Yu Watanabe [Wed, 14 Feb 2024 22:01:17 +0000 (07:01 +0900)]
fs-util: readlinkat() supports an empty string
From readlinkat(2):
Since Linux 2.6.39, pathname can be an empty string, in which case the
call operates on the symbolic link referred to by dirfd (which should
have been obtained using open(2) with the O_PATH and O_NOFOLLOW flags).
Michael Biebl [Thu, 8 Feb 2024 13:06:00 +0000 (14:06 +0100)]
systemctl: drop chain invocation of telinit
This functionality relied on telinit being available in a different path
then the compat symlink shipped by systemd itself. This is no longer the
case for any known distro, so remove that code.
Luca Boccassi [Wed, 14 Feb 2024 17:14:21 +0000 (17:14 +0000)]
man: enchance sd_bus_set_watch_bind() example to handle one more failure
In case the D-Bus policy is not set up correctly the example just
loops forever. Check the return of sd_bus_request_name_async() in
a callback and exit if the error is not temporary.
Mike Yuan [Fri, 12 Jan 2024 13:30:49 +0000 (21:30 +0800)]
logind-session: use Requires= for user{,-runtime-dir}@.service
Since we do require these basic user services, let's make
the dependency stronger. Note that logind should enqueue
start jobs for these already in user_start(), so mostly
just paranoia.
Mike Yuan [Sat, 13 Jan 2024 18:38:11 +0000 (02:38 +0800)]
logind-user: track user started/stopping state through user-runtime-dir@.service
Before #30884, the user state is tied to user@.service (user service
manager). However, #30884 introduced sessions that need no manager,
and we can no longer rely on that.
Consider the following situation:
1. A 'background-light' session '1' is created (i.e. no user service manager
is needed)
2. Session '1' scope unit pulls in user-runtime-dir@.service
3. Session '1' exits. A stop job is enqueued for user-runtime-dir@.service
due to StopWhenUnneeded=yes
4. At the same time, another session '2' which requires user manager is started.
However, session scope units have JobMode=fail, therefore the start job
for user-runtime-dir@.service that was pulled in by session '2' scope job
is deleted as it conflicts with the stop job.
We want session scope units to continue using JobMode=fail, but we still need
the dependencies to be started correctly, i.e. explicitly requested by logind
beforehand. Therefore, let's stop using StopWhenUnneeded=yes for
user-runtime-dir@.service, and track users' `started` and `stopping` state
based on that when user@.service is not needed. Then, for every invocation
of user_start(), we'll recheck if we need the service manager and start it
if so.
Also, the dependency type on user-runtime-dir@.service from user@.service
is upgraded to `BindsTo=`, in order to ensure that when logind stops the
former, the latter is stopped as well.
Adrian Vovk [Thu, 1 Feb 2024 22:53:01 +0000 (17:53 -0500)]
keyring-util: Use reported key size to resize buf
According to keyctl(2), the return value for KEYCTL_READ is:
The amount of data that is available in the key,
irrespective of the provided buffer size
So, we could pass in a NULL buffer to query the size, then allocate the
exact right amount of space, then call keyctl again to get the key data.
However, we must still keep the for loop to avoid TOCTOU issues: the key
might have been replaced with something bigger while we're busy
allocating the buffer to store it.
Thus, we can actually save a syscall by picking some reasonable default
buffer size and skipping the NULL call to keyctl. If our default is big
enough, we're done and have saved a syscall! If not, then the first call
behaves essentially the same as the NULL call, and we use the size it
returns to reallocate the buffer appropriately.
Benjamin Franzke [Fri, 17 Nov 2023 07:03:57 +0000 (08:03 +0100)]
nspawn: add support for owneridmap bind option
owneridmap bind option will map the target directory owner from inside the
container to the owner of the directory bound from the host filesystem.
This will ensure files and directories created in the container will be owned
by the directory owner of the host filesystem. All other users will remain
unmapped. Files to be written as other users in the container will not be
allowed.
