| Commit message (Collapse) | Author | Age | Files | Lines |
|---|
| | |
|
| |
|
|
|
|
| |
Let's make sure that when cryptenroll asks for the TPM2 or FIDO2 token
PIN it uses cryptenroll.* credential namespace, and cryptsetup uses
cryptsetup.*.
|
| |
|
|
|
|
| |
similar as the previous commit, let's clean up the credential name we
use. Use home.token-pin in case of homectl, and cryptenroll.pkcs11-pin
in case of cryptenroll.
|
| |
|
|
|
|
|
|
|
| |
The TPM2 enrollment is the only of the three token enrollments where the
user picks a PIN at enrollment time (the others have a PIN set for the
token, not for the enrollment). Let's make sure it uses a different
credential for retrieving this PIN, in order to make sure people can
programmatically change PINs via credentials (in which case they need to
supply both).
|
| |
|
|
|
|
|
|
|
|
|
|
| |
Querying a fido2 PIN via askpw for enrolling is currently used in two
places: cryptenroll and homectl. So far we sloppily used the same fixed
credential name "fido2-pin" in both cases. Let's tweak that and make the
credential name match the other credentials cryptenroll or home query,
i.e. using the cryptenroll.* and home.* namespaces.
This is particular done in light of #31370, which wants to make the
credential name public. We really should get the name in order before
making it public.
|
| |
|
|
|
|
|
|
| |
Let's drop the "systemd-" prefix from the credential name. We do not
prefix credentials that way so far. Don't do so here either.
The name is not really API, it's not documented, hence change it now
where we still can.
|
| |
|
|
|
|
|
|
|
|
|
| |
The "id" is used in the askpw protocol to recognize password prompts, in
case a service is replying to them and needs some id. Previously we set
an incorrect id, the one of cryptsetup. Fix that.
(I guess the id is not used much, it comes from a time where we had no
credentials, and thus some people wanted to supply passphrases
programmatically rather interactively. The usecase is probably gone, but
we should still set some valid id I guess.)
|
| | |
|
| | |
|
| |
|
|
|
|
|
|
|
|
|
| |
Rather than adding more and more parameters to ask_password_auto(), let's
pass a structure of the fields that often are constant anyway.
This way, callers can fill in what they need, and we take the filled
structure which we can pass around internally as one.
This is in particular preparation for adding one more field in one of
the next commits.
|
| |
|
|
| |
Fixes #31337
|
| |
|
|
| |
Add accel orientation quirk for the METAPHYUNI MetawillBook01 2-in-1 laptop
|
| |
|
|
|
|
|
| |
If the default boot entry name doesnt leave enough space for the
indicator arrow, it overwrote the first two characters of the entry
Now every line will always have enough padding.
|
| |\
| |
| | |
Bitfield cleanup
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
As in other cases, this is simpler but better.
pahole:
- /* size: 336, cachelines: 6, members: 50 */
- /* sum members: 316, holes: 4, sum holes: 19 */
- /* sum bitfield members: 4 bits, bit holes: 1, sum bit holes: 4 bits */
- /* last cacheline: 16 bytes */
+ /* size: 328, cachelines: 6, members: 50 */
+ /* sum members: 320, holes: 3, sum holes: 8 */
+ /* last cacheline: 8 bytes */
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
Because of alignment, those bitfields were not doing anything useful,
and were causing the generated code to be more complicated. But in this
case, at least potentially there might be a number of copies of those
structs (if we have a bunch of time servers configured), so let's actually
implement the intended space savings by reording the fields to reduce the
size of holes.
|
| | | |
|
| | |
| |
| |
| |
| | |
Again, even without considering how many copies of the struct there
can be, this bitfield is useless because of alignment.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| | |
We have two bools followed by a func pointer, which is aligned to e.g. 8 bytes,
so whether the two bools take one bit, one byte, or even a full word, makes no
difference in storage size. But the code generated to service a bitfield is
more complicated.
