We should be more careful with distinguishing the cases "all bits set in
caps mask" from "cap mask invalid". We so far mostly used UINT64_MAX for
both, which is not correct though (as it would mean
AmbientCapabilities=~0 followed by AmbientCapabilities=0) would result
in capability 63 to be set (which we don't really allow, since that
means unset).
cap-list: make sure never to accidentally return more than 63 caps
The rest of our codebase stores caps masks in a uint64_t, and also
assumes UINT64_MAX was a suitable value for "unset mask". Hence refuse
any caps outside of 0…62.
(right now the kernel knows 40 caps, hence 22 more to go before we have
to reconsider our life's choices.)
We refuse it otherwise currently, simply because we cannot store it in a
uint64_t caps mask value anymore while retaining the ability to use
UINT64_MAX as "unset" marker.
The check actually was in place already, just one off.
Yu Watanabe [Sat, 18 Feb 2023 22:15:02 +0000 (07:15 +0900)]
udev-node: drop unnecessary initialization
The priority of device node symlink can be negative. So the
initialization is confusing.
Fortunately, this changes no functionality, as we only compare the
priorities of symlinks only when we parsed at least one device node and
its priority.
Frantisek Sumsal [Mon, 20 Feb 2023 09:50:06 +0000 (10:50 +0100)]
test: ignore missing coverage in TEST-78
gcov is incompatible with DynamicUser=true without additional tweaks, so
let's ignore its complaints in this test, as working around it is not
worth it (in this case).
Mike Yuan [Sat, 18 Feb 2023 13:49:21 +0000 (21:49 +0800)]
journalctl: fix output when --lines is used with --grep
Previously, we skip the entries before arg_lines
unconditionally, which doesn't behave correctly
when used with --grep. After this commit, when
a pattern is specified, we don't skip the entries
early, but rely on the count of the lines shown
to tell us when to stop. To achieve that we would
have to search backwards instead.
mempool: rework mempool_cleanup() to only release freed tiles
This substantially reworks mempool_cleanup() so that it releases pools
with all freed tiles only, but keeps all pools with still-allocated
tiles around.
This is more correct, as the previous implementation just released all
pools regardless if anything was still used or not. This would make
valgrind shut up but would just hide memory leaks altogether. Moreover
if called during regular runtime of a program would result in bad memory
accesses all over.
Hence, let's add a proper implementation and only trim pools we really
know are empty.
This way we can safely call these functions later, when under memory
pressure, at any time.
Dan Streetman [Mon, 19 Dec 2022 14:58:05 +0000 (09:58 -0500)]
tpm2: simplify tpm2_seal() blob creation
TPM2 marshalling will never increase the total size, only possibly decrease.
There is no need for checking for insufficient size if the buffer size
is set to the sizeof both objects to be marshalled.
sd-event: allocate event source objects with the actually needed size
Currently we allocate fixed-size memory for event sources: the largest
any of the event source type needs. Discrepancy in the sizes needed for
the various event sources is quite major however: it's 144 bytes on
x86_64, i.e. more than two cache lines.
hence, let's be a tiny bit more careful, and allocate exactly as much as
we need, but not more.
systemctl: add --kill-value= argument to systemctl
This allows accompanying a signal with a value (as supported for Linux
Realtime signals). This is particularly useful as it allows us to do
stuff like this:
Yu Watanabe [Fri, 17 Feb 2023 01:21:58 +0000 (10:21 +0900)]
test-execute: also mount tmpfs on /dev/shm
Otherwise, if /dev/shm has a directory that cannot be accessible by
unprivileged user, then we cannot pick a dynamic user, and test service
may fail with unexpected error code:
---
Failed to enter shared memory directory /dev/shm/systemd-watch-bind-BqAGlN: Permission denied
exec-dynamicuser-supplementarygroups.service: Failed to update dynamic user credentials: Device or resource busy
exec-dynamicuser-supplementarygroups.service: Failed at step USER spawning /bin/sh: Device or resource busy
src/test/test-execute.c:885:test_exec_dynamicuser: exec-dynamicuser-supplementarygroups.service: can_unshare=no: exit status 217, expected 216
---
Frantisek Sumsal [Thu, 16 Feb 2023 18:48:03 +0000 (19:48 +0100)]
test: avoid matching other fields than __SEQNUM=
The current unanchored grep sometimes matches MESSAGE=/_CMDLINE= fields
that contain "__SEQNUM=" instead of just the __SEQNUM= field, causing
spurious test fails:
Jan Janssen [Thu, 16 Feb 2023 14:24:44 +0000 (15:24 +0100)]
boot: Fix assertion failure
The TPM code expects a description unless the PCR index indicates that
no measurements have to take place. The assert was preempting this
check from happening.
HATAYAMA Daisuke [Sun, 12 Feb 2023 12:15:08 +0000 (12:15 +0000)]
sulogin: fix control lost of the current terminal when default.target is rescue.target
When default.target is rescue.target, exiting from the single-user shell
results in lost of the control of the current terminal. This is because the
operation performed to continue to boot is systemctl default but default.target
is now rescue.target and it is already active. Hence, no new process that
controls the current terminal is created. Users need to make hardware reset to
recover the situation.
