- tags: ['^\S*-rc\d+$']
feedback:
frozen-state: |
- An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.
+ > [!IMPORTANT]
+ > An -rc1 tag has been created and a release is being prepared, so please note that PRs introducing new features and APIs will be held back until the new version has been released.
unfreeze-state: |
- We had successfully released a new major release. We are no longer in a development freeze phase.
- We will try our best to get back to your PR as soon as possible. Thank you for your patience.
+ > [!NOTE]
+ > We had successfully released a new major release. We are no longer in a development freeze phase.
+ > We will try our best to get back to your PR as soon as possible. Thank you for your patience.
a private VLAN variant of the proxy ARP supported by the kernel
under the name IPv4ProxyARPPrivateVLAN=.
+ * TPM 1.2 PCR measurement support has been removed from
+ systemd-stub. TPM 1.2 is obsolete and — due to the (by today's
+ standards) weak cryptographic algorithms it only supports — does not
+ actually provide the security benefits it's supposed to
+ provide. Given that the rest of systemd's codebase never supported
+ TPM 1.2 the support has now been removed from systemd-stub as well.
+
CHANGES WITH 255:
Announcements of Future Feature Removals and Incompatible Changes:
CONFIG_SECCOMP_FILTER (required for seccomp support)
CONFIG_KCMP (for the kcmp() syscall, used to be under
CONFIG_CHECKPOINT_RESTORE before ~5.12)
+ CONFIG_NET_SCHED
+ CONFIG_NET_SCH_FQ_CODEL
Required for CPUShares= in resource control unit settings:
CONFIG_CGROUP_SCHED
* Once baseline is 4.13, remove support for INTERFACE_OLD= checks in "udevadm
trigger"'s waiting logic, since we can then rely on uuid-tagged uevents
-* remove remaining tpm1.2 support from sd-stub
-
Features:
* vmspawn: to speed up boot let's disable all PCR banks in swtpm except for
SOURCE_DATE_EPOCH (maybe even under that name?). Would then be used to
initialize the timestamp logic of ConditionNeedsUpdate=.
+* ptyfwd: look for window title ANSI sequences and insert colored dot in front
+ of it while passing it through, to indicate whether we are in privileged, VM,
+ container terminal sessions.
+
+* nspawn/vmspawn/pid1: add ability to easily insert fully booted VMs/FOSC into
+ shell pipelines, i.e. add easy to use switch that turns off console status
+ output, and generates the right credentials for systemd-run-generator so that
+ a program is invoked, and its output captured, with correct EOF handling and
+ exit code propagation
+
* new systemd-analyze "join" verb or so, for debugging services. Would be
nsenter on steroids, i.e invoke a shell or command line in an environment as
close as we can make it for the MainPID of a service. Should be built around
* systemd-tpm2-setup should probably have a factory reset logic, i.e. when some
kernel command line option is set we reset the TPM (equivalent of tpm2_clear
- -c owner?).
+ -c owner? or rather echo 5 >/sys/class/tpm/tpm0/ppi/request?).
* systemd-tpm2-setup should support a mode where we refuse booting if the SRK
changed. (Must be opt-in, to not break systems which are supposed to be
<xi:include href="version-info.xml" xpointer="v248"/></listitem>
</varlistentry>
+ <varlistentry>
+ <term><varname>IPv4Forwarding=</varname></term>
+ <listitem>
+ <para>Configures IPv4 packet forwarding for the system. Takes a boolean value. This controls the
+ <filename>net.ipv4.conf.default.forwarding</filename> and
+ <filename>net.ipv4.conf.all.forwarding</filename>sysctl options. See
+ <ulink url="https://docs.kernel.org/networking/ip-sysctl.html">IP Sysctl</ulink>
+ for more details about the sysctl options. Defaults to unset and the sysctl options will not be
+ changed.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
+
+ <varlistentry>
+ <term><varname>IPv6Forwarding=</varname></term>
+ <listitem>
+ <para>Configures IPv6 packet forwarding for the system. Takes a boolean value. This controls the
+ <filename>net.ipv6.conf.default.forwarding</filename> and
+ <filename>net.ipv6.conf.all.forwarding</filename> sysctl options. See
+ <ulink url="https://docs.kernel.org/networking/ip-sysctl.html">IP Sysctl</ulink>
+ for more details about the sysctl options. Defaults to unset and the sysctl options will not be
+ changed.</para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
+
<varlistentry>
<term><varname>IPv6PrivacyExtensions=</varname></term>
<listitem>
<citerefentry><refentrytitle>systemd-ssh-proxy</refentrytitle><manvolnum>1</manvolnum></citerefentry> for
details on how to connect to these sockets via the <command>ssh</command> client.</para>
+ <para>The <varname>ssh.authorized_keys.root</varname> credential can be used to allow specific public keys
+ to log in over SSH. See
+ <citerefentry><refentrytitle>systemd.systemd-credentials</refentrytitle><manvolnum>7</manvolnum></citerefentry>
+ for more information.</para>
+
<para>The generator will use a packaged <filename>sshd@.service</filename> service template file if one
exists, and otherwise generate a suitable service template file.</para>
</varlistentry>
<varlistentry>
- <term><varname>IPForward=</varname></term>
- <listitem>
- <para>Configures IP packet forwarding for the system. If enabled, incoming packets on any
- network interface will be forwarded to any other interfaces according to the routing table.
- Takes a boolean, or the values <literal>ipv4</literal> or <literal>ipv6</literal>, which only
- enable IP packet forwarding for the specified address family. This controls the
- <filename>net.ipv4.ip_forward</filename> and <filename>net.ipv6.conf.all.forwarding</filename>
- sysctl options of the network interface (see
+ <term><varname>IPv4Forwarding=</varname></term>
+ <listitem>
+ <para>Configures IPv4 packet forwarding for the interface. Takes a boolean value. This controls the
+ <filename>net.ipv4.conf.<replaceable>INTERFACE</replaceable>.forwarding</filename> sysctl option of
+ the network interface. See
<ulink url="https://docs.kernel.org/networking/ip-sysctl.html">IP Sysctl</ulink>
- for details about sysctl options). Defaults to <literal>no</literal>.</para>
+ for more details about the sysctl option. Defaults to true if <varname>IPMasquerade=</varname> is
+ enabled for IPv4, otherwise the value specified to the same setting in
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ will be used. If none of them are specified, the sysctl option will not be changed.</para>
+
+ <para>To control the global setting, use the same setting in
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
+ </para>
+
+ <xi:include href="version-info.xml" xpointer="v256"/>
+ </listitem>
+ </varlistentry>
- <para>Note: this setting controls a global kernel option, and does so one way only: if a
- network that has this setting enabled is set up the global setting is turned on. However,
- it is never turned off again, even after all networks with this setting enabled are shut
- down again.</para>
+ <varlistentry>
+ <term><varname>IPv6Forwarding=</varname></term>
+ <listitem>
+ <para>Configures IPv6 packet forwarding for the interface. Takes a boolean value. This controls the
+ <filename>net.ipv6.conf.<replaceable>INTERFACE</replaceable>.forwarding</filename> sysctl option of
+ the network interface. See
+ <ulink url="https://docs.kernel.org/networking/ip-sysctl.html">IP Sysctl</ulink>
+ for more details about the sysctl option. Defaults to true if <varname>IPMasquerade=</varname> is
+ enabled for IPv6 or <varname>IPv6SendRA=</varname> is enabled, otherwise the value specified to the
+ same setting in
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ will be used. If none of them are specified, the sysctl option will not be changed.</para>
- <para>To allow IP packet forwarding only between specific network interfaces use a firewall.
+ <para>To control the global setting, use the same setting in
+ <citerefentry><refentrytitle>networkd.conf</refentrytitle><manvolnum>5</manvolnum></citerefentry>.
