morgan/systemd
1
0
Fork 0
mirror of https://github.com/morgan9e/systemd synced 2026-04-14 08:25:20 +09:00
Code Issues Packages Projects Releases Wiki Activity
80,373 Commits 1 Branch 0 Tags
0bdd5ccc8145af8dae9779751d3e7a34c4fa6aa5
Go to file
Clone
Open with VS Code Open with VSCodium Open with Intellij IDEA
Download ZIP Download TAR.GZ Download BUNDLE
Lennart Poettering 0bdd5ccc81 validatefs: add new tool that enforces mount constraints 
This new tool looks for a three xattr on the root inode of a file system
that encode mount constraints of the file system. The tool is supposed
to be hooke into the mount logic and is supposed to protect against
misappropriating trusted file systems in unintended ways.

Consider the following scenario: we boot up on first boot and create a
tpm-locked pair of /var/ and /srv/ partitions via systemd-repart. An
attacker then offline modifies the partition table, exchanging the
metadata of the /var/ and /srv/ partition. So far we'd happily accept
that, honour the modified metadata and boot up. This could be used to
revert changes to /var/ or similar. And all that even though both
partitions are encrypted and locked to TPM!

With this new mechanism we can encode in the protected contents of the
file systems the ways it can be used: the partition type uuid, the
partition label and the intended mount point can be stored in xattrs,
and we can check them automatically on mount, and take action on
mismatch. (action would typically be immediate reboot).
2025-03-31 15:14:13 +02:00
.clusterfuzzlite
.github
meson: add feature flag for nspawn build (#36876)
2025-03-28 13:55:19 +00:00
.obs
obs: trigger systemd-suse instead of systemd-fedora
2025-02-18 23:10:00 +00:00
.semaphore
semaphore-runner: disable cgroup setup in lxc
2025-03-16 15:30:38 +01:00
catalog
tpm2-clear: optionally reset TPM during a factory reset
2025-03-05 12:37:51 +01:00
coccinelle
coccinelle: add .gitignore for cache files
2025-01-19 08:27:47 +09:00
docs
mkosi: Use build image prepare scripts for tools tree as well
2025-03-28 12:29:09 +01:00
factory
pam_systemd_home: tweak order in authentication stack
2025-02-26 18:12:08 +01:00
hwdb.d
meson: Drop project_source_root and project_build_root variables
2025-03-26 14:45:34 +01:00
LICENSES
boot: Add HWID calculation from SMBIOS strings and matching against a built-in list
2024-11-05 22:29:58 +03:00
man
validatefs: add new tool that enforces mount constraints
2025-03-31 15:14:13 +02:00
mime
mime: add mimetype for luks home dir
2025-03-07 17:27:20 +01:00
mkosi.conf.d
mkosi: Use build image prepare scripts for tools tree as well
2025-03-28 12:29:09 +01:00
mkosi.coverage
mkosi: Make sure the /coverage directory exists
2024-12-05 22:03:07 +01:00
mkosi.credentials
mkosi: Create testuser at runtime
2025-03-18 22:46:10 +01:00
mkosi.extra
mkosi: Create testuser at runtime
2025-03-18 22:46:10 +01:00
mkosi.extra.common
mkosi: Disable various extra things in the default preset
2025-03-28 09:49:17 +01:00
mkosi.images
mkosi: Use build image prepare scripts for tools tree as well
2025-03-28 12:29:09 +01:00
mkosi.repart
mkosi: switch rootfs to ext4
2025-01-22 22:50:52 +00:00
mkosi.sanitizers
mkosi: Add unix_chkpwd to sanitizer wrapped binaries
2025-03-18 22:46:10 +01:00
mkosi.uki-profiles
Rework TEST-86-MULTI-PROFILE-UKI
2024-10-21 17:24:14 +02:00
modprobe.d
modprobe: set 'ifb numifbs=0' to avoid autocreating ifb0
2024-01-12 23:24:54 +00:00
network
network: also manage namespace tap links
2025-03-17 16:03:18 +01:00
po
po: Translated using Weblate (Spanish)
2025-03-21 13:41:56 +00:00
presets
tpm2-clear: optionally reset TPM during a factory reset
2025-03-05 12:37:51 +01:00
profile.d
meson: use install_symlink() where applicable
2025-03-10 02:41:40 +09:00
rules.d
rules: tag /dev/tpm0 with "systemd" too
2025-03-07 16:09:32 +01:00
shell-completion
meson: add feature flag for nspawn build
2025-03-28 10:34:02 +00:00
src
validatefs: add new tool that enforces mount constraints
2025-03-31 15:14:13 +02:00
sysctl.d
sysctl.d: Fix pid_max comment
2023-10-31 13:07:49 +01:00
sysusers.d
udev: set clock group for PTP and RTC devices
2025-01-16 21:12:47 +01:00
test
test: skip networkd tests if networkd/resolved are disabled at build time
2025-03-30 10:18:18 +02:00
tmpfiles.d
profile: generate shell + command OSC events
2025-02-27 15:13:15 +01:00
tools
mkosi: Use build image prepare scripts for tools tree as well
2025-03-28 12:29:09 +01:00
units
validatefs: add new tool that enforces mount constraints
2025-03-31 15:14:13 +02:00
xorg
.clang-format
Improve the formatting by adding AlignArrayOfStructures and setting it to Right(right justify)
2024-03-06 15:24:23 +01:00
.ctags
.dir-locals.el
.editorconfig
.gitattributes
.gitignore
mkosi: Add back .mkosi-private/ to .gitignore
2025-03-26 14:40:14 +01:00
.mailmap
mailmap: fix entries for Tobias Klauser
2024-12-11 13:55:07 +00:00
.packit.yml
mkosi: Use build image prepare scripts for tools tree as well
2025-03-28 12:29:09 +01:00
.pylintrc
.vimrc
.ycm_extra_conf.py
LICENSE.GPL2
LICENSE.LGPL2.1
meson_options.txt
meson: add feature flag for nspawn build
2025-03-28 10:34:02 +00:00
meson.build
validatefs: add new tool that enforces mount constraints
2025-03-31 15:14:13 +02:00
meson.version
meson: update version to 258~devel
2024-12-10 19:30:06 +00:00
mkosi.clangd
mkosi: Switch to --rerun-build-scripts in mkosi.clangd
2025-03-07 16:09:03 +01:00
mkosi.clean
mkosi: Add missing SPDX line
2024-09-22 15:23:08 +02:00
mkosi.conf
mkosi: Use build image prepare scripts for tools tree as well
2025-03-28 12:29:09 +01:00
mkosi.finalize
mkosi: Mark /etc /var as updated in a finalize script
2025-03-28 09:49:17 +01:00
mkosi.functions
mkosi: Move copying packages to the output directory to the postinst script
2024-10-29 11:28:47 +01:00
mkosi.postinst.chroot
test: Make it possible to run the integration tests standalone
2025-03-27 21:37:13 +01:00
mkosi.sync
mkosi: Use build image prepare scripts for tools tree as well
2025-03-28 12:29:09 +01:00
mypy.ini
Move mypy.ini and ruff.toml to top level
2024-11-24 16:47:20 +01:00
NEWS
meson: drop split-usr, rootlibdir, and rootprefix from meson_options.txt
2025-03-12 15:21:57 +01:00
README
README: note min kernerl version for SO_BINDTOIFINDEX
2025-03-31 14:06:57 +01:00
README.md
README: fix broken link in OBS badge
2025-02-15 01:32:51 +00:00
ruff.toml
Move mypy.ini and ruff.toml to top level
2024-11-24 16:47:20 +01:00
TODO
Update TODO
2025-03-18 22:46:10 +01:00

