| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
Follow-up for d4c8de21a07d015f2f2c787e0735be5e4d02fb3c.
|
|
Follow-up for fa8ff98ea4886442bebecd337da78e4dac3d0cb1.
|
|
Follow-up for 7704c3474d0f3176f5d84efee5f44f9d815e615f.
|
|
Follow-up for 34bbda18a5f07fa5a52e8d85d20637ce1c00c4ec.
|
|
Follow-up for 25fd5343ca3a3481d2e0d3f3aebab2fcf4e42bc7.
|
|
Follow-up for 71be64064c9e22c9edcb0c25d7ccc9e3c9ed1978.
|
|
Follow-up for 8464f7cbd652af75566017c62bec5308d1c30775.
|
|
Follow-up for 5cb56068d0aae4c85e97a4ae16e33a7614cdc0bb.
|
|
Follow-up for d37c312b87aeba4a470ad720eda56cdbc9ea2290.
|
|
Follow-up for d4c8de21a07d015f2f2c787e0735be5e4d02fb3c.
|
|
Follow-up for a575f2148f5bf619c75b3c2edadd7a94518ae74d.
|
|
Follow-up for 16b6af6adefa4068b10e1a04f46fc895cb9a3af7.
|
|
Follow-up for 677e6c14b199c1fa637b7c4c8cae39c31213a79d.
|
|
Follow-up for 75673cd8aee5c6174538e71dd36c7a353c836973.
|
|
Follow-up for fd40e7da6e005644445d2f6cb3363daf1e170b8c.
|
|
|
|
If the toplevel_path is empty we end up with doubled leading slash,
which looks weird:
[ 4737.028985] testsuite-74.sh[102]: Inode '//var/lib/machines/mytree.v/mytree_37.0_arm64+2-3' has wrong type, found 'dir'.
[ 4737.028985] testsuite-74.sh[102]: Failed to pick version for '/var/lib/machines/mytree.v': Is a directory
...
[ 4316.957536] testsuite-74.sh[99]: Failed to open '//var/lib/machines/mytree.v/mytree_37.0': No such file or directory
...
|
|
Since we might edit the string later on by inserting NULs, which then
leads up to using an invalid dname when opening the potential chosen
directory:
[ 4316.957536] testsuite-74.sh[99]: make_choice: entry: mytree_37.0_arm64+2-3
[ 4316.957536] testsuite-74.sh[99]: make_choice: best_version: 37.0
[ 4316.957536] testsuite-74.sh[99]: make_choice: best_filename: mytree_37.0
[ 4316.957536] testsuite-74.sh[99]: Failed to open '//var/lib/machines/mytree.v/mytree_37.0': No such file or directory
Uncovered by vpick tests from TEST-74-AUX-UTILS when run on aarch64.
|
|
|
|
Bumps [actions/upload-artifact](https://github.com/actions/upload-artifact) from 4.0.0 to 4.3.0.
- [Release notes](https://github.com/actions/upload-artifact/releases)
- [Commits](https://github.com/actions/upload-artifact/compare/c7d193f32edcb7bfad88892161225aeda64e9392...26f96dfa697d77e81fd5907df203aa23a56210a8)
---
updated-dependencies:
- dependency-name: actions/upload-artifact
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
|
|
Bumps [redhat-plumbers-in-action/advanced-issue-labeler](https://github.com/redhat-plumbers-in-action/advanced-issue-labeler) from 2.0.6 to 3.0.0.
- [Release notes](https://github.com/redhat-plumbers-in-action/advanced-issue-labeler/releases)
- [Commits](https://github.com/redhat-plumbers-in-action/advanced-issue-labeler/compare/71bcf99aef4b9ea844db9a43755e8ac02c8e661e...9e55064634b67244f7deb4211452b4a7217b93de)
---
updated-dependencies:
- dependency-name: redhat-plumbers-in-action/advanced-issue-labeler
dependency-type: direct:production
update-type: version-update:semver-major
...
Signed-off-by: dependabot[bot] <support@github.com>
|
|
|
|
In pam_systemd.so and pam_systemd_home.so, we open a bus connection on
session close, which is called after fork. Closing the connection is
harmless, and should not warn about that.
This suppresses the following log message:
===
(sd-pam)[127]: PAM Attempted to close sd-bus after fork, this should not happen.
===
|
|
|
|
The man page pam_setcred(3) states:
> The credentials should be deleted after the session has been closed
> (with pam_close_session(3)).
Follow-up for 3bb39ea936a51a6a63a8b65a135521df098c32c4.
|
|
this patch adds the interface name of the interface to be modified
to *details* when verifying dbus calls to the `org.freedesktop.resolve1`
D-Bus interface for all `Set*` and the `Revert` method.
when defining a polkit rule, this allows limiting the access to a specific
interface:
```js
// This rule prevents the user "vpn" to disable DNSoverTLS for any
// other interface than "vpn0". The vpn service should be allowed
// to disable DNSoverTLS on its own as it provides a local DNS
// server with search domains on the interface and this server does
// not support DNSoverTLS.
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.resolve1.set-dns-over-tls" &&
action.lookup("interface") == "vpn0" &&
subject.user == "vpn") {
return polkit.Result.YES;
}
});
```
|
|
Underline the sections, as we nowadays do.
|
|
It's easy to add. Let's do so.
