1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-22 17:35:35 +03:00
Commit Graph

70725 Commits

Author SHA1 Message Date
Lennart Poettering
b45f47aaad
Merge pull request #30968 from poettering/per-user-creds
per-user encrypted credentials
2024-01-31 09:47:12 +01:00
Franck Bui
d537bf72ae meson: fix installation of html doc aliases
Apparently since 9289e093ae, "ln_s" takes
*absolute* paths only.
2024-01-30 17:56:48 +00:00
Frantisek Sumsal
62670a7752 meson: don't install broken tmpfiles config with sshd?confdir == 'no'
20-systemd-ssh-generator.conf expands SSHCONFDIR, which is bogus when we
build with -Dsshconfdir=no. Similarly, avoid expanding SSHDCONFDIR in
20-systemd-userdb.conf when building with -Dsshconfdir=no.

Follow-up 6c7fc5d5f2.
2024-01-30 17:56:21 +00:00
Frantisek Sumsal
cb3244c0dc test: explicitly set nsec3-iterations to 0
knot v3.2 and later does this by default. knot v3.1 still has the default set to
10, but it also introduced a warning that the default will be changed to 0 in
later versions, so it effectively complains about its own default, which then
fails the config check. Let's just set the value explicitly to zero to avoid
that.

~# knotc --version
knotc (Knot DNS), version 3.1.6
~# grep nsec3-iterations test/knot-data/knot.conf || echo nope
nope
~# knotc -c /build/test/knot-data/knot.conf conf-check
warning: config, policy[auto_rollover_nsec3].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
Configuration is valid

Follow-up to 0652cf8e7b.
2024-01-30 17:53:10 +00:00
Adrian Vovk
4cb2e6af8d
core: Fail to start/stop/reload unit if frozen
Previously, unit_{start,stop,reload} would call the low-level cgroup
unfreeze function whenever a unit was started, stopped, or reloaded. It
did so with no error checking. This call would ultimately recurse up the
cgroup tree, and unfreeze all the parent cgroups of the unit, unless an
error occurred (in which case I have no idea what would happen...)

After the freeze/thaw rework in a previous commit, this can no longer
work. If we recursively thaw the parent cgroups of the unit, there may
be sibling units marked as PARENT_FROZEN which will no longer actually
have frozen parents. Fixing this is a lot more complicated than simply
disallowing start/stop/reload on a frozen unit

Fixes https://github.com/systemd/systemd/issues/15849
2024-01-30 11:18:16 -05:00
Adrian Vovk
16b6af6ade
core: Rework recursive freeze/thaw
This commit overhauls the way freeze/thaw works recursively:

First, it introduces new FreezerActions that are like the existing
FREEZE and THAW but indicate that the action was initiated by a parent
unit. We also refactored the code to pass these FreezerActions through
the whole call stack so that we can make use of them. FreezerState was
extended similarly, to be able to differentiate between a unit that's
frozen manually and a unit that's frozen because a parent is frozen.

Next, slices were changed to check recursively that all their child
units can be frozen before it attempts to freeze them. This is different
from the previous behavior, that would just check if the unit's type
supported freezing at all. This cleans up the code, and also ensures
that the behavior of slices corresponds to the unit's actual ability
to be frozen

Next, we make it so that if you FREEZE a slice, it'll PARENT_FREEZE
all of its children. Similarly, if you THAW a slice it will PARENT_THAW
its children.

Finally, we use the new states available to us to refactor the code
that actually does the cgroup freezing. The code now looks at the unit's
existing freezer state and the action being requested, and decides what
next state is most appropriate. Then it puts the unit in that state.
For instance, a RUNNING unit with a request to PARENT_FREEZE will
put the unit into the PARENT_FREEZING state. As another example, a
FROZEN unit who's parent is also FROZEN will transition to
PARENT_FROZEN in response to a request to THAW.

