Vitaly Kuznetsov [Fri, 11 Nov 2022 16:15:55 +0000 (17:15 +0100)]
measure: fix section names in 'objcopy' example in systemd-measure man
A copy paste error has crippled in the objcopy example in 'systemd-measure'
manual, "--change-section-vma" should reference the section being added,
not ".splash". When used as-is, the resulting UKI is unbootable.
These are allowed to fail, for example on a read-only filesystem. But they still
log at error level, which is annoying and gets flagged. Tune those specific errors
down to info.
There are likely more that could be tuned down, but the important thing is to cover
the tmpfiles.d that we ship right now.
Before:
$ echo -e "d- /root :0700 root :root - \nd- /root/.ssh :0700 root :root -" | SYSTEMD_LOG_LEVEL=err build/systemd-tmpfiles --root=/tmp/img --create -
Failed to create directory or subvolume "/tmp/img/root": Read-only file system
Failed to open path '/tmp/img/root': No such file or directory
$
Mike Yuan [Fri, 11 Nov 2022 18:52:38 +0000 (02:52 +0800)]
module-util: use the blacklist from module_blacklist= in cmdline
When a module is blacklisted using module_blacklist=
we shouldn't fail with 'Operation not permitted'.
Instead we check for it and skip it if this is the case.
bootctl,bootspec: make use of CHASE_PROHIBIT_SYMLINKS whenever we access the ESP/XBOOTLDR
Let's make use of the new flag whenever we access the ESP or XBOOTLDR.
The resources we make use of in these partitions can't possibly use
symlinks (because UEFI knows no symlink concept), and they are untrusted
territory, hence under no circumstances we should be tricked into
following symlinks that shouldn't be there in the first place.
Of course, you might argue thta ESP/XBOOTLDR are VFAT and thus don#t
know symlinks. But the thing is, they don#t have to be. Firmware can
support other file systems too, and people can use efifs to gain access
to arbitrary Linux file systems from EFI. Hence, let's better be safe
than sorry.
chase-symlinks: add new flag for prohibiting any following of symlinks
This is useful when operating in the ESP, which is untrusted territory,
and where under no circumstances we should be tricked by symlinks into
doing anything we don't want to.
nulstr-util: fix corner cases of strv_make_nulstr()
Let's change the return semantics of strv_make_nulstr() so that we can
properly distuingish the case where we have a no entries in the nulstr
from the case where we have a single empty string in a nulstr.
Previously we couldn't distuingish those, we'd in both cases return a
size of zero, and a buffer with two NUL bytes.
With this change, we'll still return a buffer with two NULL bytes, but
for the case where no entries are defined we'll return a size of zero,
and where we have two a size of one.
This is a good idea, as it makes sure we can properly handle all corner
cases.
Nowadays the function is used by one place only: ask-password-api.c. The
corner case never mattered there, since it was used to serialize
passwords, and it was known that there was exactly one password, not
less. But let's clean this up. This means the subtraction of the final
NUL byte now happens in ask-password-api.c instead.
nulstr-util: use memdup_suffix0() where appropriate
if the nulstr is not nul-terminated, we shouldn't use strndup() but
memdup_suffix0(), to not trip up static analyzers which imply we are
duping a string here.
This rework the logic for handling the "header" cells a bit. Instead of
special casing the first row in regards to uppercasing/coloring let's
just intrduce a proper cell type TABLE_HEADER which is in most ways
identical to TABLE_STRING except that it defaults to uppercase output
and underlined coloring.
This is mostly refactoring, but I think it makes a ton of sense as it
makes the first row less special and you could in fact insert
TABLE_HEADER (and in fact TABLE_FIELD) cells wherever you like and
something sensible would happen (i.e. a string cell is displayed with
a specific formatting).
Yu Watanabe [Fri, 11 Nov 2022 04:54:03 +0000 (13:54 +0900)]
ac-power: check battery existence and status
If a battery is not present or its status is not discharging, then
the battery should not be used as a power source.
Let's count batteries currently discharging.
MkfsSion [Sat, 29 Oct 2022 18:29:02 +0000 (14:29 -0400)]
libfido2-util: Perform pre-flight check for credentials in token
Do not attempt to decrypt using a key slot unless its corresponding
credential is found on an available FIDO2 token. Avoids multiple touches
/ confirmations when unlocking a LUKS2 device with multiple FIDO2 tokens
enrolled.
Partially fixes #19208 (when the libcryptsetup plugin is in use).
