bootctl: don't start "bootctl list" output with a title line
Let's not output a title line given that we don't output multiple
different things here anyway, and the "bootctl list" command is about
listing boot entries anyway and it's documented that way.
Having titles for sections if we have mutliple sections of output
definitely makes sense, but if there's only one kind of information we
list it's redundant clutter.
Let's better be safe than sorry, and follow symlinks in ESP + XBOOTLDR
via chase_symlinks() relative to the root of these files systems. This is
not a big issue given that ESP/XBOOTLDR are supposed to be VFAT where
symlinks don't exist, but the specs don't strictly require this, and by
loading efifs drivers in uefi it would be possible to support symlinks,
but we'd rather not have that here.
No real change in behaviour, just stricter rules to make me sleep better
at night.
William Roberts [Wed, 7 Sep 2022 12:52:16 +0000 (07:52 -0500)]
tpm2: add bind key
Currently, the tpm2 support will use encrypted sessions by creating a
primary key that is used to encrypt traffic. This creates a problem as
the key created for encrypting the traffic could be faked by an active
interposer on the bus. In cases when a pin is used, we can introduce the
bind key. The pin is used as the auth value for the seal key, aka the
disk encryption key, and that auth value can be used in the session
establishment. An attacker would need the pin value to create the secure
session and thus an active interposer without the pin could not
interpose on TPM traffic.
Related-to: #22637 Signed-off-by: William Roberts <william.c.roberts@intel.com>
repart: Add support for formatting verity partitions
This commit adds a new Verity= setting to repart definition files
with two possible values: "data" and "hash".
If Verity= is set to "data", repart works as before, and populates
the partition with the content from CopyBlocks= or CopyFiles=.
If Verity= is set to "hash", repart will try to find a matching
data partition with Verity=data and equal values for CopyBlocks=
or CopyFiles=, Format= and MakeDirectories=. If a matching data
partition is found, repart will generate verity hashes for that
data partition in the verity partition. The UUID of the data
partition is set to the first 128 bits of the verity root hash. The
UUID of the hashes partition is set to the final 128 bits of the
verity root hash.
uid-range: error code tweak for uid_range_load_userns()
Let's return ENOSYS if /proc/ is not mounted (as that's what we usually
return in that case in various helpers that operate on /proc/). Return
EOPNOTSUPP if the kernel simply doesn't support userns.
dissect-image: reuse LoopDevice.node in dissect_image()
Currently, dissect_image() is only called through dissect_loop_device(),
and the LoopDevice object has device name. Hence, it is not necessary to
get device name in dissect_image().
dissect-image: use loop backing file or device node as name of the image
Note, currently, for each call of dissect_loop_device_and_warn(), the
specified name is equivalent to the path passed to loop_device_make_by_path().
Hence, this should not change the current behavios.
Jan Janssen [Mon, 29 Aug 2022 08:43:27 +0000 (10:43 +0200)]
boot: Use proper scan codes
This arg expects scan codes and it can be very confusing to find a key
conflict when trying to add a F3 button when there are no F3 keycodes
seemingly in use. CHAR_CARRIAGE_RETURN and SCAN_F3 use the same value,
so no changes in behavior.
busctl: Add introspect support for methods with same name but different signature
D-Bus interfaces can have multiple methods with the same name, as long
as they have different arguments (signature). Currently busctl can call
those methods but when introspecting the interface it just displays
"Duplicate method"
This PR fixes the behavior, by also adding the signature to the hash for
the members set.
$ busctl introspect org.asamk.Signal /org/asamk/Signal
NAME TYPE SIGNATURE RESULT/VALUE FLAGS
org.asamk.Signal interface - - -
.sendMessage method as x -
.sendMessage method s x -
Calling the methods already works as expected, as the user must specify
the signature explicitely:
busctl --user call org.asamk.Signal /org/asamk/Signal org.asamk.Signal sendMessage "as" 2 foo bar
busctl --user call org.asamk.Signal /org/asamk/Signal org.asamk.Signal sendMessage "s" foo
test: don't fail if we don't need any external nss libs
On certain systems the `install_libnss()` function might end up with an
empty list of libraries to install, which triggers an assertion in
`image_install()`:
```
I: Install libnss
..//test-functions: line 2721: 1: parameter null or not set
make: *** [Makefile:4: setup] Error 1
```
test: kill plymouthd after initrd transition if it's still running
Until now using the INTERACTIVE_DEBUG=yes stuff together with sanitizers
was almost impossible, since the console kept eating up our inputs or
not responding at all. After a painful day of debugging I noticed that
if we use a shell script in the initrd -> root transition, we might end up
with a plymouthd still running, which kept screwing with the tty.
E.g. with initrd -> wrapper -> systemd transition, where the `wrapper`
is a simple script:
```
exec -- /usr/lib/systemd/systemd "$@"
```
we'd end up with a stray plymouthd process after the bootup:
Kai Lueke [Mon, 15 Aug 2022 15:47:03 +0000 (17:47 +0200)]
Use original filename for extension name check
The loading of an extension image from a symlink "NAME.raw" to
"NAME-VERSION.raw" failed because the release file name check worked
with the backing file of the loop device which already resolves the
symlink and thus the found name "NAME-VERSION" mismatched "NAME".
