]>
Commit | Line | Data |
---|---|---|
1 | Bugfixes: | |
2 | ||
3 | * Many manager configuration settings that are only applicable to user | |
4 | manager or system manager can be always set. It would be better to reject | |
5 | them when parsing config. | |
6 | ||
7 | * Jun 01 09:43:02 krowka systemd[1]: Unit user@1000.service has alias user@.service. | |
8 | Jun 01 09:43:02 krowka systemd[1]: Unit user@6.service has alias user@.service. | |
9 | Jun 01 09:43:02 krowka systemd[1]: Unit user-runtime-dir@6.service has alias user-runtime-dir@.service. | |
10 | ||
11 | External: | |
12 | ||
13 | * Fedora: add an rpmlint check that verifies that all unit files in the RPM are listed in %systemd_post macros. | |
14 | ||
15 | * dbus: | |
16 | - natively watch for dbus-*.service symlinks (PENDING) | |
17 | - teach dbus to activate all services it finds in /etc/systemd/services/org-*.service | |
18 | ||
19 | * fedora: suggest auto-restart on failure, but not on success and not on coredump. also, ask people to think about changing the start limit logic. Also point people to RestartPreventExitStatus=, SuccessExitStatus= | |
20 | ||
21 | * neither pkexec nor sudo initialize environ[] from the PAM environment? | |
22 | ||
23 | * fedora: update policy to declare access mode and ownership of unit files to root:root 0644, and add an rpmlint check for it | |
24 | ||
25 | * register catalog database signature as file magic | |
26 | ||
27 | * zsh shell completion: | |
28 | - <command> <verb> -<TAB> should complete options, but currently does not | |
29 | - systemctl add-wants,add-requires | |
30 | - systemctl reboot --boot-loader-entry= | |
31 | ||
32 | * systemctl status should know about 'systemd-analyze calendar ... --iterations=' | |
33 | * If timer has just OnInactiveSec=..., it should fire after a specified time | |
34 | after being started. | |
35 | ||
36 | * write blog stories about: | |
37 | - hwdb: what belongs into it, lsusb | |
38 | - enabling dbus services | |
39 | - how to make changes to sysctl and sysfs attributes | |
40 | - remote access | |
41 | - how to pass throw-away units to systemd, or dynamically change properties of existing units | |
42 | - testing with Harald's awesome test kit | |
43 | - auto-restart | |
44 | - how to develop against journal browsing APIs | |
45 | - the journal HTTP iface | |
46 | - non-cgroup resource management | |
47 | - dynamic resource management with cgroups | |
48 | - refreshed, longer missions statement | |
49 | - calendar time events | |
50 | - init=/bin/sh vs. "emergency" mode, vs. "rescue" mode, vs. "multi-user" mode, vs. "graphical" mode, and the debug shell | |
51 | - how to create your own target | |
52 | - instantiated apache, dovecot and so on | |
53 | - hooking a script into various stages of shutdown/early boot | |
54 | ||
55 | Regularly: | |
56 | ||
57 | * look for close() vs. close_nointr() vs. close_nointr_nofail() | |
58 | ||
59 | * check for strerror(r) instead of strerror(-r) | |
60 | ||
61 | * pahole | |
62 | ||
63 | * set_put(), hashmap_put() return values check. i.e. == 0 does not free()! | |
64 | ||
65 | * use secure_getenv() instead of getenv() where appropriate | |
66 | ||
67 | * link up selected blog stories from man pages and unit files Documentation= fields | |
68 | ||
69 | Janitorial Clean-ups: | |
70 | ||
71 | * rework mount.c and swap.c to follow proper state enumeration/deserialization | |
72 | semantics, like we do for device.c now | |
73 | ||
74 | * get rid of prefix_roota() and similar, only use chase() and related | |
75 | calls instead. | |
76 | ||
77 | * get rid of basename() and replace by path_extract_filename() | |
78 | ||
79 | * Replace our fstype_is_network() with a call to libmount's mnt_fstype_is_netfs()? | |
80 | Having two lists is not nice, but maybe it's now worth making a dependency on | |
81 | libmount for something so trivial. | |
82 | ||
83 | * drop set_free_free() and switch things over from string_hash_ops to | |
84 | string_hash_ops_free everywhere, so that destruction is implicit rather than | |
85 | explicit. Similar, for other special hashmap/set/ordered_hashmap destructors. | |
86 | ||
87 | * generators sometimes apply C escaping and sometimes specifier escaping to | |
88 | paths and similar strings they write out. Sometimes both. We should clean | |
89 | this up, and should probably always apply both, i.e. introduce | |
90 | unit_file_escape() or so, which applies both. | |
91 | ||
92 | * xopenat() should pin the parent dir of the inode it creates before doing its | |
93 | thing, so that it can create, open, label somewhat atomically. | |
94 | ||
95 | Deprecations and removals: | |
96 | ||
97 | * Remove any support for booting without /usr pre-mounted in the initrd entirely. | |
98 | Update INITRD_INTERFACE.md accordingly. | |
99 | ||
100 | * remove cgroups v1 support EOY 2023. As per | |
101 | https://lists.freedesktop.org/archives/systemd-devel/2022-July/048120.html | |
102 | and then rework cgroupsv2 support around fds, i.e. keep one fd per active | |
103 | unit around, and always operate on that, instead of cgroup fs paths. | |
104 | ||
105 | * drop support for kernels that lack ambient capabilities support (i.e. make | |
106 | 4.3 new baseline). Then drop support for "!!" modifier for ExecStart= which | |
107 | is only supported for such old kernels. | |
108 | ||
109 | * drop support for kernels lacking memfd_create() (i.e. make 3.17 new | |
110 | baseline), then drop all pipe() based fallbacks. | |
111 | ||
112 | * drop support for getrandom()-less kernels. (GRND_INSECURE means once kernel | |
113 | 5.6 becomes our baseline). See | |
114 | https://github.com/systemd/systemd/pull/24101#issuecomment-1193966468 for | |
115 | details. Maybe before that: at taint-flags/warn about kernels that lack | |
116 | getrandom()/environments where it is blocked. | |
117 | ||
118 | * drop support for LOOP_CONFIGURE-less loopback block devices, once kernel | |
119 | baseline is 5.8. | |
120 | ||
121 | * drop fd_is_mount_point() fallback mess once we can rely on | |
122 | STATX_ATTR_MOUNT_ROOT to exist i.e. kernel baseline 5.8 | |
123 | ||
124 | * Remove /dev/mem ACPI FPDT parsing when /sys/firmware/acpi/fpdt is ubiquitous. | |
125 | That requires distros to enable CONFIG_ACPI_FPDT, and have kernels v5.12 for | |
126 | x86 and v6.2 for arm. | |
127 | ||
128 | * Once baseline is 4.13, remove support for INTERFACE_OLD= checks in "udevadm | |
129 | trigger"'s waiting logic, since we can then rely on uuid-tagged uevents | |
130 | ||
131 | Features: | |
132 | ||
133 | * use name_to_handle_at() with AT_HANDLE_FID instead of .st_ino (inode | |
134 | number) for identifying inodes, for example in copy.c when finding hard | |
135 | links, or loop-util.c for tracking backing files, and other places. | |
136 | ||
137 | * cryptenroll/cryptsetup/homed: add unlock mechanism that combines tpm2 and | |
138 | fido2, as well as tpm2 + ssh-agent, inspired by ChromeOS' logic: encrypt the | |
139 | volume key with the TPM, with a policy that insists that a nonce is signed by | |
140 | the fido2 device's key or ssh-agent key. Thus, add unlock/login time the TPM | |
141 | generates a nonce, which is sent as a challenge to the fido2/ssh-agent, which | |
142 | returns a signature which is handed to the tpm, which then reveals the volume | |
143 | key to the PC. | |
144 | ||
145 | * cryptenroll/cryptsetup/homed: similar to this, implement TOTP backed by TPM. | |
146 | ||
147 | * expose the handoff timestamp fully via the D-Bus properties that contain | |
148 | ExecStatus information | |
149 | ||
150 | * properly serialize the ExecStatus data from all ExecCommand objects | |
151 | associated with services, sockets, mounts and swaps. Currently, the data is | |
152 | flushed out on reload, which is quite a limitation. | |
153 | ||
154 | * Clean up "reboot argument" handling, i.e. set it through some IPC service | |
155 | instead of directly via /run/, so that it can be sensible set remotely. | |
156 | ||
157 | * userdb: add concept for user "aliases", to cover for cases where you can log | |
158 | in under the name lennart@somenetworkfsserver, and it would automatically | |
159 | generate a local user, and from the one both names can be used to allow | |
160 | logins into the same account. | |
161 | ||
162 | * systemd-tpm2-support: add a some logic that detects if system is in DA | |
163 | lockout mode, and queries the user for TPM recovery PIN then. | |
164 | ||
165 | * systemd-repart should probably enable btrfs' "temp_fsid" feature for all file | |
166 | systems it creates, as we have no interest in RAID for repart, and it should | |
167 | make sure that we can mount them trivially everywhere. | |
168 | ||
169 | * systemd-nspawn should get the same SSH key support that vmspawn now has. | |
170 | ||
171 | * insert the new pidfs inode number as a third field into PidRef, so that | |
172 | PidRef are reasonably serializable without having to pass around fds. | |
173 | ||
174 | * systemd-analyze smbios11 to dump smbios type 11 vendor strings | |
175 | ||
176 | * move documentation about our common env vars (SYSTEMD_LOG_LEVEL, | |
177 | SYSTEMD_PAGER, …) into a man page of its own, and just link it from our | |
178 | various man pages that so far embed the whole list again and again, in an | |
179 | attempt to reduce clutter and noise a bid. | |
180 | ||
181 | * vmspawn switch default swtpm PCR bank to SHA384-only (away from SHA256), at | |
182 | least on 64bit archs, simply because SHA384 is typically double the hashing | |
183 | speed than SHA256 on 64bit archs (since based on 64bit words unlike SHA256 | |
184 | which uses 32bit words). | |
185 | ||
186 | * In vmspawn/nspawn/machined wait for X_SYSTEMD_UNIT_ACTIVE=ssh-active.target | |
187 | and X_SYSTEMD_SIGNAL_LEVEL=2 as indication whether/when SSH and the POSIX | |
188 | signals are available. Similar for D-Bus (but just use sockets.target for | |
189 | that). Report as property for the machine. | |
190 | ||
191 | * teach nspawn/machined a new bus call/verb that gets you a | |
192 | shell in containers that have no sensible pid1, via joining the container, | |
193 | and invoking a shell directly. Then provide another new bus call/vern that is | |
194 | somewhat automatic: if we detect that pid1 is running and fully booted up we | |
195 | provide a proper login shell, otherwise just a joined shell. Then expose that | |
196 | as primary way into the container. | |
197 | ||
198 | * make vmspawn/nspawn/importd/machined a bit more usable in a WSL-like | |
199 | fashion. i.e. teach unpriv systemd-vmspawn/systemd-nspawn a reasonable | |
200 | --bind-user= behaviour that mounts the calling user through into the | |
201 | machine. Then, ship importd with a small database of well known distro images | |
202 | along with their pinned signature keys. Then add some minimal glue that binds | |
203 | this together: downloads a suitable image if not done so yet, starts it in | |
204 | the bg via vmspawn/nspawn if not done so yet and then requests a shell inside | |
205 | it for the invoking user. | |
206 | ||
207 | * make varlink.h a public API, i.e. give all symbols an sd_ prefix, and rename | |
208 | header file to sd-varlink.h. This of course also means we have to make json.h | |
209 | public the same way. Convert the function param checks from assert() to | |
210 | assert_ret(). Only export the stuff we are sure about, and keep some symbols | |
211 | internally where things are not clear whether we want other projects to use. | |
212 | ||
213 | * machined: allow running in a per-user instance too, to allow unpriv | |
214 | systemd-nspawn and systemd-vmspawn do something useful. (Alternatively: open | |
215 | up system machined to unpriv client's registering their machines, and enforce | |
216 | they come with some prefix or suffix that clarifies they are the | |
217 | user's. i.e. when a user registers a machine it must be called | |
218 | foobar.<username> or so.). | |
219 | ||
220 | * importd/…: define per-user dirs for container/VM images too. | |
221 | ||
222 | * add a new specifier to unit files that figures out the DDI the unit file is | |
223 | from, tracing through overlayfs, DM, loopback block device. | |
224 | ||
225 | * importd/importctl | |
226 | - import generator | |
227 | - port tar handling to libarchive | |
228 | - add varlink interface | |
229 | - download images into .v/ dirs | |
230 | ||
231 | * in os-release define a field that can be initialized at build time from | |
232 | SOURCE_DATE_EPOCH (maybe even under that name?). Would then be used to | |
233 | initialize the timestamp logic of ConditionNeedsUpdate=. | |
234 | ||
235 | * nspawn/vmspawn/pid1: add ability to easily insert fully booted VMs/FOSC into | |
236 | shell pipelines, i.e. add easy to use switch that turns off console status | |
237 | output, and generates the right credentials for systemd-run-generator so that | |
238 | a program is invoked, and its output captured, with correct EOF handling and | |
239 | exit code propagation | |
240 | ||
241 | * new systemd-analyze "join" verb or so, for debugging services. Would be | |
242 | nsenter on steroids, i.e invoke a shell or command line in an environment as | |
243 | close as we can make it for the MainPID of a service. Should be built around | |
244 | pidfd, so that we can reasonably robustly do this. Would only cover the | |
245 | execution environment like namespaces, but not the privilege settings. | |
246 | ||
247 | * varlink: extend varlink IDL macros to include documentation strings | |
248 | ||
249 | * Introduce a CGroupRef structure, inspired by PidRef. Should contain cgroup | |
250 | path, cgroup id, and cgroup fd. Use it to continuously pin all v2 cgroups via | |
251 | a cgroup_ref field in the CGroupRuntime structure. Eventually switch things | |
252 | over to do all cgroupfs access only via that structure's fd. | |
253 | ||
254 | * Get rid of the symlinks in /run/systemd/units/* and exclusively use cgroupfs | |
255 | xattrs to convey info about invocation ids, logging settings and so on. | |
256 | support for cgroupfs xattrs in the "trusted." namespace was added in linux | |
257 | 3.7, i.e. which we don't pretend to support anymore. | |
258 | ||
259 | * rewrite bpf-devices in libbpf/C code, rather than home-grown BPF assembly, to | |
260 | match bpf-restrict-fs, bpf-restrict-ifaces, bpf-socket-bind | |
261 | ||
262 | * ditto: rewrite bpf-firewall in libbpf/C code | |
263 | ||
264 | * credentials: if we ever acquire a secure way to derive cgroup id of socket | |
265 | peers (i.e. SO_PEERCGROUPID), then extend the "scoped" credential logic to | |
266 | allow cgroup-scoped (i.e. app or service scoped) credentials. Then, as next | |
267 | step use this to implement per-app/per-service encrypted directories, where | |
268 | we set up fscrypt on the StateDirectory= with a randomized key which is | |
269 | stored as xattr on the directory, encrypted as a credential. | |
270 | ||
271 | * credentials: optionally include a per-user secret in scoped user-credential | |
272 | encryption keys. should come from homed in some way, derived from the luks | |
273 | volume key or fscrypt directory key. | |
274 | ||
275 | * credentials: add a flag to the scoped credentials that if set require PK | |
276 | reauthentication when unlocking a secret. | |
277 | ||
278 | * teach systemd --user to properly load credentials off disk, with | |
279 | /etc/credstore equivalent and similar. Make sure that $CREDENTIALS_DIRECTORY= | |
280 | actually works too when run with user privs. | |
281 | ||
282 | * extend the smbios11 logic for passing credentials so that instead of passing | |
283 | the credential data literally it can also just reference an AF_VSOCK CID/port | |
284 | to read them from. This way the data doesn't remain in the SMBIOS blob during | |
285 | runtime, but only in the credentials fs. | |
286 | ||
287 | * machined: make machine registration available via varlink to simplify | |
288 | nspawn/vmspawn, and to have an extensible way to register VM/machine metadata | |
289 | ||
290 | * ssh-proxy: add support for "ssh machine/foobar" to automatically connect to | |
291 | machined registered machine "foobar". Requires updating machined to track CID | |
292 | and unix-export dir of containers. | |
293 | ||
294 | * add a new ExecStart= flag that inserts the configured user's shell as first | |
295 | word in the command line. (maybe use character '.'). Usecase: tool such as | |
296 | run0 can use that to spawn the target user's default shell. | |
297 | ||
298 | * varlink: figure out how to do docs for our varlink interfaces. Idea: install | |
299 | interface files augmented with docs in /usr/share/ somewhere. And have | |
300 | functionality in varlinkctl to merge interface info extracted from binaries | |
301 | with interface info on disk. And store the doc strings only in the latter. | |
302 | ||
303 | * introduce mntid_t, and make it 64bit, as apparently the kernel switched to | |
304 | 64bit mount ids | |
305 | ||
306 | * use udev rule networkd ownership property to take ownership of network | |
307 | interfaces nspawn creates | |
308 | ||
309 | * mountfsd/nsresourced | |
310 | - userdb: maybe allow callers to map one uid to their own uid | |
311 | - bpflsm: allow writes if resulting UID on disk would be userns' owner UID | |
312 | - make encrypted DDIs work (password…) | |
313 | - add API for creating a new file system from scratch (together with some | |
314 | dm-integrity/HMAC key). Should probably work using systemd-repart (access | |
315 | via varlink). | |
316 | - add api to make an existing file "trusted" via dm-integry/HMAC key | |
317 | - port: portabled | |
318 | - port: tmpfiles, sysusers and similar | |
319 | - lets see if we can make runtime bind mounts into unpriv nspawn work | |
320 | ||
321 | * add a kernel cmdline switch (and cred?) for marking a system to be | |
322 | "headless", in which case we never open /dev/console for reading, only for | |
323 | writing. This would then mean: systemd-firstboot would process creds but not | |
324 | ask interactively, getty would not be started and so on. | |
325 | ||
326 | * cryptsetup: new crypttab option to auto-grow a luks device to its backing | |
327 | partition size. new crypttab option to reencrypt a luks device with a new | |
328 | volume key. | |
329 | ||
330 | * we probably should have some infrastructure to acquire sysexts with | |
331 | drivers/firmware for local hardware automatically. Idea: reuse the modalias | |
332 | logic of the kernel for this: make the main OS image install a hwdb file | |
333 | that matches against local modalias strings, and adds properties to relevant | |
334 | devices listing names of sysexts needed to support the hw. Then provide some | |
335 | tool that goes through all devices and tries to acquire/download the | |
336 | specified images. | |
337 | ||
338 | * repart + cryptsetup: support file systems that are encrypted and use verity | |
339 | on top. Usecase: confexts that shall be signed by the admin but also be | |
340 | confidential. Then, add a new --make-ddi=confext-encrypted for this. | |
341 | ||
342 | * tmpfiles: add new line type for moving files from some source dir to some | |
343 | target dir. then use that to move sysexts/confexts and stuff from initrd | |