</para>
- <xi:include href="version-info.xml" xpointer="v219"/>
+ <xi:include href="version-info.xml" xpointer="v256"/>
</listitem>
</varlistentry>
<para>Configures IP masquerading for the network interface. If enabled, packets forwarded
from the network interface will be appear as coming from the local host. Takes one of
<literal>ipv4</literal>, <literal>ipv6</literal>, <literal>both</literal>, or
- <literal>no</literal>. Defaults to <literal>no</literal>. If enabled, this automatically sets
- <varname>IPForward=</varname> to one of <literal>ipv4</literal>, <literal>ipv6</literal> or
- <literal>yes</literal>.</para>
+ <literal>no</literal>. Defaults to <literal>no</literal>.</para>
<para>Note. Any positive boolean values such as <literal>yes</literal> or
<literal>true</literal> are now deprecated. Please use one of the values in the above.</para>
#####################################################################
version_tag = get_option('version-tag')
-version_h = vcs_tag(
- input : 'src/version/version.h.in',
- output : 'version.h',
- command: [project_source_root / 'tools/meson-vcs-tag.sh',
- project_source_root,
- version_tag,
- ])
+if version_tag == ''
+ version_tag = meson.project_version()
+endif
+
+conf.set_quoted('VERSION_TAG', version_tag)
+
+vcs_tag = get_option('vcs-tag')
+if vcs_tag and fs.is_dir(project_source_root / '.git')
+ version_h = vcs_tag(
+ input : 'src/version/version.h.in',
+ output : 'version.h',
+ fallback : '',
+ command : ['sh', '-c', 'echo "-g$(git -C . describe --abbrev=7 --match="" --always --dirty=^)"'],
+ )
+else
+ version_h = configure_file(
+ input : 'src/version/version.h.in',
+ output : 'version.h',
+ configuration : configuration_data({'VCS_TAG' : ''}),
+ )
+endif
shared_lib_tag = get_option('shared-lib-tag')
if shared_lib_tag == ''
# SPDX-License-Identifier: LGPL-2.1-or-later
option('version-tag', type : 'string',
- description : 'override the git version string')
+ description : 'set the extended version string (defaults to project version)')
option('shared-lib-tag', type : 'string',
description : 'override the private shared library version tag (defaults to project version)')
+option('vcs-tag', type : 'boolean', value : true,
+ description : 'append current git commit to version output when git information is available')
option('mode', type : 'combo', choices : ['developer', 'release'],
description : 'autoenable features suitable for systemd development/release builds')
--- /dev/null
+# do not edit this file, it will be overwritten on update
+
+# Media controller rules
+
+ACTION=="remove", GOTO="persistent_media_ctl_end"
+SUBSYSTEM!="media", GOTO="persistent_media_ctl_end"
+ENV{MAJOR}=="", GOTO="persistent_media_ctl_end"
+
+IMPORT{builtin}="path_id"
+ENV{ID_PATH}=="?*", KERNEL=="media*", SYMLINK+="media/by-path/$env{ID_PATH}-media-controller"
+
+LABEL="persistent_media_ctl_end"
--- /dev/null
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include <elf.h>
+#include <link.h>
+#include <sys/auxv.h>
+
+#include "build-path.h"
+#include "errno-list.h"
+#include "errno-util.h"
+#include "macro.h"
+#include "path-util.h"
+#include "process-util.h"
+#include "unistd.h"
+
+static int get_runpath_from_dynamic(const ElfW(Dyn) *d, const char **ret) {
+ size_t runpath_index = SIZE_MAX, rpath_index = SIZE_MAX;
+ const char *strtab = NULL;
+
+ assert(d);
+
+ /* Iterates through the PT_DYNAMIC section to find the DT_RUNPATH/DT_RPATH entries */
+
+ for (; d->d_tag != DT_NULL; d++) {
+
+ switch (d->d_tag) {
+
+ case DT_RUNPATH:
+ runpath_index = (size_t) d->d_un.d_val;
+ break;
+
+ case DT_RPATH:
+ rpath_index = (size_t) d->d_un.d_val;
+ break;
+
+ case DT_STRTAB:
+ strtab = (const char *) d->d_un.d_val;
+ break;
+ }
+
+ /* runpath wins, hence if we have the table and runpath we can exit the loop early */
+ if (strtab && runpath_index != SIZE_MAX)
+ break;
+ }
+
+ if (!strtab)
+ return -ENOTRECOVERABLE;
+
+ /* According to dl.so runpath wins of both runpath and rpath are defined. */
+ if (runpath_index != SIZE_MAX) {
+ if (ret)
+ *ret = strtab + runpath_index;
+ return 1;
+ }
+
+ if (rpath_index != SIZE_MAX) {
+ if (ret)
+ *ret = strtab + rpath_index;
+ return 1;
+ }
+
+ if (ret)
+ *ret = NULL;
+
+ return 0;
+}
+
+static int get_runpath(const char **ret) {
+ unsigned long phdr, phent, phnum;
+
+ /* Finds the rpath/runpath in the program headers of the main executable we are running in */
+
+ phdr = getauxval(AT_PHDR); /* Start offset of phdr */
+ if (phdr == 0)
+ return -ENOTRECOVERABLE;
+
+ phnum = getauxval(AT_PHNUM); /* Number of entries in phdr */
+ if (phnum == 0)
+ return -ENOTRECOVERABLE;
+
+ phent = getauxval(AT_PHENT); /* Size of entries in phdr */
+ if (phent < sizeof(ElfW(Phdr))) /* Safety check, that our idea of the structure matches the file */
+ return -ENOTRECOVERABLE;
+
+ ElfW(Addr) bias = 0, dyn = 0;
+ bool found_bias = false, found_dyn = false;
+
+ /* Iterate through the Phdr structures to find the PT_PHDR and PT_DYNAMIC sections */
+ for (unsigned long i = 0; i < phnum; i++) {
+ const ElfW(Phdr) *p = (const ElfW(Phdr)*) (phdr + (i * phent));
+
+ switch (p->p_type) {
+
+ case PT_PHDR:
+ if (p->p_vaddr > phdr) /* safety overflow check */
+ return -ENOTRECOVERABLE;
+
+ bias = (ElfW(Addr)) phdr - p->p_vaddr;
+ found_bias = true;
+ break;
+
+ case PT_DYNAMIC:
+ dyn = p->p_vaddr;
+ found_dyn = true;
+ break;
+ }
+
+ if (found_bias && found_dyn)
+ break;
+ }
+
+ if (!found_dyn)
+ return -ENOTRECOVERABLE;
+
+ return get_runpath_from_dynamic((const ElfW(Dyn)*) (bias + dyn), ret);
+}
+
+int get_build_exec_dir(char **ret) {
+ int r;
+
+ /* Returns the build execution directory if we are invoked in a build environment. Specifically, this
+ * checks if the main program binary has an rpath/runpath set (i.e. an explicit directory where to
+ * look for shared libraries) to $ORIGIN. If so we know that this is not a regular installed binary,
+ * but one which shall acquire its libraries from below a directory it is located in, i.e. a build
+ * directory or similar. In that case it typically makes sense to also search for our auxiliary
+ * executables we fork() off in a directory close to our main program binary, rather than in the
+ * system.
+ *
+ * This function is supposed to be used when looking for "callout" binaries that are closely related
+ * to the main program (i.e. speak a specific protocol between each other). And where it's generally
+ * a good idea to use the binary from the build tree (if there is one) instead of the system.
+ *
+ * Note that this does *not* actually return the rpath/runpath but the instead the directory the main
+ * executable was found in. This follows the logic that the result is supposed to be used for
+ * executable binaries (i.e. stuff in bindir), not for shared libraries (i.e. stuff in libdir), and
+ * hence the literal shared library path would just be wrong.
+ *
+ * TLDR: if we look for callouts in this dir first, running binaries from the meson build tree
+ * automatically uses the right callout.
