Daan De Meyer [Mon, 3 Mar 2025 11:35:11 +0000 (12:35 +0100)]
test: Connect test unit to console when running interactively
When running interactively, let's connect the test unit directly
to the console. This enables adding "bash" anywhere within an
integration test to get a shell within the test environment.
Jörg Behrmann [Sun, 2 Mar 2025 14:52:08 +0000 (15:52 +0100)]
tests: remove cache=unsafe from TEST-64-UDEV-STORAGE
mkosi switch to the newer -blockdev qemu option in systemd/mkosi#3557 [1], but
cache=unsafe is an option only -drive supports.
Since the qemu-system_x86-64 man page [2] says this, cache.writeback=on is the
default and mkosi setting the other two options to the values corresponding to
unsafe, it should be fine to drop the cache=unsafe option.
┌─────────────┬─────────────────┬──────────────┬────────────────┐
│ │ cache.writeback │ cache.direct │ cache.no-flush │
├─────────────┼─────────────────┼──────────────┼────────────────┤
│writeback │ on │ off │ off │
├─────────────┼─────────────────┼──────────────┼────────────────┤
│none │ on │ on │ off │
├─────────────┼─────────────────┼──────────────┼────────────────┤
│writethrough │ off │ off │ off │
├─────────────┼─────────────────┼──────────────┼────────────────┤
│directsync │ off │ on │ off │
├─────────────┼─────────────────┼──────────────┼────────────────┤
│unsafe │ on │ off │ on │
└─────────────┴─────────────────┴──────────────┴────────────────┘
sd-id128: gracefully handle systems where kernel keyring access is blocked
In various scenarios we invoke containers with access to the kernel
keyring blocked. Let's make sure we can handle this properly: when the
invocation ID is stored in in the kernel keyring and we try to read it
and get EPERM we should handle it gracefully, like EOPNOTSUPP.
The functionality is entirely redundant, we already have
sd_json_variant_filter() which does the same, and is in fact even more
powerful, since it takes a list instead of a single field to remove.
Daan De Meyer [Fri, 28 Feb 2025 16:14:49 +0000 (17:14 +0100)]
Add a few more bypass environment variables
When we're building ParticleOS images, we don't want the package
manager (or mkosi) to run systemd-sysusers, systemd-tmpfiles or
systemctl preset so let's add a few more bypass environment
variables that we can set to have execution of these skipped like
we already have $SYSTEMD_HWDB_UPDATE_BYPASS and $KERNEL_INSTALL_BYPASS.
Daan De Meyer [Tue, 4 Feb 2025 14:48:36 +0000 (15:48 +0100)]
core: Add DelegateNamespaces=
This delegates one or more namespaces to the service. Concretely,
this setting influences in which order we unshare namespaces. Delegated
namespaces are unshared *after* the user namespace is unshared. Other
namespaces are unshared *before* the user namespace is unshared.
Yu Watanabe [Fri, 28 Feb 2025 10:28:33 +0000 (19:28 +0900)]
mountpoint-util: make statx() failure critical
Two error conditions are unreachable, as now both glibc and kernel
support statx(). In other many places, failure in statx() are handled as
critical, even if it is filtered by seccomp or so. Let's follow the same
way here.
Hence, based on our supporting policy, we can bump the base line to 2.31.
This commit does not change anything on our source code. But, will drop
many workarounds for supporting older glibc in later commits.
Yu Watanabe [Thu, 27 Feb 2025 18:24:39 +0000 (03:24 +0900)]
test-network: extend test case for static routes
- split out verifications into two functions,
- also check the following scenarios:
* unmanaging an existing interface,
* re-managing an unmanaged interface,
* adding a new unmanaged interface,
* removing an unmanaged interface.
Issue OSC ANSI sequence whenever we change "context" of a TTY, i.e. acquire privs, enter container or VM or similar (#35224)
This is mostly a strawman to get a discussion going regarding how to
communicate to terminal emulators such as ptyxis about run0 (and nspawn,
and vmspawn, and moe) and what it does.
It's hierarchical and I think still relatively simple.
Martin Wilck [Mon, 17 Feb 2025 17:40:35 +0000 (18:40 +0100)]
libfido2-util: accept cached pin in fido2_generate_hmac_hash()
fido2_generate_hmac_hash() sets req->keyring to "fido2-pin" when
calling ask_password_auto(), suggesting that a key by this name
can be read from the kernel keyring. But the keyring is never
opened because the ASK_PASSWORD_ACCEPT_CACHED flag is not set.
Set ASK_PASSWORD_ACCEPT_CACHED to allow automated / scripted
setup of encrypted volumes with FIDO2. If the PIN turns out to
be invalid, clear ASK_PASSWORD_ACCEPT_CACHED to avoid retrying
and possible lockout.
units: measure additional phases into PCR 11 when entering storage target mode or factory reset (#36543)
Let's "spoil" access to TPM secrets when we boot into these two modes.
This matters in particular for storagetm: if the host gets exploited
while booted into storage target mode any secrets kept by the TPM might
remain accessible otherwise. By measuring a new "phase" word into PCR 11
we "blow the fuse" however on this boot.
