| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
The idea was to catch CFLite regressions but since the action itself
pulls the latest docker images it can't be pinned properly and issues
like https://github.com/google/clusterfuzzlite/issues/91 are going to
pop up anyway. Let's unpin it by analogy with CIFuzz and hope it doesn't
break very often.
|
|
|
|
|
|
|
|
|
|
Follow-up to #22759.
|
|
Even if the corresponding device node or syspath are already removed,
the specified symlink to the device node may still exist.
Fixes #23166.
|
|
* Some authenticators(like Yubikey) support credential algorithm other than ES256
* Introduce a new option so users can make use of it
|
|
|
|
For micmute userspace handles both micmute and f20, as Xorg cannot
handle the high keycode that the micmute key has. As such, adding the
remapping means that the key will work on Xorg clients and not just when
using wayland.
|
|
golden images
|
|
|
|
Suggested by Daniele Nicolodi:
https://github.com/systemd/systemd/pull/23160#discussion_r855853716
This is possible only if the macro is never used in #if, but only in C code.
This means that all places that use #if have to be refactored into C, but we
reduce the duplication a bit, and C is nicer to read than preprocessor
conditionals.
|
|
Follow-up for da13d2ca0731b413841663052f2cc6832a855334. Instead of having
separate definitions of the bitmask flags, just define DEFAULT_COMPRESSION_FOO=0|1
directly.
(It *should* be possible to do this more simply, but the problem is that
anything that is used in #if cannot refer to C constants or enums. This is the
simplest I could come up with that preserves the property that we don't use #ifdef.)
The return value from compress_blob() is changed to propagate the error instead
of always returning -EOPNOTSUPP. The callers don't care about the specific error
value. compress_blob_*() are changed to return the compression method on success, so
that compress_blob() can be simplified. compress_stream_*() and compress_stream() are
changed in the same way for consistency, even though the callers do not currently use
this information (outside of tests).
|
|
|
|
|
|
|
|
LoadCredential=
If SetCredential= and LoadCredentials= are combined for the same
credential name, then the former shall act as fallback for the latter in
case the source file does not exist. That's documented, but didn't work.
Let's fix that.
|
|
manager and such)
This was broken in 3989bdc1ad7cca4d75c06cdf601fea2cb37ba337 let's
restore the functionality.
Basically, we want that if a relative name is specified as source to
load from we take it relative to the credentials dir the service manager
itself got passed.
|
|
|
|
This is not done first, but second.
Also, while we are at it, explain why faccessat() is OK here.
|
|
Given that the recusive credential loading allows two ways to load the
same credentials, it's important to define a clear order so that it is
always the same one that wins.
i.e. if you use LoadCredential=foobar:/tmp/xyz and there are two files
/tmp/xyz/abc/cde and /tmp/xyz/abc_cde these would both result in a
credential foobar_abc_cde being set, hence it is important to make clear
which one shall win, and that it is always the same one.
|
|
When checking whether we already loaded a credential before, let's just
use faccessat() in the credential dir we are populating. First of all,
we already do it exactly that way when appliying SetCredential= settings
later. Secondly, this is not performance relevant, and by using
faccessat() things simply become a lot simpler.
|
|
Given we only need a single field off the ExecLoadCredential structure
we don't have to link it as a whole, but just copy that one bit over
directly, simplifying the struct a bit.
|
|
recurse_dir() allows specifiying a freely choosable initial path to
which to append the subdirs as it descends into the tree. If we pass the
configured id there, recurse_dir() will suffix the subdir to that for
us, so that we don't have to do that manually anymore in the callback,
simplifying things a bit.
|
|
|
|
|
|
we must synthesize
Let's just simplify the logic and pass the fields we need as regular
arguments, even if that means the function now has a lot. It's otherwise
really weird that we have to fake a local ExecLoadCredential from the
real one.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
We recently added caching for the dependencies we build from source
in mkosi's github action which speeds up builds by +-10 minutes. Let's
update to the latest commit so we benefit from this in systemd's mkosi
CI as well.
|
|
fuzz-introspector passes -fuse-ld=gold and -flto using CFLAGS/LDFLAGS and due to
https://github.com/mesonbuild/meson/issues/6377#issuecomment-575977919 and
https://github.com/mesonbuild/meson/issues/6377 it doesn't mix well with meson.
It's possible to build systemd with duct tape there using something like
https://github.com/google/oss-fuzz/pull/7583#issuecomment-1104011067 but
apparently even with gold and lto some parts of systemd are missing from
reports (presumably due to https://github.com/google/oss-fuzz/issues/7598).
Let's just fail here for now to make it clear that fuzz-introspector isn't supported.
|
|
We use authenticated encryption, and that deserves mention. This in
particular relevant as the fact they are authenticated makes the
credentials useful as initrd parameterization items.
|
|
|
|
string
LoadCredentials= in unit files supports a syntax passing a single string
only (in which case the credentials are propagated down from the host).
but systemd-run's --property= setting doesn't allow that yet. Fix that.
|
|
|
|
|
|
Previously we'd only warn when we consume it, but it's even more
relevant to warn if we save it to an unencrypted storage location.
|
|
|
|
This is generally used in a directly client controllable way, hence we
should handle ref count overflow gracefully, instead of hitting an
assert().
As discussed:
https://github.com/systemd/systemd/pull/23099#discussion_r854341850
|
|
The overflow check for ref counting should not be subject to NDEBUG,
hence upgrade assert() → assert_se(). (The check for zero is an
immediate bug in our code, and should be impossible to trigger, hence
it's fine if the check is optimized away if people are crazy enough to
set NDEBUG, so that can stay assert())
https://github.com/systemd/systemd/pull/23099#discussion_r854341850
|
|
|
|
The assignments were partly simply incorrectly documented, partly changed
with 4d32507f5186a89e98093659fbbe386787a97b9f and partly missing.
Moreover kernel 5.17 now measures all initrds to PCR 9 on its own
(https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=f046fff8bc4c4d8f8a478022e76e40b818f692df)
Let's correct all this and bring it up-to-date.
And while we are at it extend the docs about this in systemd-stub, with
a new table that indicates which OS resource is protected by which PCR.
|
|
|
|
fallback for systems lacking TPM2
This is supposed to be useful when generating credentials for immutable
initrd environments, where it is is relevant to support credentials even
on systems lacking a TPM2 chip.
With this, if `systemd-creds encrypt --with-key=auto-initrd` is used a
credential will be encrypted/signed with the TPM2 if it is available and
recognized by the firmware. Otherwise it will be encrypted/signed with
the fixed empty key, thus providing no confidentiality or authenticity.
The idea is that distributions use this mode to generically create
credentials that are as locked down as possible on the specific
platform.
|
