1
0
mirror of https://github.com/systemd/systemd.git synced 2024-12-23 21:35:11 +03:00
Commit Graph

69976 Commits

Author SHA1 Message Date
Lennart Poettering
2a1ffd3e3a bus-polkit: port polkit_registry to use value destructors in hash_ops 2024-01-03 11:53:52 +01:00
Lennart Poettering
d04c1a1c8e bus-polkit: add support for authenticating varlink peers via polkit
This extends our current polkit logic, so that we can in a very similar
fashion as we already can authenticate dbus peers authenticate varlink
connection peers.

polkit natively speaks dbus and can authentication dbus peers. To get
the same level of support for varlink we'll use authentication by
pidfd+uid. This requires polkit v124, and if that's not available it
will fallback to authorizing root only as before.

Co-authored-by: Luca Boccassi <bluca@debian.org>
2024-01-03 11:53:29 +01:00
Mike Yuan
7c2e495c75
Merge pull request #30694 from yuwata/sd-netlink-move-macro-and-introduce-tos-getter
sd-netlink: two cleanups
2024-01-03 18:47:12 +08:00
Mike Yuan
f6ce1ad033
Merge pull request #30686 from poettering/uki-measured-check-imply-tpm2
efi-loader: when detecting if we are booted in UKI measured boot mode, imply a check for TPM2
2024-01-03 18:39:22 +08:00
Lennart Poettering
d4fee8941a confext: make sure we pick up configuration extensions passed to us from the stub
With fixes from Maanya Goenka.
2024-01-03 11:23:27 +01:00
Lennart Poettering
39e0c237f1 stub: pick up confexts from the ESP as well
This does what we do for system extension also for configuration
extension.

This is complicated by the fact that we previously looked for
<uki-binary>.d/*.raw for system extensions. We want to measure sysexts
and confexts to different PCRs (13 vs. 12) hence we must distinguish
them, but *.raw would match both kinds.

This commit solves this via the following mechanism: we'll load confexts
from *.confext.raw and sysexts from *.raw but will then enclude
*.confext.raw from the latter. This preserves compatibility but allows
us to somewhat reasonable distinguish both types of images.

The documentation is updated not going into this detail though, and
instead now claims that sysexts shall be *.sysext.raw and confexts
*.confext.raw even though we actually are more lenient than this. This
is simply to push people towards using the longer, more descriptive
suffixes.

I added an XML comment (<!-- … -->) about this to the docs, so that
whenever somebody notices the difference between code and docs
understands why and leaves it that way.
2024-01-03 10:38:34 +01:00
Yu Watanabe
dd8ab4a206 sd-dhcp-server: rename DHCPLease -> sd_dhcp_server_lease
Then, move basic functions for the object to sd-dhcp-server-lease.[ch].

No effective funcional changes.
2024-01-03 15:20:31 +09:00
Yu Watanabe
95c48613f4 sd-dhcp-server: use sd_dhcp_client_id 2024-01-03 15:20:31 +09:00
Rose
cb924b9b6a fundamental: prefer byte swap builtins over byte swapping manually
This builtin reduces complexity and GCC/Clang have supported these builtins for a long time.
2024-01-03 15:11:55 +09:00
Yu Watanabe
12fb1fc5dd
Merge pull request #30702 from yuwata/sd-dhcp-client-id
dhcp: introduce sd_dhcp_client_id and relevant functions
2024-01-03 15:10:46 +09:00
Yu Watanabe
778823fd52 backlight: supprt ID_LEDS_CLAMP udev property for leds subsystem devices
Closes #30507.
2024-01-03 09:30:41 +09:00
Yu Watanabe
e0feaedbd9 udev/dmi-memory-id: update table with latest SMBIOS specification
Closes #30699.
2024-01-03 08:43:17 +09:00
Yu Watanabe
7e08a337b2
Merge pull request #30700 from yuwata/storagetm-fixlets
storagetm: several trivial fixlets
2024-01-03 08:42:58 +09:00
Yu Watanabe
cb0a3b8c14 network/route: drop TTL propagate support for MPLS routes
This effectively reverts 9b88f20aba.

We do not support MPLS routes, only IPv4 or IPv6 routes are supported.
2024-01-03 08:41:53 +09:00
Yu Watanabe
6ba147485e network/queue: fix potential double-free on oom
Currently, link_queue_request_safe(), which is a wrapper of
request_new(), is called with a free function at
- link_request_stacked_netdev() at netdev/netdev.c,
- link_request_address() at networkd-address.c,
- link_request_nexthop() at networkd-nexthop.c,
- link_request_neighbor() at networkd-networkd.c.

For the netdev case, the reference counter of the passed object is increased
only when the function returns 1. So, on failure (with -ENOMEM)
previously we unexpectedly dropped the reference of the NetDev object.
Similarly, for Address and friends, the ownership of the object is moved to the
Request object only when the function returns 1. And on failure, previously
the object was freed twice.

Also, netdev_queue_request(), which is another wrapper of request_new()
potentially leaks memory when the same NetDev object is queued twice.
Fortunately, that should not happen as the function is called only once
per object.

