From: Zbigniew Jędrzejewski-Szmek Date: Wed, 15 Apr 2026 06:09:55 +0000 (+0200) Subject: Merge pull request #41375 from brauner/work.todo.cleanup X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;p=thirdparty%2Fsystemd.git Merge pull request #41375 from brauner/work.todo.cleanup [zjs: I did the merge by hand to incorporate the changes that were made on 'main' in the meantime. That is easier then rebasing the series.] --- ceeb9ccfed9d5896cac1e41b68c588ef5786da30 diff --cc TODO.md index 37cd671d7ea,0cd44bd57d9..04ab5971670 --- a/TODO.md +++ b/TODO.md @@@ -110,559 -118,554 +118,564 @@@ SPDX-License-Identifier: LGPL-2.1-or-la That requires distros to enable CONFIG_ACPI_FPDT, and have kernels v5.12 for x86 and v6.2 for arm. - * In v260: remove support for deprecated FactoryReset EFI variable in - systemd-repart, replaced by FactoryResetRequest. + - Remove support for deprecated FactoryReset EFI variable in + systemd-repart, replaced by FactoryResetRequest (was planned for v260). - * Consider removing root=gpt-auto, and push people to use root=dissect instead. + - Consider removing root=gpt-auto, and push people to use root=dissect instead. - * remove any trace of "cpuacct" cgroup controller, it's a cgroupv1 thing. + - remove any trace of "cpuacct" cgroup controller, it's a cgroupv1 thing. similar "devices" - Features: - * sysext: make systemd-{sys,conf}ext-sysroot.service work in the split '/var' - configuration. + ## Features - * introduce a concept of /etc/machine-info "TAGS=" field that allows tagging - machines with zero, one or more roles, states or other forms of - categorization. Then, add a way of using this in sysupdate to automatically - enable certain transfers, one for each role. + - a small tool that can do basic btrfs raid policy mgmt. i.e. gets started as + part of the initial transaction for some btrfs raid fs, waits for some time, + then puts message on screen (plymouth, console) that some devices apparently + are not showing up, then counts down, eventually set a flag somewhere, and + retriggers the fs is was invoked for, which causes the udev rules to rerun + that assemble the btrfs raid, but this time force degraded assembly. - * sd-varlink: add fully async modes of the protocol upgrade stuff + - a way for container managers to turn off getty starting via $container_headless= or so... - * repart: maybe remove iso9660/eltorito superblock from disk when booting via - gpt, if there is one. + - add "conditions" for bls type 1 and type 2 profiles that allow suppressing + them under various conditions: 1. if tpm2 is available or not available; + 2. if sb is on or off; 3. if we are netbooted or not; … - * crypttab/gpt-auto-generator: allow explicit control over which unlock mechs - to permit, and maybe have a global headless kernel cmdline option + - add "homectl export" and "homectl import" that gets you an "atomic" snapshot + of your homedir, i.e. either a tarball or a snapshot of the underlying disk + (use FREEZE/THAW to make it consistent, btrfs snapshots) - * start making use of the new --graceful switch to util-linux' umount command + - Add "purpose" flag to partition flags in discoverable partition spec that + indicate if partition is intended for sysext, for portable service, for + booting and so on. Then, when dissecting DDI allow specifying a purpose to + use as additional search condition. Use case: images that combined a sysext + partition with a portable service partition in one. - * sysusers: allow specifying a path to an inode *and* a literal UID in the UID - column, so that if the inode exists it is used, and if not the literal UID is - used. Use this for services such as the imds one, which run under their own - UID in the initrd, and whose data should survive to the host, properly owned. + - add "systemctl wait" or so, which does what "systemd-run --wait" does, but + for all units. It should be both a way to pin units into memory as well as a + wait to retrieve their exit data. - * add service file setting to force the fwmark (a la SO_MARK) to some value, so - that we can allowlist certain services for imds this way. + - add "systemd-analyze debug" + AttachDebugger= in unit files: The former + specifies a command to execute; the latter specifies that an already running + "systemd-analyze debug" instance shall be contacted and execution paused + until it gives an OK. That way, tools like gdb or strace can be safely be + invoked on processes forked off PID 1. - * lock down swtpm a bit to make it harder to extract keys from it as it is - running. i.e. make ptracing + termination hard from the outside. also run - swtpm as unpriv user (not trivial, probably requires patch swtpm, as it needs - to allocate vtpm device), to lock it down from the inside. + - add "systemd-sysext identify" verb, that you can point on any file in /usr/ + and that determines from which overlayfs layer it originates, which image, and with + what it was signed. - * once swtpm's sd_notify() support has landed in the distributions, remove the - invocation in tpm2-swtpm.c and let swtpm handle it. + - add --vacuum-xyz options to coredumpctl, matching those journalctl already has. - * make systemd work nicely without /bin/sh, logins and associated shell tools around - - make sure debug shell service (sushell) has a nice failure mode, prints a message and reboots - - varlink interface for "systemctl start" and friends - - https://github.com/util-linux/util-linux/issues/4117 + - Add a "systemctl list-units --by-slice" mode or so, which rearranges the + output of "systemctl list-units" slightly by showing the tree structure of + the slices, and the units attached to them. - * imds: maybe do smarter api version handling + - Add a concept of ListenStream=anonymous to socket units: listen on a socket + that is deleted in the fs. Use case would be with ConnectSocket= above. - * drop NV_ORDERLY flag from the product uuid nvpcr. Effect of the flag is that - it pushes the thing into TPM RAM, but a TPM usually has very little of that, - less than NVRAM. hence setting the flag amplifies space issues. Unsetting the - flag increases wear issues on the NVRAM, however, but this should be limited - for the product uuid nvpcr, since its only changed once per boot. this needs - to be configurable by nvpcr however, as other nvpcrs are different, - i.e. verity one receives many writes during system uptime quite - possibly. (also, NV_ORDERLY makes stuff faster, and dropping it costs - possibly up to 100ms supposedly) + - add a ConnectSocket= setting to service unit files, that may reference a + socket unit, and which will connect to the socket defined therein, and pass + the resulting fd to the service program via socket activation proto. - * instead of going directly for DefineSpace when initializing nvpcrs, check if - they exist first. apparently DEfineSpace is broken on some tpms, and also - creates log spam if the nvindex already exists. + - add a dbus call to generate target from current state - * on first login of a user, measure its identity to some nvpcr + - add a dependency on standard-conf.xml and other included files to man pages - * sd-lldp: pick up 802.3 maximum frame size/mtu, to be able to detect jumbo - frame capable networks + - add a job mode that will fail if a transaction would mean stopping + running units. Use this in timedated to manage the NTP service + state. + https://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html - * networkd: maintain a file in /run/ that can be symlinked into /run/issue.d/ - that always shows the current primary IP address + - add a kernel cmdline switch (and cred?) for marking a system to be + "headless", in which case we never open /dev/console for reading, only for + writing. This would then mean: systemd-firstboot would process creds but not + ask interactively, getty would not be started and so on. - * oci: add support for blake hashes for layers + - add a Load= setting which takes literal data in text or base64 format, and + puts it into a memfd, and passes that. This enables some fun stuff, such as + embedding bash scripts in unit files, by combining Load= with + ExecStart=/bin/bash /proc/self/fd/3 - * oci: add support for "importctl import-oci" which implements the "OCI layout" - spec (i.e. acquiring via local fs access), as opposed to the current - "importctl pull-oci" which focusses on the "OCI image spec", i.e. downloads - from the web (i.e. acquiring via URLs). + - add a mechanism we can drop capabilities from pid1 *before* transitioning + from initrd to host. i.e. before we transition into the slightly lower trust + domain that is the host systems we might want to get rid of some caps. + Example: CAP_SYS_BPF in the signed bpf loading logic above. (We already have + CapabilityBoundingSet= in system.conf, but that is enforced when pid 1 + initializes, rather then when it transitions to the next.) - * oci: support "data" in any OCI descriptor, not just manifest config. + - add a new "debug" job mode, that is propagated to unit_start() and for + services results in two things: we raise SIGSTOP right before invoking + execve() and turn off watchdog support. Then, use that to implement + "systemd-gdb" for attaching to the start-up of any system service in its + natural habitat. - * report: - - plug "facts" into systemd-report too, i.e. stuff that is more static, such as hostnames, ssh keys and so on. - - pass filtering hints to services, so that they can also be applied server-side, not just client side - - metrics from pid1: suppress metrics form units that are inactive and have nothing to report - - add "hint-suppress-zero" flag (which suppresses all metrics which are zero) - - add "hint-object" parameter (which only queries info about certain object) - - make systemd-report a varlink service + - add a new flag to chase() that stops chasing once the first missing + component is found and then allows the caller to create the rest. - * implement a varlink registry service, similar to the one of the reference - implementation, backed by /run/varlink/registry/. Then, also implement - connect-via-registry-resolution in sd-varlink and varlinkctl. Care needs to - be taken to do the resolution asynchronousy. Also, note that the Varlink - reference implementation uses a different address syntax, which needs to be - taken into account. + - add a new PE binary section ".mokkeys" or so which sd-stub will insert into + Mok keyring, by overriding/extending whatever shim sets in the EFI + var. Benefit: we can extend the kernel module keyring at ukify time, + i.e. without recompiling the kernel, taking an upstream OS' kernel and adding + a local key to it. - * have a signal that reloads every unit that supports reloading + - add a new specifier to unit files that figures out the DDI the unit file is + from, tracing through overlayfs, DM, loopback block device. - * systemd: add storage API via varlink, where everyone can drop a socket in a - dir, similar, do the same thing for networking + - add a new switch --auto-definitions=yes/no or so to systemd-repart. If + specified, synthesize a definition automatically if we can: enlarge last + partition on disk, but only if it is marked for growing and not read-only. - * do a console daemon that takes stdio fds for services and allows to reconnect - to them later + - add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and + usefaultd() and make systemd-analyze check for it. - * report: have something that requests cloud workload identity bearer tokens - and includes it in the report + - Add a new verb "systemctl top" - * sysupdate: download multiple arbitrary patterns from same source + - add a pam module that on password changes updates any LUKS slot where the password matches - * sysupdate: SHA256SUMS format with bearer tokens for each resource to download + - add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and + then use that for the setting used in user@.service. It should be understood + relative to the configured default value. - * sysupdate: decrypt SHA256SUMS with key from tpm + - add a plugin for factory reset logic that erases certain parts of the ESP, + but leaves others in place. - * sysupdate: clean up stuff on disk that disappears from SHA256SUMS + - add a proper concept of a "developer" mode, i.e. where cryptographic + protections of the root OS are weakened after interactive confirmation, to + allow hackers to allow their own stuff. idea: allow entering developer mode + only via explicit choice in boot menu: i.e. add explicit boot menu item for + it. When developer mode is entered, generate a key pair in the TPM2, and add + the public part of it automatically to keychain of valid code signature keys + on subsequent boots. Then provide a tool to sign code with the key in the + TPM2. Ensure that boot menu item is the only way to enter developer mode, by + binding it to locality/PCRs so that keys cannot be generated otherwise. - * sysupdate: turn http backend stuff int plugin via varlink + - add a system-wide seccomp filter list for syscalls, kill "acct()" "@obsolete" + and a few other legacy syscalls that way. - * add new tool that can be used in debug mode runs in very early boot, - generates a random password, passes it as credential to sysusers for the root - user, then displays it on screen. people can use this to remotely log in. + - add a test if all entries in the catalog are properly formatted. + (Adding dashes in a catalog entry currently results in the catalog entry + being silently skipped. journalctl --update-catalog must warn about this, + and we should also have a unit test to check that all our message are OK.) - * Maybe introduce an InodeRef structure inspired by PidRef, which references a - specific inode, and combines: a path, an O_PATH fd, and possibly a FID into - one. Why? We often pass around path and fd separately in chaseat() and similar - calls. Because passing around both separately is cumbersome we sometimes only - one pass one, once the other and sometimes both. It would make the code a lot - simpler if we could path both around at the same time in a simple way, via an - InodeRef which *both* pins the inode via an fd, *and* gives us a friendly - name for it. + - add a utility that can be used with the kernel's + CONFIG_STATIC_USERMODEHELPER_PATH and then handles them within pid1 so that + security, resource management and cgroup settings can be enforced properly + for all umh processes. - * systemd-sysupdate: for each transfer support looking at multiple sources, - pick source with newest entry. If multiple sources have the same entry, use - first configured source. Usecase: "sideload" components from local dirs, - without disabling remote sources. + - add a way to lock down cgroup migration: a boolean, which when set for a unit + makes sure the processes in it can never migrate out of it - * systemd-sysupdate: support "revoked" items, which cause the client to - downgrade/upgrade + - add ability to path_is_valid() to classify paths that refer to a dir from + those which may refer to anything, and use that in various places to filter + early. i.e. stuff ending in "/", "/." and "/.." definitely refers to a + directory, and paths ending that way can be refused early in many contexts. - * portable services: attach not only unit files to host, but also simple - binaries to a tmpfs path in $PATH. + - Add ACL-based access management to .socket units. i.e. add AllowPeerUser= + + AllowPeerGroup= that installs additional user/group ACL entries on AF_UNIX + sockets. - * systemd-sysext: add "exec" command or so that is a bit like "refresh" but - runs it in a new namespace and then just executes the selected binary within - it. Could be useful to run one-off binaries inside a sysext as a CLI tool. + - Add AddUser= setting to unit files, similar to DynamicUser=1 which however + creates a static, persistent user rather than a dynamic, transient user. We + can leverage code from sysusers.d for this. - * systemd-repart: implement Integrity=data/meta and Integrity=inline for non-LUKS - case. Currently, only Integrity=inline combined with Encrypt= is implemented - and uses libcryptsetup features. Add support for plain dm-integrity setups when - integrity tags are stored by the device (inline), interleaved with data (data), - and on a separate device (meta). + - add an explicit parser for LimitRTPRIO= that verifies + the specified range and generates sane error messages for incorrect + specifications. - * homed/pam_systemd: allow authentication by ssh-agent, so that run0/polkit can - be allowed if caller comes with the right ssh-agent keys. + - Add and pickup tpm2 metadata for creds structure. + + - add another PE section ".fname" or so that encodes the intended filename for + PE file, and validate that when loading add-ons and similar before using + it. This is particularly relevant when we load multiple add-ons and want to + sort them to apply them in a define order. The order should not be under + control of the attacker. - * machined: gc for OCI layers that are not referenced anymore by any .mstack/ links. + - add bus API for creating unit files in /etc, reusing the code for transient units - * pull-oci: progress notification + - add bus api to query unit file's X fields. - * networkd/machined: implement reverse name lookups in the resolved hook + - add bus API to remove unit files from /etc - * networkd's resolved hook: optionally map all lease IP addresses handed out to - the same hostname which is configured on the .network file. Optionally, even - derive this single name from the network interface name (i.e. probably - altname or so). This way, when spawning a VM the host could pick the hostname - for it and the client gets no say. + - add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only) - * systemd-repart: add --ghost, that creates file systems, updates the kernel's - partition table but does *not* update partition table on disk. This way, we - have disk backed file systems that go effectively disappear on reboot. This - is useful when booting from a "live" usb stick that is writable, as it means - we do not have to place everything in memory. Moreover, we could then migrate - the file systems to disk later (using btrfs device replacement), if needed as - part of an installer logic. + - Add ConditionDirectoryNotEmpty= handle non-absoute paths as a search path or add + ConditionConfigSearchPathNotEmpty= or different syntax? See the discussion starting at + https://github.com/systemd/systemd/pull/15109#issuecomment-607740136. - * journald: log pidfid as another field, i.e. _PIDFDID= + - add CopyFile= or so as unit file setting that may be used to copy files or + directory trees from the host to the services RootImage= and RootDirectory= + environment. Which we can use for /etc/machine-id and in particular + /etc/resolv.conf. Should be smart and do something useful on read-only + images, for example fall back to read-only bind mounting the file instead. - * measure all log-in attempts into a new nvpcr + - Add ELF section to make systemd main binary recognizable cleanly, the same + way as we make sd-boot recognizable via PE section. - * maybe rework systemd-modules-load to be a generator that just instantiates - modprobe@.service a bunch of times + - Add ExecMonitor= setting. May be used multiple times. Forks off a process in + the service cgroup, which is supposed to monitor the service, and when it + exits the service is considered failed by its monitor. - * Split vconsole-setup in two, of which the second is started via udev (instead - of the "restart" job it currently fires). That way, boot becomes purely - positive again, and we can nicely order the two against each other. + - add field to bls type 1 and type 2 profiles that ensures an item is never + considered for automatic selection - * Add ELF section to make systemd main binary recognizable cleanly, the same - way as we make sd-boot recognizable via PE section. + - add generator that pulls in systemd-network from containers when + CAP_NET_ADMIN is set, more than the loopback device is defined, even + when it is otherwise off - * Add knob to cryptsetup, to trigger automatic reboot on failure to unlock + - add growvol and makevol options for /etc/crypttab, similar to + x-systemd.growfs and x-systemd-makefs. + + - Add knob to cryptsetup, to trigger automatic reboot on failure to unlock disk. Enable this by default for rootfs, also in gpt-auto-generator - * replace bootctl's PE version check to actually use APIs from pe-binary.