Sam Leonard [Tue, 27 Feb 2024 15:08:37 +0000 (15:08 +0000)]
shared/ptyfwd: allow window title but not background color as a valid state
Previously if a PTYForward instance had the window title set but no
background color set then it would crash in an assertion as
pty_forward_ansi_process didn't require both to be present.
systemd-vmspawn could get into this state if it failed to get the
terminal tint color.
Now any method that would have called background_color_sequence now
becomes just a NOP if the background color is not set.
This allows keeping the functionality to set window titles even if the
terminal doesn't support the background coloring.
Sam Leonard [Tue, 27 Feb 2024 14:35:14 +0000 (14:35 +0000)]
basic/terminal-util: accept ST or BEL to end escape sequence queries
Currently scan_background_color_response only accepts BEL (\x07) to end
a response, however some terminals (namely kitty in my case) will reply
with the string terminator (ST - https://en.wikipedia.org/wiki/ANSI_escape_code).
This commit changes the behaviour to now accept either ending.
Sam Leonard [Tue, 27 Feb 2024 11:12:39 +0000 (11:12 +0000)]
basic/terminal-util: add check for poll timeout in get_default_background_color
Currently the return value 0 is not checked for, this indicates a
timeout and should be handled to prevent doing a blocking read on a file
descriptor with no data ready.
The retrans time field in RA message is for neighbor solicitation,
and the commit d4c8de21a07d015f2f2c787e0735be5e4d02fb3c makes the value
assigned to the correct sysctl property.
Let's deprecate the option, and drop the redundant functions.
core: remove duplicate serialization of `cpu_sched_reset_on_fork`
`c->cpu_sched_reset_on_fork` is serialized using
`exec-context-cpu-sched-reset-on-fork` and
`exec-context-cpu-scheduling-reset-on-fork`. Let's keep only the second one, to
serialize the value only if `cpu_sched_set` is true.
bootspec: don't complain about valid loader.conf settings
Let's not complain about various valid loader.conf settings we more
recently added. At the same time let's remove the half-assed userspace
parsers for the fields we actually do support but don't actually really
care about in userspace. There's really no point in storing strings away
that we are not using at all, hence just don#t.
Frantisek Sumsal [Tue, 27 Feb 2024 10:10:53 +0000 (11:10 +0100)]
test: use socat in unidirectional mode
By default socat open a separate r/w channel for each specified address,
and terminates the connection after .5s from receiving EOF on _either_
side. And since one side of that connection is an empty stdin, we reach
that EOF pretty quickly. Let's avoid this by using socat in
"reversed unidirectional" mode, where the first address is used only for
writing, and the second one is used only for reading.
vmspawn: use our own ptyfwd code for the console of a VM
Let's make systemd-nspawn use our own ptyfwd logic to handle the TTY by
default.
This adds a new setting --console=, inspired by nspawn's setting of the
same name. If --console=interactive= is used, then we'll do the TTY
dance on our own via ptyfwd, and thus get tinting, our usual hotkey
handling and similar.
Since qemu's own console is useful too, let's keep it around via
--console=native.
FInally, replace the --qemu-gui switch by --console=gui.
Ronan Pigott [Sun, 25 Feb 2024 07:23:32 +0000 (00:23 -0700)]
resolved: reduce the maximum nsec3 iterations to 100
According to RFC9267, the 2500 value is not helpful, and in fact it can
be harmful to permit a large number of iterations. Combined with limits
on the number of signature validations, I expect this will mitigate the
impact of maliciously crafted domains designed to cause excessive
cryptographic work.
Ronan Pigott [Sun, 25 Feb 2024 01:21:24 +0000 (18:21 -0700)]
resolved: limit the number of signature validations in a transaction
It has been demonstrated that tolerating an unbounded number of dnssec
signature validations is a bad idea. It is easy for a maliciously
crafted DNS reply to contain as many keytag collisions as desired,
causing us to iterate every dnskey and signature combination in vain.
The solution is to impose a maximum number of validations we will
tolerate. While collisions are not hard to craft, I still expect they
are unlikely in the wild so it should be safe to pick fairly small
values.
