If the input timestamp is too old (say, 1min since 1970-01-01), then
parse_timestamp() may fail on a timezone with positive shift e.g.
JST (UTC+9). Moreover, even if parse_timestamp() succeeds, its result
'y' and 'usec_sub_unsigned(x, 2 * USEC_PER_DAY)' are both zero, and
the assertion will be triggered.
docs: tweak rsync flags for moving existing home dir to systemd-homed
The documentation on moving an existing homedir into a systemd-homed managed
one suggests using rsync(1) with a bunch of flags to preserve as much metadata
as possible: permissions, xattrs, timestamps, etc. The previously suggested
flags were:
rsync -aHAXv --remove-source-files …
… which does include mtimes, but not ctimes and atimes, because -a does not
include those:
--archive, -a archive mode is -rlptgoD (no -A,-X,-U,-N,-H)
This change adds the -N and -U flags to preserve even more file timestamps,
turning the command into:
rsync -aHANUXv --remove-source-files …
The new flags are:
--crtimes, -N preserve create times (newness)
--atimes, -U preserve access (use) times
Dan Streetman [Tue, 24 Jan 2023 00:52:56 +0000 (19:52 -0500)]
tpm2: use ref counter for Tpm2Context
This will be used by Tpm2Handle instances, which is added in later patches.
The refcounting allows the context to be retained until all Tpm2Handles have
been cleaned up, and the initial ref is released, before cleaning the context.
Dan Streetman [Fri, 9 Dec 2022 22:20:24 +0000 (17:20 -0500)]
tpm2: rename tpm2 alg id<->string functions
The 'pcr_bank' functions operate on hash algs, and are not specific to the PCR
banks, while the 'primary_alg' functions operate on asymmetric algs, and are
not specific to primary keys.
Jan Janssen [Tue, 31 Jan 2023 17:53:28 +0000 (18:53 +0100)]
ci: Test with secure boot enabled under mkosi
This gives us some nice test coverage for secure boot enrolling and the
stub secure boot workound. The authenticated EFI variables are already
created by mkosi, all we need to do is request secure boot to be used.
Robin Humble [Wed, 1 Feb 2023 12:36:48 +0000 (23:36 +1100)]
pid1: fix segv triggered by status query (#26279)
If any query makes it to the end of install_info_follow() then I think symlink_target is set to NULL.
If that is followed by -EXDEV from unit_file_load_or_readlink(), then that causes basename(NULL)
which segfaults pid 1.
This is triggered by eg. "systemctl status crond" in RHEL9 if
core: split system/user job timeouts and make them configurable
Config options are -Ddefault-timeout-sec= and -Ddefault-user-timeout-sec=.
Existing -Dupdate-helper-user-timeout= is renamed to -Dupdate-helper-user-timeout-sec=
for consistency. All three options take an integer value in seconds. The
renaming and type-change of the option is a small compat break, but it's just
at compile time and result in a clear error message. I also doubt that anyone was
actually using the option.
This commit separates the user manager timeouts, but keeps them unchanged at 90 s.
The timeout for the user manager is set to 4/3*user-timeout, which means that it
is still 120 s.
Fedora wants to experiment with lower timeouts, but doing this via a patch would
be annoying and more work than necessary. Let's make this easy to configure.
basic/user-util: create /etc from take_etc_passwd_lock
This allows sysusers to operate with --root that is an empty directory.
It may be useful to, for example, populate the user database before installing
anything else.
firstboot was already doing this, so drop the duplicated call there.
journal-file: refuse writing to journal files where the header size is different then expected
We keep adding fields to the header, and it's fine reading files with
different header sizes, as we check via the size if the fields we need
are included. However, let's be stricter when writing journal files than
when reading, and insist that the header structure in the file actually
matches our expectations. Refuse otherwise, so that a new file is
created after rotation that then matches our expectations.
This makes sure that mismatch in header size is treated exactly as
unknown "compatible" flags, which is our other mechanism to allow
extending the journal file format in a non-breaking way.
In https://bugzilla.redhat.com/show_bug.cgi?id=2156900 sysusers was reporting a
conflict between the following lines:
u root 0:0 "Super User" /root /bin/bash
u root 0 "Super User" /root
The problem is that those configurations are indeed not equivalent. If group 0
exists with a different name, the first line would just create the user, but the
second line would create a 'root' group with a different GID. The second
behaviour seems definitely wrong. (Or at least more confusing in practice than
the first one. The system is in a strange shape, but the second approach takes
an additional step than is worse than doing nothing.)
When this line was initially added, we didn't have the uid:gid functionality for
'u', so we didn't think about this too much. But now we do, so we should use it.
$ build/systemd-sysusers --root=/var/tmp/inst7 --inline 'g foobar 0'
Creating group 'foobar' with GID 0.
$ build/systemd-sysusers --root=/var/tmp/inst7 --inline 'u root 0 "Zuper zuper"'
src/sysusers/sysusers.c:1365: Creating group 'root' with GID 999.
src/sysusers/sysusers.c:1115: Suggested user ID 0 for root already used.
src/sysusers/sysusers.c:1183: Creating user 'root' (Zuper zuper) with UID 999 and GID 999.
vs.
