resolved: downgrade inability to send varlink reply error message
Previously, if a client disconnected after sending a lookup request but
before waiting for the reply we'd log at LOG_ERR level. That's
confusing, since it's entirely OK for the client to lose interest.
msizanoen1 [Tue, 27 Dec 2022 04:57:12 +0000 (11:57 +0700)]
udev: match device tags in rules using current device tags
This ensures that udev scripts using `TAG-="..."` and expecting later
udev rules to honor it will work properly. An use case is removing the
`uaccess` tag from a device without overriding the original file and
ensuring that `73-seat-uaccess.rules` won't run the uaccess builtin later.
It seems that using this protocol on some firmwares to forcibly
initialize console devices may break handles (already opened file
handles and the device handle itself) that we rely on to access the
boot filesystem, making it impossible to load the selected entry.
It might be possible to get a new handle by querying for the device
handle by using its device path after calling into this protocol, but
this is untested. The firmware might also be so buggy that accessing
devices after using this protocol is impossible.
It seems prudent to revert this for now until some reliable way is found
to initialize console devices without introducing huge boot delays. Any
users on firmware where console devices cannot be accessed would have to
rely on disabling fastboot.
../src/basic/cgroup-util.c: In function ‘skip_session’:
../src/basic/cgroup-util.c:1241:32: error: incompatible types when returning type ‘_Bool’ but ‘const char *’ was expected
1241 | return false;
This is a small cleanup removing the need for the spurious
*ret_shutdown_verb argument on invoke_main_loop() while moving
the MANAGER_OBJECTIVE::shutdown_verb string mapping local to
where it actually gets added to the shutdown argv in
become_shutdown().
This also eliminates the need for the several clearings of
*ret_shutdown_argv, and the streq() branches of shutdown_verb in
favor of plain equality tests against the objective value.
Jan Janssen [Sun, 1 Jan 2023 10:32:55 +0000 (11:32 +0100)]
ukify: Fix section offset calculation
objcopy seems to expect that the offset passed to --change-section-vma
is absolute instead of relative to ImageBase. If this is not accounted
for an invalid image is created that cannot be loaded:
Daan De Meyer [Mon, 2 Jan 2023 13:53:47 +0000 (14:53 +0100)]
ukify: Require specifying --tools for each tools directory
Instead of consuming N arguments as tools directories, let's always
only consume one argument per specification of --tools. This avoids
issues where the linux image and initrd are interpreted as tools
directories.
Ludwig Nussel [Wed, 28 Dec 2022 13:00:35 +0000 (14:00 +0100)]
machined: pass shell command line to polkit
Pass the joined arguments to polkit as command_line property like
pkexec does. Obviously not exactly perfect as it lacks quoting. Good
enough for polkit rules to check whether a program was called with
or without arguments though.
Jia Zhang [Sun, 25 Dec 2022 04:29:11 +0000 (12:29 +0800)]
boot: don't convert the trailing newline in mangle_stub_cmdline()
It is pretty convenient to add .cmdline using /proc/cmdline like
this:
--add-section .cmdline=/proc/cmdline --change-section-vma .cmdline=0x25000
However, it always returns a trailing newline, and stub will
convert it to a whitespace by mangle_stub_cmdline() in next boot.
Thus the resulting /proc/cmdline would contain a trailing
whitespace. When /proc/cmdline is used to generate .cmdline again,
the resulting UKI is mangled.
To address this kind of inconvenience, mangle_stub_cmdline() should
skip converting the trailing newline, and try to chomp all the
trailing whitespaces.
The text said /dev/tty* as a whole was the VT subsystem and that VT is
not supported in containers.
But that's not accurate as /dev/tty* will match /dev/tty too and that
one device node is special and is not related to VT: it always points to
the current process own controlling tty, regardless what that is.
units: pull in loop.ko and dm-mod.ko before repart
We want to make use of that when formatting file systems, hence let's
pull in these modules explicitly.
(This is necessary because we are an early boot service that might run
before systemd-tmpfiles-dev.service, which creates /dev/loop-control and
/dev/mapper/control.)
Alternatively we could just order ourselves after
systemd-tmpfiles-dev.service, but I think there's value in adding an
explicit minimal ordering here, since we know what we'll need.
Jia Zhang [Fri, 23 Dec 2022 09:23:36 +0000 (17:23 +0800)]
measure: fix the failures of compare_reported_pcr_nr()
EFI_LOADER_VARIABLE() already applies to the stringify to construct the
path of EFI variable in efivars, so it is wrong to enclose the name of
EFI variable with the quotes. Otherwise, the following errors are
reported.
Reading EFI variable /sys/firmware/efi/efivars/StubFeatures-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
Reading EFI variable /sys/firmware/efi/efivars/"StubPcrKernelImage"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
open("/sys/firmware/efi/efivars/"StubPcrKernelImage"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f") failed: No such file or directory
Reading EFI variable /sys/firmware/efi/efivars/"StubPcrKernelParameters"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
open("/sys/firmware/efi/efivars/"StubPcrKernelParameters"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f") failed: No such file or directory
Reading EFI variable /sys/firmware/efi/efivars/"StubPcrInitRDSysExts"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f.
open("/sys/firmware/efi/efivars/"StubPcrInitRDSysExts"-4a67b082-0a4c-41cf-b6c7-440b29bb8c4f") failed: No such file or directory
dissect-image: optionally, reference dissected partition device nodes by diskseq
This is useful to make the dissection logic at boot a bit safer, as we
can reference device nodes by diskseq.
This locks down dissection a bit, since it makes it harder to swap out
the backing device between the time we dissected and validated it, until
we actually mounted it.
