| Commit message (Collapse) | Author | Files | Lines |
|---|
|
Otherwise, the command 'echo' may not be invoked yet.
Follow-up for 25aa35d465cf4725bc3ebd2a919e7f39ecafb920.
|
|
If we want to allow method replies to be extended without this breaking
compat, then we should set this flag. Do so at various method call
replies hence.
Also do it when parsing user/group records, which are expressly
documented to be extensible, as well as the hibernate JSON record.
|
|
This is a subset of JSON_PERMISSIVE focussed on allowing parsing of
varlink replies that get extended, i.e. gain new fields, without
allowing more than that (i.e. without allowing missing fields, or bad
field types or such).
|
|
|
|
|
|
|
|
|
|
Let's move more code to using struct iovec for passing around binary
chunks of data.
No real changes in behaviour, just refactoring.
|
|
|
|
|
|
|
|
|
|
|
|
This avoids the ({}) that IOVEC_MAKE_STRING() so far used and might
cause a memory corruption if the parameter passed in is itself allocated
via a compount initialized array or so.
Also, this makes sure both IOVEC_MAKE_STRING() and IOVEC_MAKE() accept
'const' parameters without this causing a compiler warning.
|
|
|
|
|
|
Follow-up for 995bf013a1959d4fb5aed8b135740490888fc196.
|
|
Follow-up for 7d93e4af8088fae7b50eb638c6e297fb8371e307.
|
|
Follow-up for 76511c1bd32a262c76d462919083925c47cbd212.
|
|
Follow-up for 59afe07c217c73e3c7c19fb06aef2ff7bf609fd2.
|
|
Follow-up for 84c01612de805d88875d4d91cfcf73cf10f99447.
|
|
Follow-up for 63566c6b6ffbb747727db4d6f78c28547430d54f.
|
|
Follow-up for 97c493f2140b207ace89e9e028949ceb254fbfc6.
|
|
We already have specifiers that resolve to $XDG_STATE_HOME, and
$XDG_CONFIG_HOME. $XDG_DATA_HOME is in a similar vein.
It allows units belonging to the user service manager to correctly look
into ~/.local/share. I imagine this would be most useful inside of
condition checks (i.e. only run a service on session startup if some
data is not found in ~/.local/share) or in the inotify monitoring of a
.path unit
|
|
cryptenroll accepts only PKCS#11 URIs that match both a certificate and a private key in a token.
This patch allows users to provide a PKCS#11 URI that points to a certificate only, and makes possible to use output of some PKCS#11 tools directly.
Internally the patch changes 'type=cert' in the provided PKCS#11 URI to 'type=private' before storing in a LUKS2 header.
Fixes: #23479
|
|
Follow-up for b732606950f8726c0280080c7d055a714c2888f5 and
6706ce2fd2a13df0ae5e469b72d688eaf643dac4.
If Network.ignore_carrier_loss_set flag is set, then the timeout value
is always used, hence the logic implemented by
b732606950f8726c0280080c7d055a714c2888f5 never worked.
|
|
|
|
Fix the path for the generated.pcrlock files for the cmdline and initrd
cases. Without it the tool complains with:
Failed to parse component file /var/lib/pcrlock.d/720-kernel-initrd.pcrlock, ignoring: Is a directory
Signed-off-by: Alberto Planas <aplanas@suse.com>
|
|
|
|
Both as safety net and as convenience feature of a string is contained
in the credential
|
|
This is what it is after all: encryption with a NULL key. This is more
descriptive, but also relevant since we want to use this kind of
credentials in a different context soon: for carrying pcrlock data into
a UKI. In that case we don#t want encryption, since the pcrlock data is
intended to help unlocking secrets, hence should not be a secret itself.
This only changes the code labels and the way this is labelled in the
output. We retain compat with the old name.
|
|
|
|
|
|
The same check is done exactly one line later, because this is one of
the things that json_variant_is_regular() checks.
As per: https://github.com/systemd/systemd/pull/30578/commits/fa9a6db478e3f0f2753e4633af6d0d4881707c2b#r1441792019
|
|
According to the comment in meson.build this should be a supported
configuration, so let's test it in the CI as well.
|
|
As gcc has trouble figuring this itself with -O2 and -Wmaybe-initialized.
|
|
Otherwise we'd use some garbage value in the error path.
../src/resolve/resolved-dns-query.c: In function ‘dns_query_accept’:
../src/resolve/resolved-dns-query.c:944:27: error: ‘r’ may be used uninitialized in this function [-Werror=maybe-uninitialized]
944 | q->answer_errno = -r;
| ^~
cc1: all warnings being treated as errors
Follow-up for 9ca133e97a0.
|
|
If a binary built with ASan crashes for a reason unrelated to ASan
stuff, we're left with pretty much nothing, as there is neither an ASan
trace nor a coredump. Let's make this slightly more debug-able by
allowing such binaries to dump a core, but without the huge shadow map
(we should be actually fine by just setting disable_coredump=0, since
use_madv_dontdump defaults to true, but let's play it safe and not
potentially dump a 16+ TB core file).
|
|
Follow-up for 519f0074cf.
|
|
|
|
To speed up tests.
|
|
|
|
This is a new utility function recently added. Let's use it.
|
|
statx_timestamp is, for all intents and purposes, the same as a struct
timespec. So, we can trivially convert it and call timespec_load on it.
This commit adds helper functions that do just that.
|
|
Any file/directory created by a tmpfiles.d will be deleted. Useful for
purge/factory reset patterns.
|
|
All the keys are high-entropy keys that cannot be practically
bruteforced and thus don't require protection from dictionary attacks.
With the exception of PINs, of course, which are low-entropy and user
provided.
Note that a new enrollment is required for unlocking while in DA
lockdown to function. Existing enrollments are subject to DA lockout.
Fixes: #30330
|
|
|
|
|
|
Let's add an explicit session class "user-early" for this, so that
change of behaviour on logind is primarily bound to the "class"
property, and not some explicit root checks. This has the benefit that
we can be more fine grained with implying this class: only do so for tty
sessions, not others.
|
|
|
