kernel-install: silently ignore unexpected arguments for 'remove' command
The shell script version of kernel-install silently ignored unexpected
arguments, but C version refused that. Unfortunately, Fedora's kernel
script specifies kernel file even for 'remove' command. Let's accept
extra arguments and silently ignore them to keep backward compatibility.
This fixes regression introduced in 5a0c810462 with which all requests
for link properties ended up with EINVAL as we kept hitting
the signature_is_single() assert in sd_bus_get_property().
core: copy the host's os-release for /run/host/os-release
Currently for portable services we automatically add a bind mount
os-release -> /run/host/os-release. This becomes problematic for the
soft-reboot case, as it's likely that portable services will be configured
to survive it, and thus would forever keep a reference to the old host's
os-release, which would be a problem because it becomes outdated, and also
it stops the old rootfs from being garbage collected.
Create a copy when the manager starts under /run/systemd/propagate instead,
and bind mount that for all services using RootDirectory=/RootImage=, so
that on soft-reboot the content gets updated (without creating a new file,
so the existing bind mounts will see the new content too).
This expands the /run/host/os-release protocol to more services, but I
think that's a nice thing to have too.
As mentioned in the NEWS entry, it seems to see very little use, but adds
complexity in our code. It was added mainly with the goal of making it easier
for people using grub2 to modify their boot configuration, but grub2 is gaining
support for BLS snippets. On the systemd side, we now have credentials. So
let's deprecate this, and if there's no outcry, remove it in a few releases.
Petr Menšík [Sat, 15 Jul 2023 02:11:25 +0000 (04:11 +0200)]
Include in manual what DNSSEC=no means in detail
https://www.rfc-editor.org/rfc/rfc4035.html#section-3.2.1 says
security-aware recursive name server MUST set DO bit when sending
requests. systemd-resolved does not do that by design. State it more
clearly in manual page. Unlike other implementations it disables not
only validation as it stated, but complete DNSSEC awareness.
analyze: don't warn about version spec compliant versions
This commits adds version_is_valid_versionspec and uses it in
analyze-compare-version.c.
version_is_valid_versionspec differs from version_is_valid in that it acepts
empty strings and since valid characters in a version spec version are all
ASCII letters and digits as well as "-.~^", but ",_+" allowed by
version_is_valid are not.
Also give a more specific warning message on invalid characters.
test-network: check for captive portals received via NDISC
This requires fairly recent radvd that supports sending RAs with captive
portals [0].
Also, this should hopefully provide coverage for issues like:
- https://github.com/systemd/systemd/issues/28229
- https://github.com/systemd/systemd/issues/28231
- https://github.com/systemd/systemd/issues/28277
It's been a while since we introduced Differential ShellCheck and it
proved to be quite useful (and in some ways even better than the shellcheck
run by super-linter). So, to have only one linter scream at us for not
knowing how to write bash properly, let's drop the super-linter's one in
favor of Differential ShellCheck.
Follow-up for https://github.com/systemd/systemd/pull/24328#pullrequestreview-1074127504
Some of the new units using systemd-pcrphase are missing the --graceful
flag which causes them to error if the tpm libraries are not installed.
Add --graceful just like in the other pcrphase units to make systemd-pcrphase
exit gracefully if the tpm libraries are missing.
test-network: correctly support running systemd-udevd from the build dir
We create the udevadm -> systemd-udevd symlink during the install phase,
so it doesn't exist in the just compiled tree. This worked in CI since
the symlink is manually created there post-build.
Given that ERRNO_IS_PRIVILEGE() also matches positive values,
make sure this macro is not called with arguments that do not have
errno semantics.
In this case the arguments passed to ERRNO_IS_PRIVILEGE() are the values
returned by read_one_line_file() which can legitimately return positive
values without errno semantics, so fix this by moving ERRNO_IS_PRIVILEGE()
invocations to the branches where the return values are known to be negative.
Dan Streetman [Sun, 16 Jul 2023 01:33:50 +0000 (21:33 -0400)]
test: avoid TEST-70 passphrase and password file mode complaints
Minor change, to adjust mode of /tmp/passphrase and /tmp/password test files to
avoid repeated warning logs that each file "...has 0644 mode that is too
permissive, please adjust the ownership and access mode."
Given that ERRNO_IS_DISCONNECT() also matches positive values,
make sure this macro is not called with arguments that do not have
errno semantics.
In this case the argument passed to ERRNO_IS_DISCONNECT() is the value
returned by manager_recv() which can legitimately return 1 without errno
semantics, so fix this by moving ERRNO_IS_DISCONNECT() invocation to the
branch where the return value is known to be negative.
Given that ERRNO_IS_DISCONNECT() also matches positive values,
make sure this macro is not called with arguments that do not have
errno semantics.
