summaryrefslogtreecommitdiffstats
path: root/rules.d/70-power-switch.rules (unfollow)
Commit message (Collapse)AuthorFilesLines
2024-09-08Fix typo in escape.csamuelvw011-1/+1
2024-09-08TODO: fix typoErik Sjölund1-1/+1
2024-09-08Fix grammar in udevadm settle timeout messagemarginaldev1-1/+1
2024-09-07NEWS: fix typoYu Watanabe1-2/+2
Follow-up for 7a3a49386cc49d3971531ea24efb84232c05cc86.
2024-09-07man/varlinkctl: fix typoYu Watanabe1-2/+2
Follow-up for 39ce86d19c7c3ac46b4afb546879ca8dcad1bdb2.
2024-09-07network/route: fix typoYu Watanabe1-1/+1
Follow-up for 195bb6f97ebc5cd5e9932c62aa80df5427c30d67.
2024-09-07mkosi: Drop _fixperms workaroundDaan De Meyer2-2/+0
This was added to deal with a bug in the rpm 4.20 rc in Rawhide but since that's been fixed, let's drop the workaround.
2024-09-07docs: use actual docs/HACKING.md URLMichal Sekletar1-1/+1
2024-09-07varlinkctl: add --timeout= switch to tweak time-out behaviourLennart Poettering2-22/+79
Fixes: #33772
2024-09-07dm-util: get rid of flex array in middle of structureLennart Poettering1-9/+17
Fixes: #33936
2024-09-06man: CAP_SYS_ADMIN does NOT grant any permission for dbus APITakeo Kondo1-2/+1
2024-09-06pcrlock: be more careful when preparing credential name for pcrlock policyLennart Poettering2-24/+48
The .cred suffix is stripped from a credential as it is imported from the ESP, hence it should not be included in the credential name embedded in the credential. Fixes: #33497
2024-09-06ukify: introduce new --measure-base= switchLennart Poettering2-8/+85
2024-09-06ukify: add new --extend= switch for importing an existing UKI's sections to ↵Lennart Poettering2-17/+119
later extend This options is pretty simple, it allows specifying an UKI whose sections to import first, and place at the beginning of the new UKI. This is useful for generating multi-profile UKIs piecemeal: generate the base UKI first, then append a profile, and another one and another one. The sections imported this way are not included in any PCR signature, the assumption is that that already happened before in the imported UKI.
2024-09-06ukify: add basic .profile supportLennart Poettering2-0/+20
This just allows including .profile sections, but doesn't try to be smart about it. This alone won't help you much to create valid multi-profile UKIs.
2024-09-06journald: mention the access mode we tried to open /dev/kmsg inLennart Poettering1-6/+4
Let's make clearer what we are going to use /dev/kmsg for: read/write or just writing. This hopefully should avoid confusion, such as the one #33975 is result of. (Also while we are at it, add one extra debug message). Fixes: #33975
2024-09-06NEWS: extend the userdb sshd_config NEWS entry a bitLennart Poettering1-2/+13
2024-09-06tpm2-util: introduce tpm2b_sensitive_data_erase_and_esys_freep() destructorLennart Poettering1-9/+18
Let's make sure we erase TPM2B_SENSITIVE_DATA structures reliably in all code paths.
2024-09-06cryptenroll/cryptsetup: allow combined signed TPM2 PCR policy + pcrlock policyLennart Poettering13-272/+698
So far you had to pick: 1. Use a signed PCR TPM2 policy to lock your disk to (i.e. UKI vendor blesses your setup via signature) or 2. Use a pcrlock policy (i.e. local system blesses your setup via dynamic local policy stored in NV index) It was not possible combine these two, because TPM2 access policies do not allow the combination of PolicyAuthorize (used to implement #1 above) and PolicyAuthorizeNV (used to implement #2) in a single policy, unless one is "further upstream" (and can simply remove the other from the policy freely). This is quite limiting of course, since we actually do want to enforce on each TPM object that both the OS vendor policy and the local policy must be fulfilled, without the chance for the vendor or the local system to disable the other. This patch addresses this: instead of trying to find a way to come up with some adventurous scheme to combine both policy into one TPM2 policy, we simply shard the symmetric LUKS decryption key: one half we protect via the signed PCR policy, and the other we protect via the pcrlock policy. Only if both halves can be acquired the disk can be decrypted. This means: 1. we simply double the unlock key in length in case both policies shall be used. 2. We store two resulting TPM policy hashes in the LUKS token JSON, one for each policy 3. We store two sealed TPM policy key blobs in the LUKS token JSON, for both halves of the LUKS unlock key. This patch keeps the "sharding" logic relatively generic (i.e. the low level logic is actually fine with more than 2 shards), because I figure sooner or later we might have to encode more shards, for example if we add further TPM2-based access policies, for example when combining FIDO2 with TPM2, or implementing TOTP for this.
2024-09-06iovec-util: add iovec_append() for appending to an existing iovecLennart Poettering3-0/+27
2024-09-06man: document that sd_bus_message_read_strv() happily spits out empty arrays ↵Lennart Poettering1-1/+3
as NULL Fixes: #34163
2024-09-06tree-wide: use UTMPX_FILE rather than _PATH_UTMPXLennart Poettering3-9/+9
Apparently _PATH_UTMPX is a glibc'ism. UTMPX_FILE is the same thing and what everyone else uses. Since they are otherwise equivalent, let's just switch.
