1
0
mirror of https://github.com/systemd/systemd.git synced 2025-01-03 05:18:09 +03:00

Compare commits

...

97 Commits

Author SHA1 Message Date
Lennart Poettering
9db8c687f9 test: add CI test validating the new varlink interface and more 2024-12-20 23:14:45 +01:00
Lennart Poettering
f097a122a8 ask-password: add comment with well-known errors from ask_password_auto() 2024-12-20 23:14:45 +01:00
Lennart Poettering
a776781898 ask-password: add Varlink API for querying passwords from the user
This turns systemd-ask-password into a small Varlink service, so that
there's an standard IPC way to ask for a password. It mostly directly
exposes the functionality of the Varlink service.
2024-12-20 23:14:45 +01:00
Lennart Poettering
9ff99eb1e7 ask-password-api: add new "hup_fd" field to AskPasswordReq
This new field allows specification of an fd on which the password
prompt logic will look for POLLHUP events for, and if seen will abort
the query.

The usecase for this is that when we query for a pw on behalf of a
Varlink client we can abort the query automatically if the client dies.
2024-12-20 23:14:06 +01:00
Lennart Poettering
ebe40c02f8 ask-password-api: move timeout into AskPasswordRequest structure too 2024-12-20 23:14:06 +01:00
Lennart Poettering
187bfa7b0d ask-password-api: move tty_fd into AskPasswordRequest structure, too 2024-12-20 23:14:06 +01:00
Lennart Poettering
975301170f ask-password-api: move 'flag_file' from function parameter into AskPasswordRequest structure 2024-12-20 23:14:06 +01:00
Lennart Poettering
c4859de8dd ask-password-agent: send READY=1 when we established inotify watch 2024-12-20 23:14:06 +01:00
Lennart Poettering
fbae5e64c4 ask-password-agent: optionally read pw to reply from env var 2024-12-20 23:14:06 +01:00
Lennart Poettering
501e250a9e pcrextend: split out varlink server setup into its own function 2024-12-20 23:14:06 +01:00
Lennart Poettering
b7d7f327a3 sd-varlink: expose api to get input/output fd separately 2024-12-20 23:09:43 +01:00
Lennart Poettering
ccaa76ac48
image-discovery: add per-user scope (#35510) 2024-12-20 22:12:35 +01:00
Lennart Poettering
2232038187
pid1: complete per-user credentials support (#35536)
Fixes: #33887 #33796 #33318
2024-12-20 22:12:08 +01:00
Lennart Poettering
1563404159
analyze: extend CHID support to more types (#35699)
Let's implement the spec more comprehensively.

This is piece by piece work, There's more to do on the EFI side before
all CHID types are supported, but in userspace it should be reasonably
complete now.
2024-12-20 22:11:39 +01:00
Daan De Meyer
2138278d25
Various mkosi improvements (#35684) 2024-12-20 21:24:51 +01:00
Daan De Meyer
34b5a27b0b docs: Simplify hacking documentation
Let's use "mkosi sandbox" in the docs so that users can build systemd
without having to install anything except mkosi. Using mkosi sandbox
will use tools and dependencies from the tools tree which is also used
in CI and thus has a higher chance of working from the first try compared
to whatever tools might be installed on the host system of a new contributor.
2024-12-20 20:09:36 +01:00
Daan De Meyer
ba3f148307 mkosi.clangd: Fail on command errors 2024-12-20 20:09:36 +01:00
Daan De Meyer
b133f57544 mkosi.clangd: Don't pass --host if we're not using flatpak-spawn 2024-12-20 20:09:36 +01:00
Daan De Meyer
8c5b4df543 mkosi: Use build/ as extra search path by default
Building systemd with mkosi generally requires a very recent version
of systemd which might not be installed on the host. Let's configure
mkosi to look for extra executables in the build/ directory by default
so that we prefer systemd executables from the build directory over those
on the host as those on the host are likely to be too old.
2024-12-20 20:09:36 +01:00
Daan De Meyer
1995084a9e mkosi: Use tools tree by default
Let's enable usage of a tools tree by default to simplify the setup
for new contributors and save them from having to install or upgrade
a bunch of extra tools to get mkosi working as expected.
2024-12-20 20:09:35 +01:00
Daan De Meyer
ac1a711d9a mkosi: Enable EPEL for CentOS Stream tools tree
We need packages from EPEL to be able to build CentOS Stream images
with a CentOS Stream tools tree so enable it. This is broken on CentOS
Stream 10 but given using a CentOS Stream tools tree is broken without
EPEL as well, we might as well enable it and just wait until the packages
are added to EPEL 10.
2024-12-20 20:09:35 +01:00
Daan De Meyer
d4dda34854 mkosi: Add libz1 to opensuse tools tree
Without meson fails to configure properly.
2024-12-20 20:09:35 +01:00
Daan De Meyer
7337f4b197 mkosi: Add gdb to tools tree 2024-12-20 20:09:35 +01:00
Daan De Meyer
3ee5cab490 docs: Move fuzzers documentation to test README.md 2024-12-20 20:09:35 +01:00
Daan De Meyer
3add2d73b3 coverage: Run on pull request in a few cases
If we're changing the integration test wrapper or coverage.yml, let's
run the coverage workflow on PRs as well to make sure it doesn't break.
2024-12-20 20:09:35 +01:00
Daan De Meyer
1dd345b00d mkosi: Update to latest 2024-12-20 20:09:35 +01:00
Lennart Poettering
8ca50bde48 analyze-chid: fully support all CHID types
This adds logic to read the missing SMBIOS fields from userspace, too.
With this we should have full CHID coverage now, matching fwupd's output
fully.
2024-12-20 18:13:18 +01:00
Lennart Poettering
0eb51d9913 analyze-chid: split out code that reads smbios into helper 2024-12-20 18:13:18 +01:00
Lennart Poettering
6b99f3ba5a analyze: C escape weird chars in SMBIOS fields
just in case, let's not write garbled crap to the TTY but escape and
potential weird chars before output.
2024-12-20 18:13:18 +01:00
Lennart Poettering
95cd07e772 chid: add missing CHID type definitions
This add he missing CHID types to our tables, but doesn't add all
necessary code to calculate them yet.

This brings us closer to what the CHID spec documents, and what
"fupwdtool hwids" outputs.
2024-12-20 18:13:18 +01:00
Lennart Poettering
0f55038c84 analyze-chid: show friendly smbios field names
Some of the field names between kernel and smbios spec differ. Kinda
confusing. Let's use the smbios field names, to match the CHID spec,
which also uses them, and thus be least confusing, treating kernel
attribute fields as an internal Linux thing only.
2024-12-20 18:13:18 +01:00
Lennart Poettering
37e02b455b analyze: not all smbios fields are always defined, deal with that
As per previous commit, accept that not all SMBIOS fields are alwaysa
available (or set, but empty), hence handle this gracefully and don't
generate relevant CHIDs, as per docs.
2024-12-20 18:13:18 +01:00
Lennart Poettering
a04af8516e chid-fundamental: rework bit checking to use FLAGS_SET() 2024-12-20 18:13:16 +01:00
Lennart Poettering
094e2ace12 chid-fundamental: use right type to iterate through smbios fields 2024-12-20 18:06:34 +01:00
Lennart Poettering
f8988a5e45 chid-fundamental: make namespace GUID static, too 2024-12-20 18:06:34 +01:00
Lennart Poettering
d1bbfaeba5 chid-fundamental: not all SMBIOS fields are available on all systems
And the CHID documentation says that CHIDs that require fields that are
not available on the local system should not be generated. Follow that,
and generate a NULL CHID in that case (which we generally ignore
otherwise).
2024-12-20 18:06:34 +01:00
Lennart Poettering
2b717a7f14 update TODO 2024-12-20 18:04:01 +01:00
Lennart Poettering
1c0ade2e1f discover-image: introduce per-user image directories
We nowadays support unprivileged invocation of systemd-nspawn +
systemd-vmspawn, but there was no support for discovering suitable disk
images (i.e. no per-user counterpart of /var/lib/machines). Add this
now, and hook it up everywhere.

Instead of hardcoding machined's, importd's, portabled's, sysupdated's
image discovery to RUNTIME_SCOPE_SYSTEM I introduced a field that make
the scope variable, even if this field is always initialized to
RUNTIME_SCOPE_SYSTEM for now. I think these four services should
eventually be updated to support a per-user concept too, this is
preparation for that, even though it doesn't outright add support for
this.

This is for the largest part not user visible, except for in nspawn,
vmspawn and the dissect tool. For the latter I added a pair of
--user/--system switches to select the discovery scope.
2024-12-20 18:04:01 +01:00
Lennart Poettering
8cbcdc78db update TODO 2024-12-20 17:52:09 +01:00
Lennart Poettering
4103bf9f2f man: document the new per-use credstore paths
(And some other minor tweaks)
2024-12-20 17:52:07 +01:00
Lennart Poettering
026dfd60d4 test: add integration test that makes sure unpriv creds work correctly
This checks both the per-user credstore directory logic, and that
unprivileged, encrypted credentials work.
2024-12-20 17:52:04 +01:00
Lennart Poettering
1af989e8de pid1: add support for decrypting per-user credentials
When I added support for unprivileged credentials I apparently never
hooked them up to service management correctly. Let's fix that.

Fixes: #33796 #33318
2024-12-20 17:52:01 +01:00
Lennart Poettering
8506a9955c execute: introduce a user-scoped credstore
Fixes: #33887
2024-12-20 17:51:58 +01:00
Lennart Poettering
d2cd189324 sd-path: expose credential store in sd-path 2024-12-20 17:51:54 +01:00
Lennart Poettering
b226b7fb6d systemd-path: add the usual ANSI sequences to --help text 2024-12-20 17:51:52 +01:00
Lennart Poettering
060e2512cd systemd-path: guarantee that tool exit status is zero on success
Let's not inherit the error code from an earlier function invocation.
2024-12-20 17:51:50 +01:00
Lennart Poettering
81082f2dc2 systemd-path: order all listed paths by their ID alphabetically
Let's add some system to the madness, given we added user-specific dirs
to the end of the list, but they should really be listed together with
the other user-specific ones.
2024-12-20 17:51:48 +01:00
Lennart Poettering
616586b910 sd-path: don't chop off trailing slash in sd_path apis, when user provided them
This is a minor compat break, but given the slow adoption of the
sd-path.h APIs I think it's one we should take. Basically, the idea is
that if the user provides a suffix path with a trailing slash (thus
encoding in the path that the last element must be a dir), we should
keep it in place, and not suppress it, in order to not willy nilly
reduce the amount of information contained in the path.

Simplifications that do not alter meaning, and do not suppress
information should be fine to apply to a path, but otherwise we really
should be conservative on this.
2024-12-20 17:51:46 +01:00
Lennart Poettering
cf7d0a2d2e pid1: normalize oom error handling a bit 2024-12-20 17:51:42 +01:00
Ricky Tigg
06ffa66a5b po: Translated using Weblate (Finnish)
Currently translated at 100.0% (257 of 257 strings)

Co-authored-by: Ricky Tigg <ricky.tigg@gmail.com>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/fi/
Translation: systemd/main
2024-12-21 00:51:18 +09:00
Septatrix
33bfa69b2e Add .venv to gitignore
This directory is commonly used for virtual Python environments.
These are useful when developing to install different Python versions
as well as install tooling like mkosi and mypy in an isolated fashion
without influencing the global system.
2024-12-20 15:33:32 +00:00
Lennart Poettering
f108996319
core/device: handle ID_PROCESSING udev property (#35351)
Continuation of #35332.
2024-12-20 10:12:39 +01:00
Daan De Meyer
dec47e58a6
debug-generator: add a kernel cmdline option to pause the boot process (#35410)
Introduce the `systemd.break=` kernel command line option to allow
stopping the boot process at a certain point and spawn a debug shell.
After exiting this shell, the system will resume booting.

It accepts the following values:
- `pre-udev`: before starting to process kernel uevents (initrd and
host).
- `pre-basic`: before leaving early boot and regular services start
(initrd and host).
- `pre-mount`: before the root filesystem is mounted (initrd).
- `pre-switch-root`: before switching root (initrd).
2024-12-20 10:04:41 +01:00
Lennart Poettering
cdcb1eeeb8
[RFC] better naming for Azure MANA network devices (#34255)
The Azure MANA folks would like the PCI domain to be suppressed from
naming network interfaces. Let's introduce a somewhat generic way to do
this, without hardcoding anything to Azure.

Specifically: we'll ship a new hwdb entry that sets a new
ID_NET_NAME_INCLUDE_DOMAIN=0 property on relevant MANA devices. Then we
make net_id look for that property, and if it is set we simply suppress
the PCI domain.

(Untested as of now, needs feedback from Azure MANA folks that this
actually works and does what is requested here).
2024-12-20 09:52:40 +01:00
Matteo Croce
77d4a263c1 mkosi: move config options
Move some config option in the right section, fixes the following warning:
```
mkosi.conf: Setting Credentials should be configured in [Runtime], not [Host].
mkosi.conf: Setting RuntimeBuildSources should be configured in [Runtime], not [Host].
mkosi.conf: Setting RuntimeScratch should be configured in [Runtime], not [Host].
mkosi.conf: Setting QemuSmp should be configured in [Runtime], not [Host].
mkosi.conf: Setting QemuSwtpm should be configured in [Runtime], not [Host].
mkosi.conf: Setting QemuVsock should be configured in [Runtime], not [Host].
mkosi.conf: Setting QemuKvm should be configured in [Runtime], not [Host].
```
2024-12-20 09:38:11 +01:00
Yu Watanabe
5f29c86ace audit-util: rename output parameter
To make them consistent with in audit-util.c.

Follow-up for 7e02ee98d8.
2024-12-20 09:37:25 +01:00
Yu Watanabe
182ffb5819 TEST-71-HOSTNAME: do not start user session
The user session may trigger hostnamed, and the job of stopping
hostnamed may be cancelled, and the test may fail:
```
[ 4633.613578] TEST-71-HOSTNAME.sh[175]: + stop_hostnamed
[ 4633.613578] TEST-71-HOSTNAME.sh[175]: + systemctl stop systemd-hostnamed.service
[ 4633.664670] systemd[1]: Stopping systemd-hostnamed.service - Hostname Service...
[ 4636.022277] systemd-logind[121]: New session c2 of user root.
[ 4636.032532] systemd[1]: Created slice user-0.slice - User Slice of UID 0.
[ 4636.042675] systemd[1]: Starting user-runtime-dir@0.service - User Runtime Directory /run/user/0...
[ 4636.176140] systemd[1]: Finished user-runtime-dir@0.service - User Runtime Directory /run/user/0.
[ 4636.202951] systemd[1]: Starting user@0.service - User Manager for UID 0...
[ 4636.292204] systemd-logind[121]: New session c3 of user root.
[ 4636.300065] (systemd)[268]: pam_unix(systemd-user:session): session opened for user root(uid=0) by root(uid=0)
[ 4636.757667] systemd[268]: Queued start job for default target default.target.
[ 4636.774419] systemd[268]: Created slice app.slice - User Application Slice.
[ 4636.774579] systemd[268]: Started systemd-tmpfiles-clean.timer - Daily Cleanup of User's Temporary Directories.
[ 4636.774747] systemd[268]: Reached target paths.target - Paths.
[ 4636.776418] systemd[268]: Reached target sysinit.target - System Initialization.
[ 4636.776604] systemd[268]: Reached target timers.target - Timers.
[ 4636.784997] systemd[268]: Starting dbus.socket - D-Bus User Message Bus Socket...
[ 4636.799472] systemd[268]: Starting systemd-tmpfiles-setup.service - Create User Files and Directories...
[ 4637.027125] systemd[268]: Finished systemd-tmpfiles-setup.service - Create User Files and Directories.
[ 4637.031721] systemd[268]: Listening on dbus.socket - D-Bus User Message Bus Socket.
[ 4637.036189] systemd[268]: Reached target sockets.target - Sockets.
[ 4637.036373] systemd[268]: Reached target basic.target - Basic System.
[ 4637.036558] systemd[268]: Reached target default.target - Main User Target.
[ 4637.036646] systemd[268]: Startup finished in 702ms.
[ 4637.049075] systemd[1]: Started user@0.service - User Manager for UID 0.
[ 4637.075263] systemd[1]: Started session-c2.scope - Session c2 of User root.
[ 4637.084917] login[136]: pam_unix(login:session): session opened for user root(uid=0) by root(uid=0)
[ 4637.117348] login[136]: ROOT LOGIN ON pts/0
[ 4637.238572] systemctl[261]: Job for systemd-hostnamed.service canceled.
[ 4637.290369] systemd[1]: TEST-71-HOSTNAME.service: Main process exited, code=exited, status=1/FAILURE
```

Fixes #35643.
2024-12-20 09:36:51 +01:00
Antonio Alvarez Feijoo
e9f781a5a4
debug-generator: add a kernel cmdline option to pause the boot process
Introduce the `systemd.break=` kernel command line option to allow stopping the
boot process at a certain point and spawn a debug shell. After exiting this
shell, the system will resume booting.

It accepts the following values:
- `pre-udev`: before starting to process kernel uevents (initrd and host).
- `pre-basic`: before leaving early boot and regular services start (initrd and
host).
- `pre-mount`: before the root filesystem is mounted (initrd).
- `pre-switch-root`: before switching root (initrd).
2024-12-20 08:51:23 +01:00
Antonio Alvarez Feijoo
cb3801a4c9
man/debug-generator: add a section for kernel command line options 2024-12-20 08:48:23 +01:00
Yu Watanabe
8a135111ca
capability-util: generalize helper to acquire local caps (#35403)
This generalizes and modernizes the code to acquire set of local caps,
based on the code for this in the condition logic. Uses PidRef, and
acquires the full quintuplet of caps.

This can be considered preparation to one day maybe build without
libcap.
2024-12-20 11:52:24 +09:00
Yu Watanabe
5e837858e7
analyze: add "chid" verb to display CHIDs of the local system (#35175)
We already have the code for it, expose it in systemd-analyze, because
it's useful.
2024-12-20 11:47:03 +09:00
Yu Watanabe
a3fecea5e2
Small fixes to nspawn and other stuff (#35686)
Split out ouf #35685.
2024-12-20 11:03:59 +09:00
Yu Watanabe
f01132aacf TEST-17: add test case for ID_PROCESSING flag on add uevent
Also, check the state of the device units on change event.
2024-12-20 10:52:57 +09:00
Yu Watanabe
ad920b4cb3 core/device: handle ID_PROCESSING udev property
If an enumerated device has ID_PROCESSING=1 property, and the service
manager does not know if the device has been processed by udevd
previously (that is, Device.deserialized_found does not have
DEVICE_FOUND_UDEV), then drop DEVICE_FOUND_UDEV flag from the device and
make the device not enter the active state.

Follow-up for 405be62f05, which was
reverted by c4fc22c4de.
2024-12-20 10:52:57 +09:00
Yu Watanabe
a7396f8364 core/device: use path_equal() to compare sysfs path
The hashmap Manager.devices_by_sysfs uses path_hash_ops.
Let's consistent compare function.
2024-12-20 10:52:57 +09:00
Yu Watanabe
71ec342d13 core/device: rename output parameters of device_setup_units() to ret_xyz
No functional change, just refactoring.
2024-12-20 10:52:57 +09:00
Yu Watanabe
3b9010b170
udev: support reloading udev.conf (#35458)
This makes systemd-udevd reload udev.conf when explicitly requested by
e.g. `udevadm control --reload`.
2024-12-20 09:00:48 +09:00
Yu Watanabe
cf89e48028 ptyfwd: reset writable/readable flag before shovel() on exit
Follow-up for 12807b5a49.

Otherwise, if a call of shovel() disabled the flags, the subsequent
calls do nothing even if there is something we need to read or write.

Fixes the following error:
```
Dec 19 02:19:39 run0[5618]: Error on PTY forwarding logic: Too many levels of symbolic links
```
2024-12-20 08:59:41 +09:00
Ivan Kruglov
3cbf00a30c machine: make TEST-13-NSPAWN wqlong-running code more verbose
Need this to debug https://github.com/systemd/systemd/issues/35115
2024-12-19 17:09:04 +00:00
Luca Boccassi
0f67cb3606
Minor fixes in man pages, example scripts, error log (#35683)
No functional changes.
2024-12-19 17:08:13 +00:00
Lennart Poettering
5ceb38cb1e nspawn: switch to read_virtual_file() for reading audit loginuid 2024-12-19 15:37:00 +01:00
Lennart Poettering
312cf91005 nsresource: print nicer error message when trying to acquire an unpriv user ns range where this isn't possible 2024-12-19 15:35:23 +01:00
Lennart Poettering
b1b128d0e2 mount-util: add debug message to make_userns() failure 2024-12-19 15:33:52 +01:00
Lennart Poettering
91cdc8ab0f mount-util: add debug output when we switched root 2024-12-19 15:33:44 +01:00
Lennart Poettering
009a02b263 nspawn: trivial improvements 2024-12-19 15:33:34 +01:00
Lennart Poettering
b83358b87f nspawn: rename pin_fully_visible_fs() → pin_fully_visible_api_fs()
This function pins the *API* FS, i.e. /proc/ + /sys/, not just any fs.
Hence clarify this in the name.

(At least we call these two fs "API (V)FS" in our codebase, hence
continue to do so here)
2024-12-19 15:33:24 +01:00
Lennart Poettering
bf1ef54d30 nspawn: add some additional useful debug logging 2024-12-19 15:33:10 +01:00
Lennart Poettering
8f9ea89ce4 nspawn: make unexpected mkdir() failures fatal
THis is just to make things easier to debug.
2024-12-19 15:33:06 +01:00
Lennart Poettering
5229cd839a nspawn: rename 'fd' variable to something more descriptive 2024-12-19 15:32:50 +01:00
Lennart Poettering
595ca10f37 nspawn: use DEVNUM_FORMAT_STR/DEVNUM_FORMAT_VAL more 2024-12-19 15:32:05 +01:00
Matthias Lisin
6e3f32cc56
man/sysupdate.features: fix typos 2024-12-19 12:39:32 +01:00
Matthias Lisin
1462736c7e
sysupdate: fix args order of formatted error 2024-12-19 12:39:31 +01:00
Matthias Lisin
f441831c9e
man/sysupdate.d: fix wrong PathRelativeTo value 2024-12-19 12:39:31 +01:00
Matthias Lisin
4bc06da775
man: fix args order for udevadm info cmd 2024-12-19 12:39:31 +01:00
Yu Watanabe
ced0ef3b35 TEST-17: use 'udevadm control --reload' or 'systemctl reload systemd-udevd.service' for reloading udev.conf
These should be equivalent. For coverage, one subtest uses systemctl and
another uses udevadm.
2024-12-19 19:00:38 +09:00
Yu Watanabe
e95861d909 udev: also reload udev.conf when explicitly requested
When reloading is explicitly requested, e.g. by 'udevadm control --reload',
then also reload udev.conf.
2024-12-19 18:57:32 +09:00
Yu Watanabe
0f72af536f udev: reload .rules files and builtins only when necessary
Previously, even if e.g. .rules files are unchanged, all .rules files
are reloaded when other kind of config files like .link files or
.hwdb.bin are changed, vice versa.
2024-12-19 18:55:18 +09:00
Yu Watanabe
b5ea69f5ac
udev: move config parsers and related things to udev-config.c (#35624)
No functional change, just refactoring and preparation for later
changes.
2024-12-19 18:41:52 +09:00
Yu Watanabe
04fa5c1580 udev-config: introduce UdevConfig
Then, save configurations by their source: udev.conf, command line
arguments, kernel command line options, and udev control.

Preparation to support reloading udev.conf in a later commit.
2024-12-19 12:28:44 +09:00
Yu Watanabe
394a678aec udev: move parsers for config file, kerenel command line, and positional arguments to udev-config.c
No functional change, just refactoring and preparation for later
commits.
2024-12-19 12:28:44 +09:00
Lennart Poettering
0e5a83f510 analyze: drop conditioning of --no-legend and --json= on specific verbs
First of all, the list of verbs was badly out of date, in particular for
--no-legend. But second if it, I think such minor switches that alter
some detail of the output should not result in failure when the specific
tweak does not apply on some command. It should be fine for scripts and
suchlike to dumbly always pass --no-legend to all invocations of our
tools without having to consider if a specific subtool of ours actually
supports it or not.
2024-12-18 17:39:22 +01:00
Lennart Poettering
8f114904fc analyze: add verb for showing system's CHIDs
We have the code already, expose it in systemd-analyze too.

This should make it easier to debug the CHID use in the UKIs with
onboard tooling.
2024-12-18 17:38:42 +01:00
Lennart Poettering
25b1a73f71 journald: get rid of get_process_capeff(), use pidref_get_capability() instead
This does pretty much the same, but is nicer, since it parses things
properly.
2024-12-17 19:06:54 +01:00
Lennart Poettering
a5370d35d6 capability-util: introduce capability_is_set() helper 2024-12-17 19:06:54 +01:00
Lennart Poettering
1184626a26 capability-util: generalize helper to acquire local caps
This generalizes and modernizes the code to acquire set of local caps,
based on the code for this in the condition logic. Uses PidRef, and
acquires the full quintuplet of caps.

This can be considered preparation to one day maybe build without
libcap.
2024-12-17 19:06:54 +01:00
Lennart Poettering
9311c28b34 hwdb: disable inclusion of the PCI domain in MANA network interface naming 2024-12-11 16:38:25 +01:00
Lennart Poettering
19491cc90f net_id: depending on new udev prop, include/exclude PCI domain from netif names 2024-12-11 16:37:59 +01:00
152 changed files with 3214 additions and 1005 deletions

View File

@ -7,6 +7,14 @@ on:
# Calculate coverage daily at midnight # Calculate coverage daily at midnight
- cron: '0 0 * * *' - cron: '0 0 * * *'
pull_request:
branches:
- main
- v[0-9]+-stable
paths:
- .github/workflows/coverage.yml
- test/integration-test-wrapper.py
permissions: permissions:
contents: read contents: read
@ -16,7 +24,7 @@ jobs:
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: systemd/mkosi@07ef37c4c0dad5dfc6cec86c967a7600df1cd88c - uses: systemd/mkosi@ba07d53000b6c560ad0b9f07550aca93c0284e88
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
# immediately, we remove the files in the background. However, we first move them to a different location # immediately, we remove the files in the background. However, we first move them to a different location
@ -49,7 +57,6 @@ jobs:
Distribution=arch Distribution=arch
[Build] [Build]
ToolsTree=default
ToolsTreeDistribution=arch ToolsTreeDistribution=arch
UseSubvolumes=yes UseSubvolumes=yes
WithTests=no WithTests=no
@ -64,7 +71,7 @@ jobs:
MESON_OPTIONS=--werror MESON_OPTIONS=--werror
COVERAGE=1 COVERAGE=1
[Host] [Runtime]
QemuMem=4G QemuMem=4G
EOF EOF

View File

@ -113,7 +113,7 @@ jobs:
steps: steps:
- uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683
- uses: systemd/mkosi@c4bbf3b71a3e2cf947995caedf10f69da3c4957a - uses: systemd/mkosi@ba07d53000b6c560ad0b9f07550aca93c0284e88
# Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space # Freeing up disk space with rm -rf can take multiple minutes. Since we don't need the extra free space
# immediately, we remove the files in the background. However, we first move them to a different location # immediately, we remove the files in the background. However, we first move them to a different location
@ -152,7 +152,6 @@ jobs:
[Build] [Build]
UseSubvolumes=yes UseSubvolumes=yes
ToolsTree=default
ToolsTreeDistribution=fedora ToolsTreeDistribution=fedora
ToolsTreeRelease=rawhide ToolsTreeRelease=rawhide
@ -171,7 +170,7 @@ jobs:
[Content] [Content]
SELinuxRelabel=${{ matrix.relabel }} SELinuxRelabel=${{ matrix.relabel }}
[Host] [Runtime]
QemuMem=4G QemuMem=4G
EOF EOF

1
.gitignore vendored
View File

@ -7,6 +7,7 @@
.config.args .config.args
.gdb_history .gdb_history
.deps/ .deps/
.venv/
.mypy_cache/ .mypy_cache/
__pycache__/ __pycache__/
/*.gcda /*.gcda

20
TODO
View File

@ -122,6 +122,18 @@ Deprecations and removals:
Features: Features:
* importd: introduce a per-user instance, that downloads into per-user DDI dirs
* sysupdated: similar
* portabled: similar
* machined: implement a per-user instance, that manages per-user DDI dirs for
images. systemd-nspawn/systemd-vmspawn should probably register with both the
system and the user scoped machined instance. The former to get the machine
name registered as hostname, and the latter so that the image stuff is nicely
per-user managed.
* resolved: make resolved process DNR DHCP info * resolved: make resolved process DNR DHCP info
* Teach systemd-ssh-generator to generated an /run/issue.d/ drop-in telling * Teach systemd-ssh-generator to generated an /run/issue.d/ drop-in telling
@ -391,8 +403,6 @@ Features:
the bg via vmspawn/nspawn if not done so yet and then requests a shell inside the bg via vmspawn/nspawn if not done so yet and then requests a shell inside
it for the invoking user. it for the invoking user.
* importd/…: define per-user dirs for container/VM images too.
* add a new specifier to unit files that figures out the DDI the unit file is * add a new specifier to unit files that figures out the DDI the unit file is
from, tracing through overlayfs, DM, loopback block device. from, tracing through overlayfs, DM, loopback block device.
@ -446,10 +456,6 @@ Features:
* credentials: add a flag to the scoped credentials that if set require PK * credentials: add a flag to the scoped credentials that if set require PK
reauthentication when unlocking a secret. reauthentication when unlocking a secret.
* teach systemd --user to properly load credentials off disk, with
/etc/credstore equivalent and similar. Make sure that $CREDENTIALS_DIRECTORY=
actually works too when run with user privs.
* extend the smbios11 logic for passing credentials so that instead of passing * extend the smbios11 logic for passing credentials so that instead of passing
the credential data literally it can also just reference an AF_VSOCK CID/port the credential data literally it can also just reference an AF_VSOCK CID/port
to read them from. This way the data doesn't remain in the SMBIOS blob during to read them from. This way the data doesn't remain in the SMBIOS blob during
@ -795,7 +801,7 @@ Features:
* udevd: extend memory pressure logic: also kill any idle worker processes * udevd: extend memory pressure logic: also kill any idle worker processes
* udevadm: to make symlink querying with udevadm nicer: * udevadm: to make symlink querying with udevadm nicer:
- do not enable the pager for queries like 'udevadm info -q -r symlink' - do not enable the pager for queries like 'udevadm info -q symlink -r'
- add mode with newlines instead of spaces (for grep)? - add mode with newlines instead of spaces (for grep)?
* SIGRTMIN+18 and memory pressure handling should still be added to: hostnamed, * SIGRTMIN+18 and memory pressure handling should still be added to: hostnamed,

