Commit Graph

9098 Commits

Author SHA1 Message Date
Yu Watanabe
20465bcb1e daemon-util: expose notify_push_fd()
It will be used in a later commit.
2024-11-05 02:55:15 +09:00
Franck Bui
c52f6c1f33 efi-loader: add missing stub for efi_stub_get_device_part_uuid() 2024-11-04 17:18:23 +00:00
Daan De Meyer
eac5336c27 openssl-util: Query engine/provider pin via ask-password
In mkosi, we want to support signing via a hardware token. We already
support this in systemd-repart and systemd-measure. However, if the
hardware token is protected by a pin, the pin is asked as many as 20
times when building an image as the pin is not cached and thus requested
again for every operation.

Let's introduce a custom openssl ui when we use engines and providers
and plug systemd-ask-password into the process. With systemd-ask-password,
the pin can be cached in the kernel keyring, allowing us to reuse it without
querying the user again every time to enter the pin.

We use the private key URI as the keyring identifier so that the cached pin
can be shared across multiple tools.

Note that if the private key is pin protected, openssl will prompt both when
loading the private key using the pkcs11 engine and when actually signing the
roothash. To make sure our custom UI is used when signing the roothash, we have
to also configure it with ENGINE_ctrl() which takes a non-owning pointer to
the UI_METHOD object and its userdata object which we have to keep alive so we
introduce a new AskPasswordUserInterface struct which we use to keep both objects
alive together with the EVP_PKEY object.

Because the AskPasswordRequest struct stores non-owning pointers to its fields,
we change repart to store the private key URI as a global variable again instead
of the EVP_PKEY object so that we can use the private key argument as the keyring
field of the AskPasswordRequest instance without running into lifetime issues.
2024-11-03 10:46:14 +01:00
Daan De Meyer
d5c12da904 efivars: Remove STRINGIFY() helper macros
The names of these conflict with macros from efi.h that we'll move
to efi-fundamental.h in a later commit. Let's avoid the conflict by
getting rid of these helpers. Arguably this also improves readability
by clearly indicating we're passing arbitrary strings and not constants
to the macros when we invoke them.
2024-11-02 23:20:57 +01:00
Daan De Meyer
36c6c696a7 ask-password: Add $SYSTEMD_ASK_PASSWORD_KEYRING_TYPE
Currently ask_password_auto() will always try to store the password into
the user keyring. Let's make this configurable so that we can configure
ask_password_auto() into the session keyring. This is required when working
with user namespaces, as the user keyring is namespaced by user namespaces
which makes it impossible to share cached keys across user namespaces by using
the user namespace while this is possible with the session keyring.
2024-11-02 23:20:57 +01:00
Daan De Meyer
01d138b990 ask-password: Drop "default" for SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC
Users can simply unset the environment variable to achieve the same effect.
2024-11-02 23:20:57 +01:00
Daan De Meyer
b3bca11c18 ask-password: Use default timeout if SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC is unset
Follow-up for d9f4dad986
2024-11-02 23:20:57 +01:00
Ronan Pigott
f4092cb974 pam: quiet a spurious debug message
This singular debug message gets printed even if debug is not enabled.
Quiet this message when debug is not enabled for consistency.
2024-11-02 22:47:17 +09:00
Luca Boccassi
5cae569818 user-record: add missing comma to list of strings
Follow-up for ad03f2d5f0
2024-11-02 22:46:45 +09:00
Luca Boccassi
89099136d7 machine: introduce io.systemd.MachineImage.{Clone, Remove} methods (#34853)
This PR introduces io.systemd.MachineImage.Clone and Remove methods.
They are 1:1 mapping to DBus alternatives.
2024-11-02 12:06:23 +00:00
Andres Beltran
eae5127246 core: add id-mapped mount support for Exec directories 2024-11-01 18:45:28 +00:00
Ivan Kruglov
cc060c2910 machine: reuse VARLINK_DEFINE_IMAGE_LOOKUP_AND_POLKIT_FIELDS in io.systemd.MachineImage.Update declaration 2024-11-01 15:30:39 +01:00
Ivan Kruglov
1663455b63 machine: introduce io.systemd.MachineImage.Remove method 2024-11-01 15:30:39 +01:00
Ivan Kruglov
38a0cf4172 machine: introduce io.systemd.MachineImage.Clone method 2024-11-01 15:30:34 +01:00
Luca Boccassi
d86e9b64e4 tweaks to ANSI sequence (OSC) handling (#34964)
Fixes: #34604