Also switch to FOREACH_ARRAY().
|
| | |
| |
| |
| |
| |
| |
| |
| | |
They are not set by a unit file, but dynamically generated.
Fixes a bug caused by abf0ccc1c6fb81fdcb801566695600a518a28b43.
Fixes #31396.
|
| | |
| |
| |
| |
| |
| |
| |
| | |
Precedence for example in https://github.com/systemd/systemd/blob/ac63c8df309e37960618610d8b57ac19ac657254/rules.d/99-systemd.rules.in#L75.
Add ENV to the list of keys where string substitutions can be used.
While I'm at it, also sort the list in that paragraph alphabetically.
|
| | |
| |
| |
| |
| | |
Follow-up for 25c89b89771adf3251b2398eaddc3a49c22752e3 and
a4d72746c776f820a440d72eaadd49ad158e10dc.
|
| | |
| |
| |
| | |
Follow-up for 190ff0d0a8d1fc367ec04296f24cd1cab5b7543b.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Follow-ups for e1634bb8321c5534a8e5d16b474c7e9d43ef3baa.
- Allow to call the method without "name" and "type".
- Allow to specify SD_RESOLVE_NO_TXT and SD_RESOLVE_NO_ADDRESS.
- Allow to provide multiple services, and fix memory leak.
- Rearrange the return value format.
- Encode TXT field with octescape() to make the field matches with the
io.systemd.Resolve.Monitor interface.
Fixes #31371.
|
| | |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
Otherwise:
```
Feb 19 16:35:34 localhost systemd-gpt-auto-generator[188]: Assertion 's' failed at src/shared/image-policy.c:656, function parse_image_policy_argument(). Aborting.
```
Fixes 06e78680e3c36589b785f90ecda64d124905a3f7
|
| |\ \
| | |
| | | |
core/exec-invoke: record correct exit status when failed to locate executable
|
| | | |
| | |
| | |
| | | |
Also drop unused log_exec_struct_iovec().
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | | |
Suggested in
https://github.com/systemd/systemd/pull/31351#discussion_r1494450831:
> one above just informational, but also not a warning yet.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Follow-up for 4d8b0f0f7aeadc401ac02f67576ccb1de8cf79e6
After the mentioned commit, when the ExecCommand executable is missing,
and failure will be ignored by manager, we exit with EXIT_SUCCESS at executor
side too. The behavior however contradicts systemd.service(5), which states:
> If the executable path is prefixed with "-", an exit code of the command
> normally considered a failure (i.e. non-zero exit status or abnormal exit
> due to signal is _recorded_, but has no further effect and is considered
> equivalent to success.
and thus makes debugging unexpected failures harder. Therefore, let's still
exit with EXIT_EXEC, but just skip LOG_ERR level log.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Avoid the following warning on C9S by explicitly initializing
"object".
"""
[389/2801] Compiling C object src/shared/libsystemd-shared-256-devel.a.p/pkcs11-util.c.o
../src/src/shared/pkcs11-util.c: In function ‘pkcs11_token_find_private_key’:
../src/src/shared/pkcs11-util.c:983:21: warning: ‘object’ may be used uninitialized in this function [-Wmaybe-uninitialized]
983 | *ret_object = object;
| ~~~~~~~~~~~~^~~~~~~~
"""
|
| | | |
| | |
| | |
| | | |
initial_restrict_ifaces_link_fds
|
| |\ \ \
| | | |
| | | | |
Cleanups vmspawn
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
In this context, "VM" doesn't need explaining. Make the texts more precise
and try to make them fit in one line. Help output is much easier to read
when it's not wrapped.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
The previous text did not look right when rendered.
