path: root/docs/SECURITY.md
Date | Commit message | Author | Files | Lines
2024-11-11 | network: reorder dropping dynamic configuration | Yu Watanabe | 1 | -2/+2
Follow-up for 451c2baf30f50b95d73e648058c7c2348dbf0c31.
2024-11-11 | test-network: reconfigure interface cleanly to drop previous DHCP lease and friends | Yu Watanabe | 1 | -6/+12
Follow-up for 451c2baf30f50b95d73e648058c7c2348dbf0c31. With the commits, reloading .network files does not release previously acquired DHCP lease and friends if possible. On graceful reconfigure triggered by the reload, the interface may acquire a new DHCPv4 lease earlier than DHCPv6 lease. In that case, the check will fail as it is done with the new DHCPv4 lease and old DHCPv6 lease, which does not contain any IPv6 DNS servers or so. So, when switching from no -> yes, we need to wait for a new lease with DNS servers or so. To achieve that, we need to cleanly reconfigure the interface.
2024-11-11 | network: reset 'configured' flags even if we keep DHCP lease and friends on reconfigure | Yu Watanabe | 2 | -1/+9
Follow-up for 451c2baf30f50b95d73e648058c7c2348dbf0c31. With the commits, reloading .network files does not release previously acquired DHCP lease and friends if possible. If previously a DHCP client was configured as not requesting DNS servers or so, then the previously acquired lease might not contain any DNS servers. In that case, if the new .network file enables UseDNS=, then the interface should enter the configured state after a new lease is acquired. To achieve that, we need to reset the flags. With this change, the workaround applied to the test by the commit 451c2baf30f50b95d73e648058c7c2348dbf0c31 can be dropped.
2024-11-11 | network: drop unnecessary size specifier | Yu Watanabe | 1 | -1/+1
It does not save any memory usage but increases code complexity.
2024-11-11 | network: call link_drop_unmanaged_config() earlier in link_configure() | Yu Watanabe | 1 | -4/+4
Otherwise, even if a link enters the configuring state at the beginning of link_configure(), link_check_ready() may be called before link_drop_unmanaged_config() is called, and the link may enter the configured state. Fixes #35092.
2024-11-10 | login: fix session_kill(..., KILL_LEADER,...) (#35105) | 12paper | 1 | -3/+13
`loginctl kill-session --kill-whom=leader <N>` (or the D-Bus equivalent) doesn't work because logind ends up calling `KillUnit(..., "main", ...)` on a scope unit and these don't have a `MainPID` property. Here, I just make it send a signal to the `Leader` directly.
2024-11-09 | ukify: Fix broken assert when building a signed addon | Valentin David | 1 | -2/+1
An assert always expected a kernel when signature key was present in command line. That prevented building signed addons. Fixes #35041
2024-11-09 | po: Translated using Weblate (German) | Weblate Translation Memory | 1 | -6/+7
Currently translated at 93.7% (241 of 257 strings) Co-authored-by: Weblate Translation Memory <noreply-mt-weblate-translation-memory@weblate.org> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/de/ Translation: systemd/main
2024-11-09 | po: Translated using Weblate (German) | Ettore Atalan | 1 | -15/+12
Currently translated at 93.7% (241 of 257 strings) Co-authored-by: Ettore Atalan <atalanttore@googlemail.com> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/de/ Translation: systemd/main
2024-11-09 | meson.build: add a few features to summary | Mike Yuan | 1 | -0/+4
2024-11-09 | udev: skipping empty udev rules file while collecting the stats | Lidong Zhong | 1 | -0/+4
To stay aligned with the logic used in udev_rules_parse_file(), we also should skip the empty udev rules file while collecting the stats during manager reload. Otherwise all udev rules files will be parsed again whenever reloading udev manager with an empty udev rules file. It's time consuming and the following uevents will fail with timeout.
2024-11-09 | uid-classification: properly classify *all* container UIDs | Lennart Poettering | 3 | -4/+14
A bit confusingly CONTAINER_UID_BASE_MAX is just the maximum *base* UID for a container. Thus, with the usual 64K UID assignments, the last actual container UID is CONTAINER_UID_BASE_MAX+0xFFFF. To make this less confusing define CONTAINER_UID_MIN/MAX that add the missing extra space. Also adjust two uses where this was mishandled so far, due to this confusion. With this change the UID ranges we default to should properly match what is documented on https://systemd.io/UIDS-GIDS/.
