morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-15 00:47:10 +09:00
Code Issues Packages Projects Releases Wiki Activity
72,932 Commits 1 Branch 0 Tags
245387721b4ea4ebe9e67bf02497176a72daeb10
Commit Graph

8537 Commits

Author SHA1 Message Date
Mike Yuan
f8598699e7 Merge pull request #32370 from YHNdnzj/vpick-check-early 
shared/vpick: some minor cleanups
 2024-04-20 21:02:37 +08:00
Lennart Poettering
5c81de98fc timedate: handle gracefully if RTC lost time because of power loss 
Apparently some RTC drivers return EINVAL in that case when we try to
read it. Handle that reasonably gracefully.

Fixes: #31854
 2024-04-20 09:15:07 +09:00
Mike Yuan
b6d31deca4 shared/vpick: check deterministic suffix earlier 
Follow-up for 421a4ba7e4
 2024-04-20 07:17:04 +08:00
Mike Yuan
fde8fb7466 shared/vpick: flatten errno check 2024-04-20 07:16:24 +08:00
Mike Yuan
164f3d8f3d shared/vpick: use strdup_to where appropriate 2024-04-20 07:16:00 +08:00
Luca Boccassi
565f6130b2 Merge pull request #32142 from bluca/portable_vpick 
portable: support vpick
 2024-04-19 20:34:16 +02:00
Luca Boccassi
421a4ba7e4 vpick: add pick_filter_image_any filter that matches both dirs and images 2024-04-19 13:25:32 +01:00
Luca Boccassi
5dcd6b1d55 Merge pull request #31978 from nolange/fix_openssl_deprecations 
Fix openssl deprecations
 2024-04-19 11:20:44 +02:00
Yu Watanabe
ff5b9aeeda Merge pull request #32340 from YHNdnzj/wait-for-unit-cleanup 
bus-wait-for-units: some cleanup
 2024-04-19 12:36:48 +09:00
Mike Yuan
61cd6c4db7 bus-wait-for-units: simplify property_map_job_id 2024-04-19 10:08:37 +08:00
Mike Yuan
ac21fafbea bus-wait-for-units: drop 'current' field 
This is not used anywhere.
 2024-04-19 10:08:37 +08:00
Mike Yuan
cc6978d6ae bus-wait-for-units: check for existing unit first, use hashmap_ensure_put 2024-04-19 10:08:36 +08:00
Mike Yuan
df0183d8f1 bus-wait-for-units: make callback type end with "_t" 2024-04-19 10:08:36 +08:00
Mike Yuan
4b8fdb4681 bus-wait-for-units: drop ready_callback 
This is never used, and given that bus_wait_for_units_run
returns BusWaitForUnits.state it's not really useful.
 2024-04-19 10:08:36 +08:00
Yu Watanabe
f72e851fd3 conf-parser: move config_parse_timezone() to conf-parser.[ch] 
Even though it is currently only used by networkd, the parser itself
is quite generic. Let's move it to the shared library.
 2024-04-19 10:23:01 +09:00
Nick Rosbrook
c0bc1e8971 copy: ignore -EOPNOTSUPP from copy_file_range() 
According to copy_file_range (2), errno will be set to EOPNOTSUPP when
the file system does not support copy_file_range(). Since there is
already fallback logic in place here for other kinds of errors, add
-EOPNOTSUPP to the list of ignored errors.
 2024-04-19 09:57:25 +09:00
Lennart Poettering
dd37963aff Merge pull request #31790 from poettering/pcrlock-policy-fix 
Replace PolicyAuthValue by PolicySigned as access policy for pcrlock policy nvindex
 2024-04-18 21:11:27 +02:00
Lennart Poettering
d10d4a3701 tpm2-util: now that we don't use PolicyAuthValue anymore, let's not set an authValue anymore for the policy nvindex 
We have now switched from PolicyAuthValue to PolicySigned to control
access to the policy nvindex to. This means there's no point in setting
an authValue on the nvindex anymore, hence drop this.
 2024-04-18 18:12:23 +02:00
Lennart Poettering
cb835a2ed1 pcrlock: switch access policy for nvindex to store policy in from PolicyAuthValue to PolicySigned (with an HMAC-SHA256 key) 
So far the nvindex to store the pcrlock policy in was protected via a
PolicyAuthValue policy (i.e. with a simple PIN set on the nvindex).
That's a bad idea however, as it means an attacker can simply remove and
re-create the nvindex and the "name" of the nvindex does not change,
thus defeating the logic. (This is because the authValue is *not* part
of the "name" of an nvindex!).