344 | tmpfs to /run/, so that host can pick things up. | |
345 | ||
346 | * tiny varlink service that takes a fd passed in and serves it via http. Then | |
347 | make use of that in networkd, and expose some EFI binary of choice for | |
348 | DHCP/HTTP base EFI boot. | |
349 | ||
350 | * bootctl: add reboot-to-disk which takes a block device name, and | |
351 | automatically sets things up so that system reboots into that device next. | |
352 | ||
353 | * maybe: in PID1, when we detect we run in an initrd, make superblock read-only | |
354 | early on, but provide opt-out via kernel cmdline. | |
355 | ||
356 | * systemd-pcrextend: | |
357 | - support measuring to nvindex with PCR update semantics ("fake PCRs") | |
358 | - add api for "allocating" such an nvindex | |
359 | - once we have that start measuring every sysext we apply, every confext, | |
360 | every RootImage= we apply, every nspawn and so on. All in separate fake | |
361 | PCRs. | |
362 | ||
363 | * vmspawn: | |
364 | - run in scope unit when invoked from command line, and machined registration is off | |
365 | - sd_notify support | |
366 | - --ephemeral support | |
367 | - --read-only support | |
368 | - automatically suspend/resume the VM if the host suspends. Use logind | |
369 | suspend inhibitor to implement this. request clean suspend by generating | |
370 | suspend key presses. | |
371 | - support for "real" networking via "-n" and --network-bridge= | |
372 | - translate SIGTERM to clean ACPI shutdown event | |
373 | ||
374 | * systemd-pcrmachine should probably also measure the SMBIOS system UUID. | |
375 | ||
376 | * sd-boot: allow synthesizing additional type1 entries via SMBIOS vendor strings | |
377 | ||
378 | * storagetm: | |
379 | - add USB mass storage device logic, so that all local disks are also exposed | |
380 | as mass storage devices on systems that have a USB controller that can | |
381 | operate in device mode | |
382 | - add NVMe authentication | |
383 | ||
384 | * add support for activating nvme-oF devices at boot automatically via kernel | |
385 | cmdline, and maybe even support a syntax such as | |
386 | root=nvme:<trtype>:<traddr>:<trsvcid>:<nqn>:<partition> to boot directly from | |
387 | nvme-oF | |
388 | ||
389 | * pcrlock: | |
390 | - make signed PCR work together with pcrlock | |
391 | - add kernel-install plugin that automatically creates UKI .pcrlock file when | |
392 | UKI is installed, and removes it when it is removed again | |
393 | - automatically install PE measurement of sd-boot on "bootctl install" | |
394 | - write generated pcrlock signature files to the ESP as credential, one for | |
395 | each installed OS & pick up generated pcrlock signature file in sd-stub, | |
396 | pass it via initrd to OS | |
397 | - pre-calc sysext + kernel cmdline measurements | |
398 | - pre-calc cryptsetup root key measurement | |
399 | - maybe make systemd-repart generate .pcrlock for old and new GPT header in | |
400 | /run? | |
401 | - Add support for more than 8 branches per PCR OR | |
402 | - add "systemd-pcrlock lock-kernel-current" or so which synthesizes .pcrlock | |
403 | policy from currently booted kernel/event log, to close gap for first boot | |
404 | for pre-built images | |
405 | ||
406 | * in sd-boot and sd-stub measure the SMBIOS vendor strings to some PCR (at | |
407 | least some subset of them that look like systemd stuff), because apparently | |
408 | some firmware does not, but systemd honours it. avoid duplicate measurement | |
409 | by sd-boot and sd-stub by adding LoaderFeatures/StubFeatures flag for this, | |
410 | so that sd-stub can avoid it if sd-boot already did it. | |
411 | ||
412 | * cryptsetup: a mechanism that allows signing a volume key with some key that | |
413 | has to be present in the kernel keyring, or similar, to ensure that confext | |
414 | DDIs can be encrypted against the local SRK but signed with the admin's key | |
415 | and thus can authenticated locally before they are decrypted. | |
416 | ||
417 | * image policy should be extended to allow dictating *how* a disk is unlocked, | |
418 | i.e. root=encrypted-tpm2+encrypted-fido2 would mean "root fs must be | |
419 | encrypted and unlocked via fido2 or tpm2, but not otherwise" | |
420 | ||
421 | * systemd-repart: add support for formatting dm-crypt + dm-integrity file | |
422 | systems. | |
423 | ||
424 | * homed: use systemd-storagetm to expose home dirs via nvme-tcp. Then, | |
425 | teach homed/pam_systemd_homed with a user name such as | |
426 | lennart%nvme_tcp_192.168.100.77_8787 to log in from any linux host with the | |
427 | same home dir. Similar maybe for nbd, iscsi? this should then first ask for | |
428 | the local root pw, to authenticate that logging in like this is ok, and would | |
429 | then be followed by another password prompt asking for the user's own | |
430 | password. Also, do something similar for CIFS: if you log in via | |
431 | lennart%cifs-someserver_someshare, then set up the homed dir for it | |
432 | automatically. The PAM module should update the user name used for login to | |
433 | the short version once it set up the user. Some care should be taken, so that | |
434 | the long version can be still be resolved via NSS afterwards, to deal with | |
435 | PAM clients that do not support PAM sessions where PAM_USER changes half-way. | |
436 | ||
437 | * redefine /var/lib/extensions/ as the dir one can place all three of sysext, | |
438 | confext as well is multi-modal DDIs that qualify as both. Then introduce | |
439 | /var/lib/sysexts/ which can be used to place only DDIs that shall be used as | |
440 | sysext | |
441 | ||
442 | * Varlinkification of the following command line tools, to open them up to | |
443 | other programs via IPC: | |
444 | - bootctl | |
445 | - journalctl (allowing journal read access via IPC) | |
446 | - coredumpcl | |
447 | - systemd-bless-boot | |
448 | - systemd-measure | |
449 | - systemd-cryptenroll (to allow UIs to enroll FIDO2 keys and such) | |
450 | - systemd-dissect | |
451 | - systemd-sysupdate | |
452 | - systemd-analyze | |
453 | - kernel-install | |
454 | - systemd-mount (with PK so that desktop environments could use it to mount disks) | |
455 | ||
456 | * in the service manager, pick up ERRNO= + BUSERROR= + VARLINKERROR= error | |
457 | identifiers, and store them along with the exit status of a server and report | |
458 | via "systemctl status". | |
459 | ||
460 | * enumerate virtiofs devices during boot-up in a generator, and synthesize | |
461 | mounts for rootfs, /usr/, /home/, /srv/ and some others from it, depending on | |
462 | the "tag". (waits for: https://gitlab.com/virtio-fs/virtiofsd/-/issues/128) | |
463 | ||
464 | * automatically mount one virtiofs during early boot phase to /run/host/, | |
465 | similar to how we do that for nspawn, based on some clear tag. | |
466 | ||
467 | * add some service that makes an atomic snapshot of PCR state and event log up | |
468 | to that point available, possibly even with quote by the TPM. | |
469 | ||
470 | * encode type1 entries in some UKI section to add additional entries to the | |
471 | menu. | |
472 | ||
473 | * Add ACL-based access management to .socket units. i.e. add AllowPeerUser= + | |
474 | AllowPeerGroup= that installs additional user/group ACL entries on AF_UNIX | |
475 | sockets. | |
476 | ||
477 | * systemd-tpm2-setup should probably have a factory reset logic, i.e. when some | |
478 | kernel command line option is set we reset the TPM (equivalent of tpm2_clear | |
479 | -c owner? or rather echo 5 >/sys/class/tpm/tpm0/ppi/request?). | |
480 | ||
481 | * systemd-tpm2-setup should support a mode where we refuse booting if the SRK | |
482 | changed. (Must be opt-in, to not break systems which are supposed to be | |
483 | migratable between PCs) | |
484 | ||
485 | * when systemd-sysext learns mutable /usr/ (and systemd-confext mutable /etc/) | |
486 | then allow them to store the result in a .v/ versioned subdir, for some basic | |
487 | snapshot logic | |
488 | ||
489 | * add a new PE binary section ".mokkeys" or so which sd-stub will insert into | |
490 | Mok keyring, by overriding/extending whatever shim sets in the EFI | |
491 | var. Benefit: we can extend the kernel module keyring at ukify time, | |
492 | i.e. without recompiling the kernel, taking an upstream OS' kernel and adding | |
493 | a local key to it. | |
494 | ||
495 | * PidRef conversion work: | |
496 | - cg_pid_get_xyz() | |
497 | - pid_from_same_root_fs() | |
498 | - get_ctty_devnr() | |
499 | - pid1: sd_notify() receiver should use SCM_PIDFD to authenticate client | |
500 | - actually wait for POLLIN on pidref's pidfd in service logic | |
501 | - exec_spawn() + safe_fork() | |
502 | - openpt_allocate_in_namespace() | |
503 | - unit_attach_pid_to_cgroup_via_bus() | |
504 | - cg_attach() – requires new kernel feature | |
505 | ||
506 | * ddi must be listed as block device fstype | |
507 | ||
508 | * measure some string via pcrphase whenever we end up booting into emergency | |
509 | mode. | |
510 | ||
511 | * homed: add a basic form of secrets management to homed, that stores | |
512 | secrets in $HOME somewhere, is protected by the accounts own authentication | |
513 | mechanisms. Should implement something PKCS#11-like that can be used to | |
514 | implement emulated FIDO2 in unpriv userspace on top (which should happen | |
515 | outside of homed), emulated PKCS11, and libsecrets support. Operate with a | |
516 | 2nd key derived from volume key of the user, with which to wrap all | |
517 | keys. maintain keys in kernel keyring if possible. | |
518 | ||
519 | * use sd-event ratelimit feature optionally for journal stream clients that log | |
520 | too much | |
521 | ||
522 | * systemd-mount should only consider modern file systems when mounting, similar | |
523 | to systemd-dissect | |
524 | ||
525 | * add another PE section ".fname" or so that encodes the intended filename for | |
526 | PE file, and validate that when loading add-ons and similar before using | |
527 | it. This is particularly relevant when we load multiple add-ons and want to | |
528 | sort them to apply them in a define order. The order should not be under | |
529 | control of the attacker. | |
530 | ||
531 | * also include packaging metadata (á la | |
532 | https://systemd.io/ELF_PACKAGE_METADATA/) in our UEFI PE binaries, using the | |
533 | same JSON format. | |
534 | ||
535 | * make "bootctl install" + "bootctl update" useful for installing shim too. For | |
536 | that introduce new dir /usr/lib/systemd/efi/extra/ which we copy mostly 1:1 | |
537 | into the ESP at install time. Then make the logic smart enough so that we | |
538 | don't overwrite bootx64.efi with our own if the extra tree already contains | |
539 | one. Also, follow symlinks when copying, so that shim rpm can symlink their | |
540 | stuff into our dir (which is safe since the target ESP is generally VFAT and | |
541 | thus does not have symlinks anyway). Later, teach the update logic to look at | |
542 | the ELF package metadata (which we also should include in all PE files, see | |
543 | above) for version info in all *.EFI files, and use it to only update if | |
544 | newer. | |
545 | ||
546 | * in sd-stub: optionally add support for a new PE section .keyring or so that | |
547 | contains additional certificates to include in the Mok keyring, extending | |
548 | what shim might have placed there. why? let's say I use "ukify" to build + | |
549 | sign my own fedora-based UKIs, and only enroll my personal lennart key via | |
550 | shim. Then, I want to include the fedora keyring in it, so that kmods work. | |
551 | But I might not want to enroll the fedora key in shim, because this would | |
552 | also mean that the key would be in effect whenever I boot an archlinux UKI | |
553 | built the same way, signed with the same lennart key. | |
554 | ||
555 | * resolved: take possession of some IPv6 ULA address (let's say | |
556 | fd00:5353:5353:5353:5353:5353:5353:5353), and listen on port 53 on it for the | |
557 | local stubs, so that we can make the stub available via ipv6 too. | |
558 | ||
559 | * Maybe add SwitchRootEx() as new bus call that takes env vars to set for new | |
560 | PID 1 as argument. When adding SwitchRootEx() we should maybe also add a | |
561 | flags param that allows disabling and enabling whether serialization is | |
562 | requested during switch root. | |
563 | ||
564 | * introduce a .acpitable section for early ACPI table override | |
565 | ||
566 | * add proper .osrel matching for PE addons. i.e. refuse applying an addon | |
567 | intended for a different OS. Take inspiration from how confext/sysext are | |
568 | matched against OS. | |
569 | ||
570 | * figure out what to do about credentials sealed to PCRs in kexec + soft-reboot | |
571 | scenarios. Maybe insist sealing is done additionally against some keypair in | |
572 | the TPM to which access is updated on each boot, for the next, or so? | |
573 | ||
574 | * logind: when logging in, always take an fd to the home dir, to keep the dir | |
575 | busy, so that autofs release can never happen. (this is generally a good | |
576 | idea, and specifically works around the fact the autofs ignores busy by mount | |
577 | namespaces) | |
578 | ||
579 | * mount most file systems with a restrictive uidmap. e.g. mount /usr/ with a | |
580 | uidmap that blocks out anything outside 0…1000 (i.e. system users) and similar. | |
581 | ||
582 | * mount the root fs with MS_NOSUID by default, and then mount /usr/ without | |
583 | both so that suid executables can only be placed there. Do this already in | |
584 | the initrd. If /usr/ is not split out create a bind mount automatically. | |
585 | ||
586 | * fix our various hwdb lookup keys to end with ":" again. The original idea was | |
587 | that hwdb patterns can match arbitrary fields with expressions like | |
588 | "*:foobar:*", to wildcard match both the start and the end of the string. | |
589 | This only works safely for later extensions of the string if the strings | |
590 | always end in a colon. This requires updating our udev rules, as well as | |
591 | checking if the various hwdb files are fine with that. | |
592 | ||
593 | * mount /tmp/ and /var/tmp with a uidmap applied that blocks out "nobody" user | |
594 | among other things such as dynamic uid ranges for containers and so on. That | |
595 | way no one can create files there with these uids and we enforce they are only | |
596 | used transiently, never persistently. | |
597 | ||
598 | * rework loopback support in fstab: when "loop" option is used, then | |
599 | instantiate a new systemd-loop@.service for the source path, set the | |
600 | lo_file_name field for it to something recognizable derived from the fstab | |
601 | line, and then generate a mount unit for it using a udev generated symlink | |
602 | based on lo_file_name. | |
603 | ||
604 | * teach systemd-nspawn the boot assessment logic: hook up vpick's try counters | |
605 | with success notifications from nspawn payloads. When this is enabled, | |
606 | automatically support reverting back to older OS version images if newer ones | |
607 | fail to boot. | |
608 | ||
609 | * implement new "systemd-fsrebind" tool that works like gpt-auto-generator but | |
610 | looks at a root dir and then applies vpick on various dirs/images to pick a | |
611 | root tree, a /usr/ tree, a /home/, a /srv/, a /var/ tree and so on. Dirs | |
612 | could also be btrfs subvols (combine with btrfs auto-snapshort approach for | |
613 | creating versions like these automatically). | |
614 | ||
615 | * remove tomoyo support, it's obsolete and unmaintained apparently | |
616 | ||
617 | * In .socket units, add ConnectStream=, ConnectDatagram=, | |
618 | ConnectSequentialPacket= that create a socket, and then *connect to* rather than | |
619 | listen on some socket. Then, add a new setting WriteData= that takes some | |
620 | base64 data that systemd will write into the socket early on. This can then | |
621 | be used to create connections to arbitrary services and issue requests into | |
622 | them, as long as the data is static. This can then be combined with the | |
623 | aforementioned journald subscription varlink service, to enable | |
624 | activation-by-message id and similar. | |
625 | ||
626 | * .service with invalid Sockets= starts successfully. | |
627 | ||
628 | * landlock: lock down RuntimeDirectory= via landlock, so that services lose | |
629 | ability to write anywhere else below /run/. Similar for | |
630 | StateDirectory=. Benefit would be clear delegation via unit files: services | |
631 | get the directories they get, and nothing else even if they wanted to. | |
632 | ||
633 | * landlock: for unprivileged systemd (i.e. systemd --user), use landlock to | |
634 | implement ProtectSystem=, ProtectHome= and so on. Landlock does not require | |
635 | privs, and we can implement pretty similar behaviour. Also, maybe add a mode | |
636 | where ProtectSystem= combined with an explicit PrivateMounts=no could request | |
637 | similar behaviour for system services, too. | |
638 | ||
639 | * Add systemd-mount@.service which is instantiated for a block device and | |
640 | invokes systemd-mount and exits. This is then useful to use in | |
641 | ENV{SYSTEMD_WANTS} in udev rules, and a bit prettier than using RUN+= | |
642 | ||
643 | * udevd: extend memory pressure logic: also kill any idle worker processes | |
644 | ||
645 | * udevadm: to make symlink querying with udevadm nicer: | |
646 | - do not enable the pager for queries like 'udevadm info -q -r symlink' | |
647 | - add mode with newlines instead of spaces (for grep)? | |
648 | ||
649 | * SIGRTMIN+18 and memory pressure handling should still be added to: hostnamed, | |
650 | localed, oomd, timedated. | |
651 | ||
652 | * repart/gpt-auto/DDIs: maybe introduce a concept of "extension" partitions, | |
653 | that have a new type uuid and can "extend" earlier partitions, to work around | |
654 | the fact that systemd-repart can only grow the last partition defined. During | |
655 | activation we'd simply set up a dm-linear mapping to merge them again. A | |
656 | partition that is to be extended would just set a bit in the partition flags | |
657 | field to indicate that there's another extension partition to look for. The | |
658 | identifying UUID of the extension partition would be hashed in counter mode | |
659 | from the uuid of the original partition it extends. Inspiration for this is | |
660 | the "dynamic partitions" concept of new Android. This would be a minimalistic | |
661 | concept of a volume manager, with the extents it manages being exposes as GPT | |
662 | partitions. I a partition is extended multiple times they should probably | |
663 | grow exponentially in size to ensure O(log(n)) time for finding them on | |
664 | access. | |
665 | ||
666 | * Make nspawn to a frontend for systemd-executor, so that we have to ways into | |
667 | the executor: via unit files/dbus/varlink through PID1 and via cmdline/OCI | |
668 | through nspawn. | |
669 | ||
670 | * sd-stub: detect if we are running with uefi console output on serial, and if so | |
671 | automatically add console= to kernel cmdline matching the same port. | |
672 | ||
673 | * add a utility that can be used with the kernel's | |