This only covers record lookups, i.e. with the --type= switch.
The higher level lookups are not covered, I opted instead to print a
message there to use --type= instead.
I am a bit reluctant to defining a new JSON format for the high-level
lookups, hence I figured for now a helpful error is good enough, that
points people to the right use.
Fixes: #29755
|
|
The original way of appending to /etc/systemd/journald.conf doesn't work
anymore, since we no longer ship the default configs in /etc/.
|
|
|
|
namespace
It doesn't really make sense to initialize the loopback device if we are
not called for a network namespace.
Follow-up for 54c2459d560283f556e331246f64776cebd6eba6
|
|
Since dedb925eafee8214ae565b861dfacfc02085f158 /usr/bin/bootctl is always built
so does its man page.
|
|
|
|
dnf5 does not download filelists metadata by default anymore as this
consists of a pretty big chunk of the repository metadata. Let's make
sure the filelists metadata doesn't have to be downloaded by dnf5 by
removing any usage of file provides from our package lists.
|
|
This returns an FD that can be used to temporarily inhibit the automatic
locking on system suspend behavior of homed. As long as the FD is open,
LockAllHomes() won't lock that home directory on suspend. This allows
desktop environments to implement custom more complicated behavior
|
|
Apparently since 9289e093ae6fd5484f9119e1ee07d1dffe37cd10, "ln_s" takes
*absolute* paths only.
|
|
20-systemd-ssh-generator.conf expands SSHCONFDIR, which is bogus when we
build with -Dsshconfdir=no. Similarly, avoid expanding SSHDCONFDIR in
20-systemd-userdb.conf when building with -Dsshconfdir=no.
Follow-up 6c7fc5d5f2.
|
|
knot v3.2 and later does this by default. knot v3.1 still has the default set to
10, but it also introduced a warning that the default will be changed to 0 in
later versions, so it effectively complains about its own default, which then
fails the config check. Let's just set the value explicitly to zero to avoid
that.
~# knotc --version
knotc (Knot DNS), version 3.1.6
~# grep nsec3-iterations test/knot-data/knot.conf || echo nope
nope
~# knotc -c /build/test/knot-data/knot.conf conf-check
warning: config, policy[auto_rollover_nsec3].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
Configuration is valid
Follow-up to 0652cf8e7b.
|
|
Previously, unit_{start,stop,reload} would call the low-level cgroup
unfreeze function whenever a unit was started, stopped, or reloaded. It
did so with no error checking. This call would ultimately recurse up the
cgroup tree, and unfreeze all the parent cgroups of the unit, unless an
error occurred (in which case I have no idea what would happen...)
After the freeze/thaw rework in a previous commit, this can no longer
work. If we recursively thaw the parent cgroups of the unit, there may
be sibling units marked as PARENT_FROZEN which will no longer actually
have frozen parents. Fixing this is a lot more complicated than simply
disallowing start/stop/reload on a frozen unit
Fixes https://github.com/systemd/systemd/issues/15849
|
|
This commit overhauls the way freeze/thaw works recursively:
First, it introduces new FreezerActions that are like the existing
FREEZE and THAW but indicate that the action was initiated by a parent
unit. We also refactored the code to pass these FreezerActions through
the whole call stack so that we can make use of them. FreezerState was
extended similarly, to be able to differentiate between a unit that's
frozen manually and a unit that's frozen because a parent is frozen.
Next, slices were changed to check recursively that all their child
units can be frozen before it attempts to freeze them. This is different
from the previous behavior, that would just check if the unit's type
supported freezing at all. This cleans up the code, and also ensures
that the behavior of slices corresponds to the unit's actual ability
to be frozen
Next, we make it so that if you FREEZE a slice, it'll PARENT_FREEZE
all of its children. Similarly, if you THAW a slice it will PARENT_THAW
its children.
Finally, we use the new states available to us to refactor the code
that actually does the cgroup freezing. The code now looks at the unit's
existing freezer state and the action being requested, and decides what
next state is most appropriate. Then it puts the unit in that state.
For instance, a RUNNING unit with a request to PARENT_FREEZE will
put the unit into the PARENT_FREEZING state. As another example, a
FROZEN unit who's parent is also FROZEN will transition to
PARENT_FROZEN in response to a request to THAW.
Fixes https://github.com/systemd/systemd/issues/30640
Fixes https://github.com/systemd/systemd/issues/15850
|
|
|
|
|
|
|
|
Fixes: #30191
|
|
|
|
without polkit authentication
Now that we have the concept of scoped credentials, we can allow
unprivileged clients to encrypt/decrypt them as longed as they are
scoped to them.
|
|
|
|
So far credentials are a concept for system services only: to encrypt or
decrypt credential you must be privileged, as only then you can access
the TPM and the host key.
Let's break this up a bit: let's add a "user-scoped" credential, that
are specific to users. Internally this works by adding another step to
the acquisition of the symmetric encryption key for the credential: if a
"user-scoped" credential is used we'll generate an symmetric encryption
key K as usual, but then we'll use it to calculate
K' = HMAC(K, flags || uid || machine-id || username)
and then use the resulting K' as encryption key instead. This basically
includes the (public) user's identity in the encryption key, ensuring
that only if the right user credentials are specified the correct key
can be acquired.
|
|
Follow-up for 038e4554627c610ae6799d74f9f4bce530d7c283.
|