Fix this by switching from PolicyAuthValue to PolicySigned with an
HMAC-SHA256 key. Behaviour is very similar: however, the PIN is now part
of of the access policy hash, which *is* part of the "name" of an
nvindex. Thus, if an attacker removes and recreates the nvindex it has
to provide the same PIN again or the "name" of the nvindex will change.
Mission accomplished.

I'd like to thank Chris Coulson for finding this issue (and helping me
address it). Thank you!
 2024-04-18 18:12:23 +02:00
Lennart Poettering
19d82e1bee tpm2-util: add comment explaining what tpm2_define_policy_nv_index() actually does 2024-04-18 18:12:23 +02:00
Lennart Poettering
371b594414 tpm2-util: load external key into NULL hierarchy if private key is provided 
If we load an external key into the TPM we must do so in the NULL
hierarchy. An external key after all is one that is not wrapped by any
hierarchy's seed.

See TPM2 spec, Part 3, Section 12.3.1
 2024-04-18 18:12:23 +02:00
Lennart Poettering
d0f8da9815 tpm2-util: rename tpm2_get_pin_auth() → tpm2_auth_value_from_pin() 
Just some renaming. I found the old name a bit confusing since it sounds
as if this would get the pin from somewhere, but it really doesn't. It
just converts a PIN into an auth_value, and I think saying so explicitly
makes things easier to grok.
 2024-04-18 18:12:23 +02:00
Lennart Poettering
98ef5f8419 tpm2: export tpm2_get_name() 
We later want to use this from pcrlock.c, hence export it.
 2024-04-18 18:12:23 +02:00
Lennart Poettering
9892b7238b tpm2-util: import two more symbols from tpm2-tss libraries 
We want to make use of TPM_PolicySigned soon, hence import the necessary
symbols from tpm2-tss.
 2024-04-18 18:12:23 +02:00
Matteo Croce
854711645b use FOREACH_ELEMENT 
Use FOREACH_ELEMENT where possible. Generated with this command,
and checked manually:

    git grep -l 'FOREACH_ARRAY.*ELEMENTSOF' | \
    xargs sed -ri 's/FOREACH_ARRAY\((.*), (.*), (ELEMENTSOF.*)\)/FOREACH_ELEMENT(\1, \2)/'
 2024-04-18 17:39:34 +02:00
Norbert Lange
81d61d6aa7 openssl-util: compatible with restricted openssl3 
openssl can be built without support for engines or with deprecated
definitions disabled.
This also will not pull in most headers automatically,
so add the rsa.h and ec.h header explicitly.

Remove Engine stuff from the header - it is only needed in one
source file.

Make Engine support dependent on the macros.
 2024-04-18 09:23:15 +02:00
Yu Watanabe
955d5012e0 blockdev-util: fix typo 
Follow-up for 33ff155957.
 2024-04-18 13:08:14 +09:00
Yu Watanabe
f846002fa2 Merge pull request #32192 from yuwata/part-scan 
blockdev-util: fix detection of partscan
 2024-04-18 11:38:48 +09:00
Yu Watanabe
d2a0ef6073 Merge pull request #32249 from CodethinkLabs/vmspawn/predicatable_tap_names 
vmspawn: generate predicatable TAP device names and MAC addresses
 2024-04-18 10:26:07 +09:00
Yu Watanabe
33ff155957 blockdev-util: also read 'ext_range' sysattr to check if the partscan is enabled 
The 'capability' sysattr was deprecated by
e81cd5a983 (v6.3).
 2024-04-18 09:48:26 +09:00
Lennart Poettering
7e16650d83 Merge pull request #32143 from yuwata/magic 
basic/linux: copy magic.h from kernel to our code
 2024-04-17 17:03:48 +02:00
Bryan Jacobs
12cf745cce cryptenroll: Use CTAP2.1 credProtect extension 
When enrolling a new FIDO2 token with a client PIN, this tells the authenticator to require the PIN on all uses.

It also collects a PIN before attempting to create a credential.