Fixes https://github.com/systemd/systemd/issues/30640
Fixes https://github.com/systemd/systemd/issues/15850
2024-01-30 11:18:15 -05:00
Lennart Poettering
4d8f4e02ba
Merge pull request #31109 from yuwata/nspawn-resolve-network-interface-before-move
nspawn: resolve network interface names before move to container namespace
2024-01-30 17:09:11 +01:00
Lennart Poettering
f669b6e7bb
Merge pull request #31120 from YHNdnzj/strv-env-non-pure
env-util: drop _pure_ for strv_env_get_n
2024-01-30 17:08:49 +01:00
Lennart Poettering
f65d44d1f6
Merge pull request #31124 from keszybz/various-small-tweaks
Various small tweaks
2024-01-30 17:08:21 +01:00
Lennart Poettering
fd40e7da6e update TODO 2024-01-30 17:07:47 +01:00
Lennart Poettering
7704c3474d man: document new user-scoped credentials 2024-01-30 17:07:47 +01:00
Lennart Poettering
6ab41e38e9 test: add integration test for per-user creds 2024-01-30 17:07:47 +01:00
Lennart Poettering
19f16c9935 creds: go via IPC service when unprivileged and trying to access services
Fixes: #30191
2024-01-30 17:07:47 +01:00
Lennart Poettering
2c3cbc5c01 creds-util: add IPC client wrapper for new varlink apis 2024-01-30 17:07:47 +01:00
Lennart Poettering
8464f7cbd6 creds: allow Varlink clients to encrypt/decrypt their own credentials without polkit authentication
Now that we have the concept of scoped credentials, we can allow
unprivileged clients to encrypt/decrypt them as longed as they are
scoped to them.
2024-01-30 17:07:47 +01:00
Lennart Poettering
c85b68f630 creds-tool: add --user/--uid= to operate with scoped credentials 2024-01-30 17:07:47 +01:00
Lennart Poettering
48d67957d5 creds-util: add a concept of "user-scoped" credentials
So far credentials are a concept for system services only: to encrypt or
decrypt credential you must be privileged, as only then you can access
the TPM and the host key.

Let's break this up a bit: let's add a "user-scoped" credential, that
are specific to users. Internally this works by adding another step to
the acquisition of the symmetric encryption key for the credential: if a
"user-scoped" credential is used we'll generate an symmetric encryption
key K as usual, but then we'll use it to calculate

    K' = HMAC(K, flags || uid || machine-id || username)

and then use the resulting K' as encryption key instead. This basically
includes the (public) user's identity in the encryption key, ensuring
that only if the right user credentials are specified the correct key
can be acquired.
2024-01-30 17:07:47 +01:00
Lennart Poettering
740b7870c9
Merge pull request #31121 from YHNdnzj/notify-man
notify: a few cleanups
2024-01-30 17:04:31 +01:00
Lennart Poettering
ee5252f854
Merge pull request #31126 from poettering/sleep-error-msg
sleep: change log level of some log messages
2024-01-30 17:04:15 +01:00
Yu Watanabe
613d953988 varlink: add short comment that the log message is checked in test
Follow-up for 038e455462.
2024-01-30 15:41:52 +00:00
Luca Boccassi
9c41e4eb2f socket-util: check for sysconf() error before using value
Otherwise -1 will be casted to uint32_t. Found by coverity.

CID#1533989

Follow-up for 7e8aa5c2ee
2024-01-30 15:19:16 +00:00
Antonio Alvarez Feijoo
0fa25bd5f4 conf-parser: fix OOM check 2024-01-30 12:46:24 +00:00
Yu Watanabe
a342d9e087 nspawn: resolve network interface names before moving to container network namespace
To escape a kernel issue fixed by
8e15aee621,
let's resolve provided interface names earlier, and adjust the interface
name pairs with the result.