+ *
+ * Returns:
+ * -ENOEXEC → We are not running in an rpath/runpath $ORIGIN environment
+ * -ENOENT → We don't know our own binary path
+ * -NOTRECOVERABLE → Dynamic binary information missing?
+ */
+
+ static int runpath_cached = -ERRNO_MAX-1;
+ if (runpath_cached == -ERRNO_MAX-1) {
+ const char *runpath = NULL;
+
+ runpath_cached = get_runpath(&runpath);
+
+ /* We only care if the runpath starts with $ORIGIN/ */
+ if (runpath_cached > 0 && !startswith(runpath, "$ORIGIN/"))
+ runpath_cached = 0;
+ }
+ if (runpath_cached < 0)
+ return runpath_cached;
+ if (runpath_cached == 0)
+ return -ENOEXEC;
+
+ _cleanup_free_ char *exe = NULL;
+ r = get_process_exe(0, &exe);
+ if (r < 0)
+ return runpath_cached = r;
+
+ return path_extract_directory(exe, ret);
+}
+
+static int find_build_dir_binary(const char *fn, char **ret) {
+ int r;
+
+ assert(fn);
+ assert(ret);
+
+ _cleanup_free_ char *build_dir = NULL;
+ r = get_build_exec_dir(&build_dir);
+ if (r < 0)
+ return r;
+
+ _cleanup_free_ char *np = path_join(build_dir, fn);
+ if (!np)
+ return -ENOMEM;
+
+ *ret = TAKE_PTR(np);
+ return 0;
+}
+
+static int find_environment_binary(const char *fn, const char **ret) {
+
+ /* If a path such as /usr/lib/systemd/systemd-foobar is specified, then this will check for an
+ * environment variable SYSTEMD_FOOBAR_PATH and return it if set. */
+
+ _cleanup_free_ char *s = strdup(fn);
+ if (!s)
+ return -ENOMEM;
+
+ ascii_strupper(s);
+ string_replace_char(s, '-', '_');
+
+ if (!strextend(&s, "_PATH"))
+ return -ENOMEM;
+
+ const char *e;
+ e = secure_getenv(s);
+ if (!e)
+ return -ENXIO;
+
+ *ret = e;
+ return 0;
+}
+
+int invoke_callout_binary(const char *path, char *const argv[]) {
+ int r;
+
+ assert(path);
+
+ /* Just like execv(), but tries to execute the specified binary in the build dir instead, if known */
+
+ _cleanup_free_ char *fn = NULL;
+ r = path_extract_filename(path, &fn);
+ if (r < 0)
+ return r;
+ if (r == O_DIRECTORY) /* Uh? */
+ return -EISDIR;
+
+ const char *e;
+ if (find_environment_binary(fn, &e) >= 0) {
+ /* If there's an explicit environment variable set for this binary, prefer it */
+ execv(e, argv);
+ return -errno; /* The environment variable counts, let's fail otherwise */
+ }
+
+ _cleanup_free_ char *np = NULL;
+ if (find_build_dir_binary(fn, &np) >= 0)
+ execv(np, argv);
+
+ execv(path, argv);
+ return -errno;
+}
+
+int pin_callout_binary(const char *path) {
+ int r;
+
+ assert(path);
+
+ /* Similar to invoke_callout_binary(), but pins (i.e. O_PATH opens) the binary instead of executing it. */
+
+ _cleanup_free_ char *fn = NULL;
+ r = path_extract_filename(path, &fn);
+ if (r < 0)
+ return r;
+ if (r == O_DIRECTORY) /* Uh? */
+ return -EISDIR;
+
+ const char *e;
+ if (find_environment_binary(fn, &e) >= 0)
+ return RET_NERRNO(open(e, O_CLOEXEC|O_PATH));
+
+ _cleanup_free_ char *np = NULL;
+ if (find_build_dir_binary(fn, &np) >= 0) {
+ r = RET_NERRNO(open(np, O_CLOEXEC|O_PATH));
+ if (r >= 0)
+ return r;
+ }
+
+ return RET_NERRNO(open(path, O_CLOEXEC|O_PATH));
+}
--- /dev/null
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+#pragma once
+
+int get_build_exec_dir(char **ret);
+
+int invoke_callout_binary(const char *path, char *const argv[]);
+
+int pin_callout_binary(const char *path);
'audit-util.c',
'btrfs.c',
'build.c',
+ 'build-path.c',
'bus-label.c',
'cap-list.c',
'capability-util.c',
p = procfs_file_alloca(pid, proc_file);
r = readlink_malloc(p, ret);
- return r == -ENOENT ? -ESRCH : r;
+ return (r == -ENOENT && proc_mounted() > 0) ? -ESRCH : r;
}
int get_process_exe(pid_t pid, char **ret) {
#include "tpm2-pcr.h"
#include "util.h"
-static EFI_STATUS tpm1_measure_to_pcr_and_event_log(
- const EFI_TCG_PROTOCOL *tcg,
- uint32_t pcrindex,
- EFI_PHYSICAL_ADDRESS buffer,
- size_t buffer_size,
- const char16_t *description) {
-
- _cleanup_free_ TCG_PCR_EVENT *tcg_event = NULL;
- EFI_PHYSICAL_ADDRESS event_log_last;
- uint32_t event_number = 1;
- size_t desc_len;
-
- assert(tcg);
- assert(description);
-
- desc_len = strsize16(description);
- tcg_event = xmalloc(offsetof(TCG_PCR_EVENT, Event) + desc_len);
- *tcg_event = (TCG_PCR_EVENT) {
- .EventSize = desc_len,
- .PCRIndex = pcrindex,
- .EventType = EV_IPL,
- };
- memcpy(tcg_event->Event, description, desc_len);
-
- return tcg->HashLogExtendEvent(
- (EFI_TCG_PROTOCOL *) tcg,
- buffer, buffer_size,
- TCG_ALG_SHA,
- tcg_event,
- &event_number,
- &event_log_last);
-}
-
static EFI_STATUS tpm2_measure_to_pcr_and_tagged_event_log(
EFI_TCG2_PROTOCOL *tcg,
uint32_t pcrindex,
return cc;
}
-static EFI_TCG_PROTOCOL *tcg1_interface_check(void) {
- EFI_PHYSICAL_ADDRESS event_log_location, event_log_last_entry;
- EFI_TCG_BOOT_SERVICE_CAPABILITY capability = {
- .Size = sizeof(capability),
- };
- EFI_STATUS err;
- uint32_t features;
- EFI_TCG_PROTOCOL *tcg;
-
- err = BS->LocateProtocol(MAKE_GUID_PTR(EFI_TCG_PROTOCOL), NULL, (void **) &tcg);
- if (err != EFI_SUCCESS)
- return NULL;
-
- err = tcg->StatusCheck(
- tcg,
- &capability,
- &features,
- &event_log_location,
- &event_log_last_entry);
- if (err != EFI_SUCCESS)
- return NULL;
-
- if (capability.TPMDeactivatedFlag)
- return NULL;
-
- if (!capability.TPMPresentFlag)
- return NULL;
-
- return tcg;
-}
-
static EFI_TCG2_PROTOCOL *tcg2_interface_check(void) {
EFI_TCG2_BOOT_SERVICE_CAPABILITY capability = {
.Size = sizeof(capability),
}
bool tpm_present(void) {
- return tcg2_interface_check() || tcg1_interface_check();
+ return tcg2_interface_check();
}
EFI_STATUS tpm_log_event(uint32_t pcrindex, EFI_PHYSICAL_ADDRESS buffer, size_t buffer_size, const char16_t *description, bool *ret_measured) {
if (tpm2)
err = tpm2_measure_to_pcr_and_event_log(tpm2, pcrindex, buffer, buffer_size, description);
else {
- EFI_TCG_PROTOCOL *tpm1;
+ EFI_CC_MEASUREMENT_PROTOCOL *cc;
- tpm1 = tcg1_interface_check();
- if (tpm1)
- err = tpm1_measure_to_pcr_and_event_log(tpm1, pcrindex, buffer, buffer_size, description);
+ cc = cc_interface_check();
+ if (cc)
+ err = cc_measure_to_mr_and_event_log(cc, pcrindex, buffer, buffer_size, description);
else {
- EFI_CC_MEASUREMENT_PROTOCOL *cc;
-
- cc = cc_interface_check();
- if (cc)
- err = cc_measure_to_mr_and_event_log(cc, pcrindex, buffer, buffer_size, description);
- else {
- /* No active TPM found, so don't return an error */
+ /* No active TPM found, so don't return an error */
- if (ret_measured)
