Daan De Meyer [Tue, 30 May 2023 12:48:43 +0000 (14:48 +0200)]
mkosi: Blacklist vmw_vmci to avoid issues with vsock in Github Actions
If this module is loaded, sending readiness notifications from the
VM will fail with "no route to host" so let's blacklist the module
to prevent that from happening.
Daan De Meyer [Sun, 26 Mar 2023 16:20:41 +0000 (18:20 +0200)]
label: Introduce LabelOps to do pre/post labelling operations
By default, label_ops is initialized with a NULL pointer which translates
to noop labelling operations. In mac_selinux_init() and the new mac_smack_init(),
we initialize label_ops with a MAC specific LabelOps pointer.
We also introduce mac_init() to initialize any configured MACs and replace all
usages of mac_selinux_init() with mac_init().
All users of loopback_setup() ignore the return values (with the notable
exception of the test cases). Hence let's adjust the log messaging to
always log at LOG_WARNING level at most, and suffix messages with ",
ignoring", to make clear these failures are ignored.
find-esp: change "unprivileged_mode" parameter to be tristate
Previously, unprivileged mode for find_esp_and_warn() and
find_xbootldr_and_warn() could be enabled or disabled. With this change
it can also be set to negative in which case the functions will enable
it automatically if found to be executing without privileges.
This just moves te geteuid() check we often do for the param inside of
the functions.
At the same time internally in the functions we also pass around the
VerifyESPFlags field across the various functions instead of booleans.
Both changes are just refactoring. No changes in behaviour.
In b6033b706028a64e9affb79050ced1ad9a4f5b43 support was added to create
{/etc|/run}/credstore{|.encrypted} via tmpfiles.d with perms 0000. These
perms are so restrictive that not even root can access them unless it
has CAP_DAC_OVERRIDE capability. This is creates the dirs at boot time
1. creates both /etc/credstore *and* /etc/credstore.encrypted in both
places (the build system still won't create them in /run/, since
that's pointless since not shipped, and the runtime won't create the
dirs below /usr/lib/, since that's not generically writable anyway).
2. Both at runtime and at build time we'll create the dirs with mode
0700. This is easier for packaging tools to handle since they
generally react pretty negatively on dirs they can't enumerate.
Frantisek Sumsal [Tue, 30 May 2023 10:40:19 +0000 (12:40 +0200)]
core,shared: add a couple of asserts
To appease the LTO overlords:
In file included from ../../../../src/basic/macro.h:446,
from ../../../../src/shared/blockdev-util.h:8,
from ../../../../src/shared/creds-util.c:11:
../../../../src/shared/creds-util.c: In function 'get_credential_host_secret':
../../../../src/shared/creds-util.c:379:52: error: '%s' directive argument is null [-Werror=format-overflow=]
379 | log_debug_errno(r, "Credential secret %s/%s appeared while we were creating it, rereading.",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
../../../../src/basic/log.h:214:86: note: in definition of macro 'log_full_errno_zerook'
214 | ? log_internal(_level, _e, PROJECT_FILE, __LINE__, __func__, __VA_ARGS__) \
| ^~~~~~~~~~~
../../../../src/basic/log.h:250:41: note: in expansion of macro 'log_full_errno'
250 | #define log_debug_errno(error, ...) log_full_errno(LOG_DEBUG, error, __VA_ARGS__)
| ^~~~~~~~~~~~~~
../../../../src/shared/creds-util.c:379:33: note: in expansion of macro 'log_debug_errno'
379 | log_debug_errno(r, "Credential secret %s/%s appeared while we were creating it, rereading.",
| ^~~~~~~~~~~~~~~
../../../../src/shared/creds-util.c:379:74: note: format string is defined here
379 | log_debug_errno(r, "Credential secret %s/%s appeared while we were creating it, rereading.",
| ^~
cc1: some warnings being treated as errors
../../../../src/core/transaction.c: In function 'transaction_verify_order_one':
../../../../src/core/transaction.c:338:38: error: '%s' directive argument is null [-Werror=format-overflow=]
338 | sprintf(ans + size, "%s%s", unit_log_field, *unit_id);
| ^~
cc1: some warnings being treated as errors
Daan De Meyer [Sat, 27 May 2023 10:21:19 +0000 (12:21 +0200)]
test-udev: Skip running in container
Containers generally don't have permission to mknod() which is
required by test-udev so let's skip the test as well if we detect
we're running in a container.
