Daan De Meyer [Fri, 21 Feb 2025 21:41:26 +0000 (22:41 +0100)]
sbsign: Don't set bit in SpcPeImageData->flags
Neither sbsign nor pesign set this flag in SpcPeImageData->flags,
which is about which resources should be included specifying "Which
portions of the Windows PE file are hashed." according to the
authenticode spec. However, this is followed by "Although flags is
always present, it is ignored when calculating the file hash for both
signing and verification purposes". So as it doesn't seem to do
anything useful and the other tools don't set any of these flags
either, let's follow suite and not set this flag ourselves either.
Luca Boccassi [Fri, 21 Feb 2025 21:32:27 +0000 (21:32 +0000)]
mkosi: add libapparmor1 to package list for opensuse
TEST-02-UNITTESTS.sh[4381]: [ 2329.636166] test-dlopen-so[650]: libapparmor.so.1 is not installed: libapparmor.so.1: cannot open shared object file: No such file or directory
TEST-02-UNITTESTS.sh[4381]: [ 2329.636174] test-dlopen-so[650]: Assertion 'dlopen_libapparmor() >= 0' failed at src/test/test-dlopen-so.c:103, function run(). Aborting.
Mike Yuan [Sun, 7 Jul 2024 17:35:40 +0000 (19:35 +0200)]
core: dlopen()'ify libapparmor
In Arch Linux we currently have a half-baked apparmor support,
in particular we cannot link systemd to libapparmor for service
context integration, since that will pull apparmor into base system.
Hence, let's turn this into a dlopen dep.
Support booting from rootfs acquired via HTTP (#36314)
This extends systemd-import-generator to not only download a disk image
at boot, but also attach it to a loopback device, so that we can boot
from it.
We have most of the pieces already in place, this just polishes some
things, to make this round.
The topmost commit contains example command lines that just work to make
`systemd-vmspawn` boot from a `mkosi serve` call.
Note that this does not address how to get the UKI running on the target
system, this only deals with the later boot phase once the UKI is
already running.
This is WIP, because it lacks docs, and I want to do some more
polishing. But it works great.
Ultimate goal, provide a complete solution so that we also can do uefi
http boot for ukis
Assuming sd-boot is available inside the ESP of foobar.raw a new item
will show up in the boot menu that allows booting directly into the
specified UKI.
This one is between "efi" and "linux": we'll recognize such entries as
linux, but we'll just invoke them as EFI binaries.
This creates a high-level concept for invoking UKIs via indirection of a
bls type #1 entry, for example to permit invocation from a non-standard
path or for giving entries a different name.
gpt-auto-generator: if root=gpt-auto is specified on kernel cmdline, always wait for /dev/gpt-auto-root symlink
So far our login in gpt-auto-generator when run in the initrd has been
to generate the units that wait for /dev/gpt-auto-root to show up and
mount them only if we have the loader partition EFI variables set. This
is of course not the case for network boots with a UKI kernel, which
means auto-gpt would not work for mounting the rootfs.
What's nasty is that we don't know for sure whether the "rootdisk"
loopback device will shown up eventually, as it needs explicit
configuration by the user via the kernel cmdline, or could be configured
entirely indepdenently. Hence, let's tweak the logic when we wat for
/dev/gpt-auto-root as device to mount: make the gpt auto root logic a
tristate: if root=gpt-auto is specified on the cmdline *definitely*
enable the logic. If root= is specified and set to anyting else,
*definitely* disable the logic. And if root= is not specified check for
the EFI partition vars – as before – to conditionalized things.
Or in other words, you can now boot the same image either via ESP/local
boot or via netboot with a kernelcmdline image like this:
udev-builtin-blkid: use loopback block device 'ref' field fo determining gpt-auto whole block device
So far the gpt-auto logic only looked for the partition table of devices
that the ESP/XBOOTLDR partition used to boot was on. This works great
for local boots, but is more problematic if we boot a UKI via UEFI HTTP
boot, because there is no ESP in play in that case.
Let's introduce an alternative to communicate the intended default root
disk to cover for this situation: any loopback block device whose
backing file field (i.e. the userspace controlled freeform field we use
for /dev/disk/by-loop-ref/ naming) is set to "rootdisk" will be consider
for gpt-auto will be consider for gpt-auto.
With this in place we should have nice automatic behaviour:
1. If we are booted locally we'll get the ESP/XBOOTLDR data, and derive
the root disk from that.
