core/condition: fix segfault when key not found in os-release
'ConditionOSRelease=|ID_LIKE$=*rhel*' results in a segfault.
The key 'ID_LIKE' is not present in Fedora's os-release file.
I think the most reasonable behaviour is to treat missing keys as empty.
This matches the "shell-like" sprit, since in a shell empty keys would
by default be treated as empty too. Thus, "ID_LIKE=" would match, if
ID_LIKE is not present in the file, and ID_LIKE=!$foo" would also match.
The other option would be to make those matches fail, but I think that'd
make the feature harder to use, esp. with negative matches.
Documentation is updated to clarify the new behaviour.
Daan De Meyer [Thu, 13 Feb 2025 12:03:39 +0000 (13:03 +0100)]
sysupdate: Don't use compression extension for UKIs in manpage
UKIs should generally not be compressed since the kernel image and
initrd in them will already be compressed so let's remove the compression
suffix from the examples in the sysupdate manpage.
Daan De Meyer [Mon, 10 Feb 2025 22:59:04 +0000 (23:59 +0100)]
ptyfwd: Forward various signals to forked process
We want systemd-pty-forward to be something that can be dropped in
somewhere without too much thought. To enable this, let's make sure
we forward various signals to the forked process. This makes sure that
any signals are delivered to the actual child process regardless of whether
it's running within systemd-pty-forward or not.
Daan De Meyer [Wed, 12 Feb 2025 10:09:36 +0000 (11:09 +0100)]
mkosi: Update to latest
In https://github.com/systemd/mkosi/pull/3497, mkosi has started parsing
options passed after the verb as regular mkosi options instead of options
for the invoked command. We adapt to this change by adding '--' as a delimiter
everywhere where required.
Paul Fertser [Tue, 11 Feb 2025 13:33:15 +0000 (13:33 +0000)]
socket: resolve unit specifiers in BindToDevice
There are cases where templated Socket unit files are used for network services
with interface name used as an instance. This patch allows using %i for
BindToDevice setting to limit the scope automatically.
Yu Watanabe [Wed, 12 Feb 2025 00:23:33 +0000 (09:23 +0900)]
udev-watch: do not try to remove invalid watch handle
When a new device is processed, there should be no watch handle for
the device, hence udev_watch_clear() provides -1. Let's not try to call
inotify_rm_watch() in that case.
This should not change any behavior. Just for suppressing spurious
debugging log:
=====
(udev-worker)[3626140]: zram1: Removing watch handle -1.
=====
resolve: add an option to explicitly disable query AAAA, SRV, MX, etc... (#34165)
Based on this patch i had submitted to RedHat
(https://issues.redhat.com/browse/RHEL-56280), i am submitting this
patch to this upstream systemd.
There is no way to explicitly enable/disable IPv6 AAAA queries.
Problem was that i am using RHEL9 and some applications does not use a
newer glibc that supports `no-aaaa` option in `/etc/resolv.conf`. So
some applications will still resolve IPv6 AAAA even with `no-aaaa`
option and it is inconsistent across the system where some work and some
don't.
So this systemd-resolved patch catch-all queries and disable IPv6 AAAA
queries for all applications in the OS by having an option
`RefuseRecordTypes=AAAA` to disable IPv6 AAAA queries.
Although https://github.com/systemd/systemd/pull/28136 tries to fix this
automatically but it still does not work with
`net.ipv6.conf.all.disable_ipv6 = 1`. Also tried with explicitly
removing the conditional and force set `family = AF_INET` and still
resolves AAAA records.
The issue is that i want to explicitly disable IPv6 AAAA queries instead
of systemd-resolved to figure out itself which address family it is
using, which always have problems.
Let's move the currently used/default/oneshot entry output after the
basic info about the boot loader itself, since conceptually these are
objects kinda "one level down" from the boot loader perspective. Hence,
let's *first* show all info about the boot loader itself before we
display the objects it manages.
This is just a trivial change in output, just swaps th elines for these
fields with the ones showing where the boot loader is installed.
Luca Boccassi [Sat, 8 Feb 2025 13:17:22 +0000 (13:17 +0000)]
ukify: add --pcr-certificate= parameter
Public keys and certificates are not the same, as the latter embeds more
information that the former, and other tools like sd-measure have distinct
parameters for each of them.
Add a new --pcr-certificate= parameter to ukify, and use it to pass certs
down to sd-measure, as an alternative to --pcr-public-key=. Do not allow
specifying both.
bootctl: suppress output of empty partition info if we also have no idea about EFI binary path
So far we'd output both the partition and the binary path always, even
if we didn't know either (but in that case show empty information).
Let's address this, and show partition info only if we know it, or if we
know the EFI binary path, but suppress both if we know neither.
Note that we'll show the partition info if we don't know it still if we
know the EFI binary path used for boot, since it is relative to the
partition of course, and hence it's really strange to know one but not
the other, hence it deserves some mentioning in the output.
bootctl: also shown whether stub loader partition data was passed
Let's make the stub and loader output sections more alike, and say in
both cases whether we recieved that data from the boot phase or not the
same way.
