1
0
mirror of https://github.com/systemd/systemd.git synced 2024-10-31 16:21:26 +03:00
Commit Graph

51726 Commits

Author SHA1 Message Date
Lennart Poettering
72c1542267 man: document that FIDO2 uv/up/clientPin feature support is now handled gracefully 2021-05-28 16:45:12 +02:00
Lennart Poettering
3cc00ba605 cryptsetup: revert to systemd 248 up/pin/uv FIDO2 settings when we don't have LUKS2 JSON data telling us the precise configuration
Let's improve compatibility with systemd 248 enrollments of FIDO2 keys:
if we have no information about the up/uv/pin settings, let's try to
determine them automatically, i.e. use up and pin if needed.

This only has an effect on LUKS2 volumes where a FIDO2 key was enrolled
with systemd 248 and thus the JSON data lacks the up/uv/pin fields. It
also matters if the user configured FIDO2 parameters explicitly via
crypttab options, so that the JSON data is not used.

For newer enrollments we'll stick to the explicit settings, as that's
generally much safer and robust.
2021-05-28 16:36:52 +02:00
Lennart Poettering
1ce8f69dbd fido2: properly handle case when no PINs are specified during auth
Also, drop redundant check for has_client_pin, which can never happen,
since we already filtered this case a bit further up.
2021-05-28 16:36:52 +02:00
Lennart Poettering
ec543d18d4 fido2: make misadvertised clientPin feature fatal
We need really need to trust the feature set, since we are about to set
it in stone storing the result in JSON, hence react a bit more allergic
about token that misadvertise the feature.

Note that I added this to be defensive, I am not aware any token that
actually misadvertises this. hence it should be safe to make this fatal,
and should this not work we can always revisit things.
2021-05-28 16:36:51 +02:00
Lennart Poettering
0735ed950a cryptenroll: handle FIDO2 tokens gracefully that lack requested features
Let's try to handle keys gracefully that do not implement all features
we ask for: simply turn the feature off, and continue.

This is in particular relevant since we enroll with PIN and UP by
default, and on devices that don't support that we should just work.

Replaces: #18509
2021-05-28 16:36:25 +02:00
Yu Watanabe
304e637c88
Merge pull request #19754 from yuwata/fix-coverity-issues-and-typo
Fix coverity issues and typo
2021-05-28 23:03:01 +09:00
Yu Watanabe
48008c1cbf tree-wide: fix typo 2021-05-28 19:52:12 +09:00
Yu Watanabe
7f1238bd04 basic/unit-file: fix use-after-free
This fixes a bug introduced by e8630e6952.

Fixes CID#1453292.
2021-05-28 19:48:38 +09:00
Yu Watanabe
a04842dfb2 network,sd-hwdb: voidify fchmod()
Fixes CID#1453294.
2021-05-28 19:41:07 +09:00
Yu Watanabe
50fd596efc path-util: add missing varargs cleanup
Fixes CID#1453293.
2021-05-28 19:38:37 +09:00
Lennart Poettering
18503cac41
Merge pull request #19485 from yuwata/path-util
path-util: introduce several path utilities and handle "." more gracefully
2021-05-28 09:31:06 +02:00
Yu Watanabe
cb71ed91f7 path-util: make path_simplify() use path_find_first_component() 2021-05-28 13:44:38 +09:00
Yu Watanabe
4ff361cc86 tree-wide: always drop unnecessary dot in path 2021-05-28 13:44:38 +09:00
Yu Watanabe
0195046449 path-util: make path_extract_filename/directory() handle "." gracefully
This makes the functions handle "xx/" and "xx/." as equivalent.
Moreover, now path_extract_directory() returns normalized path, that is
no redundant "/" or "/./" are contained.
2021-05-28 13:44:38 +09:00
Yu Watanabe
484cd43cae path-util: introduce path_find_last_component() 2021-05-28 13:44:38 +09:00
Yu Watanabe
15bac3e8fd path-util: use path_equal() in empty_or_root() 2021-05-28 13:44:38 +09:00
Yu Watanabe
39d7af99c2 fs-util: make chase_symlinks() use path_find_first_component()
The previous commit about path_compare() breaks chase_symlinks().
This commit fixes it.
2021-05-28 13:44:19 +09:00
Yu Watanabe
353df4438e path-util: make path_compare() and path_hash_func() ignore "."
This also makes path_compare() may return arbitrary integer as it now
simply pass the result of strcmp() or memcmp().

