Daan De Meyer [Thu, 16 May 2024 15:18:38 +0000 (17:18 +0200)]
mkosi: Sanitizer improvements
- Let's set the environment on the kernel command line so it applies
to initrd and main system.
- Let's add the necessary wrappers that are also added in test-functions.
Unlike test-functions we don't use gcc/clang to get the library path as
that requires installing gcc/clang in the initrd.
- Let's drop the hack to get journald writing to the console and have
it write to kmsg instead. We'll get the output either way.
- Stop removing libstdc++ and sanitizer libraries from Arch Linux
initrds and other images as it's required by the sanitizer libraries.
- Add a workaround for specifying extra meson options for opensuse
- Add a leak sanitizer suppression file as a workaround for a false
positive leak in verify_selinuxmnt() in libselinux. We do a soname match
because the stacktrace can't be properly symbolized on Debian.
Daan De Meyer [Mon, 27 May 2024 11:34:40 +0000 (13:34 +0200)]
test-execute: Load systemd-asan-env environment file if available
When DynamicUser= is enabled, we need LD_PRELOAD to be configured
correctly as the tests will load systemd's nss module which will complain
when built with sanitizers if the sanitizer libraries were not loaded
first.
Daan De Meyer [Thu, 30 May 2024 08:22:51 +0000 (10:22 +0200)]
test-execute: Skip test_exec_mount_apivfs() when running with sanitizers
The test fails when running under sanitizers due to missing sanitizer
libraries. For now, let's skip the test until we can make the necessary
changes to run it under sanitizers.
Daan De Meyer [Wed, 29 May 2024 20:03:38 +0000 (22:03 +0200)]
cgroup-util: Don't try to open pidfd for pids from cgroup.threads
Opening pidfds for non thread group leaders only works from 6.9 onwards with PIDFD_THREAD. On
older kernels or without PIDFD_THREAD pidfd_open() fails with EINVAL. Since we might read non
thread group leader IDs from cgroup.threads, we introduce and set CGROUP_NO_PIDFD to avoid
trying open pidfd's for them and instead use the pid as is.
pcrlock: tweak error messages when we are not looking at a TPM2 event log
If we are looking at a TPM1.2 event log the first log record will not be
the "EfiSpecIdEvent" but something else. Let's improve the log messages
about this, and say explicitly that this is likely not a TPM2.0 event
log.
efi-api: check /sys/class/tpm/tpm0/tpm_version_major, too
If the ceck for the ACPI TPM2 table did not work we currently check if
the EFI TPM table exists to check if the firmware supports TPM2.
Specifically we check if
/sys/kernel/security/tpm0/binary_bios_measurements exists. But that's
not enough, since that also exists on TPM1.2 systems. Hence, let's also
check /sys/class/tpm/tpm0/tpm_version_major which should exist under
similar conditions and tells us the kernel's idea of the TPM version in
use.
I originally intended to read the signature of the
/sys/kernel/security/tpm0/binary_bios_measurements contents for this,
but this is not ideal since that file has tight access mode, and our TPM
availability check would thus not work anymore if invoked unpriv.
Daan De Meyer [Tue, 28 May 2024 08:14:07 +0000 (10:14 +0200)]
mkosi: Stop installing dbus-broker on OpenSUSE
dbus-broker and dbus-daemon have not been made interchangable on
OpenSUSE so we currently end up with dbus-broker used for the system
bus and dbus-daemon for the session bus. Let's stick to dbus-daemon
on OpenSUSE until they switch to dbus-broker.
shutdown: explicitly close watchdog with disarm=false before we destroy watchdog resources
Otherwise we'll close the device disarming it as side-effect of
watchdog_free_device(), which is not intended. Hence, let's close the fd
first explicitly leaving it armed.
watchdog: reset last ping timestamp when opening watchdog
When we open a watchdog fresh we have never pinged it, hence reset the
ping timestamp explicitly, so that it is not only reset the first time
we open the device, but all times.
