| Commit message | Author | Files | Lines |
|
error path
For SELinux it is essential that we reset the file creation label both
in the success and in the error path, hence do so.
Moreover, when calling the label post ops do it if possible with the
opened fd of the inode itself, rather than always going via its path,
simply to reduce the attack surface.
|
|
If openat_report_new() fails, then 'made_file' will be false, as no file
was created, hence there's no need to skip the unlinkat() explicitly
early, given that we check for 'made_file' anyway in the error path. The
extra error code checks are hence entirely redundant.
|
|
We have two distinct implementations of the post hook.
1. For SELinux we just reset the selinux label we told the kernel
earlier to use for new inodes.
2. For SMACK we might apply an xattr to the specified file.
The two calls are quite different: the first call we want to call in all
cases (failure or success), the latter only if we actually managed to
create an inode, in which case it is called on the inode.
|
|
We didn't go through it at all if label_ops_post() failed.
|
|
XDG_RUNTIME_DIR isn't
We noticed some failures because we have code that connects to user
managers by setting DBUS_SESSION_BUS_ADDRESS without setting XDG_RUNTIME_DIR.
If that's the case, connect to the user session bus instead of the
private manager bus as we can't connect to the latter if XDG_RUNTIME_DIR
is not set.
|
|
bus_log_connect_error() checks for ENOMEDIUM, not ENXIO.
|
|
The links moved to the legacy dataset so they won't be available by
default, so stop using them and just use the city ones instead
|
|
This duplicates the svc param constants for the benefit of the
resolved-core library.
|
|
This is only used by the fuzzer so far.
|
|
The structure of DNR options is considerably more complicated than most
DHCP options, and as a result the fuzzer has poor coverage of these code
paths.
This adds some DNR packets to the fuzzing corpus, not with the intent of
capturing some specific edge case, but with the intent to rapidly
improve the fuzzers' coverage of these codepaths by giving it a valid
example to begin with.
Also include an ndisc router advert with a few Encrypted DNS options,
for the same purpose.
|
|
Serialize DNR servers acquired by ipv6ra option, same as the V4/V6 DNR
DHCP options.
|
|
Same as the DHCP v4/v6 options, this controls the use of DNR received
from ipv6ra.
|
|
This option is equivalent to the V4/V6 DNR options for DHCP.
|
|
Same as the DHCPv4 test.
|
|
This serializes DNR servers acquired by V6_DNR option, equivalent to the
V4_DNR option.
|
|
This is equivalent to the DHCPv4 option introduced earlier.
|
|
Implement the parsing for V6_DNR DHCPv6 option. This does the same as
the DHCP V4_DNR option.
|
|
Convert some of the option parsing to use dns_name_from_wire_format,
introduced earlier. No change in behavior intended.
|
|
The encoded fqdn in this option must be properly terminated. We will
soon validate that this field is correctly encoded, so correct it in the
test.
|
|
This will test that networkd/resolved can understand the V4_DNR DHCP
option.
|
|
Implement serialization/deserialization for DNR servers. This re-uses
the string format in place for user configuration of DoT servers, and as
a consequence non-DoT servers are discarded when recording the link
configuration, for correctness.
This also enables sd-resolved to use these servers as it would other DNS
servers.
|
|
For now only DoT is supported, so DoT resolvers are represented using
the existing configuration format.
|
|
This option will control the use of DNR for choosing DNS servers on the
link. Defaults to the value of UseDNS so that in most cases they will be
toggled together.
|
|
io.systemd.Machine.List output
|
|
This is equivalent to the DBus implementation of GetMachineAddresses.
|
|
io.systemd.Machine.List output
This commit adds support of the above-mentioned fields. This is equivalent to the DBus implementation of:
- GetMachineOSRelease
- GetMachineUIDShift
|
|
Now that mkosi supports generating UKI profiles, let's make use of
that to generate the UKI profiles required for the test instead of
doing it within the test itself.
|
|
Otherwise, when the test is executed on a system with signed PCRs,
cryptenroll will automatically pick up the public key from the UKI
which results in a volume that can't be unlocked because the pcrextend
tests append extra things to pcr 11.
|
|
We can break out of the preceding for loop in certain scenarios
which would trigger the assert so let's drop it.
|
|
If VirtualSize > SizeOfRawData, measure extra zeros to take into
account the extra zeros also measured by the stub.
|
|
It was force-pushed again
|
|
to a TTY
Let's provide a mechanism to select the number of screen columns for
rebreaking comments in Varlink IDL connected to a TTY, by honouring the
$COLUMNS env var then too. Previously we'd only honour it when connected to
a TTY, but it's also useful otherwise for rebreaking ridiculously long
comments, hence honour it in this case too.
|
|
Previously, we were using touch(), which usually works fine, because the
path should always refer to an existing directory, in which case it just
updates the timestamp. However, if the dir does not exist yet (which
shouldn't happen), it would be created as a regular file, which is just
wrong.
Hence, let's instead create the dir as dir if it is missing, and then
update its timestamp.
|
|
Fixes: #1232 #2217
|
|
This allows selecting which agents to ask about this: system-level
agents, or per-user agents.
Fixes: #1232 #2217
|
|
askpw dir
Fixes: #1232 #2217
|
|
Seems like we missed some snake_case field names in previous reviews of
systemd-sysupdate
|
|
Same change as https://github.com/systemd/systemd/pull/34583 but for
systemd-measure. Otherwise we end up with PCR policy digest mismatches
as systemd-stub will measure the full virtual size of the kernel image
after it has been loaded while systemd-measure will disregard the extra
size introduced by SizeOfImage.
While ideally the stub would only measure the data that's actually on
disk and not the uninitialized data introduced by VirtualSize > SizeOfRawData,
we want newer systemd-measure to work with older stubs so we have to fix
systemd-measure and can't fix this in the stub.
|
|
A basic test will verify that we provide the right flags.
|