674 | CONFIG_STATIC_USERMODEHELPER_PATH and then handles them within pid1 so that | |
675 | security, resource management and cgroup settings can be enforced properly | |
676 | for all umh processes. | |
677 | ||
678 | * systemd-shutdown: keep sending sd_notify() status updates immediately before | |
679 | going down, in particular include the "reboot param" string. | |
680 | ||
681 | * homed: when resizing an fs don't sync identity beforehand there might simply | |
682 | not be enough disk space for that. try to be defensive and sync only after | |
683 | resize. | |
684 | ||
685 | * homed: if for some reason the partition ended up being much smaller than | |
686 | whole disk, recover from that, and grow it again. | |
687 | ||
688 | * timesyncd: when saving/restoring clock try to take boot time into account. | |
689 | Specifically, along with the saved clock, store the current boot ID. When | |
690 | starting, check if the boot id matches. If so, don't do anything (we are on | |
691 | the same boot and clock just kept running anyway). If not, then read | |
692 | CLOCK_BOOTTIME (which started at boot), and add it to the saved clock | |
693 | timestamp, to compensate for the time we spent booting. If EFI timestamps are | |
694 | available, also include that in the calculation. With this we'll then only | |
695 | miss the time spent during shutdown after timesync stopped and before the | |
696 | system actually reset. | |
697 | ||
698 | * systemd-stub: maybe store a "boot counter" in the ESP, and pass it down to | |
699 | userspace to allow ordering boots (for example in journalctl). The counter | |
700 | would be monotonically increased on every boot. | |
701 | ||
702 | * pam_systemd_home: add module parameter to control whether to only accept | |
703 | only password or only pcks11/fido2 auth, and then use this to hook nicely | |
704 | into two of the three PAM stacks gdm provides. | |
705 | See discussion at https://github.com/authselect/authselect/pull/311 | |
706 | ||
707 | * sd-boot: make boot loader spec type #1 accept http urls in "linux" | |
708 | lines. Then, do the uefi http dance to download kernels and boot them. This | |
709 | is then useful for network boot, by embedding a cpio with type #1 snippets | |
710 | in sd-boot, which reference remote kernels. | |
711 | ||
712 | * maybe prohibit setuid() to the nobody user, to lock things down, via seccomp. | |
713 | the nobody is not a user any code should run under, ever, as that user would | |
714 | possibly get a lot of access to resources it really shouldn't be getting | |
715 | access to due to the userns + nfs semantics of the user. Alternatively: use | |
716 | the seccomp log action, and allow it. | |
717 | ||
718 | * sd-boot: add a new PE section .bls or so that carries a cpio with additional | |
719 | boot loader entries (both type1 and type2). Then when initializing, find this | |
720 | section, iterate through it and populate menu with it. cpio is simple enough | |
721 | to make a parser for this reasonably robust. use same path structures as in | |
722 | the ESP. Similar add one for signature key drop-ins. | |
723 | ||
724 | * sd-boot: also allow passing in the cpio as in the previous item via SMBIOS | |
725 | ||
726 | * add a new EFI tool "sd-fetch" or so. It looks in a PE section ".url" for an | |
727 | URL, then downloads the file from it using UEFI HTTP APIs, and executes it. | |
728 | Use case: provide a minimal ESP with sd-boot and a couple of these sd-fetch | |
729 | binaries in place of UKIs, and download them on-the-fly. | |
730 | ||
731 | * maybe: systemd-loop-generator that sets up loopback devices if requested via kernel | |
732 | cmdline. use case: include encrypted/verity root fs in UKI. | |
733 | ||
734 | * systemd-gpt-auto-generator: add kernel cmdline option to override block | |
735 | device to dissect. also support dissecting a regular file. useccase: include | |
736 | encrypted/verity root fs in UKI. | |
737 | ||
738 | * sd-stub: add ".bootcfg" section for kernel bootconfig data (as per | |
739 | https://docs.kernel.org/admin-guide/bootconfig.html) | |
740 | ||
741 | * tpm2: add (optional) support for generating a local signing key from PCR 15 | |
742 | state. use private key part to sign PCR 7+14 policies. stash signatures for | |
743 | expected PCR7+14 policies in EFI var. use public key part in disk encryption. | |
744 | generate new sigs whenever db/dbx/mok/mokx gets updated. that way we can | |
745 | securely bind against SecureBoot/shim state, without having to renroll | |
746 | everything on each update (but we still have to generate one sig on each | |
747 | update, but that should be robust/idempotent). needs rollback protection, as | |
748 | usual. | |
749 | ||
750 | * Lennart: big blog story about DDIs | |
751 | ||
752 | * Lennart: big blog story about building initrds | |
753 | ||
754 | * Lennart: big blog story about "why systemd-boot" | |
755 | ||
756 | * bpf: see if we can use BPF to solve the syslog message cgroup source problem: | |
757 | one idea would be to patch source sockaddr of all AF_UNIX/SOCK_DGRAM to | |
758 | implicitly contain the source cgroup id. Another idea would be to patch | |
759 | sendto()/connect()/sendmsg() sockaddr on-the-fly to use a different target | |
760 | sockaddr. | |
761 | ||
762 | * bpf: see if we can address opportunistic inode sharing of immutable fs images | |
763 | with BPF. i.e. if bpf gives us power to hook into openat() and return a | |
764 | different inode than is requested for which we however it has same contents | |
765 | then we can use that to implement opportunistic inode sharing among DDIs: | |
766 | make all DDIs ship xattr on all reg files with a SHA256 hash. Then, also | |
767 | dictate that DDIs should come with a top-level subdir where all reg files are | |
768 | linked into by their SHA256 sum. Then, whenever an inode is opened with the | |
769 | xattr set, check bpf table to find dirs with hashes for other prior DDIs and | |
770 | try to use inode from there. | |
771 | ||
772 | * extend the verity signature partition to permit multiple signatures for the | |
773 | same root hash, so that people can sign a single image with multiple keys. | |
774 | ||
775 | * consider adding a new partition type, just for /opt/ for usage in system | |
776 | extensions | |
777 | ||
778 | * gpt-auto-discovery: also use the pkcs7 signature stuff, and pass signature to | |
779 | kernel. So far we only did this for the various --image= switches, but not | |
780 | for the root fs or /usr/. | |
781 | ||
782 | * dissection policy should enforce that unlocking can only take place by | |
783 | certain means, i.e. only via pw, only via tpm2, or only via fido, or a | |
784 | combination thereof. | |
785 | ||
786 | * make the systemd-repart "seed" value provisionable via credentials, so that | |
787 | confidential computing environments can set it and deterministically | |
788 | enforce the uuids for partitions created, so that they can calculate PCR 15 | |
789 | ahead of time. | |
790 | ||
791 | * systemd-repart: also derive the volume key from the seed value, for the | |
792 | aforementioned purpose. | |
793 | ||
794 | * in the initrd: derive the default machine ID to pass to the host PID 1 via | |
795 | $machine_id from the same seed credential. | |
796 | ||
797 | * Add systemd-sysupdate-initrd.service or so that runs systemd-sysupdate in the | |
798 | initrd to bootstrap the initrd to populate the initial partitions. Some things | |
799 | to figure out: | |
800 | - Should it run on firstboot or on every boot? | |
801 | - If run on every boot, should it use the sysupdate config from the host on | |
802 | subsequent boots? | |
803 | ||
804 | * revisit default PCR bindings in cryptenroll and systemd-creds. Currently they | |
805 | use PCR 7 which should contain secureboot state db/dbx. Which sounded like a | |
806 | safe bet, given that it should change only on policy changes, and not | |
807 | software updates. But that's wrong. Recent fwupd (rightfully) contains code | |
808 | for updating the dbx denylist. This means even without any active policy | |
809 | change PCR 7 might change. Hence, better idea might be in systemd-creds to | |
810 | default to PCR 15 at least if sd-stub is used (i.e. bind to system identity), | |
811 | and in cryptsetup simply the empty list? Also, PCR 14 almost certainly should | |
812 | be included as much as PCR 7 (as it contains shim's policy, which is | |
813 | certainly as relevant as PCR 7 on many systems) | |
814 | ||
815 | * To mimic the new tpm2-measure-pcr= crypttab option add the same to veritytab | |
816 | (measuring the root hash) and integritytab (measuring the HMAC key if one is | |
817 | used) | |
818 | ||
819 | * We should start measuring all services, containers, and system extensions we | |
820 | activate. probably into PCR 13. i.e. add --tpm2-measure-pcr= or so to | |
821 | systemd-nspawn, and MeasurePCR= to unit files. Should contain a measurement | |
822 | of the activated configuration and the image that is being activated (in case | |
823 | verity is used, hash of the root hash). | |
824 | ||
825 | * bootspec: permit graceful "update" from type #2 to type #1. If both a type #1 | |
826 | and a type #2 entry exist under otherwise the exact same name, then use the | |
827 | type #1 entry, and ignore the type #2 entry. This way, people can "upgrade" | |
828 | from the UKI with all parameters baked in to a Type #1 .conf file with manual | |
829 | parametrization, if needed. This matches our usual rule that admin config | |
830 | should win over vendor defaults. | |
831 | ||
832 | * write a "search path" spec, that documents the prefixes to search in | |
833 | (i.e. the usual /etc/, /run/, /usr/lib/ dance, potentially /usr/etc/), how to | |
834 | sort found entries, how masking works and overriding. | |
835 | ||
836 | * automatic boot assessment: add one more default success check that just waits | |
837 | for a bit after boot, and blesses the boot if the system stayed up that long. | |
838 | ||
839 | * systemd-repart: add support for generating ISO9660 images | |
840 | ||
841 | * systemd-repart: in addition to the existing "factory reset" mode (which | |
842 | simply empties existing partitions marked for that). add a mode where | |
843 | partitions marked for it are entirely removed. Use case: remove secondary OS | |
844 | copy, and redundant partitions entirely, and recreate them anew. | |
845 | ||
846 | * systemd-boot: maybe add support for collapsing menu entries of the same OS | |
847 | into one item that can be opened (like in a "tree view" UI element) or | |
848 | collapsed. If only a single OS is installed, disable this mode, but if | |
849 | multiple OSes are installed might make sense to default to it, so that user | |
850 | is not immediately bombarded with a multitude of Linux kernel versions but | |
851 | only one for each OS. | |
852 | ||
853 | * systemd-repart: if the GPT *disk* UUID (i.e. the one global for the entire | |
854 | disk) is set to all FFFFF then use this as trigger for factory reset, in | |
855 | addition to the existing mechanisms via EFI variables and kernel command | |
856 | line. Benefit: works also on non-EFI systems, and can be requested on one | |
857 | boot, for the next. | |
858 | ||
859 | * systemd-sysupdate: make transport pluggable, so people can plug casync or | |
860 | similar behind it, instead of http. | |
861 | ||
862 | * systemd-tmpfiles: add concept for conditionalizing lines on factory reset | |
863 | boot, or on first boot. | |
864 | ||
865 | * in UKIs: add way to define allowlist of additional words that can be added to | |
866 | the kernel cmdline even in SecureBoot mode | |
867 | ||
868 | * we probably needs .pcrpkeyrd or so as additional PE section in UKIs, | |
869 | which contains a separate public key for PCR values that only apply in the | |
870 | initrd, i.e. in the boot phase "enter-initrd". Then, consumers in userspace | |
871 | can easily bind resources to just the initrd. Similar, maybe one more for | |
872 | "enter-initrd:leave-initrd" for resources that shall be accessible only | |
873 | before unprivileged user code is allowed. (we only need this for .pcrpkey, | |
874 | not for .pcrsig, since the latter is a list of signatures anyway). With that, | |
875 | when you enroll a LUKS volume or similar, pick either the .pcrkey (for | |
876 | coverage through all phases of the boot, but excluding shutdown), the | |
877 | .pcrpkeyrd (for coverage in the initrd only) and .pcrpkeybt (for coverage | |
878 | until users are allowed to log in). | |
879 | ||
880 | * Once the root fs LUKS volume key is measured into PCR 15, default to binding | |
881 | credentials to PCR 15 in "systemd-creds" | |
882 | ||
883 | * add support for asymmetric LUKS2 TPM based encryption. i.e. allow preparing | |
884 | an encrypted image on some host given a public key belonging to a specific | |
885 | other host, so that only hosts possessing the private key in the TPM2 chip | |
886 | can decrypt the volume key and activate the volume. Use case: systemd-confext | |
887 | for a central orchestrator to generate confext images securely that can only | |
888 | be activated on one specific host (which can be used for installing a bunch | |
889 | of creds in /etc/credstore/ for example). Extending on this: allow binding | |
890 | LUKS2 TPM based encryption also to the TPM2 internal clock. Net result: | |
891 | prepare a confext image that can only be activated on a specific host that | |
892 | runs a specific software in a specific time window. confext would be | |
893 | automatically invalidated outside of it. | |
894 | ||
895 | * maybe add a "systemd-report" tool, that generates a TPM2-backed "report" of | |
896 | current system state, i.e. a combination of PCR information, local system | |
897 | time and TPM clock, running services, recent high-priority log | |
898 | messages/coredumps, system load/PSI, signed by the local TPM chip, to form an | |
899 | enhanced remote attestation quote. Use case: a simple orchestrator could use | |
900 | this: have the report tool upload these reports every 3min somewhere. Then | |
901 | have the orchestrator collect these reports centrally over a 3min time | |
902 | window, and use them to determine what which node should now start/stop what, | |
903 | and generate a small confext for each node, that uses Uphold= to pin services | |
904 | on each node. The confext would be encrypted using the asymmetric encryption | |
905 | proposed above, so that it can only be activated on the specific host, if the | |
906 | software is in a good state, and within a specific time frame. Then run a | |
907 | loop on each node that sends report to orchestrator and then sysupdate to | |
908 | update confext. Orchestrator would be stateless, i.e. operate on desired | |
909 | config and collected reports in the last 3min time window only, and thus can | |
910 | be trivially scaled up since all instances of the orchestrator should come to | |
911 | the same conclusions given the same inputs of reports/desired workload info. | |
912 | Could also be used to deliver Wireguard secrets and thus to clients, thus | |
913 | permitting zero-trust networking: secrets are rolled over via confext updates, | |
914 | and via the time window TPM logic invalidated if node doesn't keep itself | |
915 | updated, or becomes corrupted in some way. | |
916 | ||
917 | * in the initrd, once the rootfs encryption key has been measured to PCR 15, | |
918 | derive default machine ID to use from it, and pass it to host PID 1. | |
919 | ||
920 | * tree-wide: convert as much as possible over to use sd_event_set_signal_exit(), instead | |
921 | of manually hooking into SIGINT/SIGTERM | |
922 | ||
923 | * tree-wide: convert as much as possible over to SD_EVENT_SIGNAL_PROCMASK | |
924 | instead of manual blocking. | |
925 | ||
926 | * sd-boot: for each installed OS, grey out older entries (i.e. all but the | |
927 | newest), to indicate they are obsolete | |
928 | ||
929 | * automatically propagate LUKS password credential into cryptsetup from host | |
930 | (i.e. SMBIOS type #11, …), so that one can unlock LUKS via VM hypervisor | |
931 | supplied password. | |
932 | ||
933 | * add ability to path_is_valid() to classify paths that refer to a dir from | |
934 | those which may refer to anything, and use that in various places to filter | |
935 | early. i.e. stuff ending in "/", "/." and "/.." definitely refers to a | |
936 | directory, and paths ending that way can be refused early in many contexts. | |
937 | ||
938 | * systemd-measure: add --pcrpkey-auto as an alternative to --pcrpkey=, where it | |
939 | would just use the same public key specified with --public-key= (or the one | |
940 | automatically derived from --private-key=). | |
941 | ||
942 | * Add "purpose" flag to partition flags in discoverable partition spec that | |
943 | indicate if partition is intended for sysext, for portable service, for | |
944 | booting and so on. Then, when dissecting DDI allow specifying a purpose to | |
945 | use as additional search condition. Use case: images that combined a sysext | |
946 | partition with a portable service partition in one. | |
947 | ||
948 | * On boot, auto-generate an asymmetric key pair from the TPM, | |
949 | and use it for validating DDIs and credentials. Maybe upload it to the kernel | |
950 | keyring, so that the kernel does this validation for us for verity and kernel | |
951 | modules | |
952 | ||
953 | * lock down acceptable encrypted credentials at boot, via simple allowlist, | |
954 | maybe on kernel command line: | |
955 | systemd.import_encrypted_creds=foobar.waldo,tmpfiles.extra to protect locked | |
956 | down kernels from credentials generated on the host with a weak kernel | |
957 | ||
958 | * Merge systemd-creds options --uid= (which accepts user names) and --user. | |
959 | ||
960 | * Add support for extra verity configuration options to systemd-repart (FEC, | |
961 | hash type, etc) | |
962 | ||
963 | * chase(): take inspiration from path_extract_filename() and return | |
964 | O_DIRECTORY if input path contains trailing slash. | |
965 | ||
966 | * chase(): refuse resolution if trailing slash is specified on input, | |
967 | but final node is not a directory | |
968 | ||
969 | * document in boot loader spec that symlinks in XBOOTLDR/ESP are not OK even if | |
970 | non-VFAT fs is used. | |
971 | ||
972 | * measure credentials picked up from SMBIOS to some suitable PCR | |
973 | ||
974 | * measure GPT and LUKS headers somewhere when we use them (i.e. in | |
975 | systemd-gpt-auto-generator/systemd-repart and in systemd-cryptsetup?) | |
976 | ||
977 | * pick up creds from EFI vars | |
978 | ||
979 | * Add and pickup tpm2 metadata for creds structure. | |
980 | ||
981 | * sd-boot: we probably should include all BootXY EFI variable defined boot | |
982 | entries in our menu, and then suppress ourselves. Benefit: instant | |
983 | compatibility with all other OSes which register things there, in particular | |
984 | on other disks. Always boot into them via NextBoot EFI variable, to not | |
985 | affect PCR values. | |
986 | ||
987 | * systemd-measure tool: | |
988 | - pre-calculate PCR 12 (command line) + PCR 13 (sysext) the same way we can precalculate PCR 11 | |
989 | ||
990 | * in sd-boot: load EFI drivers from a new PE section. That way, one can have a | |
