| Commit message (Collapse) | Author | Files | Lines |
|
fuzz-introspector passes -fuse-ld=gold and -flto using CFLAGS/LDFLAGS and due to
https://github.com/mesonbuild/meson/issues/6377#issuecomment-575977919 and
https://github.com/mesonbuild/meson/issues/6377 it doesn't mix well with meson.
It's possible to build systemd with duct tape there using something like
https://github.com/google/oss-fuzz/pull/7583#issuecomment-1104011067 but
apparently even with gold and lto some parts of systemd are missing from
reports (presumably due to https://github.com/google/oss-fuzz/issues/7598).
Let's just fail here for now to make it clear that fuzz-introspector isn't supported.
|
|
We use authenticated encryption, and that deserves mention. This is in
particular relevant as the fact they are authenticated makes the
credentials useful as initrd parameterization items.
|
|
string
LoadCredentials= in unit files supports a syntax passing a single string
only (in which case the credentials are propagated down from the host),
but systemd-run's --property= setting doesn't allow that yet. Fix that.
|
|
Previously we'd only warn when we consume it, but it's even more
relevant to warn if we save it to an unencrypted storage location.
|
|
This is generally used in a directly client controllable way, hence we
should handle ref count overflow gracefully, instead of hitting an
assert().
As discussed:
https://github.com/systemd/systemd/pull/23099#discussion_r854341850
|
|
The overflow check for ref counting should not be subject to NDEBUG,
hence upgrade assert() → assert_se(). (The check for zero is an
immediate bug in our code, and should be impossible to trigger, hence
it's fine if the check is optimized away if people are crazy enough to
set NDEBUG, so that can stay assert())
https://github.com/systemd/systemd/pull/23099#discussion_r854341850
|
|
The assignments were partly simply incorrectly documented, partly changed
with 4d32507f5186a89e98093659fbbe386787a97b9f and partly missing.
Moreover kernel 5.17 now measures all initrds to PCR 9 on its own
(https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f046fff8bc4c4d8f8a478022e76e40b818f692df)
Let's correct all this and bring it up-to-date.
And while we are at it extend the docs about this in systemd-stub, with
a new table that indicates which OS resource is protected by which PCR.
|
|
fallback for systems lacking TPM2
This is supposed to be useful when generating credentials for immutable
initrd environments, where it is relevant to support credentials even
on systems lacking a TPM2 chip.
With this, if `systemd-creds encrypt --with-key=auto-initrd` is used a
credential will be encrypted/signed with the TPM2 if it is available and
recognized by the firmware. Otherwise it will be encrypted/signed with
the fixed empty key, thus providing no confidentiality or authenticity.
The idea is that distributions use this mode to generically create
credentials that are as locked down as possible on the specific
platform.
|
|
determination
Previously, when encrypting creds you could pick which key to use for
this via a 128bit ID identifying the key type, and use an all zero ID
for requesting automatic mode.
Let's change this to use an explicitly picked 128bit ID for automatic
mode, i.e. something other than all zeros. This is in preparation for
adding one further automatic mode with slightly different semantics.
No change in behaviour.
Note that the new 128bit id is never written to disk but only used
internally to indicate a specific case.
|
|
Sometimes it's useful from shell scripts to check if we have a working
TPM2 chip around. For example, when putting together encrypted
credentials for the initrd (after all: it might be wise to place the
root pw in a credential for the initrd to consume, but do so only if we
can lock it to the TPM2, and not otherwise, so that we risk nothing).
Hence, let's add a new "systemd-creds has-tpm2" verb: it returns zero if we
have a working TPM2 (which means: supported by kernel + firmware + us),
or non-zero otherwise. Also show which parts are available.
Use-case: in future the 'kernel-install' script should use this when
deciding whether to augment kernels with security sensitive credentials.
|
|
Let's improve the output regarding TPM2 support in "bootctl": let's show
whether we have local driver support and/or firmware support, and
colorize it.
(For now, don't show if we natively support TPM2, since the tool is
mostly about boot time stuff, where it doesn't really matter much what we
do in userspace)
|
|
No change in behaviour. Let's just use our new helper here.
|
|
So far we were a bit sloppy regarding checks for TPM2 support. Let's
make things more precise and introduce a single helper that checks for
three axes of TPM2 support: whether we have a loaded kernel driver,
whether the firmware used it, and whether we ourselves are compiled for
it.
This only adds the helper. Follow-up patches will use it at various
places.
|
|
Follow-up for https://github.com/systemd/systemd/commit/cd3c6322dbc6370448bafc216ee4e19e32a79d9e
journal-def.h should be self-contained too, as it represents the journal object ABI.
Duplicate the enums, as they also need to be in config.h for it to be self-contained,
and enums are not available to the preprocessor. Use an assert to ensure they don't
diverge.
|
|
RestrictNamespaces should block clone3() like flatpak:
https://github.com/flatpak/flatpak/commit/a10f52a7565c549612c92b8e736a6698a53db330
clone3() passes arguments in a structure referenced by a pointer, so we can't
filter on the flags as with clone(). Let's disallow the whole function call.
|
|
Follow-up for https://github.com/systemd/systemd/commit/2362fdde1bd4bf54772383ef29431f683729ba76
When --machine is specified with --ephemeral, no random suffix is added, so
the recently added assert would fail.
Add a top-level variable with the expected file name for nspawn files, and
compute it when the rest of the names are computed.
|
|
|
Addresses https://github.com/systemd/systemd/pull/23090#discussion_r853002631.
|
|
In both cases, it is expected that the symlink targets do not end with '/'.
Addresses https://github.com/systemd/systemd/pull/23089#discussion_r853007218.
|
|
path_extract_filename()
The function is now only used by sd-device.c and pam_systemd.c, and they
expect that the result is not a directory. Hence, it is safe to change the
behavior.
Addresses https://github.com/systemd/systemd/pull/23089#discussion_r853006017.
|
|
In case anyone else starts wondering whether it should be listed
as I did…
|
|
When 'recursive' is false, sd_bus_track_remove_name() does not
return a negative errno when an unknown name is specified. Let's follow the
same pattern for the case that 'recursive' is true.
|
|
Fixes #23097.
|
|
For other places, we use unsigned for reference counter.
|
|
Add keymappings for the Acer Aspire One AO532h netbook.
Unmap the brightness keys because they send duplicate key events with
the ACPI video bus key events and add a mapping for the bluetooth
on/off hotkey.
|
|
When --ephemeral is used, a random 16-character suffix is added to the image
name, so matching on .nspawn files based on the image name no longer works.
Fixes https://github.com/systemd/systemd/issues/13297
|
|
Fix Fn+F1 (toggle touchpad) that wasn't working.
Closes #23058
|
|