Prompted by that I realized we do not correctly recognize both "ST"
sequences we want to recognize, fix that.
2024-11-01 11:18:57 +00:00
Luca Boccassi
1006022e4c Homed update policy: user changing own settings (#31153)
Rework of #30109 to deal with changes in #30840 and discussed changes to
behavior

Depends on and includes #30840 

Fixes https://github.com/systemd/systemd/issues/34268
2024-11-01 11:14:04 +00:00
Luca Boccassi
890bdd1d77 core: add read-only flag for exec directories
When an exec directory is shared between services, this allows one of the
service to be the producer of files, and the other the consumer, without
letting the consumer modify the shared files.
This will be especially useful in conjunction with id-mapped exec directories
so that fully sandboxed services can share directories in one direction, safely.
2024-11-01 10:46:55 +00:00
Adrian Vovk
a192250eda homed: Allow user to change parts of their record
This allows an unprivileged user that is active at the console to change
the fields that are in the selfModifiable allowlists (introduced in a
previous commit) without authenticating as a system administrator.

Administrators can disable this behavior per-user by setting the
relevant selfModifiable allowlists, or system-wide by changing the
policy of the org.freedesktop.home1.update-home-by-owner Polkit action.
2024-11-01 10:41:46 +00:00
Adrian Vovk
ad03f2d5f0 user-record: Introduce selfModifiable fields
Allows the system administrator to configure what fields the user is
allowed to edit about themself, along with hard-coded defaults.
2024-11-01 10:41:46 +00:00
Lennart Poettering
811aa36ab6 iovw: add simpler iovw_done() destructor 2024-10-31 23:08:11 +01:00
Lennart Poettering
0367424786 terminal-util: define ANSI_OSC as macro for the OSC terminal sequence prefix 2024-10-31 11:38:18 +01:00
Lennart Poettering
de0ebee637 ptyfwd: document why we only honour two of the three kinds of ST 2024-10-31 11:38:18 +01:00
Lennart Poettering
b8311af810 tree-wide: prefer generating 0x1B 0x5C as ANSI sequence "ST"
OSC sequences can be closed with one of three terminators:

1. ASCII code 7, aka BEL, aka ^G, aka \x07, aka \a
2. ASCII code 156, aka \x9c
2. Pair of ASCII code 27 followed by ASCII code 92, aka \x1b\x5c

Of these, in some corner case scenarios BEL makes problem (see #34604).
Hence switch away from that wherever we use it, and prefer the \x1b\x5c
instead. That's preferable over \x9c, since the latter is also a valid
UTF-8 codepoint. See discussion here for example:

https://gist.github.com/egmontkob/eb114294efbcd5adb1944c9f3cb5feda#the-escape-sequence

Fixes: #34604
2024-10-31 11:38:08 +01:00
Lennart Poettering
f2ef9f7760 Fix display of qrcodes by bsod and other related cleanups (#34914) 2024-10-30 17:44:40 +01:00
Daan De Meyer
d9f4dad986 ask-password: Allow configuring the keyring timeout via an environment variable
In mkosi, we want an easy way to set the keyring timeout for every
tool we invoke that might use systemd-ask-password to query for a
password which is then stored in the kernel keyring. Let's make this
possible via a new $SYSTEMD_ASK_PASSWORD_KEYRING_TIMEOUT_SEC environment
variable.

