1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-25 01:34:28 +03:00
Commit Graph

77357 Commits

Author SHA1 Message Date
Daan De Meyer
a07864a4fe bootctl: Add --secure-boot-auto-enroll
When specified, bootctl install will also set up secure boot
auto-enrollment. For now, We sign all variables using the same
certificate and key pair.
2024-11-03 10:46:17 +01:00
Daan De Meyer
eac5336c27 openssl-util: Query engine/provider pin via ask-password
In mkosi, we want to support signing via a hardware token. We already
support this in systemd-repart and systemd-measure. However, if the
hardware token is protected by a pin, the pin is asked as many as 20
times when building an image as the pin is not cached and thus requested
again for every operation.

Let's introduce a custom openssl ui when we use engines and providers
and plug systemd-ask-password into the process. With systemd-ask-password,
the pin can be cached in the kernel keyring, allowing us to reuse it without
querying the user again every time to enter the pin.

We use the private key URI as the keyring identifier so that the cached pin
can be shared across multiple tools.

Note that if the private key is pin protected, openssl will prompt both when
loading the private key using the pkcs11 engine and when actually signing the
roothash. To make sure our custom UI is used when signing the roothash, we have
to also configure it with ENGINE_ctrl() which takes a non-owning pointer to
the UI_METHOD object and its userdata object which we have to keep alive so we
introduce a new AskPasswordUserInterface struct which we use to keep both objects
alive together with the EVP_PKEY object.

Because the AskPasswordRequest struct stores non-owning pointers to its fields,
we change repart to store the private key URI as a global variable again instead
of the EVP_PKEY object so that we can use the private key argument as the keyring
field of the AskPasswordRequest instance without running into lifetime issues.
2024-11-03 10:46:14 +01:00
Daan De Meyer
d5c12da904 efivars: Remove STRINGIFY() helper macros
The names of these conflict with macros from efi.h that we'll move
to efi-fundamental.h in a later commit. Let's avoid the conflict by
getting rid of these helpers. Arguably this also improves readability
by clearly indicating we're passing arbitrary strings and not constants
to the macros when we invoke them.
2024-11-02 23:20:57 +01:00
Daan De Meyer
36c6c696a7 ask-password: Add $SYSTEMD_ASK_PASSWORD_KEYRING_TYPE
Currently ask_password_auto() will always try to store the password into
the user keyring. Let's make this configurable so that we can configure
ask_password_auto() into the session keyring. This is required when working
with user namespaces, as the user keyring is namespaced by user namespaces
which makes it impossible to share cached keys across user namespaces by using
the user namespace while this is possible with the session keyring.
2024-11-02 23:20:57 +01:00
Daan De Meyer
01d138b990 ask-password: Drop "default" for SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC
Users can simply unset the environment variable to achieve the same effect.
2024-11-02 23:20:57 +01:00
Daan De Meyer
b3bca11c18 ask-password: Use default timeout if SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC is unset
Follow-up for d9f4dad986
2024-11-02 23:20:57 +01:00
Daan De Meyer
d980aee1e8 mkosi: Add extra tools tree packages required to run integration tests
With https://github.com/systemd/mkosi/pull/3164, we'll be able to run
arbitrary commands in the mkosi sandbox, which has /usr from the tools
tree if one is configured. Let's add the required packages to be able to
run meson to setup the integration tests. This allows running the integration
tests without having to install meson or other build dependencies on the
host system.