This changes the behavior of path_extract_filename/directory() when
e.g. "/." or "/./" are input. But the change should be desired.
2021-05-28 13:41:23 +09:00
Yu Watanabe
fe69c41ee8 path-util: use path_find_first_component() in path_make_relative()
This also makes the function checks the result is a valid path or not.
2021-05-28 13:41:23 +09:00
Yu Watanabe
63f11e354a path-util: use path_find_first_component() in path_startswith()
This makes path_startswith() stricter. If one of the path component in
arguments is longer than NAME_MAX, it returns NULL.
2021-05-28 13:41:23 +09:00
Yu Watanabe
0b8696256b path-util: use path_is_safe() in path_is_normalized() 2021-05-28 13:41:23 +09:00
Yu Watanabe
32df2e1447 path-util: introduce path_is_safe()
The function is similar to path_is_valid(), but it refuses paths which
contain ".." component.
2021-05-28 13:41:23 +09:00
Yu Watanabe
6636883564 path-util: use path_find_first_component() in path_is_valid() 2021-05-28 13:41:23 +09:00
Yu Watanabe
0ee54dd4e2 path-util: introduce path_find_first_component()
The function may be useful to iterate on each path component.
2021-05-28 13:41:23 +09:00
Yu Watanabe
340cd6b6f9 path-util: fix off by one issue to detect slash at the end in path_extend() 2021-05-28 13:41:23 +09:00
Dan Streetman
05575a104b test/networkd-test: in bridge test, wait for online after restart systemd-networkd
without waiting for online, there is a race condition between systemd-networkd
actually setting the new values and the test checking those values

This also sets the link down before restarting systemd-networkd, to avoid
the wait for online being a no-op
2021-05-28 12:26:33 +09:00
Peter Kjellerstedt
b2d7487071 meson: Correctly validate that prefix is a child of rootprefix
In commit d895e10a a test was introduced to validate that prefix is a
child of rootprefix. However, it only works when rootprefix is "/".
Since the test is ignored when rootprefix is equal to prefix, this is
only noticed if specifying both -Drootprefix= and -Dprefix=, e.g.:

  $ meson foo -Drootprefix=/foo -Dprefix=/foo/bar
  meson.build:111:8: ERROR: Problem encountered: Prefix is not below
  root prefix (now rootprefix=/foo prefix=/foo/bar)
2021-05-28 06:29:45 +09:00
Yu Watanabe
4e95bc56df
Merge pull request #19749 from poettering/path-extend
add path_extend() helper which is a like if path_join() and strextend() had a baby
2021-05-28 05:53:57 +09:00
Lennart Poettering
4ede980249 tree-wide: make use of path_extend() at many places
This is not a comprehensive port, but mostly some low-hanging fruit.
2021-05-27 17:05:38 +02:00
Lennart Poettering
7ae2768028 path-util: add path_extend(), inspired by strextend(), but using path_join() 2021-05-27 16:02:18 +02:00
Yu Watanabe
38dd7673b3
Merge pull request #19703 from yuwata/network-ndisc-valid-time
network: ndisc: always honor valid time
2021-05-27 18:42:31 +09:00
Yu Watanabe
facaf083f0
Merge pull request #19743 from yuwata/dhcpv4-static-leases
network: dhcp-server:  support static lease
2021-05-27 18:41:22 +09:00
Yu Watanabe
a19b1ac7c8 network: ndisc: update log message 2021-05-27 16:33:36 +09:00
Yu Watanabe
25db3aeaf3 network: ndisc: always honor valid time
See draft-ietf-6man-slaac-renum-02, section 4.2.
https://datatracker.ietf.org/doc/html/draft-ietf-6man-slaac-renum#section-4.2

Replaces #15260.
2021-05-27 16:33:33 +09:00
borna-blazevic
ffaece68bc test-network: add a testcase for DHCP static lease 2021-05-27 15:57:33 +09:00
borna-blazevic
c517a49bf7 network: dhcp-server: introduce [DHCPServerStaticLease] section 2021-05-27 15:51:26 +09:00
borna-blazevic
65a0ef2341 sd-dhcp-server: support static address to DHCPv4 offer 2021-05-27 15:15:27 +09:00
Yu Watanabe
e954939b9e
Merge pull request #19736 from poettering/udev-trigger-uuid
sd-device: add support for triggering devices with UUID support
2021-05-27 13:05:00 +09:00
Christian Hesse
9fff026d60 man: fix tag type
This is an option, not a command.
2021-05-27 12:50:57 +09:00
Lennart Poettering
74bbc85ca6 hash-func: change value type of string_hash_ops_free_free to void*
The generic string_hash_ops_free_free hash operations vtable currently
assumes the data pointer is of type char*. There's really no reason to
assume that though, we regularly store non-string data as value in a
hashmap. Hence, to accomodate for that, use void* as pointer for the
value (and keep char* for the key, as that's what
string_hash_ops_free_free is for, after all).
2021-05-26 21:44:36 +02:00
Lennart Poettering
730b9c1e14 udevadm: make use of the new uuid-enabled triggering for "udevadm trigger"
This adds two things:

