Topi Miettinen [Sun, 22 May 2022 12:17:24 +0000 (15:17 +0300)]
core: add user and group to NFTSet=
The benefit of using this setting is that user and group IDs, especially dynamic and random
IDs used by DynamicUser=, can be used in firewall configuration easily.
core: firewall integration of cgroups with NFTSet=
New directive `NFTSet=` provides a method for integrating dynamic cgroup IDs
into firewall rules with NFT sets. The benefit of using this setting is to be
able to use control group as a selector in firewall rules easily and this in
turn allows more fine grained filtering. Also, NFT rules for cgroup matching
use numeric cgroup IDs, which change every time a service is restarted, making
them hard to use in a systemd environment.
This option expects a whitespace separated list of NFT set definitions. Each
definition consists of a colon-separated tuple of source type (only "cgroup"),
NFT address family (one of "arp", "bridge", "inet", "ip", "ip6", or "netdev"),
table name and set name. The names of tables and sets must conform to lexical
restrictions of NFT table names. The type of the element used in the NFT filter
must be "cgroupsv2". When a control group for a unit is realized, the cgroup ID
will be appended to the NFT sets and it will be removed when the control
group is removed. systemd only inserts elements to (or removes from) the sets,
so the related NFT rules, tables and sets must be prepared elsewhere in
advance. Failures to manage the sets will be ignored.
If the firewall rules are reinstalled so that the contents of NFT sets are
destroyed, the command `systemctl daemon-reload` can be used to refill the sets.
Example:
```
table inet filter {
        ...
        set timesyncd {
                type cgroupsv2
        }
```
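The following is an added example, not code from systemd or from the commit above. It checks `NFTSet=` tuples against the format the directive description lays out (source:family:table:set, with the "user" and "group" sources from the later commit) and prints the nft ruleset and unit drop-in that go with the `timesyncd` set. The output chain, the `socket cgroupv2 level 2` matcher, the NTP port rule, the exact identifier regex and the file paths in the usage comment are this example's own assumptions; the page only states that the set must be of type `cgroupsv2` and must be created before systemd adds elements to it.

```shell
#!/bin/sh
# Added example (not systemd's code): validate NFTSet= tuples and emit the
# nft ruleset plus unit drop-in for a cgroup-keyed set.

# nftset_validate TUPLE: exit 0 when TUPLE is a well-formed NFTSet= entry.
nftset_validate() {
    tuple=$1
    saved_ifs=$IFS
    set -f                      # no globbing while we split on ':'
    IFS=:
    set -- $tuple
    IFS=$saved_ifs
    set +f
    # Exactly four colon-separated fields: source, family, table, set.
    [ "$#" -eq 4 ] || return 1
    src=$1 fam=$2 table=$3 setname=$4
    # Source type: "cgroup" originally, "user"/"group" added by the later commit.
    case $src in
        cgroup|user|group) ;;
        *) return 1 ;;
    esac
    # NFT address family, as listed in the directive description.
    case $fam in
        arp|bridge|inet|ip|ip6|netdev) ;;
        *) return 1 ;;
    esac
    # Table and set names: an approximation of nft's identifier lexer
    # (letter or '_' first, then letters, digits, '_', '.', '/').
    # The exact rule is an assumption of this example, not taken from the page.
    for name in "$table" "$setname"; do
        printf '%s\n' "$name" | grep -Eq '^[A-Za-z_][A-Za-z0-9_./]*$' || return 1
    done
    return 0
}

# nft_ruleset: print the ruleset that must exist before the unit starts.
# systemd only adds/removes elements in @timesyncd; it never creates the
# table, the set or the rules. The chain and rules are assumptions.
nft_ruleset() {
    cat <<'EOF'
table inet filter {
    set timesyncd {
        type cgroupsv2
    }
    chain output {
        type filter hook output priority filter; policy accept;
        # Level 2 = /system.slice/<unit>.service. The level must match the
        # depth of the cgroup whose ID systemd inserts, or the lookup never hits.
        socket cgroupv2 level 2 @timesyncd udp dport 123 accept
        socket cgroupv2 level 2 @timesyncd counter drop
    }
}
EOF
}

# nftset_dropin: print the drop-in that attaches the unit's cgroup ID to the
# set. NFTSet= is a resource-control setting, so it lives in [Service].
nftset_dropin() {
    cat <<'EOF'
[Service]
NFTSet=cgroup:inet:filter:timesyncd
EOF
}

# Usage on a real system (root, nft and a kernel with cgroupv2 socket matching;
# paths are illustrative):
#   nft_ruleset > /etc/nftables.d/timesyncd.nft && nft -f /etc/nftables.d/timesyncd.nft
#   mkdir -p /etc/systemd/system/systemd-timesyncd.service.d
#   nftset_dropin > /etc/systemd/system/systemd-timesyncd.service.d/nftset.conf
#   systemctl daemon-reload && systemctl restart systemd-timesyncd
#   nft list set inet filter timesyncd   # now shows the unit's cgroup ID
for t in cgroup:inet:filter:timesyncd user:inet:filter:dyn_users cgroup:inet:filter; do
    if nftset_validate "$t"; then echo "ok      $t"; else echo "invalid $t"; fi
done
```

Two things worth checking when this does not work: `nft list set inet filter timesyncd` must show an element after the service starts (systemd ignores failures to manage the set, so a typo in the table or set name is silent), and the `level` in the rule must equal the depth of the unit's cgroup, otherwise the ID systemd inserted is never the one looked up.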
Mike Yuan [Thu, 21 Sep 2023 06:59:26 +0000 (14:59 +0800)]
sleep-config: several cleanups
* Rename free_sleep_config to sleep_config_free
* Rearrange functions
* Make SleepConfig.modes and .states only contain
operations that need configuration
* Add missing assert
blockdev@.target is used as a synchronization point between
the mount unit and corresponding systemd-cryptsetup@.service.
After the mentioned commit, it doesn't get a stop job enqueued
during shutdown, and thus the stop job for systemd-cryptsetup@.service
could be run before the mount unit is stopped.
Therefore, let's make blockdev@.target conflict with umount.target,
which is also what systemd-cryptsetup@.service does.
EFI variable access is slow, hence let's avoid it if there's no need.
Let's cache the result of efi_measured_uki() so that we don't have to go
to the EFI variables each time.
This only caches in the yes/no case. If we encounter an error we don't
cache, so that we go to disk again.
This should optimize things a bit given we now have a bunch of services
which are conditioned with this at boot.
Let's say "uki" rather than "stub", since that is just too generic, and
we shouldn't limit us to our own stub anyway, but generally define a
concept of a "measured UKI", which is a UKI that measures its part to
PCR 11.
This is mostly preparation for exposing this check to the user via
ConditionSecurity=.
Balázs Úr [Wed, 27 Sep 2023 01:36:03 +0000 (03:36 +0200)]
po: Translated using Weblate (Hungarian)
Currently translated at 100.0% (227 of 227 strings)
Co-authored-by: Balázs Úr <balazs@urbalazs.hu>
Translate-URL: https://translate.fedoraproject.org/projects/systemd/master/hu/
Translation: systemd/main
Jan Janssen [Tue, 26 Sep 2023 13:14:38 +0000 (15:14 +0200)]
meson: Fix version script handling
Build targets should have a link dependency on the version scripts they
use. This also uses absolute paths in anticipation for meson 1.3
needlessly deprecating file to string conversions.
systemd-hwdb: fix unsigned and signed comparison problem
```c
...
uint8_t c;
struct trie_node *child;

/* c is uint8_t, but search[] is plain char (signed on x86), so search[i + p]
 * is sign-extended to int before the comparison: byte 0xC2 reads as -62, not 194. */
for (p = 0; (c = trie->strings->buf[node->prefix_off + p]); p++) {
        _cleanup_free_ struct trie_node *new_child = NULL;
        _cleanup_free_ char *s = NULL;
        ssize_t off;

        if (c == search[i + p])
                continue;
...
```
When '®' is present in search, c is 194, search[i + p] is -62, c is not equal to search[i + p], but c should be equal to search[i + p].
This was requested, though I think an issue was never filed. If people are
supposed to invoke it, even for testing, then it's reasonable to make it
"public".
cryptsetup: add parse_argv() and implement --version
All public programs are expected to have that. The --help output is adjusted to
follow the usual style (highlighting, listing of options). The OPTIONS
positional argument is renamed to "CONFIG", because we now also have "OPTIONS…"
to describe the non-positional options.
I was missing an example of how to use cryptenroll. We have that, but in
another page. Instead of repeating, let's just direct the user to the right
place.
Also, reformat synopsis to the "official" non-nested syntax.
add support for hp pavilion gaming 15 lid switch (#29304)
Tested together with kernel patch: https://lore.kernel.org/linux-acpi/20230920130506.8595-1-hdegoede@redhat.com/
but the d7 key is still interpreted as a wlan key switch, so an hwdb update is needed.
We might need a lot of fds on large systems, hence raise RLIMIT_NOFILE
to what the service manager allows us, which is quite a lot these days.
udev already sets FORK_RLIMIT_NOFILE_SAFE when forking off children, thus
ensuring that forked off processes get their RLIMIT_NOFILE soft limit
reset to 1K for compat with crappy old select().
Mike Yuan [Mon, 25 Sep 2023 15:23:29 +0000 (23:23 +0800)]
core/service: log the next restart usec only when we're arming timer
service_restart_usec_next() is also called when querying
'RestartUSecNext' dbus property. Let's avoid the redundant
logging triggered every time user does a 'systemctl status'.
sd-journal: always fallback to find entry by realtime
Consider the following situation:
- There are two journal files (x and y), that contains entries for two boots (X and Y).
- The journal file x contains entries of the boot X, and y contains
entries of Y.
- Nevertheless, although x does not contain entries of boot Y, it contains
the _BOOT_ID= data object of boot Y. Of course, the data object is not
referenced by any entries in the journal file x.
In such situation, when the current location of sd_journal is the head
of journal y, that is, the first entry of the boot Y,
sd_journal_previous() failed without this change, and
'journalctl --boot -NUM' for boot X failed.
So, unfortunately oomd uses "io.system." rather than "io.systemd." as
prefix for its sockets. This is a mistake, and doesn't match the
Varlink interface naming or anything else in oomd.
Hence, let's fix that.
Given that this is an internal protocol between PID1 and oomd let's
simply change this without retaining compat.
varlink: move O_NONBLOCK setting to varlink_server_listen_fd(), and set O_CLOEXEC too
Let's move setting of O_NONBLOCK into varlink_server_listen_fd() and out
of varlink_server_create_listen_fd_socket(). The latter has two callers:
varlink_server_listen_fd() and varlink_server_listen_address(), which
guarantees O_CLOEXEC+O_NONBLOCK anyway, hence no need to repeat the
logic.
The tool initially just measured the boot phase, but was subsequently
extended to measure file system and machine IDs, too. At AllSystemsGo
there were requests to add more, and make the tool generically
accessible.
Hence, let's rename the binary (but not the pcrphase services), to make
clear the tool is not just measuring the boot phase, but a lot of other
things too.
The tool is located in /usr/lib/ and still relatively new, hence let's
just rename the binary and be done with it, while keeping the unit names
stable.
While we are at it, also move the tool out of src/boot/ and into its own
src/pcrextend/ dir, since it's not really doing boot related stuff
anymore.
mkosi: Run meson and ninja as the user invoking mkosi
Latest mkosi sets $MKOSI_UID and $MKOSI_GID to the uid/gid of the
user running mkosi. Let's make use of this to run meson setup and
ninja as the user running mkosi, so that if we execute git as a
subprocess during meson setup, it doesn't complain about unsafe
directories. This also makes sure all the build artifacts are owned
on the host by the user running mkosi.