mirror of https://github.com/systemd/systemd.git synced 2024-10-30 14:55:37 +03:00
Commit Graph

56843 Commits

Author SHA1 Message Date
Lennart Poettering
0456118807 homed: permit inodes owned by UID_MAPPED_ROOT to be created in $HOME
If people use nspawn in their $HOME we should allow these inodes owned by
this special UID to be created temporarily, so that UID mapped nspawn
containers just work.
2022-03-17 19:08:12 +01:00
Lennart Poettering
50ae2966d2 nspawn: make sure host root can write to the uidmapped mounts we prepare for the container payload
When using user namespaces in conjunction with uidmapped mounts, nspawn
so far set up two uidmappings:

1. One that is used for the uidmapped mount and that maps the UID range
   0…65535 on the backing fs to some high UID range X…X+65535 on the
   uidmapped fs. (Let's call this mapping the "mount mapping")

2. One that is used for the userns namespace the container payload
   processes run in, that maps X…X+65535 back to 0…65535. (Let's call
   this one the "process mapping").

These mappings hence are pretty much identical, one just moves things up
and one back down. (Reminder: we do all this so that the processes can
run under high UIDs while running off file systems that require no
recursive chown()ing, i.e. we want processes with high UID range but
files with low UID range.)

This creates one problem, i.e. issue #20989: if nspawn (which runs as
host root, i.e. host UID 0) wants to add inodes to the uidmapped mount
it can't do that, since host UID 0 is not defined in the mount mapping
(only the X…X+65536 range is, after all, and X > 0), and processes whose
UID is not mapped in a uidmapped fs cannot create inodes in it since
those would be owned by an unmapped UID, which then triggers
the famous EOVERFLOW error.

Let's fix this, by explicitly including an entry for the host UID 0 in
the mount mapping. Specifically, we'll extend the mount mapping to map
UID 2147483646 (which is INT32_MAX-1, see code for an explanation why I
picked this one) of the backing fs to UID 0 on the uidmapped fs. This
way nspawn can create inodes on the uidmapped fs as it likes (which will
then actually be owned by UID 2147483646 on the backing fs), and as it
always did. Note that we do *not* create a similar entry in the process
mapping. Thus any files created by nspawn that way (and not chown()ed to
something better) will appear as unmapped (i.e. as overflowuid/"nobody")
in the container payload. And that's good. Of course, the latter is
mostly theoretic, as nspawn should generally chown() the inodes it
creates to UID ranges that actually make sense for the container (and we
generally already do this correctly), but it's good to know that we are
safe here, given we might accidentally forget to chown() some inodes we
create.

Net effect: the two mappings will not be identical anymore. The mount
mapping has one entry more, and the only reason it exists is so that
nspawn can access the uidmapped fs reasonably independently from any
process mapping.

Fixes: #20989
2022-03-17 19:08:12 +01:00
Lennart Poettering
264caae299 base-filesystem: use uid_is_valid() at one more place 2022-03-17 19:08:12 +01:00
Lennart Poettering
aff7ae0d67 nspawn: if we refuse to operate on some directory, explain why
(Also, some refactoring to use safer path_join())
2022-03-17 19:08:12 +01:00
Lennart Poettering
1eb874b978 nspawn: make more stuff const
And if we make it const, we can also make it static.
2022-03-17 19:07:48 +01:00
Lennart Poettering
d1d0b895dc nspawn: rebreak all comments in outer_child() 2022-03-17 19:03:58 +01:00
David
19c510bec7 Changed wording in systemd-debug-generator manpage 2022-03-17 19:02:10 +01:00
Frantisek Sumsal
43b9b2053c core: add %d specifier for the $CREDENTIALS_DIRECTORY
Resolves: #22549
2022-03-17 17:45:01 +01:00
Yu Watanabe
b7ee9b3551 test: wait for loopback device being ready to manipulate
Follow-up for 6626ea08f6.
2022-03-17 16:11:12 +00:00
Lennart Poettering
63a185dc72 update TODO 2022-03-17 16:24:31 +01:00
Frantisek Sumsal
598a1d7633 core: drop an unnecessary initialization 2022-03-17 14:39:51 +01:00
Yu Watanabe
a1f4fd3876 udev: run the main process, workers, and spawned commands in /udev subcgroup
And enable cgroup delegation for udevd.
Then, processes invoked through ExecReload= are assigned .control
subcgroup, and they are not killed by cg_kill().

