Andrew Sayers [Wed, 29 Jan 2025 13:13:04 +0000 (13:13 +0000)]
Reduce priority of "cleared HibernateLocation" message
This message appears when a computer hibernates, then awakens, then reboots,
and everything goes OK. It's a normal progress message the user doesn't need
to know about, but it distracts them from important startup messages and could
even train them to ignore the warning when the procedure fails.
cryptenroll/repart/creds: no longer default to binding against literal PCR 7
PCR 7 covers the SecureBoot policy, in particular "dbx", i.e. the
denylist of bad actors. That list is pretty much as frequently updated
as firmware these days (as fwupd took over automatic updating). This
means literal PCR 7 policies are problematic: they likely break soon,
and are as brittle as any other literal PCR policies.
Hence, pick safer defaults, i.e. exclude PCR 7 from the default mask.
This means the mask is now empty.
Generally, people should really switch to signed PCR policies covering
PCR 11, in combination with systemd-pcrlock for the other PCRs.
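To make concrete why a literal PCR 7 policy breaks on a dbx update while a signed PCR 11 policy does not, here is an added example (not systemd's code): it replays constructed, clearly fake event logs through the SHA-256 PCR extend rule and checks both policy styles against them. The event strings, the HMAC standing in for systemd's asymmetric PCR signature, and the key are all constructed for illustration.

```python
import hashlib
import hmac

def pcr_extend(pcr: bytes, event: bytes) -> bytes:
    """TPM 2.0 PCR extend with SHA-256: PCR' = H(PCR || H(event))."""
    return hashlib.sha256(pcr + hashlib.sha256(event).digest()).digest()

def replay(events) -> bytes:
    """Recompute a PCR value from its event log, starting from the all-zero PCR."""
    pcr = bytes(32)
    for event in events:
        pcr = pcr_extend(pcr, event)
    return pcr

# Constructed stand-ins for what firmware measures into PCR 7: Secure Boot state, the
# PK/KEK/db/dbx variables, then the certificate that authorised the boot loader.
PCR7_EVENTS = [b"SecureBoot=1", b"PK", b"KEK", b"db", b"dbx:revocations-2024", b"authority:shim"]
# The same machine after fwupd ships a newer dbx: one event changes, so the digest changes.
PCR7_EVENTS_AFTER_DBX_UPDATE = [b"dbx:revocations-2025" if e.startswith(b"dbx:") else e
                                for e in PCR7_EVENTS]
# Constructed stand-in for PCR 11: UKI sections measured by the stub, then a boot phase.
PCR11_EVENTS = [b".linux", b".initrd", b".cmdline", b"enter-initrd"]

def literal_policy_ok(sealed_to: bytes, current_events) -> bool:
    """Literal PCR policy: the secret unseals only if the PCR equals the enrolled digest."""
    return hmac.compare_digest(sealed_to, replay(current_events))

# Stand-in for a signed PCR policy: enrollment trusts a key rather than a digest, and the
# UKI builder publishes (expected PCR 11, signature) for every UKI it ships. HMAC stands in
# for the asymmetric signature systemd actually uses, so one key appears on both sides here.
DEMO_KEY = b"constructed-demo-key"

def sign_pcr11(uki_events) -> tuple:
    expected = replay(uki_events)
    return expected, hmac.new(DEMO_KEY, expected, "sha256").digest()

def signed_policy_ok(signed: tuple, current_events) -> bool:
    expected, sig = signed
    sig_ok = hmac.compare_digest(hmac.new(DEMO_KEY, expected, "sha256").digest(), sig)
    return sig_ok and hmac.compare_digest(expected, replay(current_events))

def demo() -> dict:
    sealed = replay(PCR7_EVENTS)           # what a literal PCR 7 enrollment pins
    signed = sign_pcr11(PCR11_EVENTS)      # what the UKI builder publishes for this UKI
    return {
        "literal_pcr7_before": literal_policy_ok(sealed, PCR7_EVENTS),
        "literal_pcr7_after_dbx": literal_policy_ok(sealed, PCR7_EVENTS_AFTER_DBX_UPDATE),
        # PCR 11 does not contain dbx, so the signed UKI policy survives the firmware update
        "signed_pcr11_after_dbx": signed_policy_ok(signed, PCR11_EVENTS),
        # a different UKI or boot phase gives a different PCR 11; no published signature covers it
        "signed_pcr11_other_phase": signed_policy_ok(signed, PCR11_EVENTS[:-1] + [b"exit-initrd"]),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'unseals' if ok else 'fails'}")
```

The literal policy fails the moment any PCR 7 input moves, which after a dbx push is exactly the case the commit describes; the signed policy only cares that the running UKI's PCR 11 value carries a signature from the trusted key, so the UKI builder can keep shipping new kernels without re-enrolling the disk.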
Devilish Spirits [Wed, 29 Jan 2025 20:54:27 +0000 (21:54 +0100)]
Fix inversion of timesyncd_usec/epoch_usec variables in clock-warp.c
In clock_apply_epoch() function, the /usr/lib/clock-epoch timestamp was set to timesyncd_usec instead of epoch_usec and vice-versa which produced a misleading log message about the clock source systemd used for early clock sanitization. This trivial commit fixes the mistake.
Daan De Meyer [Wed, 29 Jan 2025 13:44:27 +0000 (14:44 +0100)]
ukify: Calculate section size more correctly
We should only use Misc_VirtualSize if it's smaller than SizeOfRawData,
since in that case it'll be the non-aligned section size. Otherwise we
have to use SizeOfRawData to get the size on disk.
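The rule in that commit message, as an added example in Python (ukify's language) that is not ukify's own code: parse an IMAGE_SECTION_HEADER and pick the on-disk size as "Misc_VirtualSize only when it is smaller than SizeOfRawData, otherwise SizeOfRawData". The two section headers are constructed inline; the section names and offsets are made up for illustration.

```python
import struct

# IMAGE_SECTION_HEADER is 40 bytes: Name[8], VirtualSize, VirtualAddress, SizeOfRawData,
# PointerToRawData, PointerToRelocations, PointerToLinenumbers, NumberOfRelocations,
# NumberOfLinenumbers, Characteristics (all little-endian).
SECTION_HEADER = struct.Struct("<8sIIIIIIHHI")

def section_size(misc_virtual_size: int, size_of_raw_data: int) -> int:
    """Number of the section's bytes that actually exist in the file.

    SizeOfRawData is rounded up to FileAlignment, so when VirtualSize is smaller it is
    the exact, unaligned size and the tail of the raw data is just padding. When
    VirtualSize is larger (uninitialised data, or padding to SectionAlignment) only
    SizeOfRawData bytes are on disk and reading VirtualSize bytes would run past them.
    """
    if misc_virtual_size < size_of_raw_data:
        return misc_virtual_size
    return size_of_raw_data

def parse_section_header(raw: bytes) -> dict:
    (name, virtual_size, virtual_address, size_of_raw_data, pointer_to_raw_data,
     _relocs, _linenos, _nrelocs, _nlinenos, characteristics) = SECTION_HEADER.unpack(raw)
    return {
        "name": name.rstrip(b"\0").decode("ascii", "replace"),
        "virtual_size": virtual_size,
        "virtual_address": virtual_address,
        "size_of_raw_data": size_of_raw_data,
        "pointer_to_raw_data": pointer_to_raw_data,
        "characteristics": characteristics,
        "on_disk_size": section_size(virtual_size, size_of_raw_data),
    }

def make_section_header(name: bytes, virtual_size: int, virtual_address: int,
                        size_of_raw_data: int, pointer_to_raw_data: int) -> bytes:
    """Build a header for the constructed samples below (characteristics: code, readable)."""
    return SECTION_HEADER.pack(name.ljust(8, b"\0"), virtual_size, virtual_address,
                               size_of_raw_data, pointer_to_raw_data, 0, 0, 0, 0, 0x40000020)

# Constructed: a .linux section whose real payload is 0x1234 bytes, padded to 0x1400 on disk.
LINUX_HDR = make_section_header(b".linux", 0x1234, 0x1000, 0x1400, 0x400)
# Constructed: a section with 0x5000 bytes of virtual size but only 0x800 bytes in the file.
BSS_HDR = make_section_header(b".bss", 0x5000, 0x3000, 0x800, 0x1800)

def extract_section(pe_image: bytes, header: dict) -> bytes:
    """Slice exactly the bytes the section owns in the file, using the corrected size."""
    start = header["pointer_to_raw_data"]
    return pe_image[start:start + header["on_disk_size"]]

if __name__ == "__main__":
    for raw in (LINUX_HDR, BSS_HDR):
        h = parse_section_header(raw)
        print(f'{h["name"]:8s} VirtualSize=0x{h["virtual_size"]:x} '
              f'SizeOfRawData=0x{h["size_of_raw_data"]:x} -> on disk 0x{h["on_disk_size"]:x}')
```

Getting this wrong in either direction matters for a UKI tool: too large and you read past the section into whatever follows it, too small and you silently truncate the payload you are about to hash or copy.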
userdb: move filter of user/group records to the varlink server side (#36133)
In v257 userdbctl gained support for filtering user records with fuzzy
matching and some other parameters. It was done on the client side only.
This PR adds server-side matching, by extending the generic userdb
varlink api.
The api is generic and may have many other implementors, hence care is
taken to fall back to exclusively client side filtering in case the
service does not support the new parameters.
In fact I even opted to not actually implement server-side filtering in
any services but systemd-userdbd.service, because it's probably not too
much of an optimization in relevant services (we might want to revisit this
later). By implementing it in userdbd the primary entrypoint for userdb
is however covered: the multiplexer interface which provides a single
interface for the multitude of backends. Or in other words: the
multiplexer itself supports server-side filtering even if its own
backends don't, and will hide this neatly away.
One nice side effect from not implementing server side filtering for all
our backends is that the fallback codepaths are comprehensively tested.
Note that this adds some unit tests but not new integration test for all
this, as the filtering tests for userdbctl already existed before, we
just move their implementation from the client to the server side.
Yu Watanabe [Tue, 28 Jan 2025 19:16:20 +0000 (04:16 +0900)]
network: bridge: add support for configuring locked ports (#36150)
"Recently" (as of 5.18) the Linux kernel gained the ability of locking
bridge ports to restrict network access to authenticated hosts only.
This is implemented by disabling automated learning and dropping
incoming traffic from unknown hosts. User space is then expected to add
fdb entries for authenticated hosts. Once an fdb entry exists, traffic for
that host will be forwarded as expected.
This was later extended with "Mac Authentication Bypass", where the
locking was extended to fdb entries. In this mode the kernel adds fdb
entries again automatically, but they are locked by default.
To properly configure this, add two network options and one netdev
option:
* `LinkLocalLearning=` to prevent the kernel from creating unlocked
entries based on link-local traffic, which would bypass any
authentication. Needed when enabling learning on a locked port.
* `Locked=` to allow setting a bridge port to locked.
* `MACAuthenticationBypass=` to allow enabling Mac Authentication
Bypass on a port. Requires learning to be enabled on the port as well
(and consequently `LinkLocalLearning` disabled on the bridge).
An authenticator (e.g. hostapd) is still needed to do the actual
authentication, the kernel only provides the access control.
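What follows is an added, deliberately simplified model of the kernel behaviour described above; it is neither kernel nor systemd code. It shows the three states a practitioner has to reason about: a locked port drops frames from MACs that have no unlocked fdb entry, MAB records unknown MACs as locked entries for the authenticator to act on, and link-local learning, if left enabled, creates ordinary unlocked entries from EAPOL-style frames and so bypasses authentication. The MAC addresses and port names are constructed, and the mapping of fields to the new options in the comments is this editor's reading of the commit messages.

```python
from dataclasses import dataclass, field

# 802.1D reserved group addresses 01:80:c2:00:00:00..0f are link-local; EAPOL uses ..:03
LINK_LOCAL_PREFIX = "01:80:c2:00:00:0"
EAPOL_DST = "01:80:c2:00:00:03"
H1 = "02:00:00:00:00:01"            # constructed host MAC
BROADCAST = "ff:ff:ff:ff:ff:ff"

@dataclass
class FdbEntry:
    port: str
    locked: bool   # True: created by MAB, host not yet authenticated

@dataclass
class PortConfig:
    learning: bool = True   # .network [Bridge] Learning=
    locked: bool = False    # .network [Bridge] Locked=
    mab: bool = False       # .network [Bridge] MACAuthenticationBypass= (needs learning)

@dataclass
class Bridge:
    link_local_learning: bool = True        # .netdev [Bridge] LinkLocalLearning=; kernel default on
    ports: dict = field(default_factory=dict)
    fdb: dict = field(default_factory=dict)  # src MAC -> FdbEntry

def ingress(br: Bridge, port: str, src: str, dst: str) -> str:
    """Decide what the bridge does with a frame: 'local', 'drop' or 'forward'."""
    cfg = br.ports[port]
    entry = br.fdb.get(src)
    if dst.lower().startswith(LINK_LOCAL_PREFIX):
        # Link-local frames (EAPOL, STP, LLDP) are handed to the bridge itself, skipping the
        # locked check so the authenticator can see them. Unless NO_LL_LEARN is set, the
        # kernel also learns the source MAC here, as an ordinary UNLOCKED entry.
        if cfg.learning and br.link_local_learning and entry is None:
            br.fdb[src] = FdbEntry(port, locked=False)
        return "local"
    if cfg.locked and (entry is None or entry.port != port or entry.locked):
        if entry is None and cfg.mab and cfg.learning:
            br.fdb[src] = FdbEntry(port, locked=True)   # MAB: remember the MAC, keep it locked
        return "drop"
    if cfg.learning and entry is None:
        br.fdb[src] = FdbEntry(port, locked=False)
    return "forward"

def authenticate(br: Bridge, port: str, mac: str) -> None:
    """The authenticator's job (e.g. hostapd after 802.1X or MAB succeeds): install an
    unlocked fdb entry, which is what actually admits the host."""
    br.fdb[mac] = FdbEntry(port, locked=False)

def scenario_locked(mab: bool) -> list:
    """Unknown host on a locked port, then admitted by the authenticator."""
    br = Bridge(link_local_learning=False)
    br.ports["p1"] = PortConfig(learning=mab, locked=True, mab=mab)
    result = [ingress(br, "p1", H1, BROADCAST)]
    result.append(H1 in br.fdb and br.fdb[H1].locked)   # MAB leaves a locked entry behind
    authenticate(br, "p1", H1)
    result.append(ingress(br, "p1", H1, BROADCAST))
    return result

def scenario_ll_bypass(link_local_learning: bool) -> str:
    """MAB port (learning on). An EAPOL frame arrives, then a data frame from the same MAC
    with no authentication having happened. With link-local learning left on, the data
    frame is forwarded anyway."""
    br = Bridge(link_local_learning=link_local_learning)
    br.ports["p1"] = PortConfig(learning=True, locked=True, mab=True)
    ingress(br, "p1", H1, EAPOL_DST)
    return ingress(br, "p1", H1, BROADCAST)

if __name__ == "__main__":
    print("locked, no MAB: ", scenario_locked(mab=False))
    print("locked + MAB:   ", scenario_locked(mab=True))
    print("LL learning on: ", scenario_ll_bypass(True))
    print("LL learning off:", scenario_ll_bypass(False))
```

The last scenario is the reason `LinkLocalLearning=no` is called out as a requirement: with MAB you must turn learning on for the port, and at that point only the bridge-level option stops an unauthenticated host from admitting itself by sending a single EAPOL frame.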
Luca Boccassi [Tue, 28 Jan 2025 17:33:39 +0000 (17:33 +0000)]
wait-online: add initial support for waiting for DNS (#34640)
Add a new flag, `--dns`, to systemd-networkd-wait-online to allow
waiting for DNS to be configured. The `--dns` flag respects the `--ipv4`
and `--ipv6` flags, as well as `--interface=` and `--any`.
Daan De Meyer [Tue, 28 Jan 2025 08:38:26 +0000 (09:38 +0100)]
ukify: Add --sign-profile
Let's allow configuring which UKI profiles we generate signed PCR
measurements for since there are various types of profiles for
which we do not want to generate signed PCR measurements so that they
can not unlock the encrypted rootfs.
Nick Rosbrook [Thu, 19 Sep 2024 19:59:50 +0000 (15:59 -0400)]
wait-online: add support for waiting for DNS configuration
Add a new flag to systemd-networkd-wait-online, --dns, to allow waiting
for DNS to be configured.
DNS is considered configured when at least one DNS server is accessible.
If a link has the property DefaultRoute=yes (either by explicit
configuration, or because there are no routing-only domains), or if the
search domain '.' is configured, wait for link-specific DNS to be
configured. Otherwise, global DNS servers may be considered.
Jonas Gorski [Fri, 24 Jan 2025 12:15:06 +0000 (13:15 +0100)]
network: bridge: add support for IFLA_BRPORT_MAB
Since linux commit a35ec8e38cdd1766f29924ca391a01de20163931 ("bridge:
Add MAC Authentication Bypass (MAB) support"), included since v6.2, it
is possible to enable MAC Authentication Bypass for bridge ports. In
this mode the locked port learns again, but the learned fdb entries are
locked, allowing user space to unlock hosts based on seen MAC addresses.
This requires learning to be enabled on the port, and link-local
learning disabled for the bridge.
Add support to systemd-networkd for setting the new attribute for bridge
ports.
Jonas Gorski [Mon, 2 Dec 2024 10:54:09 +0000 (11:54 +0100)]
network: bridge: add support for IFLA_BRPORT_LOCKED
Since linux commit a21d9a670d81103db7f788de1a4a4a6e4b891a0b ("net:
bridge: Add support for bridge port in locked mode"), included since
v5.18, it is possible to set bridge ports to locked.
Locked ports do not learn automatically, and discard any traffic from
unknown source MACs. To allow traffic, the userspace authenticator is
expected to create fdb entries for authenticated hosts.
Add support to systemd-networkd for setting the new attribute for bridge
ports.
Jonas Gorski [Tue, 10 Dec 2024 15:45:20 +0000 (16:45 +0100)]
network: bridge: add support for NO_LL_LEARN
When using locked ports on a bridge, link-local learning needs to be
disabled to prevent the kernel from learning and automatically unlocking
hosts based on link-local traffic.
So add support for enabling NO_LL_LEARN for bridges.
Adam Williamson [Fri, 10 Jan 2025 21:01:47 +0000 (13:01 -0800)]
kbd-model-map: add a georgian mapping
https://github.com/legionus/kbd/pull/127 adds a Georgian mapping
to kbd. console-setup already has one. Let's support it here, so
it's used for Georgian installs on distros that use this table.
Signed-off-by: Adam Williamson <awilliam@redhat.com>
Nick Rosbrook [Fri, 11 Oct 2024 18:44:44 +0000 (14:44 -0400)]
resolved: add SubscribeDNSConfiguration to varlink API
Add a new method to io.systemd.Resolve.Monitor that allows subscribing
to changes in the systemd-resolved DNS configuration. The new method
emits the full DNS configuration (one entry for global configuration,
and one entry for each interface), any time the configuration is
updated.
userdbd: implement server side filtering in the Multiplexer API
This implements server side filtering in userdbd's multiplexer logic.
Note that this means that even if some backend doesn't support it
natively the multiplexer will deal with it and apply the filtering as
necessary.
userdb: move UserDBMatch handling from userdbctl into generic userdb code to allow it to be done server side
This moves around the UserDBMatch handling, moves it out of userdbctl
and into generic userdb code, so that it can be passed to the server
side, to allow server side filtering.
This is preparation for one day allowing complex software to do such
filtering server side, and thus reducing the necessary traffic.
Right now no server side actually knows this, hence care is taken to
downgrade to the userdb varlink API as it was in v257 in case the new
options are not understood. This retains compatibility with any
implementation hence.
varlink: add new calls for server-side user record filtering to varlink IDL + to spec
This is preparation for adding server side filtering to the userdb
logic: it adds some fields for this to the userdb varlink API. This only
adds the IDL for it, no client will use it for now, no server implement
it. That's added in later commits.
Nick Rosbrook [Fri, 24 Jan 2025 20:42:38 +0000 (15:42 -0500)]
udev: add input/by-{id,path} symlinks for hidraw devices
Take some of the same rule structure from 60-persistent-input.rules, and
apply it to hidraw devices in 60-persistent-hidraw.rules.
Since one of the motivations for this is being able to easily reference
FIDO tokens, add a special case when ID_FIDO_TOKEN==1, and add 'fido'
to the symlink.
Nick Rosbrook [Thu, 14 Nov 2024 19:31:07 +0000 (14:31 -0500)]
resolved: add link_get_default_route helper
The dbus property getter for DefaultRoute does not simply check
link->default_route. Instead, if l->default_route is not explicitly
configured, it checks dns_scope_is_default_route(l->unicast_scope).
Add a link_get_default_route() helper with this logic so that it can be
used for consistency.
Nick Rosbrook [Tue, 15 Oct 2024 20:30:52 +0000 (16:30 -0400)]
resolved: add a helper to check if DNS server is accessible
We check this by opening a UDP socket and attempting to connect. We do
not send any traffic on it, but this will tell us if there are routes to
the DNS server.
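The accessibility check described here, plus the link-versus-global rule from the wait-online commit further up, as an added example (not systemd-resolved's or wait-online's code): a UDP connect() puts nothing on the wire, it only asks the kernel to pick a route, so failure means "no route", not "no resolver". The argument layout of `dns_configured()` and its reading of the DefaultRoute / '.' rule are this editor's interpretation; the loopback address used in the usage is constructed so the example runs offline.

```python
import errno
import socket

def dns_server_accessible(address: str, port: int = 53) -> bool:
    """Return True when the kernel has a route to the server.

    connect() on a UDP socket only binds the socket to a destination; no packet leaves
    the host. If no route exists it fails with ENETUNREACH or EHOSTUNREACH, so this is a
    routing check, not a liveness check: it cannot tell whether a resolver is listening.
    """
    family = socket.AF_INET6 if ":" in address else socket.AF_INET
    try:
        with socket.socket(family, socket.SOCK_DGRAM) as s:
            s.connect((address, port))
            return True
    except OSError as e:
        if e.errno in (errno.ENETUNREACH, errno.EHOSTUNREACH, errno.EADDRNOTAVAIL):
            return False
        raise  # anything else (malformed address, out of fds) is a caller bug, not "no route"

def dns_configured(link_servers, link_is_default_route, link_search_domains, global_servers) -> bool:
    """Reading of the wait-online rule: a link that is a DNS default route, or that carries
    the '.' search domain, must have an accessible server of its own; any other link may
    also be satisfied by a global server."""
    candidates = list(link_servers)
    if not (link_is_default_route or "." in link_search_domains):
        candidates.extend(global_servers)
    return any(dns_server_accessible(a) for a in candidates)

if __name__ == "__main__":
    # 127.0.0.1 is routable on any host with a loopback interface, whether or not a
    # resolver listens there, which is exactly the distinction the check does not make.
    print("route to 127.0.0.1:53 ->", dns_server_accessible("127.0.0.1"))
    print("default-route link, only global servers ->",
          dns_configured([], True, [], ["127.0.0.1"]))
    print("non-default link, global servers allowed ->",
          dns_configured([], False, ["corp.example"], ["127.0.0.1"]))
```

Because only routes are consulted, a captive-portal or a dead resolver still counts as "accessible"; if a caller needs to know the server answers, that has to be a separate query with a timeout.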
No functional change. Make it more clear that these varlink connections
are subscribed to query results. This prepares for adding SubscribeDNS
to the varlink API.
16mc1r [Mon, 27 Jan 2025 13:01:05 +0000 (14:01 +0100)]
Adds asus T103HAF rotation matrix to 60-sensor.hwdb (#36177)
Rotation Matrix to enable correct auto-rotation with
[iio-sensor-proxy](https://gitlab.freedesktop.org/hadess/iio-sensor-proxy/)
on an Asus Transformer Mini T103HAF with iio-sensor `HID-SENSOR-200073`.
- Tested on KDE Plasma Mobile (Fedora 41), details see inxi report.
Device Details:
- low powered 2in1 convertible with 10.1" screen size, 4core atom cpu
and 4gb ram. Useful as x86 based tablet with stylus for annotation and
reading.
- [official asus website for the
device](https://www.asus.com/us/laptops/for-home/everyday-use/asus-transformer-mini-t103/)
Yu Watanabe [Fri, 24 Jan 2025 19:05:51 +0000 (04:05 +0900)]
machine: revert type change of "leader" in io.systemd.Machine.Register method
The varlink method io.systemd.Machine.Register() is in v256, hence type
of "leader" cannot be changed.
Let's revert the change by 755cb018c9b3e93245afb86ec94223756ddd70e4, and
introduce another field "leaderProcessId", which takes detailed information
of the process.
Yu Watanabe [Sun, 26 Jan 2025 20:17:44 +0000 (05:17 +0900)]
network/dhcp4: create prefix route and route to gateway in the specified table with Gateway=_dhcp4
Previously, the following setting
====
[Route]
Gateway=_dhcp4
Table=100
====
only configured the route in the specified table. But it was mostly
useless. This makes the prefix route and the route to the gateway also be
configured in the specified table.
Before:
====
$ ip route show table 100
default via 192.168.0.1 dev eth0 proto dhcp metric 1024
====
After:
====
$ ip route show table 100
default via 192.168.0.1 dev eth0 proto dhcp metric 1024
192.168.0.0/24 dev eth0 proto dhcp src 192.168.0.100 metric 1024
192.168.0.1 dev eth0 proto dhcp scope link src 192.168.0.100 metric 1024
====
Yu Watanabe [Sun, 26 Jan 2025 20:15:48 +0000 (05:15 +0900)]
network/route: adjust configuration source based on Gateway= setting
If Gateway=_dhcp4/_ra, the route will be anyway configured with
NETWORK_CONFIG_SOURCE_DHCP4/_NDISC. See dhcp4_request_route() and
ndisc_route_prepare().
This is mostly for avoiding link_drop_routes(), which drops unnecessary static
and/or foreign routes, unexpectedly filtering an existing route with the
route specified with Gateway=_dhcp4/_ra.
Mike Yuan [Sun, 26 Jan 2025 00:32:42 +0000 (01:32 +0100)]
terminal-util: stop doing 0/upper bound check in tty_is_vc()
tty_is_vc() is more often than not used for simple "categorization"
than validity check. E.g. in logind, we first recognize the tty
"looks like vc", and then use vtnr_from_tty() where range check
is performed and vtnr is extracted. In such cases, we want to reject
invalid vtnr from clients rather than silently carry on, hence
let's remove bound check in tty_is_vc().
Luca Boccassi [Fri, 24 Jan 2025 23:37:33 +0000 (23:37 +0000)]
man: fix reference to non-existing ukify parameter
The --extend parameter was removed by https://github.com/systemd/systemd/pull/34608
and a --join-profile was added instead, fix leftover reference in manpage
Yu Watanabe [Sat, 25 Jan 2025 00:33:58 +0000 (09:33 +0900)]
libmount-util: introduce two helper functions
This introduces libmount_parse_mountinfo() and libmount_parse_with_utab().
The former one parses only mountinfo, but the latter one also parses
utab. Hopefully this avoids pitfalls like issue #35949.
homed: when setting up an idmapping map foreign UID range on itself
Now that nspawn can run unprivileged off directory trees owned by
the new "foreign" UID range let's make sure homed actually allows
files owned by that range in the home directories.
This is not enough to make nspawn just work in homed home dirs
unfortunately though. That's because homed applies an idmapping, and
nspawn would then need to take that idmapped mount and apply another
one, and the kernel simply doesn't support stacked idmapped mounts.
There's work ongoing to address that in the kernel.
However, this is a first step, and should be enough to make things just
work should the kernel eventually support stacked idmapped mounts.
Daan De Meyer [Fri, 24 Jan 2025 16:28:15 +0000 (17:28 +0100)]
HACKING: Move OBS section further down
HACKING.md should first and foremost tell someone how to hack on
systemd, installing packages from OBS isn't the most likely section
a new contributor will be interested in, so let's move it further
down.