| Commit message | Author | Age | Files | Lines |
We often used a pattern like if (!FLAGS_SET(flags, SD_JSON_FORMAT_OFF)),
which is rather verbose and also contains a double negative, which we try
to avoid. Add a little helper to avoid an explicit bit check.
This change clarifies an additional thing: in some cases we treated
SD_JSON_FORMAT_OFF as a flag (flags & SD_JSON_FORMAT_OFF), while in other cases
we treated it as an independent enum value (flags == SD_JSON_FORMAT_OFF).
In the first form, flags like SD_JSON_FORMAT_SSE do _not_ turn the json
output on, while in the second form they do. Let's use the first form
everywhere.
No functional change intended.
Initially I wasn't sure if this helper should be made public or just internal,
but it seems such a common pattern that if we expose the flags, we might just
as well expose it too, to make life easier for any consumers.
Fixes: https://github.com/systemd/systemd/issues/34547
Follow-up for 58e359604ffdca12bb4d2c5807b96e070611c0f6.
Follow-up for 58e359604ffdca12bb4d2c5807b96e070611c0f6.
The verb is not really specific to credential management, it was always a
bit misplaced. Hence move it to systemd-analyze, where we already have
some general TPM related verbs such as "srk" and "pcrs".
I guess this was copy/pasted from sysupdate? Weird though. Fix it. And
also reword "cat" help text to make it more precise.
It's time. sd-json was already done earlier in this cycle, let's now
make sd-varlink public too.
This is mostly just a search/replace job of epical proportions.
I left some functions internal (mostly IDL handling), and I turned some
static inline calls into regular calls.
This is preparation for making our Varlink API a public API. Since our
Varlink API is built on top of our JSON API we need to make that public
first (it's a nice API, but JSON APIs there are already enough, this is
purely about the Varlink angle).
I made most of the json.h APIs public, and just placed them in
sd-json.h. Sometimes I wasn't so sure however, since the underlying data
structures would have to be made public too. If in doubt I didn't risk
it, and moved the relevant API to src/libsystemd/sd-json/json-util.h
instead (without any sd_* symbol prefixes).
This is mostly a giant search/replace patch.
When we display passed credentials we show a brief safety level based on
how the credential is passed in: if it's backed by swappable memory we
give it a "weak" level. This check was so far done by checking if the
file is backed by ramfs. However, since
1155f44f48f8fd59c863d71b3938e34a0b2fec2a we actually prefer tmpfs with
the new "noswap" option for this.
Hence, fix this, and explicitly look for "noswap" among the mount
options in case we detect tmpfs.
- drop unnecessary SYNTHETIC_ERRNO() when the logger does not propagate
error code,
- drop unnecessary '%m' in error message when the error code is
specified with SYNTHETIC_ERRNO(),
- add missing full stop at the end of log message,
- use RET_GATHER(),
- add missing ", ignoring.",
- uppercase the first letter, etc., etc...
This was forgotten when "tpm2-absent" was renamed to "null".
Follow-up-for: 6d78dc282721b3b40e8474222ff8c6e0aebb6d10
pcrlock writes a credential file using null key. Make sure systemd-creds
can show the file.
shared/service-util: actually use the `bus_introspect` argument in `help()`
|
| |
| |
| |
| | |
Follow-up for bc556335b1c568c98688cc1f586b5f753fcddac6
(#31715)
This adds for both the D-Bus and the Varlink flavours of our polkit
client api a flags parameter. And then folds the "bool interactive" flag
that the D-Bus version so far had, into a flag, and also adds support
for it in the Varlink API.
Since this means the Varlink API gained another parameter, let's do what
we already did for the D-Bus API and add a _full() version of the API
that has the flags and the good_uid parameter, and one without both.
Follow-up for 8464f7cbd652af75566017c62bec5308d1c30775.
Fixes: #30191
without polkit authentication
Now that we have the concept of scoped credentials, we can allow
unprivileged clients to encrypt/decrypt them as long as they are
scoped to them.
