Yu Watanabe [Sun, 9 Feb 2025 15:41:38 +0000 (00:41 +0900)]
xattr-util: try new *xattrat() family syscalls first (#36228)
While killing cgroup v1 I want to turn all cg_* helpers to take
cgroupfs_fd + cg path, which means all relevant path operations must
support openat() semantics. `removexattrat()` is currently missing. I
took the chance to do a bigger refactor for xattr-util.
hwdb: add accel orientation and location for the BMAX Y14
The BMAX MaxBook Y14 has 2 acceleromenter sensors, one seems to be in
the display, the other in the base. With the default ACCEL_MOUNT_MATRIX
monitor-sensor would report the display to be rotate of 180 degrees
compared to its real position, i.e. upside down when normal and vice
versa. Left up and right up are also swapped.
Correcting the ACCEL_MOUNT_MATRIX for the display sensor solves the
issue and monitor-sensor reports the correct values.
For the Y13 model the Z axis value was also inverted. For the Y14 to
work correctly, this is not necessary, but I'm not sure how to double
check this.
However, when O_PATH fds are encountered we'd have to go by
/proc/self/fd/ still, since the kernel people are reluctant
to make the new syscalls work with them
(https://lore.kernel.org/linux-fsdevel/20250206-steril-raumplanung-733224062432@brauner/)
Hence getxattrat() and listxattrat() are not employed.
While at it, remove the discrepancy between path being NULL
and empty - I don't grok the "security issue" claimed earlier,
but nowadays even the kernel treats the two as identical:
https://github.com/torvalds/linux/commit/e896474fe4851ffc4dd860c92daa906783090346
network: mark container/VM/namespace networks as not required for online + disable DHCP lease persistency
These networks are not connections to upstream routers, but where we are
ourselves are the upstream router, hence it doesn't make too much sense
to require them to be up as default to determine if we are "online",
because they lead "in the wrong direction".
Also, disable DHCP lease persistency for these networks, since
container/VM/namespaces are generally shortlived, and typically have no
persistent identity. Moreover, the IP range we assign each VM/container
connection is just too small to permit persistency, as otherwise we'll
run out of leases way too quickly if VM/containers are restarted a bunch of
times with different MAC addresses (which I ran into).
I think these are better defaults, but of course these are only
defaults.
By default, suite of each built test is determined by the directory of
the source file. Hence, before the mentioned commit, all tests in
src/boot/efi/ are in the 'efi' suite. The commit changed the directory
tree, but forgot to update the name of the test suite.
Luca Boccassi [Fri, 7 Feb 2025 17:14:45 +0000 (17:14 +0000)]
ukify: add --pcrsig and --join-pcrsig arguments to append offline signature (#36181)
Add a build parameter to take an existing UKI and attach a .pcrsig
section
to it. This allows one to create a UKI with a .pcrpkey section with
--policy-digest to get the json output from sd-measure, sign the digest
offline, and attach the .pcrsig section with the signature later.
Yu Watanabe [Sun, 2 Feb 2025 03:07:48 +0000 (12:07 +0900)]
udevadm-test: allow to dump result in json format
This adds --json=MODE option for 'udevadm test' command.
When specified, all messages, except for the final result, will be
written to stderr, and the final result is shown in JSON format to
stdout. It may be useful for parsing the test result.
Luca Boccassi [Sat, 25 Jan 2025 02:09:49 +0000 (02:09 +0000)]
ukify: add --pcrsig and --join-pcrsig arguments to append offline signature
Add a build parameter to take an existing UKI and attach a .pcrsig section
to it. This allows one to create a UKI with a .pcrpkey section with
--policy-digest to get the json output from sd-measure, sign the digest
offline, and attach the .pcrsig section with the signature later.
This definition is broken as rpm internally does the following
since 4.20 to calculate the buildroot:
```
char *bn = rpmExpand("%{NAME}-%{VERSION}-build", NULL);
/* Tilde and caret in paths are evil, convert to underscores */
for (char *t = bn; *t; t++) {
if (*t == '^' || *t == '~')
*t = '_';
}
```
This has broken our upstream opensuse CI builds in systemd as
we do the following to fetch the list of unpackaged files by the rpm build:
```
rpmbuild
...
--define "__check_files sh -c '$(rpm --define "_topdir /var/tmp" --eval %__check_files) | tee /tmp/unpackaged-files'"
...
```
which stopped working because the check files script tries
to look for unpackaged files in the "/var/tmp/BUILD/systemd-258~devel-build/BUILDROOT"
directory (%buildroot) whereas it should be looking in "/var/tmp/BUILD/systemd-258_devel-build/BUILDROOT".
Let's remove the %buildroot compat definition until the bug is
addressed in opensuse tumbleweed.
