Let's operate on fds rather than paths. Make some tweaks to the logic on
top:
1. Mark the resulting dir as read-only after we are done.
2. Use the new inode_type_to_string() calls to determine the inode
names.
3. If an inode already exists, try to adjust the access mode, just in
case.
4. Use FOREACH_ARRAY()
This patch adds a new parameter to parse_ip_port_range, giving callers
the option to allow ranges to have their min be 0 instead of 1.
This is then used by parse_ip_ports_token, intern used by
parse_socket_bind_item to allow port 0 when restricting bind system
calls with SocketBindDeny / SocketBindAllow.
With this, users running server software written using the golang
standard library will be able to effectively sandbox their software,
albeit with a small loss in security protections by allowing the
process to bind on a random port in the
/proc/sys/net/ipv4/ip_local_port_range.
If we want to allow method replies to be extended without this breaking
compat, then we should set this flag. Do so at various method call
replies hence.
Also do it when parsing user/group records, which are expressly
documented to be extensible, as well as the hibernate JSON record.
This is a subset of JSON_PERMISSIVE focussed on allowing parsing of
varlink replies that get extended, i.e. gain new fields, without
allowing more than that (i.e. without allowing missing fields, or bad
field types or such).
cryptenroll accepts only PKCS#11 URIs that match both a certificate and a private key in a token.
This patch allows users to provide a PKCS#11 URI that points to a certificate only, and makes possible to use output of some PKCS#11 tools directly.
Internally the patch changes 'type=cert' in the provided PKCS#11 URI to 'type=private' before storing in a LUKS2 header.
Fixes: #23479
This is what it is after all: encryption with a NULL key. This is more
descriptive, but also relevant since we want to use this kind of
credentials in a different context soon: for carrying pcrlock data into
a UKI. In that case we don#t want encryption, since the pcrlock data is
intended to help unlocking secrets, hence should not be a secret itself.
This only changes the code labels and the way this is labelled in the
output. We retain compat with the old name.
The same check is done exactly one line later, because this is one of
the things that json_variant_is_regular() checks.
As per: fa9a6db478 (r1441792019)
All the keys are high-entropy keys that cannot be practically
bruteforced and thus don't require protection from dictionary attacks.
With the exception of PINs, of course, which are low-entropy and user
provided.
Note that a new enrollment is required for unlocking while in DA
lockdown to function. Existing enrollments are subject to DA lockout.
Fixes: #30330
This adds a new concept for handling paths. At appropriate places, if a
path such as /foo/bar/baz.v/ is specified, we'll
automatically enumerate all entries in /foo/bar/baz.v/baz* and then
do a version sort and pick the newest file.
A slightly more complex syntax is available, too:
/foo/bar/baz.v/quux___waldo
if that's used, then we'll look for all files matching
/foo/bar/baz.v/quux*waldo, and split out the middle, and version sort
it, and pick the nwest.
The ___ wildcard indicates both a version string, and if needed an
architecture ID, in case per-arch entries shall be supported.
This is a very simple way to maintain versioned resources in a dir, and
make systemd's components automatically pick the newest. Example:
/srv/myimages.v/foobar_1.32.65_x86-64.raw
/srv/myimages.v/foobar_1.33.45_x86-64.raw
/srv/myimages.v/foobar_1.31.5_x86-64.raw
/srv/myimages.v/foobar_1.31.5_arm64.raw
If now nspawn is invoked like this:
systemd-nspawn --image=/srv/myimages.v/foobar___.raw
Then it will automatically pick
/srv/myimages.v/foobar_1.33.45_x86-64.raw as the version to boot on
x86-64, and /srv/myimages.v/foobar_1.31.5_arm64.raw on arm64.
This commit only adds the basic implementation for picking files from a
dir, but no hook-up anywhere.
If a TPM doesn't do ECC it could either return zero curves when asked
for it, or it could simply fail with TPM2_RC_VALUES because it doesn't
recognize the capability at all.
Handle both cases the same way.
Fixes: #30679
Users become perplexed when they run their workload in a unit with no
explicit limits configured (moreover, listing the limit property would
even show it's infinity) but they experience unexpected resource
limitation.
The memory and pid limits come as the most visible, therefore add new
unit read-only properties:
- EffectiveMemoryMax=,
- EffectiveMemoryHigh=,
- EffectiveTasksMax=.
These properties represent the most stringent limit systemd is aware of
for the given unit -- and that is typically(*) the effective value.
Implement the properties by simply traversing all parents in the
leaf-slice tree and picking the minimum value. Note that effective
limits are thus defined even for units that don't enable explicit
accounting (because of the hierarchy).
(*) The evasive case is when systemd runs in a cgroupns and cannot
reason about outer setup. Complete solution would need kernel support.
This is important now that creds are sent via varlink
systemd-creds[463]: varlink-3: Sending message: {"parameters":{"data":"Zm9vYmFyCg=="}}
systemd-creds[462]: varlink-3: New incoming message: {"method":"io.systemd.Credentials.Encrypt","parameters":{"data":"Zm9vYmFyCg=="}}
This extends our current polkit logic, so that we can in a very similar
fashion as we already can authenticate dbus peers authenticate varlink
connection peers.
polkit natively speaks dbus and can authentication dbus peers. To get
the same level of support for varlink we'll use authentication by
pidfd+uid. This requires polkit v124, and if that's not available it
will fallback to authorizing root only as before.
Co-authored-by: Luca Boccassi <bluca@debian.org>
When we want to do Polkit authentication we want to temporarily pause
handling of a method call until we have the Polkit reply, and then start
again. Let's add some glue to make that easy. This adds two helpers:
varlink_dispatch_again() allows to ask for redispatching of the
currently queued incoming message. Usecase is this: if we don't process
a methd right away, we can come back later, and ask it to be processed
again with this function, in which case our handlers will be called a
2nd time, exactly like on the first time.
varlink_get_current_message() provides access to the currently processed
method call.
With this the polkit logic can look into the current message, do its
thing, and then restart the method handling.
We simply don't carry any userspace support for TPM1.2 in our tree, and
we shouldn't given it's too weak by today's standards. Hence, if we
check if we are booted in UKI measured boot mode, don't just check if we
are booted in EFI, but also check that we have a TPM2 chip (as opposed
to none or only a TPM1.2 chip).
This is an alternative to #30652 but more comprehensive (and simpler),
since it covers all invocations of efi_measured_uki().
Fixes: #30650
Replaces: #30652