2. If we are booted via UEFI HTTP boot we expect that the caller makes
the loopback device appear with the right loop-ref identifier, and
then will use that.
import-generator: give import services better names
Previously, we'd name the import services numerically. Let's instead use
the local target file name, i.e. the object we are creating with these
services locally. That's useful so that we can robustely order against
these service instances, should we need to one day.
import-generator: optionally import images into /run/ hierarchy rather than /var/
This is useful in particular in the initrd, as this ensures any
downloaded images are not deleted during the initrd→host transition
(where /var/ does not survive, but /run/ does). Might be useful in other
cases too, for example for transiently deployed confexts and such.
This will then boot via the ESP of the specified image, then download
the image via HTTP from the mkosi instance running in the first
terminal, attach it to a loopback block device, and then use its second
partition as root fs, and boot into it.
(this assumes your host is 192.168.100.1, of course)
Note that downloading the full image takes a bit of time (this downloads
it uncompressed after all), hence we turn off the timeout to wait for
the device.
This also introduces a new "imports.target" unit (and associated
"imports-pre.target") between imports are grouped, and which ensure the
imports actually are ordered correctly both on the host and in the
initrd.
Luca Boccassi [Fri, 21 Feb 2025 00:27:17 +0000 (00:27 +0000)]
exec-invoke: Use FORK_DETACH when forking off pid namespace child (#36446)
This ensures the child process is immediately re-parented to the
manager process which avoids a "Supervising process xxx which is
not our child. We'll most likely not notice when it exits." warning
which can currently happen if the parent systemd-executor parent
process sends the pid namespace child process pidref to the manager
process and the manager process dispatches the child process pidref
before the systemd-executor parent process exits, since at that point
the pid namespace child process's parent will still be the
systemd-executor parent process and not the manager process.
Daan De Meyer [Wed, 19 Feb 2025 19:57:24 +0000 (20:57 +0100)]
exec-invoke: Use FORK_DETACH when forking off pid namespace child
This ensures the child process is immediately re-parented to the
manager process which avoids a "Supervising process xxx which is
not our child. We'll most likely not notice when it exits." warning
which can currently happen if the parent systemd-executor parent
process sends the pid namespace child process pidref to the manager
process and the manager process dispatches the child process pidref
before the systemd-executor parent process exits, since at that point
the pid namespace child process's parent will still be the
systemd-executor parent process and not the manager process.
Daan De Meyer [Thu, 20 Feb 2025 08:24:58 +0000 (09:24 +0100)]
process-util: Implement safe_fork_full() on top of pidref_safe_fork_full()
Let's switch things around, and move the internals of safe_fork_full() into
pidref_safe_fork_full() and make safe_fork_full() a trivial wrapper on top
of pidref_safe_fork_full().
Daan De Meyer [Thu, 20 Feb 2025 18:53:00 +0000 (19:53 +0100)]
Fix race in io.systemd.Machine.Open() test case (#36410)
This started out as a simple attempt to fix a race in an existing test
case for io.systemd.Machine.Open(). To address it nicely I added some
machinery to varlinkctl and systemd-notify though, and because of that I
refacting reception of sd_notify() messages in various places of our
codebase. So it became much much bigger.
This ports all receivers of sd_notify() messages over to a new common
implementation, except for one: the one in PID1. It's more powerful than
the others, since it accepts fds too. I think we should generalize
notify_recv() to cover that too, it's not that much more work, but for
now I didn't want to add even more refactorings on top, and this can
easily happen later separately, hence I left it out for now.
Philip Withnall [Thu, 20 Feb 2025 18:15:43 +0000 (18:15 +0000)]
docs: Clarify that login1 signals are not emitted for convenience objects
While this is obvious if you spend a few minutes thinking about how
D-Bus signals work (in this case, they are broadcast from a system
service, so cannot apply to a specific user/session/seat), it’s a bit
easy to overlook this while putting code together which uses the login1
D-Bus API, so it’s helpful to point this hazard out specifically in the
docs.
The signals can only be emitted on the canonical objects. The
convenience objects are useful for method calls, as the calling context
can be used to dereference ‘self’ and ‘auto’, but this can’t work for
signals.
Signed-off-by: Philip Withnall <pwithnall@gnome.org>
core: also check boot ID and product UUID in ConditionHost=
Sometimes it's interesting to condition units not just on the
installation but on the physical device. Let's make ConditionHost=
useful for that kind of checks, and while we are at it, also allow it to
be used for condition checks on the boot id.
Overloading like this is safe, since UUIDs are globally unique after
all, and hence there should be no conflicts between the namespace of
boot ids, machine ids and product ids.
