Daan De Meyer [Thu, 10 Nov 2022 14:40:00 +0000 (15:40 +0100)]
repart: Run most repart integration tests without root privileges
To make sure rootless mode keeps working, let's run all repart
integration tests that we can without root privileges. The only ones
we need to keep running with root privileges are the tests that operate
on a block/loop device and those that use --image=.
Daan De Meyer [Sun, 9 Oct 2022 22:14:17 +0000 (00:14 +0200)]
repart: Don't use loop devices when we're not operating on a block device
When repart is not operating on a block device, if we avoid using
any loop devices at all, it becomes possible to run repart without
needing root privileges.
Note that this also depends on the filesystems in use to support
population without needing root privileges (specifically, squashfs,
ext4 or btrfs).
Daan De Meyer [Mon, 10 Oct 2022 21:34:04 +0000 (23:34 +0200)]
repart: Ensure files end up owned by root in generated filesystems
By forking off a user namespace before running mkfs and ID mapping
the user running repart to root in the user namespace, we can make
sure that files in the generated filesystems are all owned by root
instead of the user running repart.
To make this work we have to make sure that all the files in the
root directory that's passed to the mkfs binary are owned by the
user running repart, so we have to drop the shortcut for only a
single root directory in partition_populate_directory().
Daan De Meyer [Sun, 9 Oct 2022 18:46:59 +0000 (20:46 +0200)]
repart: Do offline encryption instead of online
Offline encryption can be done without mounting the luks device. For
now we still use loop devices to split out the partition we want to
write to but in a later commit we'll replace this with a regular file.
For offline encryption, we need to keep 2x the luks header size space
free at the end of the partition, so this means our encrypted partitions
will be 16M larger than before.
Daan De Meyer [Tue, 11 Oct 2022 08:50:58 +0000 (10:50 +0200)]
mkfs-util: Add support to populate vfat without mounting using mcopy
mkfs.vfat doesn't support specifying a root directory to bootstrap
the filesystem from (see https://github.com/dosfstools/dosfstools/issues/183).
Instead, we can use the mcopy tool from the mtools package to copy
files into the vfat filesystem after creating it without needing to
mount the vfat filesystem.
Daan De Meyer [Fri, 14 Oct 2022 10:06:55 +0000 (12:06 +0200)]
repart: Add --include/--exclude-partitions
Let's allow filtering the partitions to operate on by partition
type UUID. This is necessary when building bootable images with a
verity protected root/usr partition as we can only build the UKI
image when we have the verity roothash which means we cannot populate
the EFI partition yet when we run repart initially to determine the
verity roothash.
Daan De Meyer [Fri, 14 Oct 2022 10:40:28 +0000 (12:40 +0200)]
repart: Use first unused partition number for new partitions
If we skip some partition types in a first run of systemd-repart,
we don't want their partition numbers to be different than usual,
so let's change the allocation of partition numbers to account for
that.
Daan De Meyer [Thu, 13 Oct 2022 19:26:16 +0000 (21:26 +0200)]
gpt: Expose GptPartitionType and get rid of SECONDARY/OTHER
Instead of exposing just the partition type UUID, let's expose the
GptPartitionType struct, which has a lot more information available
in a much more accessible way.
Also, let's get rid of SECONDARY/OTHER in PartitionDesignator. These
were only there to support preferred architectures in dissect-image.c,
but we can easily handle that by comparing architectures when we decide
whether to override a partition. This is done in a new function
compare_arch().
Vitaly Kuznetsov [Fri, 11 Nov 2022 16:15:55 +0000 (17:15 +0100)]
measure: fix section names in 'objcopy' example in systemd-measure man
A copy paste error has crippled in the objcopy example in 'systemd-measure'
manual, "--change-section-vma" should reference the section being added,
not ".splash". When used as-is, the resulting UKI is unbootable.
These are allowed to fail, for example on a read-only filesystem. But they still
log at error level, which is annoying and gets flagged. Tune those specific errors
down to info.
There are likely more that could be tuned down, but the important thing is to cover
the tmpfiles.d that we ship right now.
Before:
$ echo -e "d- /root :0700 root :root - \nd- /root/.ssh :0700 root :root -" | SYSTEMD_LOG_LEVEL=err build/systemd-tmpfiles --root=/tmp/img --create -
Failed to create directory or subvolume "/tmp/img/root": Read-only file system
Failed to open path '/tmp/img/root': No such file or directory
$
Mike Yuan [Fri, 11 Nov 2022 18:52:38 +0000 (02:52 +0800)]
module-util: use the blacklist from module_blacklist= in cmdline
When a module is blacklisted using module_blacklist=
we shouldn't fail with 'Operation not permitted'.