Daan De Meyer [Mon, 22 May 2023 21:17:49 +0000 (23:17 +0200)]
repart: Allow target directory excludes
Currently, ExcludeFiles= supports excluding directories on the host
from being copied. Let's extend this to also support preventing files
from being copied into specific directories in the partition by adding
a new option ExcludeFilesTarget=. An example where this is useful is
when setting up btrfs subvolumes in the top level that are intended to
be mounted into specific locations, so /usr would be stored in @usr,
/home in @home, .... To accomplish this, we need to copy /usr to @usr
and prevent any files from being copied into /usr in the partition,
which with this commit, we'd be able to do as follows:
shared/loop-util: use longer delay when waiting for loop device
The kernel may be syncing a file system or doing something else that requires
more time. So make the delay a bit longer, but provide some feedback and also
grow the delay exponentially (though with a long exponent). If the kernel is
doing something else, no need to repeat so often. With 38 attempts, we get a
total of slightly above 5000 ms.
I wrote this when I thought that the the delay is not long enough. It turned
out that we were blocking the file system on the loop device, so waiting longer
wasn't helpful. But I think it's nicer to do it this way anyway.
The man page is reference documentation, so we shouldn't write too much
duplicate things here, but we can make the text a bit more approachable. This
rewords and extends the documentation as requested and suggested in #24231 and
adds some hints for the user.
The text is reworded a bit too. In particular, it's "partitions" that are not
reordered, not "partition table slots". If we were reordering things, we'd move
the partitions between slots. The slots themselves are not moveable.
Richard Phibel [Mon, 29 May 2023 22:45:09 +0000 (00:45 +0200)]
Fix failing test
In test-execute, only the unit was started, not the slice. Because of
that the slice cgroup was pruned even if it was still needed. From what
I can tell, this is because, in the test, we don't have all the
mechanics that starts the slice for a service. To fix the issue the
slice is started manually.
Dmitry V. Levin [Mon, 29 May 2023 08:00:00 +0000 (08:00 +0000)]
man: mention that udevadm verify also checks for udev rules style issues
Starting with commit acc1954a0394, udevadm verify also checks token
delimiters, which are not necessarily a matter of udev rules syntax,
but rather a question of style and readability. Mention that in the
documentation to avoid confusion.
Suggested-by: Martin Wilck <mwilck@suse.com>
Complements: acc1954a0394 ("udev-rules: check token delimiters")
There is really no reason to go out of our way to create the config files as
the unprivileged user. And in the logs, the runas calls are quite verbose,
distracting from the interesting stuff. Also add .defs/.imgs/.root to the
temporary paths to make them easier to distinguish in the logs.
KERNEL_APPEND="systemd.unit=multi-user.target" is not very useful, because the
machine will still shut down as soon as the tests succeeds or fails. But
INTERACTIVE_DEBUG=1 works great, so let's simplify the instructions and
recommend that.
Russell Harmon [Mon, 29 May 2023 01:51:36 +0000 (18:51 -0700)]
Support no-journal for dm-integrity devices.
As documented in integritysetup.8, dm-integrity devices support running
without a journal whatsoever. This change allows the
CRYPT_ACTIVATE_NO_JOURNAL flag (the same as is used with `integritysetup
--integrity-no-journal`) to be passed in during dmsetup by specifying
the `no-journal` option in integritytab.5.
Frantisek Sumsal [Mon, 29 May 2023 18:28:34 +0000 (20:28 +0200)]
home: move the assert back to the intended place
98d81cf974 moved the assertion at the beginning of home_dispatch_acquire(),
which is however before we even check for any ongoing operation, hence we
might hit it even in legitimate cases.
Let's move it back to after we check for any possibly ongoing operation, to
make it once again a safety check.
Follow-up to 98d81cf974.
Resolves: #22443 and #24036
dissect: implement the same logic as gpt-auto-generator
gpt-auto-generator does three checks: 1. whether the directory doesn't have
files, 2. whether it's not in fstab, and 3. whether it is not a mount point.
For dissect logic, 3. is not relevant, and it ignores 2.
But the check whether files exists was done only partially: it was done
for /efi, but not for /boot.
Two changes are made:
- the check whether /boot is empty is now done.
- for ESP, /boot is used in preference to /efi, if not used for XBOOTLDR.
With those changes, the logic in dissect matches what gpt-auto-generator does.
There are the two intentional differences described in the first paragraph,
gpt-auto-generator: rework/simplify logic for picking /efi or /boot
I started looking into https://github.com/uapi-group/specifications/issues/35.
BLS says:
> Otherwise [no existing XBOOTLDR partition], if on GPT and an ESP is found and
> it is large enough (let’s say at least 1G) it should be used as $BOOT and
> used as primary location to place boot loader menu resources in.
> It is recommended to mount $BOOT to /boot/, and the ESP to /efi/.
DPS says:
> The ESP used for the current boot is automatically mounted to /efi/ (or
> /boot/ as fallback), unless a different partition is mounted there (possibly
> via /etc/fstab, or because the Extended Boot Loader Partition — see below —
> exists) or the directory is non-empty on the root disk.
I don't think we want to mount the same partition in two places.