The text is much easier to read when paragraphs are separated by an empty
line, latex-style.
|
| | | | | |
|
| | | |/
| |/|
| | |
| | | |
Follow-up for f31cff849d3db074d0d8157e4117d9b8372c03e8.
|
| | |/
|/| |
|
| | | |
|
| | |
| |
| |
| |
| | |
If we're looking for output on stderr, let's make sure it's not
littered with debug logs if SYSTEMD_LOG_LEVEL=debug.
|
| |\ \
| | |
| | | |
Revert "test: use btrfs by default on Arch as well"
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
So the user daemon with the long-running service is not killed while we
test the journal:
[ 834.077080] testsuite-04.sh[10937]: Running as unit: user-sleep.service; invocation ID: b1f2c9c9a14a40ce836c867139d14dc8
[ 834.077687] systemd[10943]: Started user-sleep.service.
[ 834.078437] (sd-pam)[10952]: pam_unix(login:session): session closed for user testuser
[ 834.078643] systemd[1]: run-u3.service: Deactivated successfully.
[ 834.078710] testsuite-04.sh[10930]: + for _ in {0..9}
[ 834.078710] testsuite-04.sh[10930]: + journalctl --rotate
...
[ 834.081253] systemd[1]: session-7.scope: Deactivated successfully.
...
[ 844.602065] testsuite-04.sh[10930]: + journalctl --rotate
[ 844.630414] testsuite-04.sh[10930]: + journalctl --sync
[ 844.632005] systemd[1]: Stopping user@4711.service...
[ 844.634179] systemd[10943]: Activating special unit exit.target...
[ 844.635769] systemd[10943]: Stopped target default.target.
[ 844.636136] systemd[10943]: Stopped target timers.target.
[ 844.636479] systemd[10943]: Stopping user-sleep.service...
[ 844.636998] systemd[10943]: Stopped user-sleep.service.
...
[ 844.758893] testsuite-04.sh[10930]: + systemctl stop --user -M testuser@ user-sleep.service
[ 845.213399] systemctl[11066]: Failed to stop user-sleep.service: Unit user-sleep.service not loaded.
|
| | | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
There's something very wrong going on when using btrfs for the test
images, namely:
- there's a significant performance hit, i.e. the Arch Linux run is
~20% slower, in the coverage run the situation is even worse
- intermittent boot failures
- intermittent "No space left on device" errors (even though there's
enough free space)
Since debugging this might take a while, let's temporarily revert back
to ext4 to make the CI stable again.
This reverts commit 7eb7e3ec4f5dbc13ee729557e1544527f3101187.
|
| |\ \ \
| | | |
| | | | |
Homed bulk directories v2
|
| | | | | |
|
| | | | | |
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This makes it possible to edit blob directories using homectl. The
following syntax is available:
* `--blob-directory=/path/somewhere`: Replaces the entire blob directory
with the contents of /path/somewhere
* `--blob-directory=foobar=/path/somewhere`: Replaces just the file
foobar in the blob directory with the contents of /path/somewhere
* `--blob-directory=foobar=`: Deletes the file foobar from the blob
directory
* `--blob-directory=`: Resets all previous flags
* `--avatar=`, etc: Shortcuts for `--blob-directory=FILENAME=` for the
known files in the blob directory
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Introduces new extended variants of the various incarnations of
Create and Update, which take a map of filenames to FDs. This map is
then used to populate the bulk directory.
FDs are used to prevent the client from abusing homed's blob directory
permissions (everything is made world-readable by homed) to open files
that they normally aren't allowed to open. Passing along an FD ensures
that the client has read access to the file it wants homed to make
world-readable.
Internally, homework uses the map to overwrite the system blob dir.
Later, homework's existing blob dir reconciliation logic will propagate
the new contents from the system blob dir into the embedded blob
dir
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Whenever the host & embedded records are reconciled, the host & embedded
blob directories are now reconciled too in the same direction.
Reconciling the blob directories serves exactly the same purpose as
reconciling the user records, and thus should behave in the same way.
|
| | | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
This ensures that a user-specific blob directory exists in
/var/cache/systemd/homed for as long as the user exists, and gets
deleted if the user gets deleted.
It also advertises this blob directory via the user record, so that
clients can find and use it.
|
