mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00
Commit Graph

67016 Commits

Author SHA1 Message Date
Michael Vasseur
c91d636fad pkg.m4 macro needs brackets
See documentation at: https://manpages.debian.org/testing/pkgconf/pkg.m4.7.en.html

Without this the macro was not always correctly resolved so the correct command was not used in the rest of the snippet.
2023-08-28 10:07:26 +01:00
Luca Boccassi
4c427929e0
Merge pull request #28977 from keszybz/drop-versiondep
meson: simplify handling of the version tag
2023-08-28 10:02:01 +01:00
Zbigniew Jędrzejewski-Szmek
7abb0eef8f man/gpt-auto-generator: avoid saying "negative" for boolean
Fixes #28928.
2023-08-28 09:46:54 +01:00
Zbigniew Jędrzejewski-Szmek
6f420b5f75
Merge pull request #28968 from DaanDeMeyer/rlimit
Limit rlim_max in rlimit_nofile_safe() to nr_open
2023-08-27 16:06:58 +02:00
Alvin Alvarado
c766e05f29 man: Fix typo in config file example for ukify
or else it would output 'Unknown config setting [UKI] SecureBootCerificate=' or just an error outright if not overridden.
2023-08-27 15:03:49 +08:00
Topi Miettinen
97f7fe97ab
shared/firewall-util: promote failure to init ipv6 NAT to error 2023-08-26 21:37:51 +03:00
Topi Miettinen
c742d7e801
test: testing for networkd NFTSet feature 2023-08-26 21:37:35 +03:00
Topi Miettinen
fc289dd0ad
network: firewall integration with NFT sets
New directive `NFTSet=` provides a method for integrating network configuration
into firewall rules with NFT sets. The benefit of using this setting is that
static network configuration or dynamically obtained network addresses can be
used in firewall rules with the indirection of NFT set types. For example,
access could be granted for hosts in the local subnetwork only. Firewall rules
using IP address of an interface are also instantly updated when the network
configuration changes, for example via DHCP.

This option expects a whitespace separated list of NFT set definitions. Each
definition consists of a colon-separated tuple of source type (one of
"address", "prefix", or "ifindex"), NFT address family (one of "arp", "bridge",
"inet", "ip", "ip6", or "netdev"), table name and set name. The names of tables
and sets must conform to lexical restrictions of NFT table names. The type of
the element used in the NFT filter must match the type implied by the
directive ("address", "prefix" or "ifindex"), and the address type (IPv4 or
IPv6) must also match the set definition.

When an interface is configured with IP addresses, the addresses, subnetwork
masks or interface index will be appended to the NFT sets. The information will
be removed when the interface is deconfigured. systemd-networkd only inserts
elements to (or removes from) the sets, so the related NFT rules, tables and
sets must be prepared elsewhere in advance. Failures to manage the sets will be
ignored.

/etc/systemd/network/eth.network
```
[DHCPv4]
...
NFTSet=prefix:netdev:filter:eth_ipv4_prefix
```

Example NFT rules:
```
table netdev filter {
        set eth_ipv4_prefix {
                type ipv4_addr
                flags interval
        }
        chain eth_ingress {
                type filter hook ingress device "eth0" priority filter; policy drop;
                ip saddr != @eth_ipv4_prefix drop
                accept
        }
}
```
```
$ sudo nft list set netdev filter eth_ipv4_prefix
table netdev filter {
        set eth_ipv4_prefix {
                type ipv4_addr
                flags interval
                elements = { 10.0.0.0/24 }
        }
}
```
2023-08-26 21:37:09 +03:00
Zbigniew Jędrzejewski-Szmek
3c1eee5bed meson: drop "versiondep" object
It was added to make sure that the version tag was built early
enough. Now that we use vcs_tag, meson should take care of building
it early enough.
2023-08-26 17:16:59 +02:00
Zbigniew Jędrzejewski-Szmek
1671799bee meson: simplify version_tag handling
Let's also use vcs_tag() when we're doing a non-git build. In those scenarios,
the build would normally be done just once in a given copy, so doing an extra
call does not matter. We can save a few lines of meson config.

