import: port importd from libgcrypt to openssl^gcrypt
This is heavily based on Kevin Kuehler's work, but the logic is also
significantly changed: instead of a straighforward port to openssl, both
versions of the code are kept, and at compile time we pick one or the other.
The code is purposefully kept "dumb" — the idea is that the libgcrypt codepaths
are only temporary and will be removed after everybody upgrades to openssl 3.
Thus, a separate abstraction layer is not introduced. Instead, very simple
ifdefs are used to select one or the other. If we added an abstraction layer,
we'd have to remove it again afterwards, and it don't think it makes sense to
do that for a temporary solution.
Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
# Conflicts:
# meson.build
Kevin Kuehler [Wed, 20 Oct 2021 10:21:18 +0000 (12:21 +0200)]
repart: port to our home-grown hmac_sha256
This reduces dependencies. The speed of the code here is uimportant, because we
hash only a tiny amount of input data.
Debian and Ubuntu currently build without repart, see
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=976959
> repart requires openssl and so far I tried to avoid linking against
> both gnutls and openssl.
Co-authored-by: Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>
Rasmus Villemoes [Tue, 30 Nov 2021 11:50:19 +0000 (12:50 +0100)]
sysusers: avoid creating spurious "nobody" group
On distros using Debian's base-passwd, the name of the group with gid 65534 is
nogroup. Currently, systemd-sysusers creates a spurious "nobody" group
systemd-sysusers[243]: Creating group nobody with gid 996
That's both confusing and redundant, as the nobody user still has primary group
65534 aka nogroup, and the nobody group simply goes completely unused.
So explicitly specify the primary group of the nobody user, and add a line
ensuring that that group exists.
This is not a problem for Debian (or Ubuntu) itself, as they add their own
version of basic.conf in their systemd build logic. But it appears on for
example Yocto/OpenEmbedded.
Michal Sekletar [Thu, 25 Nov 2021 17:28:25 +0000 (18:28 +0100)]
unit: add jobs that were skipped because of ratelimit back to run_queue
Assumption in edc027b was that job we first skipped because of active
ratelimit is still in run_queue. Hence we trigger the queue and dispatch
it in the next iteration. Actually we remove jobs from run_queue in
job_run_and_invalidate() before we call unit_start(). Hence if we want
to attempt to run the job again in the future we need to add it back
to run_queue.
Nacho Barrientos [Mon, 29 Nov 2021 13:17:55 +0000 (14:17 +0100)]
Byte order to host before using the lifetime
I've seen this in `NetworkManager-1.34.0-0.3.el8.x86_64` (latest in CentOS
Stream 8 at the time of writing this message) which does not use the latest
Systemd but probably the code base is the same (see
https://github.com/NetworkManager/NetworkManager/commit/51f93e00a23fbd09f5ad96da6290bf4ca737d46a).
Before the patch:
```
libsystemd: eth0: DHCPv6 client: T1 expires in 34y 3w 6d 45min 31s
libsystemd: eth0: DHCPv6 client: T2 expires in 54y 5month 3w 3d 23h 20min 35s
```
After the patch:
```
libsystemd: eth0: DHCPv6 client: T1 expires in 3d 7h 58min 3s
libsystemd: eth0: DHCPv6 client: T2 expires in 5d 2h 26min 50s
```
Marco Scardovi [Mon, 29 Nov 2021 08:53:56 +0000 (09:53 +0100)]
Add missing greater than/less than tab on some HP
Some HP keyboards (like https://h30434.www3.hp.com/t5/image/serverpage/image-id/203235i01AD626584587DA1?v=v2) have <> between AltGr and left arrow. This add the fix and make it working again
Luca Boccassi [Fri, 26 Nov 2021 02:13:57 +0000 (02:13 +0000)]
coredump: fix parsing metadata without access to executable
This was broken in a subtle way: we'd get an ELF ref, but not the right one,
so no metadata note would be found.
Change the parsing function to return 1 when it finds something, so that
we can return early only when that happens.
networkd: replace a table with log2 fields by a list
The code looks a bit more complicated, but the compiler generates a simpler and
more compact text.
An additional advantage is that if any of the fields were repeating or not
power-of-two, the compiler would warn about an overridden entry in the table.
The macro variants can be used in static initializers.
The same guard against calling __builtin_clz(0) is added as for
__builtin_clzll(0), since that's undefined behaviour too. Our code
wouldn't call it, but this avoids a potential pitfall with the macro.
All variants map 0→0. Otherwise we'd often have to handle 0 specially
in callers.
__builtin_clz takes unsigned as the argument, so there's no LOG2I macro.
Topi Miettinen [Fri, 26 Nov 2021 14:34:48 +0000 (16:34 +0200)]
pam_systemd: Check also abstract socket for X11
It seems that `pam_systemd` was the only thing left that wanted to use sockets
in file system path `/tmp/.X11-unix/X*`. X11 apps actually prefer using the
abstract socket version.