View File

@ -7,94 +7,97 @@ SPDX-License-Identifier: LGPL-2.1-or-later
# Hacking on systemd # Hacking on systemd
We welcome all contributions to systemd. We welcome all contributions to systemd. If you notice a bug or a missing
If you notice a bug or a missing feature, please feel invited to fix it, and submit your work as a feature, please feel invited to fix it, and submit your work as a
[GitHub Pull Request (PR)](https://github.com/systemd/systemd/pull/new). [GitHub Pull Request (PR)](https://github.com/systemd/systemd/pull/new).
Please make sure to follow our [Coding Style](/CODING_STYLE) when submitting patches. Please make sure to follow our [Coding Style](/CODING_STYLE) when submitting
Also have a look at our [Contribution Guidelines](/CONTRIBUTING). patches. Also have a look at our [Contribution Guidelines](/CONTRIBUTING).
When adding new functionality, tests should be added. When adding new functionality, tests should be added. For shared functionality
For shared functionality (in `src/basic/` and `src/shared/`) unit tests should be sufficient. (in `src/basic/` and `src/shared/`) unit tests should be sufficient. The general
The general policy is to keep tests in matching files underneath `src/test/`, policy is to keep tests in matching files underneath `src/test/`, e.g.
e.g. `src/test/test-path-util.c` contains tests for any functions in `src/basic/path-util.c`. `src/test/test-path-util.c` contains tests for any functions in
If adding a new source file, consider adding a matching test executable. `src/basic/path-util.c`. If adding a new source file, consider adding a matching
For features at a higher level, tests in `src/test/` are very strongly recommended. test executable. For features at a higher level, tests in `src/test/` are very
If that is not possible, integration tests in `test/` are encouraged. strongly recommended. If that is not possible, integration tests in `test/` are
encouraged. Please always test your work before submitting a PR.
Please always test your work before submitting a PR. ## Hacking on systemd with mkosi
For many of the components of systemd testing is straightforward as you can simply compile systemd and run the relevant tool from the build directory.
For some components (most importantly, systemd/PID 1 itself) this is not possible, however. [mkosi](https://mkosi.systemd.io/) is our swiss army knife for hacking on
In order to simplify testing for cases like this we provide a set of `mkosi` config files directly in the source tree. systemd. It makes sure all necessary dependencies are available to build systemd
[mkosi](https://mkosi.systemd.io/) and allows building and booting an OS image with the latest systemd installed
is a tool for building clean OS images from an upstream distribution in combination with a fresh build of the project in the local working directory. for testing purposes.
To make use of this, please install `mkosi` from the [GitHub repository](https://github.com/systemd/mkosi#running-mkosi-from-the-repository).
`mkosi` will build an image for the host distro by default. First, install `mkosi` from the
First, run `mkosi genkey` to generate a key and certificate to be used for secure boot and verity signing. [GitHub repository](https://github.com/systemd/mkosi#running-mkosi-from-the-repository).
After that is done, it is sufficient to type `mkosi` in the systemd project directory to generate a disk image you can boot either in `systemd-nspawn` or in a UEFI-capable VM: Note that it's not possible to use your distribution's packaged version of mkosi
as mkosi has to be installed outside of `/usr` for the following steps to work.
Then, you can build and run systemd executables as follows:
```sh ```sh
$ sudo mkosi boot # nspawn still needs sudo for now $ mkosi -f sandbox meson setup build
$ mkosi -f sandbox ninja -C build
$ mkosi -f sandbox build/systemctl --version
``` ```
or: To build and boot an OS image with the latest systemd installed:
```sh ```sh
$ mkosi qemu $ mkosi -f genkey # Generate signing keys once.
$ mkosi -f sandbox ninja -C build mkosi # (re-)build the OS image
$ sudo mkosi boot # Boot the image with systemd-nspawn.
$ mkosi qemu # Boot the image with qemu.
``` ```
By default, the tools from your host system are used to build the image. Putting this all together, here's a series of commands for preparing a patch for
Sometimes we start using mkosi features that rely on functionality in systemd systemd:
tools that's not in an official release yet. In that case, you'll need to build
systemd from source on the host and configure mkosi to use the tools from the
systemd build directory.
To do a local build, most distributions provide very simple and convenient ways
to install most development packages necessary to build systemd:
```sh ```sh
# Fedora $ git clone https://github.com/systemd/mkosi.git
$ sudo dnf builddep systemd $ ln -s $PWD/mkosi/bin/mkosi ~/.local/bin/mkosi # Make sure ~/.local/bin is in $PATH.
# Debian/Ubuntu $ git clone https://github.com/systemd/systemd.git
$ sudo apt-get build-dep systemd
# Arch
$ sudo pacman -S devtools
$ pkgctl repo clone --protocol=https systemd
$ cd systemd $ cd systemd
$ makepkg -seoc $ git checkout -b <BRANCH> # where BRANCH is the name of the branch
$ $EDITOR src/core/main.c # or wherever you'd like to make your changes
$ mkosi -f sandbox meson setup build # Set up meson
$ mkosi -f genkey # Generate signing keys once.
$ mkosi -f sandbox ninja -C build mkosi # (re-)build the test image
$ mkosi qemu # Boot the image in qemu
$ git add -p # interactively put together your patch
$ git commit # commit it
$ git push -u <REMOTE> # where REMOTE is your "fork" on GitHub
``` ```
After installing the development packages, systemd can be built from source as follows: And after that, head over to your repo on GitHub and click "Compare & pull
request"
```sh Happy hacking!
$ meson setup build <options>
$ ninja -C build
$ meson test -C build
```
To have `mkosi` use the systemd tools from the `build/` directory, add the The following sections contain advanced topics on how to speed up development or
following to `mkosi.local.conf`: streamline debugging. Feel free to read them if you're interested but they're
not required to write basic patches.
## Building the OS image without a tools tree
By default, `mkosi` will first build a tools tree and use it build the image and
provide the environment for `mkosi sandbox`. To disable the tools tree and use
binaries from your host instead, write the following to `mkosi.local.conf`:
```conf ```conf
[Host] [Build]
ExtraSearchPaths=build/ ToolsTree=
``` ```
And if you want `mkosi` to build a tools image and use the tools from there ## Rebuilding systemd without rebuilding the OS image
instead of looking for tools on the host, add the following to
`mkosi.local.conf`:
```conf Every time the `mkosi` target is built, a fresh image is built. To build the
[Host] latest changes and re-install systemd without rebuilding the image, run one of
ToolsTree=default the following commands in another terminal on your host after booting the image
``` (choose the right one depending on the distribution of the container or virtual
machine):
Every time you rerun the `mkosi` command a fresh image is built, incorporating
all current changes you made to the project tree. To build the latest changes
and re-install after booting the image, run one of the following commands in
another terminal on your host (choose the right one depending on the
distribution of the container or virtual machine):
```sh ```sh
mkosi -t none && mkosi ssh dnf upgrade --disablerepo="*" --assumeyes "/work/build/*.rpm" # CentOS/Fedora mkosi -t none && mkosi ssh dnf upgrade --disablerepo="*" --assumeyes "/work/build/*.rpm" # CentOS/Fedora
@ -107,26 +110,6 @@ and optionally restart the daemon(s) you're working on using
`systemctl restart <units>` or `systemctl daemon-reexec` if you're working on `systemctl restart <units>` or `systemctl daemon-reexec` if you're working on
pid1 or `systemctl soft-reboot` to restart everything. pid1 or `systemctl soft-reboot` to restart everything.
Putting this all together, here's a series of commands for preparing a patch for systemd:
```sh
$ git clone https://github.com/systemd/mkosi.git
$ ln -s $PWD/mkosi/bin/mkosi /usr/local/bin/mkosi
$ git clone https://github.com/systemd/systemd.git
$ cd systemd
$ git checkout -b <BRANCH> # where BRANCH is the name of the branch
$ vim src/core/main.c # or wherever you'd like to make your changes
$ mkosi -f qemu # (re-)build and boot up the test image in qemu
$ mkosi -t none # Build new packages without rebuilding the image
$ git add -p # interactively put together your patch
$ git commit # commit it
$ git push -u <REMOTE> # where REMOTE is your "fork" on GitHub
```
And after that, head over to your repo on GitHub and click "Compare & pull request"
Happy hacking!
## Building distribution packages with mkosi ## Building distribution packages with mkosi
To build distribution packages for a specific distribution and release without To build distribution packages for a specific distribution and release without
@ -201,67 +184,6 @@ Those are not useful when compiling for distribution and can be disabled by sett
See [Testing systemd using sanitizers](/TESTING_WITH_SANITIZERS) for more information on how to build with sanitizers enabled in mkosi. See [Testing systemd using sanitizers](/TESTING_WITH_SANITIZERS) for more information on how to build with sanitizers enabled in mkosi.
## Fuzzers
systemd includes fuzzers in `src/fuzz/` that use libFuzzer and are automatically run by [OSS-Fuzz](https://github.com/google/oss-fuzz) with sanitizers.
To add a fuzz target, create a new `src/fuzz/fuzz-foo.c` file with a `LLVMFuzzerTestOneInput` function and add it to the list in `src/fuzz/meson.build`.
Whenever possible, a seed corpus and a dictionary should also be added with new fuzz targets.
The dictionary should be named `src/fuzz/fuzz-foo.dict` and the seed corpus should be built and exported as `$OUT/fuzz-foo_seed_corpus.zip` in `tools/oss-fuzz.sh`.
The fuzzers can be built locally if you have libFuzzer installed by running `tools/oss-fuzz.sh`, or by running:
```sh
CC=clang CXX=clang++ \
meson setup build-libfuzz -Dllvm-fuzz=true -Db_sanitize=address,undefined -Db_lundef=false \
-Dc_args='-fno-omit-frame-pointer -DFUZZING_BUILD_MODE_UNSAFE_FOR_PRODUCTION'
ninja -C build-libfuzz fuzzers
```
Each fuzzer then can be then run manually together with a directory containing the initial corpus:
```
export UBSAN_OPTIONS=print_stacktrace=1:print_summary=1:halt_on_error=1
build-libfuzz/fuzz-varlink-idl test/fuzz/fuzz-varlink-idl/
```
Note: the `halt_on_error=1` UBSan option is especially important,
otherwise the fuzzer won't crash when undefined behavior is triggered.
You should also confirm that the fuzzers can be built and run using
[the OSS-Fuzz toolchain](https://google.github.io/oss-fuzz/advanced-topics/reproducing/#building-using-docker):
```sh
path_to_systemd=...
git clone --depth=1 https://github.com/google/oss-fuzz
cd oss-fuzz
for sanitizer in address undefined memory; do
for engine in libfuzzer afl honggfuzz; do
./infra/helper.py build_fuzzers --sanitizer "$sanitizer" --engine "$engine" \
--clean systemd "$path_to_systemd"
./infra/helper.py check_build --sanitizer "$sanitizer" --engine "$engine" \
-e ALLOWED_BROKEN_TARGETS_PERCENTAGE=0 systemd
done
done
./infra/helper.py build_fuzzers --clean --architecture i386 systemd "$path_to_systemd"
./infra/helper.py check_build --architecture i386 -e ALLOWED_BROKEN_TARGETS_PERCENTAGE=0 systemd
./infra/helper.py build_fuzzers --clean --sanitizer coverage systemd "$path_to_systemd"
./infra/helper.py coverage --no-corpus-download systemd
```
If you find a bug that impacts the security of systemd,
please follow the guidance in [CONTRIBUTING.md](/CONTRIBUTING) on how to report a security vulnerability.
For more details on building fuzzers and integrating with OSS-Fuzz, visit:
- [Setting up a new project - OSS-Fuzz](https://google.github.io/oss-fuzz/getting-started/new-project-guide/)
- [Tutorials - OSS-Fuzz](https://google.github.io/oss-fuzz/reference/useful-links/#tutorials)
## Debugging binaries that need to run as root in vscode ## Debugging binaries that need to run as root in vscode
When trying to debug binaries that need to run as root, When trying to debug binaries that need to run as root,

View File

@ -3,3 +3,7 @@
# Dell iDRAC Virtual USB NIC # Dell iDRAC Virtual USB NIC
usb:v413CpA102* usb:v413CpA102*
ID_NET_NAME_FROM_DATABASE=idrac ID_NET_NAME_FROM_DATABASE=idrac
# Disable inclusion of PCI domain in interface names on Azure MANA
pci:v00001414d000000BA*
ID_NET_NAME_INCLUDE_DOMAIN=0

View File

@ -10,7 +10,7 @@ sudo systemd-cryptsetup attach mytest /dev/sdXn - fido2-device=auto
# If that worked, let's now add the same line persistently to /etc/crypttab, # If that worked, let's now add the same line persistently to /etc/crypttab,
# for the future. We don't want to use the (unstable) /dev/sdX name, so let's # for the future. We don't want to use the (unstable) /dev/sdX name, so let's
# figure out a stable link: # figure out a stable link:
udevadm info -q -r symlink /dev/sdXn udevadm info -q symlink -r /dev/sdXn
# Now add the line using the by-uuid symlink to /etc/crypttab: # Now add the line using the by-uuid symlink to /etc/crypttab:
sudo bash -c 'echo "mytest /dev/disk/by-uuid/... - fido2-device=auto" >>/etc/crypttab' sudo bash -c 'echo "mytest /dev/disk/by-uuid/... - fido2-device=auto" >>/etc/crypttab'

View File

@ -97,6 +97,18 @@
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><varname>systemd.break=</varname></term>
<term><varname>rd.systemd.break=</varname></term>
<listitem>
<para>Parameters understood by
<citerefentry><refentrytitle>systemd-debug-generator</refentrytitle><manvolnum>8</manvolnum></citerefentry>,
to pause the boot process at a certain point and spawn a debug shell.</para>
<xi:include href="version-info.xml" xpointer="v258"/>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term><varname>systemd.run=</varname></term> <term><varname>systemd.run=</varname></term>
<term><varname>systemd.run_success_action=</varname></term> <term><varname>systemd.run_success_action=</varname></term>

View File

@ -205,6 +205,11 @@
<arg choice="opt" rep="repeat">OPTIONS</arg> <arg choice="opt" rep="repeat">OPTIONS</arg>
<arg choice="plain">smbios11</arg> <arg choice="plain">smbios11</arg>
</cmdsynopsis> </cmdsynopsis>
<cmdsynopsis>
<command>systemd-analyze</command>
<arg choice="opt" rep="repeat">OPTIONS</arg>
<arg choice="plain">chid</arg>
</cmdsynopsis>
</refsynopsisdiv> </refsynopsisdiv>
<refsect1> <refsect1>
@ -1084,6 +1089,37 @@ io.systemd.credential:vmm.notify_socket=vsock-stream:2:254570042
<xi:include href="version-info.xml" xpointer="v257"/> <xi:include href="version-info.xml" xpointer="v257"/>
</refsect2> </refsect2>
<refsect2>
<title><command>systemd-analyze chid</command></title>
<para>Shows a list of Computer Hardware IDs (CHIDs) of the local system. These IDs identify the
system's computer hardware, based on SMBIOS data. See <ulink
url="https://learn.microsoft.com/en-us/windows-hardware/drivers/dashboard/using-chids">Using Computer
Hardware IDs (CHIDs)</ulink> for details about CHIDs.</para>
<example>
<title>Example output</title>
<programlisting>$ systemd-analyze chid
TYPE INPUT CHID
3 MFPSmp 520537c0-3b59-504f-b062-9682ea236b21
4 MFPS-- edf05dc8-a53d-5b2c-8023-630bca2a2463
5 MFP--- ebc6a4d9-ec48-537a-916b-c69fa4fdd814
6 M--Smp 5ebe4bba-f598-5e90-9ff2-9fd0d3211465
7 M--S-- 1a3fb835-b42a-5f9c-a38c-eff5bfd5c41d
8 M-P-mp 2a831dce-8163-5bad-8406-435b8c752dd8
9 M-P--- 7c21c878-4a75-50f7-9816-21e811588da0
10 MF--mp 9a003537-bcc5-500e-b10a-8d8892e4fc64
11 MF---- bb9122bb-8a5c-50d2-a742-a85beb719909
13 M---mp bfc36935-5032-5987-a0a3-6311f01de33a
LEGEND: M → sys_vendor (LENOVO) ┄ F → product_family (ThinkPad X1 Carbon Gen 9) ┄ P → product_name (20XW0055GE)
S → product_sku (LENOVO_MT_20XW_BU_Think_FM_ThinkPad X1 Carbon Gen 9) ┄ m → board_vendor (LENOVO)
p → board_name (20XW0055GE)</programlisting>
</example>
<xi:include href="version-info.xml" xpointer="v258"/>
</refsect2>
</refsect1> </refsect1>
<refsect1> <refsect1>

View File

@ -31,45 +31,131 @@
<refsect1> <refsect1>
<title>Description</title> <title>Description</title>
<para><filename>systemd-debug-generator</filename> is a generator <para><command>systemd-debug-generator</command> is a generator that provides some debugging
that reads the kernel command line and understands three functionality.</para>
options:</para>
<para>If the <option>systemd.mask=</option> or <option>rd.systemd.mask=</option> <para><command>systemd-debug-generator</command> implements
option is specified and followed by a unit name, this unit is
masked for the runtime (i.e. for this session — from boot to shutdown), similarly to the effect of
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
<command>mask</command> command. This is useful to boot with
certain units removed from the initial boot transaction for
debugging system startup. May be specified more than once.
<option>rd.systemd.mask=</option> is honored only by initial
RAM disk (initrd) while <option>systemd.mask=</option> is
honored only in the main system.</para>
<para>If the <option>systemd.wants=</option> or
<option>rd.systemd.wants=</option> option is specified
and followed by a unit name, a start job for this unit is added to
the initial transaction. This is useful to start one or more
additional units at boot. May be specified more than once.
<option>rd.systemd.wants=</option> is honored only by initial
RAM disk (initrd) while <option>systemd.wants=</option> is
honored only in the main system.</para>
<para>If the <option>systemd.debug_shell</option> or <option>rd.systemd.debug_shell</option> option is
specified, the debug shell service <literal>debug-shell.service</literal> is pulled into the boot
transaction and a debug shell will be spawned during early boot. By default,
<filename>&DEBUGTTY;</filename> is used, but a specific tty can also be specified, either with or without
the <filename>/dev/</filename> prefix. To set the tty to use without enabling the debug shell, the
<option>systemd.default_debug_tty=</option> option can be used which also takes a tty with or without the
<filename>/dev/</filename> prefix. Note that the shell may also be turned on persistently by enabling it
with <citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
<command>enable</command> command. <option>rd.systemd.debug_shell</option> is honored only by initial
RAM disk (initrd) while <option>systemd.debug_shell</option> is honored only in the main system.</para>
<para><filename>systemd-debug-generator</filename> implements
<citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para> <citerefentry><refentrytitle>systemd.generator</refentrytitle><manvolnum>7</manvolnum></citerefentry>.</para>
</refsect1> </refsect1>
<refsect1>
<title>Kernel Command Line</title>
<para><command>systemd-debug-generator</command> understands the following kernel command line
parameters:</para>
<variablelist class='kernel-commandline-options'>
<varlistentry>
<term><varname>systemd.mask=</varname></term>
<term><varname>rd.systemd.mask=</varname></term>
<listitem><para>These options take a unit name as argument. The unit specified is masked for the
runtime (i.e. for this session — from boot to shutdown), similarly to the effect of
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
<command>mask</command> command. This is useful to boot with certain units removed from the initial
boot transaction for debugging system startup. May be specified more than once. The option prefixed
with <literal>rd.</literal> is honored only in the initrd, while the one without prefix is only
honored in the main system.</para>
<xi:include href="version-info.xml" xpointer="v215"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>systemd.wants=</varname></term>
<term><varname>rd.systemd.wants=</varname></term>
<listitem><para>These options take a unit name as argument. A start job for this unit is added to the
initial transaction. This is useful to start one or more additional units at boot. May be specified
more than once. The option prefixed with <literal>rd.</literal> is honored only in the initrd, while
the one that is not prefixed only in the main system.</para>
<xi:include href="version-info.xml" xpointer="v215"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>systemd.debug_shell</varname></term>
<term><varname>rd.systemd.debug_shell</varname></term>
<term><varname>systemd.default_debug_tty=</varname></term>
<term><varname>rd.systemd.default_debug_tty=</varname></term>
<listitem><para>If the <option>systemd.debug_shell</option> or
<option>rd.systemd.debug_shell</option> option is specified, the debug shell service
<literal>debug-shell.service</literal> is pulled into the boot transaction and a debug shell will be
spawned during early boot. By default, <filename>&DEBUGTTY;</filename> is used, but a specific tty
can also be specified, either with or without the <filename>/dev/</filename> prefix. To set the tty
to use without enabling the debug shell, the <option>systemd.default_debug_tty=</option> option can
be used which also takes a tty with or without the <filename>/dev/</filename> prefix. Note that the
shell may also be turned on persistently by enabling it with
<citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry>'s
<command>enable</command> command. The options prefixed with <literal>rd.</literal> are honored only
in the initrd, while the ones without prefix are only honored in the main system.</para>
<xi:include href="version-info.xml" xpointer="v215"/></listitem>
</varlistentry>
<varlistentry>
<term><varname>systemd.break=</varname></term>
<term><varname>rd.systemd.break=</varname></term>
<listitem><para>Takes one of <option>pre-udev</option>, <option>pre-basic</option>,
<option>pre-mount</option>, or <option>pre-switch-root</option> (the default for the
<literal>rd.</literal> option). It also accepts multiple values separated by comma
(<literal>,</literal>). These options allow to pause the boot process at a certain point and spawn a
debug shell. After exiting this shell, the system will resume booting. The option prefixed with
<literal>rd.</literal> is honored only in the initrd, while the one without prefix is only honored in
the main system.</para>
<table>
<title>Available breakpoints</title>
<tgroup cols='4'>
<colspec colname='breakpoint' />
<colspec colname='description' />
<colspec colname='initrd' />
<colspec colname='main' />
<thead>
<row>
<entry>Breakpoints</entry>
<entry>Description</entry>
<entry>Can be used in the initrd</entry>
<entry>Can be used in the main system</entry>
</row>
</thead>
<tbody>
<row>
<entry><option>pre-udev</option></entry>
<entry>Before starting to process kernel uevents, i.e., before <filename>systemd-udevd.service</filename> starts.</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><option>pre-basic</option></entry>
<entry>Before leaving early boot and regular services start, i.e., before <filename>basic.target</filename> is reached.</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><option>pre-mount</option></entry>
<entry>Before the root filesystem is mounted, i.e., before <filename>sysroot.mount</filename> starts.</entry>
<entry></entry>
<entry></entry>
</row>
<row>
<entry><option>pre-switch-root</option></entry>
<entry>Before switching from the initrd to the real root.</entry>
<entry></entry>
<entry></entry>
</row>
</tbody>
</tgroup>
</table>
<xi:include href="version-info.xml" xpointer="v258"/></listitem>
</varlistentry>
</variablelist>
</refsect1>
<refsect1> <refsect1>
<title>System Credentials</title> <title>System Credentials</title>
@ -108,6 +194,8 @@
<member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>systemctl</refentrytitle><manvolnum>1</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry></member> <member><citerefentry><refentrytitle>kernel-command-line</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>systemd.system-credentials</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
<member><citerefentry><refentrytitle>bootup</refentrytitle><manvolnum>7</manvolnum></citerefentry></member>
</simplelist></para> </simplelist></para>
</refsect1> </refsect1>

View File

@ -503,6 +503,17 @@
<xi:include href="version-info.xml" xpointer="v254"/></listitem> <xi:include href="version-info.xml" xpointer="v254"/></listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term><option>--system</option></term>
<term><option>--user</option></term>
<listitem><para>When used together with <option>--discover</option> controls whether to search for
images installed system-wide or in the user's directories in <varname>$HOME</varname>. If neither
switch is specified, will search within both scopes.</para>
<xi:include href="version-info.xml" xpointer="v258"/></listitem>
</varlistentry>
<xi:include href="standard-options.xml" xpointer="image-policy-open" /> <xi:include href="standard-options.xml" xpointer="image-policy-open" />
<xi:include href="standard-options.xml" xpointer="no-pager" /> <xi:include href="standard-options.xml" xpointer="no-pager" />
<xi:include href="standard-options.xml" xpointer="no-legend" /> <xi:include href="standard-options.xml" xpointer="no-legend" />

View File

@ -3468,37 +3468,43 @@ StandardInputData=V2XigLJyZSBubyBzdHJhbmdlcnMgdG8gbG92ZQpZb3Uga25vdyB0aGUgcnVsZX
<term><varname>LoadCredentialEncrypted=</varname><replaceable>ID</replaceable><optional>:<replaceable>PATH</replaceable></optional></term> <term><varname>LoadCredentialEncrypted=</varname><replaceable>ID</replaceable><optional>:<replaceable>PATH</replaceable></optional></term>
<listitem><para>Pass a credential to the unit. Credentials are limited-size binary or textual objects <listitem><para>Pass a credential to the unit. Credentials are limited-size binary or textual objects
that may be passed to unit processes. They are primarily used for passing cryptographic keys (both that may be passed to unit processes. They are primarily intended for passing cryptographic keys
public and private) or certificates, user account information or identity information from host to (both public and private) or certificates, user account information or identity information from host
services. The data is accessible from the unit's processes via the file system, at a read-only to services, but can be freely used to pass any kind of limited-size information to a service. The
location that (if possible and permitted) is backed by non-swappable memory. The data is only data is accessible from the unit's processes via the file system, at a read-only location that (if
accessible to the user associated with the unit, via the possible and permitted) is backed by non-swappable memory. The data is only accessible to the user
<varname>User=</varname>/<varname>DynamicUser=</varname> settings (as well as the superuser). When associated with the unit, via the <varname>User=</varname>/<varname>DynamicUser=</varname> settings
available, the location of credentials is exported as the <varname>$CREDENTIALS_DIRECTORY</varname> (as well as the superuser). When available, the location of credentials is exported as the
environment variable to the unit's processes.</para> <varname>$CREDENTIALS_DIRECTORY</varname> environment variable to the unit's processes.</para>
<para>The <varname>LoadCredential=</varname> setting takes a textual ID to use as name for a <para>The <varname>LoadCredential=</varname> setting takes a textual ID to use as name for a
credential plus a file system path, separated by a colon. The ID must be a short ASCII string credential plus a file system path, separated by a colon. The ID must be a short ASCII string
suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path suitable as filename in the filesystem, and may be chosen freely by the user. If the specified path
is absolute it is opened as regular file and the credential data is read from it. If the absolute is absolute it is opened as regular file and the credential data is read from it. If the absolute
path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made path refers to an <constant>AF_UNIX</constant> stream socket in the file system a connection is made
to it (only once at unit start-up) and the credential data read from the connection, providing an to it (once at process invocation) and the credential data read from the connection, providing an
easy IPC integration point for dynamically transferring credentials from other services.</para> easy IPC integration point for dynamically transferring credentials from other services.</para>
<para>If the specified path is not absolute and itself qualifies as valid credential identifier it is <para>If the specified path is not absolute and itself qualifies as valid credential identifier it is
attempted to find a credential that the service manager itself received under the specified name — attempted to find a credential that the service manager itself received under the specified name —
which may be used to propagate credentials from an invoking environment (e.g. a container manager which may be used to propagate credentials from an invoking environment (e.g. a container manager
that invoked the service manager) into a service. If no matching system credential is found, the that invoked the service manager) into a service. If no matching passed credential is found, the
directories <filename>/etc/credstore/</filename>, <filename>/run/credstore/</filename> and system service manager will search the directories <filename>/etc/credstore/</filename>,
