pam_systemd: issue context OSC sequences when allocating new TTY session
note: this also adds making a copy of the session type string after
registering the session. That's because we need to check the session
type we settled on later to condition out the OSC sequence (because it
should only be issued on TTY sessions). However, the session type string
originally quite likely points into the PAM environment block, which we
update in the meantime, invalidating that pointer. hence, make an
explicit copy first, and use that.
SERVICE_RELOAD_SIGNAL state can only be reached via explicit reload jobs,
and we have a clear distinction between that and plain RELOADING=1
notifications, the latter of which is issued by clients doing reload
outside of our job engine. I.e. upon SERVICE_RELOAD_SIGNAL + RELOADING=1
we don't propagate reload jobs again, since that's done during transaction
construction stage already. The handling of combined RELOADING=1 + READY=1
so far is bogus however, as it tries to propagate duplicate reload jobs.
Amend this by following the logic for standalone RELOADING=1.
pam_systemd: complement per-area $HOME management with per-area $XDG_RUNTIME_DIRECTORY mgmt
When a user logs into a non-default area we give them a private
$HOME for that area (that's what 'area' is supposed to be after all). We
so far left $XDG_RUNTIME_DIRECTORY as it was. Let's change that and
mirror the subdirectory logic there too.
Why? $XDG_RUNTIME_DIR is generally the place where AF_UNIX sockets are
bound that can be used to connect to per-user services. (in particular
all those which are behind D-Bus.) If we don't patch $XDG_RUNTIME_DIR
like this then this means all the backing services will use the main
area, which is problematic (since clients and services will disagree on
$HOME), and makes it impossible to support the area concept for
graphical logins properly.
This does not actually make graphical logins work, but it at least makes
them fail cleanly. That's because this patch alone won't make sure a
per-area service manager/dbus instance is invoked automatically. That
however can be added later, in a patch to logind.
Let's tweak update_environment() a bit: instead of being a NOP when no
value is specified, let's actively unset the specified environment
variable if it is set.
This shouldn't change much, since for the cases we call the function so
far the env vars in question should not be set before us in a way we'd
set them differently. However, this is nice preparation for later, as we
can make use of this for XDG_AREA which we might want to unset if we
consider the area dir invalid.
pam_systemd_home: tweak order in authentication stack
Let's move pam_systemd_home before pam_unix in the authentication hook.
Since a while we are exposing shadow entries for homed log entries via
NSS. This means that pam_unix now potentially has enough data for
authenticating a user on its own, without letting pam_systemd_home do
that. This is superficially OK, but also means that authentication will
always go via password, even if pkcs11/fido2 is registered.
Let's move this around, but be careful about it: let's list the precise
errors which we think are enough to terminating further PAM processing,
so that pam_unix comes into control in all cases where it's not clear
that pam_systemd_home owns the user record.
This previously wasn't visible to me, because on Fedora until authselect
1.5.1 (released earleir this year) the NSS shadow stuff was not enabled.
This does the same also for the "account" stack, except that the order
there already was as we want it.
Finally, shorten the account stack, by just requiring pam_unix.so and
dropping pam_permit.so, because it doesn't really serve much purpose
(and Fedora doesn't use it by default either.)
This has been depracted since v254 (2023). Let's kill it for
good now, it has been long enough with 2y. Noone has shown up who wants
to keep it. And given it doesn't work in SB world anyway, and is not
measured is quite problematic security wise.
Daan De Meyer [Wed, 26 Feb 2025 14:56:51 +0000 (15:56 +0100)]
docs: Use mkosi -R instead of mkosi -t none (#36528)
mkosi now supports -R to rerun build scripts without rebuilding the
image so let's document that instead of the current hack to prevent
the rebuild by changing the output format.
Let's in particular log an even if a device name is too long for the
btrfs ioctl structure, instead of truncating it (which could
theoretically reference a different device).
Daan De Meyer [Wed, 26 Feb 2025 13:58:53 +0000 (14:58 +0100)]
docs: Use mkosi -R instead of mkosi -t none
mkosi now supports -R to rerun build scripts without rebuilding the
image so let's document that instead of the current hack to prevent
the rebuild by changing the output format.
- Allocate internal buf on the stack, memdup() only at the end.
This ensures we're able to handle OOM gracefully, i.e.
return -EAGAIN on OOM while still emptying socket buffer.
- Do not treat empty notify message as error.
