| Commit message | Author | Age | Files | Lines |
|
We use _printf_ for these functions, so there shouldn't
be a warning in the first place.
|
Previously, if we encountered a non-socket fd we'd return ENOTSOCK the
first time, but the subsequent times we'd return ENOMEDIUM, due to
caching. Let's make sure we return the same errors all the time.
|
Various fixes
|
Otherwise the default log target is the console and we won't use
the journal socket even if it is available.
|
let's properly handle old kernels that have no pidfd, and use regular
pids in that case, as intended originally.
|
Fixes a regression introduced by 8157cc0e3e33c97b406cc088cf001ca524154f64.
|
core: Set a sensible systemd-executor log level in test runs
|
Replaces #32062
As discussed in #32062, making 'help' the default verb
is not very appealing for two reasons:
1) If the verb is missing, showing a help which is pages long
isn't really helpful to locate the problem.
(https://github.com/systemd/systemd/pull/32062#issuecomment-2064997158)
2) We want to reserve the right to set default verbs to be
more useful ones, instead of help. E.g. 'busctl' lists all
bus peers by default.
So, when there are more than 2 verbs, let's instead add
the list of available verbs to the "Command verb required"
message, that serves as a hint. That way we try to be friendlier
to users, but still make the problem obvious.
|
tpm2_context_new and logs about errors
We so far just print a short log message that is not very useful, let's
add some recognizable error codes, and output better log messages if we
can't get TPM stuff to work.
Fixes: #31925
|
If we're already running in a unit with delegation turned on, let's
skip allocation of a scope unit and cgroup subroot. This allows journald
to correctly attribute the logs of all subprocesses spawned by tests such
as test-execute to the test-execute service when the test is running in a service.
|
Specifically, this will make tests log to the journal if stderr is
connected to the journal. This means we get proper log priorities
and such compared to if we just logged to stderr.
|
For when we expect something to fail with a specific error.
|
shared/vpick: some minor cleanups
|
Follow-up for 421a4ba7e4a26332c271359a7a114a1da7a2afad
|
Apparently some RTC drivers return EINVAL in that case when we try to
read it. Handle that reasonably gracefully.
Fixes: #31854
|
portable: support vpick
|
Fix openssl deprecations
|
openssl can be built without support for engines or with deprecated
definitions disabled.
This also will not pull in most headers automatically,
so add the rsa.h and ec.h header explicitly.
Remove Engine stuff from the header - it is only needed in one
source file.
Make Engine support dependent on the macros.
|
bus-wait-for-units: some cleanup
|
This is not used anywhere.
|
This is never used, and given that bus_wait_for_units_run
returns BusWaitForUnits.state it's not really useful.
|
Even though it is currently only used by networkd, the parser itself
is quite generic. Let's move it to the shared library.
|
According to copy_file_range(2), errno will be set to EOPNOTSUPP when
the file system does not support copy_file_range(). Since there is
already fallback logic in place here for other kinds of errors, add
-EOPNOTSUPP to the list of ignored errors.
|
Replace PolicyAuthValue by PolicySigned as access policy for pcrlock policy nvindex
|
authValue anymore for the policy nvindex
We have now switched from PolicyAuthValue to PolicySigned to control
access to the policy nvindex. This means there's no point in setting
an authValue on the nvindex anymore, hence drop this.
|
PolicyAuthValue to PolicySigned (with an HMAC-SHA256 key)
So far the nvindex to store the pcrlock policy in was protected via a
PolicyAuthValue policy (i.e. with a simple PIN set on the nvindex).
That's a bad idea however, as it means an attacker can simply remove and
re-create the nvindex and the "name" of the nvindex does not change,
thus defeating the logic. (This is because the authValue is *not* part
of the "name" of an nvindex!).
Fix this by switching from PolicyAuthValue to PolicySigned with an
HMAC-SHA256 key. Behaviour is very similar: however, the PIN is now part
of the access policy hash, which *is* part of the "name" of an
nvindex. Thus, if an attacker removes and recreates the nvindex it has
to provide the same PIN again or the "name" of the nvindex will change.
Mission accomplished.
I'd like to thank Chris Coulson for finding this issue (and helping me
address it). Thank you!
|
actually does
|
If we load an external key into the TPM we must do so in the NULL
hierarchy. An external key after all is one that is not wrapped by any
hierarchy's seed.
See TPM2 spec, Part 3, Section 12.3.1
|
Just some renaming. I found the old name a bit confusing since it sounds
as if this would get the pin from somewhere, but it really doesn't. It
just converts a PIN into an auth_value, and I think saying so explicitly
makes things easier to grok.
|
We later want to use this from pcrlock.c, hence export it.
|
We want to make use of TPM_PolicySigned soon, hence import the necessary
symbols from tpm2-tss.
|
Use FOREACH_ELEMENT where possible. Generated with this command,
and checked manually:
git grep -l 'FOREACH_ARRAY.*ELEMENTSOF' | \
xargs sed -ri 's/FOREACH_ARRAY\((.*), (.*), (ELEMENTSOF.*)\)/FOREACH_ELEMENT(\1, \2)/'
|
Follow-up for 33ff155957327f51dde740a7a75f19122bff1ebc.
|
blockdev-util: fix detection of partscan
|
The 'capability' sysattr was deprecated by
https://github.com/torvalds/linux/commit/e81cd5a983bb35dabd38ee472cf3fea1c63e0f23 (v6.3).
|
vmspawn: generate predictable TAP device names and MAC addresses
|
shared/netif-util
|
basic/linux: copy magic.h from kernel to our code
|