Yu Watanabe [Sun, 9 Feb 2025 15:41:38 +0000 (00:41 +0900)]
xattr-util: try new *xattrat() family syscalls first (#36228)
While killing cgroup v1 I want to turn all cg_* helpers to take
cgroupfs_fd + cg path, which means all relevant path operations must
support openat() semantics. `removexattrat()` is currently missing. I
took the chance to do a bigger refactor for xattr-util.
hwdb: add accel orientation and location for the BMAX Y14
The BMAX MaxBook Y14 has 2 acceleromenter sensors, one seems to be in
the display, the other in the base. With the default ACCEL_MOUNT_MATRIX
monitor-sensor would report the display to be rotate of 180 degrees
compared to its real position, i.e. upside down when normal and vice
versa. Left up and right up are also swapped.
Correcting the ACCEL_MOUNT_MATRIX for the display sensor solves the
issue and monitor-sensor reports the correct values.
For the Y13 model the Z axis value was also inverted. For the Y14 to
work correctly, this is not necessary, but I'm not sure how to double
check this.
However, when O_PATH fds are encountered we'd have to go by
/proc/self/fd/ still, since the kernel people are reluctant
to make the new syscalls work with them
(https://lore.kernel.org/linux-fsdevel/20250206-steril-raumplanung-733224062432@brauner/)
Hence getxattrat() and listxattrat() are not employed.
While at it, remove the discrepancy between path being NULL
and empty - I don't grok the "security issue" claimed earlier,
but nowadays even the kernel treats the two as identical:
https://github.com/torvalds/linux/commit/e896474fe4851ffc4dd860c92daa906783090346
network: mark container/VM/namespace networks as not required for online + disable DHCP lease persistency
These networks are not connections to upstream routers, but where we are
ourselves are the upstream router, hence it doesn't make too much sense
to require them to be up as default to determine if we are "online",
because they lead "in the wrong direction".
Also, disable DHCP lease persistency for these networks, since
container/VM/namespaces are generally shortlived, and typically have no
persistent identity. Moreover, the IP range we assign each VM/container
connection is just too small to permit persistency, as otherwise we'll
run out of leases way too quickly if VM/containers are restarted a bunch of
times with different MAC addresses (which I ran into).
I think these are better defaults, but of course these are only
defaults.
By default, suite of each built test is determined by the directory of
the source file. Hence, before the mentioned commit, all tests in
src/boot/efi/ are in the 'efi' suite. The commit changed the directory
tree, but forgot to update the name of the test suite.
Luca Boccassi [Fri, 7 Feb 2025 17:14:45 +0000 (17:14 +0000)]
ukify: add --pcrsig and --join-pcrsig arguments to append offline signature (#36181)
Add a build parameter to take an existing UKI and attach a .pcrsig
section
to it. This allows one to create a UKI with a .pcrpkey section with
--policy-digest to get the json output from sd-measure, sign the digest
offline, and attach the .pcrsig section with the signature later.
Yu Watanabe [Sun, 2 Feb 2025 03:07:48 +0000 (12:07 +0900)]
udevadm-test: allow to dump result in json format
This adds --json=MODE option for 'udevadm test' command.
When specified, all messages, except for the final result, will be
written to stderr, and the final result is shown in JSON format to
stdout. It may be useful for parsing the test result.
Luca Boccassi [Sat, 25 Jan 2025 02:09:49 +0000 (02:09 +0000)]
ukify: add --pcrsig and --join-pcrsig arguments to append offline signature
Add a build parameter to take an existing UKI and attach a .pcrsig section
to it. This allows one to create a UKI with a .pcrpkey section with
--policy-digest to get the json output from sd-measure, sign the digest
offline, and attach the .pcrsig section with the signature later.
This definition is broken as rpm internally does the following
since 4.20 to calculate the buildroot:
```
char *bn = rpmExpand("%{NAME}-%{VERSION}-build", NULL);
/* Tilde and caret in paths are evil, convert to underscores */
for (char *t = bn; *t; t++) {
if (*t == '^' || *t == '~')
*t = '_';
}
```
This has broken our upstream opensuse CI builds in systemd as
we do the following to fetch the list of unpackaged files by the rpm build:
```
rpmbuild
...
--define "__check_files sh -c '$(rpm --define "_topdir /var/tmp" --eval %__check_files) | tee /tmp/unpackaged-files'"
...
```
which stopped working because the check files script tries
to look for unpackaged files in the "/var/tmp/BUILD/systemd-258~devel-build/BUILDROOT"
directory (%buildroot) whereas it should be looking in "/var/tmp/BUILD/systemd-258_devel-build/BUILDROOT".
Let's remove the %buildroot compat definition until the bug is
addressed in opensuse tumbleweed.
Michal Sekletar [Tue, 21 Jan 2025 14:31:14 +0000 (15:31 +0100)]
core/namespace: relabel bind mount source based on the target path
Some bind mounts, e.g. /tmp bind mount when PrivateTmp=disconnected,
must be explicitly relabeled because now it would have incorrect SELinux
label. /tmp is expected to have well-known SELinux label, tmp_t. Now it
has label inherited from the source directory of the bind mount.
Daniil [Fri, 7 Feb 2025 09:46:44 +0000 (10:46 +0100)]
hwdb: XBox Series Elite controller modalias entry has been added. (#36305)
Change was requested in response on #36297.
The reason for that change is that XBox Series Elite controller has
exact 4 buttons identified as keyboard key sets.
While it detects using USB connection without any issues, wireless
connection ends with assumption that it's a keyboard.
projects / thirdparty / systemd.git / log