If the same partition is not mounted in two places, then the two specs are
contradictory.
The code in gpt-auto-generator implemented the logic from the DPS. It is
modified to implement the logic from BLS.
Effectively:
- if both /boot and /efi are available:
- if both XBOOTLDR and ESP exist:
ESP on /efi, XBOOTLDR on /boot
- if only ESP exists:
ESP on /boot
- if only XBOOTLDR exists:
XBOOTLDR on /boot
- if only /boot is available:
- if XBOOTLDR exists:
XBOOTLDR on /boot
- if only ESP exists:
ESP on /boot
- if only /efi is available:
- if ESP exists:
ESP on /efi
"Available" means that it the mount point is not mounted over and does not
contain files. If the directory doesn't exist, it is also "available" and will
be created later when the mount or automount unit is started.
Thus, the generator attempts to match the partitions and mount points to the
extent possible. In all cases, /boot is the primary place to install kernels.
ESP can be found on /boot or /efi, depending on the situation.
If this patch is merged, I'll submit fixes for BLS and DPS to describe the
same logic.
Richard Phibel [Tue, 23 May 2023 14:09:40 +0000 (16:09 +0200)]
core: Don't GC unit if it is in cgroup_empty_queue
The gc_unit_queue is dispatched before the cgroup_empty_queue. Because
of this, when we enter in on_cgroup_empty_event, the unit in
cgroup_empty_queue may already have been freed and we don't clean up the
corresponding cgroup. With this change, we prevent the unit from being
garbage collected if it is in the cgroup_empty_queue.
Luca Boccassi [Fri, 26 May 2023 19:45:29 +0000 (20:45 +0100)]
gpt/DPS: add more aliases for python's machine
In mkosi we set the default architecture to platform.machine() which
is again slightly incompatible for a few architectures, so add more
aliases, so that repart works by default with these names.
Yu Watanabe [Sun, 28 May 2023 05:28:32 +0000 (14:28 +0900)]
journalctl: fix --follow with non-matching filter
When there is no matching entry stored in journal, then initial call of
`sd_journal_previous()` following `sd_journal_seek_tail()` returns
zero, and does not move the read pointer.
In the main loop, on every journal event, we call `sd_journal_next()`,
even though the current location is tail, and it takes no effect.
In such a case, we need to call `sd_journal_previous()` instead of
`sd_journal_next()`.
Yu Watanabe [Sun, 28 May 2023 05:20:27 +0000 (14:20 +0900)]
sd-journal: introduce sd_journal_step_one()
After the commit 7a4ee861615101ddd2f95056cf30e69e41da86ce,
sd_journal_next() following sd_journal_seek_tail() takes no-op,
and we need to call sd_journal_previous(). This may be useful in
some cases, e.g. to fix the issue explained in the previous commit.
Piotr Drąg [Sat, 27 May 2023 16:11:35 +0000 (18:11 +0200)]
po: add a false positive to POTFILES.skip
Scripts used to detect files that should be in POTFILES.in, like
intltool-update -m used on https://l10n.gnome.org/module/systemd/,
falsely detect this file as containing translations. Avoid this
behavior by putting the file in POTFILES.skip.
Adds a new JSON object called DHCPServer for each interface that has a
DHCPServer configured. It has the following attributes:
- PoolSize and PoolOffset from the configuration
- List of offered leases
- List of static leases from the configuration
Frantisek Sumsal [Fri, 26 May 2023 19:41:43 +0000 (21:41 +0200)]
Revert "test: add test case for systemd-update-utmp vs daemon-reexec"
Temporarily revert the test case for #27167, as the additional
daemon-reexecs exacerbate #27287, making CIs fail quite often.
As the #27167 is also covered by TEST-01-BASIC itself, since we do
daemon-reexec there anyway, we shouldn't lose any coverage, but it
should make CIs more stable until #27287 is figured out.
Luca Boccassi [Fri, 26 May 2023 14:44:42 +0000 (15:44 +0100)]
gpt/DPS: alias amd64 to x86-64 and aarch64 to arm64
The DSP and our implementation mixes Debian terminology with CPU
terminology. It uses arm64 which is a Debian thing instead of
aarch64, but x86-64 which is a CPU thing instead of amd64.
Add some convenience and transparent aliasing, so that we don't
need to maintain architecture-specific and tool-specific translation
layers in mkosi among other places, while at the same time the DDIs
still look the same (ie: the partlabel does not change depending on
which alias is used, the canonical label is used on disk).
Dan Streetman [Thu, 15 Dec 2022 17:56:35 +0000 (12:56 -0500)]
tpm2: add tpm2_calculate_sealing_policy()
This adds a function to fully calculate the authPolicy needed to seal a secret,
and updates tpm2_seal() to use the new function instead of a trial policy.