2024-11-08 | man: drop whitespace from final <programlisting> lines | Zbigniew Jędrzejewski-Szmek | 44 | -145/+146
In the troff output, this doesn't seem to make any difference. But in the html output, the whitespace is sometimes preserved, creating an additional gap before the following content. Drop it everywhere to avoid this.
2024-11-08 | mount-util: make path_get_mount_info() work arbitrary inode | Yu Watanabe | 3 | -41/+106
Follow-up for d49d95df0a260aaca9a3fdd1e6ce535592a53bca. Replaces 9a032ec55a9820a0424309670fe551c99203e5f1. Fixes #35075.
2024-11-08 | test: install integration-test-setup.sh in testdata/ | Franck Bui | 2 | -7/+9
integration-test-setup.sh is an auxiliary script that tests rely on at runtime. As such, install the script in testdata/. Follow-up for af153e36ae67c242251951c12d6d6b6ae4783845.
2024-11-08 | update TODO | Lennart Poettering | 1 | -20/+5
2024-11-08 | fs-util: add comment about XO_NOCOW | Lennart Poettering | 1 | -0/+2
2024-11-08 | Fix PrivatePIDs=yes integration test for kernels with no /proc/scsi | Ryan Wilson | 1 | -5/+16
2024-11-07 | fundamental: Fix buffer size in get_chid | anonymix007 | 1 | -2/+2
NUL byte should not be hashed
2024-11-07 | fundamental: Fix iteration count in chid_calculate | anonymix007 | 1 | -1/+2
2024-11-07 | fundamental: move string includes from chid-fundamental.c to header | anonymix007 | 2 | -2/+6
2024-11-07 | test: Add chid-fundamental test | anonymix007 | 3 | -0/+108
2024-11-07 | sd-varlink: allow that method handles call sd_varlink_close() | Lennart Poettering | 1 | -0/+3
It's fine if a method handler closes the connection, deal with it gracefully.
2024-11-07 | fundamental: Add userspace efi_guid_equal | anonymix007 | 1 | -0/+7
2024-11-07 | boot: Fix .dtbauto section number for error reporting | anonymix007 | 1 | -1/+1
2024-11-07 | boot: Fix overflow check for FDT_PROP in devicetree_get_compatible | anonymix007 | 1 | -1/+2
2024-11-07 | boot: Drop const modifier for smbios_fields and fix smbios_info_done | anonymix007 | 1 | -3/+3
2024-11-07 | ukify: Introduce --certificate-provider= option | Daan De Meyer | 3 | -48/+72
This translates to --certificate-source=provider:<provider> for signing tools invoked by ukify.
2024-11-07 | measure: Add pcrpkey verb | Daan De Meyer | 2 | -0/+99
This verb writes a public key to stdout extracted from either a public key path, from a certificate (path or provider) or from a private key (path, engine, provider). We'll use this in ukify to get rid of the use of the python cryptography module to convert a private key or certificate to a public key.
2024-11-07 | tree-wide: Introduce --certificate-source= option | Daan De Meyer | 12 | -61/+336
This allows loading the X.509 certificate from an OpenSSL provider instead of a file system path. This allows loading certificates directly from hardware tokens instead of having to export them to a file on disk first.
2024-11-07 | openssl-util: Set expected object type to private keys | Daan De Meyer | 1 | -0/+3
Configures the store to only try to fetch private keys and nothing else.
2024-11-07 | bootctl: Validate private key path | Daan De Meyer | 1 | -0/+6
2024-11-07 | mkosi: Add pytest to tools | Daan De Meyer | 4 | -0/+4
2024-11-07 | hwdb: fix broken numpad paren keys on Lenovo Thinkbook 16 G6+ 2024 | Vursc | 1 | -0/+5
2024-11-07 | man: update Fedora links to F41 | Zbigniew Jędrzejewski-Szmek | 2 | -3/+3
2024-11-07 | NEWS: add specific versions in key codes entry | Zbigniew Jędrzejewski-Szmek | 1 | -8/+7
This should be easier for folks to consume. Refs: https://lists.x.org/archives/xorg-announce/2024-October/003543.html https://lists.x.org/archives/xorg-announce/2024-October/003544.html
2024-11-07 | po: Translated using Weblate (German) | Anselm Schueler | 1 | -5/+4
Currently translated at 89.8% (231 of 257 strings) Co-authored-by: Anselm Schueler <mail@anselmschueler.com> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/de/ Translation: systemd/main
2024-11-07 | github: adjust version number in templates | Zbigniew Jędrzejewski-Szmek | 2 | -2/+2
Most people are probably on stable releases, but we don't want to update the minor version all the time, so just specify 256.x as a hint to fill in the full version.
