networkException [Mon, 29 Jan 2024 21:31:59 +0000 (22:31 +0100)]
resolve: include interface name in org.freedesktop.resolve1 polkit checks
this patch adds the interface name of the interface to be modified
to *details* when verifying dbus calls to the `org.freedesktop.resolve1`
D-Bus interface for all `Set*` and the `Revert` method.
when defining a polkit rule, this allows limiting the access to a specific
interface:
```js
// This rule prevents the user "vpn" to disable DNSoverTLS for any
// other interface than "vpn0". The vpn service should be allowed
// to disable DNSoverTLS on its own as it provides a local DNS
// server with search domains on the interface and this server does
// not support DNSoverTLS.
polkit.addRule(function(action, subject) {
if (action.id == "org.freedesktop.resolve1.set-dns-over-tls" &&
action.lookup("interface") == "vpn0" &&
subject.user == "vpn") {
return polkit.Result.YES;
}
});
```
resolvectl: add JSON output support for "resolvectl query"
It's easy to add. Let's do so.
This only covers record lookups, i.e. with the --type= switch.
The higher level lookups are not covered, I opted instead to print a
message there to use --type= instead.
I am a bit reluctant to defining a new JSON format for the high-level
lookups, hence I figured for now a helpful error is good enough, that
points people to the right use.
Daan De Meyer [Tue, 30 Jan 2024 21:36:12 +0000 (22:36 +0100)]
mkosi: Stop using file provides with CentOS/Fedora
dnf5 does not download filelists metadata by default anymore as this
consists of a pretty big chunk of the repository metadata. Let's make
sure the filelists metadata doesn't have to be downloaded by dnf5 by
removing any usage of file provides from our package lists.
Adrian Vovk [Sun, 21 Jan 2024 01:29:40 +0000 (20:29 -0500)]
homed: Add InhibitSuspend() method
This returns an FD that can be used to temporarily inhibit the automatic
locking on system suspend behavior of homed. As long as the FD is open,
LockAllHomes() won't lock that home directory on suspend. This allows
desktop environments to implement custom more complicated behavior
Frantisek Sumsal [Tue, 30 Jan 2024 10:25:19 +0000 (11:25 +0100)]
meson: don't install broken tmpfiles config with sshd?confdir == 'no'
20-systemd-ssh-generator.conf expands SSHCONFDIR, which is bogus when we
build with -Dsshconfdir=no. Similarly, avoid expanding SSHDCONFDIR in
20-systemd-userdb.conf when building with -Dsshconfdir=no.
Frantisek Sumsal [Tue, 30 Jan 2024 15:27:58 +0000 (16:27 +0100)]
test: explicitly set nsec3-iterations to 0
knot v3.2 and later does this by default. knot v3.1 still has the default set to
10, but it also introduced a warning that the default will be changed to 0 in
later versions, so it effectively complains about its own default, which then
fails the config check. Let's just set the value explicitly to zero to avoid
that.
~# knotc --version
knotc (Knot DNS), version 3.1.6
~# grep nsec3-iterations test/knot-data/knot.conf || echo nope
nope
~# knotc -c /build/test/knot-data/knot.conf conf-check
warning: config, policy[auto_rollover_nsec3].nsec3-iterations defaults to 10, since version 3.2 the default becomes 0
Configuration is valid
Adrian Vovk [Wed, 24 Jan 2024 00:50:21 +0000 (19:50 -0500)]
core: Fail to start/stop/reload unit if frozen
Previously, unit_{start,stop,reload} would call the low-level cgroup
unfreeze function whenever a unit was started, stopped, or reloaded. It
did so with no error checking. This call would ultimately recurse up the
cgroup tree, and unfreeze all the parent cgroups of the unit, unless an
error occurred (in which case I have no idea what would happen...)
After the freeze/thaw rework in a previous commit, this can no longer
work. If we recursively thaw the parent cgroups of the unit, there may
be sibling units marked as PARENT_FROZEN which will no longer actually
have frozen parents. Fixing this is a lot more complicated than simply
disallowing start/stop/reload on a frozen unit
Adrian Vovk [Sun, 21 Jan 2024 20:05:20 +0000 (15:05 -0500)]
core: Rework recursive freeze/thaw
This commit overhauls the way freeze/thaw works recursively:
First, it introduces new FreezerActions that are like the existing
FREEZE and THAW but indicate that the action was initiated by a parent
unit. We also refactored the code to pass these FreezerActions through
the whole call stack so that we can make use of them. FreezerState was
extended similarly, to be able to differentiate between a unit that's
frozen manually and a unit that's frozen because a parent is frozen.
Next, slices were changed to check recursively that all their child
units can be frozen before it attempts to freeze them. This is different
from the previous behavior, that would just check if the unit's type
supported freezing at all. This cleans up the code, and also ensures
that the behavior of slices corresponds to the unit's actual ability
to be frozen
Next, we make it so that if you FREEZE a slice, it'll PARENT_FREEZE
all of its children. Similarly, if you THAW a slice it will PARENT_THAW
its children.
