1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00
Commit Graph

76188 Commits

Author SHA1 Message Date
Lennart Poettering
8e6587679b cryptenroll/cryptsetup: allow combined signed TPM2 PCR policy + pcrlock policy
So far you had to pick:

1. Use a signed PCR TPM2 policy to lock your disk to (i.e. UKI vendor
   blesses your setup via signature)
or
2. Use a pcrlock policy (i.e. local system blesses your setup via
   dynamic local policy stored in NV index)

It was not possible combine these two, because TPM2 access policies do
not allow the combination of PolicyAuthorize (used to implement #1
above) and PolicyAuthorizeNV (used to implement #2) in a single policy,
unless one is "further upstream" (and can simply remove the other from
the policy freely).

This is quite limiting of course, since we actually do want to enforce
on each TPM object that both the OS vendor policy and the local policy
must be fulfilled, without the chance for the vendor or the local system
to disable the other.

This patch addresses this: instead of trying to find a way to come up
with some adventurous scheme to combine both policy into one TPM2
policy, we simply shard the symmetric LUKS decryption key: one half we
protect via the signed PCR policy, and the other we protect via the
pcrlock policy. Only if both halves can be acquired the disk can be
decrypted.

This means:

1. we simply double the unlock key in length in case both policies shall
   be used.
2. We store two resulting TPM policy hashes in the LUKS token JSON, one
   for each policy
3. We store two sealed TPM policy key blobs in the LUKS token JSON, for
   both halves of the LUKS unlock key.

This patch keeps the "sharding" logic relatively generic (i.e. the low
level logic is actually fine with more than 2 shards), because I figure
sooner or later we might have to encode more shards, for example if we
add further TPM2-based access policies, for example when combining FIDO2
with TPM2, or implementing TOTP for this.
2024-09-06 15:55:28 +02:00
Lennart Poettering
664570f531 iovec-util: add iovec_append() for appending to an existing iovec 2024-09-06 15:23:14 +02:00
Lennart Poettering
9a78f9e10c
Merge pull request #34291 from poettering/utmpx-all-the-way
tree-wide: complete the switch to utmpx
2024-09-06 15:22:52 +02:00
Lennart Poettering
22f3f2cebd man: document that sd_bus_message_read_strv() happily spits out empty arrays as NULL
Fixes: #34163
2024-09-06 14:10:12 +02:00
Lennart Poettering
51da613bc4 tree-wide: use UTMPX_FILE rather than _PATH_UTMPX
Apparently _PATH_UTMPX is a glibc'ism. UTMPX_FILE is the same thing and
what everyone else uses. Since they are otherwise equivalent, let's just
switch.
2024-09-06 13:54:19 +02:00
Lennart Poettering
98dc726902 test-utmp: replace UT_LINESIZE/UT_NAMESIZE/UT_HOSTSIZE with sizeof_field()
utmpx doesn't know these defines, hence fix them.
2024-09-06 13:54:15 +02:00
Lennart Poettering
983fee2e94 tree-wide: drop unnecessary utmp includes 2024-09-06 13:54:12 +02:00
Lennart Poettering
f3389fffd6 user-util: switch from utmp to utmpx
We generally use utmpx instead of utmp (both are actually identical on
Linux, but utmpx is POSIX, while utmp is not). Let's fix one left-over
case.

UT_NAMESIZE does not exist in utmpx world, it has no direct counterpart,
hence let's just sizeof_field() to determine the size of the actual
field. (which comes to the same result of course: 32).
2024-09-06 13:54:09 +02:00
Etienne Cordonnier
4ac1755be2 coredump: set ProtectHome to read-only
In 924453c225
ProtectHome was set to true for systemd-coredump in order to reduce risk, since an attacker could craft a malicious binary in order to compromise systemd-coredump.
At that point the object analysis was done in the main systemd-coredump process.
Because of this systemd-coredump is unable to product symbolicated call-stacks for binaries running under /home ("n/a" is shown instead of function names).

However, later in 61aea456c1 systemd-coredump was changed to do the object analysis in a forked process,
covering those security concerns.