Using an environment variable means we don't have to modify every separate
tool to add a CLI option allowing to specify the timeout. In mkosi specifically,
we'll set up a new session keyring for the mkosi process linked to the user keyring
so that any pins in the user keyring are used if available, and otherwise we'll query
for and store password in mkosi's session keyring with a zero timeout so that they stay
in the keyring until the mkosi process exits at which point they're removed from the
keyring.
2024-10-30 17:43:53 +01:00
Daan De Meyer
b6fed18772 pretty-print: add format-string version of draw_progress_bar() (#34939)
We often format the prefix string via asprintf() before, let's hence add
a helper for that.
2024-10-30 10:26:48 +01:00
Lennart Poettering
5c11f6e0a9 core/service: support sd_notify() MAINPIDFD=1 and MAINPIDFDID= (#34932) 2024-10-30 08:45:25 +01:00
Lennart Poettering
91d640435d pretty-print: add format-string version of draw_progress_bar()
We often format the prefix string via asprintf() before, let's hence add
a helper for that.
2024-10-29 21:37:26 +01:00
Lennart Poettering
21abc0a943 pretty-print: rename draw_progress_bar_impl()→draw_progress_bar_unbuffered() 2024-10-29 21:37:26 +01:00
Mike Yuan
68d9aa7ede shared/fdset: minor modernization 2024-10-29 18:38:42 +01:00
Lennart Poettering
07b869b9c1 progress-bar: issue Windows Terminal progress indicating ANSI sequences
This generates the Windows Terminal OSC sequences indicating progress.
This let's the terminal know that we are doing a slow operation, and how
we are progressing.

Windows Terminal uses this in two ways: it shows a circle in the tab
that completes, and it highlights the progress in the task bar.

I found no Linux terminal that currently supports it, but also none that
didn't like it. Thankfully most terminals correctly ignore unrecognized
OSC sequences.

I think we should just merge this, and see if this trips up too many
people, but I have reason to believe this shouldn't be too bad.

And yes, I do work from Windows Terminal sometimes, ssh into my Linux
build systems, and it is really cute seeing the progress animation
there.
2024-10-29 15:54:08 +01:00
Lennart Poettering
815569791f Merge pull request #34391 from poettering/dns-long-label-fix
resolved: fixes when trying to serialize overly long DNS names
2024-10-29 10:47:14 +01:00
Zbigniew Jędrzejewski-Szmek
439306da8b qrcode-util: avoid memleak in error path 2024-10-29 09:41:54 +01:00
Zbigniew Jędrzejewski-Szmek
5a64c86936 bsod: do not check for color support
When invoked on a running system, bsod would not print the qrcode.
The check for "color support" on stdout is pointless, since we're not
printing to stdout but to a terminal fd that is opened separately.
2024-10-29 09:41:23 +01:00
Yu Watanabe
feb9ccb56e Merge pull request #34633 from keszybz/sd-json-enum-formatting
Add sd_json_format_enabled() helper
2024-10-29 03:29:03 +09:00
Ryan Wilson
cd58b5a135 cgroup: Add support for ProtectControlGroups= private and strict
This commit adds two settings private and strict to
the ProtectControlGroups= property. Private will unshare the cgroup
namespace and mount a read-write private cgroup2 filesystem at /sys/fs/cgroup.
Strict does the same except the mount is read-only. Since the unit is
running in a cgroup namespace, the new root of /sys/fs/cgroup is the unit's
own cgroup.

We also add a new dbus property ProtectControlGroupsEx which accepts strings
instead of boolean. This will allow users to use private/strict via dbus
and systemd-run in addition to service files.

Note private and strict fall back to no and yes respectively if the kernel
doesn't support cgroup2 or system is not using unified hierarchy.

Fixes: #34634
2024-10-28 08:37:36 -07:00
Zbigniew Jędrzejewski-Szmek
f0764b98e5 qrcode-util: add debug message to show why a qrcode wasn't printed 2024-10-28 14:04:06 +01:00
Zbigniew Jędrzejewski-Szmek
23441a3d88 sd-json,tree-wide: add sd_json_format_enabled() and use it everwhere
We often used a pattern like if (!FLAGS_SET(flags, SD_JSON_FORMAT_OFF)),
which is rather verbose and also contains a double negative, which we try
to avoid. Add a little helper to avoid an explicit bit check.

This change clarifies an aditional thing: in some cases we treated
SD_JSON_FORMAT_OFF as a flag (flags & SD_JSON_FORMAT_OFF), while in other cases
we treated it as an independent enum value (flags == SD_JSON_FORMAT_OFF).
In the first form, flags like SD_JSON_FORMAT_SSE do _not_ turn the json
output on, while in the second form they do. Let's use the first form
everywhere.