This is not complete though, as /bin/mount would have to verify the
diskseq after opening the diskseq symlink again.
Peter Cai [Sun, 18 Dec 2022 01:33:05 +0000 (20:33 -0500)]
cryptenroll: Implement support for unlocking via FIDO2 tokens
This allows FIDO2 users to wipe out password slots and still be able to
enroll new key slots via systemd-cryptenroll. Note that when the user
wants to both unlock with a FIDO2 token and enroll a new FIDO2 token,
they cannot be set to automatic discovery. This is to safeguard against
confusion, because there will be multiple tokens connected to the system
when doing so -- and we require users to explicitly confirm which one to
use for unlocking and which one to use for enrollment.
Peter Cai [Sun, 18 Dec 2022 01:28:51 +0000 (20:28 -0500)]
cryptsetup-fido2: Remove plain mode parameters from `acquire_fido2_key_auto()`
`acquire_fido2_key_auto()` will not be used in PLAIN mode, and
parameters such as the salt will be acquired from the LUKS header.
Parameters intended for PLAIN mode are useless in
`acquire_fido2_key_auto()`.
Daan De Meyer [Mon, 19 Dec 2022 14:29:43 +0000 (15:29 +0100)]
ukify: Prefer using llvm-objcopy instead of objcopy
llvm-objcopy works on stubs built for foreign architectures whereas
objcopy doesn't so let's prefer using llvm-objcopy instead of objcopy.
llvm-objcopy automatically sets the virtual address and doesn't provide
an option to set it manually so we only add --change-section-vma when
using objcopy
The default section flags differ between llvm-objcopy and objcopy
so we add a default for the section flags so we make sure all sections
are read-only data unless specified otherwise.
When we dissect images automatically, let's be a bit more conservative
with the file system types we are willing to mount: only mount common
file systems automatically.
Explicit mounts requested by admins should always be OK, but when we do
automatic mounts, let's not permit barely maintained, possibly legacy
file systems.
The list for now covers the four common writable and two common
read-only file systems. Sooner or later we might want to add more to the
list.
Also, it might make sense to eventually make this configurable via the
image dissection policy logic.
Yu Watanabe [Thu, 22 Dec 2022 00:40:37 +0000 (09:40 +0900)]
wait-online: exit with success when all interfaces are ready or unmanaged
Previously, when neither '--any' nor '--interface' options specified,
at least one of the interfaces must be in configured state.
This patch makes wait-online exit with success even if all interfaces
are in unmanaged state.
This may break backward compatibility in a rare situation. But in most
cases, this typically not change anything, as at least one interface
is managed by networkd.service when it is enabled.
This is mostly for making wait-online gracefully handle the case that
networkd.service and wait-online.service are enabled by mistake. In such
situation, all interfaces are typically not managed.
string-util: rework empty_to_null() to not change "const" qualifier of input
This changes the definition from enpty_to_null() so that we are still
typesafe (i.e. only accept strings) but do not drop (or add) any const
to the returned string that wasn't also on the input.
Hans de Goede [Wed, 21 Dec 2022 11:18:52 +0000 (12:18 +0100)]
hwdb: Add mic-mute, control-center and screen-rotation mappings for MSI laptops
The MSI Summit E16 Flip A12UCT laptop sends the following unmapped
atkbd scancodes:
0x91: Launch MSI Control Center
0xf1: Toggle mic mute
0xf2: Rotate screen
The 0x91, 0xf1 and 0xf2 codes are already present in the MSI Prestige/Modern
series specific keymappings and the 0xf1 mapping is also already present in
the MSI Bravo 15-B5DX FnKeys entry.
This shows that these are generic to many MSI models, so add mappings for
these to the generic MSI mappings.
Since the MSI Bravo 15-B5DX FnKeys entry only contains the 0xf1 mapping and
that is covered by the generic MSI mappings now, that entry is removed.
CVE-2022-4415: systemd: coredump not respecting fs.suid_dumpable kernel setting
Affects systemd >= 247 with libacl support enabled.
This is a merge of https://github.com/systemd/systemd-security/pull/12/.
I'm doing the merge locally because github doesn't support merging directly
from systemd/systemd-security to systemd/systemd.
ukify: check early if inputs exist and are readable
It's much nicer for the user if we fail early instead of doing partial
processing if we cannot read some input. We can't do those checks immediately
from argparse.Parser.parse_args(), because we want to fully process the
commandline first. In particular, even with invalid args, if --help is
specified somewhere, we want to handle that. Thus, we need to delay the checks
after argparse.Parser.parse_args() returns.
Ukify didn't have type annotations on functions, but it probably should.
Jörg's suggested correction included them and we might just as well start here.
Mike Yuan [Sat, 17 Dec 2022 13:07:32 +0000 (21:07 +0800)]
systemctl: new option --drop-in for specifying drop-in filename
Previously 'systemctl edit' would only operate on
'override.conf', but users may need more than that.
Thus the new option '--drop-in' is added to allow
users to specify the drop-in file name.
The autodetection code is supposed to throw ValueError when it
cannot figure out the version so that we fall back to the next method.
With the patch:
Kernel version not specified, starting autodetection 😖.
Real-Mode Kernel Header magic not found
+ readelf --notes vmlinuz/arm64/vmlinuz-6.0.9-300.fc37.aarch64
readelf: vmlinuz/arm64/vmlinuz-6.0.9-300.fc37.aarch64: Error: Not an ELF file - it has the wrong magic bytes at the start
Found uname version: 6.0.9-300.fc37.aarch64