<filename>/usr/lib/credstore/</filename> are searched for files under the credential's name — which <filename>/run/credstore/</filename> and <filename>/usr/lib/credstore/</filename> for files under the
hence are recommended locations for credential data on disk. If credential's name — which hence are recommended locations for credential data on disk. If
<varname>LoadCredentialEncrypted=</varname> is used <filename>/run/credstore.encrypted/</filename>, <varname>LoadCredentialEncrypted=</varname> is used <filename>/run/credstore.encrypted/</filename>,
<filename>/etc/credstore.encrypted/</filename>, and <filename>/etc/credstore.encrypted/</filename>, and
<filename>/usr/lib/credstore.encrypted/</filename> are searched as well.</para> <filename>/usr/lib/credstore.encrypted/</filename> are searched as well. The per-user service manager
will search <filename>$XDG_CONFIG_HOME/credstore/</filename>,
<filename>$XDG_RUNTIME_DIR/credstore/</filename>, <filename>$HOME/.local/lib/credstore/</filename>
(and the counterparts ending with <filename>…/credstore.encrypted/</filename>) instead. The
<citerefentry><refentrytitle>systemd-path</refentrytitle><manvolnum>1</manvolnum></citerefentry> tool
may be used to query the precise credential store search path.</para>
<para>If the file system path is omitted it is chosen identical to the credential name, i.e. this is <para>If the file system path is omitted it is chosen identical to the credential name, i.e. this is
a terse way to declare credentials to inherit from the service manager into a service. This option a terse way to declare credentials to inherit from the service manager or credstore directories into
may be used multiple times, each time defining an additional credential to pass to the unit.</para> a service. This option may be used multiple times, each time defining an additional credential to
pass to the unit.</para>
<para>Note that if the path is not specified or a valid credential identifier is given, i.e. <para>Note that if the path is not specified or a valid credential identifier is given, i.e.
in the above two cases, a missing credential is not considered fatal.</para> in the above two cases, a missing credential is not considered fatal.</para>

View File

@ -672,7 +672,7 @@
<listitem><para>Specifies what anchor point <varname>Path=</varname> should be relative to. Takes one <listitem><para>Specifies what anchor point <varname>Path=</varname> should be relative to. Takes one
of <constant>root</constant>, <constant>esp</constant>, <constant>xbootldr</constant>, of <constant>root</constant>, <constant>esp</constant>, <constant>xbootldr</constant>,
<constant>boot</constant> or <constant>directory</constant>. If unspecified, defaults to <constant>boot</constant> or <constant>explicit</constant>. If unspecified, defaults to
<constant>root</constant>.</para> <constant>root</constant>.</para>
<para>If set to <constant>root</constant>, <constant>esp</constant>, <constant>xbootldr</constant>, <para>If set to <constant>root</constant>, <constant>esp</constant>, <constant>xbootldr</constant>,

View File

@ -93,7 +93,7 @@
XML file. XML file.
This may be used by software centers (such as GNOME Software or KDE Discover) to present rich This may be used by software centers (such as GNOME Software or KDE Discover) to present rich
metadata about this feature. metadata about this feature.
This includes display names, chagnelogs, icons, and more. This includes display names, changelogs, icons, and more.
This setting supports specifier expansion; see below for details on supported specifiers.</para> This setting supports specifier expansion; see below for details on supported specifiers.</para>
<xi:include href="version-info.xml" xpointer="v257"/></listitem> <xi:include href="version-info.xml" xpointer="v257"/></listitem>
@ -177,7 +177,7 @@ Enabled=false
</programlisting></para> </programlisting></para>
<para>The above defines the <literal>devel</literal> feature, and disables it by default. <para>The above defines the <literal>devel</literal> feature, and disables it by default.
Now let's a define a transfer that's associated with this feature:</para> Now let's define a transfer that's associated with this feature:</para>
<para><programlisting># /usr/lib/sysupdate.d/50-devel.transfer <para><programlisting># /usr/lib/sysupdate.d/50-devel.transfer
[Transfer] [Transfer]

View File

@ -10,7 +10,7 @@ sudo systemd-cryptsetup attach mytest /dev/sdXn - tpm2-device=auto
# If that worked, let's now add the same line persistently to /etc/crypttab, # If that worked, let's now add the same line persistently to /etc/crypttab,
# for the future. We don't want to use the (unstable) /dev/sdX name, so let's # for the future. We don't want to use the (unstable) /dev/sdX name, so let's
# figure out a stable link: # figure out a stable link:
udevadm info -q -r symlink /dev/sdXn udevadm info -q symlink -r /dev/sdXn
# Now add the line using the by-uuid symlink to /etc/crypttab: # Now add the line using the by-uuid symlink to /etc/crypttab:
sudo bash -c 'echo "mytest /dev/disk/by-uuid/... - tpm2-device=auto" >>/etc/crypttab' sudo bash -c 'echo "mytest /dev/disk/by-uuid/... - tpm2-device=auto" >>/etc/crypttab'

View File

@ -26,7 +26,7 @@ sudo systemd-cryptsetup attach mytest /dev/sdXn - pkcs11-uri=auto
# If that worked, let's now add the same line persistently to /etc/crypttab, # If that worked, let's now add the same line persistently to /etc/crypttab,
# for the future. We don't want to use the (unstable) /dev/sdX name, so let's # for the future. We don't want to use the (unstable) /dev/sdX name, so let's
# figure out a stable link: # figure out a stable link:
udevadm info -q -r symlink /dev/sdXn udevadm info -q symlink -r /dev/sdXn
# Now add the line using the by-uuid symlink to /etc/crypttab: # Now add the line using the by-uuid symlink to /etc/crypttab:
sudo bash -c 'echo "mytest /dev/disk/by-uuid/... - pkcs11-uri=auto" >>/etc/crypttab' sudo bash -c 'echo "mytest /dev/disk/by-uuid/... - pkcs11-uri=auto" >>/etc/crypttab'

View File

@ -1,5 +1,6 @@
#!/bin/bash #!/bin/bash
# SPDX-License-Identifier: LGPL-2.1-or-later # SPDX-License-Identifier: LGPL-2.1-or-later
set -e
if command -v flatpak-spawn >/dev/null; then if command -v flatpak-spawn >/dev/null; then
SPAWN=(flatpak-spawn --host) SPAWN=(flatpak-spawn --host)
@ -7,7 +8,7 @@ else
SPAWN=() SPAWN=()
fi fi
MKOSI_CONFIG="$("${SPAWN[@]}" --host mkosi --json summary | jq -r .Images[-1])" MKOSI_CONFIG="$("${SPAWN[@]}" mkosi --json summary | jq -r .Images[-1])"
DISTRIBUTION="$(jq -r .Distribution <<< "$MKOSI_CONFIG")" DISTRIBUTION="$(jq -r .Distribution <<< "$MKOSI_CONFIG")"
RELEASE="$(jq -r .Release <<< "$MKOSI_CONFIG")" RELEASE="$(jq -r .Release <<< "$MKOSI_CONFIG")"
ARCH="$(jq -r .Architecture <<< "$MKOSI_CONFIG")" ARCH="$(jq -r .Architecture <<< "$MKOSI_CONFIG")"

View File

@ -29,6 +29,7 @@ RepartDirectories=mkosi.repart
OutputDirectory=build/mkosi.output OutputDirectory=build/mkosi.output
[Build] [Build]
ToolsTree=default
BuildDirectory=build/mkosi.builddir BuildDirectory=build/mkosi.builddir
CacheDirectory=build/mkosi.cache CacheDirectory=build/mkosi.cache
BuildSourcesEphemeral=yes BuildSourcesEphemeral=yes
@ -130,7 +131,7 @@ Packages=
zsh zsh
zstd zstd
[Host] [Runtime]
Credentials= Credentials=
journal.storage=persistent journal.storage=persistent
tty.serial.hvc0.agetty.autologin=root tty.serial.hvc0.agetty.autologin=root

View File

@ -3,6 +3,7 @@
[Build] [Build]
ToolsTreePackages= ToolsTreePackages=
gcc gcc
gdb
gperf gperf
lcov lcov
llvm llvm

View File

@ -0,0 +1,7 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Match]
ToolsTreeDistribution=centos
[Build]
ToolsTreeRepositories=epel,epel-next

View File

@ -5,6 +5,7 @@ ToolsTreeDistribution=opensuse
[Build] [Build]
ToolsTreePackages= ToolsTreePackages=
libz1
gh gh
mypy mypy
pkgconfig(blkid) pkgconfig(blkid)

View File

@ -0,0 +1,7 @@
# SPDX-License-Identifier: LGPL-2.1-or-later
[Match]
PathExists=build/
[Build]
ExtraSearchPaths=build/

View File

@ -8,8 +8,8 @@ msgid ""
msgstr "" msgstr ""
"Report-Msgid-Bugs-To: \n" "Report-Msgid-Bugs-To: \n"
"POT-Creation-Date: 2024-11-28 18:16+0900\n" "POT-Creation-Date: 2024-11-28 18:16+0900\n"
"PO-Revision-Date: 2024-11-20 19:13+0000\n" "PO-Revision-Date: 2024-12-20 15:38+0000\n"
"Last-Translator: Jiri Grönroos <jiri.gronroos@iki.fi>\n" "Last-Translator: Ricky Tigg <ricky.tigg@gmail.com>\n"
"Language-Team: Finnish <https://translate.fedoraproject.org/projects/systemd/" "Language-Team: Finnish <https://translate.fedoraproject.org/projects/systemd/"
"main/fi/>\n" "main/fi/>\n"
"Language: fi\n" "Language: fi\n"
@ -17,7 +17,7 @@ msgstr ""
"Content-Type: text/plain; charset=UTF-8\n" "Content-Type: text/plain; charset=UTF-8\n"
"Content-Transfer-Encoding: 8bit\n" "Content-Transfer-Encoding: 8bit\n"
"Plural-Forms: nplurals=2; plural=n != 1;\n" "Plural-Forms: nplurals=2; plural=n != 1;\n"
"X-Generator: Weblate 5.8.2\n" "X-Generator: Weblate 5.9.1\n"
#: src/core/org.freedesktop.systemd1.policy.in:22 #: src/core/org.freedesktop.systemd1.policy.in:22
msgid "Send passphrase back to system" msgid "Send passphrase back to system"
@ -1176,9 +1176,8 @@ msgid "Manage optional features"
msgstr "Hallitse valinnaisia ominaisuuksia" msgstr "Hallitse valinnaisia ominaisuuksia"
#: src/sysupdate/org.freedesktop.sysupdate1.policy:76 #: src/sysupdate/org.freedesktop.sysupdate1.policy:76
#, fuzzy
msgid "Authentication is required to manage optional features." msgid "Authentication is required to manage optional features."
msgstr "Todennus vaaditaan valinnaisten ominaisuuksien hallintaan" msgstr "Todennus vaaditaan valinnaisten ominaisuuksien hallintaan."
#: src/timedate/org.freedesktop.timedate1.policy:22 #: src/timedate/org.freedesktop.timedate1.policy:22
msgid "Set system time" msgid "Set system time"

View File

@ -67,7 +67,7 @@ _systemd_analyze() {
) )
local -A VERBS=( local -A VERBS=(
[STANDALONE]='time blame unit-files unit-paths exit-status compare-versions calendar timestamp timespan pcrs srk has-tpm2 smbios11' [STANDALONE]='time blame unit-files unit-paths exit-status compare-versions calendar timestamp timespan pcrs srk has-tpm2 smbios11 chid'
[CRITICAL_CHAIN]='critical-chain' [CRITICAL_CHAIN]='critical-chain'
[DOT]='dot' [DOT]='dot'
[DUMP]='dump' [DUMP]='dump'

View File

@ -29,6 +29,8 @@ _systemd_dissect() {
local cur=${COMP_WORDS[COMP_CWORD]} prev_1=${COMP_WORDS[COMP_CWORD-1]} prev_2=${COMP_WORDS[COMP_CWORD-2]} words cword local cur=${COMP_WORDS[COMP_CWORD]} prev_1=${COMP_WORDS[COMP_CWORD-1]} prev_2=${COMP_WORDS[COMP_CWORD-2]} words cword
local -A OPTS=( local -A OPTS=(
[STANDALONE]='-h --help --version [STANDALONE]='-h --help --version
--user
--system
--discover --discover
--no-pager --no-pager
--no-legend --no-legend

343
src/analyze/analyze-chid.c Normal file
View File

@ -0,0 +1,343 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#include "analyze.h"
#include "analyze-chid.h"
#include "chid-fundamental.h"
#include "efi-api.h"
#include "escape.h"
#include "fd-util.h"
#include "fileio.h"
#include "format-table.h"
#include "parse-util.h"
#include "strv.h"
#include "utf8.h"
#include "virt.h"
static int parse_chid_type(const char *s, size_t *ret) {
unsigned u;
int r;
assert(s);
r = safe_atou(s, &u);
if (r < 0)
return r;
if (u >= CHID_TYPES_MAX)
return -ERANGE;
if (ret)
*ret = u;
return 0;
}
static const char *const chid_smbios_friendly[_CHID_SMBIOS_FIELDS_MAX] = {
[CHID_SMBIOS_MANUFACTURER] = "manufacturer",
[CHID_SMBIOS_FAMILY] = "family",
[CHID_SMBIOS_PRODUCT_NAME] = "product-name",
[CHID_SMBIOS_PRODUCT_SKU] = "product-sku",
[CHID_SMBIOS_BASEBOARD_MANUFACTURER] = "baseboard-manufacturer",
[CHID_SMBIOS_BASEBOARD_PRODUCT] = "baseboard-product",
[CHID_SMBIOS_BIOS_VENDOR] = "bios-vendor",
[CHID_SMBIOS_BIOS_VERSION] = "bios-version",
[CHID_SMBIOS_BIOS_MAJOR] = "bios-major",
[CHID_SMBIOS_BIOS_MINOR] = "bios-minor",
[CHID_SMBIOS_ENCLOSURE_TYPE] = "enclosure-type",
};
static const char chid_smbios_fields_char[_CHID_SMBIOS_FIELDS_MAX] = {
[CHID_SMBIOS_MANUFACTURER] = 'M',
[CHID_SMBIOS_FAMILY] = 'F',
[CHID_SMBIOS_PRODUCT_NAME] = 'P',
[CHID_SMBIOS_PRODUCT_SKU] = 'S',
[CHID_SMBIOS_BASEBOARD_MANUFACTURER] = 'm',
[CHID_SMBIOS_BASEBOARD_PRODUCT] = 'p',
[CHID_SMBIOS_BIOS_VENDOR] = 'B',
[CHID_SMBIOS_BIOS_VERSION] = 'v',
[CHID_SMBIOS_BIOS_MAJOR] = 'R',
[CHID_SMBIOS_BIOS_MINOR] = 'r',
[CHID_SMBIOS_ENCLOSURE_TYPE] = 'e',
};
static char *chid_smbios_fields_string(uint32_t combination) {
_cleanup_free_ char *s = NULL;
for (ChidSmbiosFields f = 0; f < _CHID_SMBIOS_FIELDS_MAX; f++) {
char c;
c = (combination & (UINT32_C(1) << f)) ? chid_smbios_fields_char[f] : '-';
if (!strextend(&s, CHAR_TO_STR(c)))
return NULL;
}
return TAKE_PTR(s);
}
static int add_chid(Table *table, const EFI_GUID guids[static CHID_TYPES_MAX], size_t t) {
int r;
assert(table);
assert(guids);
assert(t < CHID_TYPES_MAX);
sd_id128_t id = efi_guid_to_id128(guids + t);
if (sd_id128_is_null(id))
return 0;
_cleanup_free_ char *flags = chid_smbios_fields_string(chid_smbios_table[t]);
if (!flags)
return log_oom();
r = table_add_many(table,
TABLE_UINT, (unsigned) t,
TABLE_STRING, flags,
TABLE_UUID, id);
if (r < 0)
return table_log_add_error(r);
return 0;
}
static void smbios_fields_free(char16_t *(*fields)[_CHID_SMBIOS_FIELDS_MAX]) {
assert(fields);
FOREACH_ARRAY(i, *fields, _CHID_SMBIOS_FIELDS_MAX)
free(*i);
}
static int smbios_fields_acquire(char16_t *fields[static _CHID_SMBIOS_FIELDS_MAX]) {
static const char *const smbios_files[_CHID_SMBIOS_FIELDS_MAX] = {
[CHID_SMBIOS_MANUFACTURER] = "sys_vendor",
[CHID_SMBIOS_FAMILY] = "product_family",
[CHID_SMBIOS_PRODUCT_NAME] = "product_name",
[CHID_SMBIOS_PRODUCT_SKU] = "product_sku",
[CHID_SMBIOS_BASEBOARD_MANUFACTURER] = "board_vendor",
[CHID_SMBIOS_BASEBOARD_PRODUCT] = "board_name",
[CHID_SMBIOS_BIOS_VENDOR] = "bios_vendor",
[CHID_SMBIOS_BIOS_VERSION] = "bios_version",
[CHID_SMBIOS_BIOS_MAJOR] = "bios_release",
[CHID_SMBIOS_BIOS_MINOR] = "bios_release",
[CHID_SMBIOS_ENCLOSURE_TYPE] = "chassis_type",
};
int r;
_cleanup_close_ int smbios_fd = open("/sys/class/dmi/id", O_RDONLY|O_DIRECTORY|O_CLOEXEC);
if (smbios_fd < 0)
return log_error_errno(errno, "Failed to open SMBIOS sysfs object: %m");
for (ChidSmbiosFields f = 0; f < _CHID_SMBIOS_FIELDS_MAX; f++) {
_cleanup_free_ char *buf = NULL;
size_t size;
/* According to the CHID spec we should not generate CHIDs for SMBIOS fields that aren't set
* or are set to an empty string. Hence leave them NULL here. */
if (!smbios_files[f])
continue;
r = read_virtual_file_at(smbios_fd, smbios_files[f], SIZE_MAX, &buf, &size);
if (r == -ENOENT) {
log_debug_errno(r, "SMBIOS field '%s' not set, skipping.", smbios_files[f]);
continue;
}
if (r < 0)
return log_error_errno(r, "Failed to read SMBIOS field '%s': %m", smbios_files[f]);
if (size == 0 || (size == 1 && buf[0] == '\n')) {
log_debug("SMBIOS field '%s' is empty, skipping.", smbios_files[f]);
continue;
}
if (buf[size-1] != '\n')
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Expected SMBIOS field '%s' to end in newline, but it doesn't, refusing.", smbios_files[f]);
buf[size-1] = 0;
size--;
switch (f) {
case CHID_SMBIOS_BIOS_MAJOR:
case CHID_SMBIOS_BIOS_MINOR: {
/* The kernel exposes this a string <major>.<minor>, split them apart again. */
char *dot = memchr(buf, '.', size);
if (!dot)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "BIOS release field '%s' contains no dot?", smbios_files[f]);
const char *p;
if (f == CHID_SMBIOS_BIOS_MAJOR) {
*dot = 0;
p = buf;
} else {
assert(f == CHID_SMBIOS_BIOS_MINOR);
p = dot + 1;
}
/* The kernel exports the enclosure in decimal, we need it in hex (zero left-padded) */
uint8_t u;
r = safe_atou8(p, &u);
if (r < 0)
return log_error_errno(r, "Failed to parse BIOS release: %s", p);
buf = mfree(buf);
if (asprintf(&buf, "%02x", u) < 0)
return log_oom();
size = strlen(buf);
break;
}
case CHID_SMBIOS_ENCLOSURE_TYPE: {
/* The kernel exports the enclosure in decimal, we need it in hex (no padding!) */
uint8_t u;
r = safe_atou8(buf, &u);
if (r < 0)
return log_error_errno(r, "Failed to parse enclosure type: %s", buf);
buf = mfree(buf);
if (u == 0)
buf = strdup(""); /* zero is mapped to empty string */
else
(void) asprintf(&buf, "%x", u);
if (!buf)
return log_oom();
size = strlen(buf);
break;
}
default:
break;
}
fields[f] = utf8_to_utf16(buf, size);
if (!fields[f])
return log_oom();
}
return 0;
}
int verb_chid(int argc, char *argv[], void *userdata) {
_cleanup_(table_unrefp) Table *table = NULL;
int r;
if (detect_container() > 0)
return log_error_errno(SYNTHETIC_ERRNO(ENOTRECOVERABLE), "Container environments do not have SMBIOS.");
table = table_new("type", "input", "chid");
if (!table)
return log_oom();
(void) table_set_align_percent(table, table_get_cell(table, 0, 0), 100);
(void) table_set_align_percent(table, table_get_cell(table, 0, 1), 50);
_cleanup_(smbios_fields_free) char16_t* smbios_fields[_CHID_SMBIOS_FIELDS_MAX] = {};
r = smbios_fields_acquire(smbios_fields);
if (r < 0)
return r;
EFI_GUID chids[CHID_TYPES_MAX] = {};
chid_calculate((const char16_t* const*) smbios_fields, chids);
if (strv_isempty(strv_skip(argv, 1)))
for (size_t t = 0; t < CHID_TYPES_MAX; t++) {
r = add_chid(table, chids, t);
if (r < 0)
return r;
}
else {
STRV_FOREACH(as, strv_skip(argv, 1)) {
size_t t;
r = parse_chid_type(*as, &t);
if (r < 0)
return log_error_errno(r, "Failed to pare CHID type: %s", *as);
r = add_chid(table, chids, t);
if (r < 0)
return r;
}
(void) table_set_sort(table, (size_t) 0);
}
r = table_print_with_pager(table, arg_json_format_flags, arg_pager_flags, arg_legend);
if (r < 0)
return log_error_errno(r, "Failed to output table: %m");
if (!sd_json_format_enabled(arg_json_format_flags)) {
_cleanup_free_ char *legend = NULL;
bool separator = false;
size_t w = 0;
legend = strjoin(ansi_grey(), "LEGEND: ", ansi_normal());
if (!legend)
return log_oom();
for (ChidSmbiosFields f = 0; f < _CHID_SMBIOS_FIELDS_MAX; f++) {
_cleanup_free_ char *c = NULL;
if (smbios_fields[f]) {
_cleanup_free_ char *u = NULL;
u = utf16_to_utf8(smbios_fields[f], SIZE_MAX);
if (!u)
return log_oom();
c = cescape(u);
if (!c)
return log_oom();
}
if (!strextend(&legend,
ansi_grey(),
separator ? " " : "",
separator ? special_glyph(SPECIAL_GLYPH_HORIZONTAL_DOTTED) : "",
separator ? " " : "",
ansi_normal(),
CHAR_TO_STR(chid_smbios_fields_char[f]),
ansi_grey(),
" ",
special_glyph(SPECIAL_GLYPH_ARROW_RIGHT),
" ",
ansi_normal(),
chid_smbios_friendly[f],
ansi_grey(),
" (",
c ? ansi_highlight() : ansi_grey(),
strna(c),
ansi_grey(),
")",
ansi_normal()))
return log_oom();
w += separator * 3 +
4 +
utf8_console_width(chid_smbios_friendly[f]) +
2 +
utf8_console_width(strna(c)) +
1;
if (w > 79) {
if (!strextend(&legend, "\n "))
return log_oom();
separator = false;
w = 8;
} else
separator = true;
}
putchar('\n');
puts(legend);
}
return EXIT_SUCCESS;
}

View File

@ -0,0 +1,4 @@
/* SPDX-License-Identifier: LGPL-2.1-or-later */
#pragma once
int verb_chid(int argc, char *argv[], void *userdata);

View File

@ -18,6 +18,7 @@
#include "analyze-calendar.h" #include "analyze-calendar.h"
#include "analyze-capability.h" #include "analyze-capability.h"
#include "analyze-cat-config.h" #include "analyze-cat-config.h"
#include "analyze-chid.h"
#include "analyze-compare-versions.h" #include "analyze-compare-versions.h"
#include "analyze-condition.h" #include "analyze-condition.h"
#include "analyze-critical-chain.h" #include "analyze-critical-chain.h"
@ -219,6 +220,7 @@ static int help(int argc, char *argv[], void *userdata) {
" filesystems [NAME...] List known filesystems\n" " filesystems [NAME...] List known filesystems\n"
" architectures [NAME...] List known architectures\n" " architectures [NAME...] List known architectures\n"
" smbios11 List strings passed via SMBIOS Type #11\n" " smbios11 List strings passed via SMBIOS Type #11\n"
" chid List local CHIDs\n"
"\n%3$sExpression Evaluation:%4$s\n" "\n%3$sExpression Evaluation:%4$s\n"
" condition CONDITION... Evaluate conditions and asserts\n" " condition CONDITION... Evaluate conditions and asserts\n"
" compare-versions VERSION1 [OP] VERSION2\n" " compare-versions VERSION1 [OP] VERSION2\n"
@ -593,10 +595,6 @@ static int parse_argv(int argc, char *argv[]) {
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Option --offline= requires one or more units to perform a security review."); "Option --offline= requires one or more units to perform a security review.");
if (sd_json_format_enabled(arg_json_format_flags) && !STRPTR_IN_SET(argv[optind], "security", "inspect-elf", "plot", "fdstore", "pcrs", "architectures", "capability", "exit-status"))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Option --json= is only supported for security, inspect-elf, plot, fdstore, pcrs, architectures, capability, exit-status right now.");
if (arg_threshold != 100 && !streq_ptr(argv[optind], "security")) if (arg_threshold != 100 && !streq_ptr(argv[optind], "security"))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), return log_error_errno(SYNTHETIC_ERRNO(EINVAL),
"Option --threshold= is only supported for security right now."); "Option --threshold= is only supported for security right now.");
@ -631,10 +629,6 @@ static int parse_argv(int argc, char *argv[]) {
if (streq_ptr(argv[optind], "condition") && arg_unit && optind < argc - 1) if (streq_ptr(argv[optind], "condition") && arg_unit && optind < argc - 1)
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No conditions can be passed if --unit= is used."); return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "No conditions can be passed if --unit= is used.");
if ((!arg_legend && !STRPTR_IN_SET(argv[optind], "plot", "architectures")) ||
(streq_ptr(argv[optind], "plot") && !arg_legend && !arg_table && !sd_json_format_enabled(arg_json_format_flags)))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Option --no-legend is only supported for plot with either --table or --json=.");
if (arg_table && !streq_ptr(argv[optind], "plot")) if (arg_table && !streq_ptr(argv[optind], "plot"))
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Option --table is only supported for plot right now."); return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Option --table is only supported for plot right now.");
@ -691,6 +685,7 @@ static int run(int argc, char *argv[]) {
{ "srk", VERB_ANY, 1, 0, verb_srk }, { "srk", VERB_ANY, 1, 0, verb_srk },
{ "architectures", VERB_ANY, VERB_ANY, 0, verb_architectures }, { "architectures", VERB_ANY, VERB_ANY, 0, verb_architectures },
{ "smbios11", VERB_ANY, 1, 0, verb_smbios11 }, { "smbios11", VERB_ANY, 1, 0, verb_smbios11 },
{ "chid", VERB_ANY, VERB_ANY, 0, verb_chid },
{} {}
}; };

View File

@ -6,6 +6,7 @@ systemd_analyze_sources = files(
'analyze-calendar.c', 'analyze-calendar.c',
'analyze-capability.c', 'analyze-capability.c',
'analyze-cat-config.c', 'analyze-cat-config.c',
'analyze-chid.c',
'analyze-compare-versions.c', 'analyze-compare-versions.c',
'analyze-condition.c', 'analyze-condition.c',
'analyze-critical-chain.c', 'analyze-critical-chain.c',

View File

@ -5,16 +5,23 @@
#include <stddef.h> #include <stddef.h>
#include <unistd.h> #include <unistd.h>
#include "sd-varlink.h"
#include "ask-password-api.h" #include "ask-password-api.h"
#include "build.h" #include "build.h"
#include "bus-polkit.h"
#include "constants.h" #include "constants.h"
#include "json-util.h"
#include "log.h" #include "log.h"
#include "macro.h" #include "macro.h"
#include "main-func.h" #include "main-func.h"
#include "parse-argument.h" #include "parse-argument.h"
#include "pretty-print.h" #include "pretty-print.h"
#include "string-table.h"
#include "strv.h" #include "strv.h"
#include "terminal-util.h" #include "terminal-util.h"
#include "varlink-io.systemd.AskPassword.h"
#include "varlink-util.h"
static const char *arg_icon = NULL; static const char *arg_icon = NULL;
static const char *arg_id = NULL; /* identifier for 'ask-password' protocol */ static const char *arg_id = NULL; /* identifier for 'ask-password' protocol */
@ -26,6 +33,7 @@ static bool arg_multiple = false;
static bool arg_no_output = false; static bool arg_no_output = false;
static AskPasswordFlags arg_flags = ASK_PASSWORD_PUSH_CACHE; static AskPasswordFlags arg_flags = ASK_PASSWORD_PUSH_CACHE;
static bool arg_newline = true; static bool arg_newline = true;
static bool arg_varlink = false;
STATIC_DESTRUCTOR_REGISTER(arg_message, freep); STATIC_DESTRUCTOR_REGISTER(arg_message, freep);
@ -213,7 +221,7 @@ static int parse_argv(int argc, char *argv[]) {
else { else {
r = parse_boolean_argument("--emoji=", emoji, NULL); r = parse_boolean_argument("--emoji=", emoji, NULL);
if (r < 0) if (r < 0)
return r; return r;
SET_FLAG(arg_flags, ASK_PASSWORD_HIDE_EMOJI, !r); SET_FLAG(arg_flags, ASK_PASSWORD_HIDE_EMOJI, !r);
} }
@ -232,9 +240,162 @@ static int parse_argv(int argc, char *argv[]) {
return log_oom(); return log_oom();
} }
r = sd_varlink_invocation(SD_VARLINK_ALLOW_ACCEPT);
if (r < 0)
return log_error_errno(r, "Failed to check if invoked in Varlink mode: %m");
if (r > 0)
arg_varlink = true;
return 1; return 1;
} }
typedef enum EchoMode {
ECHO_OFF,
ECHO_ON,
ECHO_MASKED,
_ECHO_MODE_MAX,
_ECHO_MODE_INVALID = -EINVAL,
} EchoMode;
static const char* echo_mode_table[_ECHO_MODE_MAX] = {
[ECHO_OFF] = "off",
[ECHO_ON] = "on",
[ECHO_MASKED] = "masked",
};
DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING_WITH_BOOLEAN(echo_mode, EchoMode, ECHO_ON);
static JSON_DISPATCH_ENUM_DEFINE(dispatch_echo_mode, EchoMode, echo_mode_from_string);
typedef struct MethodAskParameters {
const char *message;
const char *keyring;
const char *icon;
const char *id;
uint64_t timeout_usec;
uint64_t until_usec;
int accept_cached;
int push_cache;
EchoMode echo_mode;
} MethodAskParameters;
static int vl_method_ask(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
static const sd_json_dispatch_field dispatch_table[] = {
{ "message", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(MethodAskParameters, message), 0 },
{ "keyname", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(MethodAskParameters, keyring), 0 },
{ "icon", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(MethodAskParameters, icon), 0 },
{ "id", SD_JSON_VARIANT_STRING, sd_json_dispatch_const_string, offsetof(MethodAskParameters, id), 0 },
{ "timeoutUSec", _SD_JSON_VARIANT_TYPE_INVALID, sd_json_dispatch_uint64, offsetof(MethodAskParameters, timeout_usec), 0 },
{ "untilUSec", _SD_JSON_VARIANT_TYPE_INVALID, sd_json_dispatch_uint64, offsetof(MethodAskParameters, until_usec), 0 },
{ "acceptCached", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_tristate, offsetof(MethodAskParameters, accept_cached), 0 },
{ "pushCache", SD_JSON_VARIANT_BOOLEAN, sd_json_dispatch_tristate, offsetof(MethodAskParameters, push_cache) , 0 },
{ "echo", SD_JSON_VARIANT_STRING, dispatch_echo_mode, offsetof(MethodAskParameters, echo_mode), 0 },
VARLINK_DISPATCH_POLKIT_FIELD,
{}
};
Hashmap **polkit_registry = ASSERT_PTR(userdata);
MethodAskParameters p = {
.timeout_usec = DEFAULT_TIMEOUT_USEC,
.until_usec = UINT64_MAX,
.accept_cached = -1,
.push_cache = -1,
.echo_mode = _ECHO_MODE_INVALID,
};
int r;
assert(link);
r = sd_varlink_dispatch(link, parameters, dispatch_table, &p);
if (r != 0)
return r;
r = varlink_verify_polkit_async_full(
link,
/* bus= */ NULL,
"io.systemd.ask-password.ask",
/* details= */ NULL,
/* good_user= */ FLAGS_SET(arg_flags, ASK_PASSWORD_USER) ? getuid() : UID_INVALID,
/* flags= */ 0,
polkit_registry);
if (r <= 0)
return r;
AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = p.message ?: arg_message,
.icon = p.icon ?: arg_icon,
.id = p.id ?: arg_id,
.keyring = p.keyring ?: arg_key_name,
.credential = arg_credential_name,
.hup_fd = sd_varlink_get_input_fd(link),
};
if (p.timeout_usec != 0 && p.until_usec != 0)
req.until = MIN(usec_add(now(CLOCK_MONOTONIC), p.timeout_usec), p.until_usec);
/* If the timeout is set to zero, don't ask agents, just stick to cache */
SET_FLAG(arg_flags, ASK_PASSWORD_NO_AGENT, req.until == 0);
if (p.accept_cached >= 0)
SET_FLAG(arg_flags, ASK_PASSWORD_ACCEPT_CACHED, p.accept_cached);
if (p.push_cache >= 0)
SET_FLAG(arg_flags, ASK_PASSWORD_PUSH_CACHE, p.push_cache);
if (p.echo_mode >= 0) {
SET_FLAG(arg_flags, ASK_PASSWORD_ECHO, p.echo_mode == ECHO_ON);
SET_FLAG(arg_flags, ASK_PASSWORD_SILENT, p.echo_mode == ECHO_OFF);
}
_cleanup_strv_free_erase_ char **l = NULL;
r = ask_password_auto(&req, arg_flags, &l);
if (r == -EUNATCH)
return sd_varlink_error(link, "io.systemd.AskPassword.NoPasswordAvailable", NULL);
if (r == -ETIME)
return sd_varlink_error(link, "io.systemd.AskPassword.TimeoutReached", NULL);
if (r == -ECONNRESET) { /* POLLHUP on the varlink fd we passed in via .hup_fd */
sd_varlink_close(link);
return 1;
}
if (r < 0)
return r;
_cleanup_(sd_json_variant_unrefp) sd_json_variant *vl = NULL;
r = sd_json_variant_new_array_strv(&vl, l);
if (r < 0)
return r;
sd_json_variant_sensitive(vl);
return sd_varlink_replybo(link, SD_JSON_BUILD_PAIR("passwords", SD_JSON_BUILD_VARIANT(vl)));
}
static int vl_server(void) {
_cleanup_(sd_varlink_server_unrefp) sd_varlink_server *varlink_server = NULL;
_cleanup_(hashmap_freep) Hashmap *polkit_registry = NULL;
int r;
r = varlink_server_new(&varlink_server, SD_VARLINK_SERVER_INHERIT_USERDATA, /* userdata= */ &polkit_registry);
if (r < 0)
return log_error_errno(r, "Failed to allocate Varlink server: %m");
r = sd_varlink_server_add_interface(varlink_server, &vl_interface_io_systemd_AskPassword);
if (r < 0)
return log_error_errno(r, "Failed to add Varlink interface: %m");
r = sd_varlink_server_bind_method(varlink_server, "io.systemd.AskPassword.Ask", vl_method_ask);