Yu Watanabe [Fri, 9 Feb 2024 11:21:25 +0000 (20:21 +0900)]
journal-file-util: drop unused template argument for journal_file_open_reliably()
I understand that the original motivation to introduce the template
argument here is to make journal_file_open() and _reliabrly() take the
same arguments. But, yeah, that's completely unused, not necessary to
complicate the code even the difference is not big.
Yu Watanabe [Fri, 2 Feb 2024 03:30:32 +0000 (12:30 +0900)]
network/ndisc: remove conflicting routes on configuring routes based on newly received RA
The linux kernel does not update several parameters, e.g. RTA_PREF.
Hence, when we configure routes based on a RA, we need to remove
existing conflicting routes.
As networkd does not configure nexthops, neighbors, or routing policy rules
dynamically, this only changes link_drop_managed_addresses(). Previously
it also removed dynamic addresses, but with this commit, now it only
removes static addresses. Note, link_drop_managed_routes() has removed
only static routes, so this commit only changes its name.
Note. as commented in the code, the dynamic addresses will be removed
on lease expiration or stopping client, and link_drop_managed_xyz() are
called on reconfiguration or so, and at that time, all dynamic
addressing clients are stopped or restarted, so this should not
effective behavior change.
efi-loader: make efi_loader_get_entries() handling missing NUL termination gracefully
Our function so far assumed that the LoaderEntries's last string is or
is not NUL terminated. But if it was, then we'd debug log about this,
claiming there was an invalid id. sd-boot actually ends the list in a
properly NUL-terminated string, hence we should just accept that. Handle
that case gracefully, and add comments explaining why we have two ways
why we exit the loop.
This is cosmetic only, just suppresses a misleading debug log message.
pam_systemd_home: make sure we handle RefUnit() returning HomeBusy properly
RefUnit() only succeeds it a home dir is fully up. We already dealt with
it not being up at all, but let's also cover the case where it is
currently busy with changing state, and in that case fall back to
RefUnrestricted(), with the usual implications.
This has the effect that two subsequent ssh logins one-after-the-other
will work correctly.
pam_systemd_home: in ssh logins and similar, ask via fallback shall for home password
ssh runs PAM session hooks before they allocate a pty for the session.
(That's because they allow multiplexed connections, and hence might run
multiple ptys over the same same session). This means PAM modules cannot
interactively ask the user for additional information as they deem fit.
That's a problem for us, since generally during an SSH login no
authentication token (aka "password") is supplied to us which we could
use to unlock the user's home dir.
With this commit we implement a way out: we allow the login to proceed,
but without the home dir activated, and then override the user's shell
with our fallback shell, which will ask for the user's password and then
chainload the actual shell.
This will of course only work if the login actually involves invoking
the configured interactive shell of the user. For other logins (such as
sftp or so), this cannot work, and they'll see an empty home dir
instead.
This is very similar to ActivateHome() but will fail if the home
directory is not referenced yet. Or in other words, this doesn't add any
new reference, but simply is the other side of RefUnrestricted(): if we
allowed a home dir to be referenced without it actually being active,
then this can catch up with things and activated what was previously
referenced already.
This also relaxes access rights to that users can always activate their
own home dirs. This is useful once we allow user code to run without the
home dir being activated.
homed: add bus call that allows referencing a home without activating it
This is useful for allowing users to login without the ability to unlock
their home dir. Usecase is ssh: ssh might grant access without giving
us the chance to unlock the home dir for the user (because it doesn't
allow us asking questions during authentication), hence with this call
we can pin the home dir, but not activate it and then allow the
activation to be delayed until later.
user-record: add fields for a fallback home dir + shell
This adds fields to the user record logic to allow a "fallback" home
directory and shell to be set as part of the "status" section of the
user record, i.e. supplied by the manager of the user record.
The idea is that if the fallback homedir/shell is set it will take
precedence over the real one in most ways.
Usecase: let's try to make ssh logins into homed directories work.
systemd-homed would set a fallback shell/homedir for inactive home dirs.