Fixes #31104.
2024-01-30 20:37:13 +09:00
Yu Watanabe
3652891c39 sd-device: use new interface name resolvers 2024-01-30 20:37:13 +09:00
Yu Watanabe
4e235561d6 sd-netlink: unify network interface name getter and resolvers
This makes rtnl_resolve_interface() always check the existence of the
resolved interface, which previously did not when a decimal formatted
ifindex is provided, e.g. "1" or "42".
2024-01-30 20:37:04 +09:00
Lennart Poettering
e7be86519d sleep: upgrade fatal log message to LOG_ERR 2024-01-30 11:32:56 +01:00
Lennart Poettering
75d2752814 sleep: upgrade some unexpected errors to LOG_WARNING log messages 2024-01-30 11:32:41 +01:00
Lennart Poettering
b782080b7a sleep: remove redundant debug log message 2024-01-30 11:31:56 +01:00
Lennart Poettering
032bf2da46 sleep: add mising error message 2024-01-30 11:31:36 +01:00
Zbigniew Jędrzejewski-Szmek
8835a6ff0c man/networkd.conf: remove strange comment
Does anyone even read those pages‽
2024-01-30 11:27:31 +01:00
Zbigniew Jędrzejewski-Szmek
9af1281ed7 pstore: align table 2024-01-30 10:11:30 +01:00
Zbigniew Jędrzejewski-Szmek
e9dc98c56b journald: inline one variable declaration 2024-01-30 10:11:30 +01:00
Zbigniew Jędrzejewski-Szmek
2673d6fae0 shared/pretty-print: inline one more variable declaration 2024-01-30 10:11:30 +01:00
Zbigniew Jędrzejewski-Szmek
f3663c0ec9 shared/pretty-print: use normal else-if cascade
This is not a hot path, but it seems silly to evalute subsequent branches,
which can never match once one has matched. Also, it makes the code harder to
read, because the reader has to first figure out that only one branch can
match.
2024-01-30 10:11:30 +01:00
Zbigniew Jędrzejewski-Szmek
e1054a8bcd bsod: do not use STRLEN
The compiler optimizes strlen away, so we can use the simplest form that is
type safe and more natural. STRLEN is only for array initialization.
2024-01-30 10:11:07 +01:00
Zbigniew Jędrzejewski-Szmek
534fc25ad9 basic/alloc-util: drop unnecessary parens
By definition, a parameter cannot contain a comma because commas
are used to delimit parameters. So we also don't need to use parens
when the use site is delimited by commas.
2024-01-30 10:06:44 +01:00
Mike Yuan
70e80269aa
env-util: drop _pure_ for strv_env_get_n
This function calls getenv() internally, making it
non-pure, as envvars can change between two calls
even if passed arguments are the same.
2024-01-30 03:30:02 +08:00
Mike Yuan
17ca151733
env-util: don't use strlen_ptr if known non-NULL 2024-01-30 03:29:53 +08:00
Mike Yuan
ed5f10973b
notify: warn if notify msg specified along with --booted 2024-01-30 03:28:57 +08:00
Mike Yuan
953134a585
notify: don't exit silently when --exec but no msg
Before this commit, if --exec is used but no message shall
be sent, we silently ignore --exec and exit, which is pretty
surprising. Therefore, let's emit clear error instead.
2024-01-30 03:28:16 +08:00
Mike Yuan
5d4cf5a87d
man/systemd-notify: don't say "the latter" if more than 2 options 2024-01-30 03:27:36 +08:00
Mike Yuan
a3158ff36e
notify: if execve() failed, always show original error 2024-01-30 03:27:36 +08:00
Mike Yuan
7e26863e9c
notify: deduplicate ppid handling 2024-01-30 03:27:35 +08:00
Mike Yuan
08ba0a951c
notify: minor modernizations 2024-01-30 03:27:35 +08:00
Luca Boccassi
17f3e91e81
Merge pull request #31106 from poettering/bus-creds-pidref
sd-bus: port "sd_bus_creds" object to pidfds and use it everywhere
2024-01-29 19:19:17 +00:00
Lennart Poettering
c496e5f67f update TODO 2024-01-29 14:43:22 +01:00
Lennart Poettering
a667107594 man: document the new APIs 2024-01-29 14:43:05 +01:00
Lennart Poettering
4ac08d8ad6 tree-wide: port various things over to new pidref helpers
THis not only mkaes a lot of code shorter, but also safer, as we pin the
clients via a pidfd.
2024-01-29 14:42:59 +01:00
Lennart Poettering
1b78be0bb5 bus-util: add helper for getting PidRef structs from bus
This adds two helpers: one for extracting a PidRef from an sd_bus_creds
object, and one from doing this from and sd_bus_message object.
2024-01-29 14:42:42 +01:00
Lennart Poettering
75e00d5e32 sd-bus: tighten rules on sd_bus_query_sender_creds() a bit
Let's always derive credentials from a bus name or a conneciton fd if we
can, because they pin things.

Let's not go via PID really, because it's always racy to do so.

Note that this doesn't change much, since we wouldn't use such augmented
data for auth anyway (because it will be masked in the
sd_bus_creds.augmented mask as untrusted). But still, let's prefer
trusted data over untrusted data.
2024-01-29 14:42:37 +01:00