Pass the original filename and use it instead of the backing file
when available. This fixes the loading of "NAME.raw" extensions which
are a symlink to "NAME-VERSION.raw" as, e.g., may be the case when
systemd-sysupdate manages multiple versions.
rootidmap bind option will map the root user from the container to the
owner of the mounted directory on the filesystem. This will ensure files
and directories created by the root user in the container will be owned
by the directory owner on the filesystem. All other user will remain
unmapped.
nspawn: rename RemountIdmapFlags enum to RemountIdmapping
This enum should be used to define various idmapping modes for bind
mounts which might be incompatible. Changing its name and the values
name to reflect that.
If multiple service is starting simultaneously with a shared image,
then one of the service may fail to create a mount node:
systemd[695]: Bind-mounting /usr/lib/os-release on /run/systemd/unit-root/run/host/os-release (MS_BIND|MS_REC "")...
systemd[696]: Bind-mounting /usr/lib/os-release on /run/systemd/unit-root/run/host/os-release (MS_BIND|MS_REC "")...
systemd[695]: Failed to mount /usr/lib/os-release (type n/a) on /run/systemd/unit-root/run/host/os-release (MS_BIND|MS_REC ""): No such file or directory
systemd[696]: Failed to mount /usr/lib/os-release (type n/a) on /run/systemd/unit-root/run/host/os-release (MS_BIND|MS_REC ""): No such file or directory
systemd[695]: Bind-mounting /usr/lib/os-release on /run/systemd/unit-root/run/host/os-release (MS_BIND|MS_REC "")...
systemd[696]: Failed to create destination mount point node '/run/systemd/unit-root/run/host/os-release': Operation not permitted
systemd[695]: Successfully mounted /usr/lib/os-release to /run/systemd/unit-root/run/host/os-release
The function apply_one_mount() in src/core/namespace.c gracefully
handles -EEXIST from make_mount_point_inode_from_path(), but it erroneously
returned -EPERM previously. This fixes the issue.
Fixes one of the issues in #24147, especially reported at
https://github.com/systemd/systemd/issues/24147#issuecomment-1236194671.
bootspec: do not build two many json object at once
This is a workaround for an issue in the memory sanitizer.
If a function is called with too many arguments, then the sanitizer
triggers the following false-positive warning:
==349==WARNING: MemorySanitizer: use-of-uninitialized-value
#0 0x7f8b247134a7 in json_buildv /work/build/../../src/systemd/src/shared/json.c:3213:17
#1 0x7f8b24714231 in json_build /work/build/../../src/systemd/src/shared/json.c:4117:13
#2 0x7f8b24487fa5 in show_boot_entries /work/build/../../src/systemd/src/shared/bootspec.c:1424:29
#3 0x4a6a1b in LLVMFuzzerTestOneInput /work/build/../../src/systemd/src/fuzz/fuzz-bootspec.c:119:16
#4 0x4c6693 in fuzzer::Fuzzer::ExecuteCallback(unsigned char const*, unsigned long) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:611:15
#5 0x4c5e7a in fuzzer::Fuzzer::RunOne(unsigned char const*, unsigned long, bool, fuzzer::InputInfo*, bool, bool*) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:514:3
#6 0x4c7ce4 in fuzzer::Fuzzer::ReadAndExecuteSeedCorpora(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:826:7
#7 0x4c7f19 in fuzzer::Fuzzer::Loop(std::__Fuzzer::vector<fuzzer::SizedFile, std::__Fuzzer::allocator<fuzzer::SizedFile> >&) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerLoop.cpp:857:3
#8 0x4b757f in fuzzer::FuzzerDriver(int*, char***, int (*)(unsigned char const*, unsigned long)) /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerDriver.cpp:912:6
#9 0x4e0bd2 in main /src/llvm-project/compiler-rt/lib/fuzzer/FuzzerMain.cpp:20:10
#10 0x7f8b23ead082 in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x24082) (BuildId: 1878e6b475720c7c51969e69ab2d276fae6d1dee)
#11 0x41f69d in _start (build-out/fuzz-bootspec+0x41f69d)
Dumping everything to console slows the test quite considerably on
slower machines, so let's forward nspawn logs to the journal to still
have them available in case something goes south.
This should, hopefully, help with TEST-13 timeouts in Ubuntu CI and
maybe with CPU soft lockups in CentOS CI.
This should make the test faster on fast machines and more reliable on
slower/under-load machines, where the 4 sec sleep wasn't sometimes enough.
Spotted on C8S machines under load:
```
test_added_after (__main__.ExecutionResumeTest) ... FAIL
test_added_before (__main__.ExecutionResumeTest) ... ok
test_interleaved (__main__.ExecutionResumeTest) ... ok
test_issue_6533 (__main__.ExecutionResumeTest) ... ok
test_no_change (__main__.ExecutionResumeTest) ... ok
test_removal (__main__.ExecutionResumeTest) ... ok
test_swapped (__main__.ExecutionResumeTest) ... ok
======================================================================
FAIL: test_added_after (__main__.ExecutionResumeTest)
----------------------------------------------------------------------
Traceback (most recent call last):
File "./test/test-exec-deserialization.py", line 101, in check_output
with open(self.output_file, 'r') as log:
FileNotFoundError: [Errno 2] No such file or directory: '/tmp/tmpjnec1dj4'
During handling of the above exception, another exception occurred:
Traceback (most recent call last):
File "./test/test-exec-deserialization.py", line 150, in test_added_after
self.check_output(expected_output)
File "./test/test-exec-deserialization.py", line 104, in check_output
self.fail()
AssertionError: None
----------------------------------------------------------------------
Ran 7 tests in 44.270s
```