README.md

Systemd

System and Service Manager

OBS Packages Status
Semaphore CI 2.0 Build Status
Coverity Scan Status
OSS-Fuzz Status
CIFuzz
CII Best Practices
Fossies codespell report
Weblate
Coverage Status
Packaging status
OpenSSF Scorecard

Details

Most documentation is available on systemd's web site.

Assorted, older, general information about systemd can be found in the systemd Wiki.

Information about build requirements is provided in the README file.

Consult our NEWS file for information about what's new in the most recent systemd versions.

Please see the Code Map for information about this repository's layout and content.

Please see the Hacking guide for information on how to hack on systemd and test your modifications.

Please see our Contribution Guidelines for more information about filing GitHub Issues and posting GitHub Pull Requests.

When preparing patches for systemd, please follow our Coding Style Guidelines.

If you are looking for support, please contact our mailing list, join our IRC channel #systemd on libera.chat or Matrix channel

Stable branches with backported patches are available in the stable repo.

We have a security bug bounty program sponsored by the Sovereign Tech Fund hosted on YesWeHack

Repositories with distribution packages built from git main are available on OBS

Reference in New Issue View Git Blame Copy Permalink
Description
No description provided
Readme 321 MiB
Languages
C 89%
Python 5.1%
Shell 4.5%
Meson 1.2%