991 | "supercharged" sd-boot binary, that could carry ext4 drivers built-in. | |
992 | ||
993 | * sd-bus: document that sd_bus_process() only returns messages that non of the | |
994 | filters/handlers installed on the connection took possession of. | |
995 | ||
996 | * sd-device: add an API for acquiring list of child devices, given a device | |
997 | objects (i.e. all child dirents that dirs or symlinks to dirs) | |
998 | ||
999 | * sd-device: maybe pin the sysfs dir with an fd, during the entire runtime of | |
1000 | an sd_device, then always work based on that. | |
1001 | ||
1002 | * maybe add new flags to gpt partition tables for rootfs and usrfs indicating | |
1003 | purpose, i.e. whether something is supposed to be bootable in a VM, on | |
1004 | baremetal, on an nspawn-style container, if it is a portable service image, | |
1005 | or a sysext for initrd, for host os, or for portable container. Then hook | |
1006 | portabled/… up to udev to watch block devices coming up with the flags set, and | |
1007 | use it. | |
1008 | ||
1009 | * sd-boot should look for information what to boot in SMBIOS, too, so that VM | |
1010 | managers can tell sd-boot what to boot into and suchlike | |
1011 | ||
1012 | * add "systemd-sysext identify" verb, that you can point on any file in /usr/ | |
1013 | and that determines from which overlayfs layer it originates, which image, and with | |
1014 | what it was signed. | |
1015 | ||
1016 | * systemd-creds: extend encryption logic to support asymmetric | |
1017 | encryption/authentication. Idea: add new verb "systemd-creds public-key" | |
1018 | which generates a priv/pub key pair on the TPM2 and stores the priv key | |
1019 | locally in /var. It then outputs a certificate for the pub part to stdout. | |
1020 | This can then be copied/taken elsewhere, and can be used for encrypting creds | |
1021 | that only the host on its specific hw can decrypt. Then, support a drop-in | |
1022 | dir with certificates that can be used to authenticate credentials. Flow of | |
1023 | operations is then this: build image with owner certificate, then after | |
1024 | boot up issue "systemd-creds public-key" to acquire pubkey of the machine. | |
1025 | Then, when passing data to the machine, sign with privkey belonging to one of | |
1026 | the dropped in certs and encrypted with machine pubkey, and pass to machine. | |
1027 | Machine is then able to authenticate you, and confidentiality is guaranteed. | |
1028 | ||
1029 | * building on top of the above, the pub/priv key pair generated on the TPM2 | |
1030 | should probably also one you can use to get a remote attestation quote. | |
1031 | ||
1032 | * Process credentials in: | |
1033 | • crypttab-generator: allow defining additional crypttab-like volumes via | |
1034 | credentials (similar: verity-generator, integrity-generator). Use | |
1035 | fstab-generator logic as inspiration. | |
1036 | • run-generator: allow defining additional commands to run via a credential | |
1037 | • resolved: allow defining additional /etc/hosts entries via a credential (it | |
1038 | might make sense to then synthesize a new combined /etc/hosts file in /run | |
1039 | and bind mount it on /etc/hosts for other clients that want to read it. | |
1040 | • repart: allow defining additional partitions via credential | |
1041 | • timesyncd: pick NTP server info from credential | |
1042 | • portabled: read a credential "portable.extra" or so, that takes a list of | |
1043 | file system paths to enable on start. | |
1044 | • make systemd-fstab-generator look for a system credential encoding root= or | |
1045 | usr= | |
1046 | • in gpt-auto-generator: check partition uuids against such uuids supplied via | |
1047 | sd-stub credentials. That way, we can support parallel OS installations with | |
1048 | pre-built kernels. | |
1049 | ||
1050 | * define a JSON format for units, separating out unit definitions from unit | |
1051 | runtime state. Then, expose it: | |
1052 | ||
1053 | 1. Add Describe() method to Unit D-Bus object that returns a JSON object | |
1054 | about the unit. | |
1055 | 2. Expose this natively via Varlink, in similar style | |
1056 | 3. Use it when invoking binaries (i.e. make PID 1 fork off systemd-executor | |
1057 | binary which reads the JSON definition and runs it), to address the cow | |
1058 | trap issue and the fact that NSS is actually forbidden in | |
1059 | forked-but-not-exec'ed children | |
1060 | 4. Add varlink API to run transient units based on provided JSON definitions | |
1061 | ||
1062 | * Add SUPPORT_END_URL= field to os-release with more *actionable* information | |
1063 | what to do if support ended | |
1064 | ||
1065 | * pam_systemd: on interactive logins, maybe show SUPPORT_END information at | |
1066 | login time, à la motd | |
1067 | ||
1068 | * sd-boot: instead of unconditionally deriving the ESP to search boot loader | |
1069 | spec entries in from the paths of sd-boot binary, let's optionally allow it | |
1070 | to be configured on sd-boot cmdline + efi var. Use case: embed sd-boot in the | |
1071 | UEFI firmware (for example, ovmf supports that via qemu cmdline option), and | |
1072 | use it to load stuff from the ESP. | |
1073 | ||
1074 | * mount /var/ from initrd, so that we can apply sysext and stuff before the | |
1075 | initrd transition. Specifically: | |
1076 | 1. There should be a var= kernel cmdline option, matching root= and usr= | |
1077 | 2. systemd-gpt-auto-generator should auto-mount /var if it finds it on disk | |
1078 | 3. mount.x-initrd mount option in fstab should be implied for /var | |
1079 | ||
1080 | * make persistent restarts easier by adding a new setting OpenPersistentFile= | |
1081 | or so, which allows opening one or more files that is "persistent" across | |
1082 | service restarts, hot reboot, cold reboots (depending on configuration): the | |
1083 | files are created empty on first invocation, and on subsequent invocations | |
1084 | the files are reboot. The files would be backed by tmpfs, pmem or /var | |
1085 | depending on desired level of persistency. | |
1086 | ||
1087 | * sd-event: add ability to "chain" event sources. Specifically, add a call | |
1088 | sd_event_source_chain(x, y), which will automatically enable event source y | |
1089 | in oneshot mode once x is triggered. Use case: in src/core/mount.c implement | |
1090 | the /proc/self/mountinfo rescan on SIGCHLD with this: whenever a SIGCHLD is | |
1091 | seen, trigger the rescan defer event source automatically, and allow it to be | |
1092 | dispatched *before* the SIGCHLD is handled (based on priorities). Benefit: | |
1093 | dispatch order is strictly controlled by priorities again. (next step: chain | |
1094 | event sources to the ratelimit being over) | |
1095 | ||
1096 | * if we fork of a service with StandardOutput=journal, and it forks off a | |
1097 | subprocess that quickly dies, we might not be able to identify the cgroup it | |
1098 | comes from, but we can still derive that from the stdin socket its output | |
1099 | came from. We apparently don't do that right now. | |
1100 | ||
1101 | * add ability to set hostname with suffix derived from machine id at boot | |
1102 | ||
1103 | * add PR_SET_DUMPABLE service setting | |
1104 | ||
1105 | * homed/userdb: maybe define a "companion" dir for home directories where apps | |
1106 | can safely put privileged stuff in. Would not be writable by the user, but | |
1107 | still conceptually belong to the user. Would be included in user's quota if | |
1108 | possible, even if files are not owned by UID of user. Use case: container | |
1109 | images that owned by arbitrary UIDs, and are owned/managed by the users, but | |
1110 | are not directly belonging to the user's UID. Goal: we shouldn't place more | |
1111 | privileged dirs inside of unprivileged dirs, and thus containers really | |
1112 | should not be placed inside of traditional UNIX home dirs (which are owned by | |
1113 | users themselves) but somewhere else, that is separate, but still close | |
1114 | by. Inform user code about path to this companion dir via env var, so that | |
1115 | container managers find it. the ~/.identity file is also a candidate for a | |
1116 | file to move there, since it is managed by privileged code (i.e. homed) and | |
1117 | not unprivileged code. | |
1118 | ||
1119 | * maybe add support for binding and connecting AF_UNIX sockets in the file | |
1120 | system outside of the 108ch limit. When connecting, open O_PATH fd to socket | |
1121 | inode first, then connect to /proc/self/fd/XYZ. When binding, create symlink | |
1122 | to target dir in /tmp, and bind through it. | |
1123 | ||
1124 | * add a proper concept of a "developer" mode, i.e. where cryptographic | |
1125 | protections of the root OS are weakened after interactive confirmation, to | |
1126 | allow hackers to allow their own stuff. idea: allow entering developer mode | |
1127 | only via explicit choice in boot menu: i.e. add explicit boot menu item for | |
1128 | it. When developer mode is entered, generate a key pair in the TPM2, and add | |
1129 | the public part of it automatically to keychain of valid code signature keys | |
1130 | on subsequent boots. Then provide a tool to sign code with the key in the | |
1131 | TPM2. Ensure that boot menu item is the only way to enter developer mode, by | |
1132 | binding it to locality/PCRs so that keys cannot be generated otherwise. | |
1133 | ||
1134 | * services: add support for cryptographically unlocking per-service directories | |
1135 | via TPM2. Specifically, for StateDirectory= (and related dirs) use fscrypt to | |
1136 | set up the directory so that it can only be accessed if host and app are in | |
1137 | order. | |
1138 | ||
1139 | * update HACKING.md to suggest developing systemd with the ideas from: | |
1140 | https://0pointer.net/blog/testing-my-system-code-in-usr-without-modifying-usr.html | |
1141 | https://0pointer.net/blog/running-an-container-off-the-host-usr.html | |
1142 | ||
1143 | * sd-event: compat wd reuse in inotify code: keep a set of removed watch | |
1144 | descriptors, and clear this set piecemeal when we see the IN_IGNORED event | |
1145 | for it, or when read() returns EAGAIN or on IN_Q_OVERFLOW. Then, whenever we | |
1146 | see an inotify wd event check against this set, and if it is contained ignore | |
1147 | the event. (to be fully correct this would have to count the occurrences, in | |
1148 | case the same wd is reused multiple times before we start processing | |
1149 | IN_IGNORED again) | |
1150 | ||
1151 | * for vendor-built signed initrds: | |
1152 | - kernel-install should be able to install encrypted creds automatically for | |
1153 | machine id, root pw, rootfs uuid, resume partition uuid, and place next to | |
1154 | EFI kernel, for sd-stub to pick them up. These creds should be locked to | |
1155 | the TPM, and bind to the right PCR the kernel is measured to. | |
1156 | - kernel-install should be able to pick up initrd sysexts automatically and | |
1157 | place them next to EFI kernel, for sd-stub to pick them up. | |
1158 | - systemd-fstab-generator should look for rootfs device to mount in creds | |
1159 | - systemd-resume-generator should look for resume partition uuid in creds | |
1160 | - sd-stub: automatically pick up microcode from ESP (/loader/microcode/*) | |
1161 | and synthesize initrd from it, and measure it. Signing is not necessary, as | |
1162 | microcode does that on its own. Pass as first initrd to kernel. | |
1163 | ||
1164 | * Maybe extend the service protocol to support handling of some specific SIGRT | |
1165 | signal for setting service log level, that carries the level via the | |
1166 | sigqueue() data parameter. Enable this via unit file setting. | |
1167 | ||
1168 | * sd_notify/vsock: maybe support binding to AF_VSOCK in Type=notify services, | |
1169 | then passing $NOTIFY_SOCKET and $NOTIFY_GUESTCID with PID1's cid (typically | |
1170 | fixed to "2", i.e. the official host cid) and the expected guest cid, for the | |
1171 | two sides of the channel. The latter env var could then be used in an | |
1172 | appropriate qemu cmdline. That way qemu payloads could talk sd_notify() | |
1173 | directly to host service manager. | |
1174 | ||
1175 | * sd-device has an API to create an sd_device object from a device id, but has | |
1176 | no api to query the device id | |
1177 | ||
1178 | * sd-device should return the devnum type (i.e. 'b' or 'c') via some API for an | |
1179 | sd_device object, so that data passed into sd_device_new_from_devnum() can | |
1180 | also be queried. | |
1181 | ||
1182 | * sd-event: optionally, if per-event source rate limit is hit, downgrade | |
1183 | priority, but leave enabled, and once ratelimit window is over, upgrade | |
1184 | priority again. That way we can combat event source starvation without | |
1185 | stopping processing events from one source entirely. | |
1186 | ||
1187 | * sd-event: similar to existing inotify support add fanotify support (given | |
1188 | that apparently new features in this area are only going to be added to the | |
1189 | latter). | |
1190 | ||
1191 | * sd-event: add 1st class event source for clock changes | |
1192 | ||
1193 | * sd-event: add 1st class event source for timezone changes | |
1194 | ||
1195 | * support uefi/http boots with sd-boot: instead of looking for dropin files in | |
1196 | /loader/entries/ dir, look for a file /loader/entries/SHA256SUMS and use that | |
1197 | as directory manifest. The file would be a standard directory listing as | |
1198 | generated by GNU sha256sums. | |
1199 | ||
1200 | * sd-boot: maybe add support for embedding the various auxiliary resources we | |
1201 | look for right in the sd-boot binary. i.e. take inspiration from sd-stub | |
1202 | logic: allow combining sd-boot via ukify with kernels to enumerate, .conf | |
1203 | files, drivers, keys to enroll and so on. Then, add whatever we find that way | |
1204 | to the menu. Use case: allow building a single PE image you can boot into via | |
1205 | UEFI HTTP boot. | |
1206 | ||
1207 | * maybe add a new UEFI stub binary "sd-http". It works similar to sd-stub, but | |
1208 | all it does is download a file from a http server, and execute it, after | |
1209 | optionally checking its hash sum. idea would be: combine this "sd-http" stub | |
1210 | binary with some minimal info about a URL + hash sum, plus .osrel data, and | |
1211 | drop it into the unified kernel dir in the ESP. And bam you have something | |
1212 | that is tiny, feels a lot like a unified kernel, but all it does is chainload | |
1213 | the real kernel. benefit: downloading these stubs would be tiny and quick, | |
1214 | hence cheap for enumeration. | |
1215 | ||
1216 | * sysext: measure all activated sysext into a TPM PCR | |
1217 | ||
1218 | * systemd-dissect: show available versions inside of a disk image, i.e. if | |
1219 | multiple versions are around of the same resource, show which ones. (in other | |
1220 | words: show partition labels). | |
1221 | ||
1222 | * maybe add a generator that reads /proc/cmdline, looks for | |
1223 | systemd.pull-raw-portable=, systemd-pull-raw-sysext= and similar switches | |
1224 | that take a URL as parameter. It then generates service units for | |
1225 | systemd-pull calls that download these URLs if not installed yet. Use case: | |
1226 | invoke a VM or nspawn container in a way it automatically deploys/runs these | |
1227 | images as OS payloads. i.e. have a generic OS image you can point to any | |
1228 | payload you like, which is then downloaded, securely verified and run. | |
1229 | ||
1230 | * systemd-dissect: add --cat switch for dumping files such as /etc/os-release | |
1231 | ||
1232 | * per-service sandboxing option: ProtectIds=. If used, will overmount | |
1233 | /etc/machine-id and /proc/sys/kernel/random/boot_id with synthetic files, to | |
1234 | make it harder for the service to identify the host. Depending on the user | |
1235 | setting it should be fully randomized at invocation time, or a hash of the | |
1236 | real thing, keyed by the unit name or so. Of course, there are other ways to | |
1237 | get these IDs (e.g. journal) or similar ids (e.g. MAC addresses, DMI ids, CPU | |
1238 | ids), so this knob would only be useful in combination with other lockdown | |
1239 | options. Particularly useful for portable services, and anything else that | |
1240 | uses RootDirectory= or RootImage=. (Might also over-mount | |
1241 | /sys/class/dmi/id/*{uuid,serial} with /dev/null). | |
1242 | ||
1243 | * doc: prep a document explaining resolved's internal objects, i.e. Query | |
1244 | vs. Question vs. Transaction vs. Stream and so on. | |
1245 | ||
1246 | * doc: prep a document explaining PID 1's internal logic, i.e. transactions, | |
1247 | jobs, units | |
1248 | ||
1249 | * bootspec: bring UEFI and userspace enumeration of bootspec entries back into | |
1250 | sync, i.e. parse out architecture field in sd-boot (currently only done in | |
1251 | userspace) | |
1252 | ||
1253 | * automatically ignore threaded cgroups in cg_xyz(). | |
1254 | ||
1255 | * add linker script that implicitly adds symbol for build ID and new coredump | |
1256 | json package metadata, and use that when logging | |
1257 | ||
1258 | * Enable RestrictFileSystems= for all our long-running services (similar: | |
1259 | RestrictNetworkInterfaces=) | |
1260 | ||
1261 | * Add systemd-analyze security checks for RestrictFileSystems= and | |
1262 | RestrictNetworkInterfaces= | |
1263 | ||
1264 | * cryptsetup/homed: implement TOTP authentication backed by TPM2 and its | |
1265 | internal clock. | |
1266 | ||
1267 | * man: rework os-release(5), and clearly separate our extension-release.d/ and | |
1268 | initrd-release parts, i.e. list explicitly which fields are about what. | |
1269 | ||
1270 | * sysext: before applying a sysext, do a superficial validation run so that | |
1271 | things are not rearranged to wildy. I.e. protect against accidental fuckups, | |
1272 | such as masking out /usr/lib/ or so. We should probably refuse if existing | |
1273 | inodes are replaced by other types of inodes or so. | |
1274 | ||
1275 | * userdb: when synthesizing NSS records, pick "best" password from defined | |
1276 | passwords, not just the first. i.e. if there are multiple defined, prefer | |
1277 | unlocked over locked and prefer non-empty over empty. | |
1278 | ||
1279 | * homed: if the homed shell fallback thing has access to an SSH agent, try to | |
1280 | use it to unlock home dir (if ssh-agent forwarding is enabled). We | |
1281 | could implement SSH unlocking of a homedir with that: when enrolling a new | |
1282 | ssh pubkey in a user record we'd ask the ssh-agent to sign some random value | |
1283 | with the privkey, then use that as luks key to unlock the home dir. Will not | |
1284 | work for ECDSA keys since their signatures contain a random component, but | |
1285 | will work for RSA and Ed25519 keys. | |
1286 | ||
1287 | * add tiny service that decrypts encrypted user records passed via initrd | |
1288 | credential logic and drops them into /run where nss-systemd can pick them up, | |
1289 | similar to /run/host/userdb/. Use case: drop a root user JSON record there, | |
1290 | and use it in the initrd to log in as root with locally selected password, | |
