mirror of https://github.com/systemd/systemd.git synced 2024-12-25 01:34:28 +03:00
Commit Graph

48383 Commits

Author SHA1 Message Date
Lennart Poettering
d2fafc423d cryptenroll: support listing and wiping tokens 2020-12-17 20:01:52 +01:00
Lennart Poettering
5e521624f2 cryptenroll: add support for TPM2 enrolling 2020-12-17 20:01:31 +01:00
Lennart Poettering
2d64d2b955 json: add APIs for quickly inserting hex blobs as JSON strings
This is similar to the base64 support, but fixed-size hash values are
typically preferably presented as series of hex values, hence store them
here like that too.
2020-12-17 20:01:17 +01:00
Lennart Poettering
1403d48d61 sort-util: make cmp_int() generic, so that we can reuse it elsewhere 2020-12-17 20:01:02 +01:00
Lennart Poettering
8710a6818e cryptenroll: add new "systemd-cryptenroll" tool for enrolling FIDO2+PKCS#11 security tokens 2020-12-17 20:00:51 +01:00
Lennart Poettering
2bc5c425e6 cryptsetup: add fido2 support 2020-12-17 20:00:41 +01:00
Lennart Poettering
e3fb662b67 fido2: don't use up/uv/rk when device doesn't support it
Apparently devices are supposed to generate failures if we try to turn
off features they don't have. Thus don't.

Prompted-by: https://github.com/systemd/systemd/issues/17784#issuecomment-737730395
2020-12-17 20:00:27 +01:00
Lennart Poettering
ebcb3f38d2 homed: split out HMAC-HASH fido2 decode code into src/shared/
That way we can use it later on in systemd-cryptsetup to unlock devices
with FIDO2 tokens.
2020-12-17 20:00:15 +01:00
Lennart Poettering
17599e129b homed: move fido2 setup code to src/shared/
That way we can reuse it from systemd-cryptenroll
2020-12-17 20:00:03 +01:00
Lennart Poettering
fb2d839c06 homed: move fido2 device enumeration logic to shared code 2020-12-17 19:59:50 +01:00
Lennart Poettering
69cb28965b homed: turn libfido2 into a dlopen() type dependency 2020-12-17 19:59:32 +01:00
Lennart Poettering
b8c80b56d1 cryptsetup: split up attach_luks_or_plain_or_bitlk() into smaller functions
Just some refactoring.
2020-12-17 19:59:28 +01:00
Lennart Poettering
b997d1115b cryptsetup: read PKCS#11 key and token info from LUKS2 metadata
Optionally, embed PKCS#11 token URI and encrypted key in LUKS2 JSON
metadata header. That way it becomes very easy to unlock properly set up
PKCS#11-enabled LUKS2 volumes, a simple /etc/crypttab line like the
following suffices:

    mytest /dev/disk/by-partuuid/41c1df55-e628-4dbb-8492-bc69d81e172e - pkcs11-uri=auto

Such a line declares that unlocking via PKCS#11 shall be attempted, and
the token URI and the encrypted key shall be read from the LUKS2 header.
An external key file for the encrypted PKCS#11 key is hence no longer
necessary, nor is specifying the precise URI to use.
2020-12-17 19:59:24 +01:00
Lennart Poettering
d3ad474f0c cryptsetup: be more careful with erasing key material from memory 2020-12-17 19:59:20 +01:00
Lennart Poettering
8414cd48e9 cryptsetup: split code that allocates udev security device monitor into its own function 2020-12-17 19:59:17 +01:00
Lennart Poettering
4760384d53 cryptsetup-util: add helper for setting minimal PBKDF 2020-12-17 19:59:04 +01:00
Lennart Poettering
4098bc134e cryptsetup-util: add helper call for extracting/parsing token JSON 2020-12-17 19:58:52 +01:00
Lennart Poettering
f240cbb645 homed: move code to list and resolve "auto" pkcs#11 URL into common code
That way we can reuse it from systemd-cryptenroll.
2020-12-17 19:58:39 +01:00
Lennart Poettering
d041e4fc4a homed: split out code that determines suitable LUKS passphrase size from RSA key
We can use this in cryptenroll later on, hence let's make this generic.
2020-12-17 19:58:26 +01:00
Lennart Poettering
2289a78473 homed: move pkcs11 LUKS glue into shared code
That way we can later reuse it from cryptsetup/cryptenroll too.
2020-12-17 19:58:14 +01:00
Lennart Poettering
f2d5df8a30 homed: move helper calls for RSA encryption to shared code 2020-12-17 19:57:57 +01:00
Lennart Poettering
73d874bacd homed: move homectl's recovery key generation/modhex code to src/shared/
This allows us to later reuse the code to generate recovery keys for
traditional LUKS volumes, too and share the code.
2020-12-17 19:57:18 +01:00
Lennart Poettering
95231c7215 test: fix fd_is_mount_point() check
So the current and only fd_is_mount_point() check is actually entirely
bogus: it passes "/" as filename argument, but that's not actually
a valid filename, but an absolute path.