Michal Sekletar [Tue, 21 Jan 2025 14:31:14 +0000 (15:31 +0100)]
core/namespace: relabel bind mount source based on the target path
Some bind mounts, e.g. /tmp bind mount when PrivateTmp=disconnected,
must be explicitly relabeled because now it would have incorrect SELinux
label. /tmp is expected to have well-known SELinux label, tmp_t. Now it
has label inherited from the source directory of the bind mount.
Daniil [Fri, 7 Feb 2025 09:46:44 +0000 (10:46 +0100)]
hwdb: XBox Series Elite controller modalias entry has been added. (#36305)
Change was requested in response on #36297.
The reason for that change is that XBox Series Elite controller has
exact 4 buttons identified as keyboard key sets.
While it detects using USB connection without any issues, wireless
connection ends with assumption that it's a keyboard.
Yu Watanabe [Fri, 7 Feb 2025 02:20:21 +0000 (11:20 +0900)]
firstboot: Populate XKBLAYOUT and friends as well in vconsole.conf (#36275)
Let's derive XKBLAYOUT and friends from the given keymap and populate
these as well in vconsole.conf so that if the user configures a keymap
it's also respected in display managers such as gdm.
Daan De Meyer [Wed, 5 Feb 2025 13:31:33 +0000 (14:31 +0100)]
firstboot: Populate XKBLAYOUT and friends as well in vconsole.conf
Let's derive XKBLAYOUT and friends from the given keymap and populate
these as well in vconsole.conf so that if the user configures a keymap
it's also respected in display managers such as gdm.
Daan De Meyer [Wed, 5 Feb 2025 12:17:13 +0000 (13:17 +0100)]
locale: Move vconsole specific logic to shared/vconsole-util.h
This allows reusing the logic in systemd-firstboot.c.
To avoid having to link libxkbcommon into libsystemd-shared, we add
a level of indirection to vconsole_convert_to_x11() so that the verify
function is passed in by the caller.
Daan De Meyer [Thu, 6 Feb 2025 13:53:02 +0000 (14:53 +0100)]
mkosi: Only make build sources ephemeral if NO_BUILD is not enabled
If we're not building distribution packages from source, there's no
need to make the build sources ephemeral so don't enable the setting
if NO_BUILD is enabled.
homed: introduce "area" concept (i.e. secondary home directories stored below the primary one, of which one can pick one at login) (#36149)
This adds a new concept to homed/pam_systemd/pam_systemd_homed: "areas"
are secondary home dirs you can have inside your primary home dir, below
an `~/Areas/` hierarchy. You can log into these secondary dirs if you
specify "user%area" as user at login time.
This is quite useful for maintaining multiple sets of user resources
within the same user account with the same access privileges. The
intended usecase for me is utimately WSL-like stuff: you start a local
unpriv container which gets the host's home dir mounted in and fully
accessible, without this also meaning that the user account gets the
full set of settings and so on propagated down.
Codewise the concept is really simple: whenever an area name like
"foobar" is specified we simply change a $HOME of /home/lennart into
/home/lennart/Areas/foobar. In a way this PR adds more docs than code
for all this.
This also makes this feature directly accessible via "run0 -a foobar"
(for opening a new session in the 'foobar' area).
To be truly fun to use on text (i.e. getty) logins, a util-linux version
containing https://github.com/util-linux/util-linux/pull/3354 is best,
since otherwise $HOME is updated to /home/lennart/Areas/foobar, but the
cwd is still at /home/lennart.
i.e. we generally want that PAM modules can override $HOME and it is
honoured for the CWD after login.
(This renames the 'home' variable we maintained sofar to 'pwent_home',
to clarify that it's the home directory listed in the struct passwd
entry, and thus not necessarily the one actually used)
Yu Watanabe [Thu, 6 Feb 2025 00:38:39 +0000 (09:38 +0900)]
udev-builtin: several trivial cleanups (#36239)
- introduces UDEV_BUILTIN_DESTRUCTOR macro,
- normalize log messages on initialize/finalize,
- explicitly initialize global variable,
- drop using _UDEV_BUILTIN_INVALID.
Luca Boccassi [Wed, 5 Feb 2025 19:54:08 +0000 (19:54 +0000)]
homectl: fix typos in help text (#36279)
I noticed two small typos while reading the help text for homectl.
The `-P` option is described as "Same as
--enforce-password-**password**=no" when the option's name is
`--enforce-password-policy`.
While checking the man page to check if the typo was also there, i
noticed another typo where `--enforce-password-policy=no` has 3 dashes
instead of 2 in the description for `-P`.
Daan De Meyer [Wed, 5 Feb 2025 11:42:39 +0000 (12:42 +0100)]
repart: Don't fail when we're unable to read file attributes
We're getting EOVERFLOW when reading file attributes trying to get
mkosi running in a docker container (don't ask). I have a suspicion
this is coming from fuse-overlayfs. Anyway, since the file attributes
stuff is supposed to be purely optional, let's not fail when we can't
read file attributes for whatever reason.
projects / thirdparty / systemd.git / log
