we would
convert to ASCII/UTF-8 and then back to EFI string for the (now) default
generic code path. Instead we now convert to EFI string and mangle that
back to ASCII in the EFI handover protocol path.

(cherry picked from commit 927ebebe58)
2022-12-02 14:17:12 +01:00
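The three termination bugs listed in the commit above (a .cmdline section without a NUL, a conversion that swallowed the NUL, and LoadOptions whose size is given in bytes rather than by a terminator) all come down to the same rule: never call strlen() on a buffer whose length you were handed separately. The following is an added example written for this page, not systemd's code; it shows a length-bounded ASCII-to-UTF-16 conversion with the control-character mangling the commit describes, plus the bounded UTF-16 length and reverse conversion used for the handover path. The function names (cmdline8n_to_16, str16n_len, cmdline16n_to_8) are assumptions for illustration; systemd's own helper is xstrn8_to_16().

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <uchar.h>

/* Convert at most n bytes of ASCII to a freshly allocated, NUL-terminated
 * UTF-16 string. The input need not be NUL-terminated (a PE .cmdline section
 * is not), so nothing here calls strlen() on it. Control characters and DEL
 * are mangled to spaces so that e.g. newlines in .cmdline never reach the
 * kernel's command line parser. Name is an assumption for this example. */
char16_t *cmdline8n_to_16(const char *s, size_t n) {
        char16_t *out = calloc(n + 1, sizeof(char16_t)); /* +1: terminator always fits */
        size_t j = 0;

        if (!out)
                return NULL;

        for (size_t i = 0; i < n && s[i] != '\0'; i++) {
                unsigned char c = (unsigned char) s[i];

                if (c < 0x20 || c == 0x7f)
                        c = ' ';
                else if (c >= 0x80)
                        c = '?';          /* non-ASCII is out of scope here */

                out[j++] = (char16_t) c;
        }
        out[j] = 0;                       /* the NUL the old code "ate" */
        return out;
}

/* Number of UTF-16 code units before the first NUL, bounded by a byte size:
 * EFI LoadOptionsSize is in bytes and the buffer need not be NUL-terminated. */
size_t str16n_len(const char16_t *s, size_t size_bytes) {
        size_t n = size_bytes / sizeof(char16_t), i = 0;

        while (i < n && s[i] != 0)
                i++;
        return i;
}

/* Reverse direction for the deprecated EFI handover path: UTF-16 back to a
 * NUL-terminated ASCII string, with the same mangling applied. */
char *cmdline16n_to_8(const char16_t *s, size_t size_bytes) {
        size_t len = str16n_len(s, size_bytes);
        char *out = malloc(len + 1);

        if (!out)
                return NULL;

        for (size_t i = 0; i < len; i++) {
                char16_t c = s[i];

                if (c < 0x20 || c == 0x7f)
                        c = ' ';
                else if (c >= 0x80)
                        c = '?';
                out[i] = (char) c;
        }
        out[len] = '\0';
        return out;
}
```

Both conversion functions take the length as a parameter and stop at whichever comes first, an embedded NUL or the bound, so a section that happens to be padded with garbage after its text is cut at the bound rather than read past.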
Jan Janssen
b39f2ab98f boot: Use xstr8_to_16 for path conversion
(cherry picked from commit 7444e10611)
2022-12-02 14:17:12 +01:00
Jan Janssen
6387a74d2c boot: Use xstr8_to_16
(cherry picked from commit aee515bbb5)
2022-12-02 14:17:12 +01:00
Jan Janssen
ff7469af96 boot: Add xstrn8_to_16
(cherry picked from commit 8ad7deffa9)
2022-12-02 14:17:12 +01:00
Christian Göttsche
475c130003 core: update audit messages
Pass getuid() instead of literal `0` as auid, since user session
managers also issue audit messages on SELinux denials.

(cherry picked from commit c826b7ef32)
2022-11-24 17:38:34 +01:00
Lennart Poettering
c74bc2cd49 dissect: fix fsck
Since f7725647bb when dissecting a disk
image we operate with fds to the device nodes in question wherever we
can. This includes when we fork off fsck, where we pass a /proc/self/fd/
path as argument. This only works if we keep that fd open however and
disable O_CLOEXEC on the fd. Hence do so, and fix fsck this way.

(Without this, all fsck will fail, since the fd path is invalid)

(cherry picked from commit f8ab781223)
2022-11-24 17:38:34 +01:00
Lennart Poettering
ce55eb4ebd process-util: add new FORK_CLOEXEC_OFF flag for disabling O_CLOEXEC on remaining fds
Often the fds that shall stay around in the child shall be passed
to a process over execve(), hence add an option to explicitly disable
O_CLOEXEC on them in the child.

(cherry picked from commit 981cfbe046)
2022-11-24 17:38:34 +01:00
Lennart Poettering
36c3c4172d fd-util: add new fd_cloexec_many() helper
(cherry picked from commit ed18c22c98)
2022-11-24 17:38:34 +01:00
Lennart Poettering
57b4329b38 fd-util: make fd_in_set() (and thus close_all_fds()) handle invalidated fds in the array
let's handle gracefully if fds in the specified array are already
invalidated (i.e. negative). This is handy when putting together arrays
on the fly.

(cherry picked from commit d11c14a981)
2022-11-24 17:38:34 +01:00
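The fsck fix and the two fd-util commits above describe one mechanism: a child that will pass /proc/self/fd/N to an exec'd program must keep N open and must clear O_CLOEXEC on it first, otherwise the path is dangling by the time the program opens it. The block below is an added example for this page, not systemd's code; its fd_cloexec(), fd_cloexec_many() (skipping negative, already-invalidated slots) and fd_proc_path() are assumed names modelled on the description, and demo_cloexec_off() walks through the sequence end to end on a pipe, checking that the /proc path resolves while the fd is open and no longer does once it is closed. It assumes /proc is mounted.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <unistd.h>

/* Set or clear FD_CLOEXEC on one fd. Returns 0, or -errno (e.g. -EBADF). */
int fd_cloexec(int fd, bool cloexec) {
        int flags, nflags;

        flags = fcntl(fd, F_GETFD, 0);
        if (flags < 0)
                return -errno;

        nflags = cloexec ? (flags | FD_CLOEXEC) : (flags & ~FD_CLOEXEC);
        if (nflags == flags)
                return 0;

        return fcntl(fd, F_SETFD, nflags) < 0 ? -errno : 0;
}

/* Same for an array. Negative entries mean "slot already closed/invalidated"
 * and are skipped, the way the fd_in_set() change above tolerates them. */
int fd_cloexec_many(const int fds[], size_t n, bool cloexec) {
        int ret = 0;

        for (size_t i = 0; i < n; i++) {
                int r;

                if (fds[i] < 0)
                        continue;
                r = fd_cloexec(fds[i], cloexec);
                if (r < 0 && ret == 0)
                        ret = r;
        }
        return ret;
}

/* The argv form the child hands to fsck. Only valid while 'fd' stays open. */
int fd_proc_path(int fd, char *buf, size_t bufsz) {
        int n;

        if (fd < 0)
                return -EBADF;
        n = snprintf(buf, bufsz, "/proc/self/fd/%d", fd);
        if (n < 0 || (size_t) n >= bufsz)
                return -ENAMETOOLONG;
        return 0;
}

/* Walk the sequence the fsck fix relies on. Returns 0 on success or a small
 * negative step number so a failure is easy to locate. */
int demo_cloexec_off(void) {
        int p[2], fds[2], flags;
        char path[32];

        if (pipe(p) < 0)
                return -1;

        fds[0] = p[0];
        fds[1] = -1;                       /* invalidated slot, must be skipped */

        /* Step 1: mark the fd close-on-exec, as a careful opener would. */
        if (fd_cloexec(p[0], true) < 0)
                return -2;
        flags = fcntl(p[0], F_GETFD, 0);
        if (flags < 0 || !(flags & FD_CLOEXEC))
                return -3;

        /* Step 2: before execve(), clear it so /proc/self/fd/N survives. */
        if (fd_cloexec_many(fds, 2, false) < 0)
                return -4;
        flags = fcntl(p[0], F_GETFD, 0);
        if (flags < 0 || (flags & FD_CLOEXEC))
                return -5;

        /* Step 3: the path resolves while the fd is open... */
        if (fd_proc_path(p[0], path, sizeof path) < 0 || access(path, F_OK) != 0)
                return -6;

        /* ...and dangles once it is closed: the failure mode fsck hit when
         * O_CLOEXEC dropped the fd across execve(). */
        close(p[0]);
        close(p[1]);
        if (access(path, F_OK) == 0)
                return -7;

        return 0;
}
```

Clearing FD_CLOEXEC is the last thing to do before execve(): a helper that inherits a writable fd it was never meant to see is a classic privilege leak, so only the fds named in argv should lose the flag, and everything else should stay close-on-exec.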
Luca Boccassi
12c41564cd tmpfiles: log at info level when some allowed failures occur
In provision.conf we ship:

d- /root :0700 root :root -
d- /root/.ssh :0700 root :root -

These are allowed to fail, for example on a read-only filesystem. But they still
log at error level, which is annoying and gets flagged. Tune those specific errors
down to info.

There are likely more that could be tuned down, but the important thing is to cover
the tmpfiles.d that we ship right now.

Before:

$ echo -e "d- /root :0700 root :root - \nd- /root/.ssh :0700 root :root -" | SYSTEMD_LOG_LEVEL=err build/systemd-tmpfiles --root=/tmp/img --create -
Failed to create directory or subvolume "/tmp/img/root": Read-only file system
Failed to open path '/tmp/img/root': No such file or directory
$

After:

$ echo -e "d- /root :0700 root :root - \nd- /root/.ssh :0700 root :root -" | SYSTEMD_LOG_LEVEL=err build/systemd-tmpfiles --root=/tmp/img --create -
$

(cherry picked from commit 244c2a8344)
2022-11-24 17:38:34 +01:00
Yu Watanabe
77f524dda0 find-esp: include device sysname in the log message
(cherry picked from commit 388d14659d)
2022-11-24 17:38:34 +01:00
Yu Watanabe
8d23210a2e find-esp: downgrade and ignore error on retrieving PART_ENTRY_SCHEME when searching
Fixes #25332.

(cherry picked from commit 01f234c6f5)
2022-11-24 17:38:34 +01:00
Daan De Meyer
eea92b179d sd-bus: Use goto finish instead of return in bus_add_match_full
Fixes #25340

(cherry picked from commit 0f3c342903)
2022-11-24 17:38:34 +01:00
Daan De Meyer
0916514b8c strv: Make sure strv_make_nulstr() always returns a valid nulstr
strv_make_nulstr() is documented to always return a valid nulstr,
but if the input is `NULL` we return a string terminated with only
a single NUL terminator, so let's fix that and always terminate the
resulting string with two NUL bytes.

(cherry picked from commit 5ea173a91b)
2022-11-24 17:38:34 +01:00
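The strv_make_nulstr() fix above is about an invariant consumers rely on: a nulstr ends in two NUL bytes, so an iterator that walks "item\0item\0\0" can stop at the empty item without a length. The following is an added example for this page, not systemd's code; it builds a nulstr with the double-NUL terminator guaranteed even for NULL input, and deliberately iterates with the payload size as the bound rather than trusting the terminator, so that a buffer one NUL short cannot be read past. The names strv_to_nulstr(), nulstr_next(), nulstr_count() and nulstr_roundtrip() are assumptions for this example.

```c
#include <stddef.h>
#include <stdlib.h>
#include <string.h>

/* Build a nulstr from a NULL-terminated string array. The result is
 * "item\0item\0" followed by one more NUL, so it always ends in two NUL bytes,
 * also when strv is NULL or empty (then the buffer is just "\0\0"). *size
 * receives the payload length, i.e. everything up to and including the last
 * item's separator NUL (0 for an empty input). Caller frees. */
char *strv_to_nulstr(char **strv, size_t *size) {
        size_t total = 0, off = 0;
        char *buf;

        for (char **s = strv; s && *s; s++)
                total += strlen(*s) + 1;

        buf = calloc(total + 2, 1);  /* +2: the double-NUL terminator is never optional */
        if (!buf)
                return NULL;

        for (char **s = strv; s && *s; s++) {
                size_t l = strlen(*s) + 1;   /* copy the item's own NUL as separator */
                memcpy(buf + off, *s, l);
                off += l;
        }

        if (size)
                *size = total;
        return buf;
}

/* Iterate with the payload size as the bound rather than trusting the double
 * NUL: an empty item ("") in the middle then does not stop the walk early,
 * and a buffer that is one NUL short cannot make us read past it. */
const char *nulstr_next(const char *nulstr, size_t size, const char *cur) {
        const char *p = cur ? cur + strlen(cur) + 1 : nulstr;

        if ((size_t) (p - nulstr) >= size)
                return NULL;
        return p;
}

size_t nulstr_count(const char *nulstr, size_t size) {
        size_t n = 0;

        for (const char *p = nulstr_next(nulstr, size, NULL); p; p = nulstr_next(nulstr, size, p))
                n++;
        return n;
}

/* Round trip: returns the item count, or -1 if the double-NUL invariant
 * does not hold on the buffer strv_to_nulstr() produced. */
int nulstr_roundtrip(char **strv) {
        size_t size;
        char *buf = strv_to_nulstr(strv, &size);
        int n;

        if (!buf)
                return -1;
        if (buf[size] != '\0' || buf[size + 1] != '\0') {
                free(buf);
                return -1;
        }
        n = (int) nulstr_count(buf, size);
        free(buf);
        return n;
}
```

The pre-fix behaviour the commit describes (a single NUL for NULL input) would make buf[size + 1] an out-of-bounds read in nulstr_roundtrip(), which is exactly why a consumer that scans for the double NUL cannot tolerate it.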
Lennart Poettering
2ddd7b5def bootctl: rework how we handle referenced but absent EFI boot entries
Follow-up for #25368.

Let's consider ENOENT an expected error, and just debug log about it
(though, let's suffix it with `, ignoring.`). All other errors will log
loudly, as they are unexpected errors.

(cherry picked from commit af1bed8e83)
2022-11-24 17:38:34 +01:00
Yu Watanabe
2daecc7179 bootctl: downgrade log message when firmware reports non-existent or invalid boot entry
Fixes #25359.

(cherry picked from commit 78bfeeae50)
2022-11-24 17:38:34 +01:00
Yu Watanabe
9a7186e92a bootctl: make boot entry id logged in hex
To make consistent with the printed boot id below and other tools e.g.
efibootmgr.

(cherry picked from commit a7dcb75c53)
2022-11-24 17:38:34 +01:00
Yu Watanabe
62f58d94f8 dissect-image: do not try to close invalid fd
Fixes a bug introduced by f7725647bb.

Hopefully fixes #25348.

(cherry picked from commit 088377e092)
2022-11-24 17:38:34 +01:00
Jan Janssen
c1dd021d16 boot: Silence driver reconnect errors
(cherry picked from commit 98ac5192d5)
2022-11-24 17:38:34 +01:00
Franck Bui
a09a41c2f7 meson: install test-kernel-install only when -Dkernel-install=true
This patch fixes the following build failure:

  meson.build:3853:8: ERROR: Unknown variable "test_kernel_install_sh".

Fixes #25432.

(cherry picked from commit cc77a56532)
2022-11-24 17:38:34 +01:00
Lennart Poettering
9b6f12262f udev: make sure auto-root logic also works in UKIs booted from XBOOTLDR
If no root= switch is specified on the kernel command line we'll use the
root disk on which the partition the LoaderDevicePartUUID efi var is
located – as long as that partition is an ESP. Let's slightly liberalize
that and also allow it if that partition is an XBOOTLDR partition. This
ensures that UKIs spawned directly from XBOOTLDR work the same as those
from the ESP.

(Note that this makes no difference if sd-boot is in the mix, as in that
case LoaderDevicePartUUID is always set to the ESP, as that's where
sd-boot is located, and sd-boot will set the var first, sd-stub will
only set it later if it's not set yet.)

(cherry picked from commit e4cb147a2e)
2022-11-24 17:38:34 +01:00
Luca Boccassi
d5e3625a61 repart: respect --discard=no also for block devices
It's only used to avoid BLKDISCARD on individual partitions at the moment.
It can take a lot of time to run on very slow devices, so avoid it for
them too.

(cherry picked from commit 0dce448bbc)
2022-11-24 17:38:34 +01:00
Luca Boccassi
79f161ac65 portable: add a few more useful debug log messages
When attaching and /etc/systemd/system.attached can't be created or used
(eg: dead symlink) the logs are pretty much useless as even at debug
level there's no indication of what is going wrong.
Add some debug logs, and return a more specific error string over D-Bus.

(cherry picked from commit 80d95fcd6e)
2022-11-24 17:38:34 +01:00
Nick Rosbrook
bcd42b3c88 oomd: fix unreachable test case in test-oomd-util
This conditional with !empty_or_root(ctx->path) always returns false
because the most recent oomd_cgroup_context_acquire() call was with the
root cgroup. Make sure this test case can be reached by checking cgroup
instead of ctx->path.

While here, use an unused uid (61183) instead of the nobody uid so the
test case does not fail in unprivileged LXD containers.

(cherry picked from commit f05bcc1894)
2022-11-24 17:38:34 +01:00
Nick Rosbrook
2bdf5b0382 oomd: always allow root-owned cgroups to set ManagedOOMPreference
Commit 652a4efb66 ("oomd: loosen the restriction on ManagedOOMPreference")
made the change to allow ManagedOOMPreference on a cgroup candidate when
the monitored cgroup and cgroup candidate are owned by the same user.

The commit assumed that this check was sufficient to continue allowing
ManagedOOMPreference on all cgroups owned by root. However, it caused a
regression for unprivileged LXD containers where e.g. /sys/fs/cgroup is
owned by nobody (uid=65534).

Fix this by explicitly allowing the ManagedOOMPreference if uid == 0 in
oomd_fetch_cgroup_oom_preference().

(cherry picked from commit 8918609348)
2022-11-24 17:38:34 +01:00
Yu Watanabe
da01d83ab4 network: wifi: try to reconfigure when connected
Sometimes, RTM_NEWLINK message with carrier is received earlier than
NL80211_CMD_CONNECT. To make SSID= or other WiFi related settings in
[Match] section work, let's try to reconfigure the interface.

Fixes a bug introduced by 96f5f9ef9a.

Fixes #25384.

(cherry picked from commit 8a4ad01a72)
2022-11-24 17:38:34 +01:00
Benjamin Fogle
595dd9b2b9 resolved: Fix OpenSSL error messages
(cherry picked from commit f4a49d1c58)
2022-11-24 17:38:34 +01:00
Zbigniew Jędrzejewski-Szmek
2ecb8fc841 basic/strv: check printf arguments to strv_extendf()
The second argument to _printf_() specifies where the arguments start. We need to
use 0 in two cases: when the args in a va_list and can't be checked, and with journald
logging functions which accept multiple format strings with multiple argument sets,
which the _printf_ checker does not understand. But strv_extendf() can be checked.

(cherry picked from commit 400102ec91)
2022-11-24 17:38:34 +01:00
Zbigniew Jędrzejewski-Szmek
81e2c87a47 manager: fix format strings for trigger metadata
Fixup for c8bc7519c8.

(cherry picked from commit 6457ce15be)
2022-11-24 17:38:34 +01:00
Lennart Poettering
d337ac02d6 resolved: when configuring 127.0.0.1 as per-interface DNS server, contact it via "lo" always
usually if you specify a DNS server on some interface then we'll use
that interface to talk to it. Let's override this for localhost
addresses, as they only really make sense on "lo".

Fixes: #25397
(cherry picked from commit 6e32414a66)
2022-11-24 17:38:34 +01:00
Lennart Poettering
813d52dbf8 resolved: use right conditionalization when setting unicast ifindex on UDP sockets
(cherry picked from commit 5faaed5b62)
2022-11-24 17:38:34 +01:00
Sam James
2b52748d45 nspawn: allow sched_rr_get_interval_time64 through seccomp filter
We only allow a selected subset of syscalls from nspawn containers
and don't list any time64 variants (needed for 32-bit arches when
built using TIME_BITS=64, which is relatively new).

We allow sched_rr_get_interval which cpython's test suite makes
use of, but we don't allow sched_rr_get_interval_time64.

The test failures when run in an arm32 nspawn container on an arm64 host
were as follows:
```
======================================================================
ERROR: test_sched_rr_get_interval (test.test_posix.PosixTester.test_sched_rr_get_interval)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/var/tmp/portage/dev-lang/python-3.11.0_p1/work/Python-3.11.0/Lib/test/test_posix.py", line 1180, in test_sched_rr_get_interval
    interval = posix.sched_rr_get_interval(0)
               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
PermissionError: [Errno 1] Operation not permitted
```

Then strace showed:
```
sched_rr_get_interval_time64(0, 0xffbbd4a0) = -1 EPERM (Operation not permitted)
```

This appears to be the only time64 syscall that isn't already included in one of
the sets listed in nspawn-seccomp.c that has a non-time64 variant. Checked
over each of the time64 syscalls known to systemd and verified that none
of the others had a non-time64-variant whitelisted in nspawn other than
sched_rr_get_interval.

Bug: https://bugs.gentoo.org/880131
(cherry picked from commit b9e7f22c2d)
2022-11-24 17:38:34 +01:00
Li kunyu
5c34bc9bc3 boot/measure: fix oom check
(cherry picked from commit fc0cc6db1e)
2022-11-24 17:38:34 +01:00
Li kunyu
f68be4fd79 fuzz: fuzz-compress: fix copy-and-paste error: buf -> buf2 (#25431)
(cherry picked from commit f54f6d88b1)
2022-11-24 17:38:34 +01:00
Marcus Schäfer
132f0ec7de Handle MACHINE_ID=uninitialized
systemd supports /etc/machine-id to be set to: uninitialized
In this case the expectation is that systemd creates a new
machine ID and replaces the value 'uninitialized' with the
effective machine id. In the scope of kernel-install we
should also enforce the creation of a new machine id in this
condition

(cherry picked from commit 305dd91adf)
2022-11-24 17:38:34 +01:00
Vitaly Kuznetsov
25fcbdae7e shared/tpm2-util: Fix "Error: Esys invalid ESAPI handle (40000001)" warning
systemd-cryptenroll complains (but succeeds!) upon binding to a signed PCR
policy:

$ systemd-cryptenroll --unlock-key-file=/tmp/passphrase --tpm2-device=auto
  --tpm2-public-key=... --tpm2-signature=..." /tmp/tmp.img

ERROR:esys:src/tss2-esys/esys_iutil.c:394:iesys_handle_to_tpm_handle() Error: Esys invalid ESAPI handle (40000001).
WARNING:esys:src/tss2-esys/esys_iutil.c:415:iesys_is_platform_handle() Convert handle from TPM2_RH to ESYS_TR, got: 0x40000001
ERROR:esys:src/tss2-esys/esys_iutil.c:394:iesys_handle_to_tpm_handle() Error: Esys invalid ESAPI handle (40000001).
WARNING:esys:src/tss2-esys/esys_iutil.c:415:iesys_is_platform_handle() Convert handle from TPM2_RH to ESYS_TR, got: 0x4000000
New TPM2 token enrolled as key slot 1.

The problem seems to be that Esys_LoadExternal() function from tpm2-tss
expects a 'ESYS_TR_RH*' constant specifying the requested hierarchy and not
a 'TPM2_RH_*' one (see Esys_LoadExternal() -> Esys_LoadExternal_Async() ->
iesys_handle_to_tpm_handle() call chain).

It all works because Esys_LoadExternal_Async() falls back to using the
supplied values when iesys_handle_to_tpm_handle() fails:

    r = iesys_handle_to_tpm_handle(hierarchy, &tpm_hierarchy);
    if (r != TSS2_RC_SUCCESS) {
        ...
        tpm_hierarchy = hierarchy;
    }

Note, TPM2_RH_OWNER was used on purpose to support older tpm2-tss versions
(pre https://github.com/tpm2-software/tpm2-tss/pull/1531), use meson magic
to preserve compatibility.

Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
(cherry picked from commit 155c51293d)
2022-11-24 17:38:34 +01:00
Jan Janssen
6189505d79 boot: Correctly handle @saved default patterns
(cherry picked from commit 7941f11acb)
2022-11-24 17:38:34 +01:00
Daan De Meyer
148b2d8ad3 Revert "journal: Make sd_journal_previous/next() return 0 at HEAD/TAIL"
This commit broke backwards compatibility so let's revert it until
we find a better solution.

This reverts commit 977ad21b5b.

(cherry picked from commit 1db6dbb1dc)
2022-11-24 17:38:34 +01:00
Marcus Schäfer
d34ea410f4 Fix reading /etc/machine-id in kernel-install (#25388)
* Fix reading /etc/machine-id in kernel-install

The kernel-install script has code to read the contents of
/etc/machine-id into the MACHINE_ID variable. Depending
on the variable content kernel-install either logs the
value or creates a new machine id via 'systemd-id128 new'.
In that logic there is one issue. If the file /etc/machine-id
exists but is empty, the script tries to call read on an
empty file which return with an exit code != 0. As the
script code also uses 'set -e', kernel-install will exit at
this point which is unexpected.

The condition of an empty /etc/machine-id file exists for
example when building OS images, which should initialize the
system id on first boot but not statically inside of the image.
afaik an empty /etc/machine-id is also a common approach
to make systemd indicate that it should create a new system
id. Because of this, the commit makes sure the reading of
/etc/machine-id does not fail in any case such that the
handling of the MACHINE_ID variable takes place.

(cherry picked from commit 883e7cbfc0)
2022-11-24 17:38:34 +01:00
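The two kernel-install commits above ("Handle MACHINE_ID=uninitialized" and this one) define three inputs that must all mean "generate a new id" rather than "abort": a missing file, an empty file, and the literal uninitialized. The block below is an added example for this page, not systemd's or kernel-install's code (which is a shell script); it shows the same decision logic in C, including tolerance for a missing trailing newline, which is what tripped `read` under `set -e`. machine_id_classify(), machine_id_read() and machine_id_ensure() are assumed names; the fallback generator draws from /dev/urandom and does not claim to set UUID version bits the way `systemd-id128 new` does.

```c
#include <ctype.h>
#include <errno.h>
#include <stdio.h>
#include <string.h>

enum {
        MACHINE_ID_VALID = 0,      /* 'out' holds the 32 lowercase hex chars */
        MACHINE_ID_NEEDS_NEW = 1,  /* missing, empty, or "uninitialized": generate one */
};

/* Classify the contents of /etc/machine-id. 'out' may be NULL. Returns one of
 * the values above, or -EINVAL if the file holds something that is neither. */
int machine_id_classify(const char *content, char out[33]) {
        size_t n = strlen(content);

        /* Tolerate a trailing newline and also a missing one: shell `read`
         * returns non-zero on a final line without '\n' even though it
         * stored the value, which is the `set -e` trap described above. */
        while (n > 0 && isspace((unsigned char) content[n - 1]))
                n--;

        if (n == 0)
                return MACHINE_ID_NEEDS_NEW;
        if (n == strlen("uninitialized") && memcmp(content, "uninitialized", n) == 0)
                return MACHINE_ID_NEEDS_NEW;

        if (n != 32)
                return -EINVAL;
        for (size_t i = 0; i < 32; i++) {
                if (!isxdigit((unsigned char) content[i]))
                        return -EINVAL;
                if (out)
                        out[i] = (char) tolower((unsigned char) content[i]);
        }
        if (out)
                out[32] = '\0';
        return MACHINE_ID_VALID;
}

/* Read and classify. A missing file is treated like an empty one; only real
 * I/O failures are errors. "re" = O_CLOEXEC on glibc. */
int machine_id_read(const char *path, char out[33]) {
        char line[64] = "";
        FILE *f = fopen(path, "re");

        if (!f)
                return errno == ENOENT ? MACHINE_ID_NEEDS_NEW : -errno;

        /* fgets() returning NULL on an empty file is not an error here. */
        if (!fgets(line, sizeof line, f) && ferror(f)) {
                fclose(f);
                return -EIO;
        }
        fclose(f);
        return machine_id_classify(line, out);
}

/* Fallback generator: 16 random bytes as 32 lowercase hex chars. */
int machine_id_generate(char out[33]) {
        unsigned char raw[16];
        FILE *f = fopen("/dev/urandom", "re");

        if (!f)
                return -errno;
        if (fread(raw, 1, sizeof raw, f) != sizeof raw) {
                fclose(f);
                return -EIO;
        }
        fclose(f);
        for (size_t i = 0; i < sizeof raw; i++)
                snprintf(out + 2 * i, 3, "%02x", raw[i]);
        return 0;
}

/* Returns 0 if an existing id was used, 1 if a new one was generated,
 * or -errno. 'out' may be NULL when the caller only wants the decision. */
int machine_id_ensure(const char *path, char out[33]) {
        char local[33];
        char *dst = out ? out : local;
        int r = machine_id_read(path, dst);

        if (r < 0)
                return r;
        if (r == MACHINE_ID_VALID)
                return 0;
        r = machine_id_generate(dst);
        return r < 0 ? r : 1;
}
```

Note that a file containing something that is neither a 32-hex-char id nor one of the "please generate" markers is reported as -EINVAL rather than silently replaced: overwriting a corrupt machine-id would change the identity the journal and DHCP client are keyed on, which is a decision for the operator, not the script.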
Yu Watanabe
7b99f68f1c systemctl: do not show unit properties with --all
Fixes a bug introduced by a6e334649d.

Fixes #25343.

(cherry picked from commit 0b51a1c8c4)
2022-11-24 17:38:34 +01:00
Yu Watanabe
f791ecd0c5 ac-power: check battery existence and status
If a battery is not present or its status is not discharging, then
the battery should not be used as a power source.
Let's count batteries currently discharging.

Fixes #25316.

(cherry picked from commit 1c03f7f4ba)
2022-11-24 17:38:34 +01:00
Zbigniew Jędrzejewski-Szmek
c2620a6bdb pid1: skip cleanup if root is not tmpfs/ramfs
in_initrd() was really doing two things: checking if we're in the initrd, and
also verifying that the initrd is set up correctly. But this second check is
complicated, in particular it would return false for overlayfs, even with an
upper tmpfs layer. It also doesn't support the use case of having an initial
initrd with tmpfs, and then transitioning into an intermediate initrd that is
e.g. a DDI, i.e. a filesystem possibly with verity arranged as a disk image.

We don't need to check if we're in initrd in every program. Instead, concerns
are separated:
- in_initrd() just does a simple check for /etc/initrd-release.
- When doing cleanup, pid1 checks if it's on a tmpfs before starting to wipe
  the old root. The only case where we want to remove the old root is when
  we're on a plain temporary filesystem. With an overlay, we'd be creating
  whiteout files, which is not very useful. (*)

This should resolve https://bugzilla.redhat.com/show_bug.cgi?id=2137631
which is caused by systemd refusing to treat the system as an initrd because
overlayfs is used.

(*) I think the idea of keeping the initrd fs around for shutdown is outdated.
We should just have a completely separate exitrd that is unpacked when we want
to shut down. This way, we don't waste memory at runtime, and we also don't
transition to a potentially older version of systemd. But we don't have support
for this yet.

This replaces 0fef5b0f0bd9ded1ae7bcb3e4e4b2893e36c51a6.

(cherry picked from commit a940f507fb)
2022-11-24 17:38:34 +01:00
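The commit above separates "are we in an initrd" from "is it safe to wipe the old root", and the second question is answered by looking at the filesystem type of the root mount, which is where overlayfs differs from a plain tmpfs even when its upper layer is one. The following is an added example for this page, not systemd's code; it shows both checks as described, using statfs() and the kernel's TMPFS_MAGIC/RAMFS_MAGIC values, with a should_wipe_old_root() policy function whose name and signature are assumptions made here for testability.

```c
#include <errno.h>
#include <stdbool.h>
#include <sys/statfs.h>
#include <unistd.h>

/* Values from linux/magic.h, repeated so the example builds without it. */
#ifndef TMPFS_MAGIC
#define TMPFS_MAGIC 0x01021994
#endif
#ifndef RAMFS_MAGIC
#define RAMFS_MAGIC 0x858458f6
#endif

/* The simple check the commit reduces in_initrd() to: nothing else is decided here. */
bool in_initrd(void) {
        return access("/etc/initrd-release", F_OK) == 0;
}

/* Is the filesystem at 'path' a plain tmpfs or ramfs? Returns 1/0 or -errno.
 * An overlayfs returns 0 even when its upper layer is a tmpfs: statfs()
 * reports the overlay's own magic, which is the case the commit describes. */
int path_is_tmpfs_or_ramfs(const char *path) {
        struct statfs s;
        unsigned long type;

        if (statfs(path, &s) < 0)
                return -errno;
        type = (unsigned long) s.f_type;
        return (type == TMPFS_MAGIC || type == RAMFS_MAGIC) ? 1 : 0;
}

/* Cleanup policy: wipe the old root only when we are in an initrd AND that
 * root is a real ram-backed fs. On an overlay, unlinking would only create
 * whiteouts, so the answer is "skip". 'initrd' is a parameter (rather than a
 * call to in_initrd()) purely to keep the policy testable outside an initrd.
 * Returns 1 (wipe), 0 (skip), or -errno. */
int should_wipe_old_root(bool initrd, const char *root) {
        if (!initrd)
                return 0;
        return path_is_tmpfs_or_ramfs(root);
}
```

Checking the filesystem type at the moment of cleanup, rather than at startup, matters because the decision is destructive: a false positive deletes the live root of a system that merely resembles an initrd, a false negative only leaks some memory until the next boot.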
Zbigniew Jędrzejewski-Szmek
83a772aae2 Revert "initrd: extend SYSTEMD_IN_INITRD to accept non-ramfs rootfs"
This reverts commit 1f22621ba3.

This is a replacement for b1fd5cd4ed. See that
commit for details.
2022-11-24 17:38:34 +01:00
Khem Raj
4d11c9b3cd networkd-ipv4acd.c: Use net/if.h for getting IFF_LOOPBACK definition
This helps in avoiding compiling errors on musl. Definition of
IFF_LOOPBACK is the reason for including linux/if_arp.h, this however
could be obtained from net/if.h glibc header equally and makes it
portable as well.

(cherry picked from commit 239e4a42a6)
2022-11-24 17:38:34 +01:00
Jan Janssen
aff1caf3fd boot: Replace firmware security hooks directly
For some firmware, replacing their own security arch instance with our
override using ReinstallProtocolInterface() is not enough as they will
not use it. This commit goes back to how this was done before by
directly modifying the security protocols.

Fixes: #25336
(cherry picked from commit 967a868563)
2022-11-22 15:00:53 +01:00
Jan Janssen
f9d9a68ecc boot: Rework security arch override
This simplifies the caller interface for security arch overrides by only
having to pass a validator and an optional context.

(cherry picked from commit 5489c13bae)
2022-11-22 15:00:53 +01:00
Jan Janssen
c6d7b4014c boot: Manually convert filepaths if needed
The conversion of a filepath device path to text is needed for the stub
loader to find credential files.

(cherry picked from commit 679007044f)
2022-11-22 15:00:53 +01:00
Jan Janssen
c8c5b79fb6 boot: Do not require a loaded image path
If the device path to text protocol is not available (looking angrily at
Apple) we would fail to boot because we cannot get the loaded image
path. As this is only used for cosmetic purposes, we can just silently
continue.

Fixes: #25363
(cherry picked from commit af7ef648cd)
2022-11-22 15:00:53 +01:00
Jan Janssen
5894d4bd79 boot: Fix memory leak
(cherry picked from commit b7b327f856)
2022-11-22 15:00:53 +01:00