Works around #31443 in most (not all) scenarios.
 2024-04-17 11:46:22 +09:00
Mike Yuan
fecea05e15 shared/vpick: also align function params in header 
Follow-up for 6d8690ecd3
 2024-04-16 10:46:50 +02:00
Yu Watanabe
6c15a28454 creds-util: move pick_up_credentials() from network-generator 
The function is quite general, and can be used at other places.
Let's move to our shared library.
 2024-04-16 09:42:20 +09:00
Mike Yuan
c694419a51 shared/vpick: add missing condition on ret_result 
Fixes #32285
 2024-04-16 01:38:08 +08:00
Mike Yuan
ac68e6d691 shared/vpick: drop unneeded strempty() 
prefix_roota() handles NULL root param gracefully.
 2024-04-16 01:38:08 +08:00
Mike Yuan
6d8690ecd3 shared/vpick: align function args correctly, add missing assertion 2024-04-16 01:38:08 +08:00
Yu Watanabe
e2f0876ecd dissect: refuse to use diskseq if ID_IGNORE_DISKSEQ=1 is specified 
Follow-up for 1a81ddef00.
 2024-04-15 16:50:45 +02:00
Sam Leonard
c50e7dcaf6 nspawn,shared/netif-util: move generate_mac and shorten_ifname to shared/netif-util 2024-04-15 11:42:05 +01:00
Mike Yuan
da130b9ab8 cgroup-setup: modernize cg_migrate 2024-04-14 23:22:13 +08:00
Yu Watanabe
87bbcb26c8 Merge pull request #32255 from YHNdnzj/strextendf 
shared/killall: minor modernization
 2024-04-13 05:10:20 +09:00
Mike Yuan
bbfb9edc66 shared/killall: minor modernization 2024-04-13 02:35:01 +08:00
Antonio Alvarez Feijoo
126928de76 bus-polkit: fix return value for varlink_allow_interactive_authentication() 
Follow-up for d04c1a1c8e
 2024-04-12 13:26:22 +01:00
Yu Watanabe
1ae891037e Merge pull request #32202 from DaanDeMeyer/assert 
tests: Improve assertion error messages
 2024-04-11 09:51:49 +09:00
Luca Boccassi
798ea5c05a Merge pull request #32181 from YHNdnzj/open-file 
Some fixes/improvements for OpenFile=
 2024-04-10 23:15:56 +01:00
Daan De Meyer
681e39c1dc Introduce ASSERT_OK_ERRNO() 
ASSERT_OK() is for functions that return negative errno. Let's
introduce ASSERT_OK_ERRNO() for syscalls that return -1 and store
the error in errno.
 2024-04-10 18:24:26 +02:00
Daan De Meyer
29b27d59d5 tests: Improve assertion error messages 2024-04-10 18:20:23 +02:00
Mike Yuan
c1f9509f79 shared/open-file: use xescape to escape ':' 
Fixes #32179
 2024-04-10 20:16:35 +08:00
Mike Yuan
4eb1feb110 shared/open-file: make open_file_free_many static inline 2024-04-10 20:16:35 +08:00
Antonio Alvarez Feijoo
866a469e5a test: add missing header to test.h 
```
../src/shared/tests.h:361:28: error: implicit declaration of function ‘fork’ [-Werror=implicit-function-declaration]
  361 |                 int _pid = fork();                                                                              \
      |                            ^~~~
../src/test/test-macro.c:1114:9: note: in expansion of macro ‘ASSERT_SIGNAL’
 1114 |         ASSERT_SIGNAL(ASSERT_OK(-1), SIGABRT);
      |         ^~~~~~~~~~~~~
../src/shared/tests.h:369:25: error: implicit declaration of function ‘_exit’ [-Werror=implicit-function-declaration]
  369 |                         _exit(EXIT_SUCCESS);                                                                    \
      |                         ^~~~~
../src/test/test-macro.c:1114:9: note: in expansion of macro ‘ASSERT_SIGNAL’
 1114 |         ASSERT_SIGNAL(ASSERT_OK(-1), SIGABRT);
      |         ^~~~~~~~~~~~~
../src/shared/tests.h:369:25: warning: incompatible implicit declaration of built-in function ‘_exit’ [-Wbuiltin-declaration-mismatch]
  369 |                         _exit(EXIT_SUCCESS);                                                                    \
      |                         ^~~~~
../src/test/test-macro.c:1114:9: note: in expansion of macro ‘ASSERT_SIGNAL’
 1114 |         ASSERT_SIGNAL(ASSERT_OK(-1), SIGABRT);
      |         ^~~~~~~~~~~~~
../src/shared/tests.h:369:25: warning: incompatible implicit declaration of built-in function ‘_exit’ [-Wbuiltin-declaration-mismatch]
  369 |                         _exit(EXIT_SUCCESS);                                                                    \
      |                         ^~~~~
../src/test/test-macro.c:1115:9: note: in expansion of macro ‘ASSERT_SIGNAL’
 1115 |         ASSERT_SIGNAL(ASSERT_OK(-ENOANO), SIGABRT);
      |         ^~~~~~~~~~~~~
../src/test/test-macro.c:1119:21: error: implicit declaration of function ‘getpid’; did you mean ‘getpt’? [-Werror=implicit-function-declaration]
 1119 |         ASSERT_TRUE(getpid());
      |                     ^~~~~~
```

Follow-up for #32189
 2024-04-10 11:09:52 +02:00