[ch] - to find binary version. + - add linker script that implicitly adds symbol for build ID and new coredump + json package metadata, and use that when logging - * replace symlink_label(), mknodat_label(), btrfs_subvol_make_label(), - mkdir_label() and related calls by flags-based calls that use - label_ops_pre()/label_ops_post(). + - add new gpt type for btrfs volumes - * maybe reconsider whether virtualization consoles (hvc1) are considered local - or remote. i.e. are they more like an ssh login, or more like a /dev/tty1 - login? Lennart used to believe the former, but maybe the latter is more - appropriate? This has effect on polkit interactivity, since it would mean - questions via hvc0 would suddenly use the local polkit property. But this - also raises the question whether such sessions shall be considered active or - not + - add new tool that can be used in debug mode runs in very early boot, + generates a random password, passes it as credential to sysusers for the root + user, then displays it on screen. people can use this to remotely log in. - * automatically reset specific EFI vars on factory reset (make this generic - enough so that infrac can be used to erase shim's mok vars?) + - add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/ - * similar: add a plugin for factory reset logic that erases certain parts of - the ESP, but leaves others in place. + - add PR_SET_DUMPABLE service setting - * flush_fd() should probably try to be smart and stop reading once we know that - all further queued data was enqueued after flush_fd() was originally - called. For that, try SIOCINQ if fd refers to stream socket, and look at - timestamps for datagram sockets. + - add proper .osrel matching for PE addons. i.e. refuse applying an addon + intended for a different OS. Take inspiration from how confext/sysext are + matched against OS. - * Similar flush_accept() should look at sockdiag queued sockets count and exit - once we flushed out the specified number of connections. + - add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1 + and so on, which would mean we could report errors and such. - * maybe introduce a new per-unit drop-in directory .confext.d/ that may contain - symlinks to confext images to enable for the unit. -- Add RebootUptimeMinSec= knob to PID 1, that makes systemd-shutdown sleep - until the specified uptime has passed, to lengthen tight boot loops. - + - add service file setting to force the fwmark (a la SO_MARK) to some value, so + that we can allowlist certain services for imds this way. - * nspawn: map foreign UID range through 1:1 + - Add service unit setting ConnectStream= which takes IP addresses and connects to them. - * a small tool that can do basic btrfs raid policy mgmt. i.e. gets started as - part of the initial transaction for some btrfs raid fs, waits for some time, - then puts message on screen (plymouth, console) that some devices apparently - are not showing up, then counts down, eventually set a flag somewhere, and - retriggers the fs is was invoked for, which causes the udev rules to rerun - that assemble the btrfs raid, but this time force degraded assembly. + - add some optional flag to ReadWritePaths= and friends, that has the effect + that we create the dir in question when the service is started. Example: - * systemd-repart: make useful to duplicate current OS onto a second disk, so - that we can sanely copy ESP contents, /usr/ images, and then set up btrfs - raid for the root fs to extend/mirror the existing install. This would be - very similar to the concept of live-install-through-btrfs-migration. + ReadWritePaths=:/var/lib/foobar - * introduce /etc/boottab or so which lists block devices that bootctl + - kernel-install shall update the ESPs on (and register in EFI BootXYZ - variables), in addition to whatever is currently the booted /usr/. - systemd-sysupdate should also take it into consideration and update the - /usr/ images on all listed devices. + - add some service that makes an atomic snapshot of PCR state and event log up + to that point available, possibly even with quote by the TPM. - * replace all uses of fopen_temporary() by fopen_tmpfile_linkable() + - flink_tmpfile() and then get rid of fopen_temporary(). Benefit: use O_TMPFILE - pervasively, and avoid rename() wherever we can. + - add some special mode to LogsDirectory=/StateDirectory=… that allows + declaring these directories without necessarily pulling in deps for them, or + creating them when starting up. That way, we could declare that + systemd-journald writes to /var/log/journal, which could be useful when we + doing disk usage calculations and so on. - * loginctl: show argv[] of "leader" process in tabular list-sessions output + - add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration) - * loginctl: show "service identifier" in tabular list-sessions output, to make - run0 sessions easily visible. + - add support for activating nvme-oF devices at boot automatically via kernel + cmdline, and maybe even support a syntax such as + root=nvme:\:\:\:\:\ to boot directly from + nvme-oF - * run0: maybe enable utmp for run0 sessions, so that they are easily visible. + - add support for asymmetric LUKS2 TPM based encryption. i.e. allow preparing + an encrypted image on some host given a public key belonging to a specific + other host, so that only hosts possessing the private key in the TPM2 chip + can decrypt the volume key and activate the volume. Use case: systemd-confext + for a central orchestrator to generate confext images securely that can only + be activated on one specific host (which can be used for installing a bunch + of creds in /etc/credstore/ for example). Extending on this: allow binding + LUKS2 TPM based encryption also to the TPM2 internal clock. Net result: + prepare a confext image that can only be activated on a specific host that + runs a specific software in a specific time window. confext would be + automatically invalidated outside of it. - * maybe beef up sd-event: optionally, allow sd-event to query the timestamp of - next pending datagram inside a SOCK_DGRAM IO fd, and order event source - dispatching by that. Enable this on the native + syslog sockets in journald, - so that we add correct ordering between the two. Use MSG_PEEK + SCM_TIMESTAMP - for this. + - Add support for extra verity configuration options to systemd-repart (FEC, + hash type, etc) - * bsod: add target "bsod.target" or so, which invokes systemd-bsod.target and - waits and then reboots. Then use OnFailure=bsod.target from various jobs that - should result in system reboots, such as TPM tamper detection cases. + - Add SUPPORT_END_URL= field to os-release with more *actionable* information + what to do if support ended - * honour validatefs xattrs in dissect-image.c too + - Add systemd-analyze security checks for RestrictFileSystems= and + RestrictNetworkInterfaces= - * pcrextend: maybe add option to disable measurements entirely via kernel cmdline + - Add systemd-mount@.service which is instantiated for a block device and + invokes systemd-mount and exits. This is then useful to use in + ENV{SYSTEMD_WANTS} in udev rules, and a bit prettier than using RUN+= - * tpm2-setup: reboot if we detect SRK changed + - Add systemd-sysupdate-initrd.service or so that runs systemd-sysupdate in the + initrd to bootstrap the initrd to populate the initial partitions. Some things + to figure out: + - Should it run on firstboot or on every boot? + - If run on every boot, should it use the sysupdate config from the host on + subsequent boots? - * validatefs: validate more things: check if image id + os id of initrd match - target mount, so that we refuse early any attempts to boot into different - images with the wrong kernels. check min/max kernel version too. all encoded - via xattrs in the target fs. + - add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL + (throughout the codebase, not only PID1) - * pcrextend: when we fail to measure, reboot the system (at least optionally). - important because certain measurements are supposed to "destroy" tpm object - access. + - Add UKI profile conditioning so that profiles are only available if secure + boot is turned off, or only on. similar, add conditions on TPM availability, + network boot, and other conditions. - * pcrextend: after measuring get an immediate quote from the TPM, and validate - it. if it doesn't check out, i.e. the measurement we made doesn't appear in - the PCR then also reboot. + - Allocate UIDs/GIDs automatically in userdbctl load-credentials if none are + included in the user/group record credentials - * cryptsetup: add boolean for disabling use of any password/recovery key slots. - (i.e. that we can operate in a tpm-only mode, and thus protect us from rogue - root disks) + - allow dynamic modifications of ConcurrencyHardMax= and ConcurrencySoftMax= + via DBus (and with that also by daemon-reload). Similar for portabled. - * complete varlink introspection comments: - - io.systemd.Hostname - - io.systemd.ManagedOOM - - io.systemd.Network - - io.systemd.PCRLock - - io.systemd.Resolve.Monitor - - io.systemd.Resolve - - io.systemd.oom - - io.systemd.sysext + - also include packaging metadata (á la + https://systemd.io/PACKAGE_METADATA_FOR_EXECUTABLE_FILES/) in our UEFI PE + binaries, using the same JSON format. - * maybe define a /etc/machine-info field for the ANSI color to associate with a - hostname. Then use it for the shell prompt to highlight the hostname. If no - color is explicitly set, hash a color automatically from the hostname as a - fallback, in a reasonable way. Take inspiration from the ANSI_COLOR= field - that already exists in /etc/os-release, i.e. use the same field name and - syntax. When hashing the color, use the hsv_to_rgb() helper we already have, - fixate S and V to something reasonable and constant, and derive the H from - the hostname. Ultimate goal with this: give people a visual hint about the - system they are on if the have many to deal with, by giving each a color - identity. This code should be placed in hostnamed, so that clients can query - the color via varlink or dbus. - - * unify how blockdev_get_root() and sysupdate find the default root block device - - * Maybe rename pkcs7 and public verbs of systemd-keyutil to be more verb like. - - * maybe extend the capsule concept to the per-user instance too: invokes a - systemd --user instance with a subdir of $HOME as $HOME, and a subdir of - $XDG_RUNTIME_DIR as $XDG_RUNTIME_DIR. - - * add "homectl export" and "homectl import" that gets you an "atomic" snapshot - of your homedir, i.e. either a tarball or a snapshot of the underlying disk - (use FREEZE/THAW to make it consistent, btrfs snapshots) - - * maybe introduce a new partition that we can store debug logs and similar at - the very last moment of shutdown. idea would be to store reference to block - device (major + minor + partition id + diskeq?) in /run somewhere, than use - that from systemd-shutdown, just write a raw JSON blob into the partition. - Include timestamp, boot id and such, plus kmsg. on next boot immediately - import into journal. maybe use timestamp for making clock more monotonic. - also use this to detect unclean shutdowns, boot into special target if - detected - - * fix homed/homectl confusion around terminology, i.e. "home directory" - vs. "home" vs. "home area". Stick to one term for the concept, and it - probably shouldn't contain "area". - - * sd-boot: do something useful if we find exactly zero entries (ignoring items - such as reboot/poweroff/factory reset). Show a help text or so. - - * sd-boot: optionally ask for confirmation before executing certain operations - (e.g. factory resets, storagetm with world access, and so on) - - * add field to bls type 1 and type 2 profiles that ensures an item is never - considered for automatic selection - - * add "conditions" for bls type 1 and type 2 profiles that allow suppressing - them under various conditions: 1. if tpm2 is available or not available; - 2. if sb is on or off; 3. if we are netbooted or not; … - - * logind: invoke a service manager for "area" logins too. i.e. instantiate - user@.service also for logins where XDG_AREA is set, in per-area fashion, and - ref count it properly. Benefit: graphical logins should start working with - the area logic. - - * repart: introduce concept of "ghost" partitions, that we setup in almost all - ways like other partitions, but do not actually register in the actual gpt - table, but only tell the kernel about via BLKPG ioctl. These partitions are - disk backed (hence can be large), but not persistent (as they are invisible - on next boot). Could be used by live media and similar, to boot up as usual - but automatically start at zero on each boot. There should also be a way to - make ghost partitions properly persistent on request. + - also parse out primary GPT disk label uuid from gpt partition device path at + boot and pass it as efi var to OS. - * repart: introduce MigrateFileSystem= or so which is a bit like - CopyFiles=/CopyBlocks= but operates via btrfs device logic: adds target as - new device then removes source from btrfs. Usecase: a live medium which uses - "ghost" partitions as suggested above, which can become persistent on request - on another device. + - as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads: + https://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html - * make nspawn containers, portable services and vmspawn VMs optionally survive - soft reboot wholesale. + - augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which + contains some identifier for the project, which allows us to include + clickable links to source files generating these log messages. The identifier + could be some abbreviated URL prefix or so (taking inspiration from Go + imports). For example, for systemd we could use + CODE_BASE=github.com/systemd/systemd/blob/98b0b1123cc or so which is + sufficient to build a link by prefixing "http://" and suffixing the + CODE_FILE. - * Turn systemd-networkd-wait-online into a small varlink service that people - can talk to and specify exactly what to wait for via a method call, and get a - response back once that level of "online" is reached. + - Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can + make clickable links from log messages carrying a MESSAGE_ID, that lead to + some explanatory text online. - * introduce a small "systemd-installer" tool or so, that glues - systemd-repart-as-installer and bootctl-install into one. Would just - interactively ask user for target disk (with completion and so on), and then do - two varlink calls to the the two tools with the right parameters. To support - "offline" operation, optionally invoke the two tools directly as child - processes with varlink communication over socketpair(). This all should be - useful as blueprint for graphical installers which should do the same. + - automatic boot assessment: add one more default success check that just waits + for a bit after boot, and blesses the boot if the system stayed up that long. - * Make run0 forward various signals to the forked process so that sending - signals to a child process works roughly the same regardless of whether the - child process is spawned via run0 or not. + - automatically ignore threaded cgroups in cg_xyz(). - * write a document explaining how to write correct udev rules. Mention things - such as: - 1. do not do lists of vid/pid matches, use hwdb for that - 2. add|change action matches are typically wrong, should be != remove - 3. use GOTO, make rules short - 4. people shouldn't try to make rules file non-world-readable + - automatically mount one virtiofs during early boot phase to /run/host/, + similar to how we do that for nspawn, based on some clear tag. - * make killing more debuggable: when we kill a service do so setting the - .si_code field with a little bit of info. Specifically, we can set a - recognizable value to first of all indicate that it's systemd that did the - killing. Secondly, we can give a reason for the killing, i.e. OOM or so, and - also the phase we are in, and which process we think we are killing (i.e. - main vs control process, useful in case of sd_notify() MAINPID= debugging). - Net result: people who try to debug why their process gets killed should have - some minimal, nice metadata directly on the signal event. + - automatically propagate LUKS password credential into cryptsetup from host + (i.e. SMBIOS type #11, …), so that one can unlock LUKS via VM hypervisor + supplied password. - * sd-boot/sd-stub: install a uefi "handle" to a sidecar dir of bls type #1 - entries with an "uki" or "uki-url" stanza, and make sd-stub look for - that. That way we can parameterize type #1 entries nicely. + - automatically reset specific EFI vars on factory reset (make this generic + enough so that infra can be used to erase shim's mok vars?) - * add a system-wide seccomp filter list for syscalls, kill "acct()" "@obsolete" - and a few other legacy syscalls that way. + - be able to specify a forced restart of service A where service B depends on, in case B + needs to be auto-respawned? - * maybe introduce "@icky" as a seccomp filter group, which contains acct() and - certain other syscalls that aren't quite obsolete, but certainly icky. + - be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1 - * revisit how we pass fs images and initrd to the kernel. take uefi http boot - ramdisks as inspiration: for any confext/sysext/initrd erofs/DDI image simply - generate a fake pmem region in the UEFI memory tables, that Linux then turns - into /dev/pmemX. Then turn of cpio-based initrd logic in linux kernel, - instead let kernel boot directly into /dev/pmem0. In order to allow our usual - cpio-based parameterization, teach PID 1 to just uncompress cpio ourselves - early on, from another pmem device. (Related to this, maybe introduce a new - PE section .ramdisk that just synthesizes pmem devices from arbitrary - blobs. Could be particularly useful in add-ons) + - beef up log.c with support for stripping ANSI sequences from strings, so that + it is OK to include them in log strings. This would be particularly useful so + that our log messages could contain clickable links for example for unit + files and suchlike we operate on. - * also