- *ret_measured = false;
+ if (ret_measured)
+ *ret_measured = false;
- return EFI_SUCCESS;
- }
+ return EFI_SUCCESS;
}
}
elif get_option('sbat-distro') != ''
efi_conf.set_quoted('SBAT_PROJECT', meson.project_name())
efi_conf.set_quoted('PROJECT_VERSION', meson.project_version().split('~')[0])
+ efi_conf.set_quoted('VERSION_TAG', version_tag)
efi_conf.set('PROJECT_URL', conf.get('PROJECT_URL'))
if get_option('sbat-distro-generation') < 1
error('SBAT Distro Generation must be a positive integer')
#include "efi.h"
-#define EFI_TCG_PROTOCOL_GUID \
- GUID_DEF(0xf541796d, 0xa62e, 0x4954, 0xa7, 0x75, 0x95, 0x84, 0xf6, 0x1b, 0x9c, 0xdd)
#define EFI_TCG2_PROTOCOL_GUID \
GUID_DEF(0x607f766c, 0x7455, 0x42be, 0x93, 0x0b, 0xe4, 0xd7, 0x6d, 0xb2, 0x72, 0x0f)
-#define TCG_ALG_SHA 0x4
#define EFI_TCG2_EVENT_HEADER_VERSION 1
#define EV_IPL 13
#define EV_EVENT_TAG UINT32_C(6)
uint32_t ActivePcrBanks;
} EFI_TCG2_BOOT_SERVICE_CAPABILITY;
-typedef struct {
- uint32_t PCRIndex;
- uint32_t EventType;
- struct {
- uint8_t Digest[20];
- } Digest;
- uint32_t EventSize;
- uint8_t Event[];
-} _packed_ TCG_PCR_EVENT;
-
typedef struct {
uint32_t HeaderSize;
uint16_t HeaderVersion;
uint8_t Event[];
} _packed_ EFI_TCG2_TAGGED_EVENT;
-typedef struct EFI_TCG_PROTOCOL EFI_TCG_PROTOCOL;
-struct EFI_TCG_PROTOCOL {
- EFI_STATUS (EFIAPI *StatusCheck)(
- EFI_TCG_PROTOCOL *This,
- EFI_TCG_BOOT_SERVICE_CAPABILITY *ProtocolCapability,
- uint32_t *TCGFeatureFlags,
- EFI_PHYSICAL_ADDRESS *EventLogLocation,
- EFI_PHYSICAL_ADDRESS *EventLogLastEntry);
- void *HashAll;
- void *LogEvent;
- void *PassThroughToTpm;
- EFI_STATUS (EFIAPI *HashLogExtendEvent)(
- EFI_TCG_PROTOCOL *This,
- EFI_PHYSICAL_ADDRESS HashData,
- uint64_t HashDataLen,
- uint32_t AlgorithmId,
- TCG_PCR_EVENT *TCGLogData,
- uint32_t *EventNumber,
- EFI_PHYSICAL_ADDRESS *EventLogLastEntry);
-};
-
typedef struct EFI_TCG2_PROTOCOL EFI_TCG2_PROTOCOL;
struct EFI_TCG2_PROTOCOL {
EFI_STATUS (EFIAPI *GetCapability)(
#include "alloc-util.h"
#include "audit-fd.h"
#include "boot-timestamps.h"
+#include "build-path.h"
#include "bus-common-errors.h"
#include "bus-error.h"
#include "bus-kernel.h"
if (r < 0 && r != -EEXIST)
return r;
+ }
- m->executor_fd = open(SYSTEMD_EXECUTOR_BINARY_PATH, O_CLOEXEC|O_PATH);
- if (m->executor_fd < 0)
- return log_emergency_errno(errno,
- "Failed to open executor binary '%s': %m",
- SYSTEMD_EXECUTOR_BINARY_PATH);
- } else if (!FLAGS_SET(test_run_flags, MANAGER_TEST_DONT_OPEN_EXECUTOR)) {
- _cleanup_free_ char *self_exe = NULL, *executor_path = NULL;
- _cleanup_close_ int self_dir_fd = -EBADF;
- int level = LOG_DEBUG;
-
- /* Prefer sd-executor from the same directory as the test, e.g.: when running unit tests from the
- * build directory. Fallback to working directory and then the installation path. */
- r = readlink_and_make_absolute("/proc/self/exe", &self_exe);
- if (r < 0)
- return r;
-
- self_dir_fd = open_parent(self_exe, O_CLOEXEC|O_PATH|O_DIRECTORY, 0);
- if (self_dir_fd < 0)
- return self_dir_fd;
-
- m->executor_fd = RET_NERRNO(openat(self_dir_fd, "systemd-executor", O_CLOEXEC|O_PATH));
- if (m->executor_fd == -ENOENT)
- m->executor_fd = RET_NERRNO(openat(AT_FDCWD, "systemd-executor", O_CLOEXEC|O_PATH));
- if (m->executor_fd == -ENOENT) {
- m->executor_fd = RET_NERRNO(open(SYSTEMD_EXECUTOR_BINARY_PATH, O_CLOEXEC|O_PATH));
- level = LOG_WARNING; /* Tests should normally use local builds */
- }
+ if (!FLAGS_SET(test_run_flags, MANAGER_TEST_DONT_OPEN_EXECUTOR)) {
+ m->executor_fd = pin_callout_binary(SYSTEMD_EXECUTOR_BINARY_PATH);
if (m->executor_fd < 0)
- return m->executor_fd;
+ return log_debug_errno(m->executor_fd, "Failed to pin executor binary: %m");
+ _cleanup_free_ char *executor_path = NULL;
r = fd_get_path(m->executor_fd, &executor_path);
if (r < 0)
return r;
- log_full(level, "Using systemd-executor binary from '%s'.", executor_path);
+ log_debug("Using systemd-executor binary from '%s'.", executor_path);
}
/* Note that we do not set up the notify fd here. We do that after deserialization,
#include "blockdev-util.h"
#include "btrfs-util.h"
+#include "build-path.h"
#include "bus-common-errors.h"
#include "bus-locator.h"
#include "data-fd-util.h"
return r;
if (r == 0) {
_cleanup_free_ char *joined = NULL;
- const char *homework, *suffix, *unix_path;
+ const char *suffix, *unix_path;
/* Child */
if (r < 0)
log_warning_errno(r, "Failed to update $SYSTEMD_LOG_LEVEL, ignoring: %m");
- /* Allow overriding the homework path via an environment variable, to make debugging
- * easier. */
- homework = getenv("SYSTEMD_HOMEWORK_PATH") ?: SYSTEMD_HOMEWORK_PATH;
-
- execl(homework, homework, verb, NULL);
- log_error_errno(errno, "Failed to invoke %s: %m", homework);
+ r = invoke_callout_binary(SYSTEMD_HOMEWORK_PATH, STRV_MAKE(SYSTEMD_HOMEWORK_PATH, verb));
+ log_error_errno(r, "Failed to invoke %s: %m", SYSTEMD_HOMEWORK_PATH);
_exit(EXIT_FAILURE);
}
#include "sd-bus.h"
#include "alloc-util.h"
+#include "build-path.h"
#include "bus-common-errors.h"
#include "bus-get-properties.h"
#include "bus-log-control-api.h"
cmd[k++] = t->local;
cmd[k] = NULL;
- execv(cmd[0], (char * const *) cmd);
- log_error_errno(errno, "Failed to execute %s tool: %m", cmd[0]);
+ assert(k < ELEMENTSOF(cmd));
+
+ r = invoke_callout_binary(cmd[0], (char * const *) cmd);
+ log_error_errno(r, "Failed to execute %s tool: %m", cmd[0]);
_exit(EXIT_FAILURE);
}
if (r < 0)
return r;
+ (void) event_source_disable(nd->timeout_event_source);
+
log_ndisc(nd, "Received Router Advertisement: flags %s preference %s lifetime %s",
rt->flags & ND_RA_FLAG_MANAGED ? "MANAGED" : rt->flags & ND_RA_FLAG_OTHER ? "OTHER" : "none",
rt->preference == SD_NDISC_PREFERENCE_HIGH ? "high" : rt->preference == SD_NDISC_PREFERENCE_LOW ? "low" : "medium",
/* The function icmp6_receive() accepts the null source address, but RFC 4861 Section 6.1.2 states
* that hosts MUST discard messages with the null source address. */
- if (in6_addr_is_null(&rt->address))
- log_ndisc(nd, "Received RA from null address. Ignoring.");
+ if (in6_addr_is_null(&rt->address)) {
+ log_ndisc(nd, "Received an ICMPv6 packet from null address, ignoring.");
+ return 0;
+ }
- (void) event_source_disable(nd->timeout_event_source);
(void) ndisc_handle_datagram(nd, rt);
return 0;
}
Network.ManageForeignRoutes, config_parse_bool, 0, offsetof(Manager, manage_foreign_routes)
