cryptenroll/repart/creds: no longer default to binding against literal PCR 7
PCR 7 covers the SecureBoot policy, in particular "dbx", i.e. the
denylist of bad actors. That list is pretty much as frequently updated
as firmware these days (as fwupd took over automatic updating). This
means literal PCR 7 policies are problematic: they likely break soon,
and are as brittle as any other literal PCR policies.
Hence, pick safer defaults, i.e. exclude PCR 7 from the default mask.
This means the mask is now empty.
Generally, people should really switch to signed PCR policies covering
PCR 11, in combination with systemd-pcrlock for the other PCRs.
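Why a literal PCR 7 value is brittle can be shown with a small simulation. The following is an added example, not systemd code: it models the TPM extend operation for a SHA-256 bank, `PCR_new = SHA-256(PCR_old || SHA-256(event))`, over a constructed sequence of Secure Boot policy objects (SecureBoot, PK, KEK, db, dbx) and shows that a policy sealed to the resulting PCR 7 value stops matching as soon as the measured dbx blob changes, even though nothing else about the boot did. The event payloads are constructed stand-ins, not real UEFI variable data, and the event-log structure firmware actually hashes is simplified away.

```python
"""Simulation of PCR extend and of a literal PCR 7 policy breaking on a dbx update.

Added example, not systemd code. Event contents below are constructed.
"""
import hashlib


def extend(pcr: bytes, event: bytes) -> bytes:
    """TPM2_PCR_Extend for a SHA-256 bank: hash the old PCR with the event digest."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()


def measure(events: list[bytes]) -> bytes:
    """Replay one boot's event log into a fresh (all-zero) 32-byte PCR."""
    pcr = bytes(32)
    for ev in events:
        pcr = extend(pcr, ev)
    return pcr


# Constructed stand-ins for the Secure Boot policy objects firmware measures into PCR 7.
SECURE_BOOT = b"SecureBoot=1"
PK = b"PK: constructed platform key"
KEK = b"KEK: constructed key exchange key"
DB = b"db: constructed allow-list"
DBX_V1 = b"dbx: constructed denylist, revision 1"
DBX_V2 = b"dbx: constructed denylist, revision 2 (firmware/fwupd update)"


def literal_policy_matches(sealed_pcr7: bytes, boot_events: list[bytes]) -> bool:
    """A literal PCR policy unseals only if the replayed PCR equals the sealed value."""
    return measure(boot_events) == sealed_pcr7


def demo() -> dict:
    """Seal against PCR 7 of one boot, then replay the same boot and a boot after a dbx update."""
    before = [SECURE_BOOT, PK, KEK, DB, DBX_V1]
    after = [SECURE_BOOT, PK, KEK, DB, DBX_V2]
    sealed = measure(before)
    return {
        "same_boot": literal_policy_matches(sealed, before),
        "after_dbx_update": literal_policy_matches(sealed, after),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'unseals' if ok else 'does NOT unseal'}")
```

The signed PCR 11 policies the commit recommends avoid this by binding the sealed secret to a public key rather than to one PCR value: any PCR 11 value for which a valid signature exists is accepted, so a change in dbx does not enter into the decision at all.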
userdb: move filter of user/group records to the varlink server side (#36133)
In v257 userdbctl gained support for filtering user records with fuzzy
matching and some other parameters. It was done on the client side only.
This PR adds server-side matching, by extending the generic userdb
varlink API.
The API is generic and may have many other implementors, hence care is
taken to fall back to exclusively client-side filtering in case the
service does not support the new parameters.
In fact I even opted to not actually implement server-side filtering in
any services but systemd-userdbd.service, because it's probably not too
much an optimization in relevant services (we might want to revisit this
later). By implementing it in userdbd the primary entrypoint for userdb
is however covered: the multiplexer interface which provides a single
interface for the multitude of backends. Or in other words: the
multiplexer itself supports server-side filtering even if its own
backends don't, and will hide this neatly away.
One nice side effect from not implementing server side filtering for all
our backends is that the fallback codepaths are comprehensively tested.
Note that this adds some unit tests but no new integration tests for all
this, as the filtering tests for userdbctl already existed before; we
just move their implementation from the client to the server side.
Yu Watanabe [Tue, 28 Jan 2025 19:16:20 +0000 (04:16 +0900)]
network: bridge: add support for configuring locked ports (#36150)
"Recently" (as of 5.18) the Linux kernel gained the ability of locking
bridge ports to restrict network access to authenticated hosts only.
This is implemented by disabling automated learning and dropping
incoming traffic from unknown hosts. User space is then expected to add
fdb entries for authenticated hosts. Once an fdb entry exists, traffic for
that host will be forwarded as expected.
This was later extended with "Mac Authentication Bypass", where the
locking was extended to fdb entries. In this mode the kernel adds fdb
entries again automatically, but they are locked by default.
To properly configure this, add two network options and one netdev
option:
* `LinkLocalLearning=` to prevent the kernel from creating unlocked
entries based on link-local traffic, which would bypass any
authentication. Needed when enabling learning on a locked port.
* `Locked=` to allow setting a bridge port to locked.
* `MACAuthenticationBypass=` to allow enabling Mac Authentication
Bypass on a port. Requires learning to be enabled on the port as well
(and consequently `LinkLocalLearning` disabled on the bridge).
An authenticator (e.g. hostapd) is still needed to do the actual
authentication, the kernel only provides the access control.
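The pitfall spelled out above (learning on a locked port while the bridge still does link-local learning) is easy to check mechanically. The following is an added example, not systemd code: it parses constructed `.netdev` and `.network` unit text with `configparser` and applies the rules from this commit message: `MACAuthenticationBypass=` needs `Locked=` and `Learning=yes` on the port, and a locked port that learns is only safe when its bridge has `LinkLocalLearning=no`. It assumes that `Locked=` and `MACAuthenticationBypass=` live in the `[Bridge]` section of the port's `.network` file and `LinkLocalLearning=` in the `[Bridge]` section of the bridge's `.netdev` file, and that the kernel defaults (port learning on, link-local learning on) apply when a key is absent.

```python
"""Consistency check for locked bridge ports in systemd-networkd unit text.

Added example, not systemd code. Section placement and kernel defaults are assumptions.
"""
import configparser


def parse_unit(text: str) -> configparser.ConfigParser:
    """Parse systemd-style ini text; keys are case-sensitive, no interpolation."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp


def is_yes(value) -> bool:
    """systemd boolean parsing, reduced to the spellings used here."""
    return value is not None and value.strip().lower() in ("yes", "true", "on", "1")


def check_locked_port(bridge_netdev_text: str, port_network_text: str) -> list:
    """Return findings for one bridge port; an empty list means the setup is consistent."""
    netdev = parse_unit(bridge_netdev_text)
    network = parse_unit(port_network_text)
    bridge = netdev["Bridge"] if netdev.has_section("Bridge") else {}
    port = network["Bridge"] if network.has_section("Bridge") else {}

    locked = is_yes(port.get("Locked"))
    mab = is_yes(port.get("MACAuthenticationBypass"))
    learning = is_yes(port.get("Learning", "yes"))          # assumed kernel default: on
    ll_learning = is_yes(bridge.get("LinkLocalLearning", "yes"))  # assumed kernel default: on

    findings = []
    if mab and not locked:
        findings.append("MACAuthenticationBypass=yes without Locked=yes has no effect")
    if mab and not learning:
        findings.append("MACAuthenticationBypass=yes requires Learning=yes on the port")
    if locked and learning and ll_learning:
        findings.append("locked port learns while the bridge has LinkLocalLearning=yes: "
                        "link-local traffic can create unlocked fdb entries and bypass authentication")
    return findings


# Constructed sample units.
PORT_NETWORK = """[Match]
Name=enp3s0

[Network]
Bridge=br0

[Bridge]
Locked=yes
MACAuthenticationBypass=yes
Learning=yes
"""

BRIDGE_NETDEV_WEAK = """[NetDev]
Name=br0
Kind=bridge
"""

BRIDGE_NETDEV_FIXED = """[NetDev]
Name=br0
Kind=bridge

[Bridge]
LinkLocalLearning=no
"""

if __name__ == "__main__":
    for label, netdev in (("weak", BRIDGE_NETDEV_WEAK), ("fixed", BRIDGE_NETDEV_FIXED)):
        print(label, check_locked_port(netdev, PORT_NETWORK) or ["ok"])
```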
Luca Boccassi [Tue, 28 Jan 2025 17:33:39 +0000 (17:33 +0000)]
wait-online: add initial support for waiting for DNS (#34640)
Add a new flag, `--dns`, to systemd-networkd-wait-online to allow
waiting for DNS to be configured. The `--dns` flag respects the `--ipv4`
and `--ipv6` flags, as well as `--interface=` and `--any`.
Daan De Meyer [Tue, 28 Jan 2025 08:38:26 +0000 (09:38 +0100)]
ukify: Add --sign-profile
Let's allow configuring which UKI profiles we generate signed PCR
measurements for since there are various types of profiles for
which we do not want to generate signed PCR measurements so that they
can not unlock the encrypted rootfs.
Nick Rosbrook [Thu, 19 Sep 2024 19:59:50 +0000 (15:59 -0400)]
wait-online: add support for waiting for DNS configuration
Add a new flag to systemd-networkd-wait-online, --dns, to allow waiting
for DNS to be configured.
DNS is considered configured when at least one DNS server is accessible.
If a link has the property DefaultRoute=yes (either by explicit
configuration, or because there are no routing-only domains), or if the
search domain '.' is configured, wait for link-specific DNS to be
configured. Otherwise, global DNS servers may be considered.
Jonas Gorski [Fri, 24 Jan 2025 12:15:06 +0000 (13:15 +0100)]
network: bridge: add support for IFLA_BRPORT_MAB
Since linux commit a35ec8e38cdd1766f29924ca391a01de20163931 ("bridge:
Add MAC Authentication Bypass (MAB) support"), included since v6.2, it
is possible to enable MAC Authentication Bypass for bridge ports. In
this mode the locked port learns again, but the learned fdb entries are
locked, allowing user space to unlock hosts based on seen MAC addresses.
This requires learning to be enabled on the port, and link-local
learning disabled for the bridge.
Add support to systemd-network for setting the new attribute for bridge
ports.
Jonas Gorski [Mon, 2 Dec 2024 10:54:09 +0000 (11:54 +0100)]
network: bridge: add support for IFLA_BRPORT_LOCKED
Since linux commit a21d9a670d81103db7f788de1a4a4a6e4b891a0b ("net:
bridge: Add support for bridge port in locked mode"), included since
v5.18, it is possible to set bridge ports to locked.
Locked ports do not learn automatically, and discard any traffic from
unknown source MACs. To allow traffic, the userspace authenticator is
expected to create fdb entries for authenticated hosts.
Add support to systemd-network for setting the new attribute for bridge
ports.
Jonas Gorski [Tue, 10 Dec 2024 15:45:20 +0000 (16:45 +0100)]
network: bridge: add support for NO_LL_LEARN
When using locked ports on a bridge, link-local learning needs to be
disabled to prevent the kernel from learning and automatically unlocking
hosts based on link-local traffic.
So add support for enabling NO_LL_LEARN for bridges.
Adam Williamson [Fri, 10 Jan 2025 21:01:47 +0000 (13:01 -0800)]
kbd-model-map: add a georgian mapping
https://github.com/legionus/kbd/pull/127 adds a Georgian mapping
to kbd. console-setup already has one. Let's support it here, so
it's used for Georgian installs on distros that use this table.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Nick Rosbrook [Fri, 11 Oct 2024 18:44:44 +0000 (14:44 -0400)]
resolved: add SubscribeDNSConfiguration to varlink API
Add a new method to io.systemd.Resolve.Monitor that allows subscribing
to changes in the systemd-resolved DNS configuration. The new method
emits the full DNS configuration (one entry for global configuration,
and one entry for each interface), any time the configuration is
updated.
userdbd: implement server side filtering in the Multiplexer API
This implements server-side filtering in userdbd's multiplexer logic.
Note that this means that even if some backend doesn't support it
natively, the multiplexer will deal with it and apply the filtering as
necessary.
userdb: move UserDBMatch handling from userdbctl into generic userdb code to allow it to be done server side
This moves around the UserDBMatch handling, moves it out of userdbctl
and into generic userdb code, so that it can be passed to the server
side, to allow server side filtering.
This is preparation for one day allowing complex software to do such
filtering server side, and thus reducing the necessary traffic.
Right now no server side actually knows this, hence care is taken to
downgrade to the userdb varlink API as it was in v257 in case the new
options are not understood. This retains compatibility with any
implementation hence.
varlink: add new calls for server-side user record filtering to varlink IDL + to spec
This is preparation for adding server side filtering to the userdb
logic: it adds some fields for this to the userdb varlink API. This only
adds the IDL for it, no client will use it for now, and no server implements
it. That's added in later commits.
Nick Rosbrook [Fri, 24 Jan 2025 20:42:38 +0000 (15:42 -0500)]
udev: add input/by-{id,path} symlinks for hidraw devices
Take some of the same rule structure from 60-persistent-input.rules, and
apply it to hidraw devices in 60-persistent-hidraw.rules.
Since one of the motivations for this is being able to easily reference
FIDO tokens, add a special case when ID_FIDO_TOKEN==1, and add 'fido'
to the symlink.
Nick Rosbrook [Thu, 14 Nov 2024 19:31:07 +0000 (14:31 -0500)]
resolved: add link_get_default_route helper
The dbus property getter for DefaultRoute does not simply check
link->default_route. Instead, if l->default_route is not explicitly
configured, it checks dns_scope_is_default_route(l->unicast_scope).
Add a link_get_default_route() helper with this logic so that it can be
used for consistency.
Nick Rosbrook [Tue, 15 Oct 2024 20:30:52 +0000 (16:30 -0400)]
resolved: add a helper to check if DNS server is accessible
We check this by opening a UDP socket and attempting to connect. We do
not send any traffic on it, but this will tell us if there are routes to
the DNS server.
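The route check described here, and the "at least one DNS server is accessible" rule of the wait-online commit above, as an added example that is not resolved's code: `connect()` on a UDP socket only asks the kernel to select a route and source address for the destination; nothing is sent, so it fails with a route error (`ENETUNREACH`, `EHOSTUNREACH`, ...) when no route exists and otherwise reports the source address the kernel would use. The function names and the treatment of errno values are this example's own choices.

```python
"""Check whether a DNS server is routable without sending it any traffic.

Added example, not systemd-resolved code. Function names are this example's own.
"""
import errno
import ipaddress
import socket

# errno values that mean "no route / cannot use this destination" rather than a programming error.
_NO_ROUTE_ERRNOS = (errno.ENETUNREACH, errno.EHOSTUNREACH, errno.EADDRNOTAVAIL, errno.EAFNOSUPPORT)


def dns_server_route(address: str, port: int = 53):
    """Return the local source address the kernel would use for this server, or None if unroutable.

    connect() on a SOCK_DGRAM socket performs route lookup and binds a source address
    but transmits nothing, so this is side-effect free on the network.
    """
    ip = ipaddress.ip_address(address)  # raises ValueError on garbage input
    family = socket.AF_INET6 if ip.version == 6 else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.connect((address, port))
            return s.getsockname()[0]
    except OSError as e:
        if e.errno in _NO_ROUTE_ERRNOS:
            return None
        raise


def dns_server_accessible(address: str) -> bool:
    """True when a route to the server exists (no packet is sent)."""
    return dns_server_route(address) is not None


def dns_configured(servers) -> bool:
    """DNS counts as configured when at least one configured server is accessible."""
    return any(dns_server_accessible(s) for s in servers)


if __name__ == "__main__":
    for srv in ("127.0.0.1", "192.0.2.53"):  # second one is a TEST-NET-1 address, constructed
        print(srv, dns_server_route(srv))
```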
No functional change. Make it more clear that these varlink connections
are subscribed to query results. This prepares for adding SubscribeDNS
to the varlink API.
16mc1r [Mon, 27 Jan 2025 13:01:05 +0000 (14:01 +0100)]
Adds asus T103HAF rotation matrix to 60-sensor.hwdb (#36177)
Rotation Matrix to enable correct auto-rotation with
[iio-sensor-proxy](https://gitlab.freedesktop.org/hadess/iio-sensor-proxy/)
on an Asus Transformer Mini T103HAF with iio-sensor `HID-SENSOR-200073`.
- Tested on KDE Plasma Mobile (Fedora 41), details see inxi report.
Device Details:
- low-powered 2-in-1 convertible with 10.1" screen size, 4-core Atom CPU
and 4 GB RAM. Useful as x86-based tablet with stylus for annotation and
reading.
- [official asus website for the
device](https://www.asus.com/us/laptops/for-home/everyday-use/asus-transformer-mini-t103/)
Yu Watanabe [Fri, 24 Jan 2025 19:05:51 +0000 (04:05 +0900)]
machine: revert type change of "leader" in io.systemd.Machine.Register method
The varlink method io.systemd.Machine.Register() is in v256, hence the type
of "leader" cannot be changed.
Let's revert the change by 755cb018c9b3e93245afb86ec94223756ddd70e4, and
introduce another field "leaderProcessId", which takes detailed information
of the process.
Mike Yuan [Sun, 26 Jan 2025 00:32:42 +0000 (01:32 +0100)]
terminal-util: stop doing 0/upper bound check in tty_is_vc()
tty_is_vc() is more often than not used for simple "categorization"
rather than validity check. E.g. in logind, we first recognize the tty
"looks like vc", and then use vtnr_from_tty() where range check
is performed and vtnr is extracted. In such cases, we want to reject
invalid vtnr from clients rather than silently carry on, hence
let's remove the bound check in tty_is_vc().
Luca Boccassi [Fri, 24 Jan 2025 23:37:33 +0000 (23:37 +0000)]
man: fix reference to non-existing ukify parameter
The --extend parameter was removed by https://github.com/systemd/systemd/pull/34608
and a --join-profile was added instead; fix the leftover reference in the manpage.
Yu Watanabe [Sat, 25 Jan 2025 00:33:58 +0000 (09:33 +0900)]
libmount-util: introduce two helper functions
This introduces libmount_parse_mountinfo() and libmount_parse_with_utab().
The former one parses only mountinfo, but the latter one also parses
utab. Hopefully this avoids pitfalls like issue #35949.
homed: when setting up an idmapping map foreign UID range on itself
Now that nspawn can run unprivileged off directory trees owned by
the new "foreign" UID range let's make sure homed actually allows
files owned by that range in the home directories.
This is not enough to make nspawn just work in homed home dirs,
unfortunately. That's because homed applies an idmapping, and
nspawn would then need to take that idmapped mount and apply another
one, and the kernel simply doesn't support stacked idmapped mounts.
There's work ongoing to address that in the kernel.
However, this is a first step, and should be enough to make things just
work should the kernel eventually support stacked idmapped mounts.
Daan De Meyer [Fri, 24 Jan 2025 16:28:15 +0000 (17:28 +0100)]
HACKING: Move OBS section further down
HACKING.md should first and foremost tell someone how to hack on
systemd, installing packages from OBS isn't the most likely section
a new contributor will be interested in, so let's move it further
down.
Yu Watanabe [Sat, 11 Jan 2025 23:22:53 +0000 (08:22 +0900)]
udev-rules: use sd_device_set_sysattr_value() to write sysfs attribute
Then we can avoid files outside of sysfs being written by the udev ATTR key.
This also:
- logs failures in udev_resolve_subsys_kernel(),
- makes a failure in sd_device_get_syspath() critical, as that should not happen,
- caches the value to be written when running in test mode, so that it is
shown by OPTIONS="dump" or obtained by the ATTR match token.
Luca Boccassi [Fri, 24 Jan 2025 12:09:52 +0000 (12:09 +0000)]
mkosi: update debian commit reference
* 4447d2974d Update changelog for 257.2-3 release
* 4b1c65b905 libudev1: add udeb back to shlibs
* 1974e3d06e systemd-boot: always check that the boot entry is set, even with Shim is already installed
* 9a5eea9823 systemd-boot: use boot entry argument instead of installing as grub.efi on ESP
* df6efeed46 libsystemd-dev/libudev-dev: depend on libcap-dev
* 5673b771e1 signing template: add override for executable-not-elf-or-script
* 3f109637c4 Update changelog for 257.2-2 release
* 42f4afa605 Drop udeb packages
* c04f7f2b16 signing template: always set urgency to 'high'
* 9bd8b5228b Set SBAT info for upstream build
* 257ba8563b udev: link to libsystemd-shared when building with noudeb profile
* 8ca2b26678 Link systemctl against libsystemd-shared
* 1a4a8af0c2 Install jq for pkg.systemd.upstream too since the template packages are now built
* 6fd0d2698d signing template: fix Lintian warnings and errors
* c79d10bbaa Build template packages for pkg.systemd.upstream profile, for OBS builds
* 485a867438 d/t/upstream: take into account autopkgtest pinning
* c1b6e565e3 Update README.source in the signing-template
* 17d1b92d9f d/t/control: remove 'flaky' from tests-in-lxd
* 2a36f6f5e1 Do not install sd-resolved and drop breaks-testbed from fast tests
* a3cb52f8d0 Enable UEFI on loong64
* ad7a943023 Enable libseccomp on loong64 and hppa
* 9d24f84ed5 Update changelog for 257.2-1 release
* f47619c9f4 Drop all patches, merged upstream
* d4aa6545a6 Install new files for upstream CI
* 5775daa46e d/rules: support building in OBS from git
Enforce per-user quota on /tmp/ and /dev/shm/ as user logs in (#36010)
There's finally quota on tmpfs, hence let's use it to make it harder for
users to DoS the system by consuming all disk space in /tmp/ and
/dev/shm/.
This enforces a default limit of 80% quota of the backing fs for these
two dirs for users, but this can be overridden in the user record, if
desired.
This also adds two other interesting features:
1. mount units gain GracefulOptions= which takes optional mount options
that are added only if supported by the kernel. (this is used to enable
usrquota on /tmp/, if available.)
2. The PAM logic in service management now supports reading passwords
from service credentials and via the askpw logic. This is used to make
testing easy (so that we can run0 into a homed user, which strictly
requires a password).
Daan De Meyer [Fri, 24 Jan 2025 09:54:51 +0000 (10:54 +0100)]
mkosi: Drop usage of _systemd_QUIET in arch build script
We dropped the variable in the packaging specs for Arch to keep the
integration points as minimal as possible so let's stop using it in
the build script as well.
Luca Boccassi [Thu, 21 Nov 2024 09:51:14 +0000 (09:51 +0000)]
test: split VM-only subtests from TEST-74-AUX-UTILS to new VM-only test
TEST-74-AUX-UTILS covers many subtests, as it's a catch-all job, and a few
need a VM to run. The job is thus marked VM-only. But that means in settings
where we can't run VM tests (no KVM available), the entire thing is skipped,
losing tons of coverage that doesn't need skipping.
Move the VM-only subtests to TEST-87-AUX-UTILS-VM that is configured to only
run in VMs under both runners. This way we keep the existing tests as-is, and
we can add new VM-only tests without worrying. This is how the rest of the
tests are organized.
nspawn: support unpriv directory-tree containers (#35685)
So far nspawn supported unpriv containers only if backed by a DDI. This
adds dir-based unpriv containers too.
To make this work this introduces a new UID concept to systemd: the
"foreign UID range". This is a high UID range of size 64K. The idea is
that disk images that are "foreign" to the local system can use that,
and when a container or similar is invoked from it, a transiently
allocated dynamic UID range is mapped from that foreign UID range via id
mapped mounts.
This means the fully dynamic, transient UID ranges never hit the disk,
which should vastly simplify management, and does not require that uid
"subranges" are persistently delegated to any users.
The mountfsd daemon gained a new method call for acquiring an idmapped
mount fd for a mount tree owned by the foreign UID range. Access is
permitted to unpriv clients – as long as the referenced inode is located
within a dir owned by the client's own uid range.