This fixes the above issue, and now the ownership or the reference
counter of the object is changed only when it is succeeded with 1.
2024-01-03 08:41:36 +09:00
Yu Watanabe
ff49e703ff
Merge pull request #30691 from yuwata/resolve-ipv6
resolve: do not listen to IPv6 when disabled by sysctl
2024-01-03 08:41:14 +09:00
Frantisek Sumsal
995bf013a1 test: rewrite test-exec-deserialization.py
Rewrite the test in bash and make it part of our integration test suite,
so it's actually executed in all our upstream CI environments.

The original test is flaky in environments where daemon-reload might
occur during the test runtime (e.g. when running the test in parallel
with the systemd-networkd test suite). Also, it was run only in CentOS
CI in limited way (i.e. without sanitizers), since it tests the host's
systemd, instead of the just built one.

Resolves: #29943
2024-01-03 08:40:55 +09:00
Mike Yuan
0e3638380d various: unexport a few internal structs
We don't expose destructors for these internal structs already.
Let's make the struct itself implementation detail too.
2024-01-03 08:40:33 +09:00
Yu Watanabe
d59a2b3bf5 sd-dhcp-lease: use sd_dhcp_client_id 2024-01-03 06:06:39 +09:00
Yu Watanabe
1809132064 dhcp: move sd_dhcp_client_id_to_string() to sd-dhcp-client-id.[ch]
Then, this makes it take sd_dhcp_client_id object, and introduce
sd_dhcp_client_id_to_string_from_raw().
2024-01-03 06:06:36 +09:00
Yu Watanabe
6efa51f862 dhcp: introduce sd_dhcp_client_id and relevant functions
This splits out client ID handling from sd-dhcp-client.c to
sd-dhcp-client-id.[ch]. This will be used later in other places.
2024-01-03 06:06:34 +09:00
Mike Gilbert
049f178b80 storagetm: ensure we pass dev_t* to sd_device_get_devnum
On MIPS32 OABI, st_rdev is unsigned long, not dev_t. Use a temporary
variable to avoid an incompatible pointer.

Bug: https://bugs.gentoo.org/920576
Bug: https://sourceware.org/bugzilla/show_bug.cgi?id=21278
Fixes: https://github.com/systemd/systemd/issues/30626
2024-01-03 05:37:25 +09:00
Yu Watanabe
69f4a87c8c storagetm: fix use of wrong stat element 2024-01-03 05:19:00 +09:00
Yu Watanabe
30c1cded77 storagetm: always hash stat.st_mode
To make the hash function consistent with the compare function.
2024-01-03 05:07:43 +09:00
Yu Watanabe
f22b586a21 network/address: introduce address_remove_and_cancel()
Then, replace address_remove_and_drop() with it.

If an address is requested, and the request is already called,
we may not received its reply and notification from the kernel, and
the corresponding address object may not be remmbered. Even in such
case, we need to remove the address, otherwise the address will come
later after the function called.
2024-01-03 04:43:34 +09:00
Yu Watanabe
f1b73dbbc9 network/address: not necessary to remmber address before remove 2024-01-03 04:43:34 +09:00
Yu Watanabe
7f74b00ab0 network/address: make address_remove() take Link object that the address assigned to
No functional change. Preparation for later commits.
2024-01-03 04:43:34 +09:00
Yu Watanabe
5592608bdc test: update test case for failed udev event 2024-01-03 04:23:26 +09:00
Yu Watanabe
b16c6076cb udev: wait for an extra time before the manager kills workers
Otherwise, udev workers cannot detect slow programs invoked by
IMPORT{program}=, PROGRAM=, or RUN=, and whole worker process may be
killed.

Fixes #30436.

Co-authored-by: sushmbha <sushmita.bhattacharya@oracle.com>
2024-01-03 04:23:22 +09:00
Yu Watanabe
11706971e8 udev-spawn: skip executing RUN= if exec_delay= is too long
To prevent the worker process killed by the manager.
2024-01-03 04:23:18 +09:00
Yu Watanabe
406c96e329 udev-spawn: refuse to spawn commands if the event already takes too long
Also, calculate the timeout for warning based on the remaining time for
the timeout of the event, rather than the timeout itself.

Currently, udev manager kills the worker if the timeout exceeds. So,
this does not change anything except for the timing of the warning.

Just refactoring and preparation for later commits.
2024-01-03 04:23:12 +09:00
Yu Watanabe
ef4e0b7e4f sd-netlink: introduce sd_rtnl_message_route_set_tos()
We already have the getter for the parameter, but forgot to introduce the setter.
2024-01-03 04:21:51 +09:00
Yu Watanabe
8f8b39c86b sd-netlink: move definitions of RTA_TYPE() and RTA_FLAGS() to netlink-util.h 2024-01-03 04:21:28 +09:00
Yu Watanabe
6e6b59ed00 unit: order systemd-resolved after systemd-sysctl
Otherwise, IPv6 enable/disable setting may be changed after resolved is
started.
2024-01-03 04:07:15 +09:00
Yu Watanabe
a53082f07d resolve: do not listen to IPv6 when disabled by sysctl
Fixes #30669.
2024-01-03 04:03:30 +09:00
Yu Watanabe
e40a67809b
Merge pull request #30689 from mrc0mmand/even-more-cocci-tweaks
coccinelle: drop a couple of FIXMEs
2024-01-03 03:25:30 +09:00
Frantisek Sumsal
eddecf4f6c coccinelle: add a rule for in_addr_hash_func()
Follow-up for c01a5c0.
2024-01-02 19:12:05 +01:00
Frantisek Sumsal
cd4b16c082 coccinelle: drop a couple of FIXMEs
Turns out Coccinelle can handle compound literals just fine, the parsing
errors were caused by incorrectly parsed macros in code before the
literals, so let's just provide simplified versions for such macros.