Thus, when ssh logins take place via key auth, we can allow them, and
these fallback session params would be used because the real home cannot
be activated just yet becasue we cannot acquire any password for it from
the user.
pam-systemd: automatically enable "incomplete" user session if XDG_SESSION_INCOMPLETE env var is set
This allows earlier PAM modules (i.e. pam_systemd_home) to inform
pam_systemd that the session is not "complete" yet (i.e. doesn't have
the home dir set up properly yet).
Luca Boccassi [Tue, 13 Feb 2024 13:43:49 +0000 (13:43 +0000)]
meson: do not attempt to install tests when they are disabled
If -Dtests=false but -Dinstall-tests=true the build will fail, as some tests will
be pulled in the build but not their prerequisites. It doesn't make sense to ask
for tests to be installed if they are disabled.
FAILED: test-acd
cc -o test-acd test-acd.p/src_libsystemd-network_test-acd.c.o -flto -Wl,--as-needed -Wl,--no-undefined -pie -fstack-protector -Wl,-z,relro -specs=/usr/share/debhelper/dh_package_notes/debian-package-notes.specs -g -O2 -ffile-prefix-map=/tmp/s=. -fstack-protector-strong -fstack-clash-protection -Wformat -Werror=format-security -fcf-protection -ffat-lto-objects -Wdate-time -D_FORTIFY_SOURCE=2 '-Wl,-rpath,$ORIGIN/src/shared:XXXXXXXXXXXXXXX' -Wl,-rpath-link,/tmp/s/obj-x86_64-linux-gnu/src/shared -Wl,--start-group src/shared/libsystemd-shared-255.so src/libsystemd-network/libsystemd-network.a -Wl,--end-group -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections -Wl,--fatal-warnings -Wl,-z,now -Wl,-z,relro -Wl,--warn-common -Wl,--gc-sections
/usr/bin/ld: /tmp/cc0oYwFZ.ltrans0.ltrans.o: in function `main':
./obj-x86_64-linux-gnu/./obj-x86_64-linux-gnu/<artificial>:85:(.text.startup+0x33): undefined reference to `test_setup_logging'
collect2: error: ld returned 1 exit status
An UKI final command line is not just made of the content of .cmdline,
but also from the addons that are inserted in
/boot/efi/EFI/Linux/<UKI_NAME>.efi.extra.d (local addons) and /boot/efi/loader/addons
(global addons).
Therefore bootclt "status" and "list" should also include these addons
when printing the UKI command line.
Support for /boot/efi/EFI/Linux/<UKI_NAME>.efi.extra.d is already present,
so now cover addons present in /boot/efi/loader/addons (global addons).
Example (assume UKI_NAME=devel):
$ bootctl
ukiCmdline: console=tty0 console=ttyS0
globalAddon: loader/addons/global.addon.efi
cmdline: └─quiet
localAddon: devel.efi.extra.d/rpm_addon.addon.efi
cmdline: └─this is a normal addon
finalCmdline: console=tty0 console=ttyS0 quiet this is a normal addon
An UKI final command line is not just made of the content of .cmdline,
but also from the addons that are inserted in
/boot/efi/EFI/Linux/<UKI_NAME>.efi.extra.d (local addons) and
/boot/efi/loader/addons (global addons).
Therefore bootclt "status" and "list" should also include these addons
when printing the UKI command line.
Right now, discover addons present in
/boot/efi/EFI/Linux/<UKI_NAME>.efi.extra.d.
Example output (assume UKI_NAME=devel):
$ bootctl
ukiCmdline: console=tty0 console=ttyS0
localAddon: devel.efi.extra.d/rpm_addon.addon.efi
cmdline: └─this is a normal addon
finalCmdline: console=tty0 console=ttyS0 this is a normal addon
Franck Bui [Wed, 14 Feb 2024 09:01:57 +0000 (10:01 +0100)]
test: make sure to install the filesystem package in the test image on SUSE
Othewise test images are missing the tmpfiles snippets used to create the very
basic files at boot, which can be useful when a test wants to reuse the OS tree
(is already running in) for spawning a new container in pristine state.
