Commit Graph

5691 Commits

Author SHA1 Message Date
Yu Watanabe
9fff6bf59e nspawn: create /dev/net/tun only when it is accessible
Follow-up for 985ea98e7f.

When DevicePolicy= is enabled, but DeviceAllow= for /dev/net/tun is not
specified, bind-mounting the device node from the host system is
meaningless, as it cannot be used in the container anyway.

Let's check the device node is accessible before creating or
bind-mounting.
2025-02-18 23:24:20 +09:00
Luca Boccassi
21d36ef770 mkosi: Fix mkosi.clangd (#36387)
- Add missing '--' delimiter
- Use the new BuildSubdirectory JSON field to figure out the build
  subdirectory.
- Remove the /usr/include path mapping for now. This means we can't
  jump into system headers anymore if they don't exist on the host,
  we can find a way to add this back later if it turns out to be
  crucial.
2025-02-14 20:02:45 +00:00
Daan De Meyer
487ec6aa3f mkosi: Update to latest 2025-02-14 17:13:08 +01:00
Yu Watanabe
03d8b9dfab TEST-75-RESOLVED: skip a testcase when running on sanitizer 2025-02-14 11:54:56 +00:00
Yu Watanabe
2c9d6986d8 TEST-75-RESOLVED: keep IPv6 stack enabled
To make issue #36351 easily reproducible.
2025-02-14 11:54:56 +00:00
Yu Watanabe
39da9b894f TEST-75-RESOLVED: assume knot 3.0 or newer is installed
And make the test fail if knot is installed but older than 3.0.
2025-02-14 11:54:56 +00:00
Muhammad Nuzaihan Bin Kamal Luddin
e644b332d0 resolve: clear previous assignments of RefuseRecordTypes= on reload
Follow-up for 81ae2237c1.
2025-02-14 11:54:56 +00:00
Yu Watanabe
4053af87bb core/mount: rework GracefulOptions= as x-systemd.graceful-option= (#36356)
Prompted by #36337
2025-02-14 13:01:14 +09:00
Daan De Meyer
ebcd568aa3 mkosi: Update to latest 2025-02-14 02:05:03 +00:00
Daan De Meyer
1e6514d6d0 fmf: Don't fail if we can't modify sysctl values
If the script is running unprivileged we might not be able to modify
these so let's skip in that case.
2025-02-13 20:35:56 +00:00
Daan De Meyer
b000e16798 ptyfwd: Forward various signals to forked process
We want systemd-pty-forward to be something that can be dropped in
somewhere without too much thought. To enable this, let's make sure
we forward various signals to the forked process. This makes sure that
any signals are delivered to the actual child process regardless of whether
it's running within systemd-pty-forward or not.
2025-02-13 10:21:00 +01:00
Daan De Meyer
b429f82eaf mkosi: Update to latest
In https://github.com/systemd/mkosi/pull/3497, mkosi has started parsing
options passed after the verb as regular mkosi options instead of options
for the invoked command. We adapt to this change by adding '--' as a delimiter
everywhere where required.
2025-02-12 21:39:27 +01:00
Mike Yuan
0d76f1c423 core/mount: rework GracefulOptions= to be just x-systemd.graceful-option=
09fbff57fc introduced a new knob
for such functionality. However, that seems unnecessary.

The mount option string is ubiquitous in that all of fstab,
kernel cmdline, credentials, systemd-mount, ... speak it.
And we already have x-systemd.device-bound= that's parsed
by pid1 instead of fstab-generator. It feels hence more natural
for graceful options to be an extension of that, rather than
its own property.

There's also one nice side effect that the setting itself
is now more graceful for systemd versions not supporting
such feature.
2025-02-12 18:16:44 +01:00
Muhammad Nuzaihan Bin Kamal Luddin
81ae2237c1 resolve: add an option to explicitly disable query AAAA, SRV, MX, etc... (#34165)
Based on this patch I had submitted to RedHat
(https://issues.redhat.com/browse/RHEL-56280), I am submitting this
patch to upstream systemd.