The special path was added in 064b8e2c99, with
the justification that vcs_tag() is slow and -Dversion-tag=foo can be used to
fix the version tag and speed up partial rebuilds. I think the justification
for this is weak: having an accurate version tag is particularly useful when
developing the code. Shaving off a fraction of a second at the cost of having to
manually update the version seems iffy.

Secondly, with vcs_tag() we can be pretty sure that meson will build the
version file first and that it'll be available to all build steps. Because we
didn't use version tag, we had to manually specify the dependency on version.h
in various places. It seems nicer to use vcs_tag() and not have to deal with
this problem at all.

Finally, the savings in time seem much smaller than back when
064b8e2c99 was made. It reported a change
from 94 ms to 521 ms. But now the difference seems to be about 50 ms:

Before this patch:
$ time ninja -C build
ninja: Entering directory `build'
ninja: no work to do.
ninja -C build  0.04s user 0.02s system 97% cpu 0.057 total
ninja -C build  0.03s user 0.01s system 97% cpu 0.049 total
ninja -C build  0.03s user 0.02s system 96% cpu 0.051 total
ninja -C build  0.03s user 0.01s system 96% cpu 0.049 total
ninja -C build  0.03s user 0.01s system 97% cpu 0.046 total

With the two patches in this PR:
systemd-stable [drop-versiondep] time ninja -C build
ninja: Entering directory `build'
[1/669] Generating version.h with a custom command
ninja -C build  0.08s user 0.03s system 98% cpu 0.106 total
ninja -C build  0.08s user 0.03s system 98% cpu 0.104 total
ninja -C build  0.09s user 0.02s system 98% cpu 0.116 total
ninja -C build  0.08s user 0.02s system 97% cpu 0.108 total

Overall, I think the tiny time savings are not worth the complexity.
2023-08-26 17:09:10 +02:00
Juno Computers
8a76d3cc70
Update 60-sensor.hwdb (#28804)
Updated T11/Juno Tab 2.
2023-08-26 22:35:57 +09:00
Jan Janssen
c78b611e48 meson: Bring back use of vcs_tag
The use of vcs_tag was dropped in #28567, which results in builds having
stale version information once new commits are made.

This also fixes a case where CI builds would have no version information
because they are checked out without any tags for git-describe to use.

Additionally, use `--git-dir` now, as that particular issue seems to
have been fixed by now.
2023-08-26 13:53:42 +09:00
Mike Yuan
82007efa44 mount/mount-tool: return correct errno
Follow-up for 9269296df0
2023-08-26 09:27:23 +09:00
Zbigniew Jędrzejewski-Szmek
3b9b33a143
Merge pull request #28913 from keszybz/tmpfs-top-level-dir-mode
systemd-mount: do not create tmpfs mounts with sticky permission bit
2023-08-25 18:36:30 +02:00
Susant Sahani
1925f829ab network: sd-radv - Introduce pref64 support (RFC8781)
Implements: https://datatracker.ietf.org/doc/html/rfc8781

```

[IPv6PREF64Prefix]
Prefix=2003:da8:1:0::/64
ValidLifetimeSec=30m

Frame 16: 126 bytes on wire (1008 bits), 126 bytes captured (1008 bits) on interface veth99, id 0
Ethernet II, Src: 06:c7:41:95:1d:7f (06:c7:41:95:1d:7f), Dst: IPv6mcast_01 (33:33:00:00:00:01)
Internet Protocol Version 6, Src: fe80::4c7:41ff:fe95:1d7f, Dst: ff02::1
Internet Control Message Protocol v6
    Type: Router Advertisement (134)
    Code: 0
    Checksum: 0x0ca0 [correct]
    [Checksum Status: Good]
    Cur hop limit: 0
    Flags: 0x00, Prf (Default Router Preference): Medium
    Router lifetime (s): 1800
    Reachable time (ms): 0
    Retrans timer (ms): 0
    ICMPv6 Option (Source link-layer address : 06:c7:41:95:1d:7f)
    ICMPv6 Option (Prefix information : 2002:da8:1::/64)
    ICMPv6 Option (PREF64 Option)
        Type: PREF64 Option (38)
        Length: 2 (16 bytes)
        0000 0111 0000 1... = Scaled Lifetime: 225
        .... .... .... .001 = PLC (Prefix Length Code): 64 bits prefix length (0x1)
        Prefix: 64:ff9b::