Adrian Vovk [Fri, 19 Jan 2024 01:48:24 +0000 (20:48 -0500)]
hashmap: Add helper to dump sorted keys
Currently, hashmap_dump_sorted sorts by key and then returns the values
in order sorted by key. This commit adds another helper that does the
same but returns the sorted keys instead
Adrian Vovk [Sat, 20 Jan 2024 00:46:07 +0000 (19:46 -0500)]
env-util: Add helper to store current log level
This is useful after a fork but before an exec into a binary that uses
systemd's logging utilities. For example, this should be used in dbus
services that fork off worker processes: currently, the log level set by
the LogControl dbus API will be lost because of the exec, and the worker
process will not have the correct log level set.
Adrian Vovk [Fri, 2 Feb 2024 20:03:54 +0000 (15:03 -0500)]
format-utils: Expose FORMAT_UID and FORMAT_GID
This pulls this generally useful helper out of sysusers and into the
util lib, and updates the places throughout the codebase where it makes
sense to use it.
Adrian Vovk [Thu, 1 Feb 2024 16:16:44 +0000 (11:16 -0500)]
homed: Add some missing asserts
These functions expect secrets to be passed in (some even dereference
the variables), but fail to assert that they're non-null. So this commit
adds some assertions
Before the commit, if a conflicting address exists or already requested,
then the configuration of newly requested address (especially, prefix
length) is mostly ignored silently.
However, after the commit, even if there exists a conflicting address,
networkd anyway tries to configure the newly requested address, and
enter failed state. Such situation can be triggered, e.g. when the DHCPv6
client is started earlier than NDisc, by WithoutRA=solicit.
Adrian Vovk [Sun, 4 Feb 2024 17:27:01 +0000 (12:27 -0500)]
user-record: Add languages field
This field is like preferredLanguage, but takes a priority list of
languages instead. If an app isn't translated into a user's primary
language, it can fall back to one of the other languages in the list
thus making the app more accessible to the user.
For instance: in my experience, many Ukrainians are fluent in Russian,
often significantly better than English (especially if they are of a
generation that grew up during the USSR). Such a person might set this
new variable to ["uk_UA.UTF-8", "ru_UA.UTF-8"] so that software that
lacks Ukrainian translations will first try Russian translations before
defaulting to English.
Adrian Vovk [Sun, 4 Feb 2024 17:18:08 +0000 (12:18 -0500)]
locale-util: Restrict valid locales
This further restricts the charset of locales to better reflect what
locales actually look like.
This allows us to safely join locale names using the `:` character, for
instance, which cannot appear in a locale name and is used by the
`$LANGUAGE` env var
Adrian Vovk [Sun, 4 Feb 2024 16:56:05 +0000 (11:56 -0500)]
pam_systemd: Let user record override env vars
The user record should be the source of truth for the user's environment
variables, and the user should be able to override them in much the same
way that they can if they simply append the variable to their ~/.profile
For example, before $LANG would never get set to the user's preferred
language, because the service manager always ensures that $LANG is set
to something (either the localed config, or a compiled-in default). Thus
the user's preferredLanguage setting was always ignored
Adrian Vovk [Sat, 13 Jan 2024 16:08:12 +0000 (11:08 -0500)]
basic: Add some sha256 helper functions
Adds a util function to sha256 an open fd (moved from dissect). Also
adds functions to check if a string contains a valid sha256 hash, and
parse it into a sha256 array.
Adrian Vovk [Wed, 17 Jan 2024 19:48:45 +0000 (14:48 -0500)]
fundamental: Add overflow-safe math helpers
ADD_SAFE/SUB_SAFE/MUL_SAFE do addition/subtraction/multiplication
respectively with an overflow check. If an overflow occurs these return
false, otherwise true. Example: (c = a + b) would become ADD_SAFE(&c, a,
b)
INC_SAFE/DEC_SAFE/MUL_ASSIGN_SAFE are like above but they also reassign
the first argument. Example: (a += b) would become INC_SAFE(&a, b)