Network.ManageForeignNextHops, config_parse_bool, 0, offsetof(Manager, manage_foreign_nexthops)
Network.RouteTable, config_parse_route_table_names, 0, 0
+Network.IPv4Forwarding, config_parse_tristate, 0, offsetof(Manager, ip_forwarding[0])
+Network.IPv6Forwarding, config_parse_tristate, 0, offsetof(Manager, ip_forwarding[1])
Network.IPv6PrivacyExtensions, config_parse_ipv6_privacy_extensions, 0, offsetof(Manager, ipv6_privacy_extensions)
DHCPv4.DUIDType, config_parse_duid_type, 0, offsetof(Manager, dhcp_duid)
DHCPv4.DUIDRawData, config_parse_duid_rawdata, 0, offsetof(Manager, dhcp_duid)
#include "networkd-link.h"
#include "networkd-lldp-tx.h"
#include "networkd-manager.h"
+#include "networkd-sysctl.h"
#include "parse-util.h"
#include "string-table.h"
#include "string-util.h"
SD_LLDP_SYSTEM_CAPABILITIES_STATION |
SD_LLDP_SYSTEM_CAPABILITIES_BRIDGE |
SD_LLDP_SYSTEM_CAPABILITIES_ROUTER,
- (link->network->ip_forward != ADDRESS_FAMILY_NO) ?
- SD_LLDP_SYSTEM_CAPABILITIES_ROUTER :
- SD_LLDP_SYSTEM_CAPABILITIES_STATION);
+ (link_get_ip_forwarding(link, AF_INET) > 0 || link_get_ip_forwarding(link, AF_INET6) > 0) ?
+ SD_LLDP_SYSTEM_CAPABILITIES_ROUTER : SD_LLDP_SYSTEM_CAPABILITIES_STATION);
if (r < 0)
return r;
.dhcp_duid.type = DUID_TYPE_EN,
.dhcp6_duid.type = DUID_TYPE_EN,
.duid_product_uuid.type = DUID_TYPE_UUID,
+ .ip_forwarding = { -1, -1, },
};
*ret = TAKE_PTR(m);
assert(m);
+ manager_set_sysctl(m);
+
r = manager_start_speed_meter(m);
if (r < 0)
return log_error_errno(r, "Failed to initialize speed meter: %m");
Hashmap *tuntap_fds_by_name;
unsigned reloading;
+
+ /* sysctl */
+ int ip_forwarding[2];
};
int manager_new(Manager **ret, bool test_mode);
#include "networkd-queue.h"
#include "networkd-route.h"
#include "networkd-state-file.h"
+#include "networkd-sysctl.h"
#include "string-table.h"
#include "string-util.h"
#include "strv.h"
if (!link_may_have_ipv6ll(link, /* check_multicast = */ true))
return false;
- assert(link->network->ipv6_accept_ra >= 0);
- return link->network->ipv6_accept_ra;
+ if (link->network->ipv6_accept_ra >= 0)
+ return link->network->ipv6_accept_ra;
+
+ /* Accept RAs if IPv6 forwarding is disabled, and ignore RAs if IPv6 forwarding is enabled. */
+ int t = link_get_ip_forwarding(link, AF_INET6);
+ if (t >= 0)
+ return !t;
+
+ /* Otherwise, defaults to true. */
+ return true;
}
void network_adjust_ipv6_accept_ra(Network *network) {
network->ipv6_accept_ra = false;
}
- if (network->ipv6_accept_ra < 0)
- /* default to accept RA if ip_forward is disabled and ignore RA if ip_forward is enabled */
- network->ipv6_accept_ra = !FLAGS_SET(network->ip_forward, ADDRESS_FAMILY_IPV6);
-
/* When RouterAllowList=, PrefixAllowList= or RouteAllowList= are specified, then
* RouterDenyList=, PrefixDenyList= or RouteDenyList= are ignored, respectively. */
if (!set_isempty(network->ndisc_allow_listed_router))
Network.DNSSEC, config_parse_dnssec_mode, 0, offsetof(Network, dnssec_mode)
Network.DNSSECNegativeTrustAnchors, config_parse_dnssec_negative_trust_anchors, 0, offsetof(Network, dnssec_negative_trust_anchors)
Network.NTP, config_parse_ntp, 0, offsetof(Network, ntp)
-Network.IPForward, config_parse_address_family_with_kernel, 0, offsetof(Network, ip_forward)
+Network.IPForward, config_parse_ip_forward_deprecated, 0, 0
+Network.IPv4Forwarding, config_parse_tristate, 0, offsetof(Network, ip_forwarding[0])
+Network.IPv6Forwarding, config_parse_tristate, 0, offsetof(Network, ip_forwarding[1])
Network.IPMasquerade, config_parse_ip_masquerade, 0, offsetof(Network, ip_masquerade)
Network.IPv6PrivacyExtensions, config_parse_ipv6_privacy_extensions, 0, offsetof(Network, ipv6_privacy_extensions)
Network.IPv6AcceptRA, config_parse_tristate, 0, offsetof(Network, ipv6_accept_ra)
network->ipv6ll_address_gen_mode < 0)
network->ipv6ll_address_gen_mode = IPV6_LINK_LOCAL_ADDRESSS_GEN_MODE_STABLE_PRIVACY;
- /* IPMasquerade implies IPForward */
- network->ip_forward |= network->ip_masquerade;
-
network_adjust_ipv6_proxy_ndp(network);
network_adjust_ipv6_accept_ra(network);
network_adjust_dhcp(network);
.link_local = _ADDRESS_FAMILY_INVALID,
.ipv6ll_address_gen_mode = _IPV6_LINK_LOCAL_ADDRESS_GEN_MODE_INVALID,
+ .ip_forwarding = { -1, -1, },
.ipv4_accept_local = -1,
.ipv4_route_localnet = -1,
.ipv6_privacy_extensions = _IPV6_PRIVACY_EXTENSIONS_INVALID,
int ipoib_umcast;
/* sysctl settings */
- AddressFamily ip_forward;
+ int ip_forwarding[2];
int ipv4_accept_local;
int ipv4_route_localnet;
int ipv6_dad_transmits;
"Ignoring [Route] section from line %u.",
route->section->filename, route->section->line);
- if (route->nexthop.family == AF_INET6 && !route->network->ipv6_accept_ra)
+ if (route->nexthop.family == AF_INET6 && route->network->ipv6_accept_ra == 0)
return log_warning_errno(SYNTHETIC_ERRNO(EINVAL),
"%s: Gateway=\"_ipv6ra\" is specified but IPv6AcceptRA= is disabled. "
"Ignoring [Route] section from line %u.",
#include <linux/if.h>
#include <linux/if_arp.h>
+#include "af-list.h"
#include "missing_network.h"
#include "networkd-link.h"
#include "networkd-manager.h"
#include "string-table.h"
#include "sysctl-util.h"
+static void manager_set_ip_forwarding(Manager *manager, int family) {
+ int r, t;
+
+ assert(manager);
+ assert(IN_SET(family, AF_INET, AF_INET6));
+
+ if (family == AF_INET6 && !socket_ipv6_is_supported())
+ return;
+
+ t = manager->ip_forwarding[family == AF_INET6];
+ if (t < 0)
+ return; /* keep */
+
+ /* First, set the default value. */
+ r = sysctl_write_ip_property_boolean(family, "default", "forwarding", t);
+ if (r < 0)
+ log_warning_errno(r, "Failed to %s the default %s forwarding: %m",
+ enable_disable(t), af_to_ipv4_ipv6(family));
+
+ /* Then, set the value to all interfaces. */
+ r = sysctl_write_ip_property_boolean(family, "all", "forwarding", t);
+ if (r < 0)
+ log_warning_errno(r, "Failed to %s %s forwarding for all interfaces: %m",
+ enable_disable(t), af_to_ipv4_ipv6(family));
+}
+
+void manager_set_sysctl(Manager *manager) {
+ assert(manager);
+ assert(!manager->test_mode);
+
+ manager_set_ip_forwarding(manager, AF_INET);
+ manager_set_ip_forwarding(manager, AF_INET6);
+}
+
static bool link_is_configured_for_family(Link *link, int family) {
assert(link);
return sysctl_write_ip_property_boolean(AF_INET, link->ifname, "proxy_arp_pvlan", link->network->proxy_arp_pvlan > 0);
}
-static bool link_ip_forward_enabled(Link *link, int family) {