- A new switch --uuid is added to "udevadm trigger". If specified a
  random UUID is associated with the synthettic uevent and it is printed
  to stdout. It may then be used manually to match up uevents as they
  propagate through the system.

- The UUID logic is now implicitly enabled if "udevadm trigger --settle"
  is used, in order to wait for precisely the uevents we actually
  trigger. Fallback support is kept for pre-4.13 kernels (where the
  requests for trigger uevents with uuids results in EINVAL).
2021-05-26 21:44:36 +02:00
Lennart Poettering
b485fd932a sd-device: add API for triggering synthetic uevents with UUID
Since kernel 4.13 the kerne allows passing a UUID to generated uevents.
Optionally do so via a new sd_device_trigger_with_uuid() call, and add
sd_device_get_trigger_uuid() as helper to retrieve the UUID from a
uevent we receive.

This is useful for tracking uevents through the udev system, and waiting
for specific triggers.

(Note that the 4.13 patch allows passing arbitrary meta-info into the
uevent as well. This does not add an API for that, because I am not
convinced it makes sense — as it conflicts with our general rule that
events are "stateless" if you so will — and it complicates the interface
quite a bit).

This replaces #13881 in a way, which added a similar infra, but which
stalled, and whose synchronous settling APIs are somewhat problematic
and probably not material to merge.
2021-05-26 21:44:36 +02:00
Lennart Poettering
6f75309295 man: document that it is guaranteed that generated ID128 are never all-zero or all-one
This is the case because the ID128 we generate are all marked as v4 UUID
which requires that some bits are zero and others are one. Let's
document this so that people can rely on SD_ID128_NULL being a special
value for "uninitialized" that is always distinguishable from generated
UUIDs.
2021-05-26 21:44:15 +02:00
Lennart Poettering
997c2d5625 update TODO 2021-05-26 21:42:44 +02:00
Lennart Poettering
83aab043d3
Merge pull request #19737 from poettering/default-specifiers-env
pid1: add specifier expansion for DefaultEnvironment=
2021-05-26 21:38:38 +02:00
Topi Miettinen
d8e3c31bd8 Mount all fs nosuid when NoNewPrivileges=yes
When `NoNewPrivileges=yes`, the service shouldn't have a need for any
setuid/setgid programs, so in case there will be a new mount namespace anyway,
mount the file systems with MS_NOSUID.
2021-05-26 17:42:39 +02:00
Lennart Poettering
aa6dc3ec33 man: fix list of escaped characters in unit names
The code works differently than the docs, and the code is right here.
Fix the doc hence.

See VALID_CHARS in unit-name.c for details about allowed chars in unit
names, but keep in mind that "-" and "\" are special, since generated by
the escaping logic: they are OK to show up in unit names, but need to be
escaped when converting foreign strings to unit names to make sure
things remain reversible.

Fixes: #19623
2021-05-26 17:27:24 +02:00
Lennart Poettering
36c357b486
Merge pull request #19729 from poettering/networkctl-netns-check
networkctl: check that client netns matches networkd netns
2021-05-26 17:26:34 +02:00
Lennart Poettering
46a9ee5d9b core: support specifier expansion in DefaultEnvironment= and ManagerEnvironment=
Strictly speaking adding this is a compatibility break, given that
previously % weren't special. But I'd argue that was simply a bug, as
for the much more prominent Environment= service setting we always
resolved specifiers, and DEfaultEnvironment= is explicitly listed as
being the default for that. Hence, let's fix that.

Replaces: #16787
2021-05-26 17:20:36 +02:00
Lennart Poettering
b3e22322b6 repart: resolve $TMP specifiers too
This might be useful for CopyFiles=, to reference some subdir of $TMP in
a generic way. This allows us to use the new common
system_and_tmp_specifier_table[].
2021-05-26 17:20:36 +02:00