Fixes #16867 and #22686.
2022-03-17 20:24:38 +09:00
Vishal Chillara Srinivas
e8aba093b4 varlink_error_invalid_parameter(...) always returns EINVAL
varlink_error(...) expects a json object as the third parameter. Passing a string variant causes
parameter sanitization to fail, and it returns -EINVAL. Pass object variant instead.
2022-03-17 20:12:26 +09:00
Yu Watanabe
ac33e14754 repart: use assert() when no state is changed 2022-03-17 20:10:17 +09:00
Yu Watanabe
8fe84dc8de core: ExecContext::restrict_filesystems is set of string 2022-03-17 20:09:59 +09:00
Yu Watanabe
3cef19b369
Merge pull request #22770 from yuwata/sd-radv-fixes
sd-radv: several fixes
2022-03-17 20:09:41 +09:00
Yu Watanabe
8b9afa5524 timedate: use cleanup attribute at one more place 2022-03-17 20:09:18 +09:00
Yu Watanabe
4267084642 Revert "udev: do not kill "udevadm control" process in the same cgroup"
This reverts commit ccadf9ac0d.

The fix is not insufficient. See #22686.
2022-03-17 14:42:56 +09:00
Yu Watanabe
faaf3d66ce sd-radv: fix indentation 2022-03-17 14:34:58 +09:00
Yu Watanabe
56aa51432e sd-radv: do not use iterator outside of the loop 2022-03-17 14:34:58 +09:00
Yu Watanabe
95931532aa sd-radv: voidify sd_radv_remove_prefix()
If the prefix is only referenced by sd_radv, then the returned pointer
is already freed.

networkd does not use the returned value. Let's voidify the function.
2022-03-17 14:34:58 +09:00
Grigori Goronzy
da29de23ef tpm2: enable parameter encryption
Use a salted, unbound HMAC session with the primary key used as tpmKey,
which means that the random salt will be encrypted with the primary
key while in transit. Decrypt/encrypt flags are set on the new session
with AES in CFB mode. There is no fallback to XOR mode.

This provides confidentiality and replay protection, both when sealing
and unsealing. There is no protection against man in the middle
attacks since we have no way to authenticate the TPM at the moment.
The exception is unsealing with PIN, as an attacker will be unable
to generate the proper HMAC digest.
2022-03-16 22:52:42 +01:00
Anita Zhang
c68ac12a0e
Merge pull request #22768 from poettering/cgls-delegate-xattr
make "delegate" xattr also available for unpriv programs
2022-03-16 14:49:00 -07:00
Lennart Poettering
e127ac90ef
Merge pull request #22761 from poettering/pcr-fix
sd-boot: change kernel cmdline PCR from 8 to 12
2022-03-16 22:32:43 +01:00
Yu Watanabe
06fb09cf40
Merge pull request #22765 from medhefgo/test
test: Use TEST macros in more places
2022-03-17 03:07:36 +09:00
Lennart Poettering
deb5c820ca sd-boot: disable bitlocker reboot feature for now
Conceptually the feature is great and should exist, but in its current
form should be worked to be generic (i.e. not specific to
Windows/Bitlocker, but applicable to any boot entry), not be global (but
be a per-entry thing), not require a BootXXXX entry to exist, and not
check for the BitLocker signature (as TPMs are not just used for
BitLocker).

Since we want to get 251 released, mark it in the documentation, in NEWS
and in code as experimental and make clear it will be reworked in a
future release. Also, make it opt-in to make it less likely people come
to rely on it without reading up on it, and understanding that it will
likely change sooner or later.

Follow-up for: #22043
See: #22390
2022-03-16 18:39:57 +01:00
Lennart Poettering
c2c7eea1e9
Merge pull request #22563 from grigorig/cryptenroll-tpm2-pin
sd-cryptenroll TPM2 PIN protected unlock
2022-03-16 18:04:28 +01:00
Lennart Poettering
bbfabc4498 NEWS: add entry announcing PCR change 2022-03-16 17:44:46 +01:00
Lennart Poettering
27818e2ece man: only document new PCR 12 2022-03-16 17:44:46 +01:00
Lennart Poettering
4d32507f51 sd-boot: measure kernel cmdline into PCR 12 rather than 8
Apparently Grub is measuring all kinds of garbage into PCR 8. Since people
apparently chainload sd-boot from grub, let's thus stay away from PCR 8,
and use PCR 12 instead for the kernel command line.

As discussed here: #22635

Fixes: #22635
2022-03-16 17:44:32 +01:00
Lennart Poettering
34604d6af7 boot: use UINT32 as type for PCR indexes
This is what the TPM2/UEFI headers use, and most of our EFI codebase.
Let's also use the same type here in cpio.[ch]
2022-03-16 17:33:28 +01:00
Lennart Poettering
c5a408ee35 boot: drop const from EFI_PHYSICAL_ADDRESS parameter
It's not a pointer after all, but a numeric value. As such the const
applies to the value and not the target, but we generally don't do that
for value parameters. Hence drop the const.
2022-03-16 17:33:28 +01:00
Lennart Poettering
1fa3b6c247 cgroup: also set user.invocation_id in addition to trusted.invocation_id
Similar thinking as the preceding commit.