1291 | for debugging purposes. Other use case: boot into qemu with regular user | |
1292 | mounted from host. maybe put this in systemd-user-sessions.service? | |
1293 | ||
1294 | * drop dependency on libcap, replace by direct syscalls based on | |
1295 | CapabilityQuintet we already have. (This likely allows us to drop libcap | |
1296 | dep in the base OS image) | |
1297 | ||
1298 | * add concept for "exitrd" as inverse of "initrd", that we can transition to at | |
1299 | shutdown, and has similar security semantics. This should then take the place | |
1300 | of dracut's shutdown logic. Should probably support sysexts too. Care needs | |
1301 | to be taken that the resulting logic ends up in RAM, i.e. is copied out of | |
1302 | on-disk storage. | |
1303 | ||
1304 | * userdbd: implement an additional varlink service socket that provides the | |
1305 | host user db in restricted form, then allow this to be bind mounted into | |
1306 | sandboxed environments that want the host database in minimal form. All | |
1307 | records would be stripped of all meta info, except the basic UID/name | |
1308 | info. Then use this in portabled environments that do not use PrivateUsers=1. | |
1309 | ||
1310 | * portabled: when extracting unit files and copying to system.attached, if a | |
1311 | .p7s is available in the image, use it to protect the system.attached copy | |
1312 | with fs-verity, so that it cannot be tampered with | |
1313 | ||
1314 | * /etc/veritytab: allow that the roothash column can be specified as fs path | |
1315 | including a path to an AF_UNIX path, similar to how we do things with the | |
1316 | keys of /etc/crypttab. That way people can store/provide the roothash | |
1317 | externally and provide to us on demand only. | |
1318 | ||
1319 | * we probably should extend the root verity hash of the root fs into some PCR | |
1320 | on boot. (i.e. maybe add a veritytab option tpm2-measure=12 or so to measure | |
1321 | it into PCR 12); Similar: we probably should extend the LUKS volume key of | |
1322 | the root fs into some PCR on boot. (i.e. maybe add a crypttab option | |
1323 | tpm2-measure=15 or so to measure it into PCR 15); once both are in place | |
1324 | update gpt-auto-discovery to generate these by default for the partitions it | |
1325 | discovers. Static vendor stuff should probably end up in PCR 12 (i.e. the | |
1326 | verity hash), with local keys in PCR 15 (i.e. the encryption volume | |
1327 | key). That way, we nicely distinguish resources supplied by the OS vendor | |
1328 | (i.e. sysext, root verity) from those inherently local (i.e. encryption key), | |
1329 | which is useful if they shall be signed separately. | |
1330 | ||
1331 | * in uefi stub: query firmware regarding which PCR banks are being used, store | |
1332 | that in EFI var. then use this when enrolling TPM2 in cryptsetup to verify | |
1333 | that the selected PCRs actually are used by firmware. | |
1334 | ||
1335 | * rework recursive read-only remount to use new mount API | |
1336 | ||
1337 | * PAM: pick up authentication token from credentials | |
1338 | ||
1339 | * when mounting disk images: if IMAGE_ID/IMAGE_VERSION is set in os-release | |
1340 | data in the image, make sure the image filename actually matches this, so | |
1341 | that images cannot be misused. | |
1342 | ||
1343 | * New udev block device symlink names: | |
1344 | /dev/disk/by-parttypelabel/<pttype>-<ptlabel>. Use case: if pt label is used | |
1345 | as partition image version string, this is a safe way to reference a specific | |
1346 | version of a specific partition type, in particular where related partitions | |
1347 | are processed (e.g. verity + rootfs both named "LennartOS_0.7"). | |
1348 | ||
1349 | * sysupdate: | |
1350 | - add fuzzing to the pattern parser | |
1351 | - support casync as download mechanism | |
1352 | - "systemd-sysupdate update --all" support, that iterates through all components | |
1353 | defined on the host, plus all images installed into /var/lib/machines/, | |
1354 | /var/lib/portable/ and so on. | |
1355 | - figure out what to do about system extensions (i.e. they need to imply an | |
1356 | update component, since otherwise sysupdate.d/ files would override the | |
1357 | host's update files.) | |
1358 | - Allow invocation with a single transfer definition, i.e. with | |
1359 | --definitions= pointing to a file rather than a dir. | |
1360 | - add ability to disable implicit decompression of downloaded artifacts, | |
1361 | i.e. a Compress=no option in the transfer definitions | |
1362 | ||
1363 | * in sd-id128: also parse UUIDs in RFC4122 URN syntax (i.e. chop off urn:uuid: prefix) | |
1364 | ||
1365 | * DynamicUser= + StateDirectory= → use uid mapping mounts, too, in order to | |
1366 | make dirs appear under right UID. | |
1367 | ||
1368 | * systemd-sysext: optionally, run it in initrd already, before transitioning | |
1369 | into host, to open up possibility for services shipped like that. | |
1370 | ||
1371 | * introduce /dev/disk/root/* symlinks that allow referencing partitions on the | |
1372 | disk the rootfs is on in a reasonably secure way. (or maybe: add | |
1373 | /dev/gpt-auto-{home,srv,boot,…} similar in style to /dev/gpt-auto-root as we | |
1374 | already have it. | |
1375 | ||
1376 | * whenever we receive fds via SCM_RIGHTS make sure none got dropped due to the | |
1377 | reception limit the kernel silently enforces. | |
1378 | ||
1379 | * Add service unit setting ConnectStream= which takes IP addresses and connects to them. | |
1380 | ||
1381 | * Similar, Load= which takes literal data in text or base64 format, and puts it | |
1382 | into a memfd, and passes that. This enables some fun stuff, such as embedding | |
1383 | bash scripts in unit files, by combining Load= with ExecStart=/bin/bash | |
1384 | /proc/self/fd/3 | |
1385 | ||
1386 | * add a ConnectSocket= setting to service unit files, that may reference a | |
1387 | socket unit, and which will connect to the socket defined therein, and pass | |
1388 | the resulting fd to the service program via socket activation proto. | |
1389 | ||
1390 | * Add a concept of ListenStream=anonymous to socket units: listen on a socket | |
1391 | that is deleted in the fs. Use case would be with ConnectSocket= above. | |
1392 | ||
1393 | * importd: support image signature verification with PKCS#7 + OpenBSD signify | |
1394 | logic, as alternative to crummy gpg | |
1395 | ||
1396 | * add "systemd-analyze debug" + AttachDebugger= in unit files: The former | |
1397 | specifies a command to execute; the latter specifies that an already running | |
1398 | "systemd-analyze debug" instance shall be contacted and execution paused | |
1399 | until it gives an OK. That way, tools like gdb or strace can be safely be | |
1400 | invoked on processes forked off PID 1. | |
1401 | ||
1402 | * expose MS_NOSYMFOLLOW in various places | |
1403 | ||
1404 | * credentials system: | |
1405 | - acquire from EFI variable? | |
1406 | - acquire via ask-password? | |
1407 | - acquire creds via keyring? | |
1408 | - pass creds via keyring? | |
1409 | - pass creds via memfd? | |
1410 | - acquire + decrypt creds from pkcs11? | |
1411 | - make PAMName= acquire pw via creds logic | |
1412 | - make macsec code in networkd read key via creds logic (copy logic from | |
1413 | wireguard) | |
1414 | - make gatewayd/remote read key via creds logic | |
1415 | - add sd_notify() command for flushing out creds not needed anymore | |
1416 | ||
1417 | * TPM2: auto-reenroll in cryptsetup, as fallback for hosed firmware upgrades | |
1418 | and such | |
1419 | ||
1420 | * introduce a new group to own TPM devices | |
1421 | ||
1422 | * cryptsetup: add option for automatically removing empty password slot on boot | |
1423 | ||
1424 | * cryptsetup: optionally, when run during boot-up and password is never | |
1425 | entered, and we are on battery power (or so), power off machine again | |
1426 | ||
1427 | * cryptsetup: when waiting for FIDO2/PKCS#11 token, tell plymouth that, and | |
1428 | allow plymouth to abort the waiting and enter pw instead | |
1429 | ||
1430 | * make cryptsetup lower --iter-time | |
1431 | ||
1432 | * cryptsetup: allow encoding key directly in /etc/crypttab, maybe with a | |
1433 | "base64:" prefix. Useful in particular for pkcs11 mode. | |
1434 | ||
1435 | * cryptsetup: reimplement the mkswap/mke2fs in cryptsetup-generator to use | |
1436 | systemd-makefs.service instead. | |
1437 | ||
1438 | * cryptsetup: | |
1439 | - cryptsetup-generator: allow specification of passwords in crypttab itself | |
1440 | - support rd.luks.allow-discards= kernel cmdline params in cryptsetup generator | |
1441 | ||
1442 | * systemd-analyze netif that explains predictable interface (or networkctl) | |
1443 | ||
1444 | * Figure out naming of verbs in systemd-analyze: we have (singular) capability, | |
1445 | exit-status, but (plural) filesystems, architectures. | |
1446 | ||
1447 | * Add service setting to run a service within the specified VRF. i.e. do the | |
1448 | equivalent of "ip vrf exec". | |
1449 | ||
1450 | * special case some calls of chase() to use openat2() internally, so | |
1451 | that the kernel does what we otherwise do. | |
1452 | ||
1453 | * add a new flag to chase() that stops chasing once the first missing | |
1454 | component is found and then allows the caller to create the rest. | |
1455 | ||
1456 | * make use of new glibc 2.32 APIs sigabbrev_np() and strerrorname_np(). | |
1457 | ||
1458 | * if /usr/bin/swapoff fails due to OOM, log a friendly explanatory message about it | |
1459 | ||
1460 | * pid1: also remove PID files of a service when the service starts, not just | |
1461 | when it exits | |
1462 | ||
1463 | * make us use dynamically fewer deps for containers in general purpose distros: | |
1464 | o turn into dlopen() deps: | |
1465 | - libblkid (only in RootImage= handling in PID 1, but not elsewhere) | |
1466 | - libpam (only when called from PID 1) | |
1467 | ||
1468 | * seccomp: maybe use seccomp_merge() to merge our filters per-arch if we can. | |
1469 | Apparently kernel performance is much better with fewer larger seccomp | |
1470 | filters than with more smaller seccomp filters. | |
1471 | ||
1472 | * systemd-path: Add "private" runtime/state/cache dir enum, mapping to | |
1473 | $RUNTIME_DIRECTORY, $STATE_DIRECTORY and such | |
1474 | ||
1475 | * seccomp: by default mask x32 ABI system wide on x86-64. it's on its way out | |
1476 | ||
1477 | * seccomp: don't install filters for ABIs that are masked anyway for the | |
1478 | specific service | |
1479 | ||
1480 | * busctl: maybe expose a verb "ping" for pinging a dbus service to see if it | |
1481 | exists and responds. | |
1482 | ||
1483 | * socket units: allow creating a udev monitor socket with ListenDevices= or so, | |
1484 | with matches, then activate app through that passing socket over | |
1485 | ||
1486 | * unify on openssl: | |
1487 | - kill gnutls support in resolved | |
1488 | - figure out what to do about libmicrohttpd, which has a hard dependency on | |
1489 | gnutls | |
1490 | - port fsprg over to a dlopen lib, then switch it to openssl | |
1491 | ||
1492 | * add growvol and makevol options for /etc/crypttab, similar to | |
1493 | x-systemd.growfs and x-systemd-makefs. | |
1494 | ||
1495 | * userdb: allow username prefix searches in varlink API, allow realname and | |
1496 | realname substr searches in varlink API | |
1497 | ||
1498 | * userdb: allow uid/gid range checks | |
1499 | ||
1500 | * userdb: allow existence checks | |
1501 | ||
1502 | * pid1: activation by journal search expression | |
1503 | ||
1504 | * when switching root from initrd to host, set the machine_id env var so that | |
1505 | if the host has no machine ID set yet we continue to use the random one the | |
1506 | initrd had set. | |
1507 | ||
1508 | * sd-event: add native support for P_ALL waitid() watching, then move PID 1 to | |
1509 | it for reaping assigned but unknown children. This needs to some special care | |
1510 | to operate somewhat sensibly in light of priorities: P_ALL will return | |
1511 | arbitrary processes, regardless of the priority we want to watch them with, | |
1512 | hence on each event loop iteration check all processes which we shall watch | |
1513 | with higher prio explicitly, and then watch the entire rest with P_ALL. | |
1514 | ||
1515 | * tweak sd-event's child watching: keep a prioq of children to watch and use | |
1516 | waitid() only on the children with the highest priority until one is waitable | |
1517 | and ignore all lower-prio ones from that point on | |
1518 | ||
1519 | * maybe introduce xattrs that can be set on the root dir of the root fs | |
1520 | partition that declare the volatility mode to use the image in. Previously I | |
1521 | thought marking this via GPT partition flags but that's not ideal since | |
1522 | that's outside of the LUKS encryption/verity verification, and we probably | |
1523 | shouldn't operate in a volatile mode unless we got told so from a trusted | |
1524 | source. | |
1525 | ||
1526 | * coredump: maybe when coredumping read a new xattr from /proc/$PID/exe that | |
1527 | may be used to mark a whole binary as non-coredumpable. Would fix: | |
1528 | https://bugs.freedesktop.org/show_bug.cgi?id=69447 | |
1529 | ||
1530 | * teach parse_timestamp() timezones like the calendar spec already knows it | |
1531 | ||
1532 | * We should probably replace /etc/rc.d/README with a symlink to doc | |
1533 | content. After all it is constant vendor data. | |
1534 | ||
1535 | * maybe add kernel cmdline params: to force random seed crediting | |
1536 | ||
1537 | * introduce a new per-process uuid, similar to the boot id, the machine id, the | |
1538 | invocation id, that is derived from process creds, specifically a hashed | |
1539 | combination of AT_RANDOM + getpid() + the starttime from | |
1540 | /proc/self/status. Then add these ids implicitly when logging. Deriving this | |
1541 | uuid from these three things has the benefit that it can be derived easily | |
1542 | from /proc/$PID/ in a stable, and unique way that changes on both fork() and | |
1543 | exec(). | |
1544 | ||
1545 | * let's not GC a unit while its ratelimits are still pending | |
1546 | ||
1547 | * when killing due to service watchdog timeout maybe detect whether target | |
1548 | process is under ptracing and then log loudly and continue instead. | |
1549 | ||
1550 | * make rfkill uaccess controllable by default, i.e. steal rule from | |
1551 | gnome-bluetooth and friends | |
1552 | ||
1553 | * make MAINPID= message reception checks even stricter: if service uses User=, | |
1554 | then check sending UID and ignore message if it doesn't match the user or | |
1555 | root. | |
1556 | ||
1557 | * maybe trigger a uevent "change" on a device if "systemctl reload xyz.device" | |
1558 | is issued. | |
1559 | ||
1560 | * when importing an fs tree with machined, optionally apply userns-rec-chown | |
1561 | ||
1562 | * when importing an fs tree with machined, complain if image is not an OS | |
1563 | ||
1564 | * Maybe introduce a helper safe_exec() or so, which is to execve() which | |
1565 | safe_fork() is to fork(). And then make revert the RLIMIT_NOFILE soft limit | |
1566 | to 1K implicitly, unless explicitly opted-out. | |
1567 | ||
1568 | * rework seccomp/nnp logic that even if User= is used in combination with | |
1569 | a seccomp option we don't have to set NNP. For that, change uid first whil | |
1570 | keeping CAP_SYS_ADMIN, then apply seccomp, the drop cap. | |
1571 | ||
1572 | * when no locale is configured, default to UEFI's PlatformLang variable | |
1573 | ||
1574 | * add a new syscall group "@esoteric" for more esoteric stuff such as bpf() and | |
1575 | usefaultd() and make systemd-analyze check for it. | |
1576 | ||
1577 | * paranoia: whenever we process passwords, call mlock() on the memory | |
1578 | first. i.e. look for all places we use free_and_erasep() and | |
1579 | augment them with mlock(). Also use MADV_DONTDUMP. | |
1580 | Alternatively (preferably?) use memfd_secret(). | |
1581 | ||
1582 | * Move RestrictAddressFamily= to the new cgroup create socket | |
1583 | ||
1584 | * optionally: turn on cgroup delegation for per-session scope units | |
1585 | ||
1586 | * sd-boot: optionally, show boot menu when previous default boot item has | |
1587 | non-zero "tries done" count | |
1588 | ||
1589 | * augment CODE_FILE=, CODE_LINE= with something like CODE_BASE= or so which | |
1590 | contains some identifier for the project, which allows us to include | |
1591 | clickable links to source files generating these log messages. The identifier | |
1592 | could be some abberviated URL prefix or so (taking inspiration from Go | |
1593 | imports). For example, for systemd we could use | |
1594 | CODE_BASE=github.com/systemd/systemd/blob/98b0b1123cc or so which is | |
1595 | sufficient to build a link by prefixing "http://" and suffixing the | |
1596 | CODE_FILE. | |
1597 | ||
1598 | * Augment MESSAGE_ID with MESSAGE_BASE, in a similar fashion so that we can | |
1599 | make clickable links from log messages carrying a MESSAGE_ID, that lead to | |
1600 | some explanatory text online. | |
1601 | ||
1602 | * maybe extend .path units to expose fanotify() per-mount change events | |
1603 | ||
1604 | * hibernate/s2h: if swap is on weird storage and refuse if so | |
1605 | ||
1606 | * cgroups: use inotify to get notified when somebody else modifies cgroups | |
1607 | owned by us, then log a friendly warning. | |
1608 | ||
1609 | * beef up log.c with support for stripping ANSI sequences from strings, so that | |
1610 | it is OK to include them in log strings. This would be particularly useful so | |
1611 | that our log messages could contain clickable links for example for unit | |
1612 | files and suchlike we operate on. | |
1613 | ||
1614 | * add support for "portablectl attach http://foobar.com/waaa.raw (i.e. importd integration) | |
1615 | ||
1616 | * sync dynamic uids/gids between host+portable srvice (i.e. if DynamicUser=1 is set for a service, make sure that the | |
1617 | selected user is resolvable in the service even if it ships its own /etc/passwd) | |
1618 | ||
1619 | * Fix DECIMAL_STR_MAX or DECIMAL_STR_WIDTH. One includes a trailing NUL, the | |
1620 | other doesn't. What a disaster. Probably to exclude it. | |
1621 | ||
1622 | * Check that users of inotify's IN_DELETE_SELF flag are using it properly, as | |
1623 | usually IN_ATTRIB is the right way to watch deleted files, as the former only | |
1624 | fires when a file is actually removed from disk, i.e. the link count drops to | |
1625 | zero and is not open anymore, while the latter happens when a file is | |
1626 | unlinked from any dir. | |
1627 | ||
1628 | * port systemctl, busctl, … over to format-table.[ch]'s table formatters | |
1629 | ||
1630 | * pid1: lock image configured with RootDirectory=/RootImage= using the usual nspawn semantics while the unit is up | |
1631 | ||
1632 | * add --vacuum-xyz options to coredumpctl, matching those journalctl already has. | |
1633 | ||
1634 | * add CopyFile= or so as unit file setting that may be used to copy files or | |
1635 | directory trees from the host to the services RootImage= and RootDirectory= | |
1636 | environment. Which we can use for /etc/machine-id and in particular | |
