Commit message | Author | Age | Files | Lines
The function path_prefix_root_cwd() was introduced for prefixing the
result from chaseat() with root, but
- its name is slightly generic,
- its logic is different from what chase() does.
This makes the name more explanatory and specific to the result of
chaseat(), and makes the logic consistent with chase().
Fixes https://github.com/systemd/systemd/pull/27199#issuecomment-1511387731.
Follow-up for #27199.

As the path may be outside of the specified dir_fd.

root directory
Usually, we pass the file descriptor of the root directory to chaseat()
when `--root=` is not specified. Previously, even in such a case, the
result was relative, and we needed to prefix the path with "/" when we
wanted to pass the path to other functions that do not support dir_fd, or
to log or show the path. That's inconvenient.

Mainly to give it some debug output to, hopefully, see why it sometimes
gets stuck in CI when run with sanitizers.

test: a bunch of assorted tweaks, Saturday edition

They're used in repart, but are not part of the "common" specifier
lists, so cover them explicitly.

Also, sneak in coverage for "less popular" cell types.

socket-util: introduce CMSG_FIND_AND_COPY_DATA()

Addresses https://github.com/systemd/systemd/pull/27254#discussion_r1165267046.

The ignore directive specifies not to do anything with the given
unit and to leave existing configuration intact. This allows distributions
to gradually adopt preset files by shipping an ignore * preset file.

strstrafter() is like strstr() but returns a pointer to the first
character *after* the found substring, not on the substring itself.
Quite often this is what we actually want.
Inspired by #27267, I think it makes sense to add a helper for this,
to avoid the potentially fragile manual pointer increment afterwards.

When CHASE_MKDIR_0755 is specified without CHASE_NONEXISTENT and
CHASE_PARENT, then chase() succeeds only when the file specified by
the path already exists, and in that case, chase() does not create
any parent directories, and CHASE_MKDIR_0755 is meaningless.
Let's mention that CHASE_MKDIR_0755 needs to be specified with
CHASE_NONEXISTENT or CHASE_PARENT, and add an assertion about that.

Enabling these options when not running as root requires a user
namespace, so implicitly enable PrivateUsers=.
This has a side effect as it changes which users are visible to the unit.
However, until now these options did not work at all for user units, and
in practice just a handful of user units in Fedora, Debian and Ubuntu
mistakenly used them (and they have all been fixed since).
This fixes the long-standing confusing issue that the user and system
units take the same options but the behaviour is wildly (and sometimes
silently) different depending on which is which, with user units
requiring manually specifying PrivateUsers= in order for sandboxing
options to actually work and not be silently ignored.

Fixes #26697. RFE.

Follow-up for 7947dbe322a922604f3a5b29693e58b370161ad5.
Fixes CID#1508781 and CID#1508783.

Use _cleanup_ for UnitFileList hash

dissect: add dissection policies

env-util.c

For consistency with other functions.
Unfortunately, va_start() requires that the previous argument is a
pointer, hence the order of the arguments in the internal function
cannot be changed.

And make compress_xyz() return 0 on success, as we know which compression
algorithm is used when calling compress_blob().
Follow-up for 2360352ef02548723ac0c8eaf5ff6905eb9eeca5.

Support O_PATH more

When path_find_first_component() returns the last component, the iterator
must be an empty string. The fact is heavily used in chaseat(). Let's
explicitly test it.

Fixes #27175.

proc-cmdline: filter PID1 arguments on container

Otherwise, PID1 arguments e.g. "--deserialize 16" may be parsed
unexpectedly by generators.
Fixes the issue reported at
https://github.com/systemd/systemd/issues/24452#issuecomment-1475004433.

When we are running in a container, we parse the command line of PID1 in
proc_cmdline_parse() or friends. Previously, we first merged the command
line nulstr into a single string, and then split it using
extract_first_word(). That's not only redundant, but also unsafe when
a command line argument contains a space.
This drops the redundant steps, hence we can safely parse arguments with
spaces.

Follow-up for e212f422796da9e626030289faf083407c8955df.

Then, use id128_get_machine().

Prevent attackers from spoofing the tpmKey portion of the AuthSession by
adding a trusted key to the LUKS header metadata. Also, use a persistent
object rather than a transient object.
This provides the following benefits:
1. No way to MITM the tpmKey portion of the session, see [1] for
details.
2. Strengthens the encrypted sessions, note that the bindKey could be
dropped now.
3. Speed, once it's created we just use it.
4. Owner Auth is needed to call create primary, so using the SRK
creates a scratch space for normal users.
This is a "first to set" model, where the first person to set the key
in the LUKS header wins. Thus, setup should be done in a known good
state. If an SRK, which is a primary key at a special persistent
address, is found, it will use whatever is there. If not, it creates an
SRK. The SRK follows the conventions used throughout the tpm2-software
organization code on GitHub [2], however, a split has occurred between
Windows and Linux with respect to SRK templates. The Linux SRK is
generated with the unique field size set to 0; in Windows, it properly
sets the size to the key size in bytes and the unique data to all 0's of that
size. Note the proper templates for SRKs are covered in spec [3].
However, the most important thing is that both SRKs are passwordless,
and thus they should be interchangeable. If Windows is the first to make
the SRK, systemd will gladly accept it and vice-versa.
1. Without the bindKey being utilized, an attacker was able to intercept
this and fake a key, thus being able to decrypt and encrypt traffic as
needed. Introduction of the bindKey strengthened this, but allows for
the attacker to brute force AES128CFB using pin guesses. Introduction of
the salt increases the difficulty of this attack as well as DA attacks
on the TPM objects themselves.
2. https://github.com/tpm2-software
3. https://trustedcomputinggroup.org/wp-content/uploads/TCG-TPM-v2.0-Provisioning-Guidance-Published-v1r1.pdf
Fixes: #20668
Fixes: #22637
Signed-off-by: William Roberts <william.c.roberts@intel.com>

tests: add test for strv_env_name_is_valid function listed in env-util.c (#27100)

This reverts commit 8c81a618103cafc715e0a1a521e9f1bd34e3e207.

test: a couple of coverage-related test tweaks

I noticed missing coverage in the reports and it turns out this has been
broken since forever (i.e. 2016 - 9f7672b3bc), whoopsie.