Daan De Meyer [Tue, 13 Jun 2023 13:52:03 +0000 (15:52 +0200)]
repart: Store dm_name in DecryptedPartitionTarget
This means we don't have to do a fallible allocation in the
DecryptedPartitionTarget destructor. Also use log_warning_error_errno()
for the failure we ignore in the destructor.
Daan De Meyer [Tue, 13 Jun 2023 08:26:00 +0000 (10:26 +0200)]
sd-daemon: Add vsock fallback to SOCK_STREAM
SOCK_SEQPACKET is only supported on recent kernels. Let's add a
fallback to SOCK_STREAM if it is not supported.
To accommodate SOCK_STREAM, we also modify
pid_notify_with_fds_internal() to do sendmsg() in a loop as with
SOCK_STREAM, sendmsg() is not guaranteed to write all data in a single
syscall or fail otherwise.
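The short-write handling this commit message describes, as an added example that is not code from the commit or from systemd: on SOCK_STREAM, sendmsg() may accept only part of the payload, so the caller advances the iovec array and retries. The names msghdr_advance() and sendmsg_all() and the sample payload are assumptions made for illustration.

```c
#include <errno.h>
#include <sys/socket.h>
#include <sys/uio.h>
#include <unistd.h>

/* Drop the first n bytes from msg's iovec array after a short write (the
 * caller's iovec entries are modified). Returns the bytes still unsent. */
static size_t msghdr_advance(struct msghdr *msg, size_t n) {
    size_t left = 0;
    while (msg->msg_iovlen > 0 && n >= msg->msg_iov[0].iov_len) {
        n -= msg->msg_iov[0].iov_len;
        msg->msg_iov++;
        msg->msg_iovlen--;
    }
    if (msg->msg_iovlen > 0) {
        msg->msg_iov[0].iov_base = (char *) msg->msg_iov[0].iov_base + n;
        msg->msg_iov[0].iov_len -= n;
    }
    for (size_t i = 0; i < (size_t) msg->msg_iovlen; i++)
        left += msg->msg_iov[i].iov_len;
    return left;
}

/* Send all of msg on a SOCK_STREAM fd, looping on short writes and EINTR.
 * Control data (creds, fds) goes out with the first call only. 0 or -errno. */
static int sendmsg_all(int fd, struct msghdr *msg) {
    for (;;) {
        ssize_t n = sendmsg(fd, msg, MSG_NOSIGNAL);
        if (n < 0 && errno == EINTR)
            continue;
        if (n < 0)
            return -errno;
        msg->msg_control = NULL;
        msg->msg_controllen = 0;
        if (msghdr_advance(msg, (size_t) n) == 0)
            return 0;
    }
}

int main(void) {
    int sv[2];
    struct iovec iov[2] = { /* constructed sample payload */
        { .iov_base = "READY=1\n", .iov_len = 8 },
        { .iov_base = "STATUS=up\n", .iov_len = 10 },
    };
    struct msghdr msg = { .msg_iov = iov, .msg_iovlen = 2 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return 1;
    return sendmsg_all(sv[0], &msg) < 0;
}
```

Clearing msg_control after the first successful call keeps ancillary data from being delivered a second time when the loop retries.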
Frantisek Sumsal [Mon, 12 Jun 2023 19:05:30 +0000 (21:05 +0200)]
proc-cmdline: parse the whole /proc/cmdline
The kernel command line may contain newlines which kernel happily
accepts, but we'd ignore everything past the first newline. Let's fix
that by replacing read_one_line_file() with read_full_file().
tmpfile-util: turn last parameter of link_tmpfile() into a proper flags
This changes a boolean param into a proper bitflag field.
Given this only defines a single flag for now this doesn't look like
much of an improvement. But we'll add another flag shortly, where it
starts to make more sense.
Jan Janssen [Mon, 12 Jun 2023 13:12:05 +0000 (15:12 +0200)]
boot: Unify protocol opening
We are using HandleProtocol everywhere except in these few cases. This
unifies on HandleProtocol as it is simpler to use and equivalent to
OpenProtocol.
The only difference between the two is that OpenProtocol attributes the
opened protocol to a firmware-owned handle instead of our image handle.
This has no real use for regular UEFI applications as any protocols
opened via BY_HANDLE or GET_PROTOCOL are not required to be closed. In
fact, when a protocol is uninstalled it will do nothing more than reduce
the open count for these.
The current start + stop timeouts for xdg autostart files are *very*
short with 5s. On a busy system this might be too easy to hit even in
unintended case.
Apparently, the intention here was to cut the shutdown logic short.
(https://github.com/systemd/systemd/issues/27919#issuecomment-1580576178)
Let's hence stick to the very short timeout for that (under the
assumption that apps are written in a safe enough style to not lose data
if killed too early). But for starting XDG autostart services, use our
regular timeouts.
Alfred Klomp [Thu, 8 Jun 2023 11:26:24 +0000 (13:26 +0200)]
integritysetup: support mode=(journal|bitmap|direct)
Add a parameter to the integritytab file to set the mode in which to
open the integrity volume. The mode can be journaled (the default),
bitmap without a journal, or direct mode without a journal or a bitmap.
This change removes the `no-journal' option because it is redundant,
being replaced with `mode=direct'.
Supersedes commit bcc1ee56c, from a week ago, which implemented
`no-journal'.
Daan De Meyer [Fri, 13 Jan 2023 15:22:46 +0000 (16:22 +0100)]
creds: Add ImportCredential=
ImportCredential= takes a credential name and searches for a matching
credential in all the credential stores we know about. It supports
globs which are expanded so that all matching credentials are loaded.
Dan Streetman [Fri, 17 Feb 2023 17:59:18 +0000 (12:59 -0500)]
tpm2: add tpm2_get_legacy_template() and tpm2_get_srk_template()
Add functions to get either the 'legacy' or standard SRK template, for RSA or
ECC. The 'legacy' templates are those used with earlier code, where a transient
key was created to use for tpm sealing; the standard SRK is the persistent
shared key as defined in TCG guidance docs.
This also replaces tpm2_get_primary_template() with the new functions; that
function's use of flags is confusing and unnecessary.
Add tpm2_get_capability_handle() to query if a "TPM handle" (meaning, a
location/address in TPM storage) is populated in the TPM, and
tpm2_get_capability_handles() to query for a specific number of handles.
Add tpm2_esys_handle_from_tpm_handle() to create an "esys handle" (an opaque
reference for use with the TPM EAPI that represents a TPM handle address) for an
existing TPM handle.
Since the TPM handle already exists in the TPM, this also requires
updating the cleanup code for Tpm2Handle objects to close the object (free its
resources only from the EAPI code, but leave the handle in the TPM) instead of
flush the object (which frees its EAPI resources and removes it from the TPM).
core: do not GC units/jobs that are in the D-Bus queue
Let's make sure that D-Bus messages are always sent out when pending,
before we might GC a unit/job.
This is kinda a follow-up for 8db998981a4fefd0122bcf5f965726b63c9045c2,
and a similar logic really applies: GC should only be done if we
processed everything else, generated everything else and really don't
need it anymore.
This is a follow-up for 8db998981a4fefd0122bcf5f965726b63c9045c2, and
follows a similar logic: a pending OOM event really trumps everything:
we should not GC a unit while it is pending.
Dan Streetman [Wed, 17 May 2023 21:16:23 +0000 (17:16 -0400)]
tpm2: replace _cleanup_tpm2_* macros with _cleanup_()
Remove _cleanup_tpm2_context_ and _cleanup_tpm2_handle_ macros, replacing their
use with _cleanup_(tpm2_context_unrefp) and _cleanup_(tpm2_handle_freep),
respectively.
This removes documentation of SD_RESOLVED_REQUIRE_PRIMARY and
SD_RESOLVED_CLAMP_TTL, which are internal flags, and not usable from
outside of resolved. They are refused by D-Bus APIs, for a reason.
Various other fixes/clean-ups of the relevant docs (including reordering
of the flags docs by "grouping" rather than bit values).
Cyril Roelandt [Wed, 7 Jun 2023 12:33:19 +0000 (14:33 +0200)]
Fix zsh completion for "localectl set-locale"
When running:
    $ localectl set-locale LC_MESSAGES=<TAB>
One is prompted with a list of locale fields instead of the list of
valid locales. This is because by calling "compset -P1 '*='", we modify
the $PREFIX special parameter before testing whether it contains an
equal sign. Therefore
    if [[ -prefix 1 *\= ]]
is always false, and we always suggest a list of locale fields to the
user.
Balló György [Wed, 7 Jun 2023 11:33:18 +0000 (13:33 +0200)]
kbd-model-map: change the order of Hungarian keymaps
This changes the console layout from 'hu101' to 'hu' when the user calls 'localectl set-x11-keymap hu', because 'hu' is the expected layout instead of 'hu101' for most users.
Michal Sekletar [Wed, 31 May 2023 16:50:12 +0000 (18:50 +0200)]
pam: add call to pam_umask
Setting umask for user sessions via UMASK setting in /etc/login.defs is
a well-known feature. Let's make sure that user manager also runs with
this umask value.
The old syntax with linux + initrds as positional arguments is still accepted,
but a warning is emitted. We should remove the support for this after the
next release or so.
Adding a single verb by itself is not very useful, but opens the door to adding
other verbs.
Without this, the tests would generally be skipped, since we haven't made a
release with the addon stub yet. But even if the file is there, we always want
to test the freshly-built item.
Daan De Meyer [Mon, 5 Jun 2023 11:15:04 +0000 (13:15 +0200)]
repart: Do online encryption when loop devices are available
Online encryption is much faster than offline encryption when using
cryptsetup. To take advantage of this, when loop devices are available,
let's use online encryption instead of offline encryption to encrypt
partitions.
The online encryption logic is the same logic as was removed in 48a09a8fff480aab9a68e95e95cc37f6b1438751, except that it's now
integrated with PartitionTarget to ensure that logic outside of
partition_target_encrypt() has to minimally change regardless of
whether we're doing online or offline encryption.