1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00
Commit Graph

76135 Commits

Author SHA1 Message Date
Mike Yuan
4c8dc66438
networkd-state-file: use ASSERT_PTR where appropriate 2024-09-09 21:45:42 +02:00
Lennart Poettering
8b29949a41 machinectl: suppress redirection notice if --quiet is specified 2024-09-09 18:58:57 +02:00
Daan De Meyer
fa693fdc7e core: Add support for PrivateUsers=identity
This configures an indentity mapping similar to
systemd-nspawn --private-users=identity.
2024-09-09 18:31:01 +02:00
Yanqing Jing
d8b4be38dd update keyboard hwdb to add acer Predator PHN16-72 2024-09-09 17:19:28 +02:00
Lennart Poettering
7a3223f509
Merge pull request #34258 from yuwata/nspawn-volatile-u
nspawn: make --volatile work with -U
2024-09-09 17:11:11 +02:00
Daan De Meyer
c1852f9d5f sysupdate: Add --transfer-source=
In mkosi, I want to add a sysupdate verb to wrap systemd-sysupdate.
The definitions will be picked up from mkosi.sysupdate/ and passed
to systemd-sysupdate. I want users to be able to write transfer
definitions that are independent of the output directory used by
mkosi. To make this possible, it should be possible to specify the
directory that transfer sources should be looked up in on the sysupdate
command line. Let's allow this via a new --transfer-source= option.

Additionally, transfer sources that want to take advantage of this
feature should specify PathRelativeTo=directory to indicate the configured
Path= is interpreted relative to the tranfer source directory specified
on the CLI.

This allows for the following transfer definition to be put in
mkosi.sysupdate:

"""
[Transfer]
ProtectVersion=%A

[Source]
Type=regular-file
Path=/
PathRelativeTo=directory
MatchPattern=ParticleOS_@v.usr-%a.@u.raw

[Target]
Type=partition
Path=auto
MatchPattern=ParticleOS_@v
MatchPartitionType=usr
PartitionFlags=0
ReadOnly=1
"""
2024-09-09 16:41:52 +02:00
Mike Yuan
4ec630bfba
Merge pull request #33833 from YHNdnzj/manager-reload-assert
core/manager: do not re-init Manager.lookup_paths when manager_reload(), minor assorted cleanups
2024-09-09 14:21:57 +02:00
Daan De Meyer
6e4d47b5ae repart: Initialize split_name_format in copy_from_one()
Let's allow splitting the partitions from an existing disk image
by initializing split_name_format when using --copy-from=.
2024-09-09 13:22:26 +02:00
Yu Watanabe
c1062559a9
Merge pull request #34307 from yuwata/linux-more-network-headers
linux: import more network headers
2024-09-09 19:33:14 +09:00
Yu Watanabe
ef32235db1
Merge pull request #34067 from LukeShu/lukeshu/nspawn-fuse
nspawn: enable FUSE in containers
2024-09-09 19:32:16 +09:00
Yu Watanabe
85fd8df03d missing_socket: drop unnecessary definitions
Now, we have copy of vm_sockets.h, hence these definitions are not
necessary anymore.
2024-09-09 14:52:18 +09:00
Yu Watanabe
47a71f9852 missing_network: drop unnecessary definition
Now we have ipv6.h, hence the definition is not necessary anymore.
2024-09-09 14:52:18 +09:00
Yu Watanabe
0ca88780d6 arphrd-list: use imported linux/if_arp.h 2024-09-09 14:52:18 +09:00
Yu Watanabe
a84649592c linux: import more network related headers from v6.11-rc6
Hopefully, no effective change.
2024-09-09 14:52:18 +09:00
Mike Yuan
978e7d166c terminal-util: correct fd validity check
Follow-up for 14f594b995
2024-09-08 20:45:33 +02:00
samuelvw01
54ada3d13a Fix typo in escape.c 2024-09-08 18:55:13 +09:00
Erik Sjölund
fdc1b714d4 TODO: fix typo 2024-09-08 18:54:20 +09:00
marginaldev
5bad3c4222 Fix grammar in udevadm settle timeout message 2024-09-08 12:28:22 +09:00
Luke T. Shumaker
dc3223919f nspawn: enable FUSE in containers
Linux kernel v4.18 (2018-08-12) added user-namespace support to FUSE, and
bumped the FUSE version to 7.27 (see: da315f6e0398 (Merge tag
'fuse-update-4.18' of
git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse, Linus Torvalds,
2018-06-07).  This means that on such kernels it is safe to enable FUSE in
nspawn containers.

In outer_child(), before calling copy_devnodes(), check the FUSE version to
decide whether enable (>=7.27) or disable (<7.27) FUSE in the container.  We
look at the FUSE version instead of the kernel version in order to enable FUSE
support on older-versioned kernels that may have the mentioned patchset
backported ([as requested by @poettering][1]).  However, I am not sure that
this is safe; user-namespace support is not a documented part of the FUSE
protocol, which is what FUSE_KERNEL_VERSION/FUSE_KERNEL_MINOR_VERSION are meant
to capture.  While the same patchset
 - added FUSE_ABORT_ERROR (which is all that the 7.27 version bump
   is documented as including),
 - bumped FUSE_KERNEL_MINOR_VERSION from 26 to 27, and
 - added user-namespace support
these 3 things are not inseparable; it is conceivable to me that a backport
could include the first 2 of those things and exclude the 3rd; perhaps it would
be safer to check the kernel version.