"""
mkosi sandbox meson setup build
mkosi sandbox meson compile -C build mkosi
mkosi sandbox env SYSTEMD_INTEGRATION_TESTS=1 meson test -C build ...
"""
2024-11-02 23:18:41 +01:00
dependabot[bot]
4839fb527f build(deps): bump systemd/mkosi
Bumps [systemd/mkosi](https://github.com/systemd/mkosi) from 2a35f9958bc6b82d95d1eac02dc245e9bb068765 to 8976a0abb19221e65300222f2d33067970cca0f1.
- [Release notes](https://github.com/systemd/mkosi/releases)
- [Commits](2a35f9958b...8976a0abb1)

---
updated-dependencies:
- dependency-name: systemd/mkosi
  dependency-type: direct:production
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-02 23:18:12 +01:00
Daan De Meyer
e1a105a6f9
Two integration test fixes (#34984) 2024-11-02 22:12:27 +01:00
Daan De Meyer
2ec809dd3b TEST-64-UDEV-STORAGE: Don't hardcode device name in long-sysfs-path test
There's no guarantee our device will be named /dev/vda, so give it
a serial so we can query for its devname inside the test.
2024-11-02 20:43:22 +01:00
Daan De Meyer
29a8e71d9c TEST-17-UDEV: Don't hardcode root device name
There's no guarantee the root device will be /dev/sda, so let's use
bootctl to get the actual path instead of harcoding it.
2024-11-02 20:43:19 +01:00
Ronan Pigott
f4092cb974 pam: quiet a spurious debug message
This singular debug message gets printed even if debug is not enabled.
Quiet this message when debug is not enabled for consistency.
2024-11-02 22:47:17 +09:00
Luca Boccassi
5cae569818 user-record: add missing comma to list of strings
Follow-up for ad03f2d5f0
2024-11-02 22:46:45 +09:00
Luca Boccassi
89099136d7
machine: introduce io.systemd.MachineImage.{Clone, Remove} methods (#34853)
This PR introduces io.systemd.MachineImage.Clone and Remove methods.
They are 1:1 mapping to DBus alternatives.
2024-11-02 12:06:23 +00:00
Luca Boccassi
c7e818fc1a
Add support for id-mapped mounts to Exec directories (#34078)
Currently, bind-mounted directories within a user/mount namespace get
the uid/gid stored on their files. If the host creates a file in the
source directory, it will still show as root in the namespace.
Id-mapping is a filesystem feature that allows a mount namespace to show
a different uid than what is actually stored on a file. Add support for
id-mappings to exec directories, so that the files within the mount
namespace are owned by the unprivileged uid/gid.

Example:

Using unit:
```
[Unit]
Description=Sample service

[Service]
MountAPIVFS=yes
DynamicUser=yes
PrivateUsers=yes
TemporaryFileSystem=/run /var/opt /var/lib /vol
UMask=0000
ExecStart=/bin/bash -c 'while true; do echo "ping"; sleep 5; done'
StateDirectory=andresstatedir:sampleservice

[Install]
WantedBy=multi-user.target
```

In the host namespace, creating a file "test":
```
root@abeltran-test:/var/lib/andresstatedir# ls -lah
total 8.0K
drwxr-xr-x 2 root root 4.0K Aug 21 23:48 .
drwx------ 3 root root 4.0K Aug 21 23:47 ..
-rw-r--r-- 1 root root    0 Aug 21 23:48 test
```

Within the unit namespace:
```
root@abeltran-test:/var/lib/sampleservice# ls -lah
total 4.0K
drwxr-xr-x 2 63750 63750 4.0K Aug 21 23:48 .
drwxr-xr-x 3 root  root    60 Aug 21 23:47 ..
-rw-r--r-- 1 63750 63750    0 Aug 21 23:48 test
```
```
root@abeltran-test:/# mount | grep and
/dev/sda1 on /var/lib/private/andresstatedir type ext4 (rw,nosuid,noexec,relatime,idmapped,discard,errors=remount-ro,commit=30)
```
2024-11-02 12:04:49 +00:00
Luca Boccassi
c166969137
logind: respect SD_LOGIND_ROOT_CHECK_INHIBITORS with weak blockers (#34969)
The check for the old flag was not restored when the weak blocker was
added, add it back. Also skip polkit check for root for the weak
blocker, to keep compatibility with the previous behaviour.