parse out primary GPT disk label uuid from gpt partition device path at - boot and pass it as efi var to OS. + - beef up pam_systemd to take unit file settings such as cgroups properties as + parameters - * storagetm: maybe also serve the specified disk via HTTP? we have glue for - microhttpd anyway already. Idea would also be serve currently booted UKI as - separate HTTP resource, so that EFI http boot on another system could - directly boot from our system, with full access to the hdd. + - blog about fd store and restartable services - * support specifying download hash sum in systemd-import-generator expression - to pin image/tarball. + - **bootctl:** + - recognize the case when not booted on EFI + - add tool for registering BootXXX entry that boots from some http + server of your choice (i.e. like kernel-bootcfg --add-uri=) + - add reboot-to-disk which takes a block device name, and + automatically sets things up so that system reboots into that device next. + - show whether UEFI audit mode is available + - teach it to prepare an ESP wholesale, i.e. with mkfs.vfat invocation + - teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host - * support boot into nvme-over-tcp: add generator that allows specifying nvme - devices on kernel cmdline + credentials. Also maybe add interactive mode - (where the user is prompted for nvme info), in order to boot from other - system's HDD. + - BootLoaderSpec: define a way how an installer can figure out whether a BLS + compliant boot loader is installed. - * ptyfwd: use osc context information in vmspawn/nspawn/… to optionally only - listen to ^]]] key when no further vmspawn/nspawn context is allocated + - BootLoaderSpec: document @saved pseudo-entry, update mention in BLI - * ptyfwd: usec osc context information to propagate status messages from - vmspawn/nspawn to service manager's "status" string, reporting what is - currently in the fg + - bootspec: permit graceful "update" from type #2 to type #1. If both a type #1 + and a type #2 entry exist under otherwise the exact same name, then use the + type #1 entry, and ignore the type #2 entry. This way, people can "upgrade" + from the UKI with all parameters baked in to a Type #1 .conf file with manual + parametrization, if needed. This matches our usual rule that admin config + should win over vendor defaults. - * nspawn/vmspawn: define hotkey that one can hit on the primary interface to - ask for a friendly, acpi style shutdown. + - bpf: see if we can address opportunistic inode sharing of immutable fs images + with BPF. i.e. if bpf gives us power to hook into openat() and return a + different inode than is requested for which we however it has same contents + then we can use that to implement opportunistic inode sharing among DDIs: + make all DDIs ship xattr on all reg files with a SHA256 hash. Then, also + dictate that DDIs should come with a top-level subdir where all reg files are + linked into by their SHA256 sum. Then, whenever an inode is opened with the + xattr set, check bpf table to find dirs with hashes for other prior DDIs and + try to use inode from there. - * for better compat with major clouds: implement simple PTP device support in - timesyncd + - bpf: see if we can use BPF to solve the syslog message cgroup source problem: + one idea would be to patch source sockaddr of all AF_UNIX/SOCK_DGRAM to + implicitly contain the source cgroup id. Another idea would be to patch + sendto()/connect()/sendmsg() sockaddr on-the-fly to use a different target + sockaddr. - * for better compat with major clouds: recognize clouds via hwdb on DMI device, - and add udev properties to it that help with handling IMDS, i.e. entrypoint - URL, which fields to find ip hostname, ssh key, … + - bsod: add target "bsod.target" or so, which invokes systemd-bsod.target and + waits and then reboots. Then use OnFailure=bsod.target from various jobs that + should result in system reboots, such as TPM tamper detection cases. - * for better compat with major clouds: introduce imds mini client service that - sets up primary netif in a private netns (ipvlan?) to query imds without - affecting rest of the host. pick up literal credentials from there plus the - fields the hwdb reports for the other fields and turn them into credentials. - then write generator that used detected virtualization info and plugs this - service into the early boot, waiting for the DMI and network device to show - up. + - bsod: maybe use graphical mode. Use DRM APIs directly, see + https://github.com/dvdhrm/docs/blob/master/drm-howto/modeset.c for an example + for doing that. - * Add UKI profile conditioning so that profiles are only available if secure - boot is turned off, or only on. similar, add conditions on TPM availability, - network boot, and other conditions. + - build short web pages out of each catalog entry, build them along with man + pages, and include hyperlinks to them in the journal output - * fix bug around run0 background color on ls in fresh terminal + - busctl: maybe expose a verb "ping" for pinging a dbus service to see if it + exists and responds. - * Reset TPM2 DA bit on each successful boot + - bypass SIGTERM state in unit files if KillSignal is SIGKILL - * systemd-repart: add --installer or so, that will intractively ask for a - target disk, maybe ask for confirmation, and install something on disk. Then, - hook that into installer.target or so, so that it can be used to - install/replicate installs + - cache sd_event_now() result from before the first iteration... - * systemd-cryptenroll: add --firstboot or so, that will interactively ask user - whether recovery key shall be enrolled and do so + - calenderspec: add support for week numbers and day numbers within a + year. This would allow us to define "bi-weekly" triggers safely. - * bootctl: add tool for registering BootXXX entry that boots from some http - server of your choice (i.e. like kernel-bootcfg --add-uri=) + - cgroups: use inotify to get notified when somebody else modifies cgroups + owned by us, then log a friendly warning. - * maybe introduce container-shell@.service or so, to match - container-getty.service but skips authentication, so you get a shell prompt - directly. Usecase: wsl-like stuff (they have something pretty much like - that). Question: how to pick user for this. Instance parameter? somehow from - credential (would probably require some binary that converts credential to - User= parameter? + - **cgroups:** + - implement per-slice CPUFairScheduling=1 switch + - introduce high-level settings for RT budget, swappiness + - how to reset dynamically changed unit cgroup attributes sanely? + - when reloading configuration, apply new cgroup configuration + - when recursively showing the cgroup hierarchy, optionally also show + the hierarchies of child processes + - add settings for cgroup.max.descendants and cgroup.max.depth, + maybe use them for user@.service - * systemd-firstboot: optionally install an ssh key for root for offline use. + - chase(): take inspiration from path_extract_filename() and return + O_DIRECTORY if input path contains trailing slash. - * Allocate UIDs/GIDs automatically in userdbctl load-credentials if none are - included in the user/group record credentials + - Check that users of inotify's IN_DELETE_SELF flag are using it properly, as + usually IN_ATTRIB is the right way to watch deleted files, as the former only + fires when a file is actually removed from disk, i.e. the link count drops to + zero and is not open anymore, while the latter happens when a file is + unlinked from any dir. - * introduce new ANSI sequence for communicating log level and structured error - metadata to terminals. + - Clean up "reboot argument" handling, i.e. set it through some IPC service + instead of directly via /run/, so that it can be sensible set remotely. - * in pid1: include ExecStart= cmdlines (and other Exec*= cmdlines) in polkit - request, so that policies can match against command lines. + - clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed - * allow dynamic modifications of ConcurrencyHardMax= and ConcurrencySoftMax= - via DBus (and with that also by daemon-reload) + - **complete varlink introspection comments:** + - io.systemd.Hostname + - io.systemd.ManagedOOM + - io.systemd.Network + - io.systemd.PCRLock + - io.systemd.Resolve.Monitor + - io.systemd.Resolve + - io.systemd.oom + - io.systemd.sysext - * sysupdated: introduce per-user version that can update per-user installed dDIs + - confext/sysext: instead of mounting the overlayfs directly on /etc/ + /usr/, + insert an intermediary bind mount on itself there. This has the benefit that + services where mount propagation from the root fs is off, an still have + confext/sysext propagated in. - * portabled: similar + - consider adding a new partition type, just for /opt/ for usage in system + extensions - * resolved: make resolved process DNR DHCP info + - coredump: maybe when coredumping read a new xattr from /proc/$PID/exe that + may be used to mark a whole binary as non-coredumpable. Would fix: + https://bugs.freedesktop.org/show_bug.cgi?id=69447 - * maybe introduce an OSC sequence that signals when we ask for a password, so - that terminal emulators can maybe connect a password manager or so, and - highlight things specially. + - **coredump:** + - save coredump in Windows/Mozilla minidump format + - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps + - add examples for other distros in PACKAGE_METADATA_FOR_EXECUTABLE_FILES - * start using STATX_SUBVOL in btrfs_is_subvol(). Also, make use of it - generically, so that image discovery recognizes bcachefs subvols too. + - **credentials system:** + - acquire from EFI variable? + - acquire via ask-password? + - acquire creds via keyring? + - pass creds via keyring? + - pass creds via memfd? + - acquire + decrypt creds from pkcs11? + - make macsec code in networkd read key via creds logic (copy logic from + wireguard) + - make gatewayd/remote read key via creds logic + - add sd_notify() command for flushing out creds not needed anymore + - if we ever acquire a secure way to derive cgroup id of socket + peers (i.e. SO_PEERCGROUPID), then extend the "scoped" credential logic to + allow cgroup-scoped (i.e. app or service scoped) credentials. Then, as next + step use this to implement per-app/per-service encrypted directories, where + we set up fscrypt on the StateDirectory= with a randomized key which is + stored as xattr on the directory, encrypted as a credential. + - optionally include a per-user secret in scoped user-credential + encryption keys. should come from homed in some way, derived from the luks + volume key or fscrypt directory key. + - add a flag to the scoped credentials that if set require PK + reauthentication when unlocking a secret. + - rework docs. The list in + https://systemd.io/CREDENTIALS/#well-known-credentials is very stale. + Document credentials in individual man pages, generate list as in + systemd.directives. + + - creds: add a new cred format that reused the JSON structures we use in the + LUKS header, so that we get the various newer policies for free. - * foreign uid: - - add support to export-fs, import-fs - - systemd-dissect should learn mappings, too, when doing mtree and such + - cryptenroll/cryptsetup/homed: add unlock mechanism that combines tpm2 and + fido2, as well as tpm2 + ssh-agent, inspired by ChromeOS' logic: encrypt the + volume key with the TPM, with a policy that insists that a nonce is signed by + the fido2 device's key or ssh-agent key. Thus, add unlock/login time the TPM + generates a nonce, which is sent as a challenge to the fido2/ssh-agent, which + returns a signature which is handed to the tpm, which then reveals the volume + key to the PC. - * resolved: report ttl in resolution replies if we know it. This data is useful - for tools such as wireguard which want to periodically re-resolve DNS names, - and might want to use the TTL has hint for that. + - cryptenroll/cryptsetup/homed: similar to this, implement TOTP backed by TPM. - * journald: beef up ClientContext logic to store pidfd_id of peer, to validate - we really use the right cache entry + - cryptsetup/homed: implement TOTP authentication backed by TPM2 and its + internal clock. - * journald: log client's pidfd id as a new automatic field _PIDFDID= or so. + - **cryptsetup:** + - cryptsetup-generator: allow specification of passwords in crypttab itself + - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator + - add boolean for disabling use of any password/recovery key slots. + (i.e. that we can operate in a tpm-only mode, and thus protect us from rogue + root disks) + - new crypttab option to auto-grow a luks device to its backing + partition size. new crypttab option to reencrypt a luks device with a new + volume key. + - a mechanism that allows signing a volume key with some key that + has to be present in the kernel keyring, or similar, to ensure that confext + DDIs can be encrypted against the local SRK but signed with the admin's key + and thus can authenticated locally before they are decrypted. + - add option for automatically removing empty password slot on boot + - optionally, when run during boot-up and password is never + entered, and we are on battery power (or so), power off machine again + - when waiting for FIDO2/PKCS#11 token, tell plymouth that, and + allow plymouth to abort the waiting and enter pw instead + - allow encoding key directly in /etc/crypttab, maybe with a + "base64:" prefix. Useful in particular for pkcs11 mode. + - reimplement the mkswap/mke2fs in cryptsetup-generator to use + systemd-makefs.service instead. + ++- sysext: make systemd-{sys,conf}ext-sysroot.service work in the split `/var` ++ configuration. + - * journald: split up ClientContext cache in two: one cache keyed by pid/pidfdid - with process information, and another one keyed by cgroup path/cgroupid with - cgroup information. This way if a service consisting of many logging - processes can take benefit of the cgroup caching. ++- introduce a concept of /etc/machine-info "TAGS=" field that allows tagging ++ machines with zero, one or more roles, states or other forms of ++ categorization. Then, add a way of using this in sysupdate to automatically ++ enable certain transfers, one for each role. + - * system lsmbpf policy that prohibits creating files owned by "nobody" - system-wide ++- sd-varlink: add fully async modes of the protocol upgrade stuff + - * system lsmpbf policy that prohibits creating or opening device nodes outside - of devtmpfs/tmpfs, except if they are the pseudo-devices /dev/null, - /dev/zero, /dev/urandom and so on. ++- repart: maybe remove iso9660/eltorito superblock from disk when booting via ++ gpt, if there is one. + - * system lsmbpf policy that enforces that block device backed mounts may only - be established on top of dm-crypt or dm-verity devices, or an allowlist of - file systems (which should probably include vfat, for compat with the ESP) + - crypttab/gpt-auto-generator: allow explicit control over which unlock mechs + to permit, and maybe have a global headless kernel cmdline option - * $SYSTEMD_EXECPID that the service manager sets should - be augmented with $SYSTEMD_EXECPIDFD (and similar for - other env vars we might send). + - currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not - * port copy.c over to use LabelOps for all labelling. + - dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we + should be able to safely try another attempt when the bus call LoadUnit() is invoked. - * get rid of compat with libbpf.so.0 (retainly only for libbpf.so.1) + - ddi must be listed as block device fstype - * define a generic "report" varlink interface, which services can implement to + - define a generic "report" varlink interface, which services can implement to provide health/statistics data about themselves. then define a dir somewhere in /run/ where components can bind such sockets. Then make journald, logind, and pid1 itself implement this and expose various stats on things there. Then @@@ -1501,832 -1501,1204 +1511,1200 @@@ portabled/… up to udev to watch block devices coming up with the flags set, and use it. - * sd-boot should look for information what to boot in SMBIOS, too, so that VM - managers can tell sd-boot what to boot into and suchlike + - maybe add support for binding and connecting AF_UNIX sockets in the file + system outside of the 108ch limit. When connecting, open O_PATH fd to socket + inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink + to target dir in /tmp, and bind through it. - * add "systemd-sysext identify" verb, that you can point on any file in /usr/ - and that determines from which overlayfs layer it originates, which image, and with - what it was signed. + - Maybe add SwitchRootEx() as new bus call that takes env vars to set for new + PID 1 as argument. When adding SwitchRootEx() we should maybe also add a + flags param that allows disabling and enabling whether serialization is + requested during switch root. - * systemd-creds: extend encryption logic to support asymmetric - encryption/authentication. Idea: add new verb "systemd-creds public-key" - which generates a priv/pub key pair on the TPM2 and stores the priv key - locally in /var. It then outputs a certificate for the pub part to stdout. - This can then be copied/taken elsewhere, and can be used for encrypting creds - that only the host on its specific hw can decrypt. Then, support a drop-in - dir with certificates that can be used to authenticate credentials. Flow of - operations is then this: build image with owner certificate, then after - boot up issue "systemd-creds public-key" to acquire pubkey of the machine. - Then, when passing data to the machine, sign with privkey belonging to one of - the dropped in certs and encrypted with machine pubkey, and pass to machine. - Machine is then able to authenticate you, and confidentiality is guaranteed. + - maybe allow timer units with an empty Units= setting, so that they + can be used for resuming the system but nothing else. - * building on top of the above, the pub/priv key pair generated on the TPM2 - should probably also one you can use to get a remote attestation quote. + - maybe beef up sd-event: optionally, allow sd-event to query the timestamp of + next pending datagram inside a SOCK_DGRAM IO fd, and order event source + dispatching by that. Enable this on the native + syslog sockets in journald, + so that we add correct ordering between the two. Use MSG_PEEK + SCM_TIMESTAMP + for this. - * Process credentials in: - • crypttab-generator: allow defining additional crypttab-like volumes via - credentials (similar: verity-generator, integrity-generator). Use - fstab-generator logic as inspiration. - • run-generator: allow defining additional commands to run via a credential - • resolved: allow defining additional /etc/hosts entries via a credential (it - might make sense to then synthesize a new combined /etc/hosts file in /run - and bind mount it on /etc/hosts for other clients that want to read it. - • repart: allow defining additional partitions via credential - • timesyncd: pick NTP server info from credential - • portabled: read a credential "portable.extra" or so, that takes a list of - file system paths to enable on start. - • make systemd-fstab-generator look for a system credential encoding root= or - usr= - • in gpt-auto-generator: check partition uuids against such uuids supplied via - sd-stub credentials. That way, we can support parallel OS installations with - pre-built kernels. + - maybe define a /etc/machine-info field for the ANSI color to associate with a + hostname. Then use it for the shell prompt to highlight the hostname. If no + color is explicitly set, hash a color automatically from the hostname as a + fallback, in a reasonable way. Take inspiration from the ANSI_COLOR= field + that already exists in /etc/os-release, i.e. use the same field name and + syntax. When hashing the color, use the hsv_to_rgb() helper we already have, + fixate S and V to something reasonable and constant, and derive the H from + the hostname. Ultimate goal with this: give people a visual hint about the + system they are on if the have many to deal with, by giving each a color + identity. This code should be placed in hostnamed, so that clients can query + the color via varlink or dbus. - * define a JSON format for units, separating out unit definitions from unit - runtime state. Then, expose it: + - maybe do not install getty@tty1.service symlink in /etc but in /usr? - 1. Add Describe() method to Unit D-Bus object that returns a JSON object - about the unit. - 2. Expose this natively via Varlink, in similar style - 3. Use it when invoking binaries (i.e. make PID 1 fork off systemd-executor - binary which reads the JSON definition and runs it), to address the cow - trap issue and the fact that NSS is actually forbidden in - forked-but-not-exec'ed children - 4. Add varlink API to run transient units based on provided JSON definitions + - maybe extend .path units to expose fanotify() per-mount change events - * Add SUPPORT_END_URL= field to os-release with more *actionable* information - what to do if support ended + - maybe extend the capsule concept to the per-user instance too: invokes a + systemd --user instance with a subdir of $HOME as $HOME, and a subdir of + $XDG_RUNTIME_DIR as $XDG_RUNTIME_DIR. - * pam_systemd: on interactive logins, maybe show SUPPORT_END information at - login time, à la motd + - Maybe extend the service protocol to support handling of some specific SIGRT + signal for setting service log level, that carries the level via the + sigqueue() data parameter. Enable this via unit file setting. - * sd-boot: instead of unconditionally deriving the ESP to search boot loader - spec entries in from the paths of sd-boot binary, let's optionally allow it - to be configured on sd-boot cmdline + efi var. Use case: embed sd-boot in the - UEFI firmware (for example, ovmf supports that via qemu cmdline option), and - use it to load stuff from the ESP. + - maybe implicitly attach monotonic+realtime timestamps to outgoing messages in + log.c and sd-journal-send - * mount /var/ from initrd, so that we can apply sysext and stuff before the - initrd transition. Specifically: - 1. There should be a var= kernel cmdline option, matching root= and usr= - 2. systemd-gpt-auto-generator should auto-mount /var if it finds it on disk - 3. mount.x-initrd mount option in fstab should be implied for /var + - maybe introduce "@icky" as a seccomp filter group, which contains acct() and + certain other syscalls that aren't quite obsolete, but certainly icky. - * make persistent restarts easier by adding a new setting OpenPersistentFile= - or so, which allows opening one or more files that is "persistent" across - service restarts, hot reboot, cold reboots (depending on configuration): the - files are created empty on first invocation, and on subsequent invocations - the files are reboot. The files would be backed by tmpfs, pmem or /var - depending on desired level of persistency. + - Maybe introduce a helper safe_exec() or so, which is to execve() which + safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit + to 1K implicitly, unless explicitly opted-out. - * sd-event: add ability to "chain" event sources. Specifically, add a call - sd_event_source_chain(x, y), which will automatically enable event source y - in oneshot mode once x is triggered. Use case: in src/core/mount.c implement - the /proc/self/mountinfo rescan on SIGCHLD with this: whenever a SIGCHLD is - seen, trigger the rescan defer event source automatically, and allow it to be - dispatched *before* the SIGCHLD is handled (based on priorities). Benefit: - dispatch order is strictly controlled by priorities again. (next step: chain - event sources to the ratelimit being over) + - maybe introduce a new partition that we can store debug logs and similar at + the very last moment of shutdown. idea would be to store reference to block + device (major + minor + partition id + diskseq?) in /run somewhere, than use + that from systemd-shutdown, just write a raw JSON blob into the partition. + Include timestamp, boot id and such, plus kmsg. on next boot immediately + import into journal. maybe use timestamp for making clock more monotonic. + also use this to detect unclean shutdowns, boot into special target if + detected - * if we fork of a service with StandardOutput=journal, and it forks off a - subprocess that quickly dies, we might not be able to identify the cgroup it - comes from, but we can still derive that from the stdin socket its output - came from. We apparently don't do that right now. + - maybe introduce a new per-unit drop-in directory .confext.d/ that may contain + symlinks to confext images to enable for the unit. - * add PR_SET_DUMPABLE service setting + - Maybe introduce an InodeRef structure inspired by PidRef, which references a + specific inode, and combines: a path, an O_PATH fd, and possibly a FID into + one. Why? We often pass around path and fd separately in chaseat() and similar + calls. Because passing around both separately is cumbersome we sometimes only + one pass one, once the other and sometimes both. It would make the code a lot + simpler if we could path both around at the same time in a simple way, via an + InodeRef which *both* pins the inode via an fd, *and* gives us a friendly + name for it. - * homed/userdb: maybe define a "companion" dir for home directories where apps - can safely put privileged stuff in. Would not be writable by the user, but - still conceptually belong to the user. Would be included in user's quota if - possible, even if files are not owned by UID of user. Use case: container - images that owned by arbitrary UIDs, and are owned/managed by the users, but - are not directly belonging to the user's UID. Goal: we shouldn't place more - privileged dirs inside of unprivileged dirs, and thus containers really - should not be placed inside of traditional UNIX home dirs (which are owned by - users themselves) but somewhere else, that is separate, but still close - by. Inform user code about path to this companion dir via env var, so that - container managers find it. the ~/.identity file is also a candidate for a - file to move there, since it is managed by privileged code (i.e. homed) and - not unprivileged code. + - maybe introduce an OSC sequence that signals when we ask for a password, so + that terminal emulators can maybe connect a password manager or so, and + highlight things specially. - * maybe add support for binding and connecting AF_UNIX sockets in the file - system outside of the 108ch limit. When connecting, open O_PATH fd to socket - inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink - to target dir in /tmp, and bind through it. + - maybe introduce container-shell@.service or so, to match + container-getty.service but skips authentication, so you get a shell prompt + directly. Usecase: wsl-like stuff (they have something pretty much like + that). Question: how to pick user for this. Instance parameter? somehow from + credential (would probably require some binary that converts credential to + User= parameter? - * add a proper concept of a "developer" mode, i.e. where cryptographic - protections of the root OS are weakened after interactive confirmation, to - allow hackers to allow their own stuff. idea: allow entering developer mode - only via explicit choice in boot menu: i.e. add explicit boot menu item for - it. When developer mode is entered, generate a key pair in the TPM2, and add - the public part of it automatically to keychain of valid code signature keys - on subsequent boots. Then provide a tool to sign code with the key in the - TPM2. Ensure that boot menu item is the only way to enter developer mode, by - binding it to locality/PCRs so that keys cannot be generated otherwise. + - maybe introduce xattrs that can be set on the root dir of the root fs + partition that declare the volatility mode to use the image in. Previously I + thought marking this via GPT partition flags but that's not ideal since + that's outside of the LUKS encryption/verity verification, and we probably + shouldn't operate in a volatile mode unless we got told so from a trusted + source. - * services: add support for cryptographically unlocking per-service directories - via TPM2. Specifically, for StateDirectory= (and related dirs) use fscrypt to - set up the directory so that it can only be accessed if host and app are in - order. + - maybe prohibit setuid() to the nobody user, to lock things down, via seccomp. + the nobody is not a user any code should run under, ever, as that user would + possibly get a lot of access to resources it really shouldn't be getting + access to due to the userns + nfs semantics of the user. Alternatively: use + the seccomp log action, and allow it. - * update HACKING.md to suggest developing systemd with the ideas from: - https://0pointer.net/blog/testing-my-system-code-in-usr-without-modifying-usr.html - https://0pointer.net/blog/running-an-container-off-the-host-usr.html + - maybe reconsider whether virtualization consoles (hvc1) are considered local + or remote. i.e. are they more like an ssh login, or more like a /dev/tty1 + login? Lennart used to believe the former, but maybe the latter is more + appropriate? This has effect on polkit interactivity, since it would mean + questions via hvc0 would suddenly use the local polkit property. But this + also raises the question whether such sessions shall be considered active or + not - * sd-event: compat wd reuse in inotify code: keep a set of removed watch - descriptors, and clear this set piecemeal when we see the IN_IGNORED event - for it, or when read() returns EAGAIN or on IN_Q_OVERFLOW. Then, whenever we - see an inotify wd event check against this set, and if it is contained ignore - the event. (to be fully correct this would have to count the occurrences, in - case the same wd is reused multiple times before we start processing - IN_IGNORED again) + - Maybe rename pkcs7 and public verbs of systemd-keyutil to be more verb like. - * for vendor-built signed initrds: - - kernel-install should be able to install encrypted creds automatically for - machine id, root pw, rootfs uuid, resume partition uuid, and place next to - EFI kernel, for sd-stub to pick them up. These creds should be locked to - the TPM, and bind to the right PCR the kernel is measured to. - - kernel-install should be able to pick up initrd sysexts automatically and - place them next to EFI kernel, for sd-stub to pick them up. - - systemd-fstab-generator should look for rootfs device to mount in creds - - systemd-resume-generator should look for resume partition uuid in creds + - maybe rework systemd-modules-load to be a generator that just instantiates + modprobe@.service a bunch of times - * Maybe extend the service protocol to support handling of some specific SIGRT - signal for setting service log level, that carries the level via the - sigqueue() data parameter. Enable this via unit file setting. + - maybe teach repart.d/ dropins a new setting MakeMountNodes= or so, which is + just like MakeDirectories=, but uses an access mode of 0000 and sets the +i + chattr bit. This is useful as protection against early uses of /var/ or /tmp/ + before their contents is mounted. - * sd_notify/vsock: maybe support binding to AF_VSOCK in Type=notify services, - then passing $NOTIFY_SOCKET and $NOTIFY_GUESTCID with PID1's cid (typically - fixed to "2", i.e. the official host cid) and the expected guest cid, for the - two sides of the channel. The latter env var could then be used in an - appropriate qemu cmdline. That way qemu payloads could talk sd_notify() - directly to host service manager. + - maybe trigger a uevent "change" on a device if "systemctl reload xyz.device" + is issued. - * sd-device should return the devnum type (i.e. 'b' or 'c') via some API for an - sd_device object, so that data passed into sd_device_new_from_devnum() can - also be queried. + - maybe: in PID1, when we detect we run in an initrd, make superblock read-only + early on, but provide opt-out via kernel cmdline. - * sd-event: optionally, if per-event source rate limit is hit, downgrade - priority, but leave enabled, and once ratelimit window is over, upgrade - priority again. That way we can combat event source starvation without - stopping processing events from one source entirely. + - measure all log-in attempts into a new nvpcr - * sd-event: similar to existing inotify support add fanotify support (given - that apparently new features in this area are only going to be added to the - latter). + - measure credentials picked up from SMBIOS to some suitable PCR - * sd-event: add 1st class event source for clock changes + - measure GPT and LUKS headers somewhere when we use them (i.e. in + systemd-gpt-auto-generator/systemd-repart and in systemd-cryptsetup?) - * sd-event: add 1st class event source for timezone changes + - measure some string via pcrphase whenever we end up booting into emergency + mode. - * sysext: measure all activated sysext into a TPM PCR + - measure some string via pcrphase whenever we resume from hibernate - * systemd-dissect: show available versions inside of a disk image, i.e. if - multiple versions are around of the same resource, show which ones. (in other - words: show partition labels). + - Merge systemd-creds options --uid= (which accepts user names) and --user. - * systemd-dissect: add --cat switch for dumping files such as /etc/os-release + - merge unit_kill_common() and unit_kill_context() - * per-service sandboxing option: ProtectIds=. If used, will overmount - /etc/machine-id and /proc/sys/kernel/random/boot_id with synthetic files, to - make it harder for the service to identify the host. Depending on the user - setting it should be fully randomized at invocation time, or a hash of the - real thing, keyed by the unit name or so. Of course, there are other ways to - get these IDs (e.g. journal) or similar ids (e.g. MAC addresses, DMI ids, CPU - ids), so this knob would only be useful in combination with other lockdown - options. Particularly useful for portable services, and anything else that - uses RootDirectory= or RootImage=. (Might also over-mount - /sys/class/dmi/id/*{uuid,serial} with /dev/null). + - MessageQueueMessageSize= (and suchlike) should use parse_iec_size(). - * doc: prep a document explaining resolved's internal objects, i.e. Query - vs. Question vs. Transaction vs. Stream and so on. + - mount /tmp/ and /var/tmp with a uidmap applied that blocks out "nobody" user + among other things such as dynamic uid ranges for containers and so on. That + way no one can create files there with these uids and we enforce they are only + used transiently, never persistently. - * doc: prep a document explaining PID 1's internal logic, i.e. transactions, - jobs, units + - mount /var/ from initrd, so that we can apply sysext and stuff before the + initrd transition. Specifically: + 1. There should be a var= kernel cmdline option, matching root= and usr= + 2. systemd-gpt-auto-generator should auto-mount /var if it finds it on disk + 3. mount.x-initrd mount option in fstab should be implied for /var - * automatically ignore threaded cgroups in cg_xyz(). + - mount most file systems with a restrictive uidmap. e.g. mount /usr/ with a + uidmap that blocks out anything outside 0…1000 (i.e. system users) and similar. - * add linker script that implicitly adds symbol for build ID and new coredump - json package metadata, and use that when logging + - mount the root fs with MS_NOSUID by default, and then mount /usr/ without + both so that suid executables can only be placed there. Do this already in + the initrd. If /usr/ is not split out create a bind mount automatically. - * Enable RestrictFileSystems= for all our long-running services (similar: - RestrictNetworkInterfaces=) + - mount: turn dependency information from /proc/self/mountinfo into dependency information between systemd units. - * Add systemd-analyze security checks for RestrictFileSystems= and - RestrictNetworkInterfaces= + - MountFlags=shared acts as MountFlags=slave right now. - * cryptsetup/homed: implement TOTP authentication backed by TPM2 and its - internal clock. + - **mountfsd/nsresourced:** + - userdb: maybe allow callers to map one uid to their own uid + - bpflsm: allow writes if resulting UID on disk would be userns' owner UID + - make encrypted DDIs work (password…) + - add API for creating a new file system from scratch (together with some + dm-integrity/HMAC key). Should probably work using systemd-repart (access + via varlink). + - add api to make an existing file "trusted" via dm-integry/HMAC key + - port: portabled + - port: tmpfiles, sysusers and similar + - lets see if we can make runtime bind mounts into unpriv nspawn work - * man: rework os-release(5), and clearly separate our extension-release.d/ and - initrd-release parts, i.e. list explicitly which fields are about what. + - move documentation about our common env vars (SYSTEMD_LOG_LEVEL, + SYSTEMD_PAGER, …) into a man page of its own, and just link it from our + various man pages that so far embed the whole list again and again, in an + attempt to reduce clutter and noise a bid. - * sysext: before applying a sysext, do a superficial validation run so that - things are not rearranged to wildy. I.e. protect against accidental fuckups, - such as masking out /usr/lib/ or so. We should probably refuse if existing - inodes are replaced by other types of inodes or so. + - move multiseat vid/pid matches from logind udev rule to hwdb - * userdb: when synthesizing NSS records, pick "best" password from defined - passwords, not just the first. i.e. if there are multiple defined, prefer - unlocked over locked and prefer non-empty over empty. + - Move RestrictAddressFamily= to the new cgroup create socket - * homed: if the homed shell fallback thing has access to an SSH agent, try to - use it to unlock home dir (if ssh-agent forwarding is enabled). We - could implement SSH unlocking of a homedir with that: when enrolling a new - ssh pubkey in a user record we'd ask the ssh-agent to sign some random value - with the privkey, then use that as luks key to unlock the home dir. Will not - work for ECDSA keys since their signatures contain a random component, but - will work for RSA and Ed25519 keys. + - networkd's resolved hook: optionally map all lease IP addresses handed out to + the same hostname which is configured on the .network file. Optionally, even + derive this single name from the network interface name (i.e. probably + altname or so). This way, when spawning a VM the host could pick the hostname + for it and the client gets no say. - * userdbd: implement an additional