```
2023-08-25 15:13:06 +02:00
Daan De Meyer
f470dafddc Limit rlim_max in rlimit_nofile_safe() to nr_open
We might inherit a max rlim value that's larger than the kernel's
maximum (nr_open). This will cause setrlimit() to fail as the given
maximum is larger than the kernel's maximum. To get around this,
let's limit the max rlim we pass to rlimit() to the value of nr_open.

Should fix #28965
2023-08-25 14:26:11 +02:00
Daan De Meyer
fbc6a75571 mkfs-util: Set FORK_REOPEN_LOG
We set FORK_CLOSE_ALL_FDS, so we should also set FORK_REOPEN_LOG to
reopen the log in the child process so we don't miss any logging
messages.
2023-08-25 14:25:33 +02:00
Dan Streetman
a11a2e059c cryptenroll: change man page example to remove leading 0x and lowercase hex 2023-08-24 12:35:58 -04:00
Dan Streetman
81e3d37211 tpm2: wrap (7) in UINT32_C() 2023-08-24 12:35:58 -04:00
Dan Streetman
26d8d71fa5 tpm2: add tpm2_pcr_values_has_(any|all)_values() functions 2023-08-24 12:35:58 -04:00
Dan Streetman
70cb382d36 tpm2: remove unnecessary void* cast 2023-08-24 12:35:58 -04:00
Dan Streetman
ed35ac3155 tpm2: make logging level consistent at debug for some functions 2023-08-24 12:35:58 -04:00
Dan Streetman
3f4d5dfd65 tpm2: use switch() instead of if-else 2023-08-24 12:35:58 -04:00
Dan Streetman
6761e1355e tpm2: use table for openssl<->tpm2 ecc curve id mappings 2023-08-24 12:35:54 -04:00
Dan Streetman
b030710295 openssl: use new(char, size) instead of malloc(size) 2023-08-24 12:33:26 -04:00
Dan Streetman
65fd657e0a tpm2: use memcpy_safe() instead of memcpy() 2023-08-24 12:33:26 -04:00
Dan Streetman
ae2b38e463 tpm2: remove ret_ prefix from input/output params 2023-08-24 12:33:26 -04:00
Dan Streetman
c6e5178220 tpm2: split TPM2_PCR_VALUE_MAKE() over multiple lines 2023-08-24 12:33:26 -04:00
Dan Streetman
85b6f299b2 tpm2: use strempty() 2023-08-24 12:33:26 -04:00
Dan Streetman
8e757259c3 tpm2: check pcr value hash != 0 before looking up hash algorithm name 2023-08-24 12:33:26 -04:00
Dan Streetman
495f2bf57c tpm2: simplify call to asprintf() 2023-08-24 12:33:26 -04:00
Dan Streetman
2b2ee3f265 tpm2: put !isempty() check inside previous !isempty() check 2023-08-24 12:33:26 -04:00
Dan Streetman
7001a7daf7 tpm2: use SIZE_MAX instead of strlen() for unhexmem() 2023-08-24 12:33:26 -04:00
Dan Streetman
193fd5730e tpm2: in tpm2_pcr_values_valid() use FOREACH_ARRAY() 2023-08-24 12:32:51 -04:00
Dan Streetman
064ac95d81 tpm2: in validator functions, return false instead of assert failure 2023-08-24 12:31:00 -04:00
Dan Streetman
3cd4145f34 tpm2: move cast from lhs to rhs in uint16_t/int comparison 2023-08-24 12:31:00 -04:00
Dan Streetman
cc1a78d5c4 tpm2: lowercase TPM2_PCR_VALUE[S]_VALID functions
As these are not macros, they should be lowercase.
2023-08-24 12:31:00 -04:00
Dan Streetman
7354a7ccd4 tpm2: change *alg_to_* functions to use switch() 2023-08-24 12:31:00 -04:00
Zbigniew Jędrzejewski-Szmek
ebbc92405b
Merge pull request #28917 from yuwata/network-address-pool
2023-08-24 15:58:31 +02:00
Yu Watanabe
927e20fa49 nspawn: check validity of the internal interface name only explicitly specified
Follow-up for 2f091b1b49.