$ build/systemd-sysusers --root=/var/tmp/inst7 --inline 'u root 0:0 "Zuper zuper"'
src/sysusers/sysusers.c:1183: Creating user 'root' (Zuper zuper) with UID 0 and GID 0.
Tuetuopay [Fri, 27 Jan 2023 14:10:49 +0000 (15:10 +0100)]
network/dhcp4: accept local subnet routes from DHCP
RFC3442 specifies option 121 (Classless Static Routes) that allow a DHCP
server to push arbitrary routes to a client. It has a Local Subnet
Routes section expliciting the behavior of routes with a null (0.0.0.0)
gateway.
Such routes are to be installed on the interface with a Link scope, to
mark them as directly available on the link without any gateway.
Networkd currently drops those routes, which is against the RFC, as
Linux has proper support for such routes.
Fixes: 7f20627 ("network: dhcp4: ignore gateway in static routes if destination is link-local or in the same network")
Effectively, because of padding, we were not saving anything. We're not putting
struct Item in arrays, but when allocating on the heap, we're going to round up to
normal alignment too.
The code becomes shorter (and quicker):
$ size build/systemd-sysusers{,.0}
text data bss dec hex filename
79967 2040 264 82271 1415f build/systemd-sysusers.0
79726 2040 264 82030 1406e build/systemd-sysusers
(In case you're wondering, I wrote this long commit message for a very simple
change on purpose: I want to deflate the bitfield cargo cult a bit.)
Ilya Leoshkevich [Mon, 30 Jan 2023 20:21:48 +0000 (21:21 +0100)]
bpf: fix restrict_fs on s390x
Linux kernel's bpf-next contains BPF LSM support for s390x. systemd's
test-bpf-lsm currently fails with this kernel.
This is an endianness issue: in the restrict_fs bpf program,
magic_number has type unsigned long (64 bits on s390x), but magic_map
keys are uint32_t (32 bits). Accessing magic_map using 64-bit keys may
work by accident on little-endian systems, but fails hard on big-endian
ones.
Arsen Arsenović [Sat, 28 Jan 2023 21:32:41 +0000 (22:32 +0100)]
importd: Always specify file unpacked by tar
Despite popular belief, the default file extracted by GNU tar is not stdin. It
is the value of the TAPE environment variable, falling back on a compile-time
constant. On my system, the default value is /dev/full, which causes tar to
just spin forever due to --ignore-zeros. Always specifying this flag is the
safe thing to do.
~$ tar --show-defaults
--format=gnu -f/dev/full -b20 --quoting-style=escape
--rmt-command=/usr/sbin/grmt
See also: ``(tar)defaults'', available via Info viewers, and in HTML form at:
https://www.gnu.org/s/tar/manual/html_node/defaults.html
Daan De Meyer [Sun, 29 Jan 2023 14:17:06 +0000 (15:17 +0100)]
mkosi: Add back CentOS Stream 8 to CI
It's still useful to test the EFI handover logic in systemd-boot.
We use a mkosi.prepare script to install a newer python and update
the system to use it.
Daan De Meyer [Sun, 29 Jan 2023 14:04:13 +0000 (15:04 +0100)]
mkosi: Don't modify rootfs in build script
When unprivileged mkosi becomes available, builds will be executed
as an unprivileged user, so we won't be able to modify the rootfs
anymore. Let's update the build script to account for this.
Daan De Meyer [Sat, 28 Jan 2023 14:12:08 +0000 (15:12 +0100)]
nspawn: Make sure we create bind mount points as the correct UID/GID
When using --private-users, we have to create bind mount points as
the user that will become root in the user namespace, so let's take
that into account.
Yu Watanabe [Thu, 26 Jan 2023 09:05:32 +0000 (18:05 +0900)]
locale: also check if converted keymap or friends is same as the current settings
Before this commit, if virtual console keymap is unchanged, localed just
returns without modifying anything. However, the X11 part may need updating.
So we should check for both and ensure they are unmodified.
Yu Watanabe [Sun, 13 Nov 2022 17:49:19 +0000 (02:49 +0900)]
sleep: introduce siphash24_compress_id128()
Also, rename get_battery_identifier() to siphash24_compress_device_sysattr().
This also makes any errors in sd_id128_get_machine() or id128_get_product()
ignored. For the machine ID, the failure should not be significant unless
the file stored in the discharge level is reused by another system, which
is quite unusual. For the product ID, if the firmware provides useless
ID (all zero or all 0xFF), then loading/storing the discharge rate
becomes completely broken, that should be avoided.
Note, now sysattrs are used instead of properties in uevent files, but
both provide the same information, hence no functionality should be
changed.
Yu Watanabe [Sun, 13 Nov 2022 17:08:05 +0000 (02:08 +0900)]
sleep: introduce SuspendEstimationSec=
Before v252, HibernateDelaySec= specifies the maximum timespan that the
system in suspend state, and the system hibernate after the timespan.
However, after 96d662fa4c8cab24da57523c5e49e6ef3967fc13, the setting is
repurposed as the default interval to measure battery charge level and
estimate the battery discharging late. And if the system has enough
battery capacity, then the system will stay in suspend state and not
hibernate even if the time passed. See issue #25269.
To keep the backward compatibility, let's introduce another setting
SuspendEstimationSec= for controlling the interval to measure
battery charge level, and make HibernateDelaySec= work as of v251.
This also drops implementation details from the man page.