varlink service socket that provides the - host user db in restricted form, then allow this to be bind mounted into - sandboxed environments that want the host database in minimal form. All - records would be stripped of all meta info, except the basic UID/name - info. Then use this in portabled environments that do not use PrivateUsers=1. + - networkd/machined: implement reverse name lookups in the resolved hook - * portabled: when extracting unit files and copying to system.attached, if a - .p7s is available in the image, use it to protect the system.attached copy - with fs-verity, so that it cannot be tampered with - - * /etc/veritytab: allow that the roothash column can be specified as fs path - including a path to an AF_UNIX path, similar to how we do things with the - keys of /etc/crypttab. That way people can store/provide the roothash - externally and provide to us on demand only. + - networkd: maintain a file in /run/ that can be symlinked into /run/issue.d/ + that always shows the current primary IP address - * rework recursive read-only remount to use new mount API + - **networkd:** + - add more keys to [Route] and [Address] sections + - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config) + - add reduced [Link] support to .network files + - properly handle routerless dhcp leases + - work with non-Ethernet devices + - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from? + - the DHCP lease data (such as NTP/DNS) is still made available when + a carrier is lost on a link. It should be removed instantly. + - expose in the API the following bits: + - option 15, domain name + - option 12, hostname and/or option 81, fqdn + - option 123, 144, geolocation + - option 252, configure http proxy (PAC/wpad) + - provide a way to define a per-network interface default metric value + for all routes to it. possibly a second default for DHCP routes. + - allow Name= to be specified repeatedly in the [Match] section. Maybe also + support Name=foo*|bar*|baz ? + - whenever uplink info changes, make DHCP server send out FORCERENEW + + - nspawn/vmspawn/pid1: add ability to easily insert fully booted VMs/FOSC into + shell pipelines, i.e. add easy to use switch that turns off console status + output, and generates the right credentials for systemd-run-generator so that + a program is invoked, and its output captured, with correct EOF handling and + exit code propagation - * when mounting disk images: if IMAGE_ID/IMAGE_VERSION is set in os-release - data in the image, make sure the image filename actually matches this, so - that images cannot be misused. + - nspawn/vmspawn: define hotkey that one can hit on the primary interface to + ask for a friendly, acpi style shutdown. - * sysupdate: - - add fuzzing to the pattern parser - - support casync as download mechanism - - "systemd-sysupdate update --all" support, that iterates through all components - defined on the host, plus all images installed into /var/lib/machines/, - /var/lib/portable/ and so on. - - Allow invocation with a single transfer definition, i.e. with - --definitions= pointing to a file rather than a dir. - - add ability to disable implicit decompression of downloaded artifacts, - i.e. a Compress=no option in the transfer definitions + - **nspawn:** + - emulate /dev/kmsg using CUSE and turn off the syslog syscall + with seccomp. That should provide us with a useful log buffer that + systemd can log to during early boot, and disconnect container logs + from the kernel's logs. + - as soon as networkd has a bus interface, hook up --network-interface=, + --network-bridge= with networkd, to trigger netdev creation should an + interface be missing + - a nice way to boot up without machine id set, so that it is set at boot + automatically for supporting --ephemeral. Maybe hash the host machine id + together with the machine name to generate the machine id for the container + - fix logic always print a final newline on output. + https://github.com/systemd/systemd/pull/272#issuecomment-113153176 + - should optionally support receiving WATCHDOG=1 messages from its payload + PID 1... + - optionally automatically add FORWARD rules to iptables whenever nspawn is + running, remove them when shut down. + - add support for sysext extensions, too. i.e. a new --extension= switch that + takes one or more arguments, and applies the extensions already during + startup. + - when main nspawn supervisor process gets suspended due to SIGSTOP/SIGTTOU + or so, freeze the payload too. + - support time namespaces + - on cgroupsv1 issue cgroup empty handler process based on host events, so + that we make cgroup agent logic safe + - add API to invoke binary in container, then use that as fallback in + "machinectl shell" + - make nspawn suitable for shell pipelines: instead of triggering a hangup + when input is finished, send ^D, which synthesizes an EOF. Then wait for + hangup or ^D before passing on the EOF. + - greater control over selinux label? + - support that /proc, /sys/, /dev are pre-mounted + - maybe allow TPM passthrough, backed by swtpm, and measure --image= hash + into its PCR 11, so that nspawn instances can be TPM enabled, and partake + in measurements/remote attestation and such. swtpm would run outside of + control of container, and ideally would itself bind its encryption keys to + host TPM. + - make boot assessment do something sensible in a container. i.e send an + sd_notify() from payload to container manager once boot-up is completed + successfully, and use that in nspawn for dealing with boot counting, + implemented in the partition table labels and directory names. + - optionally set up nftables/iptables routes that forward UDP/TCP traffic on + port 53 to resolved stub 127.0.0.54 + - maybe optionally insert .nspawn file as GPT partition into images, so that + such container images are entirely stand-alone and can be updated as one. + - The subreaper logic we currently have seems overly complex. We should + investigate whether creating the inner child with CLONE_PARENT isn't better. + - Reduce the number of sockets that are currently in use and just rely on one + or two sockets. + - map foreign UID range through 1:1 + - systemd-nspawn should get the same SSH key support that vmspawn now has. - * in sd-id128: also parse UUIDs in RFC4122 URN syntax (i.e. chop off urn:uuid: prefix) + - oci: add support for "importctl import-oci" which implements the "OCI layout" + spec (i.e. acquiring via local fs access), as opposed to the current + "importctl pull-oci" which focusses on the "OCI image spec", i.e. downloads + from the web (i.e. acquiring via URLs). - * whenever we receive fds via SCM_RIGHTS make sure none got dropped due to the - reception limit the kernel silently enforces. + - oci: add support for blake hashes for layers - * Add service unit setting ConnectStream= which takes IP addresses and connects to them. + - oci: support "data" in any OCI descriptor, not just manifest config. - * Similar, Load= which takes literal data in text or base64 format, and puts it - into a memfd, and passes that. This enables some fun stuff, such as embedding - bash scripts in unit files, by combining Load= with ExecStart=/bin/bash - /proc/self/fd/3 + - On boot, auto-generate an asymmetric key pair from the TPM, + and use it for validating DDIs and credentials. Maybe upload it to the kernel + keyring, so that the kernel does this validation for us for verity and kernel + modules - * add a ConnectSocket= setting to service unit files, that may reference a - socket unit, and which will connect to the socket defined therein, and pass - the resulting fd to the service program via socket activation proto. + - on first login of a user, measure its identity to some nvpcr - * Add a concept of ListenStream=anonymous to socket units: listen on a socket - that is deleted in the fs. Use case would be with ConnectSocket= above. + - on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?) - * importd: support image signature verification with PKCS#7 + OpenBSD signify - logic, as alternative to crummy gpg + - once swtpm's sd_notify() support has landed in the distributions, remove the + invocation in tpm2-swtpm.c and let swtpm handle it. - * add "systemd-analyze debug" + AttachDebugger= in unit files: The former - specifies a command to execute; the latter specifies that an already running - "systemd-analyze debug" instance shall be contacted and execution paused - until it gives an OK. That way, tools like gdb or strace can be safely be - invoked on processes forked off PID 1. + - Once the root fs LUKS volume key is measured into PCR 15, default to binding + credentials to PCR 15 in "systemd-creds" - * expose MS_NOSYMFOLLOW in various places + - optionally, also require WATCHDOG=1 notifications during service start-up and shutdown - * credentials system: - - acquire from EFI variable? - - acquire via ask-password? - - acquire creds via keyring? - - pass creds via keyring? - - pass creds via memfd? - - acquire + decrypt creds from pkcs11? - - make macsec code in networkd read key via creds logic (copy logic from - wireguard) - - make gatewayd/remote read key via creds logic - - add sd_notify() command for flushing out creds not needed anymore + - optionally, collect cgroup resource data, and store it in per-unit RRD files, + suitable for processing with rrdtool. Add bus API to access this data, and + possibly implement a CPULoad property based on it. - * TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades - and such + - optionally: turn on cgroup delegation for per-session scope units - * introduce a new group to own TPM devices + - pam_systemd: on interactive logins, maybe show SUPPORT_END information at + login time, à la motd - * cryptsetup: add option for automatically removing empty password slot on boot + - pam_systemd_home: add module parameter to control whether to only accept + only password or only pcks11/fido2 auth, and then use this to hook nicely + into two of the three PAM stacks gdm provides. + See discussion at https://github.com/authselect/authselect/pull/311 - * cryptsetup: optionally, when run during boot-up and password is never - entered, and we are on battery power (or so), power off machine again + - paranoia: whenever we process passwords, call mlock() on the memory + first. i.e. look for all places we use free_and_erasep() and + augment them with mlock(). Also use MADV_DONTDUMP. + Alternatively (preferably?) use memfd_secret(). - * cryptsetup: when waiting for FIDO2/PKCS#11 token, tell plymouth that, and - allow plymouth to abort the waiting and enter pw instead + - pcrextend/tpm2-util: add a concept of "rotation" to event log. i.e. allow + trailing parts of the logs if time or disk space limit is hit. Protect the + boot-time measurements however (i.e. up to some point where things are + settled), since we need those for pcrlock measurements and similar. When + deleting entries for rotation, place an event that declares how many items + have been dropped, and what the hash before and after that. - * make cryptsetup lower --iter-time + - pcrextend: after measuring get an immediate quote from the TPM, and validate + it. if it doesn't check out, i.e. the measurement we made doesn't appear in + the PCR then also reboot. - * cryptsetup: allow encoding key directly in /etc/crypttab, maybe with a - "base64:" prefix. Useful in particular for pkcs11 mode. + - pcrextend: maybe add option to disable measurements entirely via kernel cmdline - * cryptsetup: reimplement the mkswap/mke2fs in cryptsetup-generator to use - systemd-makefs.service instead. + - pcrextend: when we fail to measure, reboot the system (at least optionally). + important because certain measurements are supposed to "destroy" tpm object + access. - * cryptsetup: - - cryptsetup-generator: allow specification of passwords in crypttab itself - - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator + - pcrlock: add support for multi-profile UKIs - * systemd-analyze netif that explains predictable interface (or networkctl) + - **pcrlock:** + - add kernel-install plugin that automatically creates UKI .pcrlock file when + UKI is installed, and removes it when it is removed again + - automatically install PE measurement of sd-boot on "bootctl install" + - pre-calc sysext + kernel cmdline measurements + - pre-calc cryptsetup root key measurement + - maybe make systemd-repart generate .pcrlock for old and new GPT header in + /run? + - Add support for more than 8 branches per PCR OR + - add "systemd-pcrlock lock-kernel-current" or so which synthesizes .pcrlock + policy from currently booted kernel/event log, to close gap for first boot + for pre-built images - * systemd-analyze inspect-elf should show other notes too, at least build-id. + - per-service sandboxing option: ProtectIds=. If used, will overmount + /etc/machine-id and /proc/sys/kernel/random/boot_id with synthetic files, to + make it harder for the service to identify the host. Depending on the user + setting it should be fully randomized at invocation time, or a hash of the + real thing, keyed by the unit name or so. Of course, there are other ways to + get these IDs (e.g. journal) or similar ids (e.g. MAC addresses, DMI ids, CPU + ids), so this knob would only be useful in combination with other lockdown + options. Particularly useful for portable services, and anything else that + uses RootDirectory= or RootImage=. (Might also over-mount + /sys/class/dmi/id/*{uuid,serial} with /dev/null). - * Figure out naming of verbs in systemd-analyze: we have (singular) capability, - exit-status, but (plural) filesystems, architectures. + - Permit masking specific netlink APIs with RestrictAddressFamily= - * special case some calls of chase() to use openat2() internally, so - that the kernel does what we otherwise do. + - pick up creds from EFI vars - * add a new flag to chase() that stops chasing once the first missing - component is found and then allows the caller to create the rest. + - PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn) - * make use of new glibc 2.32 APIs sigabbrev_np(). + - **pid1:** + - When logging about multiple units (stopping BoundTo units, conflicts, etc.), + log both units as UNIT=, so that journalctl -u triggers on both. + - generate better errors when people try to set transient properties + that are not supported... + https://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html + - recreate systemd's D-Bus private socket file on SIGUSR2 + - when we automatically restart a service, ensure we restart its rdeps, too. + - hide PAM options in fragment parser when compile time disabled + - Support --test based on current system state + - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle(). + - after deserializing sockets in socket.c we should reapply sockopts and things + - drop PID 1 reloading, only do reexecing (difficult: Reload() + currently is properly synchronous, Reexec() is weird, because we + cannot delay the response properly until we are back, so instead of + being properly synchronous we just keep open the fd and close it + when done. That means clients do not get a successful method reply, + but much rather a disconnect on success. + - when breaking cycles drop services from /run first, then from /etc, then from /usr + - when a bus name of a service disappears from the bus make sure to queue further activation requests + - maybe introduce CoreScheduling=yes/no to optionally set a PR_SCHED_CORE cookie, so that all + processes in a service's cgroup share the same cookie and are guaranteed not to share SMT cores + with other units https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/core-scheduling.rst + - ExtensionImages= deduplication for services is currently only applied to disk images without GPT envelope. + This should be extended to work with proper DDIs too, as well as directory confext/sysext. Moreover, + system-wide confext/sysext should support this too. + - Pin the mount namespace via FD by sending it back from sd-exec to the manager, and use it + for live mounting, instead of doing it via PID + - also remove PID files of a service when the service starts, not just + when it exits + - activation by journal search expression + - lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up + - find a way how we can reload unit file configuration for + specific units only, without reloading the whole of systemd + + - **PidRef conversion work:** + - cg_pid_get_xyz() + - pid_from_same_root_fs() + - get_ctty_devnr() + - actually wait for POLLIN on pidref's pidfd in service logic + - openpt_allocate_in_namespace() + - unit_attach_pid_to_cgroup_via_bus() + - cg_attach() – requires new kernel feature + - journald's process cache - * if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it + - port copy.c over to use LabelOps for all labelling. - * pid1: also remove PID files of a service when the service starts, not just - when it exits + - portable services: attach not only unit files to host, but also simple + binaries to a tmpfs path in $PATH. - * seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can. - Apparently kernel performance is much better with fewer larger seccomp - filters than with more smaller seccomp filters. + - portabled: when extracting unit files and copying to system.attached, if a + .p7s is available in the image, use it to protect the system.attached copy + with fs-verity, so that it cannot be tampered with - * systemd-path: Add "private" runtime/state/cache dir enum, mapping to - $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such + - print a nicer explanation if people use variable/specifier expansion in ExecStart= for the first word - * seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out + - **Process credentials in:** + - crypttab-generator: allow defining additional crypttab-like volumes via + credentials (similar: verity-generator, integrity-generator). Use + fstab-generator logic as inspiration. + - run-generator: allow defining additional commands to run via a credential + - resolved: allow defining additional /etc/hosts entries via a credential (it + might make sense to then synthesize a new combined /etc/hosts file in /run + and bind mount it on /etc/hosts for other clients that want to read it. + - repart: allow defining additional partitions via credential + - timesyncd: pick NTP server info from credential + - portabled: read a credential "portable.extra" or so, that takes a list of + file system paths to enable on start. + - make systemd-fstab-generator look for a system credential encoding root= or + usr= + - in gpt-auto-generator: check partition uuids against such uuids supplied via + sd-stub credentials. That way, we can support parallel OS installations with + pre-built kernels. - * seccomp: don't install filters for ABIs that are masked anyway for the - specific service + - properly handle loop back mounts via fstab, especially regards to fsck/passno - * busctl: maybe expose a verb "ping" for pinging a dbus service to see if it - exists and responds. + - properly serialize the ExecStatus data from all ExecCommand objects + associated with services, sockets, mounts and swaps. Currently, the data is + flushed out on reload, which is quite a limitation. - * socket units: allow creating a udev monitor socket with ListenDevices= or so, - with matches, then activate app through that passing socket over + - ProtectClock= (drops CAP_SYS_TIMES, adds seccomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc - * unify on openssl: - - figure out what to do about libmicrohttpd: - - 1.x is stable and has a hard dependency on gnutls - - 2.x is in development and has openssl support - - Worth testing against 2.x in our CI? - - port fsprg over to openssl + - ProtectKeyRing= to take keyring calls away - * add growvol and makevol options for /etc/crypttab, similar to - x-systemd.growfs and x-systemd-makefs. + - ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave) - * userdb: allow existence checks + - ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill + on PID 1 with the relevant signals, and makes relevant files in /sys and + /proc (such as the sysrq stuff) unavailable - * pid1: activation by journal search expression + - ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away) - * when switching root from initrd to host, set the machine_id env var so that - if the host has no machine ID set yet we continue to use the random one the - initrd had set. + - ptyfwd: use osc context information in vmspawn/nspawn/… to optionally only + listen to ^]]] key when no further vmspawn/nspawn context is allocated - * sd-event: add native support for P_ALL waitid() watching, then move PID 1 to - it for reaping assigned but unknown children. This needs to some special care - to operate somewhat sensibly in light of priorities: P_ALL will return - arbitrary processes, regardless of the priority we want to watch them with, - hence on each event loop iteration check all processes which we shall watch - with higher prio explicitly, and then watch the entire rest with P_ALL. + - ptyfwd: usec osc context information to propagate status messages from + vmspawn/nspawn to service manager's "status" string, reporting what is + currently in the fg - * tweak sd-event's child watching: keep a prioq of children to watch and use - waitid() only on the children with the highest priority until one is waitable - and ignore all lower-prio ones from that point on + - pull-oci: progress notification - * maybe introduce xattrs that can be set on the root dir of the root fs - partition that declare the volatility mode to use the image in. Previously I - thought marking this via GPT partition flags but that's not ideal since - that's outside of the LUKS encryption/verity verification, and we probably - shouldn't operate in a volatile mode unless we got told so from a trusted - source. + - redefine /var/lib/extensions/ as the dir one can place all three of sysext, + confext as well is multi-modal DDIs that qualify as both. Then introduce + /var/lib/sysexts/ which can be used to place only DDIs that shall be used as + sysext - * coredump: maybe when coredumping read a new xattr from /proc/$PID/exe that - may be used to mark a whole binary as non-coredumpable. Would fix: - https://bugs.freedesktop.org/show_bug.cgi?id=69447 + - refcounting in sd-resolve is borked - * teach parse_timestamp() timezones like the calendar spec already knows it + - refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up - * We should probably replace /etc/rc.d/README with a symlink to doc - content. After all it is constant vendor data. + - remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good - * maybe add kernel cmdline params: to force random seed crediting + - remove tomoyo support, it's obsolete and unmaintained apparently - * let's not GC a unit while its ratelimits are still pending + - RemoveKeyRing= to remove all keyring entries of the specified user - * when killing due to service watchdog timeout maybe detect whether target - process is under ptracing and then log loudly and continue instead. + - repart + cryptsetup: support file systems that are encrypted and use verity + on top. Usecase: confexts that shall be signed by the admin but also be + confidential. Then, add a new --make-ddi=confext-encrypted for this. - * make rfkill uaccess controllable by default, i.e. steal rule from - gnome-bluetooth and friends + - repart/gpt-auto/DDIs: maybe introduce a concept of "extension" partitions, + that have a new type uuid and can "extend" earlier partitions, to work around + the fact that systemd-repart can only grow the last partition defined. During + activation we'd simply set up a dm-linear mapping to merge them again. A + partition that is to be extended would just set a bit in the partition flags + field to indicate that there's another extension partition to look for. The + identifying UUID of the extension partition would be hashed in counter mode + from the uuid of the original partition it extends. Inspiration for this is + the "dynamic partitions" concept of new Android. This would be a minimalistic + concept of a volume manager, with the extents it manages being exposes as GPT + partitions. I a partition is extended multiple times they should probably + grow exponentially in size to ensure O(log(n)) time for finding them on + access. - * make MAINPID= message reception checks even stricter: if service uses User=, - then check sending UID and ignore message if it doesn't match the user or - root. + - repart: introduce concept of "ghost" partitions, that we setup in almost all + ways like other partitions, but do not actually register in the actual gpt + table, but only tell the kernel about via BLKPG ioctl. These partitions are + disk backed (hence can be large), but not persistent (as they are invisible + on next boot). Could be used by live media and similar, to boot up as usual + but automatically start at zero on each boot. There should also be a way to + make ghost partitions properly persistent on request. - * maybe trigger a uevent "change" on a device if "systemctl reload xyz.device" - is issued. + - repart: introduce MigrateFileSystem= or so which is a bit like + CopyFiles=/CopyBlocks= but operates via btrfs device logic: adds target as + new device then removes source from btrfs. Usecase: a live medium which uses + "ghost" partitions as suggested above, which can become persistent on request + on another device. - * when importing an fs tree with machined, optionally apply userns-rec-chown + - replace all \x1b, \x1B, \033 C string escape sequences in our codebase with a + more readable \e. It's a GNU extension, but a ton more readable than the + others, and most importantly it doesn't result in confusing errors if you + suffix the escape sequence with one more decimal digit, because compilers + think you might actually specify a value outside the 8bit range with that. - * when importing an fs tree with machined, complain if image is not an OS - - * Maybe introduce a helper safe_exec() or so, which is to execve() which - safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit - to 1K implicitly, unless explicitly opted-out. + - replace all uses of fopen_temporary() by fopen_tmpfile_linkable() + + flink_tmpfile() and then get rid of fopen_temporary(). Benefit: use O_TMPFILE + pervasively, and avoid rename() wherever we can. - * rework seccomp/nnp logic that even if User= is used in combination with - a seccomp option we don't have to set NNP. For that, change uid first while - keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap. + - replace bootctl's PE version check to actually use APIs from pe-binary.[ch] + to find binary version. - * when no locale is configured, default to UEFI's PlatformLang variable + - replace symlink_label(), mknodat_label(), btrfs_subvol_make_label(), + mkdir_label() and related calls by flags-based calls that use + label_ops_pre()/label_ops_post(). - * add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and - usefaultd() and make systemd-analyze check for it. + - report: have something that requests cloud workload identity bearer tokens + and includes it in the report - * paranoia: whenever we process passwords, call mlock() on the memory - first. i.e. look for all places we use free_and_erasep() and - augment them with mlock(). Also use MADV_DONTDUMP. - Alternatively (preferably?) use memfd_secret(). + - **report:** + - plug "facts" into systemd-report too, i.e. stuff that is more static, such as hostnames, ssh keys and so on. + - pass filtering hints to services, so that they can also be applied server-side, not just client side + - metrics from pid1: suppress metrics form units that are inactive and have nothing to report + - add "hint-suppress-zero" flag (which suppresses all metrics which are zero) + - add "hint-object" parameter (which only queries info about certain object) + - make systemd-report a varlink service - * Move RestrictAddressFamily= to the new cgroup create socket + - Reset TPM2 DA bit on each successful boot - * optionally: turn on cgroup delegation for per-session scope units + - **resolved:** + - mDNS/DNS-SD + - service registration + - service/domain/types browsing + - avahi compat + - DNS-SD service registration from socket units + - resolved should optionally register additional per-interface LLMNR + names, so that for the container case we can establish the same name + (maybe "host") for referencing the server, everywhere. + - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?) + - make resolved process DNR DHCP info + - report ttl in resolution replies if we know it. This data is useful + for tools such as wireguard which want to periodically re-resolve DNS names, + and might want to use the TTL has hint for that. + - take possession of some IPv6 ULA address (let's say + fd00:5353:5353:5353:5353:5353:5353:5353), and listen on port 53 on it for the + local stubs, so that we can make the stub available via ipv6 too. + + - revisit how we pass fs images and initrd to the kernel. take uefi http boot + ramdisks as inspiration: for any confext/sysext/initrd erofs/DDI image simply + generate a fake pmem region in the UEFI memory tables, that Linux then turns + into /dev/pmemX. Then turn of cpio-based initrd logic in linux kernel, + instead let kernel boot directly into /dev/pmem0. In order to allow our usual + cpio-based parameterization, teach PID 1 to just uncompress cpio ourselves + early on, from another pmem device. (Related to this, maybe introduce a new + PE section .ramdisk that just synthesizes pmem devices from arbitrary + blobs. Could be particularly useful in add-ons) - * sd-boot: optionally, show boot menu when previous default boot item has - non-zero "tries done" count + - rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its + magic meaning and is no longer upgraded to something else if set explicitly. - * augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which - contains some identifier for the project, which allows us to include - clickable links to source files generating these log messages. The identifier - could be some abberviated URL prefix or so (taking inspiration from Go - imports). For example, for systemd we could use - CODE_BASE=github.com/systemd/systemd/blob/98b0b1123cc or so which is - sufficient to build a link by prefixing "http://" and suffixing the - CODE_FILE. + - rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the + kernel doesn't support linkat() that replaces existing files, currently) - * Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can - make clickable links from log messages carrying a MESSAGE_ID, that lead to - some explanatory text online. + - rework journalctl -M to be based on a machined method that generates a mount + fd of the relevant journal dirs in the container with uidmapping applied to + allow the host to read it, while making everything read-only. - * maybe extend .path units to expose fanotify() per-mount change events + - rework loopback support in fstab: when "loop" option is used, then + instantiate a new systemd-loop@.service for the source path, set the + lo_file_name field for it to something recognizable derived from the fstab + line, and then generate a mount unit for it using a udev generated symlink + based on lo_file_name. - * hibernate/s2h: if swap is on weird storage and refuse if so + - rework recursive read-only remount to use new mount API - * cgroups: use inotify to get notified when somebody else modifies cgroups - owned by us, then log a friendly warning. + - rework seccomp/nnp logic that even if User= is used in combination with + a seccomp option we don't have to set NNP. For that, change uid first while + keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap. - * beef up log.c with support for stripping ANSI sequences from strings, so that - it is OK to include them in log strings. This would be particularly useful so - that our log messages could contain clickable links for example for unit - files and suchlike we operate on. + - rewrite bpf-devices in libbpf/C code, rather than home-grown BPF assembly, to + match bpf-restrict-fs, bpf-restrict-ifaces, bpf-socket-bind - * add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration) + - rewrite bpf-firewall in libbpf/C code - * sync dynamic uids/gids between host+portable service (i.e. if DynamicUser=1 is set for a service, make sure that the - selected user is resolvable in the service even if it ships its own /etc/passwd) + - rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it - * Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the - other doesn't. What a disaster. Probably to exclude it. + - rough proposed implementation design for remote attestation infra: add a tool + that generates a quote of local PCRs and NvPCRs, along with synchronous log + snapshot. use "audit session" logic for that, so that we get read-outs and + signature in one step. Then turn this into a JSON object. Use the "TCG TSS 2.0 + JSON Data Types and Policy Language" format to encode the signature. And CEL + for the measurement log. - * Check that users of inotify's IN_DELETE_SELF flag are using it properly, as - usually IN_ATTRIB is the right way to watch deleted files, as the former only - fires when a file is actually removed from disk, i.e. the link count drops to - zero and is not open anymore, while the latter happens when a file is - unlinked from any dir. + - run0: maybe enable utmp for run0 sessions, so that they are easily visible. - * systemctl, machinectl, loginctl: port "status" commands over to - format-table.c's vertical output logic. + - sd-boot/sd-stub: install a uefi "handle" to a sidecar dir of bls type #1 + entries with an "uki" or "uki-url" stanza, and make sd-stub look for + that. That way we can parameterize type #1 entries nicely. - * pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up + - **sd-boot:** + - do something useful if we find exactly zero entries (ignoring items + such as reboot/poweroff/factory reset). Show a help text or so. + - optionally ask for confirmation before executing certain operations + (e.g. factory resets, storagetm with world access, and so on) + - for each installed OS, grey out older entries (i.e. all but the + newest), to indicate they are obsolete + - we probably should include all BootXY EFI variable defined boot + entries in our menu, and then suppress ourselves. Benefit: instant + compatibility with all other OSes which register things there, in particular + on other disks. Always boot into them via NextBoot EFI variable, to not + affect PCR values. + - should look for information what to boot in SMBIOS, too, so that VM + managers can tell sd-boot what to boot into and suchlike + - instead of unconditionally deriving the ESP to search boot loader + spec entries in from the paths of sd-boot binary, let's optionally allow it + to be configured on sd-boot cmdline + efi var. Use case: embed sd-boot in the + UEFI firmware (for example, ovmf supports that via qemu cmdline option), and + use it to load stuff from the ESP. + - optionally, show boot menu when previous default boot item has + non-zero "tries done" count + + - **sd-bus:** + - EBADSLT handling + - GetAllProperties() on a non-existing object does not result in a failure currently + - port to sd-resolve for connecting to TCP dbus servers + - see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of the machine of the bus itself + - see if we can drop more message validation on the sending side + - add API to clone sd_bus_message objects + - longer term: priority inheritance + - dbus spec updates: + - NameLost/NameAcquired obsolete + - path escaping + - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now + - add vtable flag, that may be used to request client creds implicitly + and asynchronously before dispatching the operation + - parse addresses given in sd_bus_set_addresses immediately and not + only when used. Add unit tests. + + - **sd-device:** + - add an API for acquiring list of child devices, given a device + objects (i.e. all child dirents that dirs or symlinks to dirs) + - maybe pin the sysfs dir with an fd, during the entire runtime of + an sd_device, then always work based on that. + - should return the devnum type (i.e. 