Partially fixes https://github.com/systemd/systemd/issues/34091

Follow-up for 804874d26a
2024-11-02 11:27:28 +00:00
Andres Beltran
eae5127246 core: add id-mapped mount support for Exec directories 2024-11-01 18:45:28 +00:00
Andres Beltran
edae62120f namespace-util: add util function to check if id-mapped mounts are supported for a given path 2024-11-01 18:41:27 +00:00
Lennart Poettering
acc35e5129
core/service: don't propagate stop jobs if RestartMode=direct (#34768)
Fixes https://github.com/systemd/systemd/issues/34758
2024-11-01 17:25:49 +01:00
Luca Boccassi
ffd81a1202 resolve: remove always-true superflous check and rename label
Fixes https://github.com/systemd/systemd/security/code-scanning/2900
2024-11-01 15:44:01 +00:00
Luca Boccassi
93445c2e89 logind: ensure the stronger inhibitor currently in place is taken into account 2024-11-01 15:43:14 +00:00
Luca Boccassi
845f95b9e0 logind: respect SD_LOGIND_ROOT_CHECK_INHIBITORS with weak blockers
The check for the old flag was not restored when the weak
blocker was added, add it back. Also skip polkit check for
root for the weak blocker, to keep compatibility with the
previous behaviour.

Partially fixes https://github.com/systemd/systemd/issues/34091

Follow-up for 804874d26a
2024-11-01 15:43:14 +00:00
Ivan Kruglov
b50fe8a0d9 machine: remove redundant --more in TEST-13-NSPAWN.machined 2024-11-01 15:30:39 +01:00
Ivan Kruglov
0c16936acc machine: tests for io.systemd.MachineImage.{Clone, Remove} methods 2024-11-01 15:30:39 +01:00
Ivan Kruglov
88d0b72833 machine: use ImageUpdateParameters in io.systemd.MachineImage.Update 2024-11-01 15:30:39 +01:00
Ivan Kruglov
cc060c2910 machine: reuse VARLINK_DEFINE_IMAGE_LOOKUP_AND_POLKIT_FIELDS in io.systemd.MachineImage.Update declaration 2024-11-01 15:30:39 +01:00
Ivan Kruglov
1663455b63 machine: introduce io.systemd.MachineImage.Remove method 2024-11-01 15:30:39 +01:00
Ivan Kruglov
38a0cf4172 machine: introduce io.systemd.MachineImage.Clone method 2024-11-01 15:30:34 +01:00
Ivan Kruglov
95d5b9097b machine: use report_errno_and_exit() in dbus code 2024-11-01 15:21:22 +01:00
Ivan Kruglov
30a34657b8 machine: introduce report_errno_and_exit() 2024-11-01 15:21:22 +01:00
Ivan Kruglov
a52ce4a29d machine: align polkit verb of io.systemd.MachineImage.Update with the rest of the code 2024-11-01 15:20:59 +01:00
Luca Boccassi
74a17f875f
hwdb: update for v257 (#34976) 2024-11-01 12:32:56 +00:00
Lennart Poettering
d248e1a8d6 update hwdb 2024-11-01 12:32:06 +00:00
Lennart Poettering
2e4432507b hwdb: import newest autosuspend rules from chromeos 2024-11-01 12:32:06 +00:00
Daan De Meyer
70af6703b0 mkosi: Set BuildSourcesEphemeral=no in mkosi.clangd
We're just running a language server so no need to put a writable
overlay on top of the build sources to prevent modifications. This
hopefully helps the language server track modifications to the source
files better.
2024-11-01 13:30:45 +01:00
Luca Boccassi
c77f4f5df7
coredump: lock down EnterNamespace= mount even more (#34975)
Let's disable symlink following if we attach a container's mount tree to
our own mount namespace. We afte rall mount the tree to a different
location in the mount tree than where it was inside the container, hence
symlinks (if they exist) will all point to the wrong places (even if
relative, some might point to other places). And since symlink attacks
are a thing, and we let libdw operate on the tree, let's lock this down
as much as we can and simply disable symlink traversal entirely.
2024-11-01 12:25:35 +00:00
dependabot[bot]
593b125a30 build(deps): bump meson from 1.5.2 to 1.6.0 in /.github/workflows
Bumps [meson](https://github.com/mesonbuild/meson) from 1.5.2 to 1.6.0.
- [Release notes](https://github.com/mesonbuild/meson/releases)
- [Commits](https://github.com/mesonbuild/meson/compare/1.5.2...1.6.0)