1637 | /etc/resolv.conf. Should be smart and do something useful on read-only | |
1638 | images, for example fall back to read-only bind mounting the file instead. | |
1639 | ||
1640 | * bypass SIGTERM state in unit files if KillSignal is SIGKILL | |
1641 | ||
1642 | * add proper dbus APIs for the various sd_notify() commands, such as MAINPID=1 | |
1643 | and so on, which would mean we could report errors and such. | |
1644 | ||
1645 | * introduce DefaultSlice= or so in system.conf that allows changing where we | |
1646 | place our units by default, i.e. change system.slice to something | |
1647 | else. Similar, ManagerSlice= should exist so that PID1's own scope unit could | |
1648 | be moved somewhere else too. Finally machined and logind should get similar | |
1649 | options so that it is possible to move user session scopes and machines to a | |
1650 | different slice too by default. Use case: people who want to put resources on | |
1651 | the entire system, with the exception of one specific service. See: | |
1652 | https://lists.freedesktop.org/archives/systemd-devel/2018-February/040369.html | |
1653 | ||
1654 | * maybe rework get_user_creds() to query the user database if $SHELL is used | |
1655 | for root, but only then. | |
1656 | ||
1657 | * calenderspec: add support for week numbers and day numbers within a | |
1658 | year. This would allow us to define "bi-weekly" triggers safely. | |
1659 | ||
1660 | * sd-bus: add vtable flag, that may be used to request client creds implicitly | |
1661 | and asynchronously before dispatching the operation | |
1662 | ||
1663 | * sd-bus: parse addresses given in sd_bus_set_addresses immediately and not | |
1664 | only when used. Add unit tests. | |
1665 | ||
1666 | * make use of ethtool veth peer info in machined, for automatically finding out | |
1667 | host-side interface pointing to the container. | |
1668 | ||
1669 | * add some special mode to LogsDirectory=/StateDirectory=… that allows | |
1670 | declaring these directories without necessarily pulling in deps for them, or | |
1671 | creating them when starting up. That way, we could declare that | |
1672 | systemd-journald writes to /var/log/journal, which could be useful when we | |
1673 | doing disk usage calculations and so on. | |
1674 | ||
1675 | * deprecate RootDirectoryStartOnly= in favour of a new ExecStart= prefix char | |
1676 | ||
1677 | * support projid-based quota in machinectl for containers | |
1678 | ||
1679 | * add a way to lock down cgroup migration: a boolean, which when set for a unit | |
1680 | makes sure the processes in it can never migrate out of it | |
1681 | ||
1682 | * blog about fd store and restartable services | |
1683 | ||
1684 | * document Environment=SYSTEMD_LOG_LEVEL=debug drop-in in debugging document | |
1685 | ||
1686 | * rework ExecOutput and ExecInput enums so that EXEC_OUTPUT_NULL loses its | |
1687 | magic meaning and is no longer upgraded to something else if set explicitly. | |
1688 | ||
1689 | * in the long run: permit a system with /etc/machine-id linked to /dev/null, to | |
1690 | make it lose its identity, i.e. be anonymous. For this we'd have to patch | |
1691 | through the whole tree to make all code deal with the case where no machine | |
1692 | ID is available. | |
1693 | ||
1694 | * optionally, collect cgroup resource data, and store it in per-unit RRD files, | |
1695 | suitable for processing with rrdtool. Add bus API to access this data, and | |
1696 | possibly implement a CPULoad property based on it. | |
1697 | ||
1698 | * beef up pam_systemd to take unit file settings such as cgroups properties as | |
1699 | parameters | |
1700 | ||
1701 | * maybe hook up xfs/ext4 quotactl() with services? i.e. automatically manage | |
1702 | the quota of the user indicated in User= via unit file settings, like the | |
1703 | other resource management concepts. Would mix nicely with DynamicUser=1. Or | |
1704 | alternatively, do this with projids, so that we can also cover services | |
1705 | running as root. Quota should probably cover all the special dirs such as | |
1706 | StateDirectory=, LogsDirectory=, CacheDirectory=, as well as RootDirectory= if it | |
1707 | is set, plus the whole disk space any image configured with RootImage=. | |
1708 | ||
1709 | * In DynamicUser= mode: before selecting a UID, use disk quota APIs on relevant | |
1710 | disks to see if the UID is already in use. | |
1711 | ||
1712 | * Add AddUser= setting to unit files, similar to DynamicUser=1 which however | |
1713 | creates a static, persistent user rather than a dynamic, transient user. We | |
1714 | can leverage code from sysusers.d for this. | |
1715 | ||
1716 | * add some optional flag to ReadWritePaths= and friends, that has the effect | |
1717 | that we create the dir in question when the service is started. Example: | |
1718 | ||
1719 | ReadWritePaths=:/var/lib/foobar | |
1720 | ||
1721 | * Add ExecMonitor= setting. May be used multiple times. Forks off a process in | |
1722 | the service cgroup, which is supposed to monitor the service, and when it | |
1723 | exits the service is considered failed by its monitor. | |
1724 | ||
1725 | * track the per-service PAM process properly (i.e. as an additional control | |
1726 | process), so that it may be queried on the bus and everything. | |
1727 | ||
1728 | * add a new "debug" job mode, that is propagated to unit_start() and for | |
1729 | services results in two things: we raise SIGSTOP right before invoking | |
1730 | execve() and turn off watchdog support. Then, use that to implement | |
1731 | "systemd-gdb" for attaching to the start-up of any system service in its | |
1732 | natural habitat. | |
1733 | ||
1734 | * gpt-auto logic: support encrypted swap, add kernel cmdline option to force | |
1735 | it, and honour a gpt bit about it, plus maybe a configuration file | |
1736 | ||
1737 | * add a percentage syntax for TimeoutStopSec=, e.g. TimeoutStopSec=150%, and | |
1738 | then use that for the setting used in user@.service. It should be understood | |
1739 | relative to the configured default value. | |
1740 | ||
1741 | * enable LockMLOCK to take a percentage value relative to physical memory | |
1742 | ||
1743 | * Permit masking specific netlink APIs with RestrictAddressFamily= | |
1744 | ||
1745 | * define gpt header bits to select volatility mode | |
1746 | ||
1747 | * ProtectClock= (drops CAP_SYS_TIMES, adds seecomp filters for settimeofday, adjtimex), sets DeviceAllow o /dev/rtc | |
1748 | ||
1749 | * ProtectTracing= (drops CAP_SYS_PTRACE, blocks ptrace syscall, makes /sys/kernel/tracing go away) | |
1750 | ||
1751 | * ProtectMount= (drop mount/umount/pivot_root from seccomp, disallow fuse via DeviceAllow, imply Mountflags=slave) | |
1752 | ||
1753 | * ProtectKeyRing= to take keyring calls away | |
1754 | ||
1755 | * RemoveKeyRing= to remove all keyring entries of the specified user | |
1756 | ||
1757 | * ProtectReboot= that masks reboot() and kexec_load() syscalls, prohibits kill | |
1758 | on PID 1 with the relevant signals, and makes relevant files in /sys and | |
1759 | /proc (such as the sysrq stuff) unavailable | |
1760 | ||
1761 | * Support ReadWritePaths/ReadOnlyPaths/InaccessiblePaths in systemd --user instances | |
1762 | via the new unprivileged Landlock LSM (https://landlock.io) | |
1763 | ||
1764 | * make sure the ratelimit object can deal with USEC_INFINITY as way to turn off things | |
1765 | ||
1766 | * in nss-systemd, if we run inside of RootDirectory= with PrivateUsers= set, | |
1767 | find a way to map the User=/Group= of the service to the right name. This way | |
1768 | a user/group for a service only has to exist on the host for the right | |
1769 | mapping to work. | |
1770 | ||
1771 | * add bus API for creating unit files in /etc, reusing the code for transient units | |
1772 | ||
1773 | * add bus API to remove unit files from /etc | |
1774 | ||
1775 | * add bus API to retrieve current unit file contents (i.e. implement "systemctl cat" on the bus only) | |
1776 | ||
1777 | * rework fopen_temporary() to make use of open_tmpfile_linkable() (problem: the | |
1778 | kernel doesn't support linkat() that replaces existing files, currently) | |
1779 | ||
1780 | * transient units: don't bother with actually setting unit properties, we | |
1781 | reload the unit file anyway | |
1782 | ||
1783 | * optionally, also require WATCHDOG=1 notifications during service start-up and shutdown | |
1784 | ||
1785 | * cache sd_event_now() result from before the first iteration... | |
1786 | ||
1787 | * PID1: find a way how we can reload unit file configuration for | |
1788 | specific units only, without reloading the whole of systemd | |
1789 | ||
1790 | * add an explicit parser for LimitRTPRIO= that verifies | |
1791 | the specified range and generates sane error messages for incorrect | |
1792 | specifications. | |
1793 | ||
1794 | * when we detect that there are waiting jobs but no running jobs, do something | |
1795 | ||
1796 | * PID 1 should send out sd_notify("WATCHDOG=1") messages (for usage in the --user mode, and when run via nspawn) | |
1797 | ||
1798 | * there's probably something wrong with having user mounts below /sys, | |
1799 | as we have for debugfs. for example, src/core/mount.c handles mounts | |
1800 | prefixed with /sys generally special. | |
1801 | https://lists.freedesktop.org/archives/systemd-devel/2015-June/032962.html | |
1802 | ||
1803 | * fstab-generator: default to tmpfs-as-root if only usr= is specified on the kernel cmdline | |
1804 | ||
1805 | * docs: bring https://www.freedesktop.org/wiki/Software/systemd/MyServiceCantGetRealtime up to date | |
1806 | ||
1807 | * add a job mode that will fail if a transaction would mean stopping | |
1808 | running units. Use this in timedated to manage the NTP service | |
1809 | state. | |
1810 | https://lists.freedesktop.org/archives/systemd-devel/2015-April/030229.html | |
1811 | ||
1812 | * The udev blkid built-in should expose a property that reflects | |
1813 | whether media was sensed in USB CF/SD card readers. This should then | |
1814 | be used to control SYSTEMD_READY=1/0 so that USB card readers aren't | |
1815 | picked up by systemd unless they contain a medium. This would mirror | |
1816 | the behaviour we already have for CD drives. | |
1817 | ||
1818 | * hostnamectl: show root image uuid | |
1819 | ||
1820 | * Find a solution for SMACK capabilities stuff: | |
1821 | https://lists.freedesktop.org/archives/systemd-devel/2014-December/026188.html | |
1822 | ||
1823 | * synchronize console access with BSD locks: | |
1824 | https://lists.freedesktop.org/archives/systemd-devel/2014-October/024582.html | |
1825 | ||
1826 | * as soon as we have sender timestamps, revisit coalescing multiple parallel daemon reloads: | |
1827 | https://lists.freedesktop.org/archives/systemd-devel/2014-December/025862.html | |
1828 | ||
1829 | * figure out when we can use the coarse timers | |
1830 | ||
1831 | * maybe allow timer units with an empty Units= setting, so that they | |
1832 | can be used for resuming the system but nothing else. | |
1833 | ||
1834 | * what to do about udev db binary stability for apps? (raw access is not an option) | |
1835 | ||
1836 | * exponential backoff in timesyncd when we cannot reach a server | |
1837 | ||
1838 | * timesyncd: add ugly bus calls to set NTP servers per-interface, for usage by NM | |
1839 | ||
1840 | * add systemd.abort_on_kill or some other such flag to send SIGABRT instead of SIGKILL | |
1841 | (throughout the codebase, not only PID1) | |
1842 | ||
1843 | * drop nss-myhostname in favour of nss-resolve? | |
1844 | ||
1845 | * resolved: | |
1846 | - mDNS/DNS-SD | |
1847 | - service registration | |
1848 | - service/domain/types browsing | |
1849 | - avahi compat | |
1850 | - DNS-SD service registration from socket units | |
1851 | - resolved should optionally register additional per-interface LLMNR | |
1852 | names, so that for the container case we can establish the same name | |
1853 | (maybe "host") for referencing the server, everywhere. | |
1854 | - allow clients to request DNSSEC for a single lookup even if DNSSEC is off (?) | |
1855 | - hook up resolved with machined-based address resolution | |
1856 | ||
1857 | * refcounting in sd-resolve is borked | |
1858 | ||
1859 | * add new gpt type for btrfs volumes | |
1860 | ||
1861 | * generator that automatically discovers btrfs subvolumes, identifies their purpose based on some xattr on them. | |
1862 | ||
1863 | * a way for container managers to turn off getty starting via $container_headless= or so... | |
1864 | ||
1865 | * figure out a nice way how we can let the admin know what child/sibling unit causes cgroup membership for a specific unit | |
1866 | ||
1867 | * For timer units: add some mechanisms so that timer units that trigger immediately on boot do not have the services | |
1868 | they run added to the initial transaction and thus confuse Type=idle. | |
1869 | ||
1870 | * add bus api to query unit file's X fields. | |
1871 | ||
1872 | * gpt-auto-generator: | |
1873 | - Define new partition type for encrypted swap? Support probed LUKS for encrypted swap? | |
1874 | - Make /home automount rather than mount? | |
1875 | ||
1876 | * add generator that pulls in systemd-network from containers when | |
1877 | CAP_NET_ADMIN is set, more than the loopback device is defined, even | |
1878 | when it is otherwise off | |
1879 | ||
1880 | * MessageQueueMessageSize= (and suchlike) should use parse_iec_size(). | |
1881 | ||
1882 | * implement Distribute= in socket units to allow running multiple | |
1883 | service instances processing the listening socket, and open this up | |
1884 | for ReusePort= | |
1885 | ||
1886 | * cgroups: | |
1887 | - implement per-slice CPUFairScheduling=1 switch | |
1888 | - introduce high-level settings for RT budget, swappiness | |
1889 | - how to reset dynamically changed unit cgroup attributes sanely? | |
1890 | - when reloading configuration, apply new cgroup configuration | |
1891 | - when recursively showing the cgroup hierarchy, optionally also show | |
1892 | the hierarchies of child processes | |
1893 | - add settings for cgroup.max.descendants and cgroup.max.depth, | |
1894 | maybe use them for user@.service | |
1895 | ||
1896 | * transient units: | |
1897 | - add field to transient units that indicate whether systemd or somebody else saves/restores its settings, for integration with libvirt | |
1898 | ||
1899 | * libsystemd-journal, libsystemd-login, libudev: add calls to easily attach these objects to sd-event event loops | |
1900 | ||
1901 | * be more careful what we export on the bus as (usec_t) 0 and (usec_t) -1 | |
1902 | ||
1903 | * rfkill,backlight: we probably should run the load tools inside of the udev rules so that the state is properly initialized by the time other software sees it | |
1904 | ||
1905 | * If we try to find a unit via a dangling symlink, generate a clean | |
1906 | error. Currently, we just ignore it and read the unit from the search | |
1907 | path anyway. | |
1908 | ||
1909 | * refuse boot if /usr/lib/os-release is missing or /etc/machine-id cannot be set up | |
1910 | ||
1911 | * man: the documentation of Restart= currently is very misleading and suggests the tools from ExecStartPre= might get restarted. | |
1912 | ||
1913 | * There's currently no way to cancel fsck (used to be possible via C-c or c on the console) | |
1914 | ||
1915 | * add option to sockets to avoid activation. Instead just drop packets/connections, see http://cyberelk.net/tim/2012/02/15/portreserve-systemd-solution/ | |
1916 | ||
1917 | * make sure systemd-ask-password-wall does not shutdown systemd-ask-password-console too early | |
1918 | ||
1919 | * verify that the AF_UNIX sockets of a service in the fs still exist | |
1920 | when we start a service in order to avoid confusion when a user | |
1921 | assumes starting a service is enough to make it accessible | |
1922 | ||
1923 | * Make it possible to set the keymap independently from the font on | |
1924 | the kernel cmdline. Right now setting one resets also the other. | |
1925 | ||
1926 | * and a dbus call to generate target from current state | |
1927 | ||
1928 | * investigate whether the gnome pty helper should be moved into systemd, to provide cgroup support. | |
1929 | ||
1930 | * dot output for --test showing the 'initial transaction' | |
1931 | ||
1932 | * be able to specify a forced restart of service A where service B depends on, in case B | |
1933 | needs to be auto-respawned? | |
1934 | ||
1935 | * pid1: | |
1936 | - When logging about multiple units (stopping BoundTo units, conflicts, etc.), | |
1937 | log both units as UNIT=, so that journalctl -u triggers on both. | |
1938 | - generate better errors when people try to set transient properties | |
1939 | that are not supported... | |
1940 | https://lists.freedesktop.org/archives/systemd-devel/2015-February/028076.html | |
1941 | - recreate systemd's D-Bus private socket file on SIGUSR2 | |
1942 | - when we automatically restart a service, ensure we restart its rdeps, too. | |
1943 | - hide PAM options in fragment parser when compile time disabled | |
1944 | - Support --test based on current system state | |
1945 | - If we show an error about a unit (such as not showing up) and it has no Description string, then show a description string generated form the reverse of unit_name_mangle(). | |
1946 | - after deserializing sockets in socket.c we should reapply sockopts and things | |
1947 | - drop PID 1 reloading, only do reexecing (difficult: Reload() | |
1948 | currently is properly synchronous, Reexec() is weird, because we | |
1949 | cannot delay the response properly until we are back, so instead of | |
1950 | being properly synchronous we just keep open the fd and close it | |
1951 | when done. That means clients do not get a successful method reply, | |
1952 | but much rather a disconnect on success. | |
1953 | - when breaking cycles drop sysv services first, then services from /run, then from /etc, then from /usr | |
1954 | - when a bus name of a service disappears from the bus make sure to queue further activation requests | |
1955 | - maybe introduce CoreScheduling=yes/no to optionally set a PR_SCHED_CORE cookie, so that all | |
1956 | processes in a service's cgroup share the same cookie and are guaranteed not to share SMT cores | |
1957 | with other units https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/Documentation/admin-guide/hw-vuln/core-scheduling.rst | |
1958 | ||
1959 | * unit files: | |
1960 | - allow port=0 in .socket units | |
1961 | - maybe introduce ExecRestartPre= | |
1962 | - implement Register= switch in .socket units to enable registration | |
1963 | in Avahi, RPC and other socket registration services. | |
1964 | - allow Type=simple with PIDFile= | |
1965 | https://bugzilla.redhat.com/show_bug.cgi?id=723942 | |
1966 | - allow writing multiple conditions in unit files on one line | |
1967 | - introduce Type=pid-file | |
1968 | - add a concept of RemainAfterExit= to scope units | |
1969 | - Allow multiple ExecStart= for all Type= settings, so that we can cover rescue.service nicely | |
1970 | - add verification of [Install] section to systemd-analyze verify | |
1971 | ||
1972 | * timer units: | |
1973 | - timer units should get the ability to trigger when DST changes | |