Let's set ProtectHome to read-only so that systemd-coredump produces symbolicated call-stacks for processes running under /home.
2024-09-06 13:30:36 +02:00
Lennart Poettering
b9ea646808
Merge pull request #34279 from yuwata/ask-password
ask-password: refuse empty password strv
2024-09-06 13:30:15 +02:00
Lennart Poettering
5bef96b939
Merge pull request #34285 from poettering/boot-measure-profile
measure: introduce support for a new ".profile" section
2024-09-06 13:06:58 +02:00
Léane GRASSER
cb8ec50632 po: Translated using Weblate (French)
Currently translated at 100.0% (253 of 253 strings)

Co-authored-by: Léane GRASSER <leane.grasser@proton.me>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/fr/
Translation: systemd/main
2024-09-06 18:53:32 +09:00
Lennart Poettering
0f0bed8be6 measure: introduce support for a new ".profile" section
This introduces the concept, and makes sure systemd-measure covers it.
See a later commit for details on the new section.
2024-09-06 11:15:45 +02:00
Lennart Poettering
c334b9912a uki: add new ".profile" PE section type
This is the most basic preparatory work for supporting multi-profile
UKIs.

(This temporarily drops an assert_cc() check which we'll address in the
next commit)
2024-09-06 11:15:06 +02:00
Yu Watanabe
195bb6f97e network/route: ignore EEXIST reply when the corresponding request is already detached
Follow-ups for db8dc7c1dd.
Fixes #34275.
2024-09-06 16:07:25 +09:00
Daan De Meyer
b798f658a2
Merge pull request #34278 from yuwata/timesync-log
timesync: downgrade log level for several messages
2024-09-06 08:09:56 +02:00
Daan De Meyer
c81c2ed1eb
Merge pull request #34280 from yuwata/cleanups
tree-wide: trivial cleanups
2024-09-06 08:08:56 +02:00
Yu Watanabe
204529d0fc tree-wide: check if non-empty password is acquired 2024-09-06 15:00:32 +09:00
Yu Watanabe
623a8b1922 ask-password: refuse empty password strv
Fixes #34270.
2024-09-06 14:58:46 +09:00
Yu Watanabe
20040416e9 sd-netlink: fix typo
Fixes #34273.
2024-09-06 07:37:13 +02:00
Yu Watanabe
efedb6b0f3 nspawn: refuse to bind mount device node from host when --private-users= is specified
Also do not chown if a device node is bind-mounted.

Fixes #34243.
2024-09-06 13:28:17 +09:00
Yu Watanabe
48878074d6 test: add test cases for --volatile= with -U
For issue #34254.
2024-09-06 13:24:36 +09:00
Yu Watanabe
025be2361b nspawn: only remount /usr/ with idmap when --volatile=yes
The root directory is already mounted with a picked UID shift, hence
it is not necessary to remount with idmap. However, /usr/ is a bind-mount,
hence it must be remounted with idmap.

With this change, now '-U --volatile=yes' works fine.

Fixes #34254.
2024-09-06 13:24:12 +09:00
Yu Watanabe
2c2511aa73 nspawn: mount /var/ after remount_idmap() when --volatile=state
Previously, remount_idmap() failed as /var/ was already mounted, thus
remounting (strictly speaking, unmounting old root directory) failed
with -EBUSY.

As tmpfs /var/ is mounted with picked UID shift, it should not be
remounted with idmap, but needs to be mounted after the root directory
being remounted.