There is no way to explicitly enable/disable IPv6 AAAA queries.

The problem was that I am using RHEL9 and some applications do not use a
newer glibc that supports the `no-aaaa` option in `/etc/resolv.conf`. So
some applications will still resolve IPv6 AAAA even with the `no-aaaa`
option, and it is inconsistent across the system where some work and some
don't.

So this systemd-resolved patch catches all queries and disables IPv6 AAAA
queries for all applications in the OS by having an option
`RefuseRecordTypes=AAAA` to disable IPv6 AAAA queries.

Although https://github.com/systemd/systemd/pull/28136 tries to fix this
automatically, it still does not work with
`net.ipv6.conf.all.disable_ipv6 = 1`. I also tried explicitly
removing the conditional and force-setting `family = AF_INET`, and it still
resolves AAAA records.

The issue is that I want to explicitly disable IPv6 AAAA queries instead
of having systemd-resolved figure out itself which address family it is
using, which always has problems.
2025-02-11 18:29:39 +09:00
Yu Watanabe
869b0dfe6e core: remove path to transient unit file from unit name maps on stop (#36186)
Fixes #35190.
2025-02-10 00:48:01 +09:00
Yu Watanabe
52e9bc2deb journal-remote,journal-upload: added compression support (#34822) 2025-02-09 13:33:33 +09:00
Yu Watanabe
ed8063d143 udevadm-test: show result in json format (#36284)
This adds the `--json=MODE` command line option to `udevadm test`.
This may be useful for parsing e.g. network interface name or device
node symlinks.

Closes #23661.
2025-02-08 15:50:04 +09:00
Luca Boccassi
382e8a03ca network: allow to configure routing policy rule even if requesting interface is not activated yet (#36257)
Fixes a regression caused by 4f8b153d90
(v257).
Fixes #36244.
2025-02-07 22:56:36 +00:00
Yu Watanabe
ac722389a7 udevadm-test: allow to dump result in json format
This adds the --json=MODE option for the 'udevadm test' command.
When specified, all messages, except for the final result, will be
written to stderr, and the final result is shown in JSON format to
stdout. It may be useful for parsing the test result.
2025-02-08 01:39:35 +09:00
Andrii Chubatiuk
cfaf78001c journal-remote: added compression, compression-level and content-encoding negotiation 2025-02-07 07:05:02 +02:00
Lennart Poettering
8954a2a833 test: add some basic area tests 2025-02-06 09:23:49 +01:00
Yu Watanabe
570cd55783 udevadm: several cleanups for command line option parsers (#36241) 2025-02-06 09:39:03 +09:00
Luca Boccassi
2ee81b556f network/route: improve Gateway=_dhcp4 handling (#36183)
- Also configures route to the gateway and prefix route in the specified
table, if necessary.
- Also set preferred source address of the route.

Closes #36168.
2025-02-05 12:19:01 +00:00
Daan De Meyer
ea086b0877 network/routing-policy-rule: fix compare function (#36268)
Fixes a regression caused by fc58350aa4
(v257).
Fixes #35874.
2025-02-05 09:50:59 +01:00
Yu Watanabe
052ab05caf Two test readme improvements (#36265) 2025-02-05 10:08:00 +09:00
Yu Watanabe
a10172b035 test-network: add test case for issue #35874 2025-02-05 09:40:31 +09:00
Daan De Meyer
f017a55213 test: Move external packages section down and reword a little
This is advanced level stuff that regular contributors don't care
about in the slightest, so move it further down. Also reword the
section a little while we're at it.
2025-02-04 20:46:11 +01:00
Daan De Meyer
728a88e549 test: Move NO_BUILD instructions to a separate section
This isn't relevant for regular development, so let's move it to a
separate section.
2025-02-04 20:24:17 +01:00
Daan De Meyer
284a56ff60 test: Drop -Dremote=enabled instructions from readme
The test commands now use mkosi sandbox which always makes sure the
required dependencies for systemd-journal-remote are enabled so no
need to reconfigure meson explicitly anymore.
2025-02-04 20:21:36 +01:00
Ivan Kruglov
ea9b72ad35 machine: tests for io.systemd.MachineImage.CleanPool 2025-02-04 03:03:00 -08:00
Yu Watanabe
f7ae28fcec test-network: add test case for requesting routing policy rules by multiple interfaces
For issue #36244.
2025-02-04 12:28:59 +09:00
Yu Watanabe
295741c0d1 udevadm-verify: document '--resolve-names=late' and accept 'never' as is
When '--resolve-names=late', systemd-udevd resolves user/group names
during each event being processed, and does not verify names on parse.
When '--resolve-names=never', systemd-udevd refuses any user/group names
on parse. Hence, the parser of udev rules behaves differently. Let's not
convert 'never' -> 'late' silently, and use the specified option as is.