+int link_get_ip_forwarding(Link *link, int family) {
assert(link);
+ assert(link->manager);
+ assert(link->network);
assert(IN_SET(family, AF_INET, AF_INET6));
- if (!link_is_configured_for_family(link, family))
- return false;
-
- return link->network->ip_forward & (family == AF_INET ? ADDRESS_FAMILY_IPV4 : ADDRESS_FAMILY_IPV6);
-}
+ /* If it is explicitly specified, then honor the setting. */
+ int t = link->network->ip_forwarding[family == AF_INET6];
+ if (t >= 0)
+ return t;
-static int link_set_ipv4_forward(Link *link) {
- assert(link);
-
- if (!link_ip_forward_enabled(link, AF_INET))
- return 0;
+ /* If IPMasquerade= is enabled, also enable IP forwarding. */
+ if (family == AF_INET && FLAGS_SET(link->network->ip_masquerade, ADDRESS_FAMILY_IPV4))
+ return true;
+ if (family == AF_INET6 && FLAGS_SET(link->network->ip_masquerade, ADDRESS_FAMILY_IPV6))
+ return true;
- /* We propagate the forwarding flag from one interface to the
- * global setting one way. This means: as long as at least one
- * interface was configured at any time that had IP forwarding
- * enabled the setting will stay on for good. We do this
- * primarily to keep IPv4 and IPv6 packet forwarding behaviour
- * somewhat in sync (see below). */
+ /* If IPv6SendRA= is enabled, also enable IPv6 forwarding. */
+ if (family == AF_INET6 && link_radv_enabled(link))
+ return true;
- return sysctl_write_ip_property(AF_INET, NULL, "ip_forward", "1");
+ /* Otherwise, use the global setting. */
+ return link->manager->ip_forwarding[family == AF_INET6];
}
-static int link_set_ipv6_forward(Link *link) {
+static int link_set_ip_forwarding(Link *link, int family) {
+ int r, t;
+
assert(link);
+ assert(IN_SET(family, AF_INET, AF_INET6));
- if (!link_ip_forward_enabled(link, AF_INET6))
+ if (!link_is_configured_for_family(link, family))
return 0;
- /* On Linux, the IPv6 stack does not know a per-interface
- * packet forwarding setting: either packet forwarding is on
- * for all, or off for all. We hence don't bother with a
- * per-interface setting, but simply propagate the interface
- * flag, if it is set, to the global flag, one-way. Note that
- * while IPv4 would allow a per-interface flag, we expose the
- * same behaviour there and also propagate the setting from
- * one to all, to keep things simple (see above). */
+ t = link_get_ip_forwarding(link, family);
+ if (t < 0)
+ return 0; /* keep */
- return sysctl_write_ip_property(AF_INET6, "all", "forwarding", "1");
+ r = sysctl_write_ip_property_boolean(family, link->ifname, "forwarding", t);
+ if (r < 0)
+ return log_link_warning_errno(link, r, "Failed to %s %s forwarding, ignoring: %m",
+ enable_disable(t), af_to_ipv4_ipv6(family));
+
+ return 0;
}
static int link_set_ipv4_rp_filter(Link *link) {
if (r < 0)
log_link_warning_errno(link, r, "Cannot configure proxy ARP private VLAN for interface, ignoring: %m");
- r = link_set_ipv4_forward(link);
- if (r < 0)
- log_link_warning_errno(link, r, "Cannot turn on IPv4 packet forwarding, ignoring: %m");
-
- r = link_set_ipv6_forward(link);
- if (r < 0)
- log_link_warning_errno(link, r, "Cannot configure IPv6 packet forwarding, ignoring: %m");
+ (void) link_set_ip_forwarding(link, AF_INET);
+ (void) link_set_ip_forwarding(link, AF_INET6);
r = link_set_ipv6_privacy_extensions(link);
if (r < 0)
DEFINE_STRING_TABLE_LOOKUP(ip_reverse_path_filter, IPReversePathFilter);
DEFINE_CONFIG_PARSE_ENUM(config_parse_ip_reverse_path_filter, ip_reverse_path_filter, IPReversePathFilter,
"Failed to parse IP reverse path filter option");
+
+int config_parse_ip_forward_deprecated(
+ const char* unit,
+ const char *filename,
+ unsigned line,
+ const char *section,
+ unsigned section_line,
+ const char *lvalue,
+ int ltype,
+ const char *rvalue,
+ void *data,
+ void *userdata) {
+
+ assert(filename);
+
+ log_syntax(unit, LOG_WARNING, filename, line, 0,
+ "IPForward= setting is deprecated. "
+ "Please use IPv4Forwarding= and/or IPv6Forwarding= in networkd.conf for global setting, "
+ "and the same settings in .network files for per-interface setting.");
+ return 0;
+}
#include "conf-parser.h"
typedef struct Link Link;
+typedef struct Manager Manager;
typedef enum IPv6PrivacyExtensions {
/* These values map to the kernel's /proc/sys/net/ipv6/conf/xxx/use_tempaddr values. Do not reorder! */
_IP_REVERSE_PATH_FILTER_INVALID = -EINVAL,
} IPReversePathFilter;
+void manager_set_sysctl(Manager *manager);
+
+int link_get_ip_forwarding(Link *link, int family);
int link_set_sysctl(Link *link);
int link_set_ipv6_mtu(Link *link);
CONFIG_PARSER_PROTOTYPE(config_parse_ipv6_privacy_extensions);
CONFIG_PARSER_PROTOTYPE(config_parse_ip_reverse_path_filter);
+CONFIG_PARSER_PROTOTYPE(config_parse_ip_forward_deprecated);
DEFINE_PRIVATE_STRING_TABLE_LOOKUP_FROM_STRING(ip_masquerade_address_family, AddressFamily);
DEFINE_STRING_TABLE_LOOKUP(dhcp_lease_server_type, sd_dhcp_lease_server_type_t);
-int config_parse_address_family_with_kernel(
- const char* unit,
- const char *filename,
- unsigned line,
- const char *section,
- unsigned section_line,
- const char *lvalue,
- int ltype,
- const char *rvalue,
- void *data,
- void *userdata) {
-
- AddressFamily *fwd = data, s;
-
- assert(filename);
- assert(lvalue);
- assert(rvalue);
- assert(data);
-
- /* This function is mostly obsolete now. It simply redirects
- * "kernel" to "no". In older networkd versions we used to
- * distinguish IPForward=off from IPForward=kernel, where the
- * former would explicitly turn off forwarding while the
- * latter would simply not touch the setting. But that logic
- * is gone, hence silently accept the old setting, but turn it
- * to "no". */
-
- s = address_family_from_string(rvalue);
- if (s < 0) {
- if (streq(rvalue, "kernel"))
- s = ADDRESS_FAMILY_NO;
- else {
- log_syntax(unit, LOG_WARNING, filename, line, 0, "Failed to parse IPForward= option, ignoring: %s", rvalue);
- return 0;
- }
- }
-
- *fwd = s;
-
- return 0;
-}
-
int config_parse_ip_masquerade(
const char *unit,
const char *filename,
}
CONFIG_PARSER_PROTOTYPE(config_parse_link_local_address_family);
-CONFIG_PARSER_PROTOTYPE(config_parse_address_family_with_kernel);
CONFIG_PARSER_PROTOTYPE(config_parse_ip_masquerade);
CONFIG_PARSER_PROTOTYPE(config_parse_mud_url);
#define foosddhcpclientidhfoo
/***
- Copyright © 2013 Intel Corporation. All rights reserved.