if (r < 0)
return log_error_errno(r, "Failed to bind Varlink method: %m");
r = sd_varlink_server_loop_auto(varlink_server);
if (r < 0)
return log_error_errno(r, "Failed to run Varlink event loop: %m");
return 0;
}
static int run(int argc, char *argv[]) { static int run(int argc, char *argv[]) {
_cleanup_strv_free_erase_ char **l = NULL; _cleanup_strv_free_erase_ char **l = NULL;
usec_t timeout; usec_t timeout;
@ -249,17 +410,23 @@ static int run(int argc, char *argv[]) {
if (r <= 0) if (r <= 0)
return r; return r;
if (arg_varlink)
return vl_server(); /* Invocation as Varlink service */
timeout = arg_timeout > 0 ? usec_add(now(CLOCK_MONOTONIC), arg_timeout) : 0; timeout = arg_timeout > 0 ? usec_add(now(CLOCK_MONOTONIC), arg_timeout) : 0;
AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = arg_message, .message = arg_message,
.icon = arg_icon, .icon = arg_icon,
.id = arg_id, .id = arg_id,
.keyring = arg_key_name, .keyring = arg_key_name,
.credential = arg_credential_name ?: "password", .credential = arg_credential_name ?: "password",
.until = timeout,
.hup_fd = -EBADF,
}; };
r = ask_password_auto(&req, timeout, arg_flags, &l); r = ask_password_auto(&req, arg_flags, &l);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to query password: %m"); return log_error_errno(r, "Failed to query password: %m");

View File

@ -0,0 +1,31 @@
<?xml version="1.0" encoding="UTF-8"?> <!--*-nxml-*-->
<!DOCTYPE policyconfig PUBLIC "-//freedesktop//DTD PolicyKit Policy Configuration 1.0//EN"
"https://www.freedesktop.org/standards/PolicyKit/1/policyconfig.dtd">
<!--
SPDX-License-Identifier: LGPL-2.1-or-later
This file is part of systemd.
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
(at your option) any later version.
-->
<policyconfig>
<vendor>The systemd Project</vendor>
<vendor_url>https://systemd.io</vendor_url>
<action id="io.systemd.ask-password.ask">
<description gettext-domain="systemd">Allow to query the user interactively for a password</description>
<message gettext-domain="systemd">Authentication is required for an application to ask the user interactively for a password.</message>
<defaults>
<allow_any>auth_admin_keep</allow_any>
<allow_inactive>auth_admin_keep</allow_inactive>
<allow_active>yes</allow_active>
</defaults>
</action>
</policyconfig>

View File

@ -9,8 +9,8 @@
#define AUDIT_SESSION_INVALID UINT32_MAX #define AUDIT_SESSION_INVALID UINT32_MAX
int audit_session_from_pid(const PidRef *pid, uint32_t *id); int audit_session_from_pid(const PidRef *pid, uint32_t *ret_id);
int audit_loginuid_from_pid(const PidRef *pid, uid_t *uid); int audit_loginuid_from_pid(const PidRef *pid, uid_t *ret_uid);
bool use_audit(void); bool use_audit(void);

View File

@ -8,8 +8,9 @@
#include <unistd.h> #include <unistd.h>
#include "alloc-util.h" #include "alloc-util.h"
#include "capability-util.h"
#include "cap-list.h" #include "cap-list.h"
#include "capability-util.h"
#include "fd-util.h"
#include "fileio.h" #include "fileio.h"
#include "log.h" #include "log.h"
#include "logarithm.h" #include "logarithm.h"
@ -17,6 +18,8 @@
#include "missing_prctl.h" #include "missing_prctl.h"
#include "missing_threads.h" #include "missing_threads.h"
#include "parse-util.h" #include "parse-util.h"
#include "pidref.h"
#include "stat-util.h"
#include "user-util.h" #include "user-util.h"
int have_effective_cap(int value) { int have_effective_cap(int value) {
@ -607,3 +610,78 @@ int capability_get_ambient(uint64_t *ret) {
*ret = a; *ret = a;
return 1; return 1;
} }
int pidref_get_capability(const PidRef *pidref, CapabilityQuintet *ret) {
int r;
if (!pidref_is_set(pidref))
return -ESRCH;
if (pidref_is_remote(pidref))
return -EREMOTE;
const char *path = procfs_file_alloca(pidref->pid, "status");
_cleanup_fclose_ FILE *f = fopen(path, "re");
if (!f) {
if (errno == ENOENT && proc_mounted() == 0)
return -ENOSYS;
return -errno;
}
CapabilityQuintet q = CAPABILITY_QUINTET_NULL;
for (;;) {
_cleanup_free_ char *line = NULL;
r = read_line(f, LONG_LINE_MAX, &line);
if (r < 0)
return r;
if (r == 0)
break;
static const struct {
const char *field;
size_t offset;
} fields[] = {
{ "CapBnd:", offsetof(CapabilityQuintet, bounding) },
{ "CapInh:", offsetof(CapabilityQuintet, inheritable) },
{ "CapPrm:", offsetof(CapabilityQuintet, permitted) },
{ "CapEff:", offsetof(CapabilityQuintet, effective) },
{ "CapAmb:", offsetof(CapabilityQuintet, ambient) },
};
FOREACH_ELEMENT(i, fields) {
const char *p = first_word(line, i->field);
if (!p)
continue;
uint64_t *v = (uint64_t*) ((uint8_t*) &q + i->offset);
if (*v != CAP_MASK_UNSET)
return -EBADMSG;
r = safe_atoux64(p, v);
if (r < 0)
return r;
if (*v == CAP_MASK_UNSET)
return -EBADMSG;
}
}
if (q.effective == CAP_MASK_UNSET ||
q.inheritable == CAP_MASK_UNSET ||
q.permitted == CAP_MASK_UNSET ||
q.effective == CAP_MASK_UNSET ||
q.ambient == CAP_MASK_UNSET)
return -EBADMSG;
r = pidref_verify(pidref);
if (r < 0)
return r;
if (ret)
*ret = q;
return 0;
}

View File

@ -8,6 +8,7 @@
#include "macro.h" #include "macro.h"
#include "missing_capability.h" #include "missing_capability.h"
#include "pidref.h"
/* Special marker used when storing a capabilities mask as "unset" */ /* Special marker used when storing a capabilities mask as "unset" */
#define CAP_MASK_UNSET UINT64_MAX #define CAP_MASK_UNSET UINT64_MAX
@ -66,14 +67,18 @@ typedef struct CapabilityQuintet {
assert_cc(CAP_LAST_CAP < 64); assert_cc(CAP_LAST_CAP < 64);
#define CAPABILITY_QUINTET_NULL { CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET } #define CAPABILITY_QUINTET_NULL (CapabilityQuintet) { CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET, CAP_MASK_UNSET }
static inline bool capability_is_set(uint64_t v) {
return v != CAP_MASK_UNSET;
}
static inline bool capability_quintet_is_set(const CapabilityQuintet *q) { static inline bool capability_quintet_is_set(const CapabilityQuintet *q) {
return q->effective != CAP_MASK_UNSET || return capability_is_set(q->effective) ||
q->bounding != CAP_MASK_UNSET || capability_is_set(q->bounding) ||
q->inheritable != CAP_MASK_UNSET || capability_is_set(q->inheritable) ||
q->permitted != CAP_MASK_UNSET || capability_is_set(q->permitted) ||
q->ambient != CAP_MASK_UNSET; capability_is_set(q->ambient);
} }
/* Mangles the specified caps quintet taking the current bounding set into account: /* Mangles the specified caps quintet taking the current bounding set into account:
@ -84,3 +89,5 @@ bool capability_quintet_mangle(CapabilityQuintet *q);
int capability_quintet_enforce(const CapabilityQuintet *q); int capability_quintet_enforce(const CapabilityQuintet *q);
int capability_get_ambient(uint64_t *ret); int capability_get_ambient(uint64_t *ret);
int pidref_get_capability(const PidRef *pidref, CapabilityQuintet *ret);

View File

@ -500,22 +500,6 @@ int pidref_is_kernel_thread(const PidRef *pid) {
return result; return result;
} }
int get_process_capeff(pid_t pid, char **ret) {
const char *p;
int r;
assert(pid >= 0);
assert(ret);
p = procfs_file_alloca(pid, "status");
r = get_proc_field(p, "CapEff", WHITESPACE, ret);
if (r == -ENOENT)
return -ESRCH;
return r;
}
static int get_process_link_contents(pid_t pid, const char *proc_file, char **ret) { static int get_process_link_contents(pid_t pid, const char *proc_file, char **ret) {
const char *p; const char *p;
int r; int r;

View File

@ -50,7 +50,6 @@ int get_process_exe(pid_t pid, char **ret);
int pid_get_uid(pid_t pid, uid_t *ret); int pid_get_uid(pid_t pid, uid_t *ret);
int pidref_get_uid(const PidRef *pid, uid_t *ret); int pidref_get_uid(const PidRef *pid, uid_t *ret);
int get_process_gid(pid_t pid, gid_t *ret); int get_process_gid(pid_t pid, gid_t *ret);
int get_process_capeff(pid_t pid, char **ret);
int get_process_cwd(pid_t pid, char **ret); int get_process_cwd(pid_t pid, char **ret);
int get_process_root(pid_t pid, char **ret); int get_process_root(pid_t pid, char **ret);
int get_process_environ(pid_t pid, char **ret); int get_process_environ(pid_t pid, char **ret);

View File

@ -984,9 +984,12 @@ int verb_install(int argc, char *argv[], void *userdata) {
arg_private_key_source, arg_private_key_source,
arg_private_key, arg_private_key,
&(AskPasswordRequest) { &(AskPasswordRequest) {
.tty_fd = -EBADF,
.id = "bootctl-private-key-pin", .id = "bootctl-private-key-pin",
.keyring = arg_private_key, .keyring = arg_private_key,
.credential = "bootctl.private-key-pin", .credential = "bootctl.private-key-pin",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}, },
&private_key, &private_key,
&ui); &ui);

View File

@ -85,7 +85,9 @@ static int device_set_sysfs(Device *d, const char *sysfs) {
Unit *u = UNIT(ASSERT_PTR(d)); Unit *u = UNIT(ASSERT_PTR(d));
int r; int r;
if (streq_ptr(d->sysfs, sysfs)) assert(sysfs);
if (path_equal(d->sysfs, sysfs))
return 0; return 0;
Hashmap **devices = &u->manager->devices_by_sysfs; Hashmap **devices = &u->manager->devices_by_sysfs;
@ -332,6 +334,20 @@ static void device_catchup(Unit *u) {
Device *d = ASSERT_PTR(DEVICE(u)); Device *d = ASSERT_PTR(DEVICE(u));
/* Second, let's update the state with the enumerated state */ /* Second, let's update the state with the enumerated state */
/* If Device.found (set from Device.deserialized_found) does not have DEVICE_FOUND_UDEV, and the
* device has not been processed by udevd while enumeration, it indicates the unit was never active
* before reexecution, hence we can safely drop the flag from Device.enumerated_found. The device
* will be set up later when udev finishes processing (see also comment in
* device_setup_devlink_unit_one()).
*
* NB: 💣💣💣 If Device.found already contains udev, i.e. the unit was fully ready before
* reexecution, do not unset the flag. Otherwise, e.g. if systemd-udev-trigger.service is started
* just before reexec, reload, and so on, devices being reprocessed (carrying ID_PROCESSING=1
* property) on enumeration and will enter dead state. See issue #35329. */
if (!FLAGS_SET(d->found, DEVICE_FOUND_UDEV) && !d->processed)
d->enumerated_found &= ~DEVICE_FOUND_UDEV;
device_update_found_one(d, d->enumerated_found, _DEVICE_FOUND_MASK); device_update_found_one(d, d->enumerated_found, _DEVICE_FOUND_MASK);
} }
@ -777,8 +793,16 @@ static int device_setup_devlink_unit_one(Manager *m, const char *devlink, Set **
assert(ready_units); assert(ready_units);
assert(not_ready_units); assert(not_ready_units);
if (sd_device_new_from_devname(&dev, devlink) >= 0 && device_is_ready(dev)) if (sd_device_new_from_devname(&dev, devlink) >= 0 && device_is_ready(dev)) {
if (MANAGER_IS_RUNNING(m) && device_is_processed(dev) <= 0)
/* The device is being processed by udevd. We will receive relevant uevent for the
* device later when completed. Let's ignore the device now. */
return 0;
/* Note, even if the device is being processed by udevd, setup the unit on enumerate.
* See also the comments in device_catchup(). */
return device_setup_unit(m, dev, devlink, /* main = */ false, ready_units); return device_setup_unit(m, dev, devlink, /* main = */ false, ready_units);
}
/* the devlink is already removed or not ready */ /* the devlink is already removed or not ready */
if (device_by_path(m, devlink, &u) < 0) if (device_by_path(m, devlink, &u) < 0)
@ -874,14 +898,15 @@ static int device_setup_extra_units(Manager *m, sd_device *dev, Set **ready_unit
return 0; return 0;
} }
static int device_setup_units(Manager *m, sd_device *dev, Set **ready_units, Set **not_ready_units) { static int device_setup_units(Manager *m, sd_device *dev, Set **ret_ready_units, Set **ret_not_ready_units) {
_cleanup_set_free_ Set *ready_units = NULL, *not_ready_units = NULL;
const char *syspath, *devname = NULL; const char *syspath, *devname = NULL;
int r; int r;
assert(m); assert(m);
assert(dev); assert(dev);
assert(ready_units); assert(ret_ready_units);
assert(not_ready_units); assert(ret_not_ready_units);
r = sd_device_get_syspath(dev, &syspath); r = sd_device_get_syspath(dev, &syspath);
if (r < 0) if (r < 0)
@ -901,13 +926,13 @@ static int device_setup_units(Manager *m, sd_device *dev, Set **ready_units, Set
/* Add the main unit named after the syspath. If this one fails, don't bother with the rest, /* Add the main unit named after the syspath. If this one fails, don't bother with the rest,
* as this one shall be the main device unit the others just follow. (Compare with how * as this one shall be the main device unit the others just follow. (Compare with how
* device_following() is implemented, see below, which looks for the sysfs device.) */ * device_following() is implemented, see below, which looks for the sysfs device.) */
r = device_setup_unit(m, dev, syspath, /* main = */ true, ready_units); r = device_setup_unit(m, dev, syspath, /* main = */ true, &ready_units);
if (r < 0) if (r < 0)
return r; return r;
/* Add an additional unit for the device node */ /* Add an additional unit for the device node */
if (sd_device_get_devname(dev, &devname) >= 0) if (sd_device_get_devname(dev, &devname) >= 0)
(void) device_setup_unit(m, dev, devname, /* main = */ false, ready_units); (void) device_setup_unit(m, dev, devname, /* main = */ false, &ready_units);
} else { } else {
Unit *u; Unit *u;
@ -915,28 +940,30 @@ static int device_setup_units(Manager *m, sd_device *dev, Set **ready_units, Set
/* If the device exists but not ready, then save the units and unset udev bits later. */ /* If the device exists but not ready, then save the units and unset udev bits later. */
if (device_by_path(m, syspath, &u) >= 0) { if (device_by_path(m, syspath, &u) >= 0) {
r = set_ensure_put(not_ready_units, NULL, DEVICE(u)); r = set_ensure_put(&not_ready_units, NULL, DEVICE(u));
if (r < 0) if (r < 0)
log_unit_debug_errno(u, r, "Failed to store unit, ignoring: %m"); log_unit_debug_errno(u, r, "Failed to store unit, ignoring: %m");
} }
if (sd_device_get_devname(dev, &devname) >= 0 && if (sd_device_get_devname(dev, &devname) >= 0 &&
device_by_path(m, devname, &u) >= 0) { device_by_path(m, devname, &u) >= 0) {
r = set_ensure_put(not_ready_units, NULL, DEVICE(u)); r = set_ensure_put(&not_ready_units, NULL, DEVICE(u));
if (r < 0) if (r < 0)
log_unit_debug_errno(u, r, "Failed to store unit, ignoring: %m"); log_unit_debug_errno(u, r, "Failed to store unit, ignoring: %m");
} }
} }
/* Next, add/update additional .device units point to aliases and symlinks. */ /* Next, add/update additional .device units point to aliases and symlinks. */
(void) device_setup_extra_units(m, dev, ready_units, not_ready_units); (void) device_setup_extra_units(m, dev, &ready_units, &not_ready_units);
/* Safety check: no unit should be in ready_units and not_ready_units simultaneously. */ /* Safety check: no unit should be in ready_units and not_ready_units simultaneously. */
Unit *u; Unit *u;
SET_FOREACH(u, *not_ready_units) SET_FOREACH(u, not_ready_units)
if (set_remove(*ready_units, u)) if (set_remove(ready_units, u))
log_unit_error(u, "Cannot activate and deactivate the unit simultaneously. Deactivating."); log_unit_error(u, "Cannot activate and deactivate the unit simultaneously. Deactivating.");
*ret_ready_units = TAKE_PTR(ready_units);
*ret_not_ready_units = TAKE_PTR(not_ready_units);
return 0; return 0;
} }
@ -1046,13 +1073,32 @@ static void device_enumerate(Manager *m) {
FOREACH_DEVICE(e, dev) { FOREACH_DEVICE(e, dev) {
_cleanup_set_free_ Set *ready_units = NULL, *not_ready_units = NULL; _cleanup_set_free_ Set *ready_units = NULL, *not_ready_units = NULL;
const char *syspath;
bool processed;
Device *d; Device *d;
r = sd_device_get_syspath(dev, &syspath);
if (r < 0) {
log_device_debug_errno(dev, r, "Failed to get syspath of enumerated device, ignoring: %m");
continue;
}
r = device_is_processed(dev);
if (r < 0)
log_device_debug_errno(dev, r, "Failed to check if device is processed by udevd, assuming not: %m");
processed = r > 0;
if (device_setup_units(m, dev, &ready_units, &not_ready_units) < 0) if (device_setup_units(m, dev, &ready_units, &not_ready_units) < 0)
continue; continue;
SET_FOREACH(d, ready_units) SET_FOREACH(d, ready_units) {
device_update_found_one(d, DEVICE_FOUND_UDEV, DEVICE_FOUND_UDEV); device_update_found_one(d, DEVICE_FOUND_UDEV, DEVICE_FOUND_UDEV);
/* Why we need to check the syspath here? Because the device unit may be generated by
* a devlink, and the syspath may be different from the one of the original device. */
if (path_equal(d->sysfs, syspath))
d->processed = processed;
}
SET_FOREACH(d, not_ready_units) SET_FOREACH(d, not_ready_units)
device_update_found_one(d, DEVICE_NOT_FOUND, DEVICE_FOUND_UDEV); device_update_found_one(d, DEVICE_NOT_FOUND, DEVICE_FOUND_UDEV);
} }
@ -1097,7 +1143,6 @@ static void device_remove_old_on_move(Manager *m, sd_device *dev) {
} }
static int device_dispatch_io(sd_device_monitor *monitor, sd_device *dev, void *userdata) { static int device_dispatch_io(sd_device_monitor *monitor, sd_device *dev, void *userdata) {
_cleanup_set_free_ Set *ready_units = NULL, *not_ready_units = NULL;
Manager *m = ASSERT_PTR(userdata); Manager *m = ASSERT_PTR(userdata);
sd_device_action_t action; sd_device_action_t action;
const char *sysfs; const char *sysfs;
@ -1150,6 +1195,7 @@ static int device_dispatch_io(sd_device_monitor *monitor, sd_device *dev, void *
* change events */ * change events */
ready = device_is_ready(dev); ready = device_is_ready(dev);
_cleanup_set_free_ Set *ready_units = NULL, *not_ready_units = NULL;
(void) device_setup_units(m, dev, &ready_units, &not_ready_units); (void) device_setup_units(m, dev, &ready_units, &not_ready_units);
if (action == SD_DEVICE_REMOVE) { if (action == SD_DEVICE_REMOVE) {

View File

@ -29,7 +29,9 @@ struct Device {
DeviceState state, deserialized_state; DeviceState state, deserialized_state;
DeviceFound found, deserialized_found, enumerated_found; DeviceFound found, deserialized_found, enumerated_found;
bool processed; /* Whether udevd has done processing the device, i.e. the device has database and
* ID_PROCESSING=1 udev property is not set. This is used only by enumeration and
* subsequent catchup process. */
bool bind_mounts; bool bind_mounts;
/* The SYSTEMD_WANTS udev property for this device the last time we saw it */ /* The SYSTEMD_WANTS udev property for this device the last time we saw it */

View File

@ -117,10 +117,9 @@ int exec_context_put_load_credential(ExecContext *c, const char *id, const char
return -ENOMEM; return -ENOMEM;
r = hashmap_ensure_put(&c->load_credentials, &exec_load_credential_hash_ops, lc->id, lc); r = hashmap_ensure_put(&c->load_credentials, &exec_load_credential_hash_ops, lc->id, lc);
if (r < 0) { assert(r != -EEXIST);
assert(r != -EEXIST); if (r < 0)
return r; return r;
}
TAKE_PTR(lc); TAKE_PTR(lc);
} }
@ -167,10 +166,9 @@ int exec_context_put_set_credential(
return -ENOMEM; return -ENOMEM;
r = hashmap_ensure_put(&c->set_credentials, &exec_set_credential_hash_ops, sc->id, sc); r = hashmap_ensure_put(&c->set_credentials, &exec_set_credential_hash_ops, sc->id, sc);
if (r < 0) { assert(r != -EEXIST);
assert(r != -EEXIST); if (r < 0)
return r; return r;
}
TAKE_PTR(sc); TAKE_PTR(sc);
} }
@ -193,19 +191,22 @@ int exec_context_put_import_credential(ExecContext *c, const char *glob, const c
*ic = (ExecImportCredential) { *ic = (ExecImportCredential) {
.glob = strdup(glob), .glob = strdup(glob),
.rename = rename ? strdup(rename) : NULL,
}; };
if (!ic->glob || (rename && !ic->rename)) if (!ic->glob)
return -ENOMEM; return -ENOMEM;
if (rename) {
ic->rename = strdup(rename);
if (!ic->rename)
return -ENOMEM;
}
if (ordered_set_contains(c->import_credentials, ic)) if (ordered_set_contains(c->import_credentials, ic))
return 0; return 0;
r = ordered_set_ensure_put(&c->import_credentials, &exec_import_credential_hash_ops, ic); r = ordered_set_ensure_put(&c->import_credentials, &exec_import_credential_hash_ops, ic);
if (r < 0) { assert(r != -EEXIST);
assert(r != -EEXIST); if (r < 0)
return r; return r;
}
TAKE_PTR(ic); TAKE_PTR(ic);
@ -383,30 +384,46 @@ typedef enum CredentialSearchPath {
_CREDENTIAL_SEARCH_PATH_INVALID = -EINVAL, _CREDENTIAL_SEARCH_PATH_INVALID = -EINVAL,
} CredentialSearchPath; } CredentialSearchPath;
static char** credential_search_path(const ExecParameters *params, CredentialSearchPath path) { static int credential_search_path(const ExecParameters *params, CredentialSearchPath path, char ***ret) {
_cleanup_strv_free_ char **l = NULL; _cleanup_strv_free_ char **l = NULL;
int r;
assert(params); assert(params);
assert(path >= 0 && path < _CREDENTIAL_SEARCH_PATH_MAX); assert(path >= 0 && path < _CREDENTIAL_SEARCH_PATH_MAX);
assert(ret);
/* Assemble a search path to find credentials in. For non-encrypted credentials, We'll look in /* Assemble a search path to find credentials in. For non-encrypted credentials, We'll look in
* /etc/credstore/ (and similar directories in /usr/lib/ + /run/). If we're looking for encrypted * /etc/credstore/ (and similar directories in /usr/lib/ + /run/). If we're looking for encrypted
* credentials, we'll look in /etc/credstore.encrypted/ (and similar dirs). */ * credentials, we'll look in /etc/credstore.encrypted/ (and similar dirs). */
if (IN_SET(path, CREDENTIAL_SEARCH_PATH_ENCRYPTED, CREDENTIAL_SEARCH_PATH_ALL)) { if (IN_SET(path, CREDENTIAL_SEARCH_PATH_ENCRYPTED, CREDENTIAL_SEARCH_PATH_ALL)) {
if (strv_extend(&l, params->received_encrypted_credentials_directory) < 0) r = strv_extend(&l, params->received_encrypted_credentials_directory);
return NULL; if (r < 0)
return r;
if (strv_extend_strv(&l, CONF_PATHS_STRV("credstore.encrypted"), /* filter_duplicates= */ true) < 0) _cleanup_strv_free_ char **add = NULL;
return NULL; r = credential_store_path_encrypted(params->runtime_scope, &add);
if (r < 0)
return r;
r = strv_extend_strv_consume(&l, TAKE_PTR(add), /* filter_duplicates= */ false);
if (r < 0)
return r;
} }
if (IN_SET(path, CREDENTIAL_SEARCH_PATH_TRUSTED, CREDENTIAL_SEARCH_PATH_ALL)) { if (IN_SET(path, CREDENTIAL_SEARCH_PATH_TRUSTED, CREDENTIAL_SEARCH_PATH_ALL)) {
if (strv_extend(&l, params->received_credentials_directory) < 0) r = strv_extend(&l, params->received_credentials_directory);
return NULL; if (r < 0)
return r;
if (strv_extend_strv(&l, CONF_PATHS_STRV("credstore"), /* filter_duplicates= */ true) < 0) _cleanup_strv_free_ char **add = NULL;
return NULL; r = credential_store_path(params->runtime_scope, &add);
if (r < 0)
return r;
r = strv_extend_strv_consume(&l, TAKE_PTR(add), /* filter_duplicates= */ false);
if (r < 0)
return r;
} }
if (DEBUG_LOGGING) { if (DEBUG_LOGGING) {
@ -414,7 +431,8 @@ static char** credential_search_path(const ExecParameters *params, CredentialSea
log_debug("Credential search path is: %s", strempty(t)); log_debug("Credential search path is: %s", strempty(t));
} }
return TAKE_PTR(l); *ret = TAKE_PTR(l);
return 0;
} }
struct load_cred_args { struct load_cred_args {
@ -445,15 +463,38 @@ static int maybe_decrypt_and_write_credential(
assert(data || size == 0); assert(data || size == 0);
if (args->encrypted) { if (args->encrypted) {
r = decrypt_credential_and_warn( switch (args->params->runtime_scope) {
id,
now(CLOCK_REALTIME), case RUNTIME_SCOPE_SYSTEM:
/* tpm2_device= */ NULL, /* In system mode talk directly to the TPM */
/* tpm2_signature_path= */ NULL, r = decrypt_credential_and_warn(
getuid(), id,
&IOVEC_MAKE(data, size), now(CLOCK_REALTIME),
CREDENTIAL_ANY_SCOPE, /* tpm2_device= */ NULL,
&plaintext); /* tpm2_signature_path= */ NULL,
getuid(),
&IOVEC_MAKE(data, size),
CREDENTIAL_ANY_SCOPE,
&plaintext);
break;
case RUNTIME_SCOPE_USER:
/* In per user mode we'll not have access to the machine secret, nor to the TPM (most
* likely), hence go via the IPC service instead. Do this if we are run in root's
* per-user invocation too, to minimize differences and because isolating this logic
* into a separate process is generally a good thing anyway. */
r = ipc_decrypt_credential(
id,
now(CLOCK_REALTIME),
getuid(),
&IOVEC_MAKE(data, size),
/* flags= */ 0, /* only allow user creds in user scope */
&plaintext);
break;
default:
assert_not_reached();
}
if (r < 0) if (r < 0)
return r; return r;
@ -611,9 +652,9 @@ static int load_credential(
* directory we received ourselves. We don't support the AF_UNIX stuff in this mode, since we * directory we received ourselves. We don't support the AF_UNIX stuff in this mode, since we
* are operating on a credential store, i.e. this is guaranteed to be regular files. */ * are operating on a credential store, i.e. this is guaranteed to be regular files. */
search_path = credential_search_path(args->params, CREDENTIAL_SEARCH_PATH_ALL); r = credential_search_path(args->params, CREDENTIAL_SEARCH_PATH_ALL, &search_path);
if (!search_path) if (r < 0)
return -ENOMEM; return r;
missing_ok = true; missing_ok = true;
} else } else
@ -797,9 +838,9 @@ static int acquire_credentials(
ORDERED_SET_FOREACH(ic, context->import_credentials) { ORDERED_SET_FOREACH(ic, context->import_credentials) {
_cleanup_free_ char **search_path = NULL; _cleanup_free_ char **search_path = NULL;
search_path = credential_search_path(params, CREDENTIAL_SEARCH_PATH_TRUSTED); r = credential_search_path(params, CREDENTIAL_SEARCH_PATH_TRUSTED, &search_path);
if (!search_path) if (r < 0)
return -ENOMEM; return r;
args.encrypted = false; args.encrypted = false;
@ -811,9 +852,10 @@ static int acquire_credentials(
return r; return r;
search_path = strv_free(search_path); search_path = strv_free(search_path);
search_path = credential_search_path(params, CREDENTIAL_SEARCH_PATH_ENCRYPTED);
if (!search_path) r = credential_search_path(params, CREDENTIAL_SEARCH_PATH_ENCRYPTED, &search_path);
return -ENOMEM; if (r < 0)
return r;
args.encrypted = true; args.encrypted = true;

View File

@ -55,11 +55,14 @@ int load_volume_key_password(
return log_oom(); return log_oom();
AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = question, .message = question,
.icon = "drive-harddisk", .icon = "drive-harddisk",
.id = id, .id = id,
.keyring = "cryptenroll", .keyring = "cryptenroll",
.credential = "cryptenroll.passphrase", .credential = "cryptenroll.passphrase",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}; };
for (;;) { for (;;) {
@ -69,7 +72,7 @@ int load_volume_key_password(
return log_error_errno(SYNTHETIC_ERRNO(ENOKEY), return log_error_errno(SYNTHETIC_ERRNO(ENOKEY),
"Too many attempts, giving up."); "Too many attempts, giving up.");
r = ask_password_auto(&req, USEC_INFINITY, ask_password_flags, &passwords); r = ask_password_auto(&req, ask_password_flags, &passwords);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to query password: %m"); return log_error_errno(r, "Failed to query password: %m");
@ -130,10 +133,13 @@ int enroll_password(
return log_oom(); return log_oom();
AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.icon = "drive-harddisk", .icon = "drive-harddisk",
.id = id, .id = id,
.keyring = "cryptenroll", .keyring = "cryptenroll",
.credential = "cryptenroll.new-passphrase", .credential = "cryptenroll.new-passphrase",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}; };
for (;;) { for (;;) {
@ -150,7 +156,7 @@ int enroll_password(
req.message = question; req.message = question;
r = ask_password_auto(&req, USEC_INFINITY, /* flags= */ 0, &passwords); r = ask_password_auto(&req, /* flags= */ 0, &passwords);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to query password: %m"); return log_error_errno(r, "Failed to query password: %m");
@ -163,7 +169,7 @@ int enroll_password(
req.message = question; req.message = question;
r = ask_password_auto(&req, USEC_INFINITY, /* flags= */ 0, &passwords2); r = ask_password_auto(&req, /* flags= */ 0, &passwords2);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to query password: %m"); return log_error_errno(r, "Failed to query password: %m");

View File

@ -119,16 +119,18 @@ static int get_pin(char **ret_pin_str, TPM2Flags *ret_flags) {
SYNTHETIC_ERRNO(ENOKEY), "Too many attempts, giving up."); SYNTHETIC_ERRNO(ENOKEY), "Too many attempts, giving up.");
AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = "Please enter TPM2 PIN:", .message = "Please enter TPM2 PIN:",
.icon = "drive-harddisk", .icon = "drive-harddisk",
.keyring = "tpm2-pin", .keyring = "tpm2-pin",
.credential = "cryptenroll.new-tpm2-pin", .credential = "cryptenroll.new-tpm2-pin",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}; };
pin = strv_free_erase(pin); pin = strv_free_erase(pin);
r = ask_password_auto( r = ask_password_auto(
&req, &req,
/* until= */ USEC_INFINITY,
/* flags= */ 0, /* flags= */ 0,
&pin); &pin);
if (r < 0) if (r < 0)
@ -139,7 +141,6 @@ static int get_pin(char **ret_pin_str, TPM2Flags *ret_flags) {
r = ask_password_auto( r = ask_password_auto(
&req, &req,
USEC_INFINITY,
/* flags= */ 0, /* flags= */ 0,
&pin2); &pin2);
if (r < 0) if (r < 0)

View File

@ -906,17 +906,20 @@ static int get_password(
return log_oom(); return log_oom();
AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = text, .message = text,
.icon = "drive-harddisk", .icon = "drive-harddisk",
.id = id, .id = id,
.keyring = "cryptsetup", .keyring = "cryptsetup",
.credential = "cryptsetup.passphrase", .credential = "cryptsetup.passphrase",
.until = until,
.hup_fd = -EBADF,
}; };
if (ignore_cached) if (ignore_cached)
flags &= ~ASK_PASSWORD_ACCEPT_CACHED; flags &= ~ASK_PASSWORD_ACCEPT_CACHED;
r = ask_password_auto(&req, until, flags, &passwords); r = ask_password_auto(&req, flags, &passwords);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to query password: %m"); return log_error_errno(r, "Failed to query password: %m");
@ -937,7 +940,7 @@ static int get_password(
req.message = text; req.message = text;
req.id = id; req.id = id;
r = ask_password_auto(&req, until, flags, &passwords2); r = ask_password_auto(&req, flags, &passwords2);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to query verification password: %m"); return log_error_errno(r, "Failed to query verification password: %m");
@ -1422,13 +1425,16 @@ static int crypt_activate_by_token_pin_ask_password(
pins = strv_free_erase(pins); pins = strv_free_erase(pins);
AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = message, .message = message,
.icon = "drive-harddisk", .icon = "drive-harddisk",
.keyring = keyring, .keyring = keyring,
.credential = credential, .credential = credential,
.until = until,
.hup_fd = -EBADF,
}; };
r = ask_password_auto(&req, until, flags, &pins); r = ask_password_auto(&req, flags, &pins);
if (r < 0) if (r < 0)
return r; return r;

View File

@ -3,9 +3,11 @@
#include <unistd.h> #include <unistd.h>
#include "alloc-util.h" #include "alloc-util.h"
#include "bitfield.h"
#include "creds-util.h" #include "creds-util.h"
#include "dropin.h" #include "dropin.h"
#include "errno-util.h" #include "errno-util.h"
#include "extract-word.h"
#include "fd-util.h" #include "fd-util.h"
#include "fileio.h" #include "fileio.h"
#include "generator.h" #include "generator.h"
@ -27,6 +29,7 @@ static char **arg_wants = NULL;
static bool arg_debug_shell = false; static bool arg_debug_shell = false;
static char *arg_debug_tty = NULL; static char *arg_debug_tty = NULL;
static char *arg_default_debug_tty = NULL; static char *arg_default_debug_tty = NULL;
static uint32_t arg_breakpoints = 0;
STATIC_DESTRUCTOR_REGISTER(arg_default_unit, freep); STATIC_DESTRUCTOR_REGISTER(arg_default_unit, freep);
STATIC_DESTRUCTOR_REGISTER(arg_mask, strv_freep); STATIC_DESTRUCTOR_REGISTER(arg_mask, strv_freep);
@ -34,6 +37,91 @@ STATIC_DESTRUCTOR_REGISTER(arg_wants, strv_freep);
STATIC_DESTRUCTOR_REGISTER(arg_debug_tty, freep); STATIC_DESTRUCTOR_REGISTER(arg_debug_tty, freep);
STATIC_DESTRUCTOR_REGISTER(arg_default_debug_tty, freep); STATIC_DESTRUCTOR_REGISTER(arg_default_debug_tty, freep);
typedef enum BreakpointType {
BREAKPOINT_PRE_UDEV,
BREAKPOINT_PRE_BASIC,
BREAKPOINT_PRE_SYSROOT_MOUNT,
BREAKPOINT_PRE_SWITCH_ROOT,
_BREAKPOINT_TYPE_MAX,
_BREAKPOINT_TYPE_INVALID = -EINVAL,
} BreakpointType;
typedef enum BreakpointValidity {
BREAKPOINT_DEFAULT = 1 << 0,
BREAKPOINT_IN_INITRD = 1 << 1,
BREAKPOINT_ON_HOST = 1 << 2,
} BreakpointValidity;
typedef struct BreakpointInfo {
BreakpointType type;
const char *name;
const char *unit;
BreakpointValidity validity;
} BreakpointInfo;
static const struct BreakpointInfo breakpoint_info_table[_BREAKPOINT_TYPE_MAX] = {
{ BREAKPOINT_PRE_UDEV, "pre-udev", "breakpoint-pre-udev.service", BREAKPOINT_IN_INITRD | BREAKPOINT_ON_HOST },
{ BREAKPOINT_PRE_BASIC, "pre-basic", "breakpoint-pre-basic.service", BREAKPOINT_IN_INITRD | BREAKPOINT_ON_HOST },
{ BREAKPOINT_PRE_SYSROOT_MOUNT, "pre-mount", "breakpoint-pre-mount.service", BREAKPOINT_IN_INITRD },
{ BREAKPOINT_PRE_SWITCH_ROOT, "pre-switch-root", "breakpoint-pre-switch-root.service", BREAKPOINT_IN_INITRD | BREAKPOINT_DEFAULT },
};
static BreakpointType parse_breakpoint_from_string_one(const char *s) {
assert(s);
FOREACH_ARRAY(i, breakpoint_info_table, ELEMENTSOF(breakpoint_info_table))
if (streq(i->name, s))
return i->type;
return _BREAKPOINT_TYPE_INVALID;
}
static int parse_breakpoint_from_string(const char *s, uint32_t *ret_breakpoints) {
uint32_t breakpoints = 0;
int r;
assert(ret_breakpoints);
/* Empty value? set default breakpoint */
if (isempty(s)) {
if (in_initrd()) {
FOREACH_ARRAY(i, breakpoint_info_table, ELEMENTSOF(breakpoint_info_table))
if (i->validity & BREAKPOINT_DEFAULT) {
breakpoints |= 1 << i->type;
break;
}
} else
log_warning("No default breakpoint defined on the host, ignoring breakpoint request from kernel command line.");
} else
for (;;) {
_cleanup_free_ char *t = NULL;
BreakpointType tt;
r = extract_first_word(&s, &t, ",", EXTRACT_DONT_COALESCE_SEPARATORS);
if (r < 0)
return r;
if (r == 0)
break;
tt = parse_breakpoint_from_string_one(t);
if (tt < 0) {
log_warning("Invalid breakpoint value '%s', ignoring.", t);
continue;
}
if (in_initrd() && !FLAGS_SET(breakpoint_info_table[tt].validity, BREAKPOINT_IN_INITRD))
log_warning("Breakpoint '%s' not valid in the initrd, ignoring.", t);
else if (!in_initrd() && !FLAGS_SET(breakpoint_info_table[tt].validity, BREAKPOINT_ON_HOST))
log_warning("Breakpoint '%s' not valid on the host, ignoring.", t);
else
breakpoints |= 1 << tt;
}
*ret_breakpoints = breakpoints;
return 0;
}
static int parse_proc_cmdline_item(const char *key, const char *value, void *data) { static int parse_proc_cmdline_item(const char *key, const char *value, void *data) {
int r; int r;
@ -88,6 +176,15 @@ static int parse_proc_cmdline_item(const char *key, const char *value, void *dat
return free_and_strdup_warn(&arg_default_unit, value); return free_and_strdup_warn(&arg_default_unit, value);
} else if (streq(key, "systemd.break")) {
uint32_t breakpoints = 0;
r = parse_breakpoint_from_string(value, &breakpoints);
if (r < 0)
return log_warning_errno(r, "Failed to parse breakpoint value '%s': %m", value);
arg_breakpoints |= breakpoints;
} else if (!value) { } else if (!value) {
const char *target; const char *target;
@ -269,6 +366,10 @@ static int run(const char *dest, const char *dest_early, const char *dest_late)
RET_GATHER(r, install_debug_shell_dropin()); RET_GATHER(r, install_debug_shell_dropin());
} }
BIT_FOREACH(i, arg_breakpoints)
if (strv_extend(&arg_wants, breakpoint_info_table[i].unit) < 0)
return log_oom();
if (get_credentials_dir(&credentials_dir) >= 0) if (get_credentials_dir(&credentials_dir) >= 0)
RET_GATHER(r, process_unit_credentials(credentials_dir)); RET_GATHER(r, process_unit_credentials(credentials_dir));

View File

@ -95,6 +95,7 @@ static char *arg_loop_ref = NULL;
static ImagePolicy *arg_image_policy = NULL; static ImagePolicy *arg_image_policy = NULL;
static bool arg_mtree_hash = true; static bool arg_mtree_hash = true;
static bool arg_via_service = false; static bool arg_via_service = false;
static RuntimeScope arg_runtime_scope = _RUNTIME_SCOPE_INVALID;
STATIC_DESTRUCTOR_REGISTER(arg_image, freep); STATIC_DESTRUCTOR_REGISTER(arg_image, freep);
STATIC_DESTRUCTOR_REGISTER(arg_root, freep); STATIC_DESTRUCTOR_REGISTER(arg_root, freep);
@ -151,6 +152,8 @@ static int help(void) {
" Generate JSON output\n" " Generate JSON output\n"
" --loop-ref=NAME Set reference string for loopback device\n" " --loop-ref=NAME Set reference string for loopback device\n"
" --mtree-hash=BOOL Whether to include SHA256 hash in the mtree output\n" " --mtree-hash=BOOL Whether to include SHA256 hash in the mtree output\n"
" --user Discover user images\n"
" --system Discover system images\n"
"\n%3$sCommands:%4$s\n" "\n%3$sCommands:%4$s\n"
" -h --help Show this help\n" " -h --help Show this help\n"
" --version Show package version\n" " --version Show package version\n"
@ -274,6 +277,8 @@ static int parse_argv(int argc, char *argv[]) {
ARG_VALIDATE, ARG_VALIDATE,
ARG_MTREE_HASH, ARG_MTREE_HASH,
ARG_MAKE_ARCHIVE, ARG_MAKE_ARCHIVE,
ARG_SYSTEM,
ARG_USER,
}; };
static const struct option options[] = { static const struct option options[] = {
@ -307,10 +312,13 @@ static int parse_argv(int argc, char *argv[]) {
{ "validate", no_argument, NULL, ARG_VALIDATE }, { "validate", no_argument, NULL, ARG_VALIDATE },
{ "mtree-hash", required_argument, NULL, ARG_MTREE_HASH }, { "mtree-hash", required_argument, NULL, ARG_MTREE_HASH },
{ "make-archive", no_argument, NULL, ARG_MAKE_ARCHIVE }, { "make-archive", no_argument, NULL, ARG_MAKE_ARCHIVE },
{ "system", no_argument, NULL, ARG_SYSTEM },
{ "user", no_argument, NULL, ARG_USER },
{} {}
}; };
_cleanup_free_ char **buf = NULL; /* we use free(), not strv_free() here, as we don't copy the strings here */ _cleanup_free_ char **buf = NULL; /* we use free(), not strv_free() here, as we don't copy the strings here */
bool system_scope_requested = false, user_scope_requested = false;
int c, r; int c, r;
assert(argc >= 0); assert(argc >= 0);
@ -531,7 +539,6 @@ static int parse_argv(int argc, char *argv[]) {
break; break;
case ARG_MAKE_ARCHIVE: case ARG_MAKE_ARCHIVE:
r = dlopen_libarchive(); r = dlopen_libarchive();
if (r < 0) if (r < 0)
return log_error_errno(r, "Archive support not available (compiled without libarchive, or libarchive not installed?)."); return log_error_errno(r, "Archive support not available (compiled without libarchive, or libarchive not installed?).");
@ -539,6 +546,14 @@ static int parse_argv(int argc, char *argv[]) {
arg_action = ACTION_MAKE_ARCHIVE; arg_action = ACTION_MAKE_ARCHIVE;
break; break;
case ARG_SYSTEM:
system_scope_requested = true;
break;
case ARG_USER:
user_scope_requested = true;
break;
case '?': case '?':
return -EINVAL; return -EINVAL;
@ -547,6 +562,10 @@ static int parse_argv(int argc, char *argv[]) {
} }
} }
if (system_scope_requested || user_scope_requested)
arg_runtime_scope = system_scope_requested && user_scope_requested ? _RUNTIME_SCOPE_INVALID :
system_scope_requested ? RUNTIME_SCOPE_SYSTEM : RUNTIME_SCOPE_USER;
switch (arg_action) { switch (arg_action) {
case ACTION_DISSECT: case ACTION_DISSECT:
@ -1851,7 +1870,7 @@ static int action_discover(void) {
return log_oom(); return log_oom();
for (ImageClass cl = 0; cl < _IMAGE_CLASS_MAX; cl++) { for (ImageClass cl = 0; cl < _IMAGE_CLASS_MAX; cl++) {
r = image_discover(cl, NULL, images); r = image_discover(arg_runtime_scope, cl, NULL, images);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to discover images: %m"); return log_error_errno(r, "Failed to discover images: %m");
} }

View File

@ -735,10 +735,13 @@ static int prompt_root_password(int rfd) {
_cleanup_free_ char *error = NULL; _cleanup_free_ char *error = NULL;
AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = msg1, .message = msg1,
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}; };
r = ask_password_tty(-EBADF, &req, /* until= */ 0, /* flags= */ 0, /* flag_file= */ NULL, &a); r = ask_password_tty(&req, /* flags= */ 0, &a);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to query root password: %m"); return log_error_errno(r, "Failed to query root password: %m");
if (strv_length(a) != 1) if (strv_length(a) != 1)
@ -760,7 +763,7 @@ static int prompt_root_password(int rfd) {
req.message = msg2; req.message = msg2;
r = ask_password_tty(-EBADF, &req, /* until= */ 0, /* flags= */ 0, /* flag_file= */ NULL, &b); r = ask_password_tty(&req, /* flags= */ 0, &b);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to query root password: %m"); return log_error_errno(r, "Failed to query root password: %m");
if (strv_length(b) != 1) if (strv_length(b) != 1)

View File

@ -28,23 +28,36 @@
#include "memory-util-fundamental.h" #include "memory-util-fundamental.h"
#include "sha1-fundamental.h" #include "sha1-fundamental.h"
static void get_chid(const char16_t *const smbios_fields[static _CHID_SMBIOS_FIELDS_MAX], uint32_t mask, EFI_GUID *ret_chid) { static void get_chid(
const char16_t *const smbios_fields[static _CHID_SMBIOS_FIELDS_MAX],
uint32_t mask,
EFI_GUID *ret_chid) {
assert(mask != 0); assert(mask != 0);
assert(ret_chid); assert(ret_chid);
const EFI_GUID namespace = { UINT32_C(0x12d8ff70), UINT16_C(0x7f4c), UINT16_C(0x7d4c), {} }; /* Swapped to BE */
struct sha1_ctx ctx = {}; struct sha1_ctx ctx = {};
sha1_init_ctx(&ctx); sha1_init_ctx(&ctx);
static const EFI_GUID namespace = { UINT32_C(0x12d8ff70), UINT16_C(0x7f4c), UINT16_C(0x7d4c), {} }; /* Swapped to BE */
sha1_process_bytes(&namespace, sizeof(namespace), &ctx); sha1_process_bytes(&namespace, sizeof(namespace), &ctx);
for (unsigned i = 0; i < _CHID_SMBIOS_FIELDS_MAX; i++) for (ChidSmbiosFields i = 0; i < _CHID_SMBIOS_FIELDS_MAX; i++) {
if ((mask >> i) & 1) { if (!FLAGS_SET(mask, UINT32_C(1) << i))
if (i > 0) continue;
sha1_process_bytes(L"&", 2, &ctx);
sha1_process_bytes(smbios_fields[i], strlen16(smbios_fields[i]) * sizeof(char16_t), &ctx); if (!smbios_fields[i]) {
/* If some SMBIOS field is missing, don't generate the CHID, as per spec */
memzero(ret_chid, sizeof(EFI_GUID));
return;
} }
if (i > 0)
sha1_process_bytes(L"&", 2, &ctx);
sha1_process_bytes(smbios_fields[i], strlen16(smbios_fields[i]) * sizeof(char16_t), &ctx);
}
uint8_t hash[SHA1_DIGEST_SIZE]; uint8_t hash[SHA1_DIGEST_SIZE];
sha1_finish_ctx(&ctx, hash); sha1_finish_ctx(&ctx, hash);
@ -61,7 +74,31 @@ static void get_chid(const char16_t *const smbios_fields[static _CHID_SMBIOS_FIE
ret_chid->Data4[0] = (ret_chid->Data4[0] & UINT8_C(0x3f)) | UINT8_C(0x80); ret_chid->Data4[0] = (ret_chid->Data4[0] & UINT8_C(0x3f)) | UINT8_C(0x80);
} }
static const uint32_t chid_smbios_table[CHID_TYPES_MAX] = { const uint32_t chid_smbios_table[CHID_TYPES_MAX] = {
[0] = (UINT32_C(1) << CHID_SMBIOS_MANUFACTURER) |
(UINT32_C(1) << CHID_SMBIOS_FAMILY) |
(UINT32_C(1) << CHID_SMBIOS_PRODUCT_NAME) |
(UINT32_C(1) << CHID_SMBIOS_PRODUCT_SKU) |
(UINT32_C(1) << CHID_SMBIOS_BIOS_VENDOR) |
(UINT32_C(1) << CHID_SMBIOS_BIOS_VERSION) |
(UINT32_C(1) << CHID_SMBIOS_BIOS_MAJOR) |
(UINT32_C(1) << CHID_SMBIOS_BIOS_MINOR),
[1] = (UINT32_C(1) << CHID_SMBIOS_MANUFACTURER) |
(UINT32_C(1) << CHID_SMBIOS_FAMILY) |
(UINT32_C(1) << CHID_SMBIOS_PRODUCT_NAME) |
(UINT32_C(1) << CHID_SMBIOS_BIOS_VENDOR) |
(UINT32_C(1) << CHID_SMBIOS_BIOS_VERSION) |
(UINT32_C(1) << CHID_SMBIOS_BIOS_MAJOR) |
(UINT32_C(1) << CHID_SMBIOS_BIOS_MINOR),
[2] = (UINT32_C(1) << CHID_SMBIOS_MANUFACTURER) |
(UINT32_C(1) << CHID_SMBIOS_PRODUCT_NAME) |
(UINT32_C(1) << CHID_SMBIOS_BIOS_VENDOR) |
(UINT32_C(1) << CHID_SMBIOS_BIOS_VERSION) |
(UINT32_C(1) << CHID_SMBIOS_BIOS_MAJOR) |
(UINT32_C(1) << CHID_SMBIOS_BIOS_MINOR),
[3] = (UINT32_C(1) << CHID_SMBIOS_MANUFACTURER) | [3] = (UINT32_C(1) << CHID_SMBIOS_MANUFACTURER) |
(UINT32_C(1) << CHID_SMBIOS_FAMILY) | (UINT32_C(1) << CHID_SMBIOS_FAMILY) |
(UINT32_C(1) << CHID_SMBIOS_PRODUCT_NAME) | (UINT32_C(1) << CHID_SMBIOS_PRODUCT_NAME) |
@ -102,18 +139,26 @@ static const uint32_t chid_smbios_table[CHID_TYPES_MAX] = {
[11] = (UINT32_C(1) << CHID_SMBIOS_MANUFACTURER) | [11] = (UINT32_C(1) << CHID_SMBIOS_MANUFACTURER) |
(UINT32_C(1) << CHID_SMBIOS_FAMILY), (UINT32_C(1) << CHID_SMBIOS_FAMILY),
[12] = (UINT32_C(1) << CHID_SMBIOS_MANUFACTURER) |
(UINT32_C(1) << CHID_SMBIOS_ENCLOSURE_TYPE),
[13] = (UINT32_C(1) << CHID_SMBIOS_MANUFACTURER) | [13] = (UINT32_C(1) << CHID_SMBIOS_MANUFACTURER) |
(UINT32_C(1) << CHID_SMBIOS_BASEBOARD_MANUFACTURER) | (UINT32_C(1) << CHID_SMBIOS_BASEBOARD_MANUFACTURER) |
(UINT32_C(1) << CHID_SMBIOS_BASEBOARD_PRODUCT), (UINT32_C(1) << CHID_SMBIOS_BASEBOARD_PRODUCT),
[14] = (UINT32_C(1) << CHID_SMBIOS_MANUFACTURER),
}; };
void chid_calculate(const char16_t *const smbios_fields[static _CHID_SMBIOS_FIELDS_MAX], EFI_GUID ret_chids[static CHID_TYPES_MAX]) { void chid_calculate(const char16_t *const smbios_fields[static _CHID_SMBIOS_FIELDS_MAX], EFI_GUID ret_chids[static CHID_TYPES_MAX]) {
assert(smbios_fields); assert(smbios_fields);
assert(ret_chids); assert(ret_chids);
for (size_t i = 0; i < CHID_TYPES_MAX; i++) for (size_t i = 0; i < CHID_TYPES_MAX; i++) {
if (chid_smbios_table[i] != 0) if (chid_smbios_table[i] == 0) {
get_chid(smbios_fields, chid_smbios_table[i], &ret_chids[i]);
else
memzero(&ret_chids[i], sizeof(EFI_GUID)); memzero(&ret_chids[i], sizeof(EFI_GUID));
continue;
}
get_chid(smbios_fields, chid_smbios_table[i], &ret_chids[i]);
}
} }

View File

@ -20,8 +20,15 @@ typedef enum ChidSmbiosFields {
CHID_SMBIOS_PRODUCT_SKU, CHID_SMBIOS_PRODUCT_SKU,
CHID_SMBIOS_BASEBOARD_MANUFACTURER, CHID_SMBIOS_BASEBOARD_MANUFACTURER,
CHID_SMBIOS_BASEBOARD_PRODUCT, CHID_SMBIOS_BASEBOARD_PRODUCT,
CHID_SMBIOS_BIOS_VENDOR,
CHID_SMBIOS_BIOS_VERSION,
CHID_SMBIOS_BIOS_MAJOR,
CHID_SMBIOS_BIOS_MINOR,
CHID_SMBIOS_ENCLOSURE_TYPE,
_CHID_SMBIOS_FIELDS_MAX, _CHID_SMBIOS_FIELDS_MAX,
} ChidSmbiosFields; } ChidSmbiosFields;
extern const uint32_t chid_smbios_table[CHID_TYPES_MAX];
/* CHID (also called HWID by fwupd) is described at https://github.com/fwupd/fwupd/blob/main/docs/hwids.md */ /* CHID (also called HWID by fwupd) is described at https://github.com/fwupd/fwupd/blob/main/docs/hwids.md */
void chid_calculate(const char16_t *const smbios_fields[static _CHID_SMBIOS_FIELDS_MAX], EFI_GUID ret_chids[static CHID_TYPES_MAX]); void chid_calculate(const char16_t *const smbios_fields[static _CHID_SMBIOS_FIELDS_MAX], EFI_GUID ret_chids[static CHID_TYPES_MAX]);

View File

@ -263,13 +263,16 @@ static int acquire_existing_password(
return log_oom(); return log_oom();
AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = question, .message = question,
.icon = "user-home", .icon = "user-home",
.keyring = "home-password", .keyring = "home-password",
.credential = "home.password", .credential = "home.password",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}; };
r = ask_password_auto(&req, USEC_INFINITY, flags, &password); r = ask_password_auto(&req, flags, &password);
if (r == -EUNATCH) { /* EUNATCH is returned if no password was found and asking interactively was if (r == -EUNATCH) { /* EUNATCH is returned if no password was found and asking interactively was
* disabled via the flags. Not an error for us. */ * disabled via the flags. Not an error for us. */
log_debug_errno(r, "No passwords acquired."); log_debug_errno(r, "No passwords acquired.");
@ -321,13 +324,16 @@ static int acquire_recovery_key(
return log_oom(); return log_oom();
AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = question, .message = question,
.icon = "user-home", .icon = "user-home",
.keyring = "home-recovery-key", .keyring = "home-recovery-key",
.credential = "home.recovery-key", .credential = "home.recovery-key",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}; };
r = ask_password_auto(&req, USEC_INFINITY, flags, &recovery_key); r = ask_password_auto(&req, flags, &recovery_key);
if (r == -EUNATCH) { /* EUNATCH is returned if no recovery key was found and asking interactively was if (r == -EUNATCH) { /* EUNATCH is returned if no recovery key was found and asking interactively was
* disabled via the flags. Not an error for us. */ * disabled via the flags. Not an error for us. */
log_debug_errno(r, "No recovery keys acquired."); log_debug_errno(r, "No recovery keys acquired.");
@ -375,13 +381,16 @@ static int acquire_token_pin(
return log_oom(); return log_oom();
AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = question, .message = question,
.icon = "user-home", .icon = "user-home",
.keyring = "token-pin", .keyring = "token-pin",
.credential = "home.token-pin", .credential = "home.token-pin",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}; };
r = ask_password_auto(&req, USEC_INFINITY, flags, &pin); r = ask_password_auto(&req, flags, &pin);
if (r == -EUNATCH) { /* EUNATCH is returned if no PIN was found and asking interactively was disabled if (r == -EUNATCH) { /* EUNATCH is returned if no PIN was found and asking interactively was disabled
* via the flags. Not an error for us. */ * via the flags. Not an error for us. */
log_debug_errno(r, "No security token PINs acquired."); log_debug_errno(r, "No security token PINs acquired.");
@ -1229,15 +1238,17 @@ static int acquire_new_password(
return log_oom(); return log_oom();
AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = question, .message = question,
.icon = "user-home", .icon = "user-home",
.keyring = "home-password", .keyring = "home-password",
.credential = "home.new-password", .credential = "home.new-password",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}; };
r = ask_password_auto( r = ask_password_auto(
&req, &req,
USEC_INFINITY,
/* flags= */ 0, /* no caching, we want to collect a new password here after all */ /* flags= */ 0, /* no caching, we want to collect a new password here after all */
&first); &first);
if (r < 0) if (r < 0)
@ -1253,7 +1264,6 @@ static int acquire_new_password(
r = ask_password_auto( r = ask_password_auto(
&req, &req,
USEC_INFINITY,
/* flags= */ 0, /* no caching */ /* flags= */ 0, /* no caching */
&second); &second);
if (r < 0) if (r < 0)

View File

@ -25,6 +25,7 @@
static ImportCompressType arg_compress = IMPORT_COMPRESS_UNKNOWN; static ImportCompressType arg_compress = IMPORT_COMPRESS_UNKNOWN;
static ImageClass arg_class = IMAGE_MACHINE; static ImageClass arg_class = IMAGE_MACHINE;
static RuntimeScope arg_runtime_scope = _RUNTIME_SCOPE_INVALID;
static void determine_compression_from_filename(const char *p) { static void determine_compression_from_filename(const char *p) {
@ -66,7 +67,7 @@ static int export_tar(int argc, char *argv[], void *userdata) {
local = argv[1]; local = argv[1];
if (image_name_is_valid(local)) { if (image_name_is_valid(local)) {
r = image_find(arg_class, local, NULL, &image); r = image_find(arg_runtime_scope, arg_class, local, NULL, &image);
if (r == -ENOENT) if (r == -ENOENT)
return log_error_errno(r, "Image %s not found.", local); return log_error_errno(r, "Image %s not found.", local);
if (r < 0) if (r < 0)
@ -139,7 +140,7 @@ static int export_raw(int argc, char *argv[], void *userdata) {
local = argv[1]; local = argv[1];
if (image_name_is_valid(local)) { if (image_name_is_valid(local)) {
r = image_find(arg_class, local, NULL, &image); r = image_find(arg_runtime_scope, arg_class, local, NULL, &image);
if (r == -ENOENT) if (r == -ENOENT)
return log_error_errno(r, "Image %s not found.", local); return log_error_errno(r, "Image %s not found.", local);
if (r < 0) if (r < 0)

View File

@ -34,6 +34,7 @@ static bool arg_sync = true;
static bool arg_direct = false; static bool arg_direct = false;
static const char *arg_image_root = NULL; static const char *arg_image_root = NULL;
static ImageClass arg_class = IMAGE_MACHINE; static ImageClass arg_class = IMAGE_MACHINE;
static RuntimeScope arg_runtime_scope = _RUNTIME_SCOPE_INVALID;
typedef struct ProgressInfo { typedef struct ProgressInfo {
RateLimit limit; RateLimit limit;
@ -145,7 +146,7 @@ static int import_fs(int argc, char *argv[], void *userdata) {
return log_oom(); return log_oom();
if (!arg_force) { if (!arg_force) {
r = image_find(arg_class, local, NULL, NULL); r = image_find(arg_runtime_scope, arg_class, local, NULL, NULL);
if (r < 0) { if (r < 0) {
if (r != -ENOENT) if (r != -ENOENT)
return log_error_errno(r, "Failed to check whether image '%s' exists: %m", local); return log_error_errno(r, "Failed to check whether image '%s' exists: %m", local);

View File

@ -30,6 +30,7 @@ static const char *arg_image_root = NULL;
static ImportFlags arg_import_flags = IMPORT_BTRFS_SUBVOL | IMPORT_BTRFS_QUOTA | IMPORT_CONVERT_QCOW2 | IMPORT_SYNC; static ImportFlags arg_import_flags = IMPORT_BTRFS_SUBVOL | IMPORT_BTRFS_QUOTA | IMPORT_CONVERT_QCOW2 | IMPORT_SYNC;
static uint64_t arg_offset = UINT64_MAX, arg_size_max = UINT64_MAX; static uint64_t arg_offset = UINT64_MAX, arg_size_max = UINT64_MAX;
static ImageClass arg_class = IMAGE_MACHINE; static ImageClass arg_class = IMAGE_MACHINE;
static RuntimeScope arg_runtime_scope = _RUNTIME_SCOPE_INVALID;
static int normalize_local(const char *local, char **ret) { static int normalize_local(const char *local, char **ret) {
_cleanup_free_ char *ll = NULL; _cleanup_free_ char *ll = NULL;
@ -63,7 +64,7 @@ static int normalize_local(const char *local, char **ret) {
local = "imported"; local = "imported";
if (!FLAGS_SET(arg_import_flags, IMPORT_FORCE)) { if (!FLAGS_SET(arg_import_flags, IMPORT_FORCE)) {
r = image_find(arg_class, local, NULL, NULL); r = image_find(arg_runtime_scope, arg_class, local, NULL, NULL);
if (r < 0) { if (r < 0) {
if (r != -ENOENT) if (r != -ENOENT)
return log_error_errno(r, "Failed to check whether image '%s' exists: %m", local); return log_error_errno(r, "Failed to check whether image '%s' exists: %m", local);

View File

@ -111,6 +111,8 @@ struct Manager {
bool use_btrfs_subvol; bool use_btrfs_subvol;
bool use_btrfs_quota; bool use_btrfs_quota;
RuntimeScope runtime_scope; /* for now: always RUNTIME_SCOPE_SYSTEM */
}; };
#define TRANSFERS_MAX 64 #define TRANSFERS_MAX 64
@ -721,6 +723,7 @@ static int manager_new(Manager **ret) {
*m = (Manager) { *m = (Manager) {
.use_btrfs_subvol = true, .use_btrfs_subvol = true,
.use_btrfs_quota = true, .use_btrfs_quota = true,
.runtime_scope = RUNTIME_SCOPE_SYSTEM,
}; };
r = sd_event_default(&m->event); r = sd_event_default(&m->event);
@ -1332,6 +1335,7 @@ static int method_cancel_transfer(sd_bus_message *msg, void *userdata, sd_bus_er
static int method_list_images(sd_bus_message *msg, void *userdata, sd_bus_error *error) { static int method_list_images(sd_bus_message *msg, void *userdata, sd_bus_error *error) {
_cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL; _cleanup_(sd_bus_message_unrefp) sd_bus_message *reply = NULL;
ImageClass class = _IMAGE_CLASS_INVALID; ImageClass class = _IMAGE_CLASS_INVALID;
Manager *m = ASSERT_PTR(userdata);
int r; int r;
assert(msg); assert(msg);
@ -1372,7 +1376,7 @@ static int method_list_images(sd_bus_message *msg, void *userdata, sd_bus_error
if (!h) if (!h)
return -ENOMEM; return -ENOMEM;
r = image_discover(c, /* root= */ NULL, h); r = image_discover(m->runtime_scope, c, /* root= */ NULL, h);
if (r < 0) { if (r < 0) {
if (class >= 0) if (class >= 0)
return r; return r;

View File

@ -33,6 +33,7 @@ static ImportFlags arg_import_flags = IMPORT_PULL_SETTINGS | IMPORT_PULL_ROOTHAS
static uint64_t arg_offset = UINT64_MAX, arg_size_max = UINT64_MAX; static uint64_t arg_offset = UINT64_MAX, arg_size_max = UINT64_MAX;
static char *arg_checksum = NULL; static char *arg_checksum = NULL;
static ImageClass arg_class = IMAGE_MACHINE; static ImageClass arg_class = IMAGE_MACHINE;
static RuntimeScope arg_runtime_scope = _RUNTIME_SCOPE_INVALID;
STATIC_DESTRUCTOR_REGISTER(arg_checksum, freep); STATIC_DESTRUCTOR_REGISTER(arg_checksum, freep);
@ -66,7 +67,7 @@ static int normalize_local(const char *local, const char *url, char **ret) {
local); local);
if (!FLAGS_SET(arg_import_flags, IMPORT_FORCE)) { if (!FLAGS_SET(arg_import_flags, IMPORT_FORCE)) {
r = image_find(arg_class, local, NULL, NULL); r = image_find(arg_runtime_scope, arg_class, local, NULL, NULL);
if (r < 0) { if (r < 0) {
if (r != -ENOENT) if (r != -ENOENT)
return log_error_errno(r, "Failed to check whether image '%s' exists: %m", local); return log_error_errno(r, "Failed to check whether image '%s' exists: %m", local);

View File

@ -132,6 +132,7 @@ static int client_context_new(Server *s, pid_t pid, ClientContext **ret) {
.log_level_max = -1, .log_level_max = -1,
.log_ratelimit_interval = s->ratelimit_interval, .log_ratelimit_interval = s->ratelimit_interval,
.log_ratelimit_burst = s->ratelimit_burst, .log_ratelimit_burst = s->ratelimit_burst,
.capability_quintet = CAPABILITY_QUINTET_NULL,
}; };
r = hashmap_ensure_put(&s->client_contexts, NULL, PID_TO_PTR(pid), c); r = hashmap_ensure_put(&s->client_contexts, NULL, PID_TO_PTR(pid), c);
@ -154,7 +155,6 @@ static void client_context_reset(Server *s, ClientContext *c) {
c->comm = mfree(c->comm); c->comm = mfree(c->comm);
c->exe = mfree(c->exe); c->exe = mfree(c->exe);
c->cmdline = mfree(c->cmdline); c->cmdline = mfree(c->cmdline);
c->capeff = mfree(c->capeff);
c->auditid = AUDIT_SESSION_INVALID; c->auditid = AUDIT_SESSION_INVALID;
c->loginuid = UID_INVALID; c->loginuid = UID_INVALID;
@ -184,6 +184,8 @@ static void client_context_reset(Server *s, ClientContext *c) {
c->log_filter_allowed_patterns = set_free_free(c->log_filter_allowed_patterns); c->log_filter_allowed_patterns = set_free_free(c->log_filter_allowed_patterns);
c->log_filter_denied_patterns = set_free_free(c->log_filter_denied_patterns); c->log_filter_denied_patterns = set_free_free(c->log_filter_denied_patterns);
c->capability_quintet = CAPABILITY_QUINTET_NULL;
} }
static ClientContext* client_context_free(Server *s, ClientContext *c) { static ClientContext* client_context_free(Server *s, ClientContext *c) {
@ -233,8 +235,7 @@ static void client_context_read_basic(ClientContext *c) {
if (pid_get_cmdline(c->pid, SIZE_MAX, PROCESS_CMDLINE_QUOTE, &t) >= 0) if (pid_get_cmdline(c->pid, SIZE_MAX, PROCESS_CMDLINE_QUOTE, &t) >= 0)
free_and_replace(c->cmdline, t); free_and_replace(c->cmdline, t);
if (get_process_capeff(c->pid, &t) >= 0) (void) pidref_get_capability(&PIDREF_MAKE_FROM_PID(c->pid), &c->capability_quintet);
free_and_replace(c->capeff, t);
} }
static int client_context_read_label( static int client_context_read_label(

View File

@ -7,6 +7,7 @@
#include "sd-id128.h" #include "sd-id128.h"
#include "capability-util.h"
#include "set.h" #include "set.h"
#include "time-util.h" #include "time-util.h"
@ -27,7 +28,7 @@ struct ClientContext {
char *comm; char *comm;
char *exe; char *exe;
char *cmdline; char *cmdline;
char *capeff; CapabilityQuintet capability_quintet;
uint32_t auditid; uint32_t auditid;
uid_t loginuid; uid_t loginuid;

View File

@ -1109,7 +1109,7 @@ static void server_dispatch_message_real(
* Let's use a heap allocation for this one. */ * Let's use a heap allocation for this one. */
cmdline1 = set_iovec_string_field(iovec, &n, "_CMDLINE=", c->cmdline); cmdline1 = set_iovec_string_field(iovec, &n, "_CMDLINE=", c->cmdline);
IOVEC_ADD_STRING_FIELD(iovec, n, c->capeff, "_CAP_EFFECTIVE"); /* Read from /proc/.../status */ IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->capability_quintet.effective, uint64_t, capability_is_set, "%" PRIx64, "_CAP_EFFECTIVE");
IOVEC_ADD_SIZED_FIELD(iovec, n, c->label, c->label_size, "_SELINUX_CONTEXT"); IOVEC_ADD_SIZED_FIELD(iovec, n, c->label, c->label_size, "_SELINUX_CONTEXT");
IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->auditid, uint32_t, audit_session_is_valid, "%" PRIu32, "_AUDIT_SESSION"); IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->auditid, uint32_t, audit_session_is_valid, "%" PRIu32, "_AUDIT_SESSION");
IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->loginuid, uid_t, uid_is_valid, UID_FMT, "_AUDIT_LOGINUID"); IOVEC_ADD_NUMERIC_FIELD(iovec, n, c->loginuid, uid_t, uid_is_valid, UID_FMT, "_AUDIT_LOGINUID");
@ -1144,7 +1144,7 @@ static void server_dispatch_message_real(
if (o->cmdline) if (o->cmdline)
cmdline2 = set_iovec_string_field(iovec, &n, "OBJECT_CMDLINE=", o->cmdline); cmdline2 = set_iovec_string_field(iovec, &n, "OBJECT_CMDLINE=", o->cmdline);
IOVEC_ADD_STRING_FIELD(iovec, n, o->capeff, "OBJECT_CAP_EFFECTIVE"); IOVEC_ADD_NUMERIC_FIELD(iovec, n, o->capability_quintet.effective, uint64_t, capability_is_set, "%" PRIx64, "OBJECT_CAP_EFFECTIVE");
IOVEC_ADD_SIZED_FIELD(iovec, n, o->label, o->label_size, "OBJECT_SELINUX_CONTEXT"); IOVEC_ADD_SIZED_FIELD(iovec, n, o->label, o->label_size, "OBJECT_SELINUX_CONTEXT");
IOVEC_ADD_NUMERIC_FIELD(iovec, n, o->auditid, uint32_t, audit_session_is_valid, "%" PRIu32, "OBJECT_AUDIT_SESSION"); IOVEC_ADD_NUMERIC_FIELD(iovec, n, o->auditid, uint32_t, audit_session_is_valid, "%" PRIu32, "OBJECT_AUDIT_SESSION");
IOVEC_ADD_NUMERIC_FIELD(iovec, n, o->loginuid, uid_t, uid_is_valid, UID_FMT, "OBJECT_AUDIT_LOGINUID"); IOVEC_ADD_NUMERIC_FIELD(iovec, n, o->loginuid, uid_t, uid_is_valid, UID_FMT, "OBJECT_AUDIT_LOGINUID");

View File

@ -182,9 +182,12 @@ static int verb_validate(int argc, char *argv[], void *userdata) {
arg_private_key_source, arg_private_key_source,
arg_private_key, arg_private_key,
&(AskPasswordRequest) { &(AskPasswordRequest) {
.tty_fd = -EBADF,
.id = "keyutil-private-key-pin", .id = "keyutil-private-key-pin",
.keyring = arg_private_key, .keyring = arg_private_key,
.credential = "keyutil.private-key-pin", .credential = "keyutil.private-key-pin",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}, },
&private_key, &private_key,
&ui); &ui);
@ -238,9 +241,12 @@ static int verb_public(int argc, char *argv[], void *userdata) {
arg_private_key_source, arg_private_key_source,
arg_private_key, arg_private_key,
&(AskPasswordRequest) { &(AskPasswordRequest) {
.tty_fd = -EBADF,
.id = "keyutil-private-key-pin", .id = "keyutil-private-key-pin",
.keyring = arg_private_key, .keyring = arg_private_key,
.credential = "keyutil.private-key-pin", .credential = "keyutil.private-key-pin",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}, },
&private_key, &private_key,
&ui); &ui);

View File

@ -1062,8 +1062,10 @@ global:
LIBSYSTEMD_258 { LIBSYSTEMD_258 {
global: global:
sd_device_enumerator_add_all_parents;
sd_json_variant_type_from_string; sd_json_variant_type_from_string;
sd_json_variant_type_to_string; sd_json_variant_type_to_string;
sd_varlink_get_input_fd;
sd_varlink_get_output_fd;
sd_varlink_reset_fds; sd_varlink_reset_fds;
sd_device_enumerator_add_all_parents;
} LIBSYSTEMD_257; } LIBSYSTEMD_257;

View File

@ -84,3 +84,19 @@ static inline char** generator_binary_paths(RuntimeScope runtime_scope) {
static inline char** env_generator_binary_paths(RuntimeScope runtime_scope) { static inline char** env_generator_binary_paths(RuntimeScope runtime_scope) {
return generator_binary_paths_internal(runtime_scope, true); return generator_binary_paths_internal(runtime_scope, true);
} }
static inline int credential_store_path(RuntimeScope runtime_scope, char ***ret) {
return sd_path_lookup_strv(
runtime_scope == RUNTIME_SCOPE_SYSTEM ?
SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE : SD_PATH_USER_SEARCH_CREDENTIAL_STORE,
/* suffix= */ NULL,
ret);
}
static inline int credential_store_path_encrypted(RuntimeScope runtime_scope, char ***ret) {
return sd_path_lookup_strv(
runtime_scope == RUNTIME_SCOPE_SYSTEM ?
SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED : SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED,
/* suffix= */ NULL,
ret);
}

View File

@ -36,7 +36,12 @@ static int from_environment(const char *envname, const char *fallback, const cha
return -ENXIO; return -ENXIO;
} }
static int from_home_dir(const char *envname, const char *suffix, char **buffer, const char **ret) { static int from_home_dir(
const char *envname,
const char *suffix,
char **buffer,
const char **ret) {
_cleanup_free_ char *h = NULL; _cleanup_free_ char *h = NULL;
int r; int r;
@ -350,6 +355,30 @@ static int get_path(uint64_t type, char **buffer, const char **ret) {
case SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR: case SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR:
*ret = USER_ENV_GENERATOR_DIR; *ret = USER_ENV_GENERATOR_DIR;
return 0; return 0;
case SD_PATH_SYSTEM_CREDENTIAL_STORE:
*ret = "/etc/credstore";
return 0;
case SD_PATH_SYSTEM_CREDENTIAL_STORE_ENCRYPTED:
*ret = "/etc/credstore.encrypted";
return 0;
case SD_PATH_USER_CREDENTIAL_STORE:
r = xdg_user_config_dir("credstore", buffer);
if (r < 0)
return r;
*ret = *buffer;
return 0;
case SD_PATH_USER_CREDENTIAL_STORE_ENCRYPTED:
r = xdg_user_config_dir("credstore.encrypted", buffer);
if (r < 0)
return r;
*ret = *buffer;
return 0;
} }
return -EOPNOTSUPP; return -EOPNOTSUPP;
@ -366,12 +395,12 @@ static int get_path_alloc(uint64_t type, const char *suffix, char **ret) {
if (r < 0) if (r < 0)
return r; return r;
if (suffix) { if (!isempty(suffix)) {
char *suffixed = path_join(p, suffix); char *suffixed = path_join(p, suffix);
if (!suffixed) if (!suffixed)
return -ENOMEM; return -ENOMEM;
path_simplify(suffixed); path_simplify_full(suffixed, PATH_SIMPLIFY_KEEP_TRAILING_SLASH);
free_and_replace(buffer, suffixed); free_and_replace(buffer, suffixed);
} else if (!buffer) { } else if (!buffer) {
@ -601,8 +630,55 @@ static int get_search(uint64_t type, char ***ret) {
case SD_PATH_SYSTEMD_SEARCH_NETWORK: case SD_PATH_SYSTEMD_SEARCH_NETWORK:
return strv_from_nulstr(ret, NETWORK_DIRS_NULSTR); return strv_from_nulstr(ret, NETWORK_DIRS_NULSTR);
case SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE:
case SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED: {
const char *suffix =
type == SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED ? "credstore.encrypted" : "credstore";
_cleanup_strv_free_ char **l = NULL;
FOREACH_STRING(d, CONF_PATHS("")) {
char *j = path_join(d, suffix);
if (!j)
return -ENOMEM;
r = strv_consume(&l, TAKE_PTR(j));
if (r < 0)
return r;
}
*ret = TAKE_PTR(l);
return 0;
} }
case SD_PATH_USER_SEARCH_CREDENTIAL_STORE:
case SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED: {
const char *suffix =
type == SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED ? "credstore.encrypted" : "credstore";
static const uint64_t dirs[] = {
SD_PATH_USER_CONFIGURATION,
SD_PATH_USER_RUNTIME,
SD_PATH_USER_LIBRARY_PRIVATE,
};
_cleanup_strv_free_ char **l = NULL;
FOREACH_ELEMENT(d, dirs) {
_cleanup_free_ char *p = NULL;
r = sd_path_lookup(*d, suffix, &p);
if (r == -ENXIO)
continue;
if (r < 0)
return r;
r = strv_consume(&l, TAKE_PTR(p));
if (r < 0)
return r;
}
*ret = TAKE_PTR(l);
return 0;
}}
return -EOPNOTSUPP; return -EOPNOTSUPP;
} }
@ -637,7 +713,7 @@ _public_ int sd_path_lookup_strv(uint64_t type, const char *suffix, char ***ret)
if (!path_extend(i, suffix)) if (!path_extend(i, suffix))
return -ENOMEM; return -ENOMEM;
path_simplify(*i); path_simplify_full(*i, PATH_SIMPLIFY_KEEP_TRAILING_SLASH);
} }
*ret = TAKE_PTR(l); *ret = TAKE_PTR(l);

View File

@ -1673,6 +1673,30 @@ _public_ int sd_varlink_get_fd(sd_varlink *v) {
return v->input_fd; return v->input_fd;
} }
_public_ int sd_varlink_get_input_fd(sd_varlink *v) {
assert_return(v, -EINVAL);
if (v->state == VARLINK_DISCONNECTED)
return varlink_log_errno(v, SYNTHETIC_ERRNO(ENOTCONN), "Not connected.");
if (v->input_fd < 0)
return varlink_log_errno(v, SYNTHETIC_ERRNO(EBADF), "No valid input fd.");
return v->input_fd;
}
_public_ int sd_varlink_get_output_fd(sd_varlink *v) {
assert_return(v, -EINVAL);
if (v->state == VARLINK_DISCONNECTED)
return varlink_log_errno(v, SYNTHETIC_ERRNO(ENOTCONN), "Not connected.");
if (v->output_fd < 0)
return varlink_log_errno(v, SYNTHETIC_ERRNO(EBADF), "No valid output fd.");
return v->output_fd;
}
_public_ int sd_varlink_get_events(sd_varlink *v) { _public_ int sd_varlink_get_events(sd_varlink *v) {
int ret = 0; int ret = 0;

View File

@ -178,7 +178,7 @@ int bus_image_method_clone(
return sd_bus_error_set_errnof(error, r, "Failed to fork(): %m"); return sd_bus_error_set_errnof(error, r, "Failed to fork(): %m");
if (r == 0) { if (r == 0) {
errno_pipe_fd[0] = safe_close(errno_pipe_fd[0]); errno_pipe_fd[0] = safe_close(errno_pipe_fd[0]);
r = image_clone(image, new_name, read_only); r = image_clone(image, new_name, read_only, m->runtime_scope);
report_errno_and_exit(errno_pipe_fd[1], r); report_errno_and_exit(errno_pipe_fd[1], r);
} }
@ -402,6 +402,7 @@ char* image_bus_path(const char *name) {
static int image_node_enumerator(sd_bus *bus, const char *path, void *userdata, char ***nodes, sd_bus_error *error) { static int image_node_enumerator(sd_bus *bus, const char *path, void *userdata, char ***nodes, sd_bus_error *error) {
_cleanup_hashmap_free_ Hashmap *images = NULL; _cleanup_hashmap_free_ Hashmap *images = NULL;
_cleanup_strv_free_ char **l = NULL; _cleanup_strv_free_ char **l = NULL;
Manager *m = ASSERT_PTR(userdata);
Image *image; Image *image;
int r; int r;
@ -413,7 +414,7 @@ static int image_node_enumerator(sd_bus *bus, const char *path, void *userdata,
if (!images) if (!images)
return -ENOMEM; return -ENOMEM;
r = image_discover(IMAGE_MACHINE, NULL, images); r = image_discover(m->runtime_scope, IMAGE_MACHINE, NULL, images);
if (r < 0) if (r < 0)
return r; return r;

View File

@ -148,7 +148,7 @@ int vl_method_clone_image(sd_varlink *link, sd_json_variant *parameters, sd_varl
return log_debug_errno(r, "Failed to fork: %m"); return log_debug_errno(r, "Failed to fork: %m");
if (r == 0) { if (r == 0) {
errno_pipe_fd[0] = safe_close(errno_pipe_fd[0]); errno_pipe_fd[0] = safe_close(errno_pipe_fd[0]);
r = image_clone(image, p.new_name, p.read_only > 0); r = image_clone(image, p.new_name, p.read_only > 0, manager->runtime_scope);
report_errno_and_exit(errno_pipe_fd[1], r); report_errno_and_exit(errno_pipe_fd[1], r);
} }

View File

@ -440,7 +440,7 @@ int manager_acquire_image(Manager *m, const char *name, Image **ret) {
return log_debug_errno(r, "Failed to enable source: %m") ; return log_debug_errno(r, "Failed to enable source: %m") ;
_cleanup_(image_unrefp) Image *image = NULL; _cleanup_(image_unrefp) Image *image = NULL;
r = image_find(IMAGE_MACHINE, name, NULL, &image); r = image_find(m->runtime_scope, IMAGE_MACHINE, name, NULL, &image);
if (r < 0) if (r < 0)
return log_debug_errno(r, "Failed to find image: %m"); return log_debug_errno(r, "Failed to find image: %m");
@ -467,7 +467,7 @@ int rename_image_and_update_cache(Manager *m, Image *image, const char* new_name
/* The image is cached with its name, hence it is necessary to remove from the cache before renaming. */ /* The image is cached with its name, hence it is necessary to remove from the cache before renaming. */
assert_se(hashmap_remove_value(m->image_cache, image->name, image)); assert_se(hashmap_remove_value(m->image_cache, image->name, image));
r = image_rename(image, new_name); r = image_rename(image, new_name, m->runtime_scope);
if (r < 0) { if (r < 0) {
image = image_unref(image); image = image_unref(image);
return r; return r;

View File

@ -123,7 +123,7 @@ static int method_get_image(sd_bus_message *message, void *userdata, sd_bus_erro
if (r < 0) if (r < 0)
return r; return r;
r = image_find(IMAGE_MACHINE, name, NULL, NULL); r = image_find(m->runtime_scope, IMAGE_MACHINE, name, NULL, NULL);
if (r == -ENOENT) if (r == -ENOENT)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_IMAGE, "No image '%s' known", name); return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_IMAGE, "No image '%s' known", name);
if (r < 0) if (r < 0)
@ -476,7 +476,7 @@ static int method_list_images(sd_bus_message *message, void *userdata, sd_bus_er
if (!images) if (!images)
return -ENOMEM; return -ENOMEM;
r = image_discover(IMAGE_MACHINE, NULL, images); r = image_discover(m->runtime_scope, IMAGE_MACHINE, NULL, images);
if (r < 0) if (r < 0)
return r; return r;
@ -753,7 +753,7 @@ static int method_clean_pool(sd_bus_message *message, void *userdata, sd_bus_err
goto child_fail; goto child_fail;
} }
r = image_discover(IMAGE_MACHINE, NULL, images); r = image_discover(m->runtime_scope, IMAGE_MACHINE, NULL, images);
if (r < 0) if (r < 0)
goto child_fail; goto child_fail;

View File

@ -641,6 +641,7 @@ static int list_image_one_and_maybe_read_metadata(sd_varlink *link, Image *image
} }
static int vl_method_list_images(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) { static int vl_method_list_images(sd_varlink *link, sd_json_variant *parameters, sd_varlink_method_flags_t flags, void *userdata) {
Manager *m = ASSERT_PTR(userdata);
struct params { struct params {
const char *image_name; const char *image_name;
AcquireMetadata acquire_metadata; AcquireMetadata acquire_metadata;
@ -667,7 +668,7 @@ static int vl_method_list_images(sd_varlink *link, sd_json_variant *parameters,
if (!image_name_is_valid(p.image_name)) if (!image_name_is_valid(p.image_name))
return sd_varlink_error_invalid_parameter_name(link, "name"); return sd_varlink_error_invalid_parameter_name(link, "name");
r = image_find(IMAGE_MACHINE, p.image_name, /* root = */ NULL, &found); r = image_find(m->runtime_scope, IMAGE_MACHINE, p.image_name, /* root = */ NULL, &found);
if (r == -ENOENT) if (r == -ENOENT)
return sd_varlink_error(link, "io.systemd.MachineImage.NoSuchImage", NULL); return sd_varlink_error(link, "io.systemd.MachineImage.NoSuchImage", NULL);
if (r < 0) if (r < 0)
@ -683,7 +684,7 @@ static int vl_method_list_images(sd_varlink *link, sd_json_variant *parameters,
if (!images) if (!images)
return -ENOMEM; return -ENOMEM;
r = image_discover(IMAGE_MACHINE, /* root = */ NULL, images); r = image_discover(m->runtime_scope, IMAGE_MACHINE, /* root = */ NULL, images);
if (r < 0) if (r < 0)
return log_debug_errno(r, "Failed to discover images: %m"); return log_debug_errno(r, "Failed to discover images: %m");

View File

@ -40,10 +40,14 @@ static int manager_new(Manager **ret) {
assert(ret); assert(ret);
m = new0(Manager, 1); m = new(Manager, 1);
if (!m) if (!m)
return -ENOMEM; return -ENOMEM;
*m = (Manager) {
.runtime_scope = RUNTIME_SCOPE_SYSTEM,
};
m->machines = hashmap_new(&machine_hash_ops); m->machines = hashmap_new(&machine_hash_ops);
if (!m->machines) if (!m->machines)
return -ENOMEM; return -ENOMEM;

View File

@ -42,6 +42,8 @@ struct Manager {
sd_varlink_server *varlink_userdb_server; sd_varlink_server *varlink_userdb_server;
sd_varlink_server *varlink_machine_server; sd_varlink_server *varlink_machine_server;
RuntimeScope runtime_scope; /* for now: always RUNTIME_SCOPE_SYSTEM */
}; };
int manager_add_machine(Manager *m, const char *name, Machine **ret); int manager_add_machine(Manager *m, const char *name, Machine **ret);

View File

@ -888,9 +888,12 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
arg_private_key_source, arg_private_key_source,
arg_private_key, arg_private_key,
&(AskPasswordRequest) { &(AskPasswordRequest) {
.tty_fd = -EBADF,
.id = "measure-private-key-pin", .id = "measure-private-key-pin",
.keyring = arg_private_key, .keyring = arg_private_key,
.credential = "measure.private-key-pin", .credential = "measure.private-key-pin",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}, },
&privkey, &privkey,
&ui); &ui);

View File

@ -475,7 +475,8 @@ int mount_sysfs(const char *dest, MountSettingsMask mount_settings) {
if (!full) if (!full)
return log_oom(); return log_oom();
(void) mkdir(full, 0755); if (mkdir(full, 0755) < 0 && errno != EEXIST)
return log_error_errno(errno, "Failed to create directory '%s': %m", full);
if (FLAGS_SET(mount_settings, MOUNT_APPLY_APIVFS_RO)) if (FLAGS_SET(mount_settings, MOUNT_APPLY_APIVFS_RO))
extra_flags |= MS_RDONLY; extra_flags |= MS_RDONLY;
@ -1405,9 +1406,11 @@ done:
#define NSPAWN_PRIVATE_FULLY_VISIBLE_PROCFS "/run/host/proc" #define NSPAWN_PRIVATE_FULLY_VISIBLE_PROCFS "/run/host/proc"
#define NSPAWN_PRIVATE_FULLY_VISIBLE_SYSFS "/run/host/sys" #define NSPAWN_PRIVATE_FULLY_VISIBLE_SYSFS "/run/host/sys"
int pin_fully_visible_fs(void) { int pin_fully_visible_api_fs(void) {
int r; int r;
log_debug("Pinning fully visible API FS");
(void) mkdir_p(NSPAWN_PRIVATE_FULLY_VISIBLE_PROCFS, 0755); (void) mkdir_p(NSPAWN_PRIVATE_FULLY_VISIBLE_PROCFS, 0755);
(void) mkdir_p(NSPAWN_PRIVATE_FULLY_VISIBLE_SYSFS, 0755); (void) mkdir_p(NSPAWN_PRIVATE_FULLY_VISIBLE_SYSFS, 0755);
@ -1422,7 +1425,7 @@ int pin_fully_visible_fs(void) {
return 0; return 0;
} }
static int do_wipe_fully_visible_fs(void) { static int do_wipe_fully_visible_api_fs(void) {
if (umount2(NSPAWN_PRIVATE_FULLY_VISIBLE_PROCFS, MNT_DETACH) < 0) if (umount2(NSPAWN_PRIVATE_FULLY_VISIBLE_PROCFS, MNT_DETACH) < 0)
return log_error_errno(errno, "Failed to unmount temporary proc: %m"); return log_error_errno(errno, "Failed to unmount temporary proc: %m");
@ -1438,10 +1441,12 @@ static int do_wipe_fully_visible_fs(void) {
return 0; return 0;
} }
int wipe_fully_visible_fs(int mntns_fd) { int wipe_fully_visible_api_fs(int mntns_fd) {
_cleanup_close_ int orig_mntns_fd = -EBADF; _cleanup_close_ int orig_mntns_fd = -EBADF;
int r, rr; int r, rr;
log_debug("Wiping fully visible API FS");
r = namespace_open(0, r = namespace_open(0,
/* ret_pidns_fd = */ NULL, /* ret_pidns_fd = */ NULL,
&orig_mntns_fd, &orig_mntns_fd,
@ -1459,7 +1464,7 @@ int wipe_fully_visible_fs(int mntns_fd) {
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to enter mount namespace: %m"); return log_error_errno(r, "Failed to enter mount namespace: %m");
rr = do_wipe_fully_visible_fs(); rr = do_wipe_fully_visible_api_fs();
r = namespace_enter(/* pidns_fd = */ -EBADF, r = namespace_enter(/* pidns_fd = */ -EBADF,
orig_mntns_fd, orig_mntns_fd,

View File

@ -73,5 +73,6 @@ int pivot_root_parse(char **pivot_root_new, char **pivot_root_old, const char *s
int setup_pivot_root(const char *directory, const char *pivot_root_new, const char *pivot_root_old); int setup_pivot_root(const char *directory, const char *pivot_root_new, const char *pivot_root_old);
int tmpfs_patch_options(const char *options,uid_t uid_shift, const char *selinux_apifs_context, char **ret); int tmpfs_patch_options(const char *options,uid_t uid_shift, const char *selinux_apifs_context, char **ret);
int pin_fully_visible_fs(void);
int wipe_fully_visible_fs(int mntns_fd); int pin_fully_visible_api_fs(void);
int wipe_fully_visible_api_fs(int mntns_fd);

View File

@ -42,6 +42,7 @@
#include "copy.h" #include "copy.h"
#include "cpu-set-util.h" #include "cpu-set-util.h"
#include "dev-setup.h" #include "dev-setup.h"
#include "devnum-util.h"
#include "discover-image.h" #include "discover-image.h"
#include "dissect-image.h" #include "dissect-image.h"
#include "env-util.h" #include "env-util.h"
@ -1250,7 +1251,7 @@ static int parse_argv(int argc, char *argv[]) {
arg_uid_range = UINT32_C(0x10000); arg_uid_range = UINT32_C(0x10000);
} else if (streq(optarg, "identity")) { } else if (streq(optarg, "identity")) {
/* identity: User namespaces on, UID range is map the 0…0xFFFF range to /* identity: User namespaces on, UID range is map of the 0…0xFFFF range to
* itself, i.e. we don't actually map anything, but do take benefit of * itself, i.e. we don't actually map anything, but do take benefit of
* isolation of capability sets. */ * isolation of capability sets. */
arg_userns_mode = USER_NAMESPACE_FIXED; arg_userns_mode = USER_NAMESPACE_FIXED;
@ -2323,7 +2324,7 @@ static int copy_devnode_one(const char *dest, const char *node, bool ignore_mkno
return log_error_errno(r, "Failed to create '%s': %m", dn); return log_error_errno(r, "Failed to create '%s': %m", dn);
_cleanup_free_ char *sl = NULL; _cleanup_free_ char *sl = NULL;
if (asprintf(&sl, "%s/%u:%u", dn, major(st.st_rdev), minor(st.st_rdev)) < 0) if (asprintf(&sl, "%s/" DEVNUM_FORMAT_STR, dn, DEVNUM_FORMAT_VAL(st.st_rdev)) < 0)
return log_oom(); return log_oom();
_cleanup_free_ char *prefixed = path_join(dest, sl); _cleanup_free_ char *prefixed = path_join(dest, sl);
@ -2847,7 +2848,7 @@ static int reset_audit_loginuid(void) {
if (!arg_privileged) if (!arg_privileged)
return 0; return 0;
r = read_one_line_file("/proc/self/loginuid", &p); r = read_virtual_file("/proc/self/loginuid", SIZE_MAX, &p, /* ret_size= */ NULL);
if (r == -ENOENT) if (r == -ENOENT)
return 0; return 0;
if (r < 0) if (r < 0)
@ -3166,7 +3167,8 @@ static int determine_names(void) {
if (arg_machine) { if (arg_machine) {
_cleanup_(image_unrefp) Image *i = NULL; _cleanup_(image_unrefp) Image *i = NULL;
r = image_find(IMAGE_MACHINE, arg_machine, NULL, &i); r = image_find(arg_privileged ? RUNTIME_SCOPE_SYSTEM : RUNTIME_SCOPE_USER,
IMAGE_MACHINE, arg_machine, NULL, &i);
if (r == -ENOENT) if (r == -ENOENT)
return log_error_errno(r, "No image for machine '%s'.", arg_machine); return log_error_errno(r, "No image for machine '%s'.", arg_machine);
if (r < 0) if (r < 0)
@ -3254,6 +3256,7 @@ static int chase_and_update(char **p, unsigned flags) {
} }
static int determine_uid_shift(const char *directory) { static int determine_uid_shift(const char *directory) {
assert(directory);
if (arg_userns_mode == USER_NAMESPACE_NO) { if (arg_userns_mode == USER_NAMESPACE_NO) {
arg_uid_shift = 0; arg_uid_shift = 0;
@ -3932,7 +3935,7 @@ static int outer_child(
_cleanup_(bind_user_context_freep) BindUserContext *bind_user_context = NULL; _cleanup_(bind_user_context_freep) BindUserContext *bind_user_context = NULL;
_cleanup_strv_free_ char **os_release_pairs = NULL; _cleanup_strv_free_ char **os_release_pairs = NULL;
_cleanup_close_ int fd = -EBADF, mntns_fd = -EBADF; _cleanup_close_ int mntns_fd = -EBADF;
bool idmap = false, enable_fuse; bool idmap = false, enable_fuse;
const char *p; const char *p;
pid_t pid; pid_t pid;
@ -4325,6 +4328,7 @@ static int outer_child(
* visible. Hence there we do it the other way round: we first allocate a new set of namespaces * visible. Hence there we do it the other way round: we first allocate a new set of namespaces
* (and fork for it) for which we then mount sysfs/procfs, and only then switch root. */ * (and fork for it) for which we then mount sysfs/procfs, and only then switch root. */
_cleanup_close_ int notify_fd = -EBADF;
if (arg_privileged) { if (arg_privileged) {
/* Mark everything as shared so our mounts get propagated down. This is required to make new /* Mark everything as shared so our mounts get propagated down. This is required to make new
* bind mounts available in systemd services inside the container that create a new mount * bind mounts available in systemd services inside the container that create a new mount
@ -4355,16 +4359,16 @@ static int outer_child(
* Note, the inner child wouldn't be able to unmount the instances on its own since * Note, the inner child wouldn't be able to unmount the instances on its own since
* it doesn't own the originating mount namespace. IOW, the outer child needs to do * it doesn't own the originating mount namespace. IOW, the outer child needs to do
* this. */ * this. */
r = pin_fully_visible_fs(); r = pin_fully_visible_api_fs();
if (r < 0) if (r < 0)
return r; return r;
} }
fd = setup_notify_child(NULL); notify_fd = setup_notify_child(NULL);
} else } else
fd = setup_notify_child(directory); notify_fd = setup_notify_child(directory);
if (fd < 0) if (notify_fd < 0)
return fd; return notify_fd;
pid = raw_clone(SIGCHLD|CLONE_NEWNS| pid = raw_clone(SIGCHLD|CLONE_NEWNS|
arg_clone_ns_flags | arg_clone_ns_flags |
@ -4429,7 +4433,7 @@ static int outer_child(
return log_error_errno(SYNTHETIC_ERRNO(EIO), return log_error_errno(SYNTHETIC_ERRNO(EIO),
"Short write while sending machine ID."); "Short write while sending machine ID.");
l = send_one_fd(fd_outer_socket, fd, 0); l = send_one_fd(fd_outer_socket, notify_fd, 0);
if (l < 0) if (l < 0)
return log_error_errno(l, "Failed to send notify fd: %m"); return log_error_errno(l, "Failed to send notify fd: %m");
@ -5623,7 +5627,7 @@ static int run_container(
return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "Child died too early."); return log_error_errno(SYNTHETIC_ERRNO(ESRCH), "Child died too early.");
if (arg_userns_mode != USER_NAMESPACE_NO) { if (arg_userns_mode != USER_NAMESPACE_NO) {
r = wipe_fully_visible_fs(mntns_fd); r = wipe_fully_visible_api_fs(mntns_fd);
if (r < 0) if (r < 0)
return r; return r;
mntns_fd = safe_close(mntns_fd); mntns_fd = safe_close(mntns_fd);

View File

@ -14,6 +14,7 @@
#include "main-func.h" #include "main-func.h"
#include "pager.h" #include "pager.h"
#include "pretty-print.h" #include "pretty-print.h"
#include "sort-util.h"
#include "string-util.h" #include "string-util.h"
static const char *arg_suffix = NULL; static const char *arg_suffix = NULL;
@ -101,27 +102,50 @@ static const char* const path_table[_SD_PATH_MAX] = {
[SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR] = "systemd-user-environment-generator", [SD_PATH_SYSTEMD_USER_ENVIRONMENT_GENERATOR] = "systemd-user-environment-generator",
[SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR] = "systemd-search-system-environment-generator", [SD_PATH_SYSTEMD_SEARCH_SYSTEM_ENVIRONMENT_GENERATOR] = "systemd-search-system-environment-generator",
[SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR] = "systemd-search-user-environment-generator", [SD_PATH_SYSTEMD_SEARCH_USER_ENVIRONMENT_GENERATOR] = "systemd-search-user-environment-generator",
[SD_PATH_SYSTEM_CREDENTIAL_STORE] = "system-credential-store",
[SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE] = "system-search-credential-store",
[SD_PATH_SYSTEM_CREDENTIAL_STORE_ENCRYPTED] = "system-credential-store-encrypted",
[SD_PATH_SYSTEM_SEARCH_CREDENTIAL_STORE_ENCRYPTED] = "system-search-credential-store-encrypted",
[SD_PATH_USER_CREDENTIAL_STORE] = "user-credential-store",
[SD_PATH_USER_SEARCH_CREDENTIAL_STORE] = "user-search-credential-store",
[SD_PATH_USER_CREDENTIAL_STORE_ENCRYPTED] = "user-credential-store-encrypted",
[SD_PATH_USER_SEARCH_CREDENTIAL_STORE_ENCRYPTED] = "user-search-credential-store-encrypted",
}; };
static int order_cmp(const size_t *a, const size_t *b) {
assert(*a < ELEMENTSOF(path_table));
assert(*b < ELEMENTSOF(path_table));
return strcmp(path_table[*a], path_table[*b]);
}
static int list_paths(void) { static int list_paths(void) {
int r = 0; int ret = 0, r;
pager_open(arg_pager_flags); pager_open(arg_pager_flags);
for (size_t i = 0; i < ELEMENTSOF(path_table); i++) { size_t order[ELEMENTSOF(path_table)];
_cleanup_free_ char *p = NULL;
int q;
q = sd_path_lookup(i, arg_suffix, &p); for (size_t i = 0; i < ELEMENTSOF(order); i++)
if (q < 0) { order[i] = i;
log_full_errno(q == -ENXIO ? LOG_DEBUG : LOG_ERR,
q, "Failed to query %s: %m", path_table[i]); typesafe_qsort(order, ELEMENTSOF(order), order_cmp);
if (q != -ENXIO)
RET_GATHER(r, q); for (size_t i = 0; i < ELEMENTSOF(order); i++) {
size_t j = order[i];
const char *t = ASSERT_PTR(path_table[j]);
_cleanup_free_ char *p = NULL;
r = sd_path_lookup(j, arg_suffix, &p);
if (r < 0) {
log_full_errno(r == -ENXIO ? LOG_DEBUG : LOG_ERR, r, "Failed to query %s, proceeding: %m", t);
if (r != -ENXIO)
RET_GATHER(ret, r);
continue; continue;
} }
printf("%s%s:%s %s\n", ansi_highlight(), path_table[i], ansi_normal(), p); printf("%s%s:%s %s\n", ansi_highlight(), t, ansi_normal(), p);
} }
return r; return r;
@ -154,14 +178,16 @@ static int help(void) {
if (r < 0) if (r < 0)
return log_oom(); return log_oom();
printf("%s [OPTIONS...] [NAME...]\n\n" printf("%s [OPTIONS...] [NAME...]\n"
"Show system and user paths.\n\n" "\n%sShow system and user paths.%s\n\n"
" -h --help Show this help\n" " -h --help Show this help\n"
" --version Show package version\n" " --version Show package version\n"
" --suffix=SUFFIX Suffix to append to paths\n" " --suffix=SUFFIX Suffix to append to paths\n"
" --no-pager Do not pipe output into a pager\n" " --no-pager Do not pipe output into a pager\n"
"\nSee the %s for details.\n", "\nSee the %s for details.\n",
program_invocation_short_name, program_invocation_short_name,
ansi_highlight(),
ansi_normal(),
link); link);
return 0; return 0;
@ -224,10 +250,11 @@ static int run(int argc, char* argv[]) {
if (r <= 0) if (r <= 0)
return r; return r;
if (argc > optind) if (argc > optind) {
r = 0;
for (int i = optind; i < argc; i++) for (int i = optind; i < argc; i++)
RET_GATHER(r, print_path(argv[i])); RET_GATHER(r, print_path(argv[i]));
else } else
r = list_paths(); r = list_paths();
return r; return r;

View File

@ -297,6 +297,29 @@ static int vl_method_extend(sd_varlink *link, sd_json_variant *parameters, sd_va
return sd_varlink_reply(link, NULL); return sd_varlink_reply(link, NULL);
} }
static int vl_server(void) {
_cleanup_(sd_varlink_server_unrefp) sd_varlink_server *varlink_server = NULL;
int r;
r = varlink_server_new(&varlink_server, SD_VARLINK_SERVER_ROOT_ONLY, /* userdata= */ NULL);
if (r < 0)
return log_error_errno(r, "Failed to allocate Varlink server: %m");
r = sd_varlink_server_add_interface(varlink_server, &vl_interface_io_systemd_PCRExtend);
if (r < 0)
return log_error_errno(r, "Failed to add Varlink interface: %m");
r = sd_varlink_server_bind_method(varlink_server, "io.systemd.PCRExtend.Extend", vl_method_extend);
if (r < 0)
return log_error_errno(r, "Failed to bind Varlink method: %m");
r = sd_varlink_server_loop_auto(varlink_server);
if (r < 0)
return log_error_errno(r, "Failed to run Varlink event loop: %m");
return 0;
}
static int run(int argc, char *argv[]) { static int run(int argc, char *argv[]) {
_cleanup_free_ char *word = NULL; _cleanup_free_ char *word = NULL;
Tpm2UserspaceEventType event; Tpm2UserspaceEventType event;
@ -308,29 +331,8 @@ static int run(int argc, char *argv[]) {
if (r <= 0) if (r <= 0)
return r; return r;
if (arg_varlink) { if (arg_varlink)
_cleanup_(sd_varlink_server_unrefp) sd_varlink_server *varlink_server = NULL; return vl_server(); /* Invocation as Varlink service */
/* Invocation as Varlink service */
r = varlink_server_new(&varlink_server, SD_VARLINK_SERVER_ROOT_ONLY, NULL);
if (r < 0)
return log_error_errno(r, "Failed to allocate Varlink server: %m");
r = sd_varlink_server_add_interface(varlink_server, &vl_interface_io_systemd_PCRExtend);
if (r < 0)
return log_error_errno(r, "Failed to add Varlink interface: %m");
r = sd_varlink_server_bind_method(varlink_server, "io.systemd.PCRExtend.Extend", vl_method_extend);
if (r < 0)
return log_error_errno(r, "Failed to bind Varlink method: %m");
r = sd_varlink_server_loop_auto(varlink_server);
if (r < 0)
return log_error_errno(r, "Failed to run Varlink event loop: %m");
return EXIT_SUCCESS;
}
if (arg_file_system) { if (arg_file_system) {
if (optind != argc) if (optind != argc)

View File

@ -4550,14 +4550,16 @@ static int make_policy(bool force, RecoveryPinMode recovery_pin_mode) {
_cleanup_(strv_free_erasep) char **l = NULL; _cleanup_(strv_free_erasep) char **l = NULL;
AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = "Recovery PIN", .message = "Recovery PIN",
.id = "pcrlock-recovery-pin", .id = "pcrlock-recovery-pin",
.credential = "pcrlock.recovery-pin", .credential = "pcrlock.recovery-pin",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}; };
r = ask_password_auto( r = ask_password_auto(
&req, &req,
/* until= */ 0,
/* flags= */ 0, /* flags= */ 0,
&l); &l);
if (r < 0) if (r < 0)

View File

@ -173,6 +173,7 @@ DEFINE_PRIVATE_HASH_OPS_WITH_VALUE_DESTRUCTOR(portable_metadata_hash_ops, char,
PortableMetadata, portable_metadata_unref); PortableMetadata, portable_metadata_unref);
static int extract_now( static int extract_now(
RuntimeScope scope,
const char *where, const char *where,
char **matches, char **matches,
const char *image_name, const char *image_name,
@ -199,6 +200,7 @@ static int extract_now(
* parent. To handle both cases in one call this function also gets a 'socket_fd' parameter, which when >= 0 is * parent. To handle both cases in one call this function also gets a 'socket_fd' parameter, which when >= 0 is
* used to send the data to the parent. */ * used to send the data to the parent. */
assert(scope < _RUNTIME_SCOPE_MAX);
assert(where); assert(where);
/* First, find os-release/extension-release and send it upstream (or just save it). */ /* First, find os-release/extension-release and send it upstream (or just save it). */
@ -248,7 +250,7 @@ static int extract_now(
/* Then, send unit file data to the parent (or/and add it to the hashmap). For that we use our usual unit /* Then, send unit file data to the parent (or/and add it to the hashmap). For that we use our usual unit
* discovery logic. Note that we force looking inside of /lib/systemd/system/ for units too, as the * discovery logic. Note that we force looking inside of /lib/systemd/system/ for units too, as the
* image might have a legacy split-usr layout. */ * image might have a legacy split-usr layout. */
r = lookup_paths_init(&paths, RUNTIME_SCOPE_SYSTEM, LOOKUP_PATHS_SPLIT_USR, where); r = lookup_paths_init(&paths, scope, LOOKUP_PATHS_SPLIT_USR, where);
if (r < 0) if (r < 0)
return log_debug_errno(r, "Failed to acquire lookup paths: %m"); return log_debug_errno(r, "Failed to acquire lookup paths: %m");
@ -348,6 +350,7 @@ static int extract_now(
} }
static int portable_extract_by_path( static int portable_extract_by_path(
RuntimeScope scope,
const char *path, const char *path,
bool path_is_extension, bool path_is_extension,
bool relax_extension_release_check, bool relax_extension_release_check,
@ -381,7 +384,7 @@ static int portable_extract_by_path(
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to extract image name from path '%s': %m", path); return log_error_errno(r, "Failed to extract image name from path '%s': %m", path);
r = extract_now(path, matches, image_name, path_is_extension, /* relax_extension_release_check= */ false, -1, &os_release, &unit_files); r = extract_now(scope, path, matches, image_name, path_is_extension, /* relax_extension_release_check= */ false, -1, &os_release, &unit_files);
if (r < 0) if (r < 0)
return r; return r;
@ -458,7 +461,7 @@ static int portable_extract_by_path(
goto child_finish; goto child_finish;
} }
r = extract_now(tmpdir, matches, m->image_name, path_is_extension, relax_extension_release_check, seq[1], NULL, NULL); r = extract_now(scope, tmpdir, matches, m->image_name, path_is_extension, relax_extension_release_check, seq[1], NULL, NULL);
child_finish: child_finish:
_exit(r < 0 ? EXIT_FAILURE : EXIT_SUCCESS); _exit(r < 0 ? EXIT_FAILURE : EXIT_SUCCESS);
@ -549,6 +552,7 @@ static int portable_extract_by_path(
} }
static int extract_image_and_extensions( static int extract_image_and_extensions(
RuntimeScope scope,
const char *name_or_path, const char *name_or_path,
char **matches, char **matches,
char **extension_image_paths, char **extension_image_paths,
@ -595,7 +599,7 @@ static int extract_image_and_extensions(
name_or_path = result.path; name_or_path = result.path;
} }
r = image_find_harder(IMAGE_PORTABLE, name_or_path, /* root= */ NULL, &image); r = image_find_harder(scope, IMAGE_PORTABLE, name_or_path, /* root= */ NULL, &image);
if (r < 0) if (r < 0)
return r; return r;
@ -633,7 +637,7 @@ static int extract_image_and_extensions(
path = ext_result.path; path = ext_result.path;
} }
r = image_find_harder(IMAGE_PORTABLE, path, NULL, &new); r = image_find_harder(scope, IMAGE_PORTABLE, path, NULL, &new);
if (r < 0) if (r < 0)
return r; return r;
@ -645,6 +649,7 @@ static int extract_image_and_extensions(
} }
r = portable_extract_by_path( r = portable_extract_by_path(
scope,
image->path, image->path,
/* path_is_extension= */ false, /* path_is_extension= */ false,
/* relax_extension_release_check= */ false, /* relax_extension_release_check= */ false,
@ -687,6 +692,7 @@ static int extract_image_and_extensions(
const char *e; const char *e;
r = portable_extract_by_path( r = portable_extract_by_path(
scope,
ext->path, ext->path,
/* path_is_extension= */ true, /* path_is_extension= */ true,
relax_extension_release_check, relax_extension_release_check,
@ -754,6 +760,7 @@ static int extract_image_and_extensions(
} }
int portable_extract( int portable_extract(
RuntimeScope scope,
const char *name_or_path, const char *name_or_path,
char **matches, char **matches,
char **extension_image_paths, char **extension_image_paths,
@ -775,6 +782,7 @@ int portable_extract(
assert(name_or_path); assert(name_or_path);
r = extract_image_and_extensions( r = extract_image_and_extensions(
scope,
name_or_path, name_or_path,
matches, matches,
extension_image_paths, extension_image_paths,
@ -1426,6 +1434,7 @@ static int image_target_path(
} }
static int install_image( static int install_image(
RuntimeScope scope,
const char *image_path, const char *image_path,
PortableFlags flags, PortableFlags flags,
PortableChange **changes, PortableChange **changes,
@ -1434,13 +1443,14 @@ static int install_image(
_cleanup_free_ char *target = NULL; _cleanup_free_ char *target = NULL;
int r; int r;
assert(scope < _RUNTIME_SCOPE_MAX);
assert(image_path); assert(image_path);
/* If the image is outside of the image search also link it into it, so that it can be found with /* If the image is outside of the image search also link it into it, so that it can be found with
* short image names and is listed among the images. If we are operating in mixed mode, the image is * short image names and is listed among the images. If we are operating in mixed mode, the image is
* copied instead. */ * copied instead. */
if (image_in_search_path(IMAGE_PORTABLE, NULL, image_path)) if (image_in_search_path(scope, IMAGE_PORTABLE, NULL, image_path))
return 0; return 0;
r = image_target_path(image_path, flags, &target); r = image_target_path(image_path, flags, &target);
@ -1485,6 +1495,7 @@ static int install_image(
} }
static int install_image_and_extensions( static int install_image_and_extensions(
RuntimeScope scope,
const Image *image, const Image *image,
OrderedHashmap *extension_images, OrderedHashmap *extension_images,
PortableFlags flags, PortableFlags flags,
@ -1497,12 +1508,12 @@ static int install_image_and_extensions(
assert(image); assert(image);
ORDERED_HASHMAP_FOREACH(ext, extension_images) { ORDERED_HASHMAP_FOREACH(ext, extension_images) {
r = install_image(ext->path, flags, changes, n_changes); r = install_image(scope, ext->path, flags, changes, n_changes);
if (r < 0) if (r < 0)
return r; return r;
} }
r = install_image(image->path, flags, changes, n_changes); r = install_image(scope, image->path, flags, changes, n_changes);
if (r < 0) if (r < 0)
return r; return r;
@ -1595,6 +1606,7 @@ static void log_portable_verb(
} }
int portable_attach( int portable_attach(
RuntimeScope scope,
sd_bus *bus, sd_bus *bus,
const char *name_or_path, const char *name_or_path,
char **matches, char **matches,
@ -1615,7 +1627,10 @@ int portable_attach(
PortableMetadata *item; PortableMetadata *item;
int r; int r;
assert(scope < _RUNTIME_SCOPE_MAX);
r = extract_image_and_extensions( r = extract_image_and_extensions(
scope,
name_or_path, name_or_path,
matches, matches,
extension_image_paths, extension_image_paths,
@ -1672,13 +1687,13 @@ int portable_attach(
strempty(extensions_joined)); strempty(extensions_joined));
} }
r = lookup_paths_init(&paths, RUNTIME_SCOPE_SYSTEM, /* flags= */ 0, NULL); r = lookup_paths_init(&paths, scope, /* flags= */ 0, NULL);
if (r < 0) if (r < 0)
return r; return r;
if (!FLAGS_SET(flags, PORTABLE_REATTACH) && !FLAGS_SET(flags, PORTABLE_FORCE_ATTACH)) if (!FLAGS_SET(flags, PORTABLE_REATTACH) && !FLAGS_SET(flags, PORTABLE_FORCE_ATTACH))
HASHMAP_FOREACH(item, unit_files) { HASHMAP_FOREACH(item, unit_files) {
r = unit_file_exists(RUNTIME_SCOPE_SYSTEM, &paths, item->name); r = unit_file_exists(scope, &paths, item->name);
if (r < 0) if (r < 0)
return sd_bus_error_set_errnof(error, r, "Failed to determine whether unit '%s' exists on the host: %m", item->name); return sd_bus_error_set_errnof(error, r, "Failed to determine whether unit '%s' exists on the host: %m", item->name);
if (r > 0) if (r > 0)
@ -1700,7 +1715,7 @@ int portable_attach(
/* We don't care too much for the image symlink/copy, it's just a convenience thing, it's not necessary for /* We don't care too much for the image symlink/copy, it's just a convenience thing, it's not necessary for
* proper operation otherwise. */ * proper operation otherwise. */
(void) install_image_and_extensions(image, extension_images, flags, changes, n_changes); (void) install_image_and_extensions(scope, image, extension_images, flags, changes, n_changes);
log_portable_verb( log_portable_verb(
"attached", "attached",
@ -1844,6 +1859,7 @@ static int test_chroot_dropin(
} }
int portable_detach( int portable_detach(
RuntimeScope scope,
sd_bus *bus, sd_bus *bus,
const char *name_or_path, const char *name_or_path,
char **extension_image_paths, char **extension_image_paths,
@ -1857,12 +1873,12 @@ int portable_detach(
_cleanup_free_ char *extensions = NULL; _cleanup_free_ char *extensions = NULL;
_cleanup_closedir_ DIR *d = NULL; _cleanup_closedir_ DIR *d = NULL;
const char *where, *item; const char *where, *item;
int ret = 0; int r, ret = 0;
int r;
assert(scope < _RUNTIME_SCOPE_MAX);
assert(name_or_path); assert(name_or_path);
r = lookup_paths_init(&paths, RUNTIME_SCOPE_SYSTEM, /* flags= */ 0, NULL); r = lookup_paths_init(&paths, scope, /* flags= */ 0, NULL);
if (r < 0) if (r < 0)
return r; return r;
@ -1930,7 +1946,7 @@ int portable_detach(
if (r == 0) if (r == 0)
break; break;
if (path_is_absolute(image) && !image_in_search_path(IMAGE_PORTABLE, NULL, image)) { if (path_is_absolute(image) && !image_in_search_path(scope, IMAGE_PORTABLE, NULL, image)) {
r = set_ensure_consume(&markers, &path_hash_ops_free, TAKE_PTR(image)); r = set_ensure_consume(&markers, &path_hash_ops_free, TAKE_PTR(image));
if (r < 0) if (r < 0)
return r; return r;
@ -2031,6 +2047,7 @@ not_found:
} }
static int portable_get_state_internal( static int portable_get_state_internal(
RuntimeScope scope,
sd_bus *bus, sd_bus *bus,
const char *name_or_path, const char *name_or_path,
char **extension_image_paths, char **extension_image_paths,
@ -2045,10 +2062,11 @@ static int portable_get_state_internal(
const char *where; const char *where;
int r; int r;
assert(scope < _RUNTIME_SCOPE_MAX);
assert(name_or_path); assert(name_or_path);
assert(ret); assert(ret);
r = lookup_paths_init(&paths, RUNTIME_SCOPE_SYSTEM, /* flags= */ 0, NULL); r = lookup_paths_init(&paths, scope, /* flags= */ 0, NULL);
if (r < 0) if (r < 0)
return r; return r;
@ -2084,7 +2102,7 @@ static int portable_get_state_internal(
if (r == 0) if (r == 0)
continue; continue;
r = unit_file_lookup_state(RUNTIME_SCOPE_SYSTEM, &paths, de->d_name, &state); r = unit_file_lookup_state(scope, &paths, de->d_name, &state);
if (r < 0) if (r < 0)
return log_debug_errno(r, "Failed to determine unit file state of '%s': %m", de->d_name); return log_debug_errno(r, "Failed to determine unit file state of '%s': %m", de->d_name);
if (!IN_SET(state, UNIT_FILE_STATIC, UNIT_FILE_DISABLED, UNIT_FILE_LINKED, UNIT_FILE_LINKED_RUNTIME)) if (!IN_SET(state, UNIT_FILE_STATIC, UNIT_FILE_DISABLED, UNIT_FILE_LINKED, UNIT_FILE_LINKED_RUNTIME))
@ -2109,6 +2127,7 @@ static int portable_get_state_internal(
} }
int portable_get_state( int portable_get_state(
RuntimeScope scope,
sd_bus *bus, sd_bus *bus,
const char *name_or_path, const char *name_or_path,
char **extension_image_paths, char **extension_image_paths,
@ -2125,12 +2144,19 @@ int portable_get_state(
/* We look for matching units twice: once in the regular directories, and once in the runtime directories — but /* We look for matching units twice: once in the regular directories, and once in the runtime directories — but
* the latter only if we didn't find anything in the former. */ * the latter only if we didn't find anything in the former. */
r = portable_get_state_internal(bus, name_or_path, extension_image_paths, flags & ~PORTABLE_RUNTIME, &state, error); r = portable_get_state_internal(
scope,
bus,
name_or_path,
extension_image_paths,
flags & ~PORTABLE_RUNTIME,
&state,
error);
if (r < 0) if (r < 0)
return r; return r;
if (state == PORTABLE_DETACHED) { if (state == PORTABLE_DETACHED) {
r = portable_get_state_internal(bus, name_or_path, extension_image_paths, flags | PORTABLE_RUNTIME, &state, error); r = portable_get_state_internal(scope, bus, name_or_path, extension_image_paths, flags | PORTABLE_RUNTIME, &state, error);
if (r < 0) if (r < 0)
return r; return r;
} }

View File

@ -6,6 +6,7 @@
#include "dissect-image.h" #include "dissect-image.h"
#include "hashmap.h" #include "hashmap.h"
#include "macro.h" #include "macro.h"
#include "runtime-scope.h"
#include "set.h" #include "set.h"
#include "string-util.h" #include "string-util.h"
@ -69,12 +70,12 @@ DEFINE_TRIVIAL_CLEANUP_FUNC(PortableMetadata*, portable_metadata_unref);
int portable_metadata_hashmap_to_sorted_array(Hashmap *unit_files, PortableMetadata ***ret); int portable_metadata_hashmap_to_sorted_array(Hashmap *unit_files, PortableMetadata ***ret);
int portable_extract(const char *image, char **matches, char **extension_image_paths, const ImagePolicy *image_policy, PortableFlags flags, PortableMetadata **ret_os_release, OrderedHashmap **ret_extension_releases, Hashmap **ret_unit_files, char ***ret_valid_prefixes, sd_bus_error *error); int portable_extract(RuntimeScope scope, const char *image, char **matches, char **extension_image_paths, const ImagePolicy *image_policy, PortableFlags flags, PortableMetadata **ret_os_release, OrderedHashmap **ret_extension_releases, Hashmap **ret_unit_files, char ***ret_valid_prefixes, sd_bus_error *error);
int portable_attach(sd_bus *bus, const char *name_or_path, char **matches, const char *profile, char **extension_images, const ImagePolicy* image_policy, PortableFlags flags, PortableChange **changes, size_t *n_changes, sd_bus_error *error); int portable_attach(RuntimeScope scope, sd_bus *bus, const char *name_or_path, char **matches, const char *profile, char **extension_images, const ImagePolicy* image_policy, PortableFlags flags, PortableChange **changes, size_t *n_changes, sd_bus_error *error);
int portable_detach(sd_bus *bus, const char *name_or_path, char **extension_image_paths, PortableFlags flags, PortableChange **changes, size_t *n_changes, sd_bus_error *error); int portable_detach(RuntimeScope scope, sd_bus *bus, const char *name_or_path, char **extension_image_paths, PortableFlags flags, PortableChange **changes, size_t *n_changes, sd_bus_error *error);
int portable_get_state(sd_bus *bus, const char *name_or_path, char **extension_image_paths, PortableFlags flags, PortableState *ret, sd_bus_error *error); int portable_get_state(RuntimeScope scope, sd_bus *bus, const char *name_or_path, char **extension_image_paths, PortableFlags flags, PortableState *ret, sd_bus_error *error);
int portable_get_profiles(char ***ret); int portable_get_profiles(char ***ret);

View File

@ -165,6 +165,7 @@ static int method_list_images(sd_bus_message *message, void *userdata, sd_bus_er
return r; return r;
r = portable_get_state( r = portable_get_state(
m->runtime_scope,
sd_bus_message_get_bus(message), sd_bus_message_get_bus(message),
image->path, image->path,
NULL, NULL,
@ -225,6 +226,7 @@ static int method_get_image_metadata(sd_bus_message *message, void *userdata, sd
static int method_get_image_state(sd_bus_message *message, void *userdata, sd_bus_error *error) { static int method_get_image_state(sd_bus_message *message, void *userdata, sd_bus_error *error) {
_cleanup_strv_free_ char **extension_images = NULL; _cleanup_strv_free_ char **extension_images = NULL;
Manager *m = ASSERT_PTR(userdata);
const char *name_or_path; const char *name_or_path;
PortableState state; PortableState state;
int r; int r;
@ -254,6 +256,7 @@ static int method_get_image_state(sd_bus_message *message, void *userdata, sd_bu
} }
r = portable_get_state( r = portable_get_state(
m->runtime_scope,
sd_bus_message_get_bus(message), sd_bus_message_get_bus(message),
name_or_path, name_or_path,
extension_images, extension_images,
@ -330,6 +333,7 @@ static int method_detach_image(sd_bus_message *message, void *userdata, sd_bus_e
return 1; /* Will call us back */ return 1; /* Will call us back */
r = portable_detach( r = portable_detach(
m->runtime_scope,
sd_bus_message_get_bus(message), sd_bus_message_get_bus(message),
name_or_path, name_or_path,
extension_images, extension_images,

View File

@ -114,10 +114,8 @@ int bus_image_common_get_metadata(
assert(name_or_path || image); assert(name_or_path || image);
assert(message); assert(message);
if (!m) { if (!m)
assert(image); m = ASSERT_PTR(ASSERT_PTR(image)->userdata);
m = image->userdata;
}
bool have_exti = sd_bus_message_is_method_call(message, NULL, "GetImageMetadataWithExtensions") || bool have_exti = sd_bus_message_is_method_call(message, NULL, "GetImageMetadataWithExtensions") ||
sd_bus_message_is_method_call(message, NULL, "GetMetadataWithExtensions"); sd_bus_message_is_method_call(message, NULL, "GetMetadataWithExtensions");
@ -160,6 +158,7 @@ int bus_image_common_get_metadata(
return 1; return 1;
r = portable_extract( r = portable_extract(
m->runtime_scope,
image->path, image->path,
matches, matches,
extension_images, extension_images,
@ -264,6 +263,7 @@ static int bus_image_method_get_state(
_cleanup_strv_free_ char **extension_images = NULL; _cleanup_strv_free_ char **extension_images = NULL;
Image *image = ASSERT_PTR(userdata); Image *image = ASSERT_PTR(userdata);
Manager *m = ASSERT_PTR(image->userdata);
PortableState state; PortableState state;
int r; int r;
@ -288,6 +288,7 @@ static int bus_image_method_get_state(
} }
r = portable_get_state( r = portable_get_state(
m->runtime_scope,
sd_bus_message_get_bus(message), sd_bus_message_get_bus(message),
image->path, image->path,
extension_images, extension_images,
@ -385,6 +386,7 @@ int bus_image_common_attach(
return 1; return 1;
r = portable_attach( r = portable_attach(
m->runtime_scope,
sd_bus_message_get_bus(message), sd_bus_message_get_bus(message),
image->path, image->path,
matches, matches,
@ -463,6 +465,7 @@ static int bus_image_method_detach(
return 1; /* Will call us back */ return 1; /* Will call us back */
r = portable_detach( r = portable_detach(
m->runtime_scope,
sd_bus_message_get_bus(message), sd_bus_message_get_bus(message),
image->path, image->path,
extension_images, extension_images,
@ -513,6 +516,7 @@ int bus_image_common_remove(
return 1; /* Will call us back */ return 1; /* Will call us back */
r = portable_get_state( r = portable_get_state(
m->runtime_scope,
sd_bus_message_get_bus(message), sd_bus_message_get_bus(message),
image->path, image->path,
NULL, NULL,
@ -716,6 +720,7 @@ int bus_image_common_reattach(
return 1; return 1;
r = portable_detach( r = portable_detach(
m->runtime_scope,
sd_bus_message_get_bus(message), sd_bus_message_get_bus(message),
image->path, image->path,
extension_images, extension_images,
@ -727,6 +732,7 @@ int bus_image_common_reattach(
return r; return r;
r = portable_attach( r = portable_attach(
m->runtime_scope,
sd_bus_message_get_bus(message), sd_bus_message_get_bus(message),
image->path, image->path,
matches, matches,
@ -1039,7 +1045,7 @@ int bus_image_acquire(
if (image_name_is_valid(name_or_path)) { if (image_name_is_valid(name_or_path)) {
/* If it's a short name, let's search for it */ /* If it's a short name, let's search for it */
r = image_find(IMAGE_PORTABLE, name_or_path, NULL, &loaded); r = image_find(m->runtime_scope, IMAGE_PORTABLE, name_or_path, NULL, &loaded);
if (r == -ENOENT) if (r == -ENOENT)
return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_PORTABLE_IMAGE, return sd_bus_error_setf(error, BUS_ERROR_NO_SUCH_PORTABLE_IMAGE,
"No image '%s' found.", name_or_path); "No image '%s' found.", name_or_path);

View File

@ -91,7 +91,7 @@ int manager_image_cache_discover(Manager *m, Hashmap *images, sd_bus_error *erro
/* A wrapper around image_discover() (for finding images in search path) and portable_discover_attached() (for /* A wrapper around image_discover() (for finding images in search path) and portable_discover_attached() (for
* finding attached images). */ * finding attached images). */
r = image_discover(IMAGE_PORTABLE, NULL, images); r = image_discover(m->runtime_scope, IMAGE_PORTABLE, NULL, images);
if (r < 0) if (r < 0)
return r; return r;

View File

@ -28,10 +28,14 @@ static int manager_new(Manager **ret) {
assert(ret); assert(ret);
m = new0(Manager, 1); m = new(Manager, 1);
if (!m) if (!m)
return -ENOMEM; return -ENOMEM;
*m = (Manager) {
.runtime_scope = RUNTIME_SCOPE_SYSTEM,
};
r = sd_event_default(&m->event); r = sd_event_default(&m->event);
if (r < 0) if (r < 0)
return r; return r;

View File

@ -7,6 +7,7 @@
#include "bus-object.h" #include "bus-object.h"
#include "hashmap.h" #include "hashmap.h"
#include "list.h" #include "list.h"
#include "runtime-scope.h"
typedef struct Manager Manager; typedef struct Manager Manager;
@ -23,6 +24,8 @@ struct Manager {
LIST_HEAD(Operation, operations); LIST_HEAD(Operation, operations);
unsigned n_operations; unsigned n_operations;
RuntimeScope runtime_scope; /* for now always RUNTIME_SCOPE_SYSTEM */
}; };
extern const BusObjectImplementation manager_object; extern const BusObjectImplementation manager_object;

View File

@ -8572,9 +8572,12 @@ static int parse_argv(int argc, char *argv[], X509 **ret_certificate, EVP_PKEY *
arg_private_key_source, arg_private_key_source,
arg_private_key, arg_private_key,
&(AskPasswordRequest) { &(AskPasswordRequest) {
.tty_fd = -EBADF,
.id = "repart-private-key-pin", .id = "repart-private-key-pin",
.keyring = arg_private_key, .keyring = arg_private_key,
.credential = "repart.private-key-pin", .credential = "repart.private-key-pin",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}, },
&private_key, &private_key,
&ui); &ui);

View File

@ -203,9 +203,12 @@ static int verb_sign(int argc, char *argv[], void *userdata) {
arg_private_key_source, arg_private_key_source,
arg_private_key, arg_private_key,
&(AskPasswordRequest) { &(AskPasswordRequest) {
.tty_fd = -EBADF,
.id = "sbsign-private-key-pin", .id = "sbsign-private-key-pin",
.keyring = arg_private_key, .keyring = arg_private_key,
.credential = "sbsign.private-key-pin", .credential = "sbsign.private-key-pin",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}, },
&private_key, &private_key,
&ui); &ui);

View File

@ -309,9 +309,7 @@ static int backspace_string(int ttyfd, const char *str) {
int ask_password_plymouth( int ask_password_plymouth(
const AskPasswordRequest *req, const AskPasswordRequest *req,
usec_t until,
AskPasswordFlags flags, AskPasswordFlags flags,
const char *flag_file,
char ***ret) { char ***ret) {
_cleanup_close_ int fd = -EBADF, inotify_fd = -EBADF; _cleanup_close_ int fd = -EBADF, inotify_fd = -EBADF;
@ -328,12 +326,12 @@ int ask_password_plymouth(
const char *message = req && req->message ? req->message : "Password:"; const char *message = req && req->message ? req->message : "Password:";
if (flag_file) { if (req->flag_file) {
inotify_fd = inotify_init1(IN_CLOEXEC|IN_NONBLOCK); inotify_fd = inotify_init1(IN_CLOEXEC|IN_NONBLOCK);
if (inotify_fd < 0) if (inotify_fd < 0)
return -errno; return -errno;
if (inotify_add_watch(inotify_fd, flag_file, IN_ATTRIB) < 0) /* for the link count */ if (inotify_add_watch(inotify_fd, req->flag_file, IN_ATTRIB) < 0) /* for the link count */
return -errno; return -errno;
} }
@ -357,25 +355,40 @@ int ask_password_plymouth(
enum { enum {
POLL_SOCKET, POLL_SOCKET,
POLL_INOTIFY, /* Must be last, because optional */ POLL_TWO,
POLL_THREE,
_POLL_MAX, _POLL_MAX,
}; };
struct pollfd pollfd[_POLL_MAX] = { struct pollfd pollfd[_POLL_MAX] = {
[POLL_SOCKET] = { .fd = fd, .events = POLLIN }, [POLL_SOCKET] = {
[POLL_INOTIFY] = { .fd = inotify_fd, .events = POLLIN }, .fd = fd,
.events = POLLIN,
},
}; };
size_t n_pollfd = inotify_fd >= 0 ? _POLL_MAX : _POLL_MAX-1; size_t n_pollfd = POLL_SOCKET + 1, inotify_idx = SIZE_MAX, hup_fd_idx = SIZE_MAX;
if (inotify_fd >= 0)
pollfd[inotify_idx = n_pollfd++] = (struct pollfd) {
.fd = inotify_fd,
.events = POLLIN,
};
if (req->hup_fd >= 0)
pollfd[hup_fd_idx = n_pollfd++] = (struct pollfd) {
.fd = req->hup_fd,
.events = POLLHUP,
};
assert(n_pollfd <= _POLL_MAX);
for (;;) { for (;;) {
usec_t timeout; usec_t timeout;
if (until > 0) if (req->until > 0)
timeout = usec_sub_unsigned(until, now(CLOCK_MONOTONIC)); timeout = usec_sub_unsigned(req->until, now(CLOCK_MONOTONIC));
else else
timeout = USEC_INFINITY; timeout = USEC_INFINITY;
if (flag_file && access(flag_file, F_OK) < 0) if (req->flag_file && access(req->flag_file, F_OK) < 0)
return -errno; return -errno;
r = ppoll_usec(pollfd, n_pollfd, timeout); r = ppoll_usec(pollfd, n_pollfd, timeout);
@ -386,7 +399,10 @@ int ask_password_plymouth(
if (r == 0) if (r == 0)
return -ETIME; return -ETIME;
if (inotify_fd >= 0 && pollfd[POLL_INOTIFY].revents != 0) if (req->hup_fd >= 0 && pollfd[hup_fd_idx].revents & POLLHUP)
return -ECONNRESET;
if (inotify_fd >= 0 && pollfd[inotify_idx].revents != 0)
(void) flush_fd(inotify_fd); (void) flush_fd(inotify_fd);
if (pollfd[POLL_SOCKET].revents == 0) if (pollfd[POLL_SOCKET].revents == 0)
@ -464,11 +480,8 @@ int ask_password_plymouth(
#define SKIPPED "(skipped)" #define SKIPPED "(skipped)"
int ask_password_tty( int ask_password_tty(
int ttyfd,
const AskPasswordRequest *req, const AskPasswordRequest *req,
usec_t until,
AskPasswordFlags flags, AskPasswordFlags flags,
const char *flag_file,
char ***ret) { char ***ret) {
bool reset_tty = false, dirty = false, use_color = false, press_tab_visible = false; bool reset_tty = false, dirty = false, use_color = false, press_tab_visible = false;
@ -493,15 +506,14 @@ int ask_password_tty(
if (!FLAGS_SET(flags, ASK_PASSWORD_HIDE_EMOJI) && emoji_enabled()) if (!FLAGS_SET(flags, ASK_PASSWORD_HIDE_EMOJI) && emoji_enabled())
message = strjoina(special_glyph(SPECIAL_GLYPH_LOCK_AND_KEY), " ", message); message = strjoina(special_glyph(SPECIAL_GLYPH_LOCK_AND_KEY), " ", message);
if (flag_file || (FLAGS_SET(flags, ASK_PASSWORD_ACCEPT_CACHED) && keyring)) { if (req->flag_file || (FLAGS_SET(flags, ASK_PASSWORD_ACCEPT_CACHED) && keyring)) {
inotify_fd = inotify_init1(IN_CLOEXEC|IN_NONBLOCK); inotify_fd = inotify_init1(IN_CLOEXEC|IN_NONBLOCK);
if (inotify_fd < 0) if (inotify_fd < 0)
return -errno; return -errno;
} }
if (flag_file) { if (req->flag_file)
if (inotify_add_watch(inotify_fd, flag_file, IN_ATTRIB /* for the link count */) < 0) if (inotify_add_watch(inotify_fd, req->flag_file, IN_ATTRIB /* for the link count */) < 0)
return -errno; return -errno;
}
if (FLAGS_SET(flags, ASK_PASSWORD_ACCEPT_CACHED) && req && keyring) { if (FLAGS_SET(flags, ASK_PASSWORD_ACCEPT_CACHED) && req && keyring) {
r = ask_password_keyring(req, flags, ret); r = ask_password_keyring(req, flags, ret);
if (r >= 0) if (r >= 0)
@ -529,8 +541,11 @@ int ask_password_tty(
CLEANUP_ERASE(passphrase); CLEANUP_ERASE(passphrase);
/* If the caller didn't specify a TTY, then use the controlling tty, if we can. */ /* If the caller didn't specify a TTY, then use the controlling tty, if we can. */
if (ttyfd < 0) int ttyfd;
if (req->tty_fd < 0)
ttyfd = cttyfd = open("/dev/tty", O_RDWR|O_NOCTTY|O_CLOEXEC); ttyfd = cttyfd = open("/dev/tty", O_RDWR|O_NOCTTY|O_CLOEXEC);
else
ttyfd = req->tty_fd;
if (ttyfd >= 0) { if (ttyfd >= 0) {
if (tcgetattr(ttyfd, &old_termios) < 0) if (tcgetattr(ttyfd, &old_termios) < 0)
@ -570,28 +585,44 @@ int ask_password_tty(
enum { enum {
POLL_TTY, POLL_TTY,
POLL_INOTIFY, /* Must be last, because optional */ POLL_TWO,
POLL_THREE,
_POLL_MAX, _POLL_MAX,
}; };
struct pollfd pollfd[_POLL_MAX] = { struct pollfd pollfd[_POLL_MAX] = {
[POLL_TTY] = { .fd = ttyfd >= 0 ? ttyfd : STDIN_FILENO, .events = POLLIN }, [POLL_TTY] = {
[POLL_INOTIFY] = { .fd = inotify_fd, .events = POLLIN }, .fd = ttyfd >= 0 ? ttyfd : STDIN_FILENO,
.events = POLLIN,
},
}; };
size_t n_pollfd = inotify_fd >= 0 ? _POLL_MAX : _POLL_MAX-1; size_t n_pollfd = POLL_TTY + 1, inotify_idx = SIZE_MAX, hup_fd_idx = SIZE_MAX;
if (inotify_fd >= 0)
pollfd[inotify_idx = n_pollfd++] = (struct pollfd) {
.fd = inotify_fd,
.events = POLLIN,
};
if (req->hup_fd >= 0)
pollfd[hup_fd_idx = n_pollfd++] = (struct pollfd) {
.fd = req->hup_fd,
.events = POLLHUP,
};
assert(n_pollfd <= _POLL_MAX);
for (;;) { for (;;) {
_cleanup_(erase_char) char c; _cleanup_(erase_char) char c;
usec_t timeout; usec_t timeout;
ssize_t n; ssize_t n;
if (until > 0) if (req->until > 0)
timeout = usec_sub_unsigned(until, now(CLOCK_MONOTONIC)); timeout = usec_sub_unsigned(req->until, now(CLOCK_MONOTONIC));
else else
timeout = USEC_INFINITY; timeout = USEC_INFINITY;
if (flag_file) { if (req->flag_file) {
r = RET_NERRNO(access(flag_file, F_OK)); r = RET_NERRNO(access(req->flag_file, F_OK));
if (r < 0) if (r < 0)
goto finish; goto finish;
} }
@ -606,7 +637,12 @@ int ask_password_tty(
goto finish; goto finish;
} }
if (inotify_fd >= 0 && pollfd[POLL_INOTIFY].revents != 0 && keyring) { if (req->hup_fd >= 0 && pollfd[hup_fd_idx].revents & POLLHUP) {
r = -ECONNRESET;
goto finish;
}
if (inotify_fd >= 0 && pollfd[inotify_idx].revents != 0 && keyring) {
(void) flush_fd(inotify_fd); (void) flush_fd(inotify_fd);
r = ask_password_keyring(req, flags, ret); r = ask_password_keyring(req, flags, ret);
@ -800,7 +836,6 @@ static int create_socket(const char *askpwdir, char **ret) {
int ask_password_agent( int ask_password_agent(
const AskPasswordRequest *req, const AskPasswordRequest *req,
usec_t until,
AskPasswordFlags flags, AskPasswordFlags flags,
char ***ret) { char ***ret) {
@ -820,6 +855,10 @@ int ask_password_agent(
if (FLAGS_SET(flags, ASK_PASSWORD_NO_AGENT)) if (FLAGS_SET(flags, ASK_PASSWORD_NO_AGENT))
return -EUNATCH; return -EUNATCH;
/* We don't support the flag file concept for now when querying via the agent logic */
if (req->flag_file)
return -EOPNOTSUPP;
assert_se(sigemptyset(&mask) >= 0); assert_se(sigemptyset(&mask) >= 0);
assert_se(sigset_add_many(&mask, SIGINT, SIGTERM) >= 0); assert_se(sigset_add_many(&mask, SIGINT, SIGTERM) >= 0);
assert_se(sigprocmask(SIG_BLOCK, &mask, &oldmask) >= 0); assert_se(sigprocmask(SIG_BLOCK, &mask, &oldmask) >= 0);
@ -891,7 +930,7 @@ int ask_password_agent(
socket_name, socket_name,
FLAGS_SET(flags, ASK_PASSWORD_ACCEPT_CACHED), FLAGS_SET(flags, ASK_PASSWORD_ACCEPT_CACHED),
FLAGS_SET(flags, ASK_PASSWORD_ECHO), FLAGS_SET(flags, ASK_PASSWORD_ECHO),
until, req->until,
FLAGS_SET(flags, ASK_PASSWORD_SILENT)); FLAGS_SET(flags, ASK_PASSWORD_SILENT));
if (req) { if (req) {
@ -924,16 +963,29 @@ int ask_password_agent(
enum { enum {
POLL_SOCKET, POLL_SOCKET,
POLL_SIGNAL, POLL_SIGNAL,
POLL_INOTIFY, /* Must be last, because optional */ POLL_THREE,
POLL_FOUR,
_POLL_MAX _POLL_MAX
}; };
struct pollfd pollfd[_POLL_MAX] = { struct pollfd pollfd[_POLL_MAX] = {
[POLL_SOCKET] = { .fd = socket_fd, .events = POLLIN }, [POLL_SOCKET] = { .fd = socket_fd, .events = POLLIN },
[POLL_SIGNAL] = { .fd = signal_fd, .events = POLLIN }, [POLL_SIGNAL] = { .fd = signal_fd, .events = POLLIN },
[POLL_INOTIFY] = { .fd = inotify_fd, .events = POLLIN },
}; };
size_t n_pollfd = inotify_fd >= 0 ? _POLL_MAX : _POLL_MAX - 1; size_t n_pollfd = POLL_SIGNAL + 1, inotify_idx = SIZE_MAX, hup_fd_idx = SIZE_MAX;
if (inotify_fd >= 0)
pollfd[inotify_idx = n_pollfd++] = (struct pollfd) {
.fd = inotify_fd,
.events = POLLIN,
};
if (req->hup_fd >= 0)
pollfd[hup_fd_idx = n_pollfd ++] = (struct pollfd) {
.fd = req->hup_fd,
.events = POLLHUP,
};
assert(n_pollfd <= _POLL_MAX);
for (;;) { for (;;) {
CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct ucred))) control; CMSG_BUFFER_TYPE(CMSG_SPACE(sizeof(struct ucred))) control;
@ -943,8 +995,8 @@ int ask_password_agent(
usec_t timeout; usec_t timeout;
ssize_t n; ssize_t n;
if (until > 0) if (req->until > 0)
timeout = usec_sub_unsigned(until, now(CLOCK_MONOTONIC)); timeout = usec_sub_unsigned(req->until, now(CLOCK_MONOTONIC));
else else
timeout = USEC_INFINITY; timeout = USEC_INFINITY;
@ -963,7 +1015,10 @@ int ask_password_agent(
goto finish; goto finish;
} }
if (inotify_fd >= 0 && pollfd[POLL_INOTIFY].revents != 0) { if (req->hup_fd >= 0 && pollfd[hup_fd_idx].revents & POLLHUP)
return -ECONNRESET;
if (inotify_fd >= 0 && pollfd[inotify_idx].revents != 0) {
(void) flush_fd(inotify_fd); (void) flush_fd(inotify_fd);
if (req && req->keyring) { if (req && req->keyring) {
@ -1103,7 +1158,6 @@ static int ask_password_credential(const AskPasswordRequest *req, AskPasswordFla
int ask_password_auto( int ask_password_auto(
const AskPasswordRequest *req, const AskPasswordRequest *req,
usec_t until,
AskPasswordFlags flags, AskPasswordFlags flags,
char ***ret) { char ***ret) {
@ -1111,6 +1165,17 @@ int ask_password_auto(
assert(ret); assert(ret);
/* Returns the following well-known errors:
*
* -ETIME a timeout was specified and hit
* -EUNATCH couldn't ask interactively and no cached password available either
* -ENOENT the specified flag file disappeared
* -ECANCELED the user explicitly cancelled the request
* -EINTR SIGINT/SIGTERM where received during the query
* -ENOEXEC headless mode was requested but no password could be acquired non-interactively
* -ECONNRESET a POLLHUP has been seen on the specified hup_fd
*/
if (!FLAGS_SET(flags, ASK_PASSWORD_NO_CREDENTIAL) && req && req->credential) { if (!FLAGS_SET(flags, ASK_PASSWORD_NO_CREDENTIAL) && req && req->credential) {
r = ask_password_credential(req, flags, ret); r = ask_password_credential(req, flags, ret);
if (r != -ENOKEY) if (r != -ENOKEY)
@ -1127,10 +1192,10 @@ int ask_password_auto(
} }
if (!FLAGS_SET(flags, ASK_PASSWORD_NO_TTY) && isatty_safe(STDIN_FILENO)) if (!FLAGS_SET(flags, ASK_PASSWORD_NO_TTY) && isatty_safe(STDIN_FILENO))
return ask_password_tty(-EBADF, req, until, flags, NULL, ret); return ask_password_tty(req, flags, ret);
if (!FLAGS_SET(flags, ASK_PASSWORD_NO_AGENT)) if (!FLAGS_SET(flags, ASK_PASSWORD_NO_AGENT))
return ask_password_agent(req, until, flags, ret); return ask_password_agent(req, flags, ret);
return -EUNATCH; return -EUNATCH;
} }

View File

@ -26,11 +26,15 @@ typedef struct AskPasswordRequest {
const char *icon; /* freedesktop icon spec name */ const char *icon; /* freedesktop icon spec name */
const char *id; /* some identifier used for this prompt for the "ask-password" protocol */ const char *id; /* some identifier used for this prompt for the "ask-password" protocol */
const char *credential; /* $CREDENTIALS_DIRECTORY credential name */ const char *credential; /* $CREDENTIALS_DIRECTORY credential name */
const char *flag_file; /* Once this flag file disappears abort the query */
int tty_fd; /* If querying on a TTY, the TTY to query on (or -EBADF) */
usec_t until; /* CLOCK_MONOTONIC time until which to show the prompt */
int hup_fd; /* An extra fd to watch for POLLHUP, in which case to abort the query */
} AskPasswordRequest; } AskPasswordRequest;
int ask_password_tty(int tty_fd, const AskPasswordRequest *req, usec_t until, AskPasswordFlags flags, const char *flag_file, char ***ret); int ask_password_tty(const AskPasswordRequest *req, AskPasswordFlags flags, char ***ret);
int ask_password_plymouth(const AskPasswordRequest *req, usec_t until, AskPasswordFlags flags, const char *flag_file, char ***ret); int ask_password_plymouth(const AskPasswordRequest *req, AskPasswordFlags flags, char ***ret);
int ask_password_agent(const AskPasswordRequest *req, usec_t until, AskPasswordFlags flag, char ***ret); int ask_password_agent(const AskPasswordRequest *req, AskPasswordFlags flag, char ***ret);
int ask_password_auto(const AskPasswordRequest *req, usec_t until, AskPasswordFlags flag, char ***ret); int ask_password_auto(const AskPasswordRequest *req, AskPasswordFlags flag, char ***ret);
int acquire_user_ask_password_directory(char **ret); int acquire_user_ask_password_directory(char **ret);

View File

@ -21,6 +21,7 @@
#include "battery-util.h" #include "battery-util.h"
#include "blockdev-util.h" #include "blockdev-util.h"
#include "cap-list.h" #include "cap-list.h"
#include "capability-util.h"
#include "cgroup-util.h" #include "cgroup-util.h"
#include "compare-operator.h" #include "compare-operator.h"
#include "condition.h" #include "condition.h"
@ -701,45 +702,23 @@ static int condition_test_security(Condition *c, char **env) {
} }
static int condition_test_capability(Condition *c, char **env) { static int condition_test_capability(Condition *c, char **env) {
unsigned long long capabilities = (unsigned long long) -1; int r;
_cleanup_fclose_ FILE *f = NULL;
int value, r;
assert(c); assert(c);
assert(c->parameter); assert(c->parameter);
assert(c->type == CONDITION_CAPABILITY); assert(c->type == CONDITION_CAPABILITY);
/* If it's an invalid capability, we don't have it */ /* If it's an invalid capability, we don't have it */
value = capability_from_name(c->parameter); int value = capability_from_name(c->parameter);
if (value < 0) if (value < 0)
return -EINVAL; return -EINVAL;
/* If it's a valid capability we default to assume CapabilityQuintet q;
* that we have it */ r = pidref_get_capability(&PIDREF_MAKE_FROM_PID(getpid_cached()), &q);
if (r < 0)
return r;
f = fopen("/proc/self/status", "re"); return !!(q.bounding & ((UINT64_C(1) << value)));
if (!f)
return -errno;
for (;;) {
_cleanup_free_ char *line = NULL;
r = read_line(f, LONG_LINE_MAX, &line);
if (r < 0)
return r;
if (r == 0)
break;
const char *p = startswith(line, "CapBnd:");
if (p) {
if (sscanf(p, "%llx", &capabilities) != 1)
return -EIO;
break;
}
}
return !!(capabilities & (1ULL << value));
} }
static int condition_test_needs_update(Condition *c, char **env) { static int condition_test_needs_update(Condition *c, char **env) {

View File

@ -111,15 +111,18 @@ int acquire_fido2_key(
if (FLAGS_SET(askpw_flags, ASK_PASSWORD_HEADLESS)) if (FLAGS_SET(askpw_flags, ASK_PASSWORD_HEADLESS))
return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable."); return log_error_errno(SYNTHETIC_ERRNO(ENOPKG), "PIN querying disabled via 'headless' option. Use the '$PIN' environment variable.");
static const AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = "Please enter security token PIN:", .message = "Please enter security token PIN:",
.icon = "drive-harddisk", .icon = "drive-harddisk",
.keyring = "fido2-pin", .keyring = "fido2-pin",
.credential = "cryptsetup.fido2-pin", .credential = "cryptsetup.fido2-pin",
.until = until,
.hup_fd = -EBADF,
}; };
pins = strv_free_erase(pins); pins = strv_free_erase(pins);
r = ask_password_auto(&req, until, askpw_flags, &pins); r = ask_password_auto(&req, askpw_flags, &pins);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to ask for user password: %m"); return log_error_errno(r, "Failed to ask for user password: %m");

View File

@ -35,14 +35,17 @@ static int get_pin(
"Use the '$PIN' environment variable."); "Use the '$PIN' environment variable.");
AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = "Please enter TPM2 PIN:", .message = "Please enter TPM2 PIN:",
.icon = "drive-harddisk", .icon = "drive-harddisk",
.keyring = "tpm2-pin", .keyring = "tpm2-pin",
.credential = askpw_credential, .credential = askpw_credential,
.until = until,
.hup_fd = -EBADF,
}; };
pin = strv_free_erase(pin); pin = strv_free_erase(pin);
r = ask_password_auto(&req, until, askpw_flags, &pin); r = ask_password_auto(&req, askpw_flags, &pin);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to ask for user pin: %m"); return log_error_errno(r, "Failed to ask for user pin: %m");
assert(strv_length(pin) == 1); assert(strv_length(pin) == 1);

View File

@ -12,6 +12,8 @@
#include <sys/stat.h> #include <sys/stat.h>
#include <unistd.h> #include <unistd.h>
#include "sd-path.h"
#include "alloc-util.h" #include "alloc-util.h"
#include "blockdev-util.h" #include "blockdev-util.h"
#include "btrfs-util.h" #include "btrfs-util.h"
@ -553,12 +555,95 @@ static int image_make(
return -EMEDIUMTYPE; return -EMEDIUMTYPE;
} }
static const char *pick_image_search_path(ImageClass class) { static int pick_image_search_path(
if (class < 0 || class >= _IMAGE_CLASS_MAX) RuntimeScope scope,
return NULL; ImageClass class,
char ***ret) {
/* Use the initrd search path if there is one, otherwise use the common one */ int r;
return in_initrd() && image_search_path_initrd[class] ? image_search_path_initrd[class] : image_search_path[class];
assert(scope < _RUNTIME_SCOPE_MAX && scope != RUNTIME_SCOPE_GLOBAL);
assert(class < _IMAGE_CLASS_MAX);
assert(ret);
if (class < 0) {
*ret = NULL;
return 0;
}
if (scope < 0) {
_cleanup_strv_free_ char **a = NULL, **b = NULL;
r = pick_image_search_path(RUNTIME_SCOPE_USER, class, &a);
if (r < 0)
return r;
r = pick_image_search_path(RUNTIME_SCOPE_SYSTEM, class, &b);
if (r < 0)
return r;
r = strv_extend_strv(&a, b, /* filter_duplicates= */ false);
if (r < 0)
return r;
*ret = TAKE_PTR(a);
return 0;
}
switch (scope) {
case RUNTIME_SCOPE_SYSTEM: {
const char *ns;
/* Use the initrd search path if there is one, otherwise use the common one */
ns = in_initrd() && image_search_path_initrd[class] ?
image_search_path_initrd[class] :
image_search_path[class];
if (!ns)
break;
_cleanup_strv_free_ char **search = strv_split_nulstr(ns);
if (!search)
return -ENOMEM;
*ret = TAKE_PTR(search);
return 0;
}
case RUNTIME_SCOPE_USER: {
if (class != IMAGE_MACHINE)
break;
static const uint64_t dirs[] = {
SD_PATH_USER_RUNTIME,
SD_PATH_USER_STATE_PRIVATE,
SD_PATH_USER_LIBRARY_PRIVATE,
};
_cleanup_strv_free_ char **search = NULL;
FOREACH_ELEMENT(d, dirs) {
_cleanup_free_ char *p = NULL;
r = sd_path_lookup(*d, "machines", &p);
if (r == -ENXIO) /* No XDG_RUNTIME_DIR set */
continue;
if (r < 0)
return r;
r = strv_consume(&search, TAKE_PTR(p));
if (r < 0)
return r;
}
*ret = TAKE_PTR(search);
return 0;
}
default:
assert_not_reached();
}
*ret = NULL;
return 0;
} }
static char **make_possible_filenames(ImageClass class, const char *image_name) { static char **make_possible_filenames(ImageClass class, const char *image_name) {
@ -592,7 +677,8 @@ static char **make_possible_filenames(ImageClass class, const char *image_name)
return TAKE_PTR(l); return TAKE_PTR(l);
} }
int image_find(ImageClass class, int image_find(RuntimeScope scope,
ImageClass class,
const char *name, const char *name,
const char *root, const char *root,
Image **ret) { Image **ret) {
@ -602,6 +688,7 @@ int image_find(ImageClass class,
* some root directory.) */ * some root directory.) */
int open_flags = root ? O_NOFOLLOW : 0, r; int open_flags = root ? O_NOFOLLOW : 0, r;
assert(scope < _RUNTIME_SCOPE_MAX && scope != RUNTIME_SCOPE_GLOBAL);
assert(class >= 0); assert(class >= 0);
assert(class < _IMAGE_CLASS_MAX); assert(class < _IMAGE_CLASS_MAX);
assert(name); assert(name);
@ -614,11 +701,16 @@ int image_find(ImageClass class,
if (!names) if (!names)
return -ENOMEM; return -ENOMEM;
NULSTR_FOREACH(path, pick_image_search_path(class)) { _cleanup_strv_free_ char **search = NULL;
r = pick_image_search_path(scope, class, &search);
if (r < 0)
return r;
STRV_FOREACH(path, search) {
_cleanup_free_ char *resolved = NULL; _cleanup_free_ char *resolved = NULL;
_cleanup_closedir_ DIR *d = NULL; _cleanup_closedir_ DIR *d = NULL;
r = chase_and_opendir(path, root, CHASE_PREFIX_ROOT, &resolved, &d); r = chase_and_opendir(*path, root, CHASE_PREFIX_ROOT, &resolved, &d);
if (r == -ENOENT) if (r == -ENOENT)
continue; continue;
if (r < 0) if (r < 0)
@ -722,7 +814,7 @@ int image_find(ImageClass class,
} }
} }
if (class == IMAGE_MACHINE && streq(name, ".host")) { if (scope == RUNTIME_SCOPE_SYSTEM && class == IMAGE_MACHINE && streq(name, ".host")) {
r = image_make(class, r = image_make(class,
".host", ".host",
/* dir_fd= */ AT_FDCWD, /* dir_fd= */ AT_FDCWD,
@ -771,14 +863,21 @@ int image_from_path(const char *path, Image **ret) {
ret); ret);
} }
int image_find_harder(ImageClass class, const char *name_or_path, const char *root, Image **ret) { int image_find_harder(
RuntimeScope scope,
ImageClass class,
const char *name_or_path,
const char *root,
Image **ret) {
if (image_name_is_valid(name_or_path)) if (image_name_is_valid(name_or_path))
return image_find(class, name_or_path, root, ret); return image_find(scope, class, name_or_path, root, ret);
return image_from_path(name_or_path, ret); return image_from_path(name_or_path, ret);
} }
int image_discover( int image_discover(
RuntimeScope scope,
ImageClass class, ImageClass class,
const char *root, const char *root,
Hashmap *h) { Hashmap *h) {
@ -788,15 +887,21 @@ int image_discover(
* some root directory.) */ * some root directory.) */
int open_flags = root ? O_NOFOLLOW : 0, r; int open_flags = root ? O_NOFOLLOW : 0, r;
assert(scope < _RUNTIME_SCOPE_MAX && scope != RUNTIME_SCOPE_GLOBAL);
assert(class >= 0); assert(class >= 0);
assert(class < _IMAGE_CLASS_MAX); assert(class < _IMAGE_CLASS_MAX);
assert(h); assert(h);
NULSTR_FOREACH(path, pick_image_search_path(class)) { _cleanup_strv_free_ char **search = NULL;
r = pick_image_search_path(scope, class, &search);
if (r < 0)
return r;
STRV_FOREACH(path, search) {
_cleanup_free_ char *resolved = NULL; _cleanup_free_ char *resolved = NULL;
_cleanup_closedir_ DIR *d = NULL; _cleanup_closedir_ DIR *d = NULL;
r = chase_and_opendir(path, root, CHASE_PREFIX_ROOT, &resolved, &d); r = chase_and_opendir(*path, root, CHASE_PREFIX_ROOT, &resolved, &d);
if (r == -ENOENT) if (r == -ENOENT)
continue; continue;
if (r < 0) if (r < 0)
@ -946,7 +1051,7 @@ int image_discover(
} }
} }
if (class == IMAGE_MACHINE && !hashmap_contains(h, ".host")) { if (scope == RUNTIME_SCOPE_SYSTEM && class == IMAGE_MACHINE && !hashmap_contains(h, ".host")) {
_cleanup_(image_unrefp) Image *image = NULL; _cleanup_(image_unrefp) Image *image = NULL;
r = image_make(IMAGE_MACHINE, r = image_make(IMAGE_MACHINE,
@ -1063,7 +1168,7 @@ static int rename_auxiliary_file(const char *path, const char *new_name, const c
return rename_noreplace(AT_FDCWD, path, AT_FDCWD, rs); return rename_noreplace(AT_FDCWD, path, AT_FDCWD, rs);
} }
int image_rename(Image *i, const char *new_name) { int image_rename(Image *i, const char *new_name, RuntimeScope scope) {
_cleanup_(release_lock_file) LockFile global_lock = LOCK_FILE_INIT, local_lock = LOCK_FILE_INIT, name_lock = LOCK_FILE_INIT; _cleanup_(release_lock_file) LockFile global_lock = LOCK_FILE_INIT, local_lock = LOCK_FILE_INIT, name_lock = LOCK_FILE_INIT;
_cleanup_free_ char *new_path = NULL, *nn = NULL, *roothash = NULL; _cleanup_free_ char *new_path = NULL, *nn = NULL, *roothash = NULL;
_cleanup_strv_free_ char **settings = NULL; _cleanup_strv_free_ char **settings = NULL;
@ -1098,7 +1203,7 @@ int image_rename(Image *i, const char *new_name) {
if (r < 0) if (r < 0)
return r; return r;
r = image_find(IMAGE_MACHINE, new_name, NULL, NULL); r = image_find(scope, IMAGE_MACHINE, new_name, NULL, NULL);
if (r >= 0) if (r >= 0)
return -EEXIST; return -EEXIST;
if (r != -ENOENT) if (r != -ENOENT)
@ -1185,7 +1290,7 @@ static int clone_auxiliary_file(const char *path, const char *new_name, const ch
return copy_file_atomic(path, rs, 0664, COPY_REFLINK); return copy_file_atomic(path, rs, 0664, COPY_REFLINK);
} }
int image_clone(Image *i, const char *new_name, bool read_only) { int image_clone(Image *i, const char *new_name, bool read_only, RuntimeScope scope) {
_cleanup_(release_lock_file) LockFile name_lock = LOCK_FILE_INIT; _cleanup_(release_lock_file) LockFile name_lock = LOCK_FILE_INIT;
_cleanup_strv_free_ char **settings = NULL; _cleanup_strv_free_ char **settings = NULL;
_cleanup_free_ char *roothash = NULL; _cleanup_free_ char *roothash = NULL;
@ -1212,7 +1317,7 @@ int image_clone(Image *i, const char *new_name, bool read_only) {
if (r < 0) if (r < 0)
return r; return r;
r = image_find(IMAGE_MACHINE, new_name, NULL, NULL); r = image_find(scope, IMAGE_MACHINE, new_name, NULL, NULL);
if (r >= 0) if (r >= 0)
return -EEXIST; return -EEXIST;
if (r != -ENOENT) if (r != -ENOENT)
@ -1646,24 +1751,35 @@ int image_name_lock(const char *name, int operation, LockFile *ret) {
} }
bool image_in_search_path( bool image_in_search_path(
RuntimeScope scope,
ImageClass class, ImageClass class,
const char *root, const char *root,
const char *image) { const char *image) {
int r;
assert(scope < _RUNTIME_SCOPE_MAX && scope != RUNTIME_SCOPE_GLOBAL);
assert(class >= 0);
assert(class < _IMAGE_CLASS_MAX);
assert(image); assert(image);
NULSTR_FOREACH(path, pick_image_search_path(class)) { _cleanup_strv_free_ char **search = NULL;
r = pick_image_search_path(scope, class, &search);
if (r < 0)
return r;
STRV_FOREACH(path, search) {
const char *p, *q; const char *p, *q;
size_t k; size_t k;
if (!empty_or_root(root)) { if (!empty_or_root(root)) {
q = path_startswith(path, root); q = path_startswith(*path, root);
if (!q) if (!q)
continue; continue;
} else } else
q = path; q = *path;
p = path_startswith(q, path); p = path_startswith(q, *path);
if (!p) if (!p)
continue; continue;

View File

@ -13,6 +13,7 @@
#include "macro.h" #include "macro.h"
#include "os-util.h" #include "os-util.h"
#include "path-util.h" #include "path-util.h"
#include "runtime-scope.h"
#include "string-util.h" #include "string-util.h"
#include "time-util.h" #include "time-util.h"
@ -60,14 +61,14 @@ Image *image_ref(Image *i);
DEFINE_TRIVIAL_CLEANUP_FUNC(Image*, image_unref); DEFINE_TRIVIAL_CLEANUP_FUNC(Image*, image_unref);
int image_find(ImageClass class, const char *name, const char *root, Image **ret); int image_find(RuntimeScope scope, ImageClass class, const char *name, const char *root, Image **ret);
int image_from_path(const char *path, Image **ret); int image_from_path(const char *path, Image **ret);
int image_find_harder(ImageClass class, const char *name_or_path, const char *root, Image **ret); int image_find_harder(RuntimeScope scope, ImageClass class, const char *name_or_path, const char *root, Image **ret);
int image_discover(ImageClass class, const char *root, Hashmap *map); int image_discover(RuntimeScope scope, ImageClass class, const char *root, Hashmap *map);
int image_remove(Image *i); int image_remove(Image *i);
int image_rename(Image *i, const char *new_name); int image_rename(Image *i, const char *new_name, RuntimeScope scope);
int image_clone(Image *i, const char *new_name, bool read_only); int image_clone(Image *i, const char *new_name, bool read_only, RuntimeScope scope);
int image_read_only(Image *i, bool b); int image_read_only(Image *i, bool b);
const char* image_type_to_string(ImageType t) _const_; const char* image_type_to_string(ImageType t) _const_;
@ -80,7 +81,7 @@ int image_set_limit(Image *i, uint64_t referenced_max);
int image_read_metadata(Image *i, const ImagePolicy *image_policy); int image_read_metadata(Image *i, const ImagePolicy *image_policy);
bool image_in_search_path(ImageClass class, const char *root, const char *image); bool image_in_search_path(RuntimeScope scope, ImageClass class, const char *root, const char *image);
static inline char **image_extension_release(Image *image, ImageClass class) { static inline char **image_extension_release(Image *image, ImageClass class) {
assert(image); assert(image);

View File

@ -3077,13 +3077,16 @@ int dissected_image_decrypt_interactively(
z = strv_free_erase(z); z = strv_free_erase(z);
static const AskPasswordRequest req = { static const AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = "Please enter image passphrase:", .message = "Please enter image passphrase:",
.id = "dissect", .id = "dissect",
.keyring = "dissect", .keyring = "dissect",
.credential = "dissect.passphrase", .credential = "dissect.passphrase",
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}; };
r = ask_password_auto(&req, USEC_INFINITY, /* flags= */ 0, &z); r = ask_password_auto(&req, /* flags= */ 0, &z);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to query for passphrase: %m"); return log_error_errno(r, "Failed to query for passphrase: %m");

View File

@ -857,13 +857,16 @@ int fido2_generate_hmac_hash(
for (;;) { for (;;) {
_cleanup_strv_free_erase_ char **pin = NULL; _cleanup_strv_free_erase_ char **pin = NULL;
AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = "Please enter security token PIN:", .message = "Please enter security token PIN:",
.icon = askpw_icon, .icon = askpw_icon,
.keyring = "fido2-pin", .keyring = "fido2-pin",
.credential = askpw_credential, .credential = askpw_credential,
.until = USEC_INFINITY,
.hup_fd = -EBADF,
}; };
r = ask_password_auto(&req, USEC_INFINITY, /* flags= */ 0, &pin); r = ask_password_auto(&req, /* flags= */ 0, &pin);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to acquire user PIN: %m"); return log_error_errno(r, "Failed to acquire user PIN: %m");

View File

@ -177,6 +177,7 @@ shared_sources = files(
'userdb-dropin.c', 'userdb-dropin.c',
'userdb.c', 'userdb.c',
'varlink-idl-common.c', 'varlink-idl-common.c',
'varlink-io.systemd.AskPassword.c',
'varlink-io.systemd.BootControl.c', 'varlink-io.systemd.BootControl.c',
'varlink-io.systemd.Credentials.c', 'varlink-io.systemd.Credentials.c',
'varlink-io.systemd.Hostname.c', 'varlink-io.systemd.Hostname.c',

View File

@ -536,6 +536,8 @@ int mount_switch_root_full(const char *path, unsigned long mount_propagation_fla
} }
} }
log_debug("Successfully switched root to '%s'.", path);
/* Finally, let's establish the requested propagation flags. */ /* Finally, let's establish the requested propagation flags. */
if (mount_propagation_flag == 0) if (mount_propagation_flag == 0)
return 0; return 0;
@ -1319,7 +1321,7 @@ int make_userns(uid_t uid_shift, uid_t uid_range, uid_t source_owner, uid_t dest
* process whose only purpose is to give us a new user namespace. It's killed when we got it. */ * process whose only purpose is to give us a new user namespace. It's killed when we got it. */
if (!userns_shift_range_valid(uid_shift, uid_range)) if (!userns_shift_range_valid(uid_shift, uid_range))
return -EINVAL; return log_debug_errno(SYNTHETIC_ERRNO(EINVAL), "Invalid UID range for user namespace.");
if (IN_SET(idmapping, REMOUNT_IDMAPPING_NONE, REMOUNT_IDMAPPING_HOST_ROOT)) { if (IN_SET(idmapping, REMOUNT_IDMAPPING_NONE, REMOUNT_IDMAPPING_HOST_ROOT)) {
if (asprintf(&line, UID_FMT " " UID_FMT " " UID_FMT "\n", 0u, uid_shift, uid_range) < 0) if (asprintf(&line, UID_FMT " " UID_FMT " " UID_FMT "\n", 0u, uid_shift, uid_range) < 0)

View File

@ -87,6 +87,8 @@ int nsresource_allocate_userns(const char *name, uint64_t size) {
SD_JSON_BUILD_PAIR("userNamespaceFileDescriptor", SD_JSON_BUILD_UNSIGNED(userns_fd_idx))); SD_JSON_BUILD_PAIR("userNamespaceFileDescriptor", SD_JSON_BUILD_UNSIGNED(userns_fd_idx)));
if (r < 0) if (r < 0)
return log_debug_errno(r, "Failed to call AllocateUserRange() varlink call: %m"); return log_debug_errno(r, "Failed to call AllocateUserRange() varlink call: %m");
if (streq_ptr(error_id, "io.systemd.NamespaceResource.UserNamespaceInterfaceNotSupported"))
return log_debug_errno(SYNTHETIC_ERRNO(EOPNOTSUPP), "Unprivileged user namespace delegation is not supported on this system.");
if (error_id) if (error_id)
return log_debug_errno(sd_varlink_error_to_errno(error_id, reply), "Failed to allocate user namespace with %" PRIu64 " users: %s", size, error_id); return log_debug_errno(sd_varlink_error_to_errno(error_id, reply), "Failed to allocate user namespace with %" PRIu64 " users: %s", size, error_id);

View File

@ -1399,7 +1399,7 @@ static int openssl_ask_password_ui_read(UI *ui, UI_STRING *uis) {
req->message = UI_get0_output_string(uis); req->message = UI_get0_output_string(uis);
_cleanup_(strv_freep) char **l = NULL; _cleanup_(strv_freep) char **l = NULL;
r = ask_password_auto(req, /*until=*/ 0, ASK_PASSWORD_ACCEPT_CACHED|ASK_PASSWORD_PUSH_CACHE, &l); r = ask_password_auto(req, ASK_PASSWORD_ACCEPT_CACHED|ASK_PASSWORD_PUSH_CACHE, &l);
if (r < 0) { if (r < 0) {
log_error_errno(r, "Failed to query for PIN: %m"); log_error_errno(r, "Failed to query for PIN: %m");
return 0; return 0;

View File

@ -380,15 +380,18 @@ int pkcs11_token_login(
return log_oom(); return log_oom();
AskPasswordRequest req = { AskPasswordRequest req = {
.tty_fd = -EBADF,
.message = text, .message = text,
.icon = askpw_icon, .icon = askpw_icon,
.id = id, .id = id,
.keyring = askpw_keyring, .keyring = askpw_keyring,
.credential = askpw_credential, .credential = askpw_credential,
.until = until,
.hup_fd = -EBADF,
}; };
/* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */ /* We never cache PINs, simply because it's fatal if we use wrong PINs, since usually there are only 3 tries */
r = ask_password_auto(&req, until, askpw_flags, &passwords); r = ask_password_auto(&req, askpw_flags, &passwords);
if (r < 0) if (r < 0)
return log_error_errno(r, "Failed to query PIN for security token '%s': %m", token_label); return log_error_errno(r, "Failed to query PIN for security token '%s': %m", token_label);
} }

View File

@ -840,6 +840,13 @@ static int on_exit_event(sd_event_source *e, void *userdata) {
if (drained(f)) if (drained(f))
return pty_forward_done(f, 0); return pty_forward_done(f, 0);
if (!f->master_hangup)
f->master_writable = f->master_readable = true;
if (!f->stdin_hangup)
f->stdin_readable = true;
if (!f->stdout_hangup)
f->stdout_writable = true;
r = shovel(f); r = shovel(f);
if (r < 0) if (r < 0)
return r; return r;

Some files were not shown because too many files have changed in this diff Show More