fd_is_mount_point() is written in a way that the fd refers to a directory
and the specified path is a file directly below it that shall be
checked. The test call actually violated that rule, but still expected
success.

Let's fix this, and check for this explicitly, and refuse it.

Let's extend the test and move it to test-mountpoint-util.c where the
rest of the tests for related calls are placed.

Replaces: #18004
Fixes: #17950
2020-12-17 19:29:24 +01:00
Lennart Poettering
8b08be4052 tree-wide: suggest meson command lines instead of ninja ones
This only changes documentation. In various places we call "ninja"
directly. I figured it would be safer to leave those in place for now,
given the meson replacement command lines appear to be supported in
newer meson versions only.
2020-12-17 16:51:48 +01:00
Zbigniew Jędrzejewski-Szmek
68f18549c5
Merge pull request #18001 from systemd/wip/hadess/unsupported-dmi
meson: Disable dmi_memory_id on arches without DMI
2020-12-17 09:16:33 +01:00
Lennart Poettering
ddbf960574 terminal-util: use 256 color mode for PID 1 output, too
Follow-up for: #17702

Also, see earlier review comment: https://github.com/systemd/systemd/pull/17702#pullrequestreview-552329600
2020-12-17 09:15:26 +01:00
Frantisek Sumsal
0ce96f4152
Merge pull request #17998 from mrc0mmand/qemu-drop-trailing-whitespace
test: drop the trailing whitespace from the QEMU version check
2020-12-16 23:48:17 +01:00
Lennart Poettering
e4dde4e87d
Merge pull request #17702 from rnhmjoj/master
Extend $SYSTEMD_COLORS to switch colors mode
2020-12-16 19:26:40 +01:00
Bastien Nocera
2bfb92a978 meson: Disable dmi_memory_id on arches without DMI 2020-12-16 19:21:19 +01:00
Lennart Poettering
a8af734e75
Merge pull request #17026 from fw-strlen/nft_16
add networkd/nspawn nftables backend
2020-12-16 19:18:22 +01:00
Bastien Nocera
2f1bcc4d4d meson: Split off udev helper programs array 2020-12-16 18:43:26 +01:00
Bastien Nocera
4dd465cb4e udev: Extract RAM properties from DMI information
Add memory_id program to set properties about the physical memory
devices in the system. This is useful on machines with removable memory
modules to show how the machine can be upgraded, and on all devices to
detect the actual RAM size, without relying on the OS accessible amount.

Closes: #16651
2020-12-16 18:32:29 +01:00
Yu Watanabe
84a1ff9457 tree-wide: fix typo 2020-12-16 18:30:15 +01:00
Zbigniew Jędrzejewski-Szmek
ac5644635d test-login: skip consistency checks when logind is not active
There are two ways in which sd_login_* functions acquire data:
some are derived from the cgroup path, but others use the data serialized
by logind.