Daan De Meyer [Tue, 28 May 2024 12:08:18 +0000 (14:08 +0200)]
TEST-64-UDEV-STORAGE: Replace megasas2 controller with virtio scsi controller
The virtio-scsi driver is available in the KVM/cloud kernel
packages provided by distributions whereas the megasas2 driver is
not. Let's switch to virtio-scsi so we can switch back to the KVM/cloud
kernel packages.
Daan De Meyer [Tue, 28 May 2024 21:15:25 +0000 (23:15 +0200)]
mkosi: Switch from btrfs to ext4
Mounting multiple btrfs filesystems with the same fsid only works
properly from kernel 6.7 onwards. Let's switch to ext4 for now which
does support this.
Luca Boccassi [Tue, 28 May 2024 17:59:24 +0000 (18:59 +0100)]
bpf: add helper to translate kernel error codes from libbpf
libbpf returns error codes from the kernel unmodified, and we don't understand
them so non-fatal ones are handled as hard errors.
Add a translation helper, and start by translating 524 to EOPNOTSUPP, which is
returned when nsresourced tries to use LSM BPF hooks that are not
implemented on a given arch (in this case, arm64 is misssing trampolines).
Yu Watanabe [Tue, 28 May 2024 09:15:02 +0000 (18:15 +0900)]
test-network: tun/tap fd may be owned by tentative worker processes
PID1 may invoke a helper process, e.g. sd-close, during the test.
So, processes other than networkd and PID1 may be shown.
```
testtap99: tap pi multi_queue vnet_hdr persist filter
Attached to processes:systemd-network(2852)(sd-close)(2863)systemd(1)
```
machined: downgrade warning if we cannot drop ref to systemd unit if disconnected from bus
if machined exits while a machine is still running, we'll issue the
UnrefUnit() call on the unit. This quite likely will fail if during
shutdown the bus connection is already down. But that's no reason to
warn at all, since the ref count will implicitly be dropped if our side
disappears from the bus. Hence, downgrade to LOG_DEBUG in case of
connection problems.
Mathias Lang [Thu, 25 Apr 2024 10:38:09 +0000 (12:38 +0200)]
docs/CONTRIBUTING.md: Fix links in CONTRIBUTING
Get them to point to the rendered version, instead of
letting Github thinks they are absolute links in the
repository. The rendered version is much more user-friendly.
Franck Bui [Fri, 24 May 2024 12:11:54 +0000 (14:11 +0200)]
meson: don't put a symlink pointing to '20-systemd-ssh-proxy.conf' in /etc in all cases
On distros like SUSE where ssh config dropins in /usr are supported, there's no
need for a symlink in /etc/ssh/ssh_config.d/ that points to the dropin
installed somewhere in /usr (that is not reachable by ssh).
Mike Yuan [Sun, 26 May 2024 19:23:37 +0000 (03:23 +0800)]
man/run0: remove @ syntax for --machine=
For run0 (as opposed to systemd-run in general), connecting to
the system bus (of localhost or container) as a different user
than root and then trying to elevate privilege from that
makes little sense:
https://github.com/systemd/systemd/issues/32997#issuecomment-2127992973
The @ syntax is mostly useful when connecting to the user bus,
which is not a use case for run0. Hence, let's remove the example.
The syntax will be properly refused in #32999.
Yu Watanabe [Sun, 26 May 2024 21:01:05 +0000 (06:01 +0900)]
blockdev-util: also check loop/partscan sysattr
With https://github.com/torvalds/linux/commit/b9684a71fca793213378dd410cd11675d973eaa1 (v5.19),
we cannot check partition scanning is enabled for a loopback block device
without checking the attribute.
Yu Watanabe [Mon, 27 May 2024 00:21:41 +0000 (09:21 +0900)]
blockdev-util: also check newer value of GENHD_FL_NO_PART flag
With https://github.com/torvalds/linux/commit/430cc5d3ab4d0ba0bd011cfbb0035e46ba92920c,
the value of GENHD_FL_NO_PART, previously named as GENHD_FL_NO_PART_SCAN,
is changed from 0x0200 to 0x0004. So, we need to check both flags.
projects / thirdparty / systemd.git / log
