Frantisek Sumsal [Fri, 10 Nov 2023 15:38:01 +0000 (16:38 +0100)]
fuzz: pass -Dc_args=/-Dcpp_args= to fuzzer targets
Prompted by #29972, because right now it's practically impossible to pass
-fno-sanitize=function to the fuzzer targets without some extensive
sed'ing.
This splits both c_args and cpp_args to separate arguments for
tools/meson-build.sh, because the other way would be to use `eval`, so
the space-separated but quoted strings passed to these options are not
split where they shouldn't, and I'd rather avoid using `eval` if
possible.
Also, this switches the positional arguments we pass to `meson setup`,
as they were in incorrect order (docs say it should be builddir followed
by sourcedir); meson is apparently clever enough to figure this out and
switch the arguments around if necessary, so it didn't complain.
Let's just rely on the word splitting done by bash instead of messing
with that ourselves, as it's just adding extra complexity to appease one
ShellCheck check. Also, this apparently never worked for the nspawn
stuff anyway, since I forgot to set $IFS to an appropriate value, so it
always put all arguments from $KERNEL_APPEND into a single array item
with an extra newline, which then made systemd sad:
~# readarray arr <<< "foo bar baz"; for i in "${arr[@]}"; do echo "'$i'"; done
'foo bar baz
'
~# make -C test/TEST-45-TIMEDATE/ clean setup run BUILD_DIR=$PWD/build TEST_NO_QEMU=1 KERNEL_APPEND="systemd.log_level=console"
...
~# journalctl -o short-monotonic --no-hostname --file /var/tmp/systemd-tests/systemd-test.XaDX67/system.journal --grep "Failed to parse" -p info --no-pager
[551138.986882] systemd-tmpfiles[21]: Failed to parse log level 'console
[551138.987179] systemd-remount-fs[20]: Failed to parse log level 'console
[551138.993125] systemd-sysusers[23]: Failed to parse log level 'console
[551138.998685] journalctl[29]: Failed to parse log level 'console
analyze: add "srk" verb to extract current srk from TPM2 chip
This is pretty low-level functionality, hence placed in systemd-analyze.
This is useful for working with systemd-cryptenroll --tpm2-device-key=,
as it acquires the SRK without requiring the full tpm2-tss tool set.
tpm2-setup: also save the SRK to the file system in TPM2_PUBLIC format
We already save it in PEM format, also store it in TPM2_PUBLIC format next
to it. This is useful for usage with systemd-cryptenroll's
--tpm2-device-key= switch.
The tpm2_tpm2b_public_from_pem() invocation only makes sense when we
succeed to load the file from disk, hence we might do this together and
save a conditionalization.
tpm2-util: move loading of TPM2B_PUBLIC from disk into tpm2-util.c
No change in behaviour, let's just move this over so that we can reuse
this in repart later (and don't have to export the ugly `sym_` function
pointer for it)
Daan De Meyer [Thu, 9 Nov 2023 11:10:53 +0000 (12:10 +0100)]
repart: Fix size round up/round down
Currently, we round minimum sizes up and maximum size down, whereas
it should be the opposite as the current approach means that if the
same size is used for min and max, the min size will end up bigger
than the max size after rounding.
Florian Schmaus [Thu, 9 Nov 2023 07:59:59 +0000 (08:59 +0100)]
core: fix array size in unit_log_resources()
In 0531bded79dc ("core: include peak memory in unit_log_resources()") new log
messages were added, however the size of the according arrays to hold the
messages was not adjusted.
Fixes: 0531bded79dc ("core: include peak memory in unit_log_resources()")
test: use Type=notify together with `busctl monitor`
Let's use the newly gained feature of `busctl` and start it as a
Type=notify unit, which should make sure the unit is started only after
`busctl` is on the bus listening for messages.
This should help with a race spotted in CIs, where we continued too
early after starting `busctl monitor` and miss the emitted signals:
This is pretty much the same stuff as `resolvectl monitor` does, and
allows us to run `busctl monitor` in a Type=notify unit which ensures
that `busctl` is really listening for messages once the unit is marked
as started.
Currently test_setpriority_closest assumes that setting RLIMIT_NICE to 30 will
fail if the process is unprivileged. If it succeeds, it assumes that the
process is privileged and setresuid and setresgid will succeed.
However, if RLIMIT_NICE is already >= 30, then setrlimit will succeed even if
the process is unprivileged. Guard against that by checking for permission
errors in setresuid and setresgid and skipping the full test if so.
Felix Dörre [Fri, 18 Aug 2023 08:00:40 +0000 (10:00 +0200)]
journalctl: verify sealed log epochs are continuous
Currently empty epochs are not sealed. This allows an attacker to truncate
a sealed log and continue it without any problems showing when verifying the
log.
This partially addresses CVE-2023-31438. One way to extend this change to
address CVE-2023-31438 completely, would be to verify that there is exactly
one seal per epoch (and not sealing when the epoch has not ended yet).
The change also adds a journal-file flag: HEADER_COMPATIBLE_SEALED_CONTINUOUS.
This flag indicates that a journal file is sealed continuously and decides whether
any missing crypto epochs should trigger a warning or an error.
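The continuity rule described in the commit message above, as an added example that is not systemd's code: a journal is reduced to the list of epochs its seals cover, and a flag standing in for HEADER_COMPATIBLE_SEALED_CONTINUOUS decides whether a missing epoch is a warning or an error. The function name, the verdict enum and the sample epochs are assumptions made for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified model (not systemd's verifier): a sealed journal is reduced to
 * the epoch numbers of its seals, in file order. All names are hypothetical. */
typedef enum { SEAL_OK, SEAL_WARN_GAP, SEAL_ERR_GAP, SEAL_ERR_ORDER } seal_verdict;

/* sealed_continuous models HEADER_COMPATIBLE_SEALED_CONTINUOUS being set.
 * On a gap, *first_missing receives the first epoch that has no seal. */
seal_verdict check_seal_epochs(const uint64_t *epochs, size_t n,
                               bool sealed_continuous, uint64_t *first_missing) {
    seal_verdict verdict = SEAL_OK;

    for (size_t i = 1; i < n; i++) {
        /* Model assumption: epochs never run backwards in an intact file. */
        if (epochs[i] < epochs[i - 1])
            return SEAL_ERR_ORDER;

        /* A repeated epoch is accepted: the message notes that "exactly one
         * seal per epoch" is not enforced by this change. */
        if (epochs[i] - epochs[i - 1] <= 1)
            continue;

        if (verdict == SEAL_OK)
            *first_missing = epochs[i - 1] + 1;
        if (sealed_continuous)
            return SEAL_ERR_GAP;     /* file promises a seal for every epoch */
        verdict = SEAL_WARN_GAP;     /* no flag: empty epochs were not sealed */
    }
    return verdict;
}

int main(void) {
    /* Constructed sample: no seals exist for epochs 2 and 3. */
    const uint64_t epochs[] = { 0, 1, 4, 5 };
    uint64_t missing = 0;

    seal_verdict v = check_seal_epochs(epochs, 4, true, &missing);
    printf("flag set:   verdict=%d first missing epoch=%llu\n",
           (int) v, (unsigned long long) missing);
    v = check_seal_epochs(epochs, 4, false, &missing);
    printf("flag unset: verdict=%d first missing epoch=%llu\n",
           (int) v, (unsigned long long) missing);
    return 0;
}
```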
Mike Yuan [Wed, 8 Nov 2023 17:10:06 +0000 (01:10 +0800)]
fd-util: refuse O_CREAT in fd_reopen
O_CREAT doesn't make sense for fd_reopen, since we're
working on an already opened fd. Also, in fd_reopen
we don't handle the mode parameter of open(2), which
means we may get runtime error like #29938.
Yu Watanabe [Wed, 8 Nov 2023 13:59:33 +0000 (22:59 +0900)]
network: use Kind= instead of Driver=
networkd ignores errors in reading driver through ethtool. The kind of
network interface is retrieved through netlink, and networkd
checks many failures. So, using Kind= should be safer.
David Tardon [Wed, 8 Nov 2023 13:41:28 +0000 (14:41 +0100)]
udev-manager: actually remove the property
AFAICT there's no reason to keep removed entries in the Hashmap
(although it doesn't break anything either). The only use of this
hashmap is in udev_rule_apply_token_to_event(), which just retrieves the
value using hashmap_get(), hence there's no difference there between an
existing entry with a NULL value and a missing entry.
Yu Watanabe [Wed, 8 Nov 2023 11:55:50 +0000 (20:55 +0900)]
resolve/mdns: split out mdns_make_dummy_packet()
Then, this fixes the following issues:
- if dns_packet_append_zone() for other transaction is failed with
EMSGSIZE, the previously added key was not removed,
- if dns_transaction_prepare() for other transaction returns 0, then
we restarted the loop without dropping previously appended keys, which
might not be necessary any more.
This completes/corrects the documentation for the following fields:
COREDUMP_CGROUP= → docs were wrong, actually covered COREDUMP_PROC_CGROUP=
COREDUMP_CMDLINE= → undocumented so far
COREDUMP_PROC_CGROUP= → docs were there but incorrectly assigned to COREDUMP_CGROUP=
COREDUMP_PROC_AUXV= → undocumented so far
COREDUMP_SESSION= → undocumented so far
41e4ce06fe shortened existing sleeps, which resulted in the check being
sometimes done before the property had a chance to update. Let's do
what we do with the rest of the checks and retry it a couple of times.
Yu Watanabe [Wed, 8 Nov 2023 04:49:03 +0000 (13:49 +0900)]
sd-dhcp-client,-server: set timestamp based on the time when received a packet
It seems that RFC does not say anything about the timestamp of lease
we should use: time that the client sent a request or received a reply.
In DHCPv6 client and NDisc, we use a timestamp that we receive a packet,
rather than we sent something. So, let's consistently use the same
logic for DHCPv4 client.
Yu Watanabe [Wed, 8 Nov 2023 03:56:57 +0000 (12:56 +0900)]
sd-dhcp-client: make client_handle_message() propagate critical error
Then, stop client in the caller side.
This also makes
- ignore all errors except for resource errors like OOM when FORCERENEW
is received,
- trigger assertion when a message received even if the client is
stopped.
This should not change any functionality. Just refactoring.
../src/src/vmspawn/vmspawn-util.c:33:13: error: implicit declaration of function ‘access’; did you mean ‘accept’? [-Werror=implicit-function-declaration]
meson: enable vmspawn by default in developer mode
This should also implicitly enable vmspawn in CI. It wasn't passing even the
basic tests, which we didn't see, because it needs to be explicitly enabled.
xdg-autostart: downgrade warning for missing executables
On a system with a shared home directory, I'm getting a bunch of warnings:
systemd-xdg-autostart-generator[76]: Exec binary '/usr/bin/flatpak' does not exist: No such file or directory
systemd-xdg-autostart-generator[76]: /home/zbyszek/.config/autostart/org.signal.Signal.desktop: not generating unit, error parsing Exec= line: No such file or directory
systemd-xdg-autostart-generator[76]: Exec binary '/usr/bin/flatpak' does not exist: No such file or directory
systemd-xdg-autostart-generator[76]: /home/zbyszek/.config/autostart/im.riot.Riot.desktop: not generating unit, error parsing Exec= line: No such file or directory
systemd-xdg-autostart-generator[76]: Exec binary '/usr/libexec/gnome-tweak-tool-lid-inhibitor' does not exist: No such file or directory
systemd-xdg-autostart-generator[76]: /home/zbyszek/.config/autostart/ignore-lid-switch-tweak.desktop: not generating unit, error parsing Exec= line: No such file or directory
systemd-xdg-autostart-generator[76]: Exec binary '/usr/bin/flatpak' does not exist: No such file or directory
systemd-xdg-autostart-generator[76]: /home/zbyszek/.config/autostart/org.telegram.desktop.desktop: not generating unit, error parsing Exec= line: No such file or directory
This isn't really a problem. Let's just print an info message.
timesync: fix PropertiesChanges signals for NTP properties
As in their current form they didn't work at all:
systemd-timesyncd[190115]: Assertion 's' failed at src/libsystemd/sd-event/sd-event.c:3058, function sd_event_source_set_enabled(). Ignoring.
systemd-timesyncd[190115]: Failed to reenable system ntp server change event source!
systemd-timesyncd[190115]: Failed to enable ntp server defer event, ignoring: Invalid argument
This was also pointed out in the post-merge review [0].
Let's address this together with the rest of the comments, and add
some tests to make sure everything works as it should.