pcrlock: add "is-supported" verb that checks if the local TPM supports the commands we need for pcrlock
systemd-pcrlock requires support for the PolicyAuthorizeNV command,
which is not implemented in the first TPM2 releases. We also strictly
require SHA-256 support. Hence add a tool for checking for both of
these.
This is a tighter version of "systemd-analyze has-tpm2", that checks for
the precise feature that systemd-pcrlock needs, on top of basic TPM2
functionality.
Yu Watanabe [Fri, 30 May 2025 19:30:43 +0000 (04:30 +0900)]
bus-unit-util: warn and ignore assignment of deprecated properties
With 5da476ac7728b91ad3a49c1b126b3559b4fbeed8, we refused to set the
properties, but this relaxes the behavior, and now commands warn and
ignore the assignment.
vmspawn: do not preserve access permissions and xattrs of template OVMF vars
This makes vmspawn work when /usr/share/qemu/edk2-i386-vars.fd is on
disk with 0444 permissions as is the case on NixOS.
The nix package manager does not store any access permissions, ownership,
timestamps, or extended attributes in its package format to increase
reproducibility. The only meta-data that is stored is the executable bit.
Thus when unpacking a nix package, the executable bit is preserved, but no other
access permissions are preserved and all files in /nix/store end up as
read-only.
This causes the template OVMF vars file to have 0444 permissions. If we preserve
those permissions when copying the template file to /tmp that means QEMU can not
write to the file and fails.
So lets not preserve permissions and keep the 0600 permissions that are set by
default.
Alex [Mon, 2 Jun 2025 22:47:49 +0000 (18:47 -0400)]
network: fix a potential divide-by-zero (#37705)
In function `tc_init`, hz is parsed from the content of file
`"/proc/net/psched"` and can be 0.
In function `hierarchy_token_bucket_class_verify`, hz is directly used
as a divisor in
`htb->buffer = htb->rate / hz + htb->mtu;` without any check. This adds a check on hz before using it as a divisor.
I wanted to see if moving moving out constant string arguments our of
error messages results in smaller binary sizes. Turns out it does, but
the savings are not consistent. Sometimes we get a few kB in a single
binary, sometimes there is no size change.
Adrian Vovk [Wed, 21 May 2025 21:32:03 +0000 (17:32 -0400)]
Define uid range for greeter
In multi-seat scenarios, a display manager might need to start multiple
greeter sessions. But systemd allows at most one graphical session per
user. So, display managers now have a range of UIDs to dynamically
allocate users for their greeter sessions.
various: do not include file names directly in error messages
git grep -l 'Failed to open /'|xargs sed -r -i 's|"Failed to open (/[^ ]+): %m"|"Failed to open %s: %m", "\1"|g'
git grep -l $'Failed to open \'/'|xargs sed -r -i $'s|"Failed to open \'(/[^ ]+)\': %m"|"Failed to open %s: %m", "\\1"|g'
git grep -l "Failed to open /"|xargs sed -r -i $'s|"Failed to open (/[^ ]+), ignoring: %m"|"Failed to open %s, ignoring: %m", "\\1"|g'
+ some manual fixups.
repart: make CopyBlock=auto work for verity sig partitions
Note that this doesn't care which partition set (A or B in an A/B
scenario) is actually newer, it just picks the first suitable, but
that's something we should look into later. For now, let's just make
verity sig partitions work the same way as verity partitions.
Daan De Meyer [Sun, 1 Jun 2025 18:24:47 +0000 (20:24 +0200)]
repart: Apply verity-sig max size based on partition type
We already do this for partition_min_size(), let's do it for
partition_max_size() as well. This makes sure repart doesn't accidentally
try to grow verity sig partitions to larger sizes than the hardcoded
max size in systemd.
mount-util: avoid unnecessary mount_setattr() call in make_fsmount()
If .attr_set is zero (and .att_clr, .propagation too), then there's no
point in calling mount_setattr().
Fixes: #37062
Note that this optimization is not precisely load-bearing anymore, since 3cc23a2c2345eb188551565349c89ec1fa8f650f got merged which removes the
only caller of make_fsmount() that might trigger it. But it's worth
fixing generic code anyway, in case it gets used like this later again.
core/smack-setup: rework message to include full paths to files
We'd print the filename, but not the full path. Error messages without
the full path are annoying to users since they might not know where the file
is located, esp. if the name is fairly generic, and it is harder to search
for the error message too.
Use a trailing slash to indicate when we're trying to open a directory.