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
#define foosddhcpduidhfoo
/***
- Copyright © 2013 Intel Corporation. All rights reserved.
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
#define foosddhcpoptionhfoo
/***
- Copyright © 2013 Intel Corporation. All rights reserved.
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
#define foosddhcpserverleasehfoo
/***
- Copyright © 2013 Intel Corporation. All rights reserved.
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
#define foosdndiscprotocolfoo
/***
- Copyright © 2014 Intel Corporation. All rights reserved.
-
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
#define foosdndiscrouterfoo
/***
- Copyright © 2014 Intel Corporation. All rights reserved.
-
systemd is free software; you can redistribute it and/or modify it
under the terms of the GNU Lesser General Public License as published by
the Free Software Foundation; either version 2.1 of the License, or
#include "alloc-util.h"
#include "blockdev-util.h"
+#include "build-path.h"
#include "chase.h"
#include "device-util.h"
#include "devnum-util.h"
/* Child */
const char *cmdline[] = {
- "systemd-pull",
+ SYSTEMD_PULL_PATH,
"raw",
"--direct", /* just download the specified URL, don't download anything else */
"--verify", verify_signature ? "signature" : "no", /* verify the manifest file */
NULL
};
- execv(pull_binary_path(), (char *const*) cmdline);
- log_error_errno(errno, "Failed to execute %s tool: %m", pull_binary_path());
+ r = invoke_callout_binary(SYSTEMD_PULL_PATH, (char *const*) cmdline);
+ log_error_errno(r, "Failed to execute %s tool: %m", SYSTEMD_PULL_PATH);
_exit(EXIT_FAILURE);
};
#include "alloc-util.h"
#include "blockdev-util.h"
+#include "build-path.h"
#include "chase.h"
#include "conf-parser.h"
#include "dirent-util.h"
memcpy(ret->sha256sum, i->metadata.sha256sum, sizeof(ret->sha256sum));
}
-static int run_helper(
+static int run_callout(
const char *name,
- const char *path,
- const char * const cmdline[]) {
+ char *cmdline[]) {
int r;
assert(name);
- assert(path);
assert(cmdline);
+ assert(cmdline[0]);
r = safe_fork(name, FORK_RESET_SIGNALS|FORK_DEATHSIG_SIGTERM|FORK_LOG|FORK_WAIT, NULL);
if (r < 0)
return r;
if (r == 0) {
/* Child */
-
- execv(path, (char *const*) cmdline);
- log_error_errno(errno, "Failed to execute %s tool: %m", path);
+ r = invoke_callout_binary(cmdline[0], (char *const*) cmdline);
+ log_error_errno(r, "Failed to execute %s tool: %m", cmdline[0]);
_exit(EXIT_FAILURE);
}
* importer has some tricks up its sleeve, such as sparse file generation, which we
* want to take benefit of, too.) */
- r = run_helper("(sd-import-raw)",
- import_binary_path(),
- (const char* const[]) {
- "systemd-import",
+ r = run_callout("(sd-import-raw)",
+ STRV_MAKE(
+ SYSTEMD_IMPORT_PATH,
"raw",
"--direct", /* just copy/unpack the specified file, don't do anything else */
arg_sync ? "--sync=yes" : "--sync=no",
i->path,
- t->temporary_path,
- NULL
- });
+ t->temporary_path));
break;
case RESOURCE_PARTITION:
/* regular file → partition */
- r = run_helper("(sd-import-raw)",
- import_binary_path(),
- (const char* const[]) {
- "systemd-import",
+ r = run_callout("(sd-import-raw)",
+ STRV_MAKE(
+ SYSTEMD_IMPORT_PATH,
"raw",
"--direct", /* just copy/unpack the specified file, don't do anything else */
"--offset", offset,
"--size-max", max_size,
arg_sync ? "--sync=yes" : "--sync=no",
i->path,
- t->target.path,
- NULL
- });
+ t->target.path));
break;
default:
/* directory/subvolume → directory/subvolume */
- r = run_helper("(sd-import-fs)",
- import_fs_binary_path(),
- (const char* const[]) {
- "systemd-import-fs",
+ r = run_callout("(sd-import-fs)",
+ STRV_MAKE(
+ SYSTEMD_IMPORT_FS_PATH,
"run",
"--direct", /* just untar the specified file, don't do anything else */
arg_sync ? "--sync=yes" : "--sync=no",
t->target.type == RESOURCE_SUBVOLUME ? "--btrfs-subvol=yes" : "--btrfs-subvol=no",
i->path,
- t->temporary_path,
- NULL
- });
+ t->temporary_path));
break;
case RESOURCE_TAR:
/* tar → directory/subvolume */
- r = run_helper("(sd-import-tar)",
- import_binary_path(),
- (const char* const[]) {
- "systemd-import",
+ r = run_callout("(sd-import-tar)",
+ STRV_MAKE(
+ SYSTEMD_IMPORT_PATH,
"tar",
"--direct", /* just untar the specified file, don't do anything else */
arg_sync ? "--sync=yes" : "--sync=no",
t->target.type == RESOURCE_SUBVOLUME ? "--btrfs-subvol=yes" : "--btrfs-subvol=no",
i->path,
- t->temporary_path,
- NULL
- });
+ t->temporary_path));
break;
case RESOURCE_URL_FILE:
/* url file → regular file */
- r = run_helper("(sd-pull-raw)",
- pull_binary_path(),
- (const char* const[]) {
- "systemd-pull",
+ r = run_callout("(sd-pull-raw)",
+ STRV_MAKE(
+ SYSTEMD_PULL_PATH,
"raw",
"--direct", /* just download the specified URL, don't download anything else */
"--verify", digest, /* validate by explicit SHA256 sum */
arg_sync ? "--sync=yes" : "--sync=no",
i->path,
- t->temporary_path,
- NULL
- });
+ t->temporary_path));
break;
case RESOURCE_PARTITION:
/* url file → partition */
- r = run_helper("(sd-pull-raw)",
- pull_binary_path(),
- (const char* const[]) {
- "systemd-pull",
+ r = run_callout("(sd-pull-raw)",
+ STRV_MAKE(
+ SYSTEMD_PULL_PATH,
"raw",
"--direct", /* just download the specified URL, don't download anything else */
"--verify", digest, /* validate by explicit SHA256 sum */
"--size-max", max_size,
arg_sync ? "--sync=yes" : "--sync=no",
i->path,
- t->target.path,
- NULL
- });
+ t->target.path));
break;
default:
case RESOURCE_URL_TAR:
assert(IN_SET(t->target.type, RESOURCE_DIRECTORY, RESOURCE_SUBVOLUME));