(While we are at it, let's unify some code we use over and over again in
two helper functions)
2022-03-16 16:47:07 +01:00
Lennart Poettering
200aa3583f docs: document the user.delegate xattr 2022-03-16 16:32:47 +01:00
Lennart Poettering
d9bc1c3614 cgroup: also indicate cgroup delegation state in user-accessible xattr
So far we set the "trusted.delegate" xattr on cgroups where delegation
is on. This duplicates this behaviour with the "user.delegate" xattr.
This has two benefits:

1. unprivileged clients can *read* the xattr. "systemd-cgls" can thus
   show delegated cgroups as such properly, even when invoked without
   privs

2. unprivileged systemd instances can set the xattr, i.e. when systemd
   --user delegates a cgroup to further payloads.

This weakens security a tiny bit, given that code that got a cgroup
delegated can manipulate the xattr, but I think that's OK, given they
have a higher trust level regarding cgroups anyway, if they got a
subtree delegated, and access controls on the cgroup itself are still
enforced. Moreover PID 1 as the cgroup manager only sets these xattrs,
never reads them — the xattr is primarily a way to tell payloads about
the delegation, and it's strictly this one way.
2022-03-16 16:32:44 +01:00
Jan Janssen
b405e3aae1 test-journal-syslog: Add some valid priority cases 2022-03-16 14:50:12 +01:00
Jan Janssen
3df208468f test: Use C11 UTF-16 string literal 2022-03-16 14:50:12 +01:00
Jan Janssen
68da8adf54 test: Use TEST macros in more places 2022-03-16 14:50:12 +01:00
Lennart Poettering
bde2607563 cgroup-show: split out delegation xattr check into its own function
Just some refactoring.
2022-03-16 14:30:01 +01:00
Lennart Poettering
45cab6e3c1 update TODO 2022-03-16 11:33:27 +01:00
Lennart Poettering
4bb37359f6 docs: s/straight-forward/straightforward/
Inspired by https://github.com/systemd/systemd/pull/20156#discussion_r810878846
2022-03-15 22:46:09 +00:00
Luca Boccassi
3b1276c28b
Merge pull request #22746 from yuwata/home-cleanups
home: two cleanups
2022-03-15 22:44:58 +00:00
Lennart Poettering
69811f4763 import: improve error message
As suggested: https://github.com/systemd/systemd/pull/20156#discussion_r810941489
2022-03-15 22:43:48 +00:00
Luca Boccassi
2979c852a4
Merge pull request #22757 from DaanDeMeyer/bpf-error
BPF error logging improvements
2022-03-15 22:42:48 +00:00
Grigori Goronzy
fd8b924820 cryptenroll: add tests for TPM2 unlocking
Add tests for enrolling and unlocking. Various cases are tested:

- Default PCR 7 policy w/o PIN, good and bad cases (wrong PCR)
- PCR 7 + PIN policy, good and bad cases (wrong PCR, wrong PIN)
- Non-default PCR 0+7 policy w/o PIN, good and bad cases (wrong PCR 0)

v2: rename test, fix tss2 library installation, fix CI failures
v3: fix ppc64, load module
2022-03-15 21:17:00 +01:00
Grigori Goronzy
4005d41ef0 cryptsetup: add manual TPM2 PIN configuration
Handle the case where TPM2 metadata is not available and explicitly
provided in crypttab. This adds a new "tpm2-pin" option to crypttab
options for this purpose.
2022-03-15 21:17:00 +01:00
Grigori Goronzy
caeb5604f9 cryptenroll: add TPM2 PIN documentation 2022-03-15 21:17:00 +01:00
Grigori Goronzy
1f895adac2 cryptsetup: add libcryptsetup TPM2 PIN support
This is unfinished: we don't have any way to actually query for PINs
interactively this way. It is similar to FIDO2 and PKCS#11 in this
regard.

Nonetheless, this code is capable of validating and dumping tokens, so
it is already useful as-is.
2022-03-15 21:17:00 +01:00
Grigori Goronzy
bea344a1a4 cryptsetup: add support for TPM2 pin
Extend cryptsetup for TPM2 pin entry, similar to FIDO2.
2022-03-15 21:17:00 +01:00
Grigori Goronzy
6c7a168105 cryptenroll: add support for TPM2 pin
Add support for PIN enrollment with TPM2. A new "tpm2-pin" field is
introduced into metadata to signal that the policy needs to include a
PIN.

v2: fix tpm2_make_luks2_json in sd-repart
2022-03-15 21:17:00 +01:00