No functional change intended.

Initially I wasn't sure if this helper should be made public or just internal,
but it seems such a common pattern that if we expose the flags, we might just
as well expose it too, to make life easier for any consumers.
2024-10-28 09:23:07 +01:00
Integral
ddb8a639d5 tree-wide: replace for loop with FOREACH_ELEMENT or FOREACH_ARRAY macros (#34893) 2024-10-26 07:10:22 +09:00
Lennart Poettering
210fb8626f Merge pull request #34875 from poettering/userdbctl-filter
userdbctl: add some basic client-side filtering
2024-10-24 22:36:22 +02:00
Mike Yuan
4e69da071d Merge pull request #34799 from YHNdnzj/service-followups
core: follow-ups for live mount
2024-10-24 19:44:10 +02:00
Lennart Poettering
9bbc424a60 user-record: fix indentation 2024-10-24 10:17:35 +02:00
Lennart Poettering
ad5de3222f userdbctl: add some basic client-side filtering
This adds some basic client-side user/group filtering to "userdbctl":

1. by uid/gid min/max
2. by user "disposition" (i.e. show only regular users with "userdbctl
   user -R")
3. by fuzzy name (i.e. search by substring/levenshtein of user name,
   real name, and other identifiers of the user/group record).

In the long run we also want to support this server side, but let's
start out with doing this client-side, since many backends won't support
server-side filtering anytime soon anyway, so we need it in either case.
2024-10-24 10:17:23 +02:00
Lennart Poettering
8ed2c62d46 dns-domain: tweak hash table comparison function for DNS names
Currently, when comparing two DNS names when storing them in a
hashtable, and the DNS names are not actually valid we'll compare the
error codes.

This is not very smart however, since this means two invalid DNS names
that happen to be equally "invalid" will be considered identical, even
if their strings are entirely different.

Let's find a better solution for this niche case: let's simple compare
the domains as strings.

This matters in case of DNS label compression: if we already added added
an invalid DNS name into the label compression hash table, and lookup
any other invalid DNS name, this lookup will likely return what the
earlier one already returned, and that's confusing.
2024-10-23 10:22:28 +02:00
Mike Yuan
c240f293b8 shared/bus-util: debug log when falling back to session bus
Follow-up for d0316b7a0d
2024-10-22 19:19:46 +02:00
Lennart Poettering
3a7ae4ba62 shared: get rid of fileio-label.[ch]
Move the renaming function to reboot-util.h (since it writes out
/run/nologin at shutdown), and let's get rid of fileio-label.[ch] now
that it serves no purpose anymore.
2024-10-22 17:51:26 +02:00
Lennart Poettering
8eeb870971 fileio: port write_string_file() to LabelOps, and thus add WRITE_STRING_FILE_LABEL flag
Given that we have the LabelOps abstraction these days, we can teach
write_string_file() to use it, which means we can get rid of
fileio-label.[ch] as a separate concept.

(The only reason that fileio-label.[ch] exists independently of
fileio.[ch] was that the former linekd to libselinux potentially, and
thus had to be in src/shared/ while the other always was in src/basic/.
But the LabelOps vtable provides us with a nice work-around)
2024-10-22 17:51:26 +02:00
Lennart Poettering
d49449c89b label: tweak LabelOps post() hook to take "created" boolean
We have two distinct implementations of the post hook.

1. For SELinux we just reset the selinux label we told the kernel
   earlier to use for new inodes.

2. For SMACK we might apply an xattr to the specified file.

The two calls are quite different: the first call we want to call in all
cases (failure or success), the latter only if we actually managed to
create an inode, in which case it is called on the inode.
2024-10-22 17:51:26 +02:00
Daan De Meyer
a95aacc851 Merge pull request #34851 from DaanDeMeyer/medium
bus-util: Return ENOMEDIUM if XDG_RUNTIME_DIR is unset
2024-10-22 13:37:59 +02:00
Daan De Meyer
d64a5b30f1 bus-util: Fix bus_log_connect_error() 2024-10-22 12:32:02 +02:00