This also updates man page and shell completion for --resolve-names
option.
2025-02-02 15:55:01 +09:00
Lennart Poettering
4b840414be cryptenroll/repart/creds: no longer default to binding against literal PCR 7
PCR 7 covers the SecureBoot policy, in particular "dbx", i.e. the
denylist of bad actors. That list is pretty much as frequently updated
as firmware these days (as fwupd took over automatic updating). This
means literal PCR 7 policies are problematic: they likely break soon,
and are as brittle as any other literal PCR policies.

Hence, pick safer defaults, i.e. exclude PCR 7 from the default mask.
This means the mask is now empty.

Generally, people should really switch to signed PCR policies covering
PCR 11, in combination with systemd-pcrlock for the other PCRs.
2025-01-30 10:32:26 +01:00
Yu Watanabe
448e99251a TEST-07-PID1: add reproducer for issue #35190 2025-01-29 04:58:24 +09:00
Yu Watanabe
d90c01d02c network: bridge: add support for configuring locked ports (#36150)
"Recently" (as of 5.18) the Linux kernel gained the ability of locking
bridge ports to restrict network access to authenticated hosts only.

This is implemented by disabling automated learning and dropping
incoming traffic from unknown hosts. User space is then expected to add
fdb entries for authenticated hosts. Once an fdb entry exists, traffic for
that host will be forwarded as expected.

This was later extended with "Mac Authentication Bypass", where the
locking was extended to fdb entries. In this mode the kernel adds fdb
entries again automatically, but they are locked by default.

To properly configure this, add two network options and one netdev
option:

* `LinkLocalLearning=` to prevent the kernel from creating unlocked
entries based on link-local traffic, which would bypass any
authentication. Needed when enabling learning on a locked port.
* `Locked=` to allow setting a bridge port to locked.
* `MACAuthenticationBypass=` to allow enabling Mac Authentication
 Bypass on a port. Requires learning to be enabled on the port as well
 (and consequently `LinkLocalLearning` disabled on the bridge).

An authenticator (e.g. hostapd) is still needed to do the actual
authentication, the kernel only provides the access control.
2025-01-29 04:16:20 +09:00
Nick Rosbrook
d6608da1e6 networkd-test: add basic tests for systemd-networkd-wait-online --dns 2025-01-28 08:49:49 -05:00
Nick Rosbrook
5ee20919a2 test: add test for resolved SubscribeDNSConfiguration API 2025-01-28 08:49:49 -05:00
Nick Rosbrook
266cfdfc77 test: cleanup after testcase_12_resolvectl2 2025-01-28 08:49:49 -05:00
Jonas Gorski
08a26ecc47 network: bridge: add support for IFLA_BRPORT_MAB
Since linux commit a35ec8e38cdd1766f29924ca391a01de20163931 ("bridge:
Add MAC Authentication Bypass (MAB) support"), included since v6.2, it
is possible to enable MAC Authentication Bypass for bridge ports. In
this mode the locked port learns again, but the learned fdb entries are
locked, allowing user space to unlock hosts based on seen MAC addresses.

This requires learning to be enabled on the port, and link-local
learning disabled for the bridge.

