Rather than always setting all seals, make `memfd_set_seals()` employ
the original set of seals, that is: SEAL+GROW+SHRINK+WRITE
Historically, the memfd code was used with the out-of-tree memfd
patches, which merely supported a single seal ("SEALED", which
effectively was GROW+SHRINK+WRITE). When the code was adapted to the
upstream memfd seals, it was extended to the full seal set. With more
and more seals being added upstream, this because more problematic. In
particular, it is unclear what the function really is meant to achieve.
Instead of just adding all seals, the function is returned to its
original purpose: seal the memfd so futher modifications to its content
are prevented.
With `F_SEAL_SEAL` a memfd can disable further sealing operations,
effectively sealing the set of seals. Testing for it ensures that no
further seals can be added, it never prevents seals from being dropped,
since seals cannot be dropped, ever.
Now testing for `F_SEAL_SEAL` makes sense if you want to ensure that
some seals are *not* set. That is, you either test for the entire set of
seals to match a local set, or you verify that a specific seal is not
set. Neither is what we are doing, so it feels wrong requiring it to be
set.
By dropping the requirement for `F_SEAL_SEAL`, the same FD can be shared
with other entities while retaining the ability to further restrict the
set of seals later on (e.g., being able to mark a region as executable
later on, and then adding `F_SEAL_EXEC`).
In chaseat() we call dir_fd_is_root() several places, and the final
result depends on it. If the root path specified to `chase()` is not
normalized but points to "/", e.g. "/../", assertions in `chaseat()` or
`chase()` may be triggered.
Previously, in path_is_root_at(), if statx() does not provide mount ID,
path_get_mnt_id_at() was called, but it also calls statx(). Let's avoid
the second trial.
When newer glibc is used, but kernel does not support statx(), then
glibc try to fallback with fstatat(). That's quite similar to our
implementation, but the supported flags are different, and if
unsupported flags are specified, it returns EINVAL.
Let's handle the case more gracefully.
The previous definition was not quite appropriate for the library code
because it relied on the message domain set by textdomain() invocation
which is not necessarily the same message domain defined in
GETTEXT_PACKAGE macro.
The only code that uses _() so far is located in pam_systemd_home.c.
Fixes: 20f56fddcd ("Add gettext support")
This commits adds version_is_valid_versionspec and uses it in
analyze-compare-version.c.
version_is_valid_versionspec differs from version_is_valid in that it acepts
empty strings and since valid characters in a version spec version are all
ASCII letters and digits as well as "-.~^", but ",_+" allowed by
version_is_valid are not.
Also give a more specific warning message on invalid characters.
If getopt_long() is called for a list of arguments and it is freed, then
calling getopt_long() for another list will trigger use-after-free.
The function proc_cmdline_filter_pid1_args() may be called before or during
parsing program arguments (typically named as parse_argv()), hence we cannot
use getopt_long() in proc_cmdline_filter_pid1_args().
Fixes#28366.
When systemd-firstboot (or any other unit which uses the tty) is started,
systemd will reset the terminal. If systemd-vconsole-setup happens to be
running at that time, it'll error out when it tries to use the vconsole fd and
gets an EIO from ioctl.
e019ea738d was the first fix. It added an
implicit ordering between units using the tty and systemd-vconsole-setup.
(The commit title is wrong. The approach was generalized, but the commit title
wasn't updated.)
Then cea32691c3 was added to restart
systemd-vconsole-setup.service from systemd-firstboot.service. This was OK,
with the ordering in place, systemd-vconsole-setup.service would wait until
systemd-firstboot.service exited. But this wasn't enough, because we want the
key mappings to be loaded immediately after systemd-firstboot writes the
config. 8eb668b9ab implemented that, but actually
reintroduced the original issue. I had to drop the ordering between the two
units because otherwise we'd deadlock, waiting from firstboot for
vconsole-setup which wouldn't start while firstboot was running.
Restarting vconsole-setup.service from systemd-firstboot.service works just
fine, but when vconsole-setup.service is started earlier, it may be interrupted
by systemd-firstboot.service.
To resolve the issue, let's take a lock around the tty device. The reset is
performed after fork, so the (short) delay should not matter too much.
In xopenat_lock() the assert on <path> is dropped so that we can call
xopenat(fd, NULL) to get a copy of the original fd.
Fixes#26908.
We currently concatenate ANSI_UNDERLINE to the color of our choice
in DEFINE_ANSI_FUNC_UNDERLINE() and DEFINE_ANSI_FUNC_UNDERLINE_256().
The first thing that ANSI_UNDERLINE does is reset all previous ansi
escape sequences, so you just get underlining without any colors.
Let's fix the issue by actually concatenating _UNDERLINE to the given
color macro name so this works properly.
Also add missing color macros that this uncovered.
