mirror of
https://github.com/systemd/systemd
synced 2025-10-01 09:44:46 +02:00
Compare commits
No commits in common. "1441f2e992181318d00ea42feec886cb223938fd" and "16758c2650d8b11b5d5be194ce9eeee4eb0a8307" have entirely different histories.
1441f2e992
...
16758c2650
@ -2015,13 +2015,6 @@ evdev:atkbd:dmi:bvn*:bvr*:bd*:svnSystem76*:pnPangolin*:pvrpang15*
|
|||||||
evdev:atkbd:dmi:bvn*:bvr*:bd*:svnT-bao:pnTbookair:*
|
evdev:atkbd:dmi:bvn*:bvr*:bd*:svnT-bao:pnTbookair:*
|
||||||
KEYBOARD_KEY_76=touchpad_toggle # Touchpad toggle
|
KEYBOARD_KEY_76=touchpad_toggle # Touchpad toggle
|
||||||
|
|
||||||
###########################################################
|
|
||||||
# TongFang
|
|
||||||
###########################################################
|
|
||||||
# TongFang GX4 (X4SP4NAL)
|
|
||||||
evdev:atkbd:dmi:bvn*:bvr*:bd*:svnAiStone:pnX4SP4NAL:*
|
|
||||||
KEYBOARD_KEY_f8=fn
|
|
||||||
|
|
||||||
###########################################################
|
###########################################################
|
||||||
# Toshiba
|
# Toshiba
|
||||||
###########################################################
|
###########################################################
|
||||||
|
|||||||
@ -8,7 +8,4 @@ cat >>"$BUILDROOT/usr/lib/os-release" <<EOF
|
|||||||
MARKER=1
|
MARKER=1
|
||||||
PORTABLE_PREFIXES=app0 minimal minimal-app0
|
PORTABLE_PREFIXES=app0 minimal minimal-app0
|
||||||
EOF
|
EOF
|
||||||
if [ ! -L "$BUILDROOT/etc/os-release" ]; then
|
|
||||||
cp "$BUILDROOT/usr/lib/os-release" "$BUILDROOT/etc/os-release"
|
|
||||||
fi
|
|
||||||
cp "$BUILDROOT/usr/lib/systemd/system/minimal-app0.service" "$BUILDROOT/usr/lib/systemd/system/minimal-app0-foo.service"
|
cp "$BUILDROOT/usr/lib/systemd/system/minimal-app0.service" "$BUILDROOT/usr/lib/systemd/system/minimal-app0-foo.service"
|
||||||
|
|||||||
@ -8,7 +8,4 @@ cat >>"$BUILDROOT/usr/lib/os-release" <<EOF
|
|||||||
MARKER=2
|
MARKER=2
|
||||||
PORTABLE_PREFIXES=app0 minimal minimal-app0
|
PORTABLE_PREFIXES=app0 minimal minimal-app0
|
||||||
EOF
|
EOF
|
||||||
if [ ! -L "$BUILDROOT/etc/os-release" ]; then
|
|
||||||
cp "$BUILDROOT/usr/lib/os-release" "$BUILDROOT/etc/os-release"
|
|
||||||
fi
|
|
||||||
cp "$BUILDROOT/usr/lib/systemd/system/minimal-app0.service" "$BUILDROOT/usr/lib/systemd/system/minimal-app0-bar.service"
|
cp "$BUILDROOT/usr/lib/systemd/system/minimal-app0.service" "$BUILDROOT/usr/lib/systemd/system/minimal-app0-bar.service"
|
||||||
|
|||||||
@ -62,7 +62,6 @@ wrap=(
|
|||||||
findmnt
|
findmnt
|
||||||
getent
|
getent
|
||||||
getfacl
|
getfