Diffstat (limited to 'src')
29 files changed, 62 insertions, 74 deletions
diff --git a/src/analyze/analyze-has-tpm2.c b/src/analyze/analyze-has-tpm2.c
new file mode 100644
index 0000000000..3e13be9f16
--- /dev/null
+++ b/src/analyze/analyze-has-tpm2.c
@@ -0,0 +1,9 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "analyze.h"
+#include "analyze-has-tpm2.h"
+#include "tpm2-util.h"
+
+int verb_has_tpm2(int argc, char **argv, void *userdata) {
+ return verb_has_tpm2_generic(arg_quiet);
+}
diff --git a/src/analyze/analyze-has-tpm2.h b/src/analyze/analyze-has-tpm2.h
new file mode 100644
index 0000000000..c7c639228d
--- /dev/null
+++ b/src/analyze/analyze-has-tpm2.h
@@ -0,0 +1,4 @@
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+int verb_has_tpm2(int argc, char *argv[], void *userdata);
diff --git a/src/analyze/analyze.c b/src/analyze/analyze.c
index 1e199e30b7..24188311ff 100644
--- a/src/analyze/analyze.c
+++ b/src/analyze/analyze.c
@@ -26,6 +26,7 @@
 #include "analyze-exit-status.h"
 #include "analyze-fdstore.h"
 #include "analyze-filesystems.h"
+#include "analyze-has-tpm2.h"
 #include "analyze-image-policy.h"
 #include "analyze-inspect-elf.h"
 #include "analyze-log-control.h"
@@ -253,6 +254,7 @@ static int help(int argc, char *argv[], void *userdata) {
 "\n%3$sExecutable Analysis:%4$s\n"
 " inspect-elf FILE... Parse and print ELF package metadata\n"
 "\n%3$sTPM Operations:%4$s\n"
+ " has-tpm2 Report whether TPM2 support is available\n"
 " pcrs [PCR...] Show TPM2 PCRs and their names\n"
 " srk [>FILE] Write TPM2 SRK (to FILE)\n"
 "\n%3$sOptions:%4$s\n"
@@ -700,6 +702,7 @@ static int run(int argc, char *argv[]) {
 { "malloc", VERB_ANY, VERB_ANY, 0, verb_malloc },
 { "fdstore", 2, VERB_ANY, 0, verb_fdstore },
 { "image-policy", 2, 2, 0, verb_image_policy },
+ { "has-tpm2", VERB_ANY, 1, 0, verb_has_tpm2 },
 { "pcrs", VERB_ANY, VERB_ANY, 0, verb_pcrs },
 { "srk", VERB_ANY, 1, 0, verb_srk },
 { "architectures", VERB_ANY, VERB_ANY, 0, verb_architectures },
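Review bot: The new verb_has_tpm2 in analyze-has-tpm2.c is defined with `char **argv` while its prototype in analyze-has-tpm2.h uses `char *argv[]`; both spell the same type, but the other prototypes visible in analyze.c (`help`, `run`) use the `char *argv[]` form, so matching it keeps the declarations grep-consistent. The wrapper ignores argc, argv and userdata, which is fine for a dispatch-table entry, but the file should say why it is a one-liner: `/* Thin wrapper: the logic lives in verb_has_tpm2_generic() so that systemd-creds can share it. */`.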
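Review bot: The help line `has-tpm2 Report whether TPM2 support is available` in analyze.c's help() says nothing about the two things a script needs from this verb: that the answer is also encoded in the exit status, and that output can be suppressed. The systemd-creds help that this commit removes carried a dedicated `-q --quiet Suppress output for 'has-tpm2' verb` line; if systemd-analyze's option section (outside this hunk) does not already document `--quiet` in those terms, an equivalent line there would keep the migration lossless for users.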
diff --git a/src/analyze/meson.build b/src/analyze/meson.build
index a307923c22..c42db1a633 100644
--- a/src/analyze/meson.build
+++ b/src/analyze/meson.build
@@ -14,6 +14,7 @@ systemd_analyze_sources = files(
 'analyze-exit-status.c',
 'analyze-fdstore.c',
 'analyze-filesystems.c',
+ 'analyze-has-tpm2.c',
 'analyze-image-policy.c',
 'analyze-inspect-elf.c',
 'analyze-log-control.c',
diff --git a/src/basic/syscall-list.txt b/src/basic/syscall-list.txt
index d7e09f4b19..48fee3aa95 100644
--- a/src/basic/syscall-list.txt
+++ b/src/basic/syscall-list.txt
@@ -95,7 +95,6 @@ fsopen
 fspick
 fstat
 fstat64
-fstatat
 fstatat64
 fstatfs
 fstatfs64
@@ -247,7 +246,6 @@ munlockall
 munmap
 name_to_handle_at
 nanosleep
-newfstat
 newfstatat
 nice
 old_adjtimex
diff --git a/src/basic/syscalls-alpha.txt b/src/basic/syscalls-alpha.txt
index 764ab4ba9d..1c15c2cbb5 100644
--- a/src/basic/syscalls-alpha.txt
+++ b/src/basic/syscalls-alpha.txt
@@ -95,7 +95,6 @@ fsopen 540
 fspick 543
 fstat 91
 fstat64 427
-fstatat
 fstatat64 455
 fstatfs 329
 fstatfs64 529
@@ -247,7 +246,6 @@ munlockall 317
 munmap 73
 name_to_handle_at 497
 nanosleep 340
-newfstat
 newfstatat
 nice
 old_adjtimex 303
diff --git a/src/basic/syscalls-arc.txt b/src/basic/syscalls-arc.txt
index 4baeaa5734..53b39ee86d 100644
--- a/src/basic/syscalls-arc.txt
+++ b/src/basic/syscalls-arc.txt
@@ -95,7 +95,6 @@ fsopen 430
 fspick 433
 fstat
 fstat64 80
-fstatat
 fstatat64 79
 fstatfs
 fstatfs64 44
@@ -247,7 +246,6 @@ munlockall 231
 munmap 215
 name_to_handle_at 264
 nanosleep 101
-newfstat
 newfstatat
 nice
 old_adjtimex
diff --git a/src/basic/syscalls-arm.txt b/src/basic/syscalls-arm.txt
index d8ddfac402..f7a2e8ee51 100644
--- a/src/basic/syscalls-arm.txt
+++ b/src/basic/syscalls-arm.txt
@@ -95,7 +95,6 @@ fsopen 430
 fspick 433
 fstat 108
 fstat64 197
-fstatat
 fstatat64 327
 fstatfs 100
 fstatfs64 267
@@ -247,7 +246,6 @@ munlockall 153
 munmap 91
 name_to_handle_at 370
 nanosleep 162
-newfstat
 newfstatat
 nice 34
 old_adjtimex
diff --git a/src/basic/syscalls-arm64.txt b/src/basic/syscalls-arm64.txt
index 187e7820cf..4ec8b1035d 100644
--- a/src/basic/syscalls-arm64.txt
+++ b/src/basic/syscalls-arm64.txt
@@ -93,9 +93,8 @@ fsetxattr 7
 fsmount 432
 fsopen 430
 fspick 433
-fstat
+fstat 80
 fstat64
-fstatat
 fstatat64
 fstatfs 44
 fstatfs64
@@ -247,7 +246,6 @@ munlockall 231
 munmap 215
 name_to_handle_at 264
 nanosleep 101
-newfstat 80
 newfstatat 79
 nice
 old_adjtimex
diff --git a/src/basic/syscalls-i386.txt b/src/basic/syscalls-i386.txt
index c05b6a50fe..c370cfc13a 100644
--- a/src/basic/syscalls-i386.txt
+++ b/src/basic/syscalls-i386.txt
@@ -95,7 +95,6 @@ fsopen 430
 fspick 433
 fstat 108
 fstat64 197
-fstatat
 fstatat64 300
 fstatfs 100
 fstatfs64 269
@@ -247,7 +246,6 @@ munlockall 153
 munmap 91
 name_to_handle_at 341
 nanosleep 162
-newfstat
 newfstatat
 nice 34
 old_adjtimex
diff --git a/src/basic/syscalls-loongarch64.txt b/src/basic/syscalls-loongarch64.txt
index b9224f13a4..bf478e8785 100644
--- a/src/basic/syscalls-loongarch64.txt
+++ b/src/basic/syscalls-loongarch64.txt
@@ -93,9 +93,8 @@ fsetxattr 7
 fsmount 432
 fsopen 430
 fspick 433
-fstat
+fstat 80
 fstat64
-fstatat
 fstatat64
 fstatfs 44
 fstatfs64
@@ -247,7 +246,6 @@ munlockall 231
 munmap 215
 name_to_handle_at 264
 nanosleep 101
-newfstat 80
 newfstatat 79
 nice
 old_adjtimex
diff --git a/src/basic/syscalls-m68k.txt b/src/basic/syscalls-m68k.txt
index 5c467dcf72..cd4aecf910 100644
--- a/src/basic/syscalls-m68k.txt
+++ b/src/basic/syscalls-m68k.txt
@@ -95,7 +95,6 @@ fsopen 430
 fspick 433
 fstat 108
 fstat64 197
-fstatat
 fstatat64 293
 fstatfs 100
 fstatfs64 264
@@ -247,7 +246,6 @@ munlockall 153
 munmap 91
 name_to_handle_at 340
 nanosleep 162
-newfstat
 newfstatat
 nice 34
 old_adjtimex
diff --git a/src/basic/syscalls-mips64.txt b/src/basic/syscalls-mips64.txt
index a5d549b85b..fd64b49b5e 100644
--- a/src/basic/syscalls-mips64.txt
+++ b/src/basic/syscalls-mips64.txt
@@ -95,7 +95,6 @@ fsopen 5430
 fspick 5433
 fstat 5005
 fstat64
-fstatat
 fstatat64
 fstatfs 5135
 fstatfs64
@@ -247,7 +246,6 @@ munlockall 5149
 munmap 5011
 name_to_handle_at 5298
 nanosleep 5034
-newfstat
 newfstatat 5252
 nice
 old_adjtimex
diff --git a/src/basic/syscalls-mips64n32.txt b/src/basic/syscalls-mips64n32.txt
index db7235bb59..43c45fdeeb 100644
--- a/src/basic/syscalls-mips64n32.txt
+++ b/src/basic/syscalls-mips64n32.txt
@@ -95,7 +95,6 @@ fsopen 6430
 fspick 6433
 fstat 6005
 fstat64
-fstatat
 fstatat64
 fstatfs 6135
 fstatfs64 6218
@@ -247,7 +246,6 @@ munlockall 6149
 munmap 6011
 name_to_handle_at 6303
 nanosleep 6034
-newfstat
 newfstatat 6256
 nice
 old_adjtimex
diff --git a/src/basic/syscalls-mipso32.txt b/src/basic/syscalls-mipso32.txt
index 194470caf2..be5a41475f 100644
--- a/src/basic/syscalls-mipso32.txt
+++ b/src/basic/syscalls-mipso32.txt
@@ -95,7 +95,6 @@ fsopen 4430
 fspick 4433
 fstat 4108
 fstat64 4215
-fstatat
 fstatat64 4293
 fstatfs 4100
 fstatfs64 4256
@@ -247,7 +246,6 @@ munlockall 4157
 munmap 4091
 name_to_handle_at 4339
 nanosleep 4166
-newfstat
 newfstatat
 nice 4034
 old_adjtimex
diff --git a/src/basic/syscalls-parisc.txt b/src/basic/syscalls-parisc.txt
index 5d52fc65e4..afa367bacc 100644
--- a/src/basic/syscalls-parisc.txt
+++ b/src/basic/syscalls-parisc.txt
@@ -95,7 +95,6 @@ fsopen 430
 fspick 433
 fstat 28
 fstat64 112
-fstatat
 fstatat64 280
 fstatfs 100
 fstatfs64 299
@@ -247,7 +246,6 @@ munlockall 153
 munmap 91
 name_to_handle_at 325
 nanosleep 162
-newfstat
 newfstatat
 nice 34
 old_adjtimex
diff --git a/src/basic/syscalls-powerpc.txt b/src/basic/syscalls-powerpc.txt
index b4c9a40f9e..58f0b86a7e 100644
--- a/src/basic/syscalls-powerpc.txt
+++ b/src/basic/syscalls-powerpc.txt
@@ -95,7 +95,6 @@ fsopen 430
 fspick 433
 fstat 108
 fstat64 197
-fstatat
 fstatat64 291
 fstatfs 100
 fstatfs64 253
@@ -247,7 +246,6 @@ munlockall 153
 munmap 91
 name_to_handle_at 345
 nanosleep 162
-newfstat
 newfstatat
 nice 34
 old_adjtimex
diff --git a/src/basic/syscalls-powerpc64.txt b/src/basic/syscalls-powerpc64.txt
index 0df48c07f6..713db64b92 100644
--- a/src/basic/syscalls-powerpc64.txt
+++ b/src/basic/syscalls-powerpc64.txt
@@ -95,7 +95,6 @@ fsopen 430
 fspick 433
 fstat 108
 fstat64
-fstatat
 fstatat64
 fstatfs 100
 fstatfs64 253
@@ -247,7 +246,6 @@ munlockall 153
 munmap 91
 name_to_handle_at 345
 nanosleep 162
-newfstat
 newfstatat 291
 nice 34
 old_adjtimex
diff --git a/src/basic/syscalls-riscv32.txt b/src/basic/syscalls-riscv32.txt
index b38740ebc9..bb8e4ecb27 100644
--- a/src/basic/syscalls-riscv32.txt
+++ b/src/basic/syscalls-riscv32.txt
@@ -95,7 +95,6 @@ fsopen 430
 fspick 433
 fstat
 fstat64
-fstatat
 fstatat64
 fstatfs
 fstatfs64 44
@@ -247,7 +246,6 @@ munlockall 231
 munmap 215
 name_to_handle_at 264
 nanosleep
-newfstat
 newfstatat
 nice
 old_adjtimex
diff --git a/src/basic/syscalls-riscv64.txt b/src/basic/syscalls-riscv64.txt
index d948e524da..1849da4384 100644
--- a/src/basic/syscalls-riscv64.txt
+++ b/src/basic/syscalls-riscv64.txt
@@ -93,9 +93,8 @@ fsetxattr 7
 fsmount 432
 fsopen 430
 fspick 433
-fstat
+fstat 80
 fstat64
-fstatat
 fstatat64
 fstatfs 44
 fstatfs64
@@ -247,7 +246,6 @@ munlockall 231
 munmap 215
 name_to_handle_at 264
 nanosleep 101
-newfstat 80
 newfstatat 79
 nice
 old_adjtimex
diff --git a/src/basic/syscalls-s390.txt b/src/basic/syscalls-s390.txt
index 67a3ac56e5..5713f65122 100644
--- a/src/basic/syscalls-s390.txt
+++ b/src/basic/syscalls-s390.txt
@@ -95,7 +95,6 @@ fsopen 430
 fspick 433
 fstat 108
 fstat64 197
-fstatat
 fstatat64 293
 fstatfs 100
 fstatfs64 266
@@ -247,7 +246,6 @@ munlockall 153
 munmap 91
 name_to_handle_at 335
 nanosleep 162
-newfstat
 newfstatat
 nice 34
 old_adjtimex
diff --git a/src/basic/syscalls-s390x.txt b/src/basic/syscalls-s390x.txt
index b93e029f57..6912988cfc 100644
--- a/src/basic/syscalls-s390x.txt
+++ b/src/basic/syscalls-s390x.txt
@@ -95,7 +95,6 @@ fsopen 430
 fspick 433
 fstat 108
 fstat64
-fstatat
 fstatat64
 fstatfs 100
 fstatfs64 266
@@ -247,7 +246,6 @@ munlockall 153
 munmap 91
 name_to_handle_at 335
 nanosleep 162
-newfstat
 newfstatat 293
 nice 34
 old_adjtimex
diff --git a/src/basic/syscalls-sparc.txt b/src/basic/syscalls-sparc.txt
index d50fd5509b..a13677a372 100644
--- a/src/basic/syscalls-sparc.txt
+++ b/src/basic/syscalls-sparc.txt
@@ -95,7 +95,6 @@ fsopen 430
 fspick 433
 fstat 62
 fstat64 63
-fstatat
 fstatat64 289
 fstatfs 158
 fstatfs64 235
@@ -247,7 +246,6 @@ munlockall 240
 munmap 73
 name_to_handle_at 332
 nanosleep 249
-newfstat
 newfstatat
 nice 34
 old_adjtimex
diff --git a/src/basic/syscalls-x86_64.txt b/src/basic/syscalls-x86_64.txt
index 14aed30f74..0dc45d6d4b 100644
--- a/src/basic/syscalls-x86_64.txt
+++ b/src/basic/syscalls-x86_64.txt
@@ -95,7 +95,6 @@ fsopen 430
 fspick 433
 fstat 5
 fstat64
-fstatat
 fstatat64
 fstatfs 138
 fstatfs64
@@ -247,7 +246,6 @@ munlockall 152
 munmap 11
 name_to_handle_at 303
 nanosleep 35
-newfstat
 newfstatat 262
 nice
 old_adjtimex
diff --git a/src/creds/creds.c b/src/creds/creds.c
index 7eec323b9f..2e28ff3e0a 100644
--- a/src/creds/creds.c
+++ b/src/creds/creds.c
@@ -7,6 +7,7 @@
 #include "sd-varlink.h"
 
 #include "build.h"
+#include "build-path.h"
 #include "bus-polkit.h"
 #include "creds-util.h"
 #include "dirent-util.h"
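Review bot: `#include "build-path.h"` is added to creds.c, but none of this commit's creds.c hunks use anything from it: the replacement verb_has_tpm2 only logs a notice and calls verb_has_tpm2_generic(). It reads like a leftover from an earlier revision that re-executed the systemd-analyze binary; if so, drop the include, and if it is used elsewhere in the file (outside the visible hunks) that use belongs in the same commit so the dependency is explained.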
@@ -690,35 +691,10 @@ static int verb_setup(int argc, char **argv, void *userdata) {
 }
 
 static int verb_has_tpm2(int argc, char **argv, void *userdata) {
- Tpm2Support s;
+ if (!arg_quiet)
+ log_notice("The 'systemd-creds %1$s' command has been replaced by 'systemd-analyze %1$s'. Redirecting invocation.", argv[optind]);
 
- s = tpm2_support();
-
- if (!arg_quiet) {
- if (s == TPM2_SUPPORT_FULL)
- puts("yes");
- else if (s == TPM2_SUPPORT_NONE)
- puts("no");
- else
- puts("partial");
-
- printf("%sfirmware\n"
- "%sdriver\n"
- "%ssystem\n"
- "%ssubsystem\n"
- "%slibraries\n",
- plus_minus(s & TPM2_SUPPORT_FIRMWARE),
- plus_minus(s & TPM2_SUPPORT_DRIVER),
- plus_minus(s & TPM2_SUPPORT_SYSTEM),
- plus_minus(s & TPM2_SUPPORT_SUBSYSTEM),
- plus_minus(s & TPM2_SUPPORT_LIBRARIES));
- }
-
- /* Return inverted bit flags. So that TPM2_SUPPORT_FULL becomes EXIT_SUCCESS and the other values
- * become some reasonable values 1…7. i.e. the flags we return here tell what is missing rather than
- * what is there, acknowledging the fact that for process exit statuses it is customary to return
- * zero (EXIT_FAILURE) when all is good, instead of all being bad. */
- return ~s & TPM2_SUPPORT_FULL;
+ return verb_has_tpm2_generic(arg_quiet);
 }
 
 static int verb_help(int argc, char **argv, void *userdata) {
@@ -739,7 +715,6 @@ static int verb_help(int argc, char **argv, void *userdata) {
 " ciphertext credential file\n"
 " decrypt INPUT [OUTPUT] Decrypt ciphertext credential file and write to\n"
 " plaintext credential file\n"
- " has-tpm2 Report whether TPM2 support is available\n"
 " -h --help Show this help\n"
 " --version Show package version\n"
 "\n%3$sOptions:%4$s\n"
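Review bot: The notice in the new verb_has_tpm2 names the verb via `argv[optind]`, which only yields "has-tpm2" if the verb dispatcher has already advanced argv past the options and reset optind before calling the handler (that code is outside this hunk); `argv[0]` would state the intent without depending on the dispatcher's getopt bookkeeping. The wording "Redirecting invocation." is also slightly off: nothing is re-executed, the same verb_has_tpm2_generic() runs in-process, so `"... has been replaced by 'systemd-analyze %1$s'. Running the equivalent code here."` describes what happens. Note that `-q` is still honored by this handler while this file's later hunks remove its help text, leaving an undocumented compatibility switch; if that is deliberate for a deprecated verb, a one-line comment above the `if (!arg_quiet)` saying so would prevent someone "fixing" it.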
@@ -774,7 +749,6 @@ static int verb_help(int argc, char **argv, void *userdata) {
 " --user Select user-scoped credential encryption\n"
 " --uid=UID Select user for scoped credentials\n"
 " --allow-null Allow decrypting credentials with empty key\n"
- " -q --quiet Suppress output for 'has-tpm2' verb\n"
 "\nSee the %2$s for details.\n",
 program_invocation_short_name,
 link,
diff --git a/src/network/netdev/wireguard.c b/src/network/netdev/wireguard.c
index f4b7045151..9715cf4034 100644
--- a/src/network/netdev/wireguard.c
+++ b/src/network/netdev/wireguard.c
@@ -1175,7 +1175,7 @@ static int wireguard_read_default_key_cred(NetDev *netdev, const char *filename)
 "%s: No private key specified and default key cannot be parsed, "
 "ignoring network device: %m", filename);
 
- if (len != WG_KEY_LEN)
+ if (len != WG_KEY_LEN || memeqzero(key, len))
 return log_netdev_error_errno(netdev, SYNTHETIC_ERRNO(EINVAL),
 "%s: No private key specified and default key is invalid. "
 "Ignoring network device.",
diff --git a/src/shared/seccomp-util.c b/src/shared/seccomp-util.c
index c047aa2288..1cd662513b 100644
--- a/src/shared/seccomp-util.c
+++ b/src/shared/seccomp-util.c
@@ -362,6 +362,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "mmap\0"
 "mmap2\0"
 "mprotect\0"
+ "mseal\0"
 "munmap\0"
 "nanosleep\0"
 "pause\0"
@@ -506,6 +507,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "lgetxattr\0"
 "link\0"
 "linkat\0"
+ "listmount\0"
 "listxattr\0"
 "llistxattr\0"
 "lremovexattr\0"
@@ -536,6 +538,7 @@ const SyscallFilterSet syscall_filter_sets[_SYSCALL_FILTER_SET_MAX] = {
 "stat64\0"
 "statfs\0"
 "statfs64\0"
+ "statmount\0"
 "statx\0"
 "symlink\0"
 "symlinkat\0"
diff --git a/src/shared/tpm2-util.c b/src/shared/tpm2-util.c
index 10de296124..38e4da4012 100644
--- a/src/shared/tpm2-util.c
+++ b/src/shared/tpm2-util.c
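Review bot: The `memeqzero(key, len)` check added in wireguard_read_default_key_cred rejects an all-zero default private key, but the code does not record why, and the function starts and ends outside this hunk. A comment keeps a future cleanup from folding it back into a plain length check: `/* An all-zero key is what WireGuard treats as "no key", never a valid identity; refuse it as a default rather than bringing up a device without a usable private key. */`. The short-circuit order is right as written: memeqzero() is only reached once `len == WG_KEY_LEN`, so it never reads past a short credential.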
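Review bot: `mseal`, `listmount` and `statmount` are added to the filter-set strings in seccomp-util.c, but this commit's edits to src/basic/syscall-list.txt and the per-architecture syscalls-*.txt tables only touch the fstat/newfstat rows, so it is not visible here whether those three names resolve on every architecture (the rest of the tables is outside these hunks). If the resolving path skips unknown names, an allow-list set that is missing them simply denies the call on that architecture, which is the safe failure mode but worth a quick check against the oldest supported libseccomp. The first hunk adds `mseal` to the set that also carries mmap/mprotect/munmap; a one-line comment next to it stating why a sealing syscall belongs in that set (`/* mseal: memory-sealing is a hardening primitive issued by libc/ld.so at startup on new kernels */`, adjusted to the actual reason) would save the next reviewer the same question; the listmount/statmount hunks are self-explanatory.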
@@ -7907,6 +7907,38 @@ Tpm2Support tpm2_support(void) {
 return support;
 }
 
+int verb_has_tpm2_generic(bool quiet) {
+ Tpm2Support s;
+
+ s = tpm2_support();
+
+ if (!quiet) {
+ if (s == TPM2_SUPPORT_FULL)
+ puts("yes");
+ else if (s == TPM2_SUPPORT_NONE)
+ puts("no");
+ else
+ puts("partial");
+
+ printf("%sfirmware\n"
+ "%sdriver\n"
+ "%ssystem\n"
+ "%ssubsystem\n"
+ "%slibraries\n",
+ plus_minus(s & TPM2_SUPPORT_FIRMWARE),
+ plus_minus(s & TPM2_SUPPORT_DRIVER),
+ plus_minus(s & TPM2_SUPPORT_SYSTEM),
+ plus_minus(s & TPM2_SUPPORT_SUBSYSTEM),
+ plus_minus(s & TPM2_SUPPORT_LIBRARIES));
+ }
+
+ /* Return inverted bit flags. So that TPM2_SUPPORT_FULL becomes EXIT_SUCCESS and the other values
+ * become some reasonable values 1…7. i.e. the flags we return here tell what is missing rather than
+ * what is there, acknowledging the fact that for process exit statuses it is customary to return
+ * zero (EXIT_FAILURE) when all is good, instead of all being bad. */
+ return ~s & TPM2_SUPPORT_FULL;
+}
+
 #if HAVE_TPM2
 static void tpm2_pcr_values_apply_default_hash_alg(Tpm2PCRValue *pcr_values, size_t n_pcr_values) {
 TPMI_ALG_HASH default_hash = 0;
diff --git a/src/shared/tpm2-util.h b/src/shared/tpm2-util.h
index 6ab6c00af3..31ce2e89db 100644
--- a/src/shared/tpm2-util.h
+++ b/src/shared/tpm2-util.h
@@ -463,6 +463,8 @@ typedef enum Tpm2Support {
 
 Tpm2Support tpm2_support(void);
 
+int verb_has_tpm2_generic(bool quiet);
+
 int tpm2_parse_pcr_argument(const char *arg, Tpm2PCRValue **ret_pcr_values, size_t *ret_n_pcr_values);
 int tpm2_parse_pcr_argument_append(const char *arg, Tpm2PCRValue **ret_pcr_values, size_t *ret_n_pcr_values);
 int tpm2_parse_pcr_argument_to_mask(const char *arg, uint32_t *mask);
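Review bot: verb_has_tpm2_generic() reports its result as a positive return value (0 for TPM2_SUPPORT_FULL, otherwise the inverted bits 1…7), and that only becomes the process exit status if the caller's main-function wrapper preserves positive returns; systemd-creds evidently did so for the old in-file version, but the new systemd-analyze caller returns this value through analyze.c's run(), whose DEFINE_MAIN_FUNCTION variant is outside these hunks — under the plain variant a positive return maps to EXIT_SUCCESS and `systemd-analyze has-tpm2` would exit 0 on a machine with no TPM, which is exactly what scripts use this verb to detect. Please confirm analyze.c uses the positive-failure variant (as creds.c presumably does) or convert explicitly in analyze's wrapper. Since the function now lives in shared/ with a verb_ name and writes to stdout, the contract should be documented on the declaration added to tpm2-util.h in the following hunk: `/* Prints the TPM2 support summary to stdout unless quiet; returns 0 when support is full, else the inverted Tpm2Support bits (1…7) naming what is missing, intended to be used directly as a process exit status. */`.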