1974 | - Modulate timer frequency based on battery state | |
1975 | ||
1976 | * add libsystemd-password or so to query passwords during boot using the password agent logic | |
1977 | ||
1978 | * clean up date formatting and parsing so that all absolute/relative timestamps we format can also be parsed | |
1979 | ||
1980 | * on shutdown: move utmp, wall, audit logic all into PID 1 (or logind?), get rid of systemd-update-utmp-runlevel | |
1981 | ||
1982 | * make repeated alt-ctrl-del presses printing a dump | |
1983 | ||
1984 | * currently x-systemd.timeout is lost in the initrd, since crypttab is copied into dracut, but fstab is not | |
1985 | ||
1986 | * add a pam module that on password changes updates any LUKS slot where the password matches | |
1987 | ||
1988 | * test/: | |
1989 | - add unit tests for config_parse_device_allow() | |
1990 | ||
1991 | * seems that when we follow symlinks to units we prefer the symlink | |
1992 | destination path over /etc and /usr. We should not do that. Instead | |
1993 | /etc should always override /run+/usr and also any symlink | |
1994 | destination. | |
1995 | ||
1996 | * when isolating, try to figure out a way how we implicitly can order | |
1997 | all units we stop before the isolating unit... | |
1998 | ||
1999 | * teach ConditionKernelCommandLine= globs or regexes (in order to match foobar={no,0,off}) | |
2000 | ||
2001 | * Add ConditionDirectoryNotEmpty= handle non-absoute paths as a search path or add | |
2002 | ConditionConfigSearchPathNotEmpty= or different syntax? See the discussion starting at | |
2003 | https://github.com/systemd/systemd/pull/15109#issuecomment-607740136. | |
2004 | ||
2005 | * BootLoaderSpec: Define a way how an installer can figure out whether a BLS | |
2006 | compliant boot loader is installed. | |
2007 | ||
2008 | * think about requeuing jobs when daemon-reload is issued? use case: | |
2009 | the initrd issues a reload after fstab from the host is accessible | |
2010 | and we might want to requeue the mounts local-fs acquired through | |
2011 | that automatically. | |
2012 | ||
2013 | * systemd-inhibit: make taking delay locks useful: support sending SIGINT or SIGTERM on PrepareForSleep() | |
2014 | ||
2015 | * remove any syslog support from log.c — we probably cannot do this before split-off udev is gone for good | |
2016 | ||
2017 | * shutdown logging: store to EFI var, and store to USB stick? | |
2018 | ||
2019 | * merge unit_kill_common() and unit_kill_context() | |
2020 | ||
2021 | * add a dependency on standard-conf.xml and other included files to man pages | |
2022 | ||
2023 | * MountFlags=shared acts as MountFlags=slave right now. | |
2024 | ||
2025 | * properly handle loop back mounts via fstab, especially regards to fsck/passno | |
2026 | ||
2027 | * initialize the hostname from the fs label of /, if /etc/hostname does not exist? | |
2028 | ||
2029 | * sd-bus: | |
2030 | - EBADSLT handling | |
2031 | - GetAllProperties() on a non-existing object does not result in a failure currently | |
2032 | - port to sd-resolve for connecting to TCP dbus servers | |
2033 | - see if we can introduce a new sd_bus_get_owner_machine_id() call to retrieve the machine ID of the machine of the bus itself | |
2034 | - see if we can drop more message validation on the sending side | |
2035 | - add API to clone sd_bus_message objects | |
2036 | - longer term: priority inheritance | |
2037 | - dbus spec updates: | |
2038 | - NameLost/NameAcquired obsolete | |
2039 | - path escaping | |
2040 | - update systemd.special(7) to mention that dbus.socket is only about the compatibility socket now | |
2041 | ||
2042 | * sd-event | |
2043 | - allow multiple signal handlers per signal? | |
2044 | - document chaining of signal handler for SIGCHLD and child handlers | |
2045 | - define more intervals where we will shift wakeup intervals around in, 1h, 6h, 24h, ... | |
2046 | - maybe support iouring as backend, so that we allow hooking read and write | |
2047 | operations instead of IO ready events into event loops. See considerations | |
2048 | here: | |
2049 | http://blog.vmsplice.net/2020/07/rethinking-event-loop-integration-for.html | |
2050 | ||
2051 | * dbus: when a unit failed to load (i.e. is in UNIT_ERROR state), we | |
2052 | should be able to safely try another attempt when the bus call LoadUnit() is invoked. | |
2053 | ||
2054 | * document org.freedesktop.MemoryAllocation1 | |
2055 | ||
2056 | * maybe do not install getty@tty1.service symlink in /etc but in /usr? | |
2057 | ||
2058 | * print a nicer explanation if people use variable/specifier expansion in ExecStart= for the first word | |
2059 | ||
2060 | * mount: turn dependency information from /proc/self/mountinfo into dependency information between systemd units. | |
2061 | ||
2062 | * EFI: | |
2063 | - honor language efi variables for default language selection (if there are any?) | |
2064 | - honor timezone efi variables for default timezone selection (if there are any?) | |
2065 | - change bootctl to be backed by systemd-bootd to control temporary and persistent default boot goal plus efi variables | |
2066 | * bootctl | |
2067 | - recognize the case when not booted on EFI | |
2068 | ||
2069 | * bootctl,sd-boot: actually honour the "architecture" key | |
2070 | ||
2071 | * bootctl: | |
2072 | - show whether UEFI audit mode is available | |
2073 | - teach it to prepare an ESP wholesale, i.e. with mkfs.vfat invocation | |
2074 | - teach it to copy in unified kernel images and maybe type #1 boot loader spec entries from host | |
2075 | ||
2076 | * logind: | |
2077 | - logind: optionally, ignore idle-hint logic for autosuspend, block suspend as long as a session is around | |
2078 | - logind: wakelock/opportunistic suspend support | |
2079 | - Add pretty name for seats in logind | |
2080 | - logind: allow showing logout dialog from system? | |
2081 | - add Suspend() bus calls which take timestamps to fix double suspend issues when somebody hits suspend and closes laptop quickly. | |
2082 | - if pam_systemd is invoked by su from a process that is outside of a | |
2083 | any session we should probably just become a NOP, since that's | |
2084 | usually not a real user session but just some system code that just | |
2085 | needs setuid(). | |
2086 | - logind: make the Suspend()/Hibernate() bus calls wait for the for | |
2087 | the job to be completed. before returning, so that clients can wait | |
2088 | for "systemctl suspend" to finish to know when the suspending is | |
2089 | complete. | |
2090 | - logind: when the power button is pressed short, just popup a | |
2091 | logout dialog. If it is pressed for 1s, do the usual | |
2092 | shutdown. Inspiration are Macs here. | |
2093 | - expose "Locked" property on logind session objects | |
2094 | - maybe allow configuration of the StopTimeout for session scopes | |
2095 | - rename session scope so that it includes the UID. THat way | |
2096 | the session scope can be arranged freely in slices and we don't have | |
2097 | make assumptions about their slice anymore. | |
2098 | - follow PropertiesChanged state more closely, to deal with quick logouts and | |
2099 | relogins | |
2100 | - (optionally?) spawn seat-manager@$SEAT.service whenever a seat shows up that as CanGraphical set | |
2101 | - expose details of boot entries on the bus. In particular, it should be possible | |
2102 | to query the list of boot entry titles that bootctl / sd-boot would show. | |
2103 | Currently we only expose their identifiers. | |
2104 | ||
2105 | * move multiseat vid/pid matches from logind udev rule to hwdb | |
2106 | ||
2107 | * logind: rework pam_logind to also do a bus call in case of invocation from | |
2108 | user@.service, which returns the XDG_RUNTIME_DIR value, and make this | |
2109 | behaviour selectable via pam module option. | |
2110 | ||
2111 | * delay activation of logind until somebody logs in, or when /dev/tty0 pulls it | |
2112 | in or lingering is on (so that containers don't bother with it until PAM is used). also exit-on-idle | |
2113 | ||
2114 | * journal: | |
2115 | - consider introducing implicit _TTY= + _PPID= + _EUID= + _EGID= + _FSUID= + _FSGID= fields | |
2116 | - journald: also get thread ID from client, plus thread name | |
2117 | - journal: when waiting for journal additions in the client always sleep at least 1s or so, in order to minimize wakeups | |
2118 | - add API to close/reopen/get fd for journal client fd in libsystemd-journal. | |
2119 | - fall back to /dev/log based logging in libsystemd-journal, if we cannot log natively? | |
2120 | - declare the local journal protocol stable in the wiki interface chart | |
2121 | - sd-journal: speed up sd_journal_get_data() with transparent hash table in bg | |
2122 | - journald: when dropping msgs due to ratelimit make sure to write | |
2123 | "dropped %u messages" not only when we are about to print the next | |
2124 | message that works, but already after a short timeout | |
2125 | - check if we can make journalctl by default use --follow mode inside of less if called without args? | |
2126 | - maybe add API to send pairs of iovecs via sd_journal_send | |
2127 | - journal: add a setgid "systemd-journal" utility to invoke from libsystemd-journal, which passes fds via STDOUT and does PK access | |
2128 | - journalctl: support negative filtering, i.e. FOOBAR!="waldo", | |
2129 | and !FOOBAR for events without FOOBAR. | |
2130 | - journal: store timestamp of journal_file_set_offline() in the header, | |
2131 | so it is possible to display when the file was last synced. | |
2132 | - journal-send.c, log.c: when the log socket is clogged, and we drop, count this and write a message about this when it gets unclogged again. | |
2133 | - journal: find a way to allow dropping history early, based on priority, other rules | |
2134 | - journal: When used on NFS, check payload hashes | |
2135 | - journald: add kernel cmdline option to disable ratelimiting for debug purposes | |
2136 | - refuse taking lower-case variable names in sd_journal_send() and friends. | |
2137 | - journald: we currently rotate only after MaxUse+MaxFilesize has been reached. | |
2138 | - journal: deal nicely with byte-by-byte copied files, especially regards header | |
2139 | - journal: sanely deal with entries which are larger than the individual file size, but where the components would fit | |
2140 | - Replace utmp, wtmp, btmp, and lastlog completely with journal | |
2141 | - journalctl: instead --after-cursor= maybe have a --cursor=XYZ+1 syntax? | |
2142 | - when a kernel driver logs in a tight loop, we should ratelimit that too. | |
2143 | - journald: optionally, log debug messages to /run but everything else to /var | |
2144 | - journald: when we drop syslog messages because the syslog socket is | |
2145 | full, make sure to write how many messages are lost as first thing | |
2146 | to syslog when it works again. | |
2147 | - journald: allow per-priority and per-service retention times when rotating/vacuuming | |
2148 | - journald: make use of uid-range.h to managed uid ranges to split | |
2149 | journals in. | |
2150 | - journalctl: add the ability to look for the most recent process of a binary. journalctl /usr/bin/X11 --pid=-1 or so... | |
2151 | - improve journalctl performance by loading journal files | |
2152 | lazily. Encode just enough information in the file name, so that we | |
2153 | do not have to open it to know that it is not interesting for us, for | |
2154 | the most common operations. | |
2155 | - man: document that corrupted journal files is nothing to act on | |
2156 | - rework journald sigbus stuff to use mutex | |
2157 | - Set RLIMIT_NPROC for systemd-journal-xyz, and all other of our | |
2158 | services that run under their own user ids, and use User= (but only | |
2159 | in a world where userns is ubiquitous since otherwise we cannot | |
2160 | invoke those daemons on the host AND in a container anymore). Also, | |
2161 | if LimitNPROC= is used without User= we should warn and refuse | |
2162 | operation. | |
2163 | - journalctl --verify: don't show files that are currently being | |
2164 | written to as FAIL, but instead show that they are being written to. | |
2165 | - add journalctl -H that talks via ssh to a remote peer and passes through | |
2166 | binary logs data | |
2167 | - add a version of --merge which also merges /var/log/journal/remote | |
2168 | - journalctl: -m should access container journals directly by enumerating | |
2169 | them via machined, and also watch containers coming and going. | |
2170 | Benefit: nspawn --ephemeral would start working nicely with the journal. | |
2171 | - assign MESSAGE_ID to log messages about failed services | |
2172 | - check if loop in decompress_blob_xz() is necessary | |
2173 | ||
2174 | * journald: support RFC3164 fully for the incoming syslog transport, see | |
2175 | https://github.com/systemd/systemd/issues/19251#issuecomment-816601955 | |
2176 | ||
2177 | * Hook up journald's FSS logic with TPM2: seal the verification disk by | |
2178 | time-based policy, so that the verification key can remain on host and ve | |
2179 | validated via TPM. | |
2180 | ||
2181 | * rework journalctl -M to be based on a machined method that generates a mount | |
2182 | fd of the relevant journal dirs in the container with uidmapping applied to | |
2183 | allow the host to read it, while making everything read-only. | |
2184 | ||
2185 | * journald: add varlink service that allows subscribing to certain log events, | |
2186 | for example matching by message ID, or log level returns a list of journal | |
2187 | cursors as they happen. | |
2188 | ||
2189 | * journald: also collect CLOCK_BOOTTIME timestamps per log entry. Then, derive | |
2190 | "corrected" CLOCK_REALTIME information on display from that and the timestamp | |
2191 | info of the newest entry of the specific boot (as identified by the boot | |
2192 | ID). This way, if a system comes up without a valid clock but acquires a | |
2193 | better clock later, we can "fix" older entry timestamps on display, by | |
2194 | calculating backwards. We cannot use CLOCK_MONOTONIC for this, since it does | |
2195 | not account for suspend phases. This would then also enable us to correct the | |
2196 | kmsg timestamping we consume (where we erroneously assume the clock was in | |
2197 | CLOCK_MONOTONIC, but it actually is CLOCK_BOOTTIME as per kernel). | |
2198 | ||
2199 | * in journald, write out a recognizable log record whenever the system clock is | |
2200 | changed ("stepped"), and in timesyncd whenever we acquire an NTP fix | |
2201 | ("slewing"). Then, in journalctl for each boot time we come across, find | |
2202 | these records, and use the structured info they include to display | |
2203 | "corrected" wallclock time, as calculated from the monotonic timestamp in the | |
2204 | log record, adjusted by the delta declared in the structured log record. | |
2205 | ||
2206 | * in journald: whenever we start a new journal file because the boot ID | |
2207 | changed, let's generate a recognizable log record containing info about old | |
2208 | and new ID. Then, when displaying log stream in journalctl look for these | |
2209 | records, to be able to order them. | |
2210 | ||
2211 | * journald: generate recognizable log events whenever we shutdown journald | |
2212 | cleanly, and when we migrate run → var. This way tools can verify that a | |
2213 | previous boot terminated cleanly, because either of these two messages must | |
2214 | be safely written to disk, then. | |
2215 | ||
2216 | * hook up journald with TPMs? measure new journal records to the TPM in regular | |
2217 | intervals, validate the journal against current TPM state with that. (taking | |
2218 | inspiration from IMA log) | |
2219 | ||
2220 | * sd-journal puts a limit on parallel journal files to view at once. journald | |
2221 | should probably honour that same limit (JOURNAL_FILES_MAX) when vacuuming to | |
2222 | ensure we never generate more files than we can actually view. | |
2223 | ||
2224 | * maybe add a tool that displays most recent journal logs as QR code to scan | |
2225 | off screen and run it automatically on boot failures, emergency logs and | |
2226 | such. Use DRM APIs directly, see | |
2227 | https://github.com/dvdhrm/docs/blob/master/drm-howto/modeset.c for an example | |
2228 | for doing that. | |
2229 | ||
2230 | * maybe implicitly attach monotonic+realtime timestamps to outgoing messages in | |
2231 | log.c and sd-journal-send | |
2232 | ||
2233 | * journalctl/timesyncd: whenever timesyncd acquires a synchronization from NTP, | |
2234 | create a structured log entry that contains boot ID, monotonic clock and | |
2235 | realtime clock (I mean, this requires no special work, as these three fields | |
2236 | are implicit). Then in journalctl when attempting to display the realtime | |
2237 | timestamp of a log entry, first search for the closest later log entry | |
2238 | of this kinda that has a matching boot id, and convert the monotonic clock | |
2239 | timestamp of the entry to the realtime clock using this info. This way we can | |
2240 | retroactively correct the wallclock timestamps, in particular for systems | |
2241 | without RTC, i.e. where initially wallclock timestamps carry rubbish, until | |
2242 | an NTP sync is acquired. | |
2243 | ||
2244 | * introduce per-unit (i.e. per-slice, per-service) journal log size limits. | |
2245 | ||
2246 | * journald: do journal file writing out-of-process, with one writer process per | |
2247 | client UID, so that synthetic hash table collisions can slow down a specific | |
2248 | user's journal stream down but not the others. | |
2249 | ||
2250 | * tweak journald context caching. In addition to caching per-process attributes | |
2251 | keyed by PID, cache per-cgroup attributes (i.e. the various xattrs we read) | |
2252 | keyed by cgroup path, and guarded by ctime changes. This should provide us | |
2253 | with a nice speed-up on services that have many processes running in the same | |
2254 | cgroup. | |
2255 | ||
2256 | * maybe add call sd_journal_set_block_timeout() or so to set SO_SNDTIMEO for | |
2257 | the sd-journal logging socket, and, if the timeout is set to 0, sets | |
2258 | O_NONBLOCK on it. That way people can control if and when to block for | |
2259 | logging. | |
2260 | ||
2261 | * journalctl: make sure -f ends when the container indicated by -M terminates | |
2262 | ||
2263 | * journald: sigbus API via a signal-handler safe function that people may call | |
2264 | from the SIGBUS handler | |
2265 | ||
2266 | * add a test if all entries in the catalog are properly formatted. | |
2267 | (Adding dashes in a catalog entry currently results in the catalog entry | |
2268 | being silently skipped. journalctl --update-catalog must warn about this, | |
2269 | and we should also have a unit test to check that all our message are OK.) | |
2270 | ||
2271 | * build short web pages out of each catalog entry, build them along with man | |
2272 | pages, and include hyperlinks to them in the journal output | |
2273 | ||
2274 | * homed: | |
2275 | - when user tries to log into record signed by unrecognized key, automatically add key to our chain after polkit auth | |
2276 | - rollback when resize fails mid-operation | |
2277 | - GNOME's side for forget key on suspend (requires rework so that lock screen runs outside of uid) | |
