mirror of https://github.com/systemd/systemd.git synced 2024-10-29 21:55:36 +03:00
57513 Commits

Author SHA1 Message Date
Lennart Poettering
94602bff1f execute: add more debug logging 2022-04-22 11:32:47 +02:00
Lennart Poettering
1d68a2e168 execute: restore ability that SetCredential= can act as fallback for LoadCredential=
If SetCredential= and LoadCredentials= are combined for the same
credential name, then the former shall act as fallback for the latter in
case the source file does not exist. That's documented, but didn't work.
Let's fix that.
2022-04-22 11:32:47 +02:00
Lennart Poettering
f344f7fdca execute: restore ability to propagate creds from further up (i.e. container manager and such)
This was broken in 3989bdc1ad, let's
restore the functionality.

Basically, we want that if a relative name is specified as source to
load from we take it relative to the credentials dir the service manager
itself got passed.
2022-04-22 11:32:47 +02:00
Lennart Poettering
61c5a49eb2 execute: share error path between reg file/dir credential loading 2022-04-22 11:32:47 +02:00
Lennart Poettering
9e6e9d61bd execute: correct comments
This is not done first, but second.

Also, while we are at it, explain why faccessat() is OK here.
2022-04-22 11:32:47 +02:00
Lennart Poettering
9883cbb203 execute: sort directory entries when loading credentials recursively
Given that the recursive credential loading allows two ways to load the
same credentials, it's important to define a clear order so that it is
always the same one that wins.

i.e. if you use LoadCredential=foobar:/tmp/xyz and there are two files
/tmp/xyz/abc/cde and /tmp/xyz/abc_cde these would both result in a
credential foobar_abc_cde being set, hence it is important to make clear
which one shall win, and that it is always the same one.
2022-04-22 11:32:47 +02:00
Lennart Poettering
5bec447afb execute: drop 'seen_creds' set
When checking whether we already loaded a credential before, let's just
use faccessat() in the credential dir we are populating. First of all,
we already do it exactly that way when applying SetCredential= settings
later. Secondly, this is not performance relevant, and by using
faccessat() things simply become a lot simpler.
2022-04-22 11:32:46 +02:00
Lennart Poettering
461345a164 execute: simplify 'load_creds_args' struct a bit
Given we only need a single field off the ExecLoadCredential structure
we don't have to link it as a whole, but just copy that one bit over
directly, simplifying the struct a bit.
2022-04-22 11:32:46 +02:00
Lennart Poettering
1134838615 execute: let recurse_dir() concate the cred name for us
recurse_dir() allows specifying a freely choosable initial path to
which to append the subdirs as it descends into the tree. If we pass the
configured id there, recurse_dir() will suffix the subdir to that for
us, so that we don't have to do that manually anymore in the callback,
simplifying things a bit.
2022-04-22 11:32:46 +02:00
Lennart Poettering
3691083ce5 execute: passing NULL as second argument for recurse_dir() is equivalent to "" 2022-04-22 11:32:46 +02:00
Lennart Poettering
1451435ca5 execute: debug log if a generated recursive cred name is too long 2022-04-22 11:32:46 +02:00
Lennart Poettering
10b44e1dc1 execute: rework load_credential() not to take an ExecLoadCredential object we must synthesize
Let's just simplify the logic and pass the fields we need as regular
arguments, even if that means the function now has a lot. It's otherwise
really weird that we have to fake a local ExecLoadCredential from the
real one.
2022-04-22 11:32:46 +02:00
Lennart Poettering
9a6994e971 execute: drop double empty line 2022-04-22 10:58:41 +02:00
Lennart Poettering
6394e5cd34 execute: use ASSERT_PTR where appropriate 2022-04-22 10:58:41 +02:00
Lennart Poettering
127927b2c2 update TODO 2022-04-22 10:56:47 +02:00
Lennart Poettering
44d5dd655e tpm2-util: if we run in a container, ignore /sys/class/tpmrm/* contents 2022-04-22 10:15:21 +02:00
davijosw
2338b8f9c5
hwdb: add resolutions for the Vaio FE14 touchpad (#23136) 2022-04-22 11:41:37 +10:00
Daan De Meyer
a2a9d54108 kernel-install: Skip execution if $KERNEL_INSTALL_BYPASS=1 2022-04-22 09:12:08 +09:00
Daan De Meyer
041456246c mkosi: Update to latest commit
We recently added caching for the dependencies we build from source
in mkosi's github action which speeds up builds by +-10 minutes. Let's
update to the latest commit so we benefit from this in systemd's mkosi
CI as well.
2022-04-22 09:09:13 +09:00
Evgeny Vereshchagin
ebd4541efe oss-fuzz: turn off fuzz-introspector
fuzz-introspector passes -fuse-ld=gold and -flto using CFLAGS/LDFLAGS and due to
https://github.com/mesonbuild/meson/issues/6377#issuecomment-575977919 and
https://github.com/mesonbuild/meson/issues/6377 it doesn't mix well with meson.
It's possible to build systemd with duct tape there using something like
https://github.com/google/oss-fuzz/pull/7583#issuecomment-1104011067 but
apparently even with gold and lto some parts of systemd are missing from
reports (presumably due to https://github.com/google/oss-fuzz/issues/7598).
Let's just fail here for now to make it clear that fuzz-introspector isn't supported.
2022-04-22 09:08:47 +09:00
Lennart Poettering
d43ea6c8ff man: make clear that encrypted credentials are also authenticated
We use authenticated encryption, and that deserves mention. This is in
particular relevant as the fact they are authenticated makes the
credentials useful as initrd parameterization items.
2022-04-21 23:23:14 +02:00
Sonali Srivastava
92c9f47d05 hostnamed: update to use new style sd-bus macros 2022-04-21 23:22:52 +02:00
Lennart Poettering
255689ae92 bus-unit-util: make sure we can set LoadCredentials= property with a single string
LoadCredentials= in unit files supports a syntax passing a single string
only (in which case the credentials are propagated down from the host),
but systemd-run's --property= setting doesn't allow that yet. Fix that.
2022-04-21 15:28:57 +02:00
Lennart Poettering
6a25ce4380
Merge pull request #23148 from poettering/creds-util-mini-tweaks
creds-util: two minor tweaks
2022-04-21 15:07:45 +02:00
Matthew Blythe
6ae16e01b5 hwdb 60-keyboard Add HP/Compaq KBR0133 2022-04-21 20:56:17 +09:00
Lennart Poettering
fa998da2df creds-util: upgrade message about TPM2 not working 2022-04-21 10:51:00 +02:00
Lennart Poettering
d2cba923be creds-util: also warn about unencrypted creds host key if we are creating it
Previously we'd only warn when we consume it, but it's even more
relevant to warn if we save it to an unencrypted storage location.
2022-04-21 10:50:09 +02:00
Lennart Poettering
e921a00d41 main: voidify call to kmod_setup() 2022-04-21 10:37:32 +02:00
Lennart Poettering
7f40cb7c86 sd-bus: switch to a manual overflow check in sd_bus_track_add_name()
This is generally used in a directly client controllable way, hence we
should handle ref count overflow gracefully, instead of hitting an
assert().