The parsing error in `Type *foo[ELEMENTSOF(bar)] = {};` is actually
harmless; it occurs only when creating an array of pointers for a type
that's in an external header and it occurs only on the first parser's
pass, subsequent passes resolve the type correctly.

Also, unset ENABLE_DEBUG_HASHMAP, so Coccinelle doesn't expand the
hashmap debug macros.

As for the remaining FIXMEs, I opened a couple of issues in the
Coccinelle upstream to see if they can be fixed there (or at least
properly analyzed).
2024-01-02 19:12:05 +01:00
Lennart Poettering
35793c71e4 varlink: add two helpers for delayed processing of method calls
When we want to do Polkit authentication we want to temporarily pause
handling of a method call until we have the Polkit reply, and then start
again. Let's add some glue to make that easy. This adds two helpers:

varlink_dispatch_again() allows to ask for redispatching of the
currently queued incoming message. Usecase is this: if we don't process
a methd right away, we can come back later, and ask it to be processed
again with this function, in which case our handlers will be called a
2nd time, exactly like on the first time.

varlink_get_current_message() provides access to the currently processed
method call.

With this the polkit logic can look into the current message, do its
thing, and then restart the method handling.
2024-01-02 17:57:35 +01:00
Lennart Poettering
0eccf7259e varlink: add new helper varlink_get_peer_pidref() for getting PidRef of peer 2024-01-02 17:57:35 +01:00
Lennart Poettering
da5e0c442b socket-util: add helper for getting peer pidfd 2024-01-02 17:57:34 +01:00
Lennart Poettering
3dee63b762 process-util: add new pid{ref,}_get_start_time() helper
This also adds a test case that test pidref_safe_fork(), pidref_wait()
and related calls.
2024-01-02 17:57:34 +01:00
Lennart Poettering
f17132260f process-util: add pidref_safe_fork() helper
This combines safe_fork() with pidref_set_pid().

Eventually we really should switch this to use CLONE_PIDFD, but as that
is not wrapped by glibc yet, it's hard. But this is not crucial anyway,
as a child we just forked off can always safely be referenced also by
PID, given the reaping is under our own control.

A simple test case is added in a follow-up commit.
2024-01-02 17:57:34 +01:00
Lennart Poettering
a3f3243613 pidref: add helpers for waiting for pidref processes
A simple test case is added in a follow-up commit.
2024-01-02 17:57:34 +01:00
Lennart Poettering
9f32bb927c Revert "units: add ConditionSecurity=tpm2 to systemd-tpm2-setup units"
Now that the ConditionSecurity=uki-measured check is tighter we can drop
the explicit TPM2 check again.

This reverts commit aa735b0219.
2024-01-02 17:49:04 +01:00
Lennart Poettering
03d808c9f6 efi-loader: when detecting if we are booted in UKI measured boot mode, imply a check for TPM2
We simply don't carry any userspace support for TPM1.2 in our tree, and
we shouldn't given it's too weak by today's standards. Hence, if we
check if we are booted in UKI measured boot mode, don't just check if we
are booted in EFI, but also check that we have a TPM2 chip (as opposed
to none or only a TPM1.2 chip).

This is an alternative to #30652 but more comprehensive (and simpler),
since it covers all invocations of efi_measured_uki().

Fixes: #30650
Replaces: #30652
2024-01-02 17:48:53 +01:00
Luca Boccassi
c0d672f161
Merge pull request #30684 from systemd/update-labeler-configuration
ci: migrate labeler configuration to the new format
2024-01-02 13:24:48 +01:00
Frantisek Sumsal
b3fb73a5f2 ci: allow testing changes made to labeler configuration 2024-01-02 12:52:03 +01:00
Frantisek Sumsal
17b056a340 ci: use a boolean value for the boolean field
The issue[0] behind this workaround has been resolved[1], so we can set it
to a proper boolean field.

[0] https://github.com/systemd/systemd/issues/18671
[1] https://github.com/actions/labeler/pull/480
2024-01-02 12:42:03 +01:00
Frantisek Sumsal
d151d6ce6f ci: migrate labeler configuration to the new format
Turns out updating the labeler action is a bit annoying[0], so the
breaking change wasn't detected in the version bump PR.

[0] https://github.com/actions/labeler/#notes-regarding-pull_request_target-event

Follow-up to f88c9b0728.
2024-01-02 12:42:03 +01:00