2024-11-07 | Rename src/boot/efi to just src/boot | Zbigniew Jędrzejewski-Szmek | 79 | -1/+1
I very much dislike the approach in which we were mixing Linux and UEFI C code in the same subdirectory. No code was shared between two environments. This layout was created in e7dd673d1e0acfe5420599588c559fd85a3a9e8f, with the justification of "being more consistent with the rest of systemd", but I don't see how it's supposed to be so. Originally, when the C code was just a single bootctl.c file, this wasn't so bad. But over time the userspace code grew quite a bit. With the moves done in previous commits, the intermediate subdirectory is now empty except for the efi/ subdir, and this additional subdirectory level doesn't have a good justification. The component is called "systemd-boot", not "systemd-efi", and we can remove one level of indentation.
2024-11-07 | Move systemd-sbsign to its own source subdirectory | Zbigniew Jędrzejewski-Szmek | 4 | -1/+1
It's already two files, and I expect that more will come. It's nicer to give its own subdirectory to maintain consistent structure.
2024-11-07 | Move systemd-measure to its own source subdirectory | Zbigniew Jędrzejewski-Szmek | 4 | -10/+15
We have other subdirectories with just a single C file. And I expect that systemd-measure will only grow over time, adding new functionality. It's nicer to give its own subdirectory to maintain consistent structure.
2024-11-07 | Move bless-boot components to their own source subdirectory | Zbigniew Jędrzejewski-Szmek | 6 | -33/+38
2024-11-07 | Move bootctl to its own source subdirectory | Zbigniew Jędrzejewski-Szmek | 21 | -22/+27
It's been split into a bunch of files and deserves its own subdirectory similarly to systemctl.
2024-11-07 | man: fix typos flagged by Lintian | Luca Boccassi | 2 | -2/+2
2024-11-07 | test: fix assertion on build system | Luca Boccassi | 1 | -1/+0
/* test_path_is_network_fs_harder */ src/test/test-mount-util.c:541: Assertion failed: expected "path_is_network_fs_harder("/")" to succeed but got the following error: Invalid argument https://buildd.debian.org/status/fetch.php?pkg=systemd&arch=all&ver=257%7Erc1-1&stamp=1730945197&raw=0 Follow-up for d49d95df0a260aaca9a3fdd1e6ce535592a53bca
2024-11-07 | po: Translated using Weblate (Turkish) | Oğuz Ersen | 1 | -11/+6
Currently translated at 100.0% (257 of 257 strings) Co-authored-by: Oğuz Ersen <oguz@ersen.moe> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/tr/ Translation: systemd/main
2024-11-07 | po: Translated using Weblate (Swedish) | Luna Jernberg | 1 | -11/+7
Currently translated at 100.0% (257 of 257 strings) Co-authored-by: Luna Jernberg <bittin@reimu.nl> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/sv/ Translation: systemd/main
2024-11-07 | po: Translated using Weblate (Russian) | Sergey A | 1 | -10/+5
Currently translated at 100.0% (257 of 257 strings) Co-authored-by: Sergey A <Ser82-png@yandex.ru> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/ru/ Translation: systemd/main
2024-11-07 | po: Translated using Weblate (Polish) | Piotr Drąg | 1 | -11/+6
Currently translated at 100.0% (257 of 257 strings) Co-authored-by: Piotr Drąg <piotrdrag@gmail.com> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/pl/ Translation: systemd/main
2024-11-07 | po: Translated using Weblate (Indonesian) | Andika Triwidada | 1 | -9/+6
Currently translated at 100.0% (257 of 257 strings) Co-authored-by: Andika Triwidada <andika@gmail.com> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/id/ Translation: systemd/main