Here two limits are imposed: one on the maximum number of invalid
signatures encountered per rrset, and another on the total number of
validations performed per transaction.
Yu Watanabe [Thu, 22 Feb 2024 05:28:52 +0000 (14:28 +0900)]
icmp6-util: make icmp6_receive() refuse packets without IPv6 sender address
Previously, the function supports packets without IPv6 sender address
for unit tests. However, now unit tests use their own version of
icmp6_receive(). Hence, let's make the check more strict.
This allows us to pin the process locally when GetUnitByPIDFD
is not available, just like what we have been doing for
'systemctl whoami'. Also, fix looking up remote pid.
We can't use pidfd for those.
Luca Boccassi [Fri, 23 Feb 2024 21:09:11 +0000 (21:09 +0000)]
Fallback from pidfd_open on permission errors too
Skip using pidfds if we get a permission denied error.
This can happen with an old policy and a new kernel that uses the
new pidfs filesystem to back pidfds, instead of anonymous inodes,
as the existing policy denies access.
This is already the case for most uses of pidfd_open, like pidref,
but not on these two. Fix them.
ptyfwd: optionally prefix window title with colored dot
in uid0/systemd-run/nspawn we already set a window title with a colorful
unicode dot indicating the changed privileges/execution context. This typically
gets overriden by the shell inside the environment however.
Let's tweak this a bit: when we see the window title OSC ANSI sequence
passing through, let's patch in the unicode dot as a prefix to the
title.
This is super pretty, since it makes sure root sessions via 0ad are
really easily recognizable as such, because the window title carries an
🔴 red dot as prefix then.
By default swtpm runs with four banks: SHA1, SHA256, SHA384, SHA512.
This means all data that is part of the boot will be hashed four times,
which slows everything down.
Let's restrict things to SHA256 only, which is the one that really
matters. SHA1 is no up to today's standards anyway, and noone really
consumes the other two, hence no point in enabling this.
To disable the banks we need to call swtpm_setup with --pcr-banks. Do
so.
TPM 1.2 is obsolete, and doesn't really provide much security guarantees
given it's build around SHA1 which is not up to today's standards.
The rest of systemd's TPM codebase never supported TPM 1.2 hence let's
drop this partial support in sd-stub too. It has created problems after
all (sd-stub reported the measuements and userspace assumed these were
for TPM2), without bringing any benefits (given that the measurements we
make are not consumed by us anyway, unlike those for TPM 2.0)
This broke all the URLs, we can't have that. (And actually, we probably don't
_want_ to make the change either. It's nicer to have all the pages in one
directory, so one doesn't have to figure out to which collection the page
belongs.)
Max Staudt [Thu, 22 Feb 2024 08:47:36 +0000 (17:47 +0900)]
udev: Add /dev/media/by-path symlinks for media controllers
Add persistent symlinks for media controller ("mediaX") devices, based
on their ID_PATH udev properties.
For example, if the uvcvideo driver creates /dev/media0, a persistent
name may be:
/dev/media/by-path/pci-0000:04:00.3-usb-0:1:1.0-media-controller
Persistent links are a handy tool to make scripts self-documenting
during development or in tests, as well as less error prone in case of
devices changing enumeration order. For media controllers, one can
alternatively scan through all of them and look for a matching bus_info
in their struct media_device_info, but the links are much handier when
drafting something by hand.
A similar pattern already exists for Video4Linux /dev/videoX devices,
see 60-persistent-v4l.rules for those.
Yu Watanabe [Tue, 20 Feb 2024 21:20:45 +0000 (06:20 +0900)]
network: introduce per-interface IP forwarding settings
This deprecates IPForward= setting, which unconditionally controled
the global setting, even though it is a setting in .network file.
Instead, this introduces new IPv4Forwarding= and IPv6Forwarding=
settings both in .network and networkd.conf.
If these settings are specified in a .network file, then the
per-interface forwarding setting will be configured.
If specified in networkd.conf, then the global IP forwarding setting will
be configured.
While the subsequent change made this change no longer trigger warnings if fq_codel wasn't present, it is still recommended to have this enabled. Add the necessary kernel configuration to the documentation.