2024-09-06test-utmp: replace UT_LINESIZE/UT_NAMESIZE/UT_HOSTSIZE with sizeof_field()Lennart Poettering1-12/+6
utmpx doesn't know these defines, hence fix them.
2024-09-06tree-wide: drop unnecessary utmp includesLennart Poettering2-2/+0
2024-09-06user-util: switch from utmp to utmpxLennart Poettering1-2/+2
We generally use utmpx instead of utmp (both are actually identical on Linux, but utmpx is POSIX, while utmp is not). Let's fix one left-over case. UT_NAMESIZE does not exist in utmpx world, it has no direct counterpart, hence let's just sizeof_field() to determine the size of the actual field. (which comes to the same result of course: 32).
2024-09-06coredump: set ProtectHome to read-onlyEtienne Cordonnier1-1/+1
In https://github.com/systemd/systemd/pull/5283/commits/924453c22599cc246746a0233b2f52a27ade0819 ProtectHome was set to true for systemd-coredump in order to reduce risk, since an attacker could craft a malicious binary in order to compromise systemd-coredump. At that point the object analysis was done in the main systemd-coredump process. Because of this systemd-coredump is unable to product symbolicated call-stacks for binaries running under /home ("n/a" is shown instead of function names). However, later in https://github.com/systemd/systemd/commit/61aea456c12c54f49c4a76259af130e576130ce9 systemd-coredump was changed to do the object analysis in a forked process, covering those security concerns. Let's set ProtectHome to read-only so that systemd-coredump produces symbolicated call-stacks for processes running under /home.
2024-09-06po: Translated using Weblate (French)Léane GRASSER1-8/+9
Currently translated at 100.0% (253 of 253 strings) Co-authored-by: Léane GRASSER <leane.grasser@proton.me> Translate-URL: https://translate.fedoraproject.org/projects/systemd/main/fr/ Translation: systemd/main
2024-09-06measure: introduce support for a new ".profile" sectionLennart Poettering3-6/+14
This introduces the concept, and makes sure systemd-measure covers it. See a later commit for details on the new section.
2024-09-06uki: add new ".profile" PE section typeLennart Poettering3-1/+3
This is the most basic preparatory work for supporting multi-profile UKIs. (This temporarily drops an assert_cc() check which we'll address in the next commit)
2024-09-06network/route: ignore EEXIST reply when the corresponding request is already ↵Yu Watanabe1-0/+7
detached Follow-ups for db8dc7c1dd7f4620e14fbc4c1560a68a1fc9b85b. Fixes #34275.
2024-09-06tree-wide: check if non-empty password is acquiredYu Watanabe3-3/+4
2024-09-06ask-password: refuse empty password strvYu Watanabe1-8/+21
Fixes #34270.
2024-09-06sd-netlink: fix typoYu Watanabe1-1/+1
Fixes #34273.
2024-09-06nspawn: refuse to bind mount device node from host when --private-users= is ↵Yu Watanabe1-5/+5
specified Also do not chown if a device node is bind-mounted. Fixes #34243.
2024-09-06test: fix copy-and-paste error in commentYu Watanabe1-1/+1
2024-09-06nspawn: fix indentationYu Watanabe1-1/+1
2024-09-06base-filesystem: use FOREACH_ELEMENT()Yu Watanabe1-12/+12
2024-09-06mount-util: wrap long lineYu Watanabe1-1/+9
2024-09-06network/address: use log_section_warning()Yu Watanabe1-24/+20
2024-09-06network/address: use generic section parser moreYu Watanabe4-204/+101
This also - rename variable n -> address, - use log_syntax_parse_error() where applicable, - add one more assertion for lvalue in config_parse_address().
2024-09-06network/address: introduce generic config parser for [Address] sectionYu Watanabe3-152/+41
Then, use generic conf parsers defined in conf-parser.[ch].
2024-09-06firewall-util: several cleanups for config_parse_nft_set()Yu Watanabe1-17/+5
- use log_syntax_parse_error(), - return 1 on success, - drop unnecessary or redundant assertions, - add missing log_oom().
2024-09-06conf-parser: introduce config_parse_uint32_invert_flag()Yu Watanabe2-0/+26
It is similar to config_parse_uint32_flag(), but drops the specified flag when true.
2024-09-06network: align table in network-gperfYu Watanabe1-20/+20
2024-09-06network/address-label: use log_section_warning_errno()Yu Watanabe1-8/+12
2024-09-06network/address-label: introduce generic conf parser for [IPv6AddressLabel] ↵Yu Watanabe4-57/+79
section This also - renames n -> label, - use log_syntax_parse_error(). No functional change, just refactoring.
2024-09-06conf-parser: introduce config section parser wrapperYu Watanabe3-35/+73
It will be used later.
2024-09-06hwdb: Mark Apple Wireless keyboards as not having NumLock LEDBastien Nocera1-0/+12
Mark those Apple Wireless keyboards as not having a NumLock key: https://en.wikipedia.org/wiki/Apple_Wireless_Keyboard You can see that they don't have a NumLock LED because they didn't even have a NumLock in the first place: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=0fea6fe7d5ef1b5fa5f78048d4729f85181c04ca
2024-09-06timesync: make manager_is_connected() staticYu Watanabe2-2/+1
2024-09-06timesync: downgrade log level about network configuration changeYu Watanabe1-2/+6
These message may be unnecessarily shown multiple times when e.g. networkd is restarted, system is wakeup from suspend, and so on. Closes #34262.