Daan De Meyer [Fri, 11 Nov 2022 10:26:54 +0000 (11:26 +0100)]
strv: Make sure strv_make_nulstr() always returns a valid nulstr
strv_make_nulstr() is documented to always return a valid nulstr,
but if the input is `NULL` we return a string terminated with only
a single NUL terminator, so let's fix that and always terminate the
resulting string with two NUL bytes.
> If you define a path with the ! character, you must also define at least one
> path without the ! character. If you only want to exclude paths, use
> paths-ignore instead.
>
> The order that you define patterns matters:
> A matching negative pattern (prefixed with !) after a positive match will
> exclude the path.
> A matching positive pattern after a negative match will include the path
> again.
Even if some of the exluded paths *could* impact the build, generally it's a
waste of time to do mkosi builds on them. Let's skip to releave the builders a
bit.
Daan De Meyer [Fri, 11 Nov 2022 09:04:37 +0000 (10:04 +0100)]
test-copy: Stop using rm_rf_physical_and_close
This cleanup function depends on resolving fd's to paths via /proc
which is unreliable so we shouldn't depend on it for destructive
operations. Use regular path based cleanup instead.
Originally, the table formatting code was written to display a number of
records, one per line, and within each line multiple fields of the same
record. The first line contains the column names.
It was then started to be used in a "vertical" mode however,
i.e. with field names on the left instead of the top. Let's support such
a mode explicitly, so that we can provide systematic styling, and can
properly convert this mode to JSON.
A new constructor "table_new_vertical()" is added creating such
"vertical" tables. Internally, this is a table with two columns: "key"
and "value". When outputting this as JSON we'll output a single JSON
object, with key/value as fields. (Which is different from the
traditional output where we'd use the first line as JSON field names,
and output an array of objects).
A new cell type TABLE_FIELD is added for specifically marking the
"field" cells, i.e. the cells in the first column. We'll automatically
suffic ":" to these fields on output.
This is useful to force off fancy unicode glyph use (i.e. use "->"
instead of "→"), which is useful in tests where locales might be
missing, and thus control via $LC_CTYPE is not reliable.
Use this in TEST-58, to ensure the output checks we do aren't confused
by missing these glyphs being unicode or not.
repart: Don't descend into directories assigned to other partitions
Let's say we have the following repart definitions files root.conf
and home.conf:
```
[Partition]
Type=root
CopyFiles=/
```
```
[Partition]
Type=home
CopyFiles=/home
```
Currently, we'd end up copying /home to both the root partition and
the home partition. To prevent this from happening, let's adopt a
new policy when copying files for a partition: We won't copy any
files/directories that appear in the CopyFiles= list of another
partition, unless that directory explicitly appears in our own
CopyFiles= list.
This way, we prevent copying /home twice into the root and home
partition, but should a user really want that behavior, they can
have it by adding /home to the CopyFIles= list of the root partition
as well.
dissect: also parse out the top-level GPT table uuid and expose this as image UUID
systemd-repart generates this in a suitably stable fashion, hence let's
actually use it as an identifier for the image. As a first step parse
it, and show it.
Due to "historical reasons" both gcc and clang treat *all* trailing
arrays members as flexible arrays, this has an evil side effect
of inhibiting bounds checks on such members as __builtin_object_size
cannot say for sure that:
struct {
...
type foo[3];
}
has a trailing foo member of fixed size rather than unspecified.
Ideally we should use -fstrict-flex-arrays as is, but we have to
tolerate kernel uapi headers that use [0] and third party libraries
written in c89 that may use [1] like curl.
in_initrd() was really doing two things: checking if we're in the initrd, and
also verifying that the initrd is set up correctly. But this second check is
complicated, in particular it would return false for overlayfs, even with an
upper tmpfs layer. It also doesn't support the use case of having an initial
initrd with tmpfs, and then transitioning into an intermediate initrd that is
e.g. a DDI, i.e. a filesystem possibly with verity arranged as a disk image.
We don't need to check if we're in initrd in every program. Instead, concerns
are separated:
- in_initrd() just does a simple check for /etc/initrd-release.
- When doing cleanup, pid1 checks if it's on a tmpfs before starting to wipe
the old root. The only case where we want to remove the old root is when
we're on a plain tempory filesystem. With an overlay, we'd be creating
whiteout files, which is not very useful. (*)
This should resolve https://bugzilla.redhat.com/show_bug.cgi?id=2137631
which is caused by systemd refusing to treat the system as an initrd because
overlayfs is used.
(*) I think the idea of keeping the initrd fs around for shutdown is outdated.
We should just have a completely separate exitrd that is unpacked when we want
to shut down. This way, we don't waste memory at runtime, and we also don't
transition to a potentially older version of systemd. But we don't have support
for this yet.
projects / thirdparty / systemd.git / log