Fixes #28844.
2023-08-24 15:55:32 +02:00
Zbigniew Jędrzejewski-Szmek
6d9829e724 man/repart: use <filename> and add missing <para> 2023-08-24 15:45:24 +02:00
Zbigniew Jędrzejewski-Szmek
12455d6e87
Merge pull request #28918 from yuwata/network-dhcp-custom-duid
network/dhcp: allow to specify custom duid type
2023-08-24 15:45:07 +02:00
Lennart Poettering
6b0651df60 gpt: move basic header/partition structure of GPT into common code
This way we can use it at other places too, not just when dissecting
images.
2023-08-24 15:25:38 +02:00
Lennart Poettering
24ae45cb65 alloc-util: add free_many() helper
We often free an array of things. Let's create a common helper for this,
and port some potential users over. (Not all, too lazy for that for
now).
2023-08-24 15:04:33 +02:00
Lennart Poettering
e0e1f4f7a2 fundamental: rename tpm-pcr.h → tpm2-pcr.h
I always found it confusing that most of our TPM related definitions are
in tpm2-util.h, but the PCR names in tpm-pcr.h, without the "2". Let's
fix that and make this systematic, in particular as the definitions in
the file all start with TPM2_ already.

No code flow changes, just some renaming.
2023-08-24 13:40:37 +02:00
Lennart Poettering
46c5a1383a fundamental: split out UKI defines into its own header
The UKI sections have little to do with the PCRs, hence give them their
own header.
2023-08-24 13:40:37 +02:00
Lennart Poettering
2099cd6289 tpm2: unify symbolic name infra for PCRs
We so far maintained two places for symbolic names for PCRs. One in
tpm2-util.h and one in tpm-pcr.h.

Let's unify this into one, i.e. move the full list from tpm2-util.h into
tpm-pcr.h, replacing the short list placed so far there.

Systematically prefix the definitions with TPM2_ or tpm2_, to follow how
we do this for all other defines in this context.

No change in behaviour, just unification of tables.
2023-08-24 13:40:37 +02:00
Lennart Poettering
a16e19c61d
Merge pull request #28946 from poettering/json-variant-append-arrayb
add json_variant_append_arrayb() helper + more related
2023-08-24 13:37:10 +02:00
Lennart Poettering
f5fc7732b0 json: add json_variant_set_fieldb() helper
Let's add a "b" helper for json_variant_set_field() that combines
json_build() with json_variant_set_field(), similar to the
json_variant_merge_objectb(), json_variant_append_arrayb().
2023-08-24 13:20:39 +02:00
Lennart Poettering
e931768eb4 json: rename json_append() → json_variant_merge_objectb()
json_append() is a useful wrapper around json_variant_merge(). However,
I think the naming of both functions should be cleaned up a bit.

I think "merge" is the better word than "append", since it does
decidedly more than just append: it replaces existing fields of the same
name, hence "merge" sounds more appropriate. This is as opposed to the
similar operations for arrays, where no such override logic is applied
and we really just append, hence those functions are called "append"
already.

To make clearer that "merge" is about objects, and "append" about
arrays, also include "object" in the name.

Also, include "json_variant" in the name, like we do for almost all
other functions in the JSON API that take a JSON object as primary
input, and hence are kinda object methods.

Finally, let's follow the logic that helpers that combine json_build()
with some other operation get suffixed with "b" like we already have in
some cases.

Hence:

json_variant_merge() → json_variant_merge_object()
       json_append() → json_variant_merge_objectb()

This mirrors nicely the existing:
                       json_variant_append_array()
                       json_variant_append_arrayb()

This also drops the variant of json_append() that takes a va_arg
parameter (i.e. json_appendv()). We have no user of that so far, and
given the nature as a helper function only I don't see that happening,
and if it happens after all it's trivial to bring back.
2023-08-24 13:20:39 +02:00