'b' or 'c') via some API for an + sd_device object, so that data passed into sd_device_new_from_devnum() can + also be queried. + + - **sd-event:** + - allow multiple signal handlers per signal? + - document chaining of signal handler for SIGCHLD and child handlers + - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ... + - maybe support iouring as backend, so that we allow hooking read and write + operations instead of IO ready events into event loops. See considerations + here: + http://blog.vmsplice.net/2020/07/rethinking-event-loop-integration-for.html + - add ability to "chain" event sources. Specifically, add a call + sd_event_source_chain(x, y), which will automatically enable event source y + in oneshot mode once x is triggered. Use case: in src/core/mount.c implement + the /proc/self/mountinfo rescan on SIGCHLD with this: whenever a SIGCHLD is + seen, trigger the rescan defer event source automatically, and allow it to be + dispatched *before* the SIGCHLD is handled (based on priorities). Benefit: + dispatch order is strictly controlled by priorities again. (next step: chain + event sources to the ratelimit being over) + - compat wd reuse in inotify code: keep a set of removed watch + descriptors, and clear this set piecemeal when we see the IN_IGNORED event + for it, or when read() returns EAGAIN or on IN_Q_OVERFLOW. Then, whenever we + see an inotify wd event check against this set, and if it is contained ignore + the event. (to be fully correct this would have to count the occurrences, in + case the same wd is reused multiple times before we start processing + IN_IGNORED again) + - optionally, if per-event source rate limit is hit, downgrade + priority, but leave enabled, and once ratelimit window is over, upgrade + priority again. That way we can combat event source starvation without + stopping processing events from one source entirely. + - similar to existing inotify support add fanotify support (given + that apparently new features in this area are only going to be added to the + latter). + - add 1st class event source for clock changes + - add 1st class event source for timezone changes + - add native support for P_ALL waitid() watching, then move PID 1 to + it for reaping assigned but unknown children. This needs to some special care + to operate somewhat sensibly in light of priorities: P_ALL will return + arbitrary processes, regardless of the priority we want to watch them with, + hence on each event loop iteration check all processes which we shall watch + with higher prio explicitly, and then watch the entire rest with P_ALL. + + - sd-journal puts a limit on parallel journal files to view at once. journald + should probably honour that same limit (JOURNAL_FILES_MAX) when vacuuming to + ensure we never generate more files than we can actually view. - * add --vacuum-xyz options to coredumpctl, matching those journalctl already has. + - sd-lldp: pick up 802.3 maximum frame size/mtu, to be able to detect jumbo + frame capable networks - * add CopyFile= or so as unit file setting that may be used to copy files or - directory trees from the host to the services RootImage= and RootDirectory= - environment. Which we can use for /etc/machine-id and in particular - /etc/resolv.conf. Should be smart and do something useful on read-only - images, for example fall back to read-only bind mounting the file instead. + - **sd-rtnl:** + - add support for more attribute types + - inbuilt piping support (essentially degenerate async)? see loopback-setup.c and other places - * bypass SIGTERM state in unit files if KillSignal is SIGKILL + - **sd-stub:** + - detect if we are running with uefi console output on serial, and if so + automatically add console= to kernel cmdline matching the same port. + - add ".bootcfg" section for kernel bootconfig data (as per + https://docs.kernel.org/admin-guide/bootconfig.html) - * add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1 - and so on, which would mean we could report errors and such. + - sd_notify/vsock: maybe support binding to AF_VSOCK in Type=notify services, + then passing $NOTIFY_SOCKET and $NOTIFY_GUESTCID with PID1's cid (typically + fixed to "2", i.e. the official host cid) and the expected guest cid, for the + two sides of the channel. The latter env var could then be used in an + appropriate qemu cmdline. That way qemu payloads could talk sd_notify() + directly to host service manager. - * introduce DefaultSlice= or so in system.conf that allows changing where we - place our units by default, i.e. change system.slice to something - else. Similar, ManagerSlice= should exist so that PID1's own scope unit could - be moved somewhere else too. Finally machined and logind should get similar - options so that it is possible to move user session scopes and machines to a - different slice too by default. Use case: people who want to put resources on - the entire system, with the exception of one specific service. See: - https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html + - **seccomp:** + - maybe use seccomp_merge() to merge our filters per-arch if we can. + Apparently kernel performance is much better with fewer larger seccomp + filters than with more smaller seccomp filters. + - by default mask x32 ABI system wide on x86-64. it's on its way out + - don't install filters for ABIs that are masked anyway for the + specific service - * calenderspec: add support for week numbers and day numbers within a - year. This would allow us to define "bi-weekly" triggers safely. + - seems that when we follow symlinks to units we prefer the symlink + destination path over /etc and /usr. We should not do that. Instead + /etc should always override /run+/usr and also any symlink + destination. - * sd-bus: add vtable flag, that may be used to request client creds implicitly - and asynchronously before dispatching the operation + - .service with invalid Sockets= starts successfully. - * sd-bus: parse addresses given in sd_bus_set_addresses immediately and not - only when used. Add unit tests. + - services: add support for cryptographically unlocking per-service directories + via TPM2. Specifically, for StateDirectory= (and related dirs) use fscrypt to + set up the directory so that it can only be accessed if host and app are in + order. - * make use of ethtool veth peer info in machined, for automatically finding out - host-side interface pointing to the container. + - shared/wall: Once more programs are taught to prefer sd-login over utmp, + switch the default wall implementation to wall_logind + (https://github.com/systemd/systemd/pull/29051#issuecomment-1704917074) - * add some special mode to LogsDirectory=/StateDirectory=… that allows - declaring these directories without necessarily pulling in deps for them, or - creating them when starting up. That way, we could declare that - systemd-journald writes to /var/log/journal, which could be useful when we - doing disk usage calculations and so on. + - show whether a service has out-of-date configuration in "systemctl status" by + using mtime data of ConfigurationDirectory=. - * deprecate RootDirectoryStartOnly= in favour of a new ExecStart= prefix char + - shutdown logging: store to EFI var, and store to USB stick? - * support projid-based quota in machinectl for containers + - signed bpf loading: to address need for signature verification for bpf + programs when they are loaded, and given the bpf folks don't think this is + realistic in kernel space, maybe add small daemon that facilitates this + loading on request of clients, validates signatures and then loads the + programs. This daemon should be the only daemon with privs to do load BPF on + the system. It might be a good idea to run this daemon already in the initrd, + and leave it around during the initrd transition, to continue serve requests. + Should then live in its own fs namespace that inherits from the initrd's + fs tree, not from the host, to isolate it properly. Should set + PR_SET_DUMPABLE so that it cannot be ptraced from the host. Should have + CAP_SYS_BPF as only service around. - * add a way to lock down cgroup migration: a boolean, which when set for a unit - makes sure the processes in it can never migrate out of it + - SIGRTMIN+18 and memory pressure handling should still be added to: hostnamed, + localed, oomd, timedated. - * blog about fd store and restartable services + - socket units: allow creating a udev monitor socket with ListenDevices= or so, + with matches, then activate app through that passing socket over - * document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document + - special case some calls of chase() to use openat2() internally, so + that the kernel does what we otherwise do. - * rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its - magic meaning and is no longer upgraded to something else if set explicitly. + - Split vconsole-setup in two, of which the second is started via udev (instead + of the "restart" job it currently fires). That way, boot becomes purely + positive again, and we can nicely order the two against each other. - * in the long run: permit a system with /etc/machine-id linked to /dev/null, to - make it lose its identity, i.e. be anonymous. For this we'd have to patch - through the whole tree to make all code deal with the case where no machine - ID is available. + - start making use of the new --graceful switch to util-linux' umount command - * optionally, collect cgroup resource data, and store it in per-unit RRD files, - suitable for processing with rrdtool. Add bus API to access this data, and - possibly implement a CPULoad property based on it. + - start using STATX_SUBVOL in btrfs_is_subvol(). Also, make use of it + generically, so that image discovery recognizes bcachefs subvols too. - * beef up pam_systemd to take unit file settings such as cgroups properties as - parameters + - storagetm: maybe also serve the specified disk via HTTP? we have glue for + microhttpd anyway already. Idea would also be serve currently booted UKI as + separate HTTP resource, so that EFI http boot on another system could + directly boot from our system, with full access to the hdd. - * In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant - disks to see if the UID is already in use. + - **storagetm:** + - add USB mass storage device logic, so that all local disks are also exposed + as mass storage devices on systems that have a USB controller that can + operate in device mode + - add NVMe authentication - * Add AddUser= setting to unit files, similar to DynamicUser=1 which however - creates a static, persistent user rather than a dynamic, transient user. We - can leverage code from sysusers.d for this. + - support boot into nvme-over-tcp: add generator that allows specifying nvme + devices on kernel cmdline + credentials. Also maybe add interactive mode + (where the user is prompted for nvme info), in order to boot from other + system's HDD. - * add some optional flag to ReadWritePaths= and friends, that has the effect - that we create the dir in question when the service is started. Example: + - support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting) - ReadWritePaths=:/var/lib/foobar + - support projid-based quota in machinectl for containers - * Add ExecMonitor= setting. May be used multiple times. Forks off a process in - the service cgroup, which is supposed to monitor the service, and when it - exits the service is considered failed by its monitor. + - Support ReadWritePaths/ReadOnlyPaths/InaccessiblePaths in systemd --user instances + via the new unprivileged Landlock LSM (https://landlock.io) - * track the per-service PAM process properly (i.e. as an additional control - process), so that it may be queried on the bus and everything. + - support specifying download hash sum in systemd-import-generator expression + to pin image/tarball. - * add a new "debug" job mode, that is propagated to unit_start() and for - services results in two things: we raise SIGSTOP right before invoking - execve() and turn off watchdog support. Then, use that to implement - "systemd-gdb" for attaching to the start-up of any system service in its - natural habitat. + - sync dynamic uids/gids between host+portable service (i.e. if DynamicUser=1 is set for a service, make sure that the + selected user is resolvable in the service even if it ships its own /etc/passwd) - * add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and - then use that for the setting used in user@.service. It should be understood - relative to the configured default value. + - synchronize console access with BSD locks: + https://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html - * enable LockMLOCK to take a percentage value relative to physical memory + - sysext: before applying a sysext, do a superficial validation run so that + things are not rearranged to wildy. I.e. protect against accidental fuckups, + such as masking out /usr/lib/ or so. We should probably refuse if existing + inodes are replaced by other types of inodes or so. - * Permit masking specific netlink APIs with RestrictAddressFamily= + - sysext: measure all activated sysext into a TPM PCR - * define gpt header bits to select volatility mode + - system BPF LSM policy that enforces that block device backed mounts may only + be established on top of dm-crypt or dm-verity devices, or an allowlist of + file systems (which should probably include vfat, for compat with the ESP) - * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc + - system BPF LSM policy that prohibits creating files owned by "nobody" + system-wide - * ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away) + - system BPF LSM policy that prohibits creating or opening device nodes outside + of devtmpfs/tmpfs, except if they are the pseudo-devices /dev/null, + /dev/zero, /dev/urandom and so on. - * ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave) + - "systemctl preset-all" should probably order the unit files it + operates on lexicographically before starting to work, in order to + ensure deterministic behaviour if two unit files conflict (like DMs + do, for example) - * ProtectKeyRing= to take keyring calls away + - systemctl, machinectl, loginctl: port "status" commands over to + format-table.c's vertical output logic. - * RemoveKeyRing= to remove all keyring entries of the specified user + - **systemctl:** + - add systemctl switch to dump transaction without executing it + - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done + - print nice message from systemctl --failed if there are no entries shown, and hook that into ExecStartPre of rescue.service/emergency.service + - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible + - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards? + - systemctl: "Journal has been rotated since unit was started." message is misleading + - if some operation fails, show log output? - * ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill - on PID 1 with the relevant signals, and makes relevant files in /sys and - /proc (such as the sysrq stuff) unavailable + - systemd-analyze inspect-elf should show other notes too, at least build-id. - * Support ReadWritePaths/ReadOnlyPaths/InaccessiblePaths in systemd --user instances - via the new unprivileged Landlock LSM (https://landlock.io) + - systemd-analyze netif that explains predictable interface (or networkctl) - * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things + - systemd-analyze: port "pcrs" verb to talk directly to TPM device, instead of + using sysfs interface (well, or maybe not, as that would require privileges?) - * in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set, - find a way to map the User=/Group= of the service to the right name. This way - a user/group for a service only has to exist on the host for the right - mapping to work. + - systemd-boot: maybe add support for collapsing menu entries of the same OS + into one item that can be opened (like in a "tree view" UI element) or + collapsed. If only a single OS is installed, disable this mode, but if + multiple OSes are installed might make sense to default to it, so that user + is not immediately bombarded with a multitude of Linux kernel versions but + only one for each OS. - * add bus API for creating unit files in /etc, reusing the code for transient units + - systemd-creds: extend encryption logic to support asymmetric + encryption/authentication. Idea: add new verb "systemd-creds public-key" + which generates a priv/pub key pair on the TPM2 and stores the priv key + locally in /var. It then outputs a certificate for the pub part to stdout. + This can then be copied/taken elsewhere, and can be used for encrypting creds + that only the host on its specific hw can decrypt. Then, support a drop-in + dir with certificates that can be used to authenticate credentials. Flow of + operations is then this: build image with owner certificate, then after + boot up issue "systemd-creds public-key" to acquire pubkey of the machine. + Then, when passing data to the machine, sign with privkey belonging to one of + the dropped in certs and encrypted with machine pubkey, and pass to machine. + Machine is then able to authenticate you, and confidentiality is guaranteed. - * add bus API to remove unit files from /etc + - systemd-cryptenroll: add --firstboot or so, that will interactively ask user + whether recovery key shall be enrolled and do so - * add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only) + - systemd-dissect: add --cat switch for dumping files such as /etc/os-release - * rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the - kernel doesn't support linkat() that replaces existing files, currently) + - systemd-dissect: show available versions inside of a disk image, i.e. if + multiple versions are around of the same resource, show which ones. (in other + words: show partition labels). - * transient units: don't bother with actually setting unit properties, we - reload the unit file anyway + - systemd-firstboot: optionally install an ssh key for root for offline use. - * optionally, also require WATCHDOG=1 notifications during service start-up and shutdown + - systemd-gpt-auto-generator: add kernel cmdline option to override block + device to dissect. also support dissecting a regular file. useccase: include + encrypted/verity root fs in UKI. - * cache sd_event_now() result from before the first iteration... + - systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep() - * PID1: find a way how we can reload unit file configuration for - specific units only, without reloading the whole of systemd + - **systemd-measure tool:** + - pre-calculate PCR 12 (command line) + PCR 13 (sysext) the same way we can precalculate PCR 11 - * add an explicit parser for LimitRTPRIO= that verifies - the specified range and generates sane error messages for incorrect - specifications. + - systemd-measure: add --pcrpkey-auto as an alternative to --pcrpkey=, where it + would just use the same public key specified with --public-key= (or the one + automatically derived from --private-key=). - * when we detect that there are waiting jobs but no running jobs, do something + - systemd-mount should only consider modern file systems when mounting, similar + to systemd-dissect - * PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn) + - systemd-path: Add "private" runtime/state/cache dir enum, mapping to + $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such - * there's probably something wrong with having user mounts below /sys, - as we have for debugfs. for example, src/core/mount.c handles mounts - prefixed with /sys generally special. - https://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html + - **systemd-pcrextend:** + - once we have that start measuring every sysext we apply, every confext, + every RootImage= we apply, every nspawn and so on. All in separate fake + PCRs. - * fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline + - **systemd-repart:** + - implement Integrity=data/meta and Integrity=inline for non-LUKS + case. Currently, only Integrity=inline combined with Encrypt= is implemented + and uses libcryptsetup features. Add support for plain dm-integrity setups when + integrity tags are stored by the device (inline), interleaved with data (data), + and on a separate device (meta). + - add --ghost, that creates file systems, updates the kernel's + partition table but does *not* update partition table on disk. This way, we + have disk backed file systems that go effectively disappear on reboot. This + is useful when booting from a "live" usb stick that is writable, as it means + we do not have to place everything in memory. Moreover, we could then migrate + the file systems to disk later (using btrfs device replacement), if needed as + part of an installer logic. + - make useful to duplicate current OS onto a second disk, so + that we can sanely copy ESP contents, /usr/ images, and then set up btrfs + raid for the root fs to extend/mirror the existing install. This would be + very similar to the concept of live-install-through-btrfs-migration. + - add --installer or so, that will interactively ask for a + target disk, maybe ask for confirmation, and install something on disk. Then, + hook that into installer.target or so, so that it can be used to + install/replicate installs + - should probably enable btrfs' "temp_fsid" feature for all file + systems it creates, as we have no interest in RAID for repart, and it should + make sure that we can mount them trivially everywhere. + - add support for formatting dm-crypt + dm-integrity file + systems. + - also derive the volume key from the seed value, for the + aforementioned purpose. - - add support for generating ISO9660 images + - in addition to the existing "factory reset" mode (which + simply empties existing partitions marked for that). add a mode where + partitions marked for it are entirely removed. Use case: remove secondary OS + copy, and redundant partitions entirely, and recreate them anew. + - if the GPT *disk* UUID (i.e. the one global for the entire + disk) is set to all FFFFF then use this as trigger for factory reset, in + addition to the existing mechanisms via EFI variables and kernel command + line. Benefit: works also on non-EFI systems, and can be requested on one + boot, for the next. + - read LUKS encryption key from $CREDENTIALS_DIRECTORY + - support setting up dm-integrity with HMAC + - maybe remove half-initialized image on failure. It fails + if the output file exists, so a repeated invocation will usually fail if + something goes wrong on the way. + - by default generate minimized partition tables (i.e. tables + that only cover the space actually used, excluding any free space at the + end), in order to maximize dd'ability. Requires libfdisk work, see + https://github.com/karelzak/util-linux/issues/907 + - MBR partition table support. Care needs to be taken regarding + Type=, so that partition definitions can sanely apply to both the GPT and the + MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types + for the two partition types explicitly. And provide an internal mapping so + that "Type=linux-generic" maps to the right types for both partition tables + automatically. + - allow sizing partitions as factor of available RAM, so that + we can reasonably size swap partitions for hibernation. + - allow boolean option that ensures that if existing partition + doesn't exist within the configured size bounds the whole command fails. This + is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set + of repart files for the case where ESP is large enough and one where it isn't + and XBOOTLDR is added in instead. Then apply the former first, and if it + fails to apply use the latter. + - add per-partition option to never reuse existing partition + and always create anew even if matching partition already exists. + - add per-partition option to fail if partition already exist, + i.e. is not added new. Similar, add option to fail if partition does not exist yet. + - allow disabling growing of specific partitions, or making + them (think ESP: we don't ever want to grow it, since we cannot resize vfat) + Also add option to disable operation via kernel command line. + - make it a static checker during early boot for existence and + absence of other partitions for trusted boot environments + - add support for SD_GPT_FLAG_GROWFS also on real systems, i.e. + generate some unit to actually enlarge the fs after growing the partition + during boot. + - do not print "Successfully resized …" when no change was done. + + - systemd-stub: maybe store a "boot counter" in the ESP, and pass it down to + userspace to allow ordering boots (for example in journalctl). The counter + would be monotonically increased on every boot. - * docs: bring https://systemd.io/MY_SERVICE_CANT_GET_REALTIME up to date + - systemd-sysext: add "exec" command or so that is a bit like "refresh" but + runs it in a new namespace and then just executes the selected binary within + it. Could be useful to run one-off binaries inside a sysext as a CLI tool. - * add a job mode that will fail if a transaction would mean stopping - running units. Use this in timedated to manage the NTP service - state. - https://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html -- systemd-sysext: optionally, run it in initrd already, before transitioning - into host, to open up possibility for services shipped like that. - + - systemd-tmpfiles: add concept for conditionalizing lines on factory reset + boot, or on first boot. - * The udev blkid built-in should expose a property that reflects - whether media was sensed in USB CF/SD card readers. This should then - be used to control SYSTEMD_READY=1/0 so that USB card readers aren't - picked up by systemd unless they contain a medium. This would mirror - the behaviour we already have for CD drives. + - systemd-tpm2-setup should support a mode where we refuse booting if the SRK + changed. (Must be opt-in, to not break systems which are supposed to be + migratable between PCs) - * hostnamectl: show root image uuid + - systemd-tpm2-support: add a some logic that detects if system is in DA + lockout mode, and queries the user for TPM recovery PIN then. - * Find a solution for SMACK capabilities stuff: - https://lists.freedesktop.org/archives/systemd-devel/2014-December/026188.html + - systemd: add storage API via varlink, where everyone can drop a socket in a + dir, similar, do the same thing for networking - * synchronize console access with BSD locks: - https://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html - - * as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads: - https://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html - - * figure out when we can use the coarse timers - - * maybe allow timer units with an empty Units= setting, so that they - can be used for resuming the system but nothing else. - - * what to do about udev db binary stability for apps? (raw access is not an option) - - * exponential backoff in timesyncd when we cannot reach a server + - $SYSTEMD_EXECPID that the service manager sets should + be augmented with $SYSTEMD_EXECPIDFD (and similar for + other env vars we might send). - * timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM + - **sysupdate:** + - add fuzzing to the pattern parser + - support casync as download mechanism + - "systemd-sysupdate update --all" support, that iterates through all components + defined on the host, plus all images installed into /var/lib/machines/, + /var/lib/portable/ and so on. + - Allow invocation with a single transfer definition, i.e. with + --definitions= pointing to a file rather than a dir. + - add ability to disable implicit decompression of downloaded artifacts, + i.e. a Compress=no option in the transfer definitions + - download multiple arbitrary patterns from same source + - SHA256SUMS format with bearer tokens for each resource to download + - decrypt SHA256SUMS with key from tpm + - clean up stuff on disk that disappears from SHA256SUMS + - turn http backend stuff int plugin via varlink + - for each transfer support looking at multiple sources, + pick source with newest entry. If multiple sources have the same entry, use + first configured source. Usecase: "sideload" components from local dirs, + without disabling remote sources. + - support "revoked" items, which cause the client to + downgrade/upgrade + - introduce per-user version that can update per-user installed dDIs + - make transport pluggable, so people can plug casync or + similar behind it, instead of http. + + - sysusers: allow specifying a path to an inode *and* a literal UID in the UID + column, so that if the inode exists it is used, and if not the literal UID is + used. Use this for services such as the imds one, which run under their own + UID in the initrd, and whose data should survive to the host, properly owned. - * add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL - (throughout the codebase, not only PID1) + - teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off}) - * drop nss-myhostname in favour of nss-resolve? + - teach nspawn/machined a new bus call/verb that gets you a + shell in containers that have no sensible pid1, via joining the container, + and invoking a shell directly. Then provide another new bus call/vern that is + somewhat automatic: if we detect that pid1 is running and fully booted up we + provide a proper login shell, otherwise just a joined shell. Then expose that + as primary way into the container. - * resolved: - - mDNS/DNS-SD - - service registration - - service/domain/types browsing - - avahi compat - - DNS-SD service registration from socket units - - resolved should optionally register additional per-interface LLMNR - names, so that for the container case we can establish the same name - (maybe "host") for referencing the server, everywhere. - - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?) + - teach parse_timestamp() timezones like the calendar spec already knows it - * refcounting in sd-resolve is borked + - teach systemd-nspawn the boot assessment logic: hook up vpick's try counters + with success notifications from nspawn payloads. When this is enabled, + automatically support reverting back to older OS version images if newer ones + fail to boot. - * add new gpt type for btrfs volumes + - **test/:** + - add unit tests for config_parse_device_allow() - * generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them. + - The bind(AF_UNSPEC) construct (for resetting sockets to their initial state) + should be blocked in many cases because it punches holes in many sandboxes. - * a way for container managers to turn off getty starting via $container_headless= or so... + - the pub/priv key pair generated on the TPM2 should probably also be one you + can use to get a remote attestation quote. - * figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit + - The udev blkid built-in should expose a property that reflects + whether media was sensed in USB CF/SD card readers. This should then + be used to control SYSTEMD_READY=1/0 so that USB card readers aren't + picked up by systemd unless they contain a medium. This would mirror + the behaviour we already have for CD drives. - * For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services - they run added to the initial transaction and thus confuse Type=idle. + - There's currently no way to cancel fsck (used to be possible via C-c or c on the console) - * add bus api to query unit file's X fields. + - there's probably something wrong with having user mounts below /sys, + as we have for debugfs. for example, src/core/mount.c handles mounts + prefixed with /sys generally special. + https://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html - * gpt-auto-generator: - - Make /home automount rather than mount? + - think about requeuing jobs when daemon-reload is issued? use case: + the initrd issues a reload after fstab from the host is accessible + and we might want to requeue the mounts local-fs acquired through + that automatically. - * add generator that pulls in systemd-network from containers when - CAP_NET_ADMIN is set, more than the loopback device is defined, even - when it is otherwise off + - **timer units:** + - timer units should get the ability to trigger when DST changes + - Modulate timer frequency based on battery state - * MessageQueueMessageSize= (and suchlike) should use parse_iec_size(). + - timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM - * implement Distribute= in socket units to allow running multiple - service instances processing the listening socket, and open this up - for ReusePort= + - timesyncd: when saving/restoring clock try to take boot time into account. + Specifically, along with the saved clock, store the current boot ID. When + starting, check if the boot id matches. If so, don't do anything (we are on + the same boot and clock just kept running anyway). If not, then read + CLOCK_BOOTTIME (which started at boot), and add it to the saved clock + timestamp, to compensate for the time we spent booting. If EFI timestamps are + available, also include that in the calculation. With this we'll then only + miss the time spent during shutdown after timesync stopped and before the + system actually reset. - * cgroups: - - implement per-slice CPUFairScheduling=1 switch - - introduce high-level settings for RT budget, swappiness - - how to reset dynamically changed unit cgroup attributes sanely? - - when reloading configuration, apply new cgroup configuration - - when recursively showing the cgroup hierarchy, optionally also show - the hierarchies of child processes - - add settings for cgroup.max.descendants and cgroup.max.depth, - maybe use them for user@.service + - tiny varlink service that takes a fd passed in and serves it via http. Then + make use of that in networkd, and expose some EFI binary of choice for + DHCP/HTTP base EFI boot. - * transient units: - - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt + - **tmpfiles:** + - allow time-based cleanup in r and R too + - instead of ignoring unknown fields, reject them. + - creating new directories/subvolumes/fifos/device nodes + should not follow symlinks. None of the other adjustment or creation + calls follow symlinks. + - teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4 + project quota + - teach tmpfiles.d m/M to move / atomic move + symlink old -> new + - add new line type for setting btrfs subvolume attributes (i.e. rw/ro) + - tmpfiles: add new line type for setting fcaps + - add -n as shortcut for --dry-run in tmpfiles & sysusers & possibly other places + - add new line type for moving files from some source dir to some + target dir. then use that to move sysexts/confexts and stuff from initrd + tmpfs to /run/, so that host can pick things up. - * libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops + - To mimic the new tpm2-measure-pcr= crypttab option and tpm2-measure-nvpcr= + veritytab option, add the same to integritytab (measuring the HMAC key if one + is used) - * be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1 + - tpm2-setup: reboot if we detect SRK changed - * rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it + - tpm2: add (optional) support for generating a local signing key from PCR 15 + state. use private key part to sign PCR 7+14 policies. stash signatures for + expected PCR7+14 policies in EFI var. use public key part in disk encryption. + generate new sigs whenever db/dbx/mok/mokx gets updated. that way we can + securely bind against SecureBoot/shim state, without having to renroll + everything on each update (but we still have to generate one sig on each + update, but that should be robust/idempotent). needs rollback protection, as + usual. - * If we try to find a unit via a dangling symlink, generate a clean - error. Currently, we just ignore it and read the unit from the search - path anyway. + - TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades + and such - * refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up + - track the per-service PAM process properly (i.e. as an additional control + process), so that it may be queried on the bus and everything. - * man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted. + - transient units: don't bother with actually setting unit properties, we + reload the unit file anyway - * There's currently no way to cancel fsck (used to be possible via C-c or c on the console) + - **transient units:** + - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt - * add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/ + - Turn systemd-networkd-wait-online into a small varlink service that people + can talk to and specify exactly what to wait for via a method call, and get a + response back once that level of "online" is reached. - * make sure systemd-ask-password-wall does not shutdown systemd-ask-password-console too early + - tweak journald context caching. In addition to caching per-process attributes + keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read) + keyed by cgroup path, and guarded by ctime changes. This should provide us + with a nice speed-up on services that have many processes running in the same + cgroup. - * verify that the AF_UNIX sockets of a service in the fs still exist - when we start a service in order to avoid confusion when a user - assumes starting a service is enough to make it accessible + - tweak sd-event's child watching: keep a prioq of children to watch and use + waitid() only on the children with the highest priority until one is waitable + and ignore all lower-prio ones from that point on - * Make it possible to set the keymap independently from the font on - the kernel cmdline. Right now setting one resets also the other. + - **udev-link-config:** + - Make sure ID_PATH is always exported and complete for + network devices where possible, so we can safely rely + on Path= matching - * and a dbus call to generate target from current state + - **udev:** + - move to LGPL + - kill scsi_id + - add trigger --subsystem-match=usb/usb_device device + - reimport udev db after MOVE events for devices without dev_t + - re-enable ProtectClock= once only cgroupsv2 is supported. + See f562abe2963bad241d34e0b308e48cf114672c84. - * investigate whether the gnome pty helper should be moved into systemd, to provide cgroup support. + - **udevadm: to make symlink querying with udevadm nicer:** + - do not enable the pager for queries like 'udevadm info -q symlink -r' + - add mode with newlines instead of spaces (for grep)? - * dot output for --test showing the 'initial transaction' + - udevd: extend memory pressure logic: also kill any idle worker processes - * be able to specify a forced restart of service A where service B depends on, in case B - needs to be auto-respawned? + - unify how blockdev_get_root() and sysupdate find the default root block device - * pid1: - - When logging about multiple units (stopping BoundTo units, conflicts, etc.), - log both units as UNIT=, so that journalctl -u triggers on both. - - generate better errors when people try to set transient properties - that are not supported... - https://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html - - recreate systemd's D-Bus private socket file on SIGUSR2 - - when we automatically restart a service, ensure we restart its rdeps, too. - - hide PAM options in fragment parser when compile time disabled - - Support --test based on current system state - - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle(). - - after deserializing sockets in socket.c we should reapply sockopts and things - - drop PID 1 reloading, only do reexecing (difficult: Reload() - currently is properly synchronous, Reexec() is weird, because we - cannot delay the response properly until we are back, so instead of - being properly synchronous we just keep open the fd and close it - when done. That means clients do not get a successful method reply, - but much rather a disconnect on success. - - when breaking cycles drop services from /run first, then from /etc, then from /usr - - when a bus name of a service disappears from the bus make sure to queue further activation requests - - maybe introduce CoreScheduling=yes/no to optionally set a PR_SCHED_CORE cookie, so that all - processes in a service's cgroup share the same cookie and are guaranteed not to share SMT cores - with other units https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/core-scheduling.rst - - ExtensionImages= deduplication for services is currently only applied to disk images without GPT envelope. - This should be extended to work with proper DDIs too, as well as directory confext/sysext. Moreover, - system-wide confext/sysext should support this too. - - Pin the mount namespace via FD by sending it back from sd-exec to the manager, and use it - for live mounting, instead of doing it via PID + - **unify on openssl:** + - figure out what to do about libmicrohttpd: + - 1.x is stable and has a hard dependency on gnutls + - 2.x is in development and has openssl support + - Worth testing against 2.x in our CI? + - port fsprg over to openssl - * unit files: + - **unit files:** - allow port=0 in .socket units - maybe introduce ExecRestartPre= - implement Register= switch in .socket units to enable registration