- r = run_helper("(sd-pull-tar)",
- pull_binary_path(),
- (const char*const[]) {
- "systemd-pull",
+ r = run_callout("(sd-pull-tar)",
+ STRV_MAKE(
+ SYSTEMD_PULL_PATH,
"tar",
"--direct", /* just download the specified URL, don't download anything else */
"--verify", digest, /* validate by explicit SHA256 sum */
t->target.type == RESOURCE_SUBVOLUME ? "--btrfs-subvol=yes" : "--btrfs-subvol=no",
arg_sync ? "--sync=yes" : "--sync=no",
i->path,
- t->temporary_path,
- NULL
- });
+ t->temporary_path));
break;
default:
extern bool arg_sync;
extern uint64_t arg_instances_max;
extern char *arg_root;
-
-static inline const char* import_binary_path(void) {
- return secure_getenv("SYSTEMD_IMPORT_PATH") ?: SYSTEMD_IMPORT_PATH;
-}
-
-static inline const char* import_fs_binary_path(void) {
- return secure_getenv("SYSTEMD_IMPORT_FS_PATH") ?: SYSTEMD_IMPORT_FS_PATH;
-}
-
-static inline const char *pull_binary_path(void) {
- return secure_getenv("SYSTEMD_PULL_PATH") ?: SYSTEMD_PULL_PATH;
-}
'test-bitmap.c',
'test-blockdev-util.c',
'test-bootspec.c',
+ 'test-build-path.c',
'test-bus-util.c',
'test-calendarspec.c',
'test-cgroup-setup.c',
--- /dev/null
+/* SPDX-License-Identifier: LGPL-2.1-or-later */
+
+#include "build-path.h"
+#include "log.h"
+#include "string-util.h"
+
+int main(int argc, char* argv[]) {
+ _cleanup_free_ char *p = NULL;
+ int r;
+
+ r = get_build_exec_dir(&p);
+ if (r == -ENOEXEC)
+ log_info("Not run from build dir.");
+ else if (r < 0)
+ log_error_errno(r, "Failed to find build dir: %m");
+ else
+ log_info("%s", strna(p));
+
+ return 0;
+}
#include "sd-daemon.h"
+#include "build-path.h"
#include "common-signal.h"
#include "env-util.h"
#include "fd-util.h"
_exit(EXIT_FAILURE);
}
- /* execl("/home/lennart/projects/systemd/build/systemd-userwork", "systemd-userwork", "xxxxxxxxxxxxxxxx", NULL); /\* With some extra space rename_process() can make use of *\/ */
- /* execl("/usr/bin/valgrind", "valgrind", "/home/lennart/projects/systemd/build/systemd-userwork", "systemd-userwork", "xxxxxxxxxxxxxxxx", NULL); /\* With some extra space rename_process() can make use of *\/ */
-
- execl(SYSTEMD_USERWORK_PATH, "systemd-userwork", "xxxxxxxxxxxxxxxx", NULL); /* With some extra space rename_process() can make use of */
- log_error_errno(errno, "Failed start worker process: %m");
+ r = invoke_callout_binary(SYSTEMD_USERWORK_PATH, STRV_MAKE(SYSTEMD_USERWORK_PATH, "xxxxxxxxxxxxxxxx")); /* With some extra space rename_process() can make use of */
+ log_error_errno(r, "Failed start worker process: %m");
_exit(EXIT_FAILURE);
}
* - where a simplified machine-parsable form is more useful, for example
* pkgconfig files and version information written to binary files.
*/
-#define GIT_VERSION "@VCS_TAG@"
+#define GIT_VERSION VERSION_TAG "@VCS_TAG@"
[Network]
Address=192.168.6.2/24
DHCPServer=yes
-IPForward=ipv4
+IPv4Forwarding=yes
IPv6AcceptRA=no
[DHCPServer]
[Network]
DHCP=yes
-IPForward=ipv4
+IPv4Forwarding=yes
IPv6AcceptRA=no
[Network]
Address=192.168.5.2/24
-IPForward=ipv4
+IPv4Forwarding=yes
IPv6AcceptRA=no
[Network]
Address=192.168.5.1/24
-IPForward=ipv4
+IPv4Forwarding=yes
DHCPServer=yes
IPv6AcceptRA=no
IPv6ProxyNDPAddress=2607:5300:203:5215:2::1
IPv6ProxyNDPAddress=2607:5300:203:5215:1::1
IPv6AcceptRA=no
-IPForward=yes
Address=66.70.129.136/32
Address=66.70.129.142/32
Address=66.70.129.143/32
Name=dummy98
[Network]
-IPForward=yes
+IPv4Forwarding=yes
+IPv6Forwarding=yes
IPv6DuplicateAddressDetection=3
IPv6HopLimit=5
IPv4ProxyARP=yes
[Network]
VLAN=vlan99
-IPForward=yes
ConfigureWithoutCarrier=yes
LLDP=yes
IPv6AcceptRA=false
[Network]
IPv6AcceptRA=no
-IPForward=yes
Bridge=bridge99
LinkLocalAddressing=no
EmitLLDP=nearest-bridge
start_networkd()
self.wait_online('veth99:routable', 'veth-peer:degraded')
+ # IPv6SendRA=yes implies IPv6Forwarding.
+ self.check_ipv6_sysctl_attr('veth-peer', 'forwarding', '1')
+
output = resolvectl('dns', 'veth99')
print(output)
self.assertRegex(output, 'fe80::')
+++ /dev/null
-#!/usr/bin/env bash
-# SPDX-License-Identifier: LGPL-2.1-or-later
-
-set -u
-set -o pipefail
-
-dir="${1:-.}"
-version_tag="${2:-}"
-
-if [ -n "${version_tag}" ]; then
- # If -Dversion_tag= was used, just use that without further changes.
- echo "${version_tag}"
-else
- read -r project_version <"${dir}/meson.version"
-
- # Check that we have either .git/ (a normal clone) or a .git file (a work-tree)
- # and that we don't get confused if a tarball is extracted in a higher-level
- # git repository.
- #
- # If the working tree has no tags (CI builds), the first git-describe will fail
- # and we fall back to project_version-commitid instead.
-
- c=''
- if [ -e "${dir}/.git" ]; then
- c="$(git -C "$dir" describe --abbrev=7 --dirty=^ 2>/dev/null)"
- if [ -n "$c" ]; then
- # git describe uses the most recent tag. However, for development versions (e.g. v256~devel), the
- # most recent tag will be v255 as there is no tag for development versions. To deal with this, we
- # replace the tag with the project version instead.
- c="${project_version}-${c#*-}"
- else
- # This call might still fail with permission issues
- suffix="$(git -C "$dir" describe --always --abbrev=7 --dirty=^ 2>/dev/null)"
- [ -n "$suffix" ] && c="${project_version}-${suffix}"
- fi
- fi
- [ -z "$c" ] && c="${project_version}"
- # Replace any hyphens with carets which are allowed in versions by pacman whereas hyphens are not. Git
- # versions with carets will also sort higher than their non-git version counterpart both in pacman
- # versioning and in version format specification versioning.
- echo "$c" | sed 's/^v//; s/-/^/g'
-fi