2278 | - update LUKS password on login if we find there's a password that unlocks the JSON record but not the LUKS device. | |
2279 | - create on activate? | |
2280 | - properties: icon url?, preferred session type?, administrator bool (which translates to 'wheel' membership)?, address?, telephone?, vcard?, samba stuff?, parental controls? | |
2281 | - communicate clearly when usb stick is safe to remove. probably involves | |
2282 | beefing up logind to make pam session close hook synchronous and wait until | |
2283 | systemd --user is shut down. | |
2284 | - logind: maybe keep a "busy fd" as long as there's a non-released session around or the user@.service | |
2285 | - maybe make automatic, read-only, time-based reflink-copies of LUKS disk | |
2286 | images (and btrfs snapshots of subvolumes) (think: time machine) | |
2287 | - distinguish destroy / remove (i.e. currently we can unregister a user, unregister+remove their home directory, but not just remove their home directory) | |
2288 | - in systemd's PAMName= logic: query passwords with ssh-askpassword, so that we can make "loginctl set-linger" mode work | |
2289 | - fingerprint authentication, pattern authentication, … | |
2290 | - make sure "classic" user records can also be managed by homed | |
2291 | - make size of $XDG_RUNTIME_DIR configurable in user record | |
2292 | - move acct mgmt stuff from pam_systemd_home to pam_systemd? | |
2293 | - when "homectl --pkcs11-token-uri=" is used, synthesize ssh-authorized-keys records for all keys we have private keys on the stick for | |
2294 | - make slice for users configurable (requires logind rework) | |
2295 | - logind: populate auto-login list bus property from PKCS#11 token | |
2296 | - when determining state of a LUKS home directory, check DM suspended sysfs file | |
2297 | - when homed is in use, maybe start the user session manager in a mount namespace with MS_SLAVE, | |
2298 | so that mounts propagate down but not up - eg, user A setting up a backup volume | |
2299 | doesn't mean user B sees it | |
2300 | - use credentials logic/TPM2 logic to store homed signing key | |
2301 | - permit multiple user record signing keys to be used locally, and pick | |
2302 | the right one for signing records automatically depending on a pre-existing | |
2303 | signature | |
2304 | - add a way to "adopt" a home directory, i.e. strip foreign signatures | |
2305 | and insert a local signature instead. | |
2306 | - as an extension to the directory+subvolume backend: if located on | |
2307 | especially marked fs, then sync down password into LUKS header of that fs, | |
2308 | and always verify passwords against it too. Bootstrapping is a problem | |
2309 | though: if no one is logged in (or no other user even exists yet), how do you | |
2310 | unlock the volume in order to create the first user and add the first pw. | |
2311 | - support new FS_IOC_ADD_ENCRYPTION_KEY ioctl for setting up fscrypt | |
2312 | - maybe pre-create ~/.cache as subvol so that it can have separate quota | |
2313 | easily? | |
2314 | - store PKCS#11 + FIDO2 token info in LUKS2 header, compatible with | |
2315 | systemd-cryptsetup, so that it can unlock homed volumes | |
2316 | - maybe make all *.home files owned by `systemd-home` user or so, so that we | |
2317 | can easily set overall quota for all users | |
2318 | - on login, if we can't fallocate initially, but rebalance is on, then allow | |
2319 | login in discard mode, then immediately rebalance, then turn off discard | |
2320 | - add "homectl unbind" command to remove local user record of an inactive | |
2321 | home dir | |
2322 | ||
2323 | * add a new switch --auto-definitions=yes/no or so to systemd-repart. If | |
2324 | specified, synthesize a definition automatically if we can: enlarge last | |
2325 | partition on disk, but only if it is marked for growing and not read-only. | |
2326 | ||
2327 | * systemd-repart: read LUKS encryption key from $CREDENTIALS_DIRECTORY | |
2328 | ||
2329 | * systemd-repart: add a switch to factory reset the partition table without | |
2330 | immediately applying the new configuration again. i.e. --factory-reset=leave | |
2331 | or so. (this is useful to factory reset an image, then putting it into | |
2332 | another machine, ensuring that luks key is generated on new machine, not old) | |
2333 | ||
2334 | * systemd-repart: support setting up dm-integrity with HMAC | |
2335 | ||
2336 | * systemd-repart: maybe remove half-initialized image on failure. It fails | |
2337 | if the output file exists, so a repeated invocation will usually fail if | |
2338 | something goes wrong on the way. | |
2339 | ||
2340 | * systemd-repart: by default generate minimized partition tables (i.e. tables | |
2341 | that only cover the space actually used, excluding any free space at the | |
2342 | end), in order to maximize dd'ability. Requires libfdisk work, see | |
2343 | https://github.com/karelzak/util-linux/issues/907 | |
2344 | ||
2345 | * systemd-repart: MBR partition table support. Care needs to be taken regarding | |
2346 | Type=, so that partition definitions can sanely apply to both the GPT and the | |
2347 | MBR case. Idea: accept syntax "Type=gpt:home mbr:0x83" for setting the types | |
2348 | for the two partition types explicitly. And provide an internal mapping so | |
2349 | that "Type=linux-generic" maps to the right types for both partition tables | |
2350 | automatically. | |
2351 | ||
2352 | * systemd-repart: allow sizing partitions as factor of available RAM, so that | |
2353 | we can reasonably size swap partitions for hibernation. | |
2354 | ||
2355 | * systemd-repart: allow boolean option that ensures that if existing partition | |
2356 | doesn't exist within the configured size bounds the whole command fails. This | |
2357 | is useful to implement ESP vs. XBOOTLDR schemes in installers: have one set | |
2358 | of repart files for the case where ESP is large enough and one where it isn't | |
2359 | and XBOOTLDR is added in instead. Then apply the former first, and if it | |
2360 | fails to apply use the latter. | |
2361 | ||
2362 | * systemd-repart: add per-partition option to never reuse existing partition | |
2363 | and always create anew even if matching partition already exists. | |
2364 | ||
2365 | * systemd-repart: add per-partition option to fail if partition already exist, | |
2366 | i.e. is not added new. Similar, add option to fail if partition does not exist yet. | |
2367 | ||
2368 | * systemd-repart: allow disabling growing of specific partitions, or making | |
2369 | them (think ESP: we don't ever want to grow it, since we cannot resize vfat) | |
2370 | Also add option to disable operation via kernel command line. | |
2371 | ||
2372 | * systemd-repart: make it a static checker during early boot for existence and | |
2373 | absence of other partitions for trusted boot environments | |
2374 | ||
2375 | * systemd-repart: add support for SD_GPT_FLAG_GROWFS also on real systems, i.e. | |
2376 | generate some unit to actually enlarge the fs after growing the partition | |
2377 | during boot. | |
2378 | ||
2379 | * systemd-repart: do not print "Successfully resized …" when no change was done. | |
2380 | ||
2381 | * document: | |
2382 | - document that deps in [Unit] sections ignore Alias= fields in | |
2383 | [Install] units of other units, unless those units are disabled | |
2384 | - man: clarify that time-sync.target is not only sysv compat but also useful otherwise. Same for similar targets | |
2385 | - document that service reload may be implemented as service reexec | |
2386 | - add a man page containing packaging guidelines and recommending usage of things like Documentation=, PrivateTmp=, PrivateNetwork= and ReadOnlyDirectories=/etc /usr. | |
2387 | - document systemd-journal-flush.service properly | |
2388 | - documentation: recommend to connect the timer units of a service to the service via Also= in [Install] | |
2389 | - man: document the very specific env the shutdown drop-in tools live in | |
2390 | - man: add more examples to man pages, | |
2391 | - in particular an example how to do the equivalent of switching runlevels | |
2392 | - man: maybe sort directives in man pages, and take sections from --help and apply them to man too | |
2393 | - document root=gpt-auto properly | |
2394 | ||
2395 | * systemctl: | |
2396 | - add systemctl switch to dump transaction without executing it | |
2397 | - Add a verbose mode to "systemctl start" and friends that explains what is being done or not done | |
2398 | - print nice message from systemctl --failed if there are no entries shown, and hook that into ExecStartPre of rescue.service/emergency.service | |
2399 | - add new command to systemctl: "systemctl system-reexec" which reexecs as many daemons as virtually possible | |
2400 | - systemctl enable: fail if target to alias into does not exist? maybe show how many units are enabled afterwards? | |
2401 | - systemctl: "Journal has been rotated since unit was started." message is misleading | |
2402 | ||
2403 | * introduce an option (or replacement) for "systemctl show" that outputs all | |
2404 | properties as JSON, similar to busctl's new JSON output. In contrast to that | |
2405 | it should skip the variant type string though. | |
2406 | ||
2407 | * Add a "systemctl list-units --by-slice" mode or so, which rearranges the | |
2408 | output of "systemctl list-units" slightly by showing the tree structure of | |
2409 | the slices, and the units attached to them. | |
2410 | ||
2411 | * add "systemctl wait" or so, which does what "systemd-run --wait" does, but | |
2412 | for all units. It should be both a way to pin units into memory as well as a | |
2413 | wait to retrieve their exit data. | |
2414 | ||
2415 | * show whether a service has out-of-date configuration in "systemctl status" by | |
2416 | using mtime data of ConfigurationDirectory=. | |
2417 | ||
2418 | * "systemctl preset-all" should probably order the unit files it | |
2419 | operates on lexicographically before starting to work, in order to | |
2420 | ensure deterministic behaviour if two unit files conflict (like DMs | |
2421 | do, for example) | |
2422 | ||
2423 | * add "systemctl start -v foobar.service" that shows logs of a service | |
2424 | while the start command runs. This is non-trivial to do without | |
2425 | races though, since we should flush out all journal messages before | |
2426 | returning from the "systemctl stop". | |
2427 | ||
2428 | * systemctl: if some operation fails, show log output? | |
2429 | ||
2430 | * Add a new verb "systemctl top" | |
2431 | ||
2432 | * unit install: | |
2433 | - "systemctl mask" should find all names by which a unit is accessible | |
2434 | (i.e. by scanning for symlinks to it) and link them all to /dev/null | |
2435 | ||
2436 | * nspawn: | |
2437 | - emulate /dev/kmsg using CUSE and turn off the syslog syscall | |
2438 | with seccomp. That should provide us with a useful log buffer that | |
2439 | systemd can log to during early boot, and disconnect container logs | |
2440 | from the kernel's logs. | |
2441 | - as soon as networkd has a bus interface, hook up --network-interface=, | |
2442 | --network-bridge= with networkd, to trigger netdev creation should an | |
2443 | interface be missing | |
2444 | - a nice way to boot up without machine id set, so that it is set at boot | |
2445 | automatically for supporting --ephemeral. Maybe hash the host machine id | |
2446 | together with the machine name to generate the machine id for the container | |
2447 | - fix logic always print a final newline on output. | |
2448 | https://github.com/systemd/systemd/pull/272#issuecomment-113153176 | |
2449 | - should optionally support receiving WATCHDOG=1 messages from its payload | |
2450 | PID 1... | |
2451 | - optionally automatically add FORWARD rules to iptables whenever nspawn is | |
2452 | running, remove them when shut down. | |
2453 | - add support for sysext extensions, too. i.e. a new --extension= switch that | |
2454 | takes one or more arguments, and applies the extensions already during | |
2455 | startup. | |
2456 | - when main nspawn supervisor process gets suspended due to SIGSTOP/SIGTTOU | |
2457 | or so, freeze the payload too. | |
2458 | - support time namespaces | |
2459 | - on cgroupsv1 issue cgroup empty handler process based on host events, so | |
2460 | that we make cgroup agent logic safe | |
2461 | - add API to invoke binary in container, then use that as fallback in | |
2462 | "machinectl shell" | |
2463 | - make nspawn suitable for shell pipelines: instead of triggering a hangup | |
2464 | when input is finished, send ^D, which synthesizes an EOF. Then wait for | |
2465 | hangup or ^D before passing on the EOF. | |
2466 | - greater control over selinux label? | |
2467 | - support that /proc, /sys/, /dev are pre-mounted | |
2468 | - maybe allow TPM passthrough, backed by swtpm, and measure --image= hash | |
2469 | into its PCR 11, so that nspawn instances can be TPM enabled, and partake | |
2470 | in measurements/remote attestation and such. swtpm would run outside of | |
2471 | control of container, and ideally would itself bind its encryption keys to | |
2472 | host TPM. | |
2473 | - make boot assessment do something sensible in a container. i.e send an | |
2474 | sd_notify() from payload to container manager once boot-up is completed | |
2475 | successfully, and use that in nspawn for dealing with boot counting, | |
2476 | implemented in the partition table labels and directory names. | |
2477 | - optionally set up nftables/iptables routes that forward UDP/TCP traffic on | |
2478 | port 53 to resolved stub 127.0.0.54 | |
2479 | - maybe optionally insert .nspawn file as GPT partition into images, so that | |
2480 | such container images are entirely stand-alone and can be updated as one. | |
2481 | - The subreaper logic we currently have seems overly complex. We should | |
2482 | investigate whether creating the inner child with CLONE_PARENT isn't better. | |
2483 | - Reduce the number of sockets that are currently in use and just rely on one | |
2484 | or two sockets. | |
2485 | - Support running nspawn as an unprivileged user. | |
2486 | ||
2487 | * machined: | |
2488 | - add an API so that libvirt-lxc can inform us about network interfaces being | |
2489 | removed or added to an existing machine | |
2490 | - "machinectl migrate" or similar to copy a container from or to a | |
2491 | difference host, via ssh | |
2492 | - introduce systemd-nspawn-ephemeral@.service, and hook it into | |
2493 | "machinectl start" with a new --ephemeral switch | |
2494 | - "machinectl status" should also show internal logs of the container in | |
2495 | question | |
2496 | - "machinectl history" | |
2497 | - "machinectl diff" | |
2498 | - "machinectl commit" that takes a writable snapshot of a tree, invokes a | |
2499 | shell in it, and marks it read-only after use | |
2500 | ||
2501 | * udev: | |
2502 | - move to LGPL | |
2503 | - kill scsi_id | |
2504 | - add trigger --subsystem-match=usb/usb_device device | |
2505 | - reimport udev db after MOVE events for devices without dev_t | |
2506 | - re-enable ProtectClock= once only cgroupsv2 is supported. | |
2507 | See f562abe2963bad241d34e0b308e48cf114672c84. | |
2508 | ||
2509 | * coredump: | |
2510 | - save coredump in Windows/Mozilla minidump format | |
2511 | - when truncating coredumps, also log the full size that the process had, and make a metadata field so we can report truncated coredumps | |
2512 | - add examples for other distros in ELF_PACKAGE_METADATA | |
2513 | ||
2514 | * support crash reporting operation modes (https://live.gnome.org/GnomeOS/Design/Whiteboards/ProblemReporting) | |
2515 | ||
2516 | * tmpfiles: | |
2517 | - allow time-based cleanup in r and R too | |
2518 | - instead of ignoring unknown fields, reject them. | |
2519 | - creating new directories/subvolumes/fifos/device nodes | |
2520 | should not follow symlinks. None of the other adjustment or creation | |
2521 | calls follow symlinks. | |
2522 | - teach tmpfiles.d q/Q logic something sensible in the context of XFS/ext4 | |
2523 | project quota | |
2524 | - teach tmpfiles.d m/M to move / atomic move + symlink old -> new | |
2525 | - add new line type for setting btrfs subvolume attributes (i.e. rw/ro) | |
2526 | - tmpfiles: add new line type for setting fcaps | |
2527 | - add -n as shortcut for --dry-run in tmpfiles & sysusers & possibly other places | |
2528 | ||
2529 | * udev-link-config: | |
2530 | - Make sure ID_PATH is always exported and complete for | |
2531 | network devices where possible, so we can safely rely | |
2532 | on Path= matching | |
2533 | ||
2534 | * sd-rtnl: | |
2535 | - add support for more attribute types | |
2536 | - inbuilt piping support (essentially degenerate async)? see loopback-setup.c and other places | |
2537 | ||
2538 | * networkd: | |
2539 | - add more keys to [Route] and [Address] sections | |
2540 | - add support for more DHCPv4 options (and, longer term, other kinds of dynamic config) | |
2541 | - add reduced [Link] support to .network files | |
2542 | - properly handle routerless dhcp leases | |
2543 | - work with non-Ethernet devices | |
2544 | - dhcp: do we allow configuring dhcp routes on interfaces that are not the one we got the dhcp info from? | |
2545 | - the DHCP lease data (such as NTP/DNS) is still made available when | |
2546 | a carrier is lost on a link. It should be removed instantly. | |
2547 | - expose in the API the following bits: | |
2548 | - option 15, domain name | |
2549 | - option 12, hostname and/or option 81, fqdn | |
2550 | - option 123, 144, geolocation | |
2551 | - option 252, configure http proxy (PAC/wpad) | |
2552 | - provide a way to define a per-network interface default metric value | |
2553 | for all routes to it. possibly a second default for DHCP routes. | |
2554 | - allow Name= to be specified repeatedly in the [Match] section. Maybe also | |
2555 | support Name=foo*|bar*|baz ? | |
2556 | - whenever uplink info changes, make DHCP server send out FORCERENEW | |
2557 | ||
2558 | * in networkd, when matching device types, fix up DEVTYPE rubbish the kernel passes to us | |
2559 | ||
2560 | * Figure out how to do unittests of networkd's state serialization | |
2561 | ||
2562 | * dhcp: | |
2563 | - figure out how much we can increase Maximum Message Size | |
2564 | ||
2565 | * dhcp6: | |
2566 | - add functions to set previously stored IPv6 addresses on startup and get | |
2567 | them at shutdown; store them in client->ia_na | |
2568 | - write more test cases | |
2569 | - implement reconfigure support, see 5.3., 15.11. and 22.20. | |
2570 | - implement support for temporary addresses (IA_TA) | |
2571 | - implement dhcpv6 authentication | |
2572 | - investigate the usefulness of Confirm messages; i.e. are there any | |
2573 | situations where the link changes without any loss in carrier detection | |
2574 | or interface down | |
2575 | - some servers don't do rapid commit without a filled in IA_NA, verify | |
2576 | this behavior | |
2577 | - RouteTable= ? | |
2578 | ||
2579 | * shared/wall: Once more programs are taught to prefer sd-login over utmp, | |
2580 | switch the default wall implementation to wall_logind | |
2581 | (https://github.com/systemd/systemd/pull/29051#issuecomment-1704917074) |