---
updated-dependencies:
- dependency-name: meson
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-01 11:45:37 +00:00
Luca Boccassi
e7bbcbb27c Update NEWS 2024-11-01 11:39:26 +00:00
Luca Boccassi
fdccba15be
util-lib/systemd-run: implement race-free PTY peer opening (#34953)
This makes use of the new TIOCGPTPEER pty ioctl() for directly opening a
PTY peer, without going via path names. This is nice because it closes a
race around allocating and opening the peer. And also has the nice
benefit that if we acquired an fd originating from some other
namespace/container, we can directly derive the peer fd from it, without
having to reenter the namespace again.
2024-11-01 11:29:19 +00:00
Luca Boccassi
d86e9b64e4
tweaks to ANSI sequence (OSC) handling (#34964)
Fixes: #34604

Prompted by that I realized we do not correctly recognize both "ST"
sequences we want to recognize, fix that.
2024-11-01 11:18:57 +00:00
Luca Boccassi
1006022e4c
Homed update policy: user changing own settings (#31153)
Rework of #30109 to deal with changes in #30840 and discussed changes to
behavior

Depends on and includes #30840 

Fixes https://github.com/systemd/systemd/issues/34268
2024-11-01 11:14:04 +00:00
Luca Boccassi
57b908caef
network: update tunnel or vxlan with Local=dhcp4 and friends (#34957)
Fixes #24854.
2024-11-01 11:10:21 +00:00
Luca Boccassi
890bdd1d77 core: add read-only flag for exec directories
When an exec directory is shared between services, this allows one of the
service to be the producer of files, and the other the consumer, without
letting the consumer modify the shared files.
This will be especially useful in conjunction with id-mapped exec directories
so that fully sandboxed services can share directories in one direction, safely.
2024-11-01 10:46:55 +00:00
Adrian Vovk
6a2d4a233d test: Test user record selfModifiable behavior 2024-11-01 10:41:46 +00:00
Adrian Vovk
a192250eda homed: Allow user to change parts of their record
This allows an unprivileged user that is active at the console to change
the fields that are in the selfModifiable allowlists (introduced in a
previous commit) without authenticating as a system administrator.

Administrators can disable this behavior per-user by setting the
relevant selfModifiable allowlists, or system-wide by changing the
policy of the org.freedesktop.home1.update-home-by-owner Polkit action.
2024-11-01 10:41:46 +00:00
Adrian Vovk
ad03f2d5f0 user-record: Introduce selfModifiable fields
Allows the system administrator to configure what fields the user is
allowed to edit about themself, along with hard-coded defaults.
2024-11-01 10:41:46 +00:00
dependabot[bot]
7fdcd903ab build(deps): bump actions/checkout from 4.2.0 to 4.2.2
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.2.0 to 4.2.2.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](d632683dd7...11bd71901b)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-11-01 11:25:37 +01:00
Lennart Poettering
cbddc201e5 man: <strong> is not a valid docbook tag, but <emphasis> is 2024-11-01 10:12:44 +01:00
Lennart Poettering
f0a1d44939 update NEWS 2024-11-01 10:12:41 +01:00
Lennart Poettering
00f7398049 coredump: rename gather_pid_mount_tree_fd() → acquire_pid_mount_tree_fd()
From my understanding of the english language "gather" imples there are
multiple things to gather. But here there's only one, hence use
"acquire"
2024-11-01 10:07:55 +01:00