This makes '-U --volatile=state' work as expected.
2024-09-06 13:22:26 +09:00
Yu Watanabe
21cd84df69 nspawn: use strv_extend() and friends to build directories passed to remount_idmap()
No functional change, just refactoring and preparation for later change.
2024-09-06 13:13:15 +09:00
Yu Watanabe
31a9aedf03 test: fix copy-and-paste error in comment 2024-09-06 13:10:19 +09:00
Yu Watanabe
0e40a26341 nspawn: fix indentation 2024-09-06 13:10:04 +09:00
Yu Watanabe
fe7a126ce8 base-filesystem: use FOREACH_ELEMENT() 2024-09-06 13:09:36 +09:00
Yu Watanabe
dd86e6c45c mount-util: wrap long line 2024-09-06 13:09:36 +09:00
Yu Watanabe
74fe65480c
Merge pull request #34203 from yuwata/network-conf-parser
network: several cleanups for conf parser
2024-09-06 13:07:39 +09:00
Yu Watanabe
03ec7311f1
Merge pull request #34267 from DaanDeMeyer/script
mkosi: Install util-linux-script on Rawhide
2024-09-06 10:43:04 +09:00
Yu Watanabe
dd1de202d7 network/address: use log_section_warning() 2024-09-06 10:38:57 +09:00
Yu Watanabe
c6f2197fcf network/address: use generic section parser more
This also
- rename variable n -> address,
- use log_syntax_parse_error() where applicable,
- add one more assertion for lvalue in config_parse_address().
2024-09-06 10:38:15 +09:00
Yu Watanabe
6cf41d4603 network/address: introduce generic config parser for [Address] section
Then, use generic conf parsers defined in conf-parser.[ch].
2024-09-06 10:37:23 +09:00
Yu Watanabe
174c5c5f06 firewall-util: several cleanups for config_parse_nft_set()
- use log_syntax_parse_error(),
- return 1 on success,
- drop unnecessary or redundant assertions,
- add missing log_oom().
2024-09-06 10:35:02 +09:00
Yu Watanabe
ff616da459 conf-parser: introduce config_parse_uint32_invert_flag()
It is similar to config_parse_uint32_flag(), but drops the specified flag
when true.
2024-09-06 10:35:02 +09:00
Yu Watanabe
c2e8e1f020 network: align table in network-gperf 2024-09-06 10:35:02 +09:00
Yu Watanabe
e208fad798 network/address-label: use log_section_warning_errno() 2024-09-06 10:35:02 +09:00
Yu Watanabe
934cf1c06b network/address-label: introduce generic conf parser for [IPv6AddressLabel] section
This also
- renames n -> label,
- use log_syntax_parse_error().

No functional change, just refactoring.
2024-09-06 10:34:53 +09:00
Yu Watanabe
152b8a4e71 conf-parser: introduce config section parser wrapper
It will be used later.
2024-09-06 10:33:05 +09:00
Bastien Nocera
5a11437e2e hwdb: Mark Apple Wireless keyboards as not having NumLock LED
Mark those Apple Wireless keyboards as not having a NumLock key:
https://en.wikipedia.org/wiki/Apple_Wireless_Keyboard

You can see that they don't have a NumLock LED because they didn't even
have a NumLock in the first place:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fea6fe7d5ef1b5fa5f78048d4729f85181c04ca
2024-09-06 10:22:43 +09:00
Yu Watanabe
b9f208643b timesync: make manager_is_connected() static 2024-09-06 10:21:07 +09:00
Yu Watanabe
c58f4100cc timesync: downgrade log level about network configuration change
These message may be unnecessarily shown multiple times when e.g.
networkd is restarted, system is wakeup from suspend, and so on.

Closes #34262.
2024-09-06 10:20:48 +09:00
Yu Watanabe
ccd62e6d4d
Merge pull request #34155 from poettering/gmtime-safe
handle gmtime_r() errors more robustly
2024-09-06 09:07:48 +09:00
A. Wilcox
d0e11b9e17 basic: Include <sys/file.h> for LOCK_* constants
This is needed to ensure LOCK_{EX,SH} are defined in certain
environments, including uclibc-ng and musl libc.
2024-09-06 08:37:25 +09:00
Yu Watanabe
a00006861b
Merge pull request #34261 from yuwata/repart-seed-random
repart: initialize seed earlier
2024-09-06 08:30:12 +09:00
A. Wilcox
79f0e94e27 edit-util: EditFileContext: avoid reserved 'stdin'
The identifier 'stdin' is reserved in C.  It can be #defined to any
statement that evaluates to a FILE*.  We do not want that for our field,
so change to a more descriptive name.
2024-09-06 08:29:45 +09:00
Peter Rajnoha
cbe65d38cf udev: allow persistent storage rules for rbd devices
The RADOS Block Device (rbd) can be used as any other block device with
further layers on top of it, hence allow the common persistent storage
rules to apply, including watching for changes.
2024-09-06 08:26:44 +09:00
Daan De Meyer
31e7a37480 mkosi: Remove rpm workaround
rpm 4.19.93 (4.20 rc) is in rawhide so let's drop the workaround.
2024-09-05 18:45:52 +02:00
Daan De Meyer
4eae2be0d7 mkosi: Install util-linux-script on Rawhide
It's now subpackaged so we can build images without pulling in
libutempter but we use script in the testsuite so let's install the
subpackage.
2024-09-05 18:38:33 +02:00