Instead we check for it and skip it if this is the case.
bootctl,bootspec: make use of CHASE_PROHIBIT_SYMLINKS whenever we access the ESP/XBOOTLDR
Let's make use of the new flag whenever we access the ESP or XBOOTLDR.
The resources we make use of in these partitions can't possibly use
symlinks (because UEFI knows no symlink concept), and they are untrusted
territory, hence under no circumstances we should be tricked into
following symlinks that shouldn't be there in the first place.
Of course, you might argue thta ESP/XBOOTLDR are VFAT and thus don#t
know symlinks. But the thing is, they don#t have to be. Firmware can
support other file systems too, and people can use efifs to gain access
to arbitrary Linux file systems from EFI. Hence, let's better be safe
than sorry.
chase-symlinks: add new flag for prohibiting any following of symlinks
This is useful when operating in the ESP, which is untrusted territory,
and where under no circumstances we should be tricked by symlinks into
doing anything we don't want to.
nulstr-util: fix corner cases of strv_make_nulstr()
Let's change the return semantics of strv_make_nulstr() so that we can
properly distuingish the case where we have a no entries in the nulstr
from the case where we have a single empty string in a nulstr.
Previously we couldn't distuingish those, we'd in both cases return a
size of zero, and a buffer with two NUL bytes.
With this change, we'll still return a buffer with two NULL bytes, but
for the case where no entries are defined we'll return a size of zero,
and where we have two a size of one.
This is a good idea, as it makes sure we can properly handle all corner
cases.
Nowadays the function is used by one place only: ask-password-api.c. The
corner case never mattered there, since it was used to serialize
passwords, and it was known that there was exactly one password, not
less. But let's clean this up. This means the subtraction of the final
NUL byte now happens in ask-password-api.c instead.
nulstr-util: use memdup_suffix0() where appropriate
if the nulstr is not nul-terminated, we shouldn't use strndup() but
memdup_suffix0(), to not trip up static analyzers which imply we are
duping a string here.
This rework the logic for handling the "header" cells a bit. Instead of
special casing the first row in regards to uppercasing/coloring let's
just intrduce a proper cell type TABLE_HEADER which is in most ways
identical to TABLE_STRING except that it defaults to uppercase output
and underlined coloring.
This is mostly refactoring, but I think it makes a ton of sense as it
makes the first row less special and you could in fact insert
TABLE_HEADER (and in fact TABLE_FIELD) cells wherever you like and
something sensible would happen (i.e. a string cell is displayed with
a specific formatting).
Yu Watanabe [Fri, 11 Nov 2022 04:54:03 +0000 (13:54 +0900)]
ac-power: check battery existence and status
If a battery is not present or its status is not discharging, then
the battery should not be used as a power source.
Let's count batteries currently discharging.
MkfsSion [Sat, 29 Oct 2022 18:29:02 +0000 (14:29 -0400)]
libfido2-util: Perform pre-flight check for credentials in token
Do not attempt to decrypt using a key slot unless its corresponding
credential is found on an available FIDO2 token. Avoids multiple touches
/ confirmations when unlocking a LUKS2 device with multiple FIDO2 tokens
enrolled.
Partially fixes #19208 (when the libcryptsetup plugin is in use).
Daan De Meyer [Fri, 11 Nov 2022 10:26:54 +0000 (11:26 +0100)]
strv: Make sure strv_make_nulstr() always returns a valid nulstr
strv_make_nulstr() is documented to always return a valid nulstr,
but if the input is `NULL` we return a string terminated with only
a single NUL terminator, so let's fix that and always terminate the
resulting string with two NUL bytes.
Daan De Meyer [Wed, 12 Oct 2022 21:59:37 +0000 (23:59 +0200)]
repart: Take into account minimal filesystem size
Instead of requiring users to guess the required space for partitions
populated with CopyFiles=, let's make an educated guess ourselves. We
can populate the filesystem once in a very large sparse file and see
how much data is actually used as a good indicator of the required size.
> If you define a path with the ! character, you must also define at least one
> path without the ! character. If you only want to exclude paths, use
> paths-ignore instead.
>
> The order that you define patterns matters:
> A matching negative pattern (prefixed with !) after a positive match will
> exclude the path.
> A matching positive pattern after a negative match will include the path
> again.
Even if some of the exluded paths *could* impact the build, generally it's a
waste of time to do mkosi builds on them. Let's skip to releave the builders a
bit.
Daan De Meyer [Fri, 11 Nov 2022 09:04:37 +0000 (10:04 +0100)]
test-copy: Stop using rm_rf_physical_and_close
This cleanup function depends on resolving fd's to paths via /proc
which is unreliable so we shouldn't depend on it for destructive
operations. Use regular path based cleanup instead.
projects / thirdparty / systemd.git / log
