| Commit message (Collapse) | Author | Files | Lines |
|---|
|
|
|
We can't shortcut chaseat() if CHASE_PARENT is set.
|
|
If the source is a file, don't copy the mode and such from it to
the root directory, even if the target is /.
|
|
|
|
|
|
Avoids the need to maintain the same list over and over again, and
link it to the defition table in the implementation as a reminder
too
|
|
The API introduced in https://github.com/systemd/systemd/pull/34295
is less than ideal:
- It doesn't consider signing at all (ukify can't sign separately yet)
- Measurement is completely broken (all profile sections are marked to
not be measured)
- It focuses on a very niche use case of extending existing UKIs and makes
the more common use case of building a UKI with several profiles included
much harder than needed.
Let's instead rework the API to focus on the primary use case of building
a UKI with multiple profiles added to it immediately. We require the profiles
to be built upfront as separate PE binaries with UKI. There's no need to sign
or measure these, they're solely vehicles for profile sections. This saves us
from having to complicate the command line and config parsing to support defining
multiple profiles.
To add the profiles when building a UKI, we introduce the new --add-profile
switch which takes a path to a PE binary describing a profile. The required
sections are read from each PE binary, measured and added as a profile.
The integration test is disabled until the new API is merged and exposed in
mkosi so that building a UKI with profiles can be left to mkosi and the integration
test will only test the switching between profiles and not the building of UKIs
with profiles.
|
|
|
|
|
|
sections to later extend"
This reverts commit b6570095ce889b07242d36cd05fa1d1899d0bc6c.
|
|
This reverts commit bc3e2c5a5774ae7b212817d04e04abccf30088ae.
|
|
This is to ensure that the UUIDs from the CopyBlocks= devices are copied
to the corresponding new partition instead of creating a new UUID for
it. With this verity partitions can be copied, keeping their UUIDs to
ensure that they still match up with what is specified in roothash=.
|
|
Fixup for 2413a0fab4fdad7eef3ce1d4b57664be5795b002.
|
|
- The text was clearly edited in variuos places to e.g. allow multiple
sections, so it first said that sections are singletons, and immediately
after that that some section are not.
- Replace "regardless of the kernel" with "regardless of the kernel version".
The kernel is very much involved e.g. in loading of the initrds.
- Various other small rewordings to make the text more legible.
|
|
Fixes compilation error
"""
[780/3171] /usr/bin/clang -std=gnu11 -Wno-compare-distinct-pointer-types -fno-stack-protector -O2 -target bpf -g -c -D__aarch64__ -I. -isystem /usr/include/ -idirafter /usr/include ../src/nsresourced/bpf/userns_restrict/userns-restrict.bpf.c -o src/nsresourced/bpf/userns_restrict/userns-restrict.bpf.unstripped.o -I/usr/src/kernels/6.11.1-0.hs1.hs+fb.el9.aarch64
FAILED: src/nsresourced/bpf/userns_restrict/userns-restrict.bpf.unstripped.o
/usr/bin/clang -std=gnu11 -Wno-compare-distinct-pointer-types -fno-stack-protector -O2 -target bpf -g -c -D__aarch64__ -I. -isystem /usr/include/ -idirafter /usr/include ../src/nsresourced/bpf/userns_restrict/userns-restrict.bpf.c -o src/nsresourced/bpf/userns_restrict/userns-restrict.bpf.unstripped.o -I/usr/src/kernels/6.11.1-0.hs1.hs+fb.el9.aarch64
../src/nsresourced/bpf/userns_restrict/userns-restrict.bpf.c:27:7: error: conflicting types for 'bpf_rdonly_cast'
27 | void *bpf_rdonly_cast(void *, __u32) __ksym;
| ^
/usr/src/kernels/6.11.1-0.hs1.hs+fb.el9.aarch64/vmlinux.h:143063:14: note: previous declaration is here
143063 | extern void *bpf_rdonly_cast(const void *obj__ign, u32 btf_id__k) __weak __ksym;
| ^
1 error generated.