When the tests are executed under Fedora's mock, without systemd-nspawn
but instead in a traditional chroot, test-login gets confused:
the "outside" cgroup path is visible, so sd_pid_get_unit() and
sd_pid_get_session() work, but sd_session_is_active() and other functions
that need logind data fail.

Such a buildroot setup is fairly bad, but it can be encountered in the wild, so
let's just skip the tests in that case.

/* Information printed is from the live system */
sd_pid_get_unit(0, …) → "session-237.scope"
sd_pid_get_user_unit(0, …) → "n/a"
sd_pid_get_slice(0, …) → "user-1000.slice"
sd_pid_get_session(0, …) → "237"
sd_pid_get_owner_uid(0, …) → 1000
sd_pid_get_cgroup(0, …) → "/user.slice/user-1000.slice/session-237.scope"
sd_uid_get_display(1000, …) → "(null)"
sd_uid_get_sessions(1000, …) → [0] ""
sd_uid_get_seats(1000, …) → [0] ""
Assertion 'r >= 0' failed at src/libsystemd/sd-login/test-login.c:104, function test_login(). Aborting.
2020-12-16 18:22:32 +01:00
Devon Pringle
221019166f networkd: handle ignoring ll gateway being link ll
In the event where network discovery gets a route with the gateway being
the interfaces local link address, networkd will fail the interface.

systemd-networkd[44319]: br_lan: Configuring route: dst: fdcd:41a4:5559:ec03::/64, src: n/a, gw: fe80::e4da:7eff:fe77:5c5e, prefsrc: n/a, scope: global, table: main, proto: ra, type: unicast
systemd-networkd[44319]: br_lan: Could not set NDisc route or address: Gateway can not be a local address. Invalid argument
systemd-networkd[44319]: br_lan: Failed
systemd-networkd[44319]: br_lan: State changed: configuring -> failed

This patch, instead of allowing the interface to fail, will instead log
the event and skip setting the route.
2020-12-16 17:56:01 +01:00
Zbigniew Jędrzejewski-Szmek
199f75205b
Merge pull request #17799 from yuwata/oss-fuzz-25353
logs-show: skip non-utf8 name entries
2020-12-16 17:52:35 +01:00
Luna Jernberg
91174d2803 Translated using Weblate (Swedish)
Currently translated at 67.3% (126 of 187 strings)

Co-authored-by: Luna Jernberg <bittin@reimu.nl>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/master/sv/
Translation: systemd/master
2020-12-16 17:27:22 +01:00
Yu Watanabe
24ee0f9d16 tree-wide: fix typo 2020-12-16 17:21:48 +01:00
Yu Watanabe
ecfbbf098c
Merge pull request #17859 from keszybz/hostnamed-export-hostname-origin-and-simplify-logic
Export hostname origin and simplify logic in hostnamed
2020-12-17 00:55:49 +09:00
Frantisek Sumsal
26b127245a test: s/MUMA/NUMA/ 2020-12-16 16:38:44 +01:00
Frantisek Sumsal
f26d091460 test: drop the trailing whitespace from the QEMU version check
I suspect the original version of the regex was written on a system,
which prints both the QEMU version and the QEMU package version in the
--version output, like Fedora:

$ /bin/qemu-system-x86_64 --version
QEMU emulator version 4.2.1 (qemu-4.2.1-1.fc32)
Copyright (c) 2003-2019 Fabrice Bellard and the QEMU Project developers

However, Arch Linux prints only the QEMU version:
$ /bin/qemu-system-x86_64 --version
QEMU emulator version 5.2.0
Copyright (c) 2003-2020 Fabrice Bellard and the QEMU Project developers

This causes the awk regex to not match the version string, since there's
no whitespace after it, causing the version check to fail (as well as
TEST-36-NUMAPOLICY).

