journal-file: let's make journal_file_copy_entry() robust against concurrent writing of the source
As usual, we need to protect ourselves against concurrent modification
of journal files. We a pretty good at that these days when reading
journal files. But journal_file_copy_entry() so far wasn't too good with
that. journal_file_append_data() so far returned EINVAL when you pass
invalid data to it. Since we pass the source data as-is in there, it's
going to fail if the journal source file is slightly invalid due to a
concurrent update.
Hence, we need to validate data gracefully here that we think comes from
a safe place, because actually it doesn't, it's directly copied from an
unsafe journal file.
Hence, let's introduce a clear error code here, and look for it in
journal_file_copy_entry(), and handle it gracefully.
Pretty sure this fixes #33372, but it's a race, so I don't know for
sure. If this remains reproducible we need to look at this again.
Let's rename the return parameters as "ret_xyz" systematically in
sd-login.
Also, let's make the return parameters systematically optional, like we
typically do these days. So far some where optional, other's weren't.
Let's clean this up.
Since 8065d02e263a ("copy: Fix error handling in fd_copy_directory()")
we immediately abort recursive copy operations on ENOSPC. Let's also
abort on the common case of filesystems not supporting fs-verity: if
it's unsupported for one file, it's unlikely to work for the 1000s that
follow it.
We do this by mapping the two fs-verity "not supported" errors (ENOTTY,
EOPNOTSUPP) to ESOCKTNOSUPPORT as a special "fs-verity not supported
here" error. When we see that error at the top level we exit
immediately.
This prevents us from having to see the same error message literally
thousands of time when using fsverity=copy with systemd-repart on a
filesystem which lacks the proper support.
Adjust the test-copy test case to expect the new errno. Previously this
test case would output multiple failure lines per `copy_tree_at()`
invocation (for the failing cases) but now it only outputs one.
Yu Watanabe [Tue, 3 Jun 2025 20:38:35 +0000 (05:38 +0900)]
TEST-17-UDEV: acquire SYS_UID_MAX/SYS_GID_MAX from userdbctl
Suse build systemd with -Dsystem-uid-max=499 -Dsystem-gid-max=499,
and seems to not provide /etc/login.defs file. See
https://github.com/bmwiedemann/openSUSE/blob/2dc224ae5d446e928519315f4d46f76d1e34b8a8/packages/s/systemd/systemd.spec
Yu Watanabe [Wed, 4 Jun 2025 09:14:52 +0000 (18:14 +0900)]
userdb: make ENOEXEC wins over ESRCH
Both ENOEXEC and ESRCH is a kind of error that indicate successful
lookup. ENOEXEC means the server found an entry but it does not
pass filter. ESRCH means the server could not find an entry.
Hence, ENOEXEC should have more information, and should be propagated to
the caller.
Reverted change broke EnterNamespace= completely. For example, libdw
tries to access libc in /lib64 which points to usr/lib64 and that fails.
Similarly for binaries, we need to be able to resolve /bin to usr/bin
and /sbin to usr/sbin at the very least.
Yu Watanabe [Wed, 4 Jun 2025 03:35:39 +0000 (12:35 +0900)]
sd-journal: replace sizeof(ObjectHeader) with offsetof(ObjectHeader, payload)
Note, the preceding fields have size that is a multiple of 8 bytes,
so the end of `.size` is aligned, thus
`offsetof(ObjectHeader, payload) == sizeof(ObjectHeader)`.
Yu Watanabe [Fri, 16 May 2025 17:25:36 +0000 (02:25 +0900)]
sd-journal: variable sized array cannot be used in ObjectHeader
The struct ObjectHeader is embedded in real object structs.
Hence, the existence of the flex array in ObjectHeader violates the
requirement that flex array must be at the end of struct.
pcrlock: add "is-supported" verb that checks if the local TPM supports the commands we need for pcrlock
systemd-pcrlock requires support for the PolicyAuthorizeNV command,
which is not implemented in the first TPM2 releases. We also strictly
require SHA-256 support. Hence add a tool for checking for both of
these.
This is a tighter version of "systemd-analyze has-tpm2", that checks for
the precise feature that systemd-pcrlock needs, on top of basic TPM2
functionality.
Yu Watanabe [Fri, 30 May 2025 19:30:43 +0000 (04:30 +0900)]
bus-unit-util: warn and ignore assignment of deprecated properties
With 5da476ac7728b91ad3a49c1b126b3559b4fbeed8, we refused to set the
properties, but this relaxes the behavior, and now commands warn and
ignore the assignment.
vmspawn: do not preserve access permissions and xattrs of template OVMF vars
This makes vmspawn work when /usr/share/qemu/edk2-i386-vars.fd is on
disk with 0444 permissions as is the case on NixOS.
The nix package manager does not store any access permissions, ownership,
timestamps, or extended attributes in its package format to increase
reproducibility. The only meta-data that is stored is the executable bit.
Thus when unpacking a nix package, the executable bit is preserved, but no other
access permissions are preserved and all files in /nix/store end up as
read-only.
This causes the template OVMF vars file to have 0444 permissions. If we preserve
those permissions when copying the template file to /tmp that means QEMU can not
write to the file and fails.
So lets not preserve permissions and keep the 0600 permissions that are set by
default.
Alex [Mon, 2 Jun 2025 22:47:49 +0000 (18:47 -0400)]
network: fix a potential divide-by-zero (#37705)
In function `tc_init`, hz is parsed from the content of file
`"/proc/net/psched"` and can be 0.
In function `hierarchy_token_bucket_class_verify`, hz is directly used
as a divisor in
`htb->buffer = htb->rate / hz + htb->mtu;` without any check. This adds a check on hz before using it as a divisor.
I wanted to see if moving moving out constant string arguments our of
error messages results in smaller binary sizes. Turns out it does, but
the savings are not consistent. Sometimes we get a few kB in a single
binary, sometimes there is no size change.
Adrian Vovk [Wed, 21 May 2025 21:32:03 +0000 (17:32 -0400)]
Define uid range for greeter
In multi-seat scenarios, a display manager might need to start multiple
greeter sessions. But systemd allows at most one graphical session per
user. So, display managers now have a range of UIDs to dynamically
allocate users for their greeter sessions.
various: do not include file names directly in error messages
git grep -l 'Failed to open /'|xargs sed -r -i 's|"Failed to open (/[^ ]+): %m"|"Failed to open %s: %m", "\1"|g'
git grep -l $'Failed to open \'/'|xargs sed -r -i $'s|"Failed to open \'(/[^ ]+)\': %m"|"Failed to open %s: %m", "\\1"|g'
git grep -l "Failed to open /"|xargs sed -r -i $'s|"Failed to open (/[^ ]+), ignoring: %m"|"Failed to open %s, ignoring: %m", "\\1"|g'
+ some manual fixups.
repart: make CopyBlock=auto work for verity sig partitions
Note that this doesn't care which partition set (A or B in an A/B
scenario) is actually newer, it just picks the first suitable, but
that's something we should look into later. For now, let's just make
verity sig partitions work the same way as verity partitions.
Daan De Meyer [Sun, 1 Jun 2025 18:24:47 +0000 (20:24 +0200)]
repart: Apply verity-sig max size based on partition type
We already do this for partition_min_size(), let's do it for
partition_max_size() as well. This makes sure repart doesn't accidentally
try to grow verity sig partitions to larger sizes than the hardcoded
max size in systemd.
projects / thirdparty / systemd.git / log