This sounds like a bit corner case issue and some might feel configuring
default.target as rescue.target is odd because there are several other ways to
transition to rescue.mode without configuring default.target to rescue.target
such as systemctl rescue or systemd.unit=rescue.target something like
that. However, users unfamiliar with systemd operations tend to come up with
systemctl set-default rescue.target.
To fix this issue, let's transition to default.target only when default.target
is inactive. Otherwise, invoke the single-user shell again to keep control of
the current terminal for users.
This new logic depends on whether D-Bus working well. Exiting without any check
of result of systemctl default could lead to again the control lost of the
current terminal. Hence, add checking results of each D-Bus operations
including systemctl default and invoke the single-user shell if they fail.
Luca Boccassi [Wed, 15 Feb 2023 22:06:26 +0000 (22:06 +0000)]
mkosi: configure multiarch libdir in debian/ubuntu builds
Debian/Ubuntu use /usr/lib/<triplet> instead of /usr/lib64, so configure it
accordingly. This is especially important for cryptsetup token plugins,
as cryptsetup comes from the distro and is configured to look into those
directories.
Daan De Meyer [Wed, 15 Feb 2023 10:16:28 +0000 (11:16 +0100)]
mkosi: Enable debug logging in CI
"Failed to dissect image: connection timed out" messages have been
appearing sporadically in mkosi CI. Let's enable debug logging to
help figure out why.
Frantisek Sumsal [Wed, 15 Feb 2023 17:08:35 +0000 (18:08 +0100)]
journalctl: actually run the static destructors
In journalctl we don't run the static destructors defined via
the STATIC_DESTRUCTOR_REGISTER() macro, since it requires a corresponding
static_destruct() call. In most cases this is handled by
the DEFINE_(TEST_)?MAIN*() macros, but journalctl defines its own main
function, so let's handle that as well.
$ valgrind --suppressions=valgrind.supp --show-leak-kinds=all --leak-check=full build/journalctl --no-pager -u system.slice -n 10 >/dev/null
==2778093== Memcheck, a memory error detector
==2778093== Copyright (C) 2002-2022, and GNU GPL'd, by Julian Seward et al.
==2778093== Using Valgrind-3.19.0 and LibVEX; rerun with -h for copyright info
==2778093== Command: build/journalctl --no-pager -u system.slice -n 10
==2778093==
==2778093==
==2778093== HEAP SUMMARY:
==2778093== in use at exit: 8,221 bytes in 4 blocks
==2778093== total heap usage: 458 allocs, 454 frees, 255,182 bytes allocated
==2778093==
==2778093== 13 bytes in 1 blocks are still reachable in loss record 1 of 4
==2778093== at 0x484586F: malloc (vg_replace_malloc.c:381)
==2778093== by 0x4DA256D: strdup (strdup.c:42)
==2778093== by 0x4ADB747: strv_extend_with_size (strv.c:544)
==2778093== by 0x405386: strv_extend (strv.h:45)
==2778093== by 0x40816F: parse_argv (journalctl.c:933)
==2778093== by 0x40EAB5: main (journalctl.c:2111)
==2778093==
==2778093== 16 bytes in 1 blocks are still reachable in loss record 2 of 4
==2778093== at 0x484578A: malloc (vg_replace_malloc.c:380)
==2778093== by 0x484A70B: realloc (vg_replace_malloc.c:1437)
==2778093== by 0x4ADB2A3: strv_push_with_size (strv.c:423)
==2778093== by 0x4ADB620: strv_consume_with_size (strv.c:496)
==2778093== by 0x4ADB770: strv_extend_with_size (strv.c:548)
==2778093== by 0x405386: strv_extend (strv.h:45)
==2778093== by 0x40816F: parse_argv (journalctl.c:933)
==2778093== by 0x40EAB5: main (journalctl.c:2111)
==2778093==
==2778093== LEAK SUMMARY:
==2778093== definitely lost: 0 bytes in 0 blocks
==2778093== indirectly lost: 0 bytes in 0 blocks
==2778093== possibly lost: 0 bytes in 0 blocks
==2778093== still reachable: 29 bytes in 2 blocks
==2778093== suppressed: 8,192 bytes in 2 blocks
==2778093==
==2778093== For lists of detected and suppressed errors, rerun with: -s
==2778093== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Joan Bruguera [Sun, 12 Feb 2023 20:06:08 +0000 (20:06 +0000)]
resolved: Fall back to TCP if UDP is blocked
If UDP is blocked on the system (e.g. by iptables or BPF), the kernel will
return EPERM on some or all of the system calls (connect, sendmsg, etc.).
In this case, try to fall back to TCP, which hopefully will not be blocked.
Mike Yuan [Tue, 17 Jan 2023 17:21:59 +0000 (01:21 +0800)]
vconsole: allow setting default keymap through build option
Allow defining the default keymap to be used by
vconsole-setup through a build option. A template
vconsole.conf also gets populated by tmpfiles if
it doesn't exist.