As discussed:

https://github.com/systemd/systemd/pull/23099#discussion_r854341850
2022-04-21 08:58:35 +09:00
Lennart Poettering
7d3e856e82 macro: upgrade ref counting overflow check assert() → assert_se()
The overflow check for ref counting should not be subject to NDEBUG,
hence upgrade assert() → assert_se(). (The check for zero is an
immediate bug in our code, and should be impossible to trigger, hence
it's fine if the check is optimized away if people are crazy enough to
set NDEBUG, so that can stay assert())

https://github.com/systemd/systemd/pull/23099#discussion_r854341850
2022-04-21 08:56:32 +09:00
Lennart Poettering
55fc776bbc update TODO 2022-04-20 23:20:08 +02:00
Lennart Poettering
231a1caf5e
Merge pull request #23122 from poettering/creds-has-tpm2
tpm2: beef up tpm2 support checks
2022-04-20 23:18:02 +02:00
Lennart Poettering
ebf3ee4105 man: update TPM2 PCR documentation
The assignments were partly simply incorrectly documented, partly changed
with 4d32507f51 and partly missing.
Moreover kernel 5.17 now measures all initrds to PCR 9 on its own
(https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f046fff8bc4c4d8f8a478022e76e40b818f692df)

Let's correct all this and bring it up-to-date.

And while we are at it extend the docs about this in systemd-stub, with
a new table that indicates which OS resource is protected by which PCR.
2022-04-20 21:30:49 +02:00
Yu Watanabe
f4bdbae725
Merge pull request #23084 from poettering/creds-no-tpm2-fallback
creds: add semi-automatic fallback support for initrd credentials on systems lacking TPM2
2022-04-21 04:11:19 +09:00
Lennart Poettering
947914cb44
Merge pull request #23099 from yuwata/sd-bus-track-fixlets
sd-bus: fix counter
2022-04-20 18:23:05 +02:00
Lennart Poettering
fe43a638c5 update TODO 2022-04-20 17:49:17 +02:00
Lennart Poettering
b6553329c0 creds-util: permit credentials encrypted/signed by fixed zero length keys as fallback for systems lacking TPM2
This is supposed to be useful when generating credentials for immutable
initrd environments, where it is relevant to support credentials even
on systems lacking a TPM2 chip.