This allows running Xserver with `-nolisten tcp -nolisten unix`, which makes
the server only listen to an abstract socket.
Also in my setup, Xserver is running as a separate system service instead of
starting from display manager service, and now `PrivateTmp=yes` can be used for
both. The file system of the display manager service is inherited by user apps
and now their `/tmp` will be separate from `/tmp` of PID1 namespace as well as
`/tmp` of Xserver.
Jan Janssen [Fri, 26 Nov 2021 13:00:02 +0000 (14:00 +0100)]
meson: Default to sbat-distro=auto
Any recent shim will refuse starting an image that does not have an sbat section
and will do so with a generic "Security Violation" message. And it is very easy
to forget passing -Dsbat-distro=auto to meson when creating a fresh build dir.
Adding sbat info when shim is not used or secure boot is disabled does not hurt
anyone, so default to auto. This still ensures to not add auto-detected info in
case we are cross building.
Topi Miettinen [Sat, 27 Nov 2021 10:51:39 +0000 (12:51 +0200)]
namespace: allow ProcSubset=pid with some ProtectKernel options
In case `/proc` is successfully mounted with pid tree subset only due to
`ProcSubset=pid`, the protective mounts for `ProtectKernelTunables=yes` and
`ProtectKernelLogs=yes` to non-pid `/proc` paths are failing because the paths
don't exist. But the pid only option may have failed gracefully (for example
because of ancient kernel), so let's try the mounts but it's not fatal if they
don't succeed.
Alyssa Ross [Sat, 27 Nov 2021 12:10:38 +0000 (12:10 +0000)]
docs: fix descriptions in discoverable partitions
00db9a114e ("docs: generate table from header using a script") got the
descriptions for the partition types mixed up. After that change, the
spec claimed, for example, that the /usr partition should contain
"dm-verity integrity hash data for the matching root partition", and
that the /usr verity partition should be of type "Any native, optionally
in LUKS". This made the spec an extremely confusing read before I
figured out what must have happened!
I've gone through the table as it existed prior to 00db9a114e, and moved
the descriptions around in the script that generates the table until
they matched up with what they used to be. Then I regenerated the
table from the fixed script.
Luca Boccassi [Fri, 26 Nov 2021 15:46:40 +0000 (15:46 +0000)]
analyze: add --profile switch to security verb
Allows to pass a portable profile when doing offline analysis of
units. Especially useful for analyzing portable images, since a
lot of the security-relevant settings in those cases come from
the profiles, but they are not shipped in the portable images.
I think the function name is confusing: we generally say "free_free" when
both keys and values are freed in a hash map, but here the type is an
array of strvs, so the name should be something like strv_array_free.
test-journal-flush: do not croak on corrupted input files
We would fail if the input file was corrupted:
build/test-journal-flush ./system@0005b7dac334f805-0021aca076ae5c5e.journal\~
journal_file_copy_entry failed: Bad message
Assertion 'r >= 0' failed at src/libsystemd/sd-journal/test-journal-flush.c:55, function main(). Aborting.
[1] 619472 IOT instruction (core dumped) build/test-journal-flush ./system@0005b7dac334f805-0021aca076ae5c5e.journal\~
Vito Caputo [Thu, 25 Nov 2021 18:39:34 +0000 (10:39 -0800)]
mmap-cache: embed MMapCache.contexts[]
Code simplification; no idea why the Context structs were being
heap-allocated piecemeal. There aren't many and they're small,
and made even smaller with this commit.
This also gets rid of the Context.cache backreference by just
accompanying the Context* with MMapCache* to the few private
Context* operations, resolving the context ID to a Context* at
the single public entrypoint: mmap_cache_fd_get(), which asserts
on the value being within bounds. The Context.id member and
checks are also removed, as there's far less opportunity for
these things to become inconsistent now.
Of course this drops all context_{add,free}() related code,
making for a tasty diffstat.
Daan De Meyer [Fri, 12 Nov 2021 14:32:40 +0000 (14:32 +0000)]
journal: Deduplicate entry items before they are stored in the entry object
If the iovec contains the same data more than once, we'll end up with
duplicate offsets in the items array. Let's make sure we remove any
duplicates before we store the items in an entry object.
Vito Caputo [Thu, 25 Nov 2021 15:05:06 +0000 (07:05 -0800)]
mmap-cache: LIST_REMOVE() *after* w->unused_prev
The LIST_REMOVE() macro always assigns NULL to w->unused_prev,
meaning every time this window was in last_unused, the remainder
of the unused list was lost to the ether.
Turns out there's been a memory leak in journald after all, this
code has been there since at least 2013...