Follow-up for 43b49470d1.
2020-12-16 16:38:26 +01:00
Susant Sahani
b43dfb6e6e sd-netlink: routing policy rule port to fib_rule_hdr 2020-12-17 00:17:32 +09:00
Lennart Poettering
5777c6130b resolved: always take a timestamp when first seeing a packet
This is later useful if we want to adjust the TTLs of packets we want to
propagate to clients.
2020-12-16 14:20:49 +01:00
Dan Streetman
8bc63a0b13 sd-dhcp-client: fix renew/rebind timeout calculation to avoid infinite loop
unfortunately I missed adding the timeout to 'now' which results in
an endless loop of renewal timeouts.

Fixes: 3a23834d6b
2020-12-16 19:49:31 +09:00
Zbigniew Jędrzejewski-Szmek
60e4fb4240 hostnamed,shared/hostname-setup: expose the origin of the current hostname
In hostnamed this is exposed as a dbus property, and in the logs in both
places.

This is of interest to network management software and such: if the fallback
hostname is used, it's not as useful as the real configured thing. Right now
various programs try to guess the source of hostname by looking at the string.
E.g. "localhost" is assumed to be not the real hostname, but "fedora" is. Any
such attempts are bound to fail, because we cannot distinguish "fedora" (a
fallback value set by a distro), from "fedora" (received from reverse dns),
from "fedora" read from /etc/hostname.

/run/systemd/fallback-hostname is written with the fallback hostname when
either pid1 or hostnamed sets the kernel hostname to the fallback value. Why
remember the fallback value and not the transient hostname in /run/hostname
instead?
We have three hostname types: "static", "transient", "fallback".
– Distinguishing "static" is easy: the hostname that is set matches what
  is in /etc/hostname.
– Distinguishing "transient" and "fallback" is not easy. And the
  "transient" hostname may be set outside of pid1+hostnamed. In particular,
  it may be set by container manager, some non-systemd tool in the initramfs,
  or even by a direct call. All those mechanisms count as "transient". Trying
  to get those cases to write /run/hostname is futile. It is much easier to
  isolate the "fallback" case which is mostly under our control.
And since the file is only used as a flag to mark the hostname as fallback,
it can be hidden inside of our /run/systemd directory.

For https://bugzilla.redhat.com/show_bug.cgi?id=1892235.
2020-12-16 11:03:36 +01:00
Zbigniew Jędrzejewski-Szmek
d39079fcaa hostnamed: stop discriminating against "localhost" in /etc/hostname
We would sometimes ignore localhost-style names in /etc/hostname. That is
brittle. If the user configured some hostname, it's most likely because they
want to use that as the hostname. If they don't want to use such a hostname,
they should just not create the config. Everything becomes simpler if we just
use the configured hostname as-is.

This behaviour seems to have been a workaround for Anaconda installer and other
tools writing out /etc/hostname with the default of "localhost.localdomain".
Anaconda PR to stop doing that: https://github.com/rhinstaller/anaconda/pull/3040.
That might have been useful as a work-around for other programs misbehaving if
/etc/hostname was not present, but nowadays it's not useful because systemd
mostly controls the hostname and it is perfectly happy without that file.

Apart from making things simpler, this allows users to set a hostname like
"localhost" and have it honoured, if such a whim strikes them.
2020-12-16 11:02:18 +01:00
Zbigniew Jędrzejewski-Szmek
468695c8cd hostnamed: improve message about static hostname
"Changed static hostname to 'n/a'" is not very nice.
2020-12-16 11:02:18 +01:00
Zbigniew Jędrzejewski-Szmek
536970d4f9 hostnamed: minor style cleanups 2020-12-16 11:02:18 +01:00
Zbigniew Jędrzejewski-Szmek
efda832d4f hostnamed: when hostname is set to existing value, suppress notifications
When the hostname is set through network config or such, let's
optimize things a bit by suppressing the logs and dbus notifications.
2020-12-16 11:02:17 +01:00
Zbigniew Jędrzejewski-Szmek
39ede7cc37 shared/hostname-setup: leave the terminator byte alone
gethostname(3) says it's unspecified whether the string is properly terminated
when the hostname is too long. We created a buffer with one extra byte, and it
seems the intent was to let that byte serve as terminator even if we get an
unterminated string from gethostname().
2020-12-16 11:02:17 +01:00