"""
|
|
Add support for opening /dev/hidraw devices via logind's TakeDevice().
Same semantics as our support for evdev devices, but it requires the
HIDIOCREVOKE ioctl in the kernel.
|
|
|
|
IPE is a new LSM being introduced in 6.12. Like IMA, it works based on a
policy file that has to be loaded at boot, the earlier the better. So
like IMA, if such a policy is present, load it and activate it.
If there are any .p7b files in /etc/ipe/, load them as policies.
The files have to be inline signed in DER format as per IPE documentation.
For more information on the details of IPE:
https://microsoft.github.io/ipe/
|
|
We had several users, that wrote their unit files with
WantedBy=default.target because it should be started "every time".
But for example in Fedora/CentOS/RHEL, this often breaks for
example selinux relabels (where we just want to do a relabel and reboot).
|
|
Otherwise when the user takes a long time to enter input the operation
to create the user's home will fail with "transport endpoint not connected".
|
|
|
|
|
|
|
|
bpftrace nudges the Fedora Rawhide images towards compiler-rt18 while the
sanitizer builds pull in clang19, leading to the sanitizer libraries
not being found at runtime. Let's drop bpftrace for now so that compiler-rt19
is pulled in in the main image.
|
|
systemd built with sanitizers is installed in subimages and tools
might get invoked in postinstall scripts so we have to disable ASAN
in the subimages as well during the image build.
|
|
|
|
The latest clang has started catching more integer promotions which
cause us to pass the wrong type to printf() format specifiers so let's
fix those.
|
|
We don't support "split /usr" systems anymore, hence no point in
mentioning /bin/ anymore as being part of the binary search path.
|
|
ExecStart=
So far we supported this syntax:
ExecStart=foo ; bar
as equivalent to:
ExecStart=foo
ExecStart=bar
With this change we'll "soft" deprecate the first syntax. i.e. it's
still supported in code, but not documented anymore.
The concept was originally added to make things easier for 3rd party
.ini readers, as it allowed writing unit files with a .ini framework
that doesn't allow multiple assignments for the same key. But frankly,
this is kinda pointless, as so many other of our knobs require the
double assignment.
Hence, let's just stop advertising the concept, let's simplify the docs,
by removing one entirely redundant feature from it.
Replaces: #34570
|
|
|
|
an explicit flag
Let's mark functions that accept the 'more' flag explicitly for that,
and validate for this explicitly.
This is preparation for
https://github.com/varlink/varlink.github.io/issues/26, if we get that
one day. Let's make sure that from day #1 we have this info available
even if we don't generate this in the IDL for now.
Also enables the two flags for all interfaces we export that use the
logic.
|
|
Given this is supposed to be a public API now, let's add some concept
for extensions of these open-coded structures: let's make sure we have
flags fields on all structures (which we can use for extensions later).
Right now we only have this for varlink "fields" structures, this adds
the same for "symbols" and the "interface" as a whole.
There are no actual flags defined in either for now, this is just
future-safety preparation.
(But a later commit will add two flags to symbols)
|
|
The call returns multiple entries, hence should be called with `--more`.
|
|
Let's systematically use RTL_NOW|RLTD_NODELETE as flags passed to
dlopen(), across our codebase.
Various distros build with "-z now" anyway, hence it's weird to specify
RTLD_LAZY trying to override that (which it doesn't). Hence, let's
follow suit, and just do what everybody else does.
Also set RTLD_NODELETE, which is apparently what distros will probably
end up implying sooner or later anyway. Given that for pretty much all
our dlopen() calls we never call dlclose() anyway, let's just set this
everywhere too, to make things systematic.
This way, the flags we use by default match what distros such as fedora
do, there are no surprises, and read-only relocations can be a thing.