- Raise log level since all callers log loudly anyway.
Andreas Stührk [Tue, 25 Feb 2025 23:05:41 +0000 (00:05 +0100)]
copy: Invoke hardlink context cleanup before restoring timestamps
When hardlink recreation is requested, it creates temporary files that
will be deleted once the context is destroyed. The deletion
(potentially) updates the directory's timestamps, so it's crucial that
the deletion happens before the directory timestamps are restored when
`COPY_RESTORE_DIRECTORY_TIMESTAMPS` is requested.
Clean up systemd-boot a bit. Mostly makes handling of some menu entry
types less magic and more uniform. Doesn't really change behaviour in
any ways, except that we now condition things such as boot counting,
random seed management and entry selection saving carefully on the entry
type.
integritysetup: add remote-integritysetup.target to match remote-{crypt|verity}setup.target
Let's make the three subsystems more alike, and add remote-*setup.traget
for all three, enable them all three in the presets, and make them
behave in a similar fashion.
Let's make cryptsetup and veritysetup more symmetric, and enable the
remote target for the latter the same way we enable the remote target
for the former by default.
This is the last entry type that has special handling: with this in
place we now always invoke entry handlers the very same way. via the
.call() method of the BootEntry structure.
boot: only do random seed management for some entry types
Similar to the previous commits, let's carefully condition random seed
management (which might be slow, and simply pointless for various entry
types) on the entry type.
I ran into the limit with ParticleOS, with 6 profiles, hence I think the
current default value is a bit low. let's bump it 4x, to 120. This is
still a lot lower than 500 or so which Debian uses downstream.
We can look into raising this further should we collide with this again,
but for now, let's try 120 and see how it goes in practice.
Daan De Meyer [Tue, 25 Feb 2025 11:44:41 +0000 (12:44 +0100)]
mkosi: Enable History= option (#36500)
This option makes mkosi "remember" all the CLI options specified on the
command line when building an image. This means they don't need to be
specified again when booting the image afterwards or doing any other
operation on the image with "mkosi xxx".
As an example of how this is useful, currently, when running "mkosi -d
opensuse -f" to build an opensuse image and then running "mkosi sandbox
-- meson test -C build TEST-86-MULTI-UKI-PROFILE", running the test will
try to add virtiofs mounts of the fedora~rawhide build directory on my
machine instead of the opensuse one. With the History= option enabled,
it will use the opensuse tumbleweed directory as expected.
Daan De Meyer [Mon, 24 Feb 2025 09:56:26 +0000 (10:56 +0100)]
mkosi: Enable History= option
This option makes mkosi "remember" all the CLI options specified on
the command line when building an image. This means they don't need
to be specified again when booting the image afterwards or doing any
other operation on the image with "mkosi xxx".
As an example of how this is useful, currently, when running "mkosi
-d opensuse -f" to build an opensuse image and then running "mkosi
sandbox -- meson test -C build TEST-86-MULTI-UKI-PROFILE", running
the test will try to add virtiofs mounts of the fedora~rawhide build
directory on my machine instead of the opensuse one. With the History=
option enabled, it will use the opensuse tumbleweed directory as expected.
We stop setting --extra-search-path and --output-dir in the integration test
wrapper as these are settings that are "remembered" by enabling the History=
option.
Daan De Meyer [Mon, 24 Feb 2025 16:14:01 +0000 (17:14 +0100)]
TEST-64-UDEV-STORAGE: Stop using mkosi configure scripts
Now that we have mkosi sandbox, meson runs with the mkosi tools tree
mounted (if one is used at all), so we can implement all the qemu feature
checks in meson itself, removing the need for mkosi configure scripts.
Daan De Meyer [Mon, 24 Feb 2025 16:12:22 +0000 (17:12 +0100)]
TEST-53-ISSUE-16347: Implement rtc via custom argument
Let's get rid of the configure script for this use case by just
implementing the necessary logic in integration-test-wrapper.py.
We need to get rid of our usage of configure scripts to allow enabling
the History= setting.
Dan Streetman [Fri, 21 Feb 2025 09:36:53 +0000 (09:36 +0000)]
systemd-keyutil: add verb to conver PKCS#1 to PKCS#7
Add verb that takes a PKCS#1 signature (plain rsa) as input and a
certificates, and outputs a PKCS#7 binary detached signature (p7s),
which is what the kernel dm-verity driver expects.
projects / thirdparty / systemd.git / log