Add support to systemd-network for setting the new attribute for bridge
ports.
2025-01-28 12:22:26 +01:00
Jonas Gorski
a434de6056 network: bridge: add support for IFLA_BRPORT_LOCKED
Since linux commit a21d9a670d81103db7f788de1a4a4a6e4b891a0b ("net:
bridge: Add support for bridge port in locked mode"), included since
v5.18, it is possible to set bridge ports to locked.

Locked ports do not learn automatically, and discard any traffic from
unknown source MACs. To allow traffic, the userspace authenticator is
expected to create fdb entries for authenticated hosts.

Add support to systemd-network for setting the new attribute for bridge
ports.
2025-01-28 10:38:01 +01:00
Jonas Gorski
d7de242ce7 network: bridge: add support for NO_LL_LEARN
When using locked ports on a bridge link-local learning needs to be
disabled to prevent the kernel from learning and automatically unlocking
hosts based on link-local traffic.

So add support for enabling NO_LL_LEARN for bridges.
2025-01-28 10:38:01 +01:00
Yu Watanabe
2ea15435fd test-network: add test case for Gateway=_dhcp4 with Table= 2025-01-27 08:39:09 +09:00
Yu Watanabe
ba0266b376 network: fix offset of preference in backward compat option
Fixes a bug introduced by a10d6e0124.

Fixes oss-fuzz#391916479 (https://issues.oss-fuzz.com/issues/391916479).
Fixes #36172.
2025-01-26 11:09:04 +09:00
Lennart Poettering
d6b008b01e Enforce per-user quota on /tmp/ and /dev/shm/ as user logs in (#36010)
There's finally quota on tmpfs, hence let's use it to make it harder for
users to DoS the system by consuming all disk space in /tmp/ and
/dev/shm/.

This enforces a default limit of 80% quota of the backing fs for these
two dirs for users, but this can be overridden in the user record, if
desired.

This also adds two other interesting features:

1. mount units gain GracefulOptions= which takes optional mount options
that are added only if supported by the kernel. (this is used to enable
usrquota on /tmp/, if available.)
2. The PAM logic in service management now supports reading passwords
from service credentials and via the askpw logic. This is used to make
testing easy (so that we can run0 into a homed user which strictly
requires a password).
2025-01-24 12:52:27 +01:00
Luca Boccassi
3f9539a97f test: split VM-only subtests from TEST-74-AUX-UTILS to new VM-only test
TEST-74-AUX-UTILS covers many subtests, as it's a catch-all job, and a few
need a VM to run. The job is thus marked VM-only. But that means in settings
where we can't run VM tests (no KVM available), the entire thing is skipped,
losing tons of coverage that doesn't need skipping.

Move the VM-only subtests to TEST-87-AUX-UTILS-VM that is configured to only
run in VMs under both runners. This way we keep the existing tests as-is, and
we can add new VM-only tests without worrying. This is how the rest of the
tests are organized.

Follow-up for f4faac2073
2025-01-24 08:37:51 +01:00
Lennart Poettering
d58d449fc6 test: add test case for tmpfs quota logic + PAMName= ask-password logic 2025-01-23 22:36:39 +01:00
Lennart Poettering
db5c4a4503 test: test comprehensive tests for new (and old) nspawn userns modes 2025-01-23 21:48:02 +01:00
Yu Watanabe
02ec3dd4ef test: add test cases for OWNER=/GROUP= with non-system user/group 2025-01-24 02:33:18 +09:00
Yu Watanabe
7f2175eabb udevadm: introduce cat command
This introduces the 'udevadm cat' command, which shows udev rules files or
udev.conf, which may be useful for debugging.

Closes #35818.
2025-01-23 22:23:45 +09:00
Yu Watanabe
7cb4508c5a udevadm-verify: chase specified paths
Also, when a filename is specified, search for the udev rules file in the
udev/rules.d directories.

This also refuses non-existing files, and files that are neither a regular
file nor a directory, e.g. /dev/null.
2025-01-23 22:23:45 +09:00