Fixes: #34537
|
|
Bumps [systemd/mkosi](https://github.com/systemd/mkosi) from 2c9954fa51a3a995bbdc02db6ef51f5bd27bc1ba to 3454f7bd4ef0336ec80a117d593baaef0fe53398.
- [Release notes](https://github.com/systemd/mkosi/releases)
- [Commits](https://github.com/systemd/mkosi/compare/2c9954fa51a3a995bbdc02db6ef51f5bd27bc1ba...3454f7bd4ef0336ec80a117d593baaef0fe53398)
---
updated-dependencies:
- dependency-name: systemd/mkosi
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
|
|
For compiling bpf code, the system include directory needs to be
constructed. On Debian-like systems, this requires passing a multiarch
directory. Since clang's -dump-machine prints something other that the
multiarch triplet, gcc was interrogated earlier, but that also yields a
wrong result for cross compilation and was thus skipped resulting in
clang not finding asm/types.h.
Rather than, -dump-machine we should ask for -print-multiarch (which
rarely differs). Whenever gcc is in use, this is right (even for cross
building). Since clang does not support -print-multiarch and its
-dump-machine never matches Debian's multiarch, we resort to asking gcc
when building natively. For cross builds using clang, we are out of
luck.
|
|
|
|
interface
|
|
KEY_SELECTIVE_SCREENSHOT, KEY_NOTIFICATION_CENTER keycodes where appropriate
According to kernel commit cd80ec795156346236e9b1cd9f5cbff5a9bbd212
these were added expressly for these thinkpads, hence use them now.
|
|
The keycode is reletively new. Let's fix some "FIXMEs" and actually make
use of the keycode wherever it appears appropriate according to
commentary.
|
|
suggests that
|
|
No idea what the right fix is here, the commnt says "touchpad off" but
uses "f22" which is touchpad "on".
let's trust the comment, because it's more literal, and assume this was
a mistake.
|
|
The CIs apparently have rally old headers, where KEY_BRIGHTNESS_AUTO is
missing, let's hence ship our own copies from a current kernel.
|
|
This reverts commit 0a40325573b91ea71070653865f7f6a9cada2bef.
|
|
|
|
fix pointer constness in documentation
|
|
Bumps [actions/checkout](https://github.com/actions/checkout) from 4.1.7 to 4.2.0.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](https://github.com/actions/checkout/compare/692973e3d937129bcbf40652eb9f2f61becf3332...d632683dd7b4114ad314bca15554477dd762a938)
---
updated-dependencies:
- dependency-name: actions/checkout
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
|
|
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 3.25.15 to 3.26.10.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](https://github.com/github/codeql-action/compare/afb54ba388a7dca6ecae48f608c4ff05ff4cc77a...e2b3eafc8d227b0241d48be5f425d47c2d750a13)
---
updated-dependencies:
- dependency-name: github/codeql-action
dependency-type: direct:production
update-type: version-update:semver-minor
...
Signed-off-by: dependabot[bot] <support@github.com>
|
|
Bumps [meson](https://github.com/mesonbuild/meson) from 1.5.1 to 1.5.2.
- [Release notes](https://github.com/mesonbuild/meson/releases)
- [Commits](https://github.com/mesonbuild/meson/compare/1.5.1...1.5.2)
---
updated-dependencies:
- dependency-name: meson
dependency-type: direct:production
update-type: version-update:semver-patch
...
Signed-off-by: dependabot[bot] <support@github.com>
|
|
On upgrades, only the %postun scriptlets of the old package version
run. This means that any changes related to restarting daemons require
two releases before they're actually used.
%postun is used because it runs after the old package has been removed,
which is important as it means any lingering dropins from the old package
will have been removed as well.
To allow deploying fixes in just a single release while still running after
the old package has been removed, let's introduce %posttrans versions of these
scriptlets as %posttrans of the new package runs on upgrade and install after
the old package has been removed.
|