Finally, we use the new states available to us to refactor the code
that actually does the cgroup freezing. The code now looks at the unit's
existing freezer state and the action being requested, and decides what
next state is most appropriate. Then it puts the unit in that state.
For instance, a RUNNING unit with a request to PARENT_FREEZE will
put the unit into the PARENT_FREEZING state. As another example, a
FROZEN unit who's parent is also FROZEN will transition to
PARENT_FROZEN in response to a request to THAW.
creds-util: add a concept of "user-scoped" credentials
So far credentials are a concept for system services only: to encrypt or
decrypt credential you must be privileged, as only then you can access
the TPM and the host key.
Let's break this up a bit: let's add a "user-scoped" credential, that
are specific to users. Internally this works by adding another step to
the acquisition of the symmetric encryption key for the credential: if a
"user-scoped" credential is used we'll generate an symmetric encryption
key K as usual, but then we'll use it to calculate
K' = HMAC(K, flags || uid || machine-id || username)
and then use the resulting K' as encryption key instead. This basically
includes the (public) user's identity in the encryption key, ensuring
that only if the right user credentials are specified the correct key
can be acquired.
Yu Watanabe [Sat, 27 Jan 2024 18:27:41 +0000 (03:27 +0900)]
nspawn: resolve network interface names before moving to container network namespace
To escape a kernel issue fixed by
https://github.com/torvalds/linux/commit/8e15aee621618a3ee3abecaf1fd8c1428098b7ef,
let's resolve provided interface names earlier, and adjust the interface
name pairs with the result.
Yu Watanabe [Sat, 27 Jan 2024 17:49:22 +0000 (02:49 +0900)]
sd-netlink: unify network interface name getter and resolvers
This makes rtnl_resolve_interface() always check the existence of the
resolved interface, which previously did not when a decimal formatted
ifindex is provided, e.g. "1" or "42".
This is not a hot path, but it seems silly to evalute subsequent branches,
which can never match once one has matched. Also, it makes the code harder to
read, because the reader has to first figure out that only one branch can
match.
By definition, a parameter cannot contain a comma because commas
are used to delimit parameters. So we also don't need to use parens
when the use site is delimited by commas.
Mike Yuan [Mon, 29 Jan 2024 18:07:35 +0000 (02:07 +0800)]
notify: don't exit silently when --exec but no msg
Before this commit, if --exec is used but no message shall
be sent, we silently ignore --exec and exit, which is pretty
surprising. Therefore, let's emit clear error instead.
sd-bus: tighten rules on sd_bus_query_sender_creds() a bit
Let's always derive credentials from a bus name or a conneciton fd if we
can, because they pin things.
Let's not go via PID really, because it's always racy to do so.
Note that this doesn't change much, since we wouldn't use such augmented
data for auth anyway (because it will be masked in the
sd_bus_creds.augmented mask as untrusted). But still, let's prefer
trusted data over untrusted data.
socket-util: start SO_PEERGROUP loop with sysconf(_SC_NGROUPS_MAX), too
We do this for getgroups_malloc() hence we should do this here too,
after all whether we do it for a socket peer or for ourselves doesn't
make too much of a difference.
[ 40.039232] testsuite-50.sh[624]: ++ systemd-dissect --make-archive /tmp/tmp.RZEq3t/minimal_0.raw
[ 40.044745] testsuite-50.sh[625]: ++ sha256sum
[ 40.066693] systemd-dissect[621]: libarchive.so.13 is not installed: libarchive.so.13: cannot open shared object file: No such file or directory
[ 40.068577] systemd-dissect[621]: Archive support not available (compiled without libarchive, or libarchive not installed?).
[ 40.092242] systemd-dissect[624]: libarchive.so.13 is not installed: libarchive.so.13: cannot open shared object file: No such file or directory
[ 40.095716] systemd-dissect[624]: Archive support not available (compiled without libarchive, or libarchive not installed?).
[ 40.100510] testsuite-50.sh[538]: + test e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 '!=' ''
[ 40.100510] testsuite-50.sh[538]: + test e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 = e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
[ 40.108249] testsuite-50.sh[627]: + tar t
[ 40.113791] testsuite-50.sh[626]: + systemd-dissect --make-archive /tmp/tmp.RZEq3t/minimal_0.raw
[ 40.120300] testsuite-50.sh[628]: + grep etc/os-release
[ 40.176288] systemd-dissect[626]: libarchive.so.13 is not installed: libarchive.so.13: cannot open shared object file: No such file or directory
[ 40.180273] systemd-dissect[626]: Archive support not available (compiled without libarchive, or libarchive not installed?).
[ 40.184017] testsuite-50.sh[627]: tar: This does not look like a tar archive
[ 40.185430] testsuite-50.sh[627]: tar: Exiting with failure status due to previous errors
Luca Boccassi [Tue, 23 Jan 2024 16:01:31 +0000 (16:01 +0000)]
core: add SYSTEMD_VERITY_SHARING env var for local development
When running an image that cannot be mounted (e.g.: key missing intentionally
for development purposes), there's a retry loop that takes some time
and slows development down. Add an env var to disable it.