Do note that our get_fuse_version() function uses the fsopen() family of
syscalls, which were not added until Linux kernel v5.2 (2019-07-07); so if
nothing has been backported, then the minimum kernel version for FUSE-in-nspawn
is actually v5.2, not v4.18.

Pass whether or not to enable FUSE to copy_devnodes(); have copy_devnodes()
copy in /dev/fuse if enabled.

Pass whether or not to enable FUSE back over fd_outer_socket to run_container()
so that it can pass that to append_machine_properties() (via either
register_machine() or allocate_scope()); have append_machine_properties()
append "DeviceAllow=/dev/fuse rw" if enabled.

For testing, simply check that /dev/fuse can be opened for reading and writing,
but that actually reading from it fails with EPERM.  The test assumes that if
FUSE is supported (/dev/fuse exists), then the testsuite is running on a kernel
with FUSE >= 7.27; I am unsure how to go about writing a test that validates
that the version check disables FUSE on old kernels.

[1]: https://github.com/systemd/systemd/issues/17607#issuecomment-745418835

Closes #17607
2024-09-07 10:18:35 -06:00
Yu Watanabe
a9987de62c NEWS: fix typo
Follow-up for 7a3a49386c.
2024-09-07 22:26:24 +09:00
Yu Watanabe
c8f2409574 man/varlinkctl: fix typo
Follow-up for 39ce86d19c.
2024-09-07 22:24:58 +09:00
Yu Watanabe
14a499ed77 network/route: fix typo
Follow-up for 195bb6f97e.
2024-09-07 22:22:44 +09:00
Mike Yuan
30b55e98d1
core/manager: do not re-init Manager.lookup_paths when manager_reload()
Follow-up for 99aad9a2b9

The commit changed lookup_paths_init_or_warn() call to
be fatal to manager_reload(), but invoke_main_loop()
assumes that manager_reload() would only return
recoverable error, and put the manager back to
MANAGER_OK in that case, which is spurious.

Looking at it more, it appears to be utterly unnecessary
to reinitialize LookupPaths here, given that nothing during
the reload process would change the search dirs. Let's drop
the path altogether hence.
2024-09-07 14:52:50 +02:00
Mike Yuan
e634df9f16
core/manager: rename NOTIFY_RCVBUF_SIZE to MANAGER_SOCKET_RCVBUF_SIZE
This is used for all our sockets, hence rename as so.
2024-09-07 14:52:50 +02:00
Mike Yuan
ebf0e859da
varlinkctl: downgrade ignored error msg to LOG_WARNING
Follow-up for 39ce86d19c
2024-09-07 14:46:18 +02:00
Mike Yuan
5bab5e4ac3
chattr-util: use BIT_FOREACH where appropriate 2024-09-07 14:46:18 +02:00
Mike Yuan
26f5897767
chattr-util: set O_NOCTTY when reopening O_PATH fd
Follow-up for 07862c9fc2
2024-09-07 14:46:18 +02:00
Daan De Meyer
517e892210 mkosi: Drop _fixperms workaround
This was added to deal with a bug in the rpm 4.20 rc in Rawhide
but since that's been fixed, let's drop the workaround.
2024-09-07 21:20:09 +09:00
Michal Sekletar
887a18b0d3 docs: use actual docs/HACKING.md URL 2024-09-07 12:14:42 +02:00
Luke T. Shumaker
f1bf6054ce nspawn: register_machine() and allocate_scope() bools to flags 2024-09-06 18:33:50 -06:00
Luke T. Shumaker
14762b27d3 nspawn: re-flow comments that are wrapped weird 2024-09-06 18:33:50 -06:00
Luke T. Shumaker
93c15c6d43 test: add a testcase for unprivileged nspawn
Right now it mostly duplicates a test that already exists in
TEST-50-DISSECT.mountfsd.sh, but it serves as a template for more unprivileged
nspawn tests.
2024-09-06 18:33:50 -06:00
Luke T. Shumaker
6cb5c6aeef nspawn: convert copy_devnodes():devnodes from nulstr to strv 2024-09-06 18:33:50 -06:00
Luke T. Shumaker
cde9210efd nspawn: fix the comment about which namespaces outer_child is in
The comment says that it is still in the host's CLONE_NEWUSER namespace,
which is not true if !arg_privileged.  Also, it says that the CLONE_NEWNS
namespace was created by clone(), but if !arg_privileged then it was
actually created by nsresource_allocate_userns() and switched into by
setns().  Fix those inaccuracies.