So far credentials are a concept for system services only: to encrypt or
decrypt a credential you must be privileged, as only then you can access
the TPM and the host key.
Let's break this up a bit: let's add "user-scoped" credentials, which
are specific to users. Internally this works by adding another step to
the acquisition of the symmetric encryption key for the credential: if a
"user-scoped" credential is used we'll generate a symmetric encryption
key K as usual, but then we'll use it to calculate
K' = HMAC(K, flags || uid || machine-id || username)
and then use the resulting K' as encryption key instead. This basically
includes the (public) user's identity in the encryption key, ensuring
that only if the right user credentials are specified the correct key
can be acquired.
So far the varlink logic honoured the "sensitive" flag of output
messages. Let's add something similar for input messages. Since we don't
really know incoming messages, the flag simply controls whether the
"parameters" field of all incoming messages should be marked as
sensitive.
Then, turn this on in the credentials logic and in homed, since both
deal with credentials.
Let's move more code to using struct iovec for passing around binary
chunks of data.
No real changes in behaviour, just refactoring.
This is what it is after all: encryption with a NULL key. This is more
descriptive, but also relevant since we want to use this kind of
credentials in a different context soon: for carrying pcrlock data into
a UKI. In that case we don't want encryption, since the pcrlock data is
intended to help unlocking secrets, hence should not be a secret itself.
This only changes the code labels and the way this is labelled in the
output. We retain compat with the old name.
Use auth_admin_keep, so that users don't have to re-auth interactively
again and again when encrypting/decrypting batches of credentials.
As per https://github.com/systemd/systemd/pull/30547#discussion_r1434371627
Follow-up for f9568765d4d3d57de1ec01d85f0a0682920f4d10
The man page doesn't even mention errno. It just says that ferror() should
be used to check for errors. Those writes are unlikely to fail, but if they
do, errno might even be 0. Also, we have fflush_and_check() which does
additional paranoia around errno, because we apparently do not trust that
errno will always be set correctly.
According to our coding style.
I always found it confusing that most of our TPM related definitions are
in tpm2-util.h, but the PCR names in tpm-pcr.h, without the "2". Let's
fix that and make this systematic, in particular as the definitions in
the file all start with TPM2_ already.
No code flow changes, just some renaming.
We so far maintained two places for symbolic names for PCRs. One in
tpm2-util.h and one in tpm-pcr.h.
Let's unify this into one, i.e. move the full list from tpm2-util.h into
tpm-pcr.h, replacing the short list placed so far there.
Systematically prefix the definitions with TPM2_ or tpm2_, to follow how
we do this for all other defines in this context.
No change in behaviour, just unification of tables.
The script is mostly equivalent to 'mkdir -p' and 'ln -sfr'.
Let's replace it with install_emptydir() builtin function and
inline meson call.
In order to allow users to specify expected PCR values, change the
tpm2_parse_pcr_argument() to parse the text argument into an array of
Tpm2PCRValue objects, which provide not only the selected PCR indexes, but also
(optionally) the hash algorithm and hash value for each PCR index.
Instead of _cleanup_(set_freep) or so.
parse_boolean_argument() returns the same information via both the output
argument and normal return.
character buffers to NUL terminated C strings
-1 was used everywhere, but -EBADF or -EBADFD started being used in various
places. Let's make things consistent in the new style.
Note that there are two candidates:
    EBADF   9   Bad file descriptor
    EBADFD  77  File descriptor in bad state
Since we're initializing the fd, we're just assigning a value that means
"no fd yet", so it's just a bad file descriptor, and the first errno fits
better. If instead we had a valid file descriptor that became invalid because
of some operation or state change, the other errno would fit better.
In some places, initialization is dropped if unnecessary.
Instead of succeeding when either the firmware reports a TPM device
or we find a TPM device, let's check that the firmware reports a TPM
device and the TPM subsystem is enabled in the kernel.
To check whether the subsystem is enabled, we check if the relevant
subdirectory in /sys exists at all.