Finally, relax rules on uuid checking: if the specified string parses
as uuid or id, also check it against the hostname, for setups where
people name hosts after uuids. I wouldn't know why anyone would do that,
but also, why not? shouldn'rt hurt allowing them and should not create
ambiguity conflicts.
Previously, one of the io.systemd.Machine.Open() tests would invoke a
command line via machined, and then check if it ran properly. This was
implemented in a racy fashion: the client side would immediately close
the pty fd allocated for the operation, thus triggering an immediate
SIGHUP on the other side. Now, depending whether this client was quicker
in closing or the server was quicker in executing the command line this
was a race.
Fix this comprehensively: let's first wait for the varlink operation to
complete via the new "systemd-notify --fork" logic (because varlinkctl
sends out READY=1 once handing off to --exec). Secondly let's use
varlinkctl's --exec logic to invoke a process which keeps open the open
pty until we kill it (we just use sleep for that).
(Also add some more tests for the varlinkctl --exec stuff)
This new switch makes it possible to process fds attached to a varlink
reply: if specified it will execute a command line specified by the
caller, will pass the response json as stdin, and any fds acquired as
fd3, fd4, …
homed: explicitly set access mode of private/public signing key pair
So far we relied that the temporary file logic would create the key
files with 0600 mode, but let's set the access mode explicitly:
1. Tighten private key file access from 0600 to 0400, after all we never
want to write it again, it's not a mutable file.
2. Relaxed public key file access mode from 0600 to 0444, after all it's
a public key file, and people should be able to see it if they want
This is useful for propagating the key onto other systems if needed.
homed: return the correct error if an image file is not present when we try to activate it
We already return BUS_ERROR_HOME_ABSENT when we detect the image being
absent before we fork off the homework worker. Let's also return the
same error if the homework process notices the same condition while
actually doing something.
This mostly fixes a race, that the same condition seen at different
points in time results in the same errors.
Daan De Meyer [Thu, 20 Feb 2025 14:08:53 +0000 (15:08 +0100)]
mkosi: Enable userdb tmpfiles dropin on Fedora/CentOS
It's disabled by default in the Fedora spec, but still available
as an example file. Let's symlink it to the proper name in the images
to enable it again.
Let's accept full user records (including status and so on) and simply
eat up the parts we don't care about, instead of refusing the whole
record wholesale.
This makes it easier to just copy a user record from one machine and
registering it at another, without stripping the irrelevant parts first.
timedated: Send error when time set is past build date time
When the user/customer sets the time on the system which is prior
than that of the systemd build time, as systemd doesn't allow time
before it's build date after a reboot, systemd is resetting it but
there is no error or exception present in the setTime method due
to which user/customer is unaware of why the time is reset back to
the systemd-build time.
Added a condition check in the set_time() method to return an
error when tried to set time past the systemd build date.
Tested: Verified that it throws an error when we try to set the
time prior to systemd build date.
Daan De Meyer [Thu, 20 Feb 2025 13:11:58 +0000 (14:11 +0100)]
mkosi: Install systemd-boot in opensuse initrd
This contains the systemd-stub tmpfiles snippet which we need to
copy stuff from /.extra to /run/systemd/stub which
TEST-86-MULTI-UKI-PROFILE depends on to work properly.
Luca Boccassi [Fri, 8 Nov 2024 22:41:09 +0000 (22:41 +0000)]
tools/dbus_exporter: set LD_ORIGIN_PATH if procfs is not available
The script runs the binaries which try to find the internal libs via /proc/self/exe due
to glibc's RPATH resolution and fail:
/var/cache/src/systemd/tools/dbus_exporter.py interfaces
/var/cache/src/systemd/build/systemd
/var/cache/src/systemd/build/systemd-homed
/var/cache/src/systemd/build/systemd-hostnamed
/var/cache/src/systemd/build/systemd-importd
/var/cache/src/systemd/build/systemd-localed
/var/cache/src/systemd/build/systemd-logind
/var/cache/src/systemd/build/systemd-machined
/var/cache/src/systemd/build/systemd-networkd
/var/cache/src/systemd/build/systemd-oomd
/var/cache/src/systemd/build/systemd-portabled
/var/cache/src/systemd/build/systemd-resolved
/var/cache/src/systemd/build/systemd-sysupdated
/var/cache/src/systemd/build/systemd-timedated
execve("/var/cache/src/systemd/build/systemd", ["/var/cache/src/systemd/build/sys"..., "--bus-introspect", "list"], 0x7ffc7ab68600 /* 20 vars */) = 0
brk(NULL) = 0x56265bf70000
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f56ced7f000
readlinkat(AT_FDCWD, "/proc/self/exe", 0x7ffedeaa7a90, 4096) = -1 ENOENT (No such file or directory)
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=20293, ...}) = 0