When trying to word it clearly, there are enough commas and nested clauses
that I think it's clearer to break it into a list/table.
2024-09-06 18:33:50 -06:00
Yu Watanabe
5573e067d0
Merge pull request #34295 from poettering/uki-with-many-ukify
ukify: add multi-profile UKI support
2024-09-07 08:08:48 +09:00
Lennart Poettering
39ce86d19c varlinkctl: add --timeout= switch to tweak time-out behaviour
Fixes: #33772
2024-09-07 07:35:39 +09:00
Lennart Poettering
925095a6db dm-util: get rid of flex array in middle of structure
Fixes: #33936
2024-09-07 07:34:43 +09:00
Takeo Kondo
71f43fc882 man: CAP_SYS_ADMIN does NOT grant any permission for dbus API 2024-09-06 21:16:53 +02:00
Lennart Poettering
d43bf17752
Merge pull request #34298 from poettering/pcrlock-cred-fix
pcrlock: be more careful when preparing credential name for pcrlock p…
2024-09-06 21:16:37 +02:00
Lennart Poettering
fc8ddae76b pcrlock: be more careful when preparing credential name for pcrlock policy
The .cred suffix is stripped from a credential as it is imported from
the ESP, hence it should not be included in the credential name embedded
in the credential.

Fixes: #33497
2024-09-06 18:55:32 +02:00
Lennart Poettering
456cd065bf
Merge pull request #34177 from poettering/pcrlock-and-signed
cryptenroll/cryptsetup: support combined signed PCR + pcrlock policies
2024-09-06 18:11:22 +02:00
Lennart Poettering
bc3e2c5a57 ukify: introduce new --measure-base= switch 2024-09-06 16:12:03 +02:00
Lennart Poettering
b6570095ce ukify: add new --extend= switch for importing an existing UKI's sections to later extend
This options is pretty simple, it allows specifying an UKI whose
sections to import first, and place at the beginning of the new UKI.

This is useful for generating multi-profile UKIs piecemeal: generate the
base UKI first, then append a profile, and another one and another one.

The sections imported this way are not included in any PCR signature,
the assumption is that that already happened before in the imported UKI.
2024-09-06 16:12:03 +02:00
Lennart Poettering
22b8236ff6 ukify: add basic .profile support
This just allows including .profile sections, but doesn't try to be
smart about it. This alone won't help you much to create valid
multi-profile UKIs.
2024-09-06 16:12:03 +02:00
Lennart Poettering
742e00e3f5 journald: mention the access mode we tried to open /dev/kmsg in
Let's make clearer what we are going to use /dev/kmsg for: read/write or just
writing. This hopefully should avoid confusion, such as the one #33975
is result of.

(Also while we are at it, add one extra debug message).

Fixes: #33975
2024-09-06 16:07:27 +02:00
Lennart Poettering
7a3a49386c NEWS: extend the userdb sshd_config NEWS entry a bit 2024-09-06 23:02:29 +09:00
Lennart Poettering
b52af7d243 tpm2-util: introduce tpm2b_sensitive_data_erase_and_esys_freep() destructor
Let's make sure we erase TPM2B_SENSITIVE_DATA structures reliably in all
code paths.
2024-09-06 15:55:28 +02:00
Lennart Poettering
8e6587679b cryptenroll/cryptsetup: allow combined signed TPM2 PCR policy + pcrlock policy
So far you had to pick:

1. Use a signed PCR TPM2 policy to lock your disk to (i.e. UKI vendor
   blesses your setup via signature)
or
2. Use a pcrlock policy (i.e. local system blesses your setup via
   dynamic local policy stored in NV index)

It was not possible combine these two, because TPM2 access policies do
not allow the combination of PolicyAuthorize (used to implement #1
above) and PolicyAuthorizeNV (used to implement #2) in a single policy,
unless one is "further upstream" (and can simply remove the other from
the policy freely).

This is quite limiting of course, since we actually do want to enforce
on each TPM object that both the OS vendor policy and the local policy
must be fulfilled, without the chance for the vendor or the local system
to disable the other.

This patch addresses this: instead of trying to find a way to come up
with some adventurous scheme to combine both policy into one TPM2
policy, we simply shard the symmetric LUKS decryption key: one half we
protect via the signed PCR policy, and the other we protect via the
pcrlock policy. Only if both halves can be acquired the disk can be
decrypted.

This means:

1. we simply double the unlock key in length in case both policies shall
   be used.
2. We store two resulting TPM policy hashes in the LUKS token JSON, one
   for each policy
3. We store two sealed TPM policy key blobs in the LUKS token JSON, for
   both halves of the LUKS unlock key.

This patch keeps the "sharding" logic relatively generic (i.e. the low
level logic is actually fine with more than 2 shards), because I figure
sooner or later we might have to encode more shards, for example if we
add further TPM2-based access policies, for example when combining FIDO2
with TPM2, or implementing TOTP for this.
2024-09-06 15:55:28 +02:00
Lennart Poettering
664570f531 iovec-util: add iovec_append() for appending to an existing iovec 2024-09-06 15:23:14 +02:00
Lennart Poettering
9a78f9e10c
Merge pull request #34291 from poettering/utmpx-all-the-way
tree-wide: complete the switch to utmpx
2024-09-06 15:22:52 +02:00