Drop quotes from around paths which are static and known to contain no
whitespace.
sd-device: do not include file name directly in error messages
$ diff -u <(strings -n 10 build/libsystemd.so.0.40.0.0 | sort) <(strings -n 10 build/libsystemd.so.0.40.0 | sort)
--- /proc/self/fd/11 2025-05-31 15:17:16.968761963 +0200
+++ /proc/self/fd/12 2025-05-31 15:17:16.970159823 +0200
@@ -3860,11 +3860,6 @@
Failed to fstat() journal file '%s', ignoring: %m
Failed to fstat %s: %m
Failed to get basic: %m
-Failed to get device "ACTION" property, ignoring: %m
-Failed to get device "DEVNUM" property, ignoring: %m
-Failed to get device "DISKSEQ" property, ignoring: %m
-Failed to get device "IFINDEX" property, ignoring: %m
-Failed to get device "SEQNUM" property, ignoring: %m
Failed to get device "%s" property, ignoring: %m
Failed to get inode number of pidfd for pid %i: %m
Failed to get peer's socket address, ignoring: %m
$ ls -l build/libsystemd.so.0.40.0{,.0}
-rwxr-xr-x 1 zbyszek zbyszek 7631640 May 31 15:16 build/libsystemd.so.0.40.0
-rwxr-xr-x 1 zbyszek zbyszek 7635736 May 31 15:16 build/libsystemd.so.0.40.0.0
$ size build/libsystemd.so.0.40.0{,.0}
text data bss dec hex filename 1241382 56185 3554 1301121 13da81 build/libsystemd.so.0.40.0 1241606 56185 3554 1301345 13db61 build/libsystemd.so.0.40.0.0
So the savings are ~4kB, which is more than I expected.
sleep: do not include file name directly in error messages
Here the .text section becomes smaller, but the file size doesn't change
(I guess some alignment issue). But is seems to be reasonable change to
anyway, we might get some savings in different compilations anyway.
random-seed: do not include file name directly in error messages
The path is fairly long and by embedding it in the message, we get a longer
data section in our binary. By using %s, we can make the template strings
shorter, deduplicating bytes in our binary. Those are error messages, i.e. by
definition they are only used very rarely, so it's completely fine if printf
does a bit more work when generating the message.
$ strings build/systemd-random-seed.0 | rg '/var/lib/systemd/random-seed'
/var/lib/systemd/random-seed
Failed to open /var/lib/systemd/random-seed for writing: %m
Failed to open /var/lib/systemd/random-seed for reading: %m
Failed to open /var/lib/systemd/random-seed: %m
Failed to stat() seed file /var/lib/systemd/random-seed: %m
Failed to read seed from /var/lib/systemd/random-seed: %m
Seed file /var/lib/systemd/random-seed not yet initialized, proceeding.
Yu Watanabe [Sat, 31 May 2025 01:24:17 +0000 (10:24 +0900)]
bootctl: do not print slash more than once
When bootctl is called by an unprivileged user, then previously we got
```
Failed to read "/boot/EFI/systemd": Permission denied
Failed to open '/boot//loader/loader.conf': Permission denied
```
Now, with this patch, we get
```
Failed to read "/boot/EFI/systemd": Permission denied
Failed to open '/boot/loader/loader.conf': Permission denied
```
Inspired by https://github.com/systemd/systemd/pull/37538, see a
detailed rationale in
https://github.com/systemd/systemd/pull/37538#discussion_r2110229075.
This is inspired by #37538, see the discussion in
https://github.com/systemd/systemd/pull/37538#discussion_r2110229075.
If the user already specifies $TERM (which is actually
quite common if you look at run0), we'd needlessly invoke
the "fallback" logic and
a) possibly issue a DCS query whose result we end up simply
discarding in strv_env_merge()
b) set $COLORTERM to "truecolor" unconditionally, whereas
the explicit $TERM value might intend to disable the color output
To address this, the logic of setting fallback $TERM and friends
has been split out of build_environment(), and we'd call into it
only after all envvars have been collected.
Mike Yuan [Thu, 29 May 2025 19:01:01 +0000 (21:01 +0200)]
Use DCS sequence to query terminal name and set $TERM automatically (#37538)
This code seems to work quickly and nicely for a bunch of modern
terminals. Setting $TERM automatically removes an common annoyance for
users. This code will not work for all terminal emulators, but by adding
it in systemd we'll entice maintainers of those terminals to add support
for the sequences. For the terminals that don't support the sequence, we
get a bit of a slowdown of `< 1 ms`, which seems hardly noticeable. The
user can always set TERM explicitly to avoid this if upgrading to a
newer terminal emulator is not possible.
query_term_for_tty() is used in two places: in fixup_environment(),
which affects PID1 itself, and in build_environment(), which affects
spawned services. There is obviously some cost to the extra call,
but I think it's worthwhile to do it. When $TERM is set incorrectly,
basic output works OK, but then there are various annoying corner
cases. In particular, we get the support for color (or lack of it)
wrong, and when output is garbled, users are annoyed. Things like
text editors are almost certain to behave incorrectly. Testing in
test-terminal-util indicates that the time required to make a successful
query is on the order of a dozen microseconds, and an unsuccessful
query costs as much as our timeout, i.e. currently 1/3 ms. I think
this is an acceptable tradeoff.
No caching is used, because fixup_environment() is only called once,
and the other place in build_environment(), only affects services
which are connected to a tty, which is only a handful of services,
and often only started in special circumstances.
projects / thirdparty / systemd.git / log