mmap(NULL, 20293, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f56ced7a000
close(3) = 0
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v4/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v4/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/x86_64-linux-gnu/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/x86_64-linux-gnu/", {st_mode=S_IFDIR|0755, st_size=19312, ...}, 0) = 0
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v4/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v4/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v3/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/glibc-hwcaps/x86-64-v2/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/x86_64-linux-gnu/", {st_mode=S_IFDIR|0755, st_size=19312, ...}, 0) = 0
openat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v4/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v4/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v3/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v3/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v2/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/glibc-hwcaps/x86-64-v2/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/lib/", {st_mode=S_IFDIR|0755, st_size=642, ...}, 0) = 0
openat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v4/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v4/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v3/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v3/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v2/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/glibc-hwcaps/x86-64-v2/", 0x7ffedeaa80b0, 0) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/usr/lib/libsystemd-core-258.so", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
newfstatat(AT_FDCWD, "/usr/lib/", {st_mode=S_IFDIR|0755, st_size=642, ...}, 0) = 0
writev(2, [{iov_base="/var/cache/src/systemd/build/sys"..., iov_len=36},
{iov_base=": ", iov_len=2},
{iov_base="error while loading shared libra"..., iov_len=36},
{iov_base=": ", iov_len=2},
{iov_base="libsystemd-core-258.so", iov_len=22},
{iov_base=": ", iov_len=2},
{iov_base="cannot open shared object file", iov_len=30},
{iov_base=": ", iov_len=2},
{iov_base="No such file or directory", iov_len=25},
{iov_base="\n", iov_len=1}],
10/var/cache/src/systemd/build/systemd: error while loading shared libraries: libsystemd-core-258.so: cannot open shared object file: No such file or directory
) = 158
Luca Boccassi [Wed, 19 Feb 2025 18:12:19 +0000 (18:12 +0000)]
repart: add parameter to attach offline verity signature (#36405)
Add --join-signature=hash:sig - when a verity signature partition
has been deferred in a previous run, this allows attaching a signature
that was created offline, for example on a build system like OBS where
the private key is not available to the build process.
Can be specified multiple times, the right partition to act upon will
be selected by matching the data+verity partitions UUIDs with the
provided roothash(es)
Luca Boccassi [Mon, 3 Feb 2025 15:05:46 +0000 (16:05 +0100)]
repart: add parameter to attach offline verity signatures
Add --join-signature=hash:sig - when a verity signature partition
has been deferred in a previous run, this allows attaching a signature
that was created offline, for example on a build system like OBS where
the private key is not available to the build process.
Can be specified multiple times, the right partition to act upon will
be selected by matching the data+verity partitions UUIDs with the
provided roothash(es)
xinpeng wang [Mon, 17 Feb 2025 07:01:22 +0000 (15:01 +0800)]
logind: save seat before applying acl
udev will trigger the uaccess program in 73-seat-late.rules, which
may modify the device's acl permissions. In some cases, udev triggers
the uaccess program when logind is started and active is being set.
At this time, 1) logind sets the user's acl permissions, 2) uaccess
obtains active and sets acl permissions; 3) logind updates seat's
stat_file and writes active. This situation will cause the device to
not have the correct acl permissions, resulting in abnormal situations
such as a black screen. Therefore, it is necessary to write active to
seat's stat file before setting acl.
Daan De Meyer [Wed, 19 Feb 2025 12:46:47 +0000 (13:46 +0100)]
mkosi: update fedora commit reference
* 6c7c4a510d Do not use dynamic spec generation for non-upstream builds
* 6201755b36 Allow co-installation of systemd-sysusers-standalone and systemd
* eba1721678 Split out -sysusers and -shared
* ac9c438e27 Use dynamic spec generation for triggers
* 3671a5cc79 Move more auxiliary files into subpackages
* 5c40e08728 Remove patch that is already upstream
* 49ec9f3286 Move some files into subpackages
* 2c0b984bf4 Version 257.3
* d66f997915 Add explicit BR: libxcrypt-devel
* 1ffa7bf7c7 Make Georgian mapping patch downstream-only
* de4ae54a34 Backport PR #36194 to add Georgian mapping to kbd-model-map
* cc9bce7893 Drop override of $PATH in the user manager
* d0973df863 Backport patch to emit audit events from systemd-sysusers
* e54ec2f978 Trim changelog entries that are not relevant to users
projects / thirdparty / systemd.git / log
