IF YOU WOULD LIKE TO GET AN ACCOUNT, please write an
email to Administrator. User accounts are meant only to access repo
and report issues and/or generate pull requests.
This is a purpose-specific Git hosting for
BaseALT
projects. Thank you for your understanding!
Только зарегистрированные пользователи имеют доступ к сервису!
Для получения аккаунта, обратитесь к администратору.
The -mkernel option was dropped in
da445a5858
We also need to ensure that the include paths are properly set for the
linux kernel headers.
Fixes: #31869
Rate limiting authentication attempts in the test can cause somewhat
sporadic test failures: adding a test case might suddenly cause future
test cases to fail because of too many authentication attempts too
quickly
We're not trying to test the rate-limiting, we're trying to test the
functionality of homed. So we effectively disable rate-limiting on all
the home areas we create
This makes it possible to update a home record (and blob directory) of a
home area that's either completely absent (i.e. on a USB stick that's
unplugged) or just inaccessible due to lack of authentication
This bypasses authentication (i.e. user_record_authenticate) if the
volume key was loaded from the keyring and no secret section is
provided.
This also changes Update() and Resize() to always try and load the
volume key from the keyring. This makes the secret section optional for
these methods while still letting them function (as long as the home
area is active)
This commit makes homework always upload the LUKS volume key into the
kernel keyring. This is different from previous behavior in three
notable ways:
- Previously, we'd only upload if auto-resize was on. In preparation for
upcoming changes, now we always upload
- Previously, we'd upload the user's actual password (or a password
obtained from a FIDO key or similar). Now, we upload the LUKS volume key
itself, to remove a layer of unnecessary indirection.
- Previously, Lock() wouldn't remove the key from the kernel keyring.
This, of course, defeats the purpose of Lock(), so now it removes the
key
This commit also allows the LUKS volume to be unlocked using the volume
key we obtained from the keyring.
Before this fix, the following sequence of events was possible:
1. A client holding a Ref() FD closes their FD
2. kernel sends notification that all clients closed their FDs
3. Another client obtains its own Ref() FD from homed
4. homed handles the notification that all clients have closed their
Ref() FDs. Thus it loses track of the fact that the session is
actually still being held open by the client from step 3
This change makes sure that homed won't respond to bus messages (and
thus won't open more Ref() FDs) until it has handled all notifications
about the existing FDs being closed.
logind has had a very similar fix applied to it in
e11544a8305ab9dea097c74bb16e296150c9cc10
Fixes https://github.com/systemd/systemd/issues/31518
Resolves https://github.com/systemd/systemd/issues/31637.
lld-18 does the section setup differently than older versions. There is a bunch
of ordering chagnes, but it also inserts the following:
Sections:
Idx Name Size VMA LMA File off Algn
...
9 .got 00000000 00000000000283c0 00000000000283c0 000283c0 2**3
CONTENTS, ALLOC, LOAD, DATA
10 .relro_padding 00000c40 00000000000283c0 00000000000283c0 000283c0 2**0
ALLOC
11 .data 00000024 00000000000293c0 00000000000293c0 000283c0 2**4
CONTENTS, ALLOC, LOAD, DATA
...
This causes a problem for us, because we try to map the .got to .rodata,
and the subsequent .data to .data, and round down the VMA to the nearest
page, which causes the PE sections to overlap.
https://github.com/llvm/llvm-project/pull/66042 adds .relro_padding to make
sure that the RELRO segment is properly write protected and allocated. For our
binaries, the .got section is empty, so we can skip it safely, and the
.relro_padding section is not useful once .got has been dropped.
We don't expect .got sections, but they are apparently inserted on i386 and
aarch64 builds. Emit a warning until we figure out why they are there.
For CI in mkosi, I want to configure systemd to log at debug level
to the journal, but not to the console. While we already have max
level settings for journald's forwarding settings, not every log line
goes to the journal, specifically during early boot and when units
are connected directly to the console (think systemd-firstboot), so
let's extend the log level options we already have to allow specifying
a comma separated list of values and lets allow prefixing values with
the log target they apply to to make this possible.
usage:
(1) get latest revocation list for your architecture
from https://uefi.org/revocationlistfile
(2) copy the file to $ESP/loader/keys/$name/dbx.auth
logind is not zero-downtime restartable yet, specifically it's not yet
restarted in the Fedora spec, so we can end up in situations where we're
running newer logind with older pid1 which doesn't know about the PIDFDs=
property, so let's make sure we have a fallback in place for when that
happens.