In this case the argument passed to ERRNO_IS_DISCONNECT() is the value
returned by bus_socket_process_watch_bind(), bus_socket_process_opening(),
and bus_socket_process_authenticating() which can legitimately return
positive values without errno semantics, so fix this by moving the
ERRNO_IS_DISCONNECT() invocation to the branch where the return value
is known to be negative.
Given that ERRNO_IS_DISCONNECT() also matches positive values,
make sure this macro is not called with arguments that do not have
errno semantics.
In this case the argument passed to ERRNO_IS_DISCONNECT() is the value
returned by socket_acquire_peer() which can legitimately return 1
without errno semantics, so fix this by moving ERRNO_IS_DISCONNECT()
invocation to the branch where the return value is known to be negative.
Given that ERRNO_IS_RESOURCE() also matches positive values,
make sure this macro is not called with arguments that do not have
errno semantics.
In this case the argument passed to ERRNO_IS_RESOURCE() is the value
returned by recurse_dir_at() which can legitimately return positive
values without errno semantics, so fix this by moving the ERRNO_IS_RESOURCE()
invocation to the branch where the return value is known to be negative.
Dan Streetman [Sat, 15 Jul 2023 12:30:40 +0000 (08:30 -0400)]
tpm2: add tpm2_get_pin_auth()
Add function to calculate the hash digest for a provided pin, and also verify
that the final byte in the digest is not 0. This is required because the TPM
will always remove all trailing 0's from an auth value before using it.
Dan Streetman [Fri, 14 Jul 2023 17:15:48 +0000 (13:15 -0400)]
tpm2: handle older tpm enrollments without a saved pcr bank
Older code did not save the pcr bank (i.e. pcr hash algorithm), and instead let
tpm2_unseal() find the best pcr bank to use. In commit 2cd9d57548b0dadd52523df486d33aa4cf7c3b84 we changed tpm2_unseal() to no longer
handle an unset pcr bank. This adds back in the handling of an unset pcr_bank
so older sealed data should continue to work.
Dan Streetman [Fri, 14 Jul 2023 15:21:43 +0000 (11:21 -0400)]
test: reduce the number of loops in tpm2 test_tpms_pcr_selection_mask_and_hash()
This test loops through masks, but is a relatively long test due to the
increment size between loops; this slightly increases the increment size (from
3->5) which greatly speeds up the test.
efi: add helper API for detecting confidential virtualization
This helper is a simplified version of detect_confidential_virtualization()
that merely returns a boolean status flag reflecting whether we are believed
to be running inside a confidential VM.
This flag can be used for turning off features that are inappropriate to
use from a CVM, but must not be used for releasing sensitive data. The
latter must only be done in response to an attestation for the environment.
Signed-off-by: Daniel P. Berrangé <berrange@redhat.com>
mkosi now supports CentOS SIGs natively so we drop our own definition
of that and use the mkosi builtin one. We also enable hyperscale for
both CentOS 8 and CentOS 9 for consistency and add epel-next as well
which is a requirement for Hyperscale.
CentOS 8 ships python 3.6 so let's try and stay compatible with that
since the only feature we're using that requires python 3.9 is the
streamlined type annotations which are trivial to convert back to
the older stuff to stay compatible with python 3.6.
kernel-install: Avoid reopening file descriptor via /proc
kernel-install used to work without /proc mounted before the rewrite
in C. Let's restore that property by making sure we don't reopen
file descriptors via /proc. In this case, parse_env_file_fdv() calls
fdopen_independent() to get a FILE * for the given file descriptor
(which itself calls fd_reopen()). Let's avoid the call to
fdopen_independent() by using chase_and_fopenat_unlocked() which
gives us a FILE * immediately without having to reopen any file
descriptors.
network: check lifetime of address and route before configure
Otherwise, we may configure a route that depends on the existence
of an address or another route, and may fail when lifetime of one
of them are already zero.
proc-cmdline: re-implement proc_cmdline_filter_pid1_args() without using getopt_long()
If getopt_long() is called for a list of arguments and it is freed, then
calling getopt_long() for another list will trigger use-after-free.
The function proc_cmdline_filter_pid1_args() may be called before or during
parsing program arguments (typically named as parse_argv()), hence we cannot
use getopt_long() in proc_cmdline_filter_pid1_args().
Mike Yuan [Thu, 13 Jul 2023 14:44:19 +0000 (22:44 +0800)]
fstab-generator: resolve bind mount source when in initrd
We currently prepend /sysroot to mount points for entries
in /sysroot/etc/fstab. But when it comes to bind mounts,
the source needs to canonicalized too.
David Tardon [Thu, 29 Jun 2023 14:35:21 +0000 (16:35 +0200)]
bus-polkit: allow to auth. a bus call for multiple actions
In #20155, verify_shutdown_creds() needs to authenticate for both
org.freedesktop.login1.hibernate-multiple-sessions and
org.freedesktop.login1.hibernate-ignore-inhibit . Previously, the second
authentication attempt would fail with -ESTALE.