(Note: we also change TEST-13-NSPAWN.machined.sh minimally here, because
it checks for byte precise output of a pty allocated for a service
invocation - which it's not going to get if it claims that the pty is an
all-powerful one. After all this PR ensures that we'll generate the new
OSC sequence on non-dumb terminals associated with services. Hence, set
TERM=dumb explicitly to ensure no ANSI sequences are generated, ever.
Which is a nice test btw that TERM=dumb really does its thing here.)
terminal-util: change conditioning in terminal_reset_defensive()
So far we conditioned the logic that issues ansi sequences for resetting
the TTY based on whether something is a pty is not (under the assumption
we need no reset on ptys, since they are shortlived).
This is simply wrong though. The pty that a container getty is invoked
on is generally long-lived: as long as the container is up, and it will
be reused between getty instances/sessions all the time. In such a case
we really should reset properly.
Let's instead make the logic dependent on whether TERM is set to
anything other than "dumb". The previous commit made sure we always set
TERM in a sensible way in systemd-run, hence this
*explicit* logic sounds like a much better choice now, as it mea
terminal-util: change 2nd parameter of terminal_reset_defensive() to flags
let's convert the 2nd argumeng form a boolean to a proper flags
parameter. Doesn't change behaviour in anyway, but is more readable, and
prepares ground for adding more flags soon.
run: tweak logic how we set $TERM for activated services
There are two cases when we invoke a service on a TTY:
1. We ourselves are connected to a TTY and would intend to enable PTY
forwarding.
2. We are allocating a TTY but are not ourselves connected to a TTY and
just want to input/output to pipe or other non-TTY fd.
Let's propagate $TERM only as-is in the first case. In the 2nd case,
let's explicitly set $TERM to "dumb", so that invoked progams do not
issue needless ansi sequences, since we are not propagating them to a
terminal either.
This should be a much safer result, for cases where people include
invocations of systemd-nspawn with full TTY allocation in a shell
pipeline or so.
(of course, the user can always explicitly override this)
pam_systemd: issue context OSC sequences when allocating new TTY session
note: this also adds making a copy of the session type string after
registering the session. That's because we need to check the session
type we settled on later to condition out the OSC sequence (because it
should only be issued on TTY sessions). However, the session type string
originally quite likely points into the PAM environment block, which we
update in the meantime, invalidating that pointer. hence, make an
explicit copy first, and use that.
Daan De Meyer [Fri, 21 Feb 2025 11:22:45 +0000 (12:22 +0100)]
sbsign: Split out functions and switch to lower level APIs
Preparation for adding offline signing support. Some additional
features and fixes are included as well:
- We make sure to add an empty SMIMECAP attribute instead of a populated
one to mimick pesign more.
- We switch to PKCS7_dataFinal() instead of PKCS7_final() as all that the
latter does is an unnecessary copy before calling PKCS7_dataFinal().
- We add support for passing in the signing time via $SOURCE_DATE_EPOCH.
units: measure "factory-reset" into PCR 11 when we request factory reset
Let's make sure that the moment where factory reset is requested is
visible in the TPM PCR state, so that access to secrets is terminated.
This is particulary interesting when the system is booted with
systemd.unit=factory-reset.target on the kernel command line, requesting
a factory reset on the following boot. The preparations done in
userspace should already lose access to the TPM in that case.
units: measure the fact we enter storage target mode into TPM
storagetm mode means we we are network accessible. let's lock down
access to TPM secrets in this case: let's measure a pcr "phase" string
into PCR 11.
This is good as it means that if we are exploited in this state FDE
secrets protected by TPM are likely to remain protected, since the PCR
values wouldn't allow access.
SERVICE_RELOAD_SIGNAL state can only be reached via explicit reload jobs,
and we have a clear distinction between that and plain RELOADING=1
notifications, the latter of which is issued by clients doing reload
outside of our job engine. I.e. upon SERVICE_RELOAD_SIGNAL + RELOADING=1
we don't propagate reload jobs again, since that's done during transaction
construction stage already. The handling of combined RELOADING=1 + READY=1
so far is bogus however, as it tries to propagate duplicate reload jobs.
Amend this by following the logic for standalone RELOADING=1.
pam_systemd: complement per-area $HOME management with per-area $XDG_RUNTIME_DIRECTORY mgmt
When a user logs into a non-default area we give them a private
$HOME for that area (that's what 'area' is supposed to be after all). We
so far left $XDG_RUNTIME_DIRECTORY as it was. Let's change that and
mirror the subdirectory logic there too.
Why? $XDG_RUNTIME_DIR is generally the place where AF_UNIX sockets are
bound that can be used to connect to per-user services. (in particular
all those which are behind D-Bus.) If we don't patch $XDG_RUNTIME_DIR
like this then this means all the backing services will use the main
area, which is problematic (since clients and services will disagree on
$HOME), and makes it impossible to support the area concept for
graphical logins properly.
This does not actually make graphical logins work, but it at least makes
them fail cleanly. That's because this patch alone won't make sure a
per-area service manager/dbus instance is invoked automatically. That
however can be added later, in a patch to logind.
Let's tweak update_environment() a bit: instead of being a NOP when no
value is specified, let's actively unset the specified environment
variable if it is set.
This shouldn't change much, since for the cases we call the function so
far the env vars in question should not be set before us in a way we'd
set them differently. However, this is nice preparation for later, as we
can make use of this for XDG_AREA which we might want to unset if we
consider the area dir invalid.
projects / thirdparty / systemd.git / log