With this, if `systemd-creds encrypt --with-key=auto-initrd` is used a
credential will be encrypted/signed with the TPM2 if it is available and
recognized by the firmware. Otherwise it will be encrypted/signed with
the fixed empty key, thus providing no confidentiality or authenticity.

The idea is that distributions use this mode to generically create
credentials that are as locked down as possible on the specific
platform.
2022-04-20 17:49:17 +02:00
Lennart Poettering
571d829ee4 creds-util: add an explicit 128bit ID for identifying "automatic" key determination
Previously, when encrypting creds you could pick which key to use for
this via a 128bit ID identifying the key type, and use an all zero ID
for requesting automatic mode.

Let's change this to use an explicitly picked 128bit ID for automatic
mode, i.e. something other than all zeros. This is in preparation for
adding one further automatic mode with slightly different semantics.

no change in behaviour.

Note that the new 128bit id is never written to disk but only used
internally to indicate a specific case.
2022-04-20 17:49:16 +02:00
Lennart Poettering
7cac4a2e2d creds-util: refuse unexpected key types explicitly 2022-04-20 17:19:45 +02:00
Daan De Meyer
b9b156ea3c
Merge pull request #23124 from yuwata/fixes-for-post-merge-review
Fixes for post merge review
2022-04-20 17:15:40 +02:00
Lennart Poettering
eb81249e8a man: document new has-tpm2 verb 2022-04-20 16:58:18 +02:00
Lennart Poettering
6e0cb81505 creds-tool: add new "has-tpm2" verb
Sometimes it's useful from shell scripts to check if we have a working
TPM2 chip around. For example, when putting together encrypted
credentials for the initrd (after all: it might be wise to place the
root pw in a credential for the initrd to consume, but do so only if we
can lock it to the TPM2, and not otherwise, so that we risk nothing).

Hence, let's add a new "systemd-creds has-tpm2" verb: it returns zero if we
have a working TPM2 (which means: supported by kernel + firmware + us),
or non-zero otherwise. Also show which parts are available.

Use-case: in future the 'kernel-install' script should use this when
deciding whether to augment kernels with security sensitive credentials.
2022-04-20 16:58:18 +02:00
Lennart Poettering
0ea911d14c bootctl: use new tpm2_support() helper to show TPM2 info
Let's improve the output regarding TPM2 support in "bootctl": let's show
whether we have local driver support and/or firmware support, and
colorize it.

(For now, don't show if we natively support TPM2, since the tool is
mostly about boot time stuff, where it doesn't really matter much what we
do in userspace)
2022-04-20 16:58:18 +02:00
Lennart Poettering
e1be2c779c condition: rework ConditionSecurity=tpm2 check on top of tpm2_support()
No change in behaviour. Let's just use our new helper here.
2022-04-20 16:58:18 +02:00
Lennart Poettering
ba57855628 tpm2-util: add helper that checks for the various facets of TPM2 support
So far we were a bit sloppy regarding checks for TPM2 support. Let's
make things more precise and introduce a single helper that checks for
three axes of TPM2 support: whether we have a loaded kernel driver,
whether the firmware used it, and whether we ourselves are compiled for
it.

This only adds the helper. Follow-up patches will use it at various
places.
2022-04-20 16:58:18 +02:00
Lennart Poettering
47a9f91760 update TODO 2022-04-20 15:45:10 +02:00
Lennart Poettering
8b82513375 update TODO 2022-04-20 14:49:53 +02:00
Luca Boccassi
7d40544643
Merge pull request #23126 from keszybz/clone3-prohibit
Prohibit clone3() when RestrictNamespaces is used
2022-04-20 11:27:58 +02:00
Luca Boccassi
da13d2ca07 compression: add separate pre-processor definitions
Follow-up for cd3c6322db

journal-def.h should be self-contained too, as it represents the journal object ABI.
Duplicate the enums, as they also need to be in config.h for it to be self-contained,
and enums are not available to the preprocessor. Use an assert to ensure they don't
diverge.
2022-04-19 23:18:19 +02:00
Zbigniew Jędrzejewski-Szmek
30193fe817 manager: prohibit clone3() in seccomp filters
RestrictNamespaces should block clone3() like flatpak:
a10f52a756

clone3() passes arguments in a structure referenced by a pointer, so we can't
filter on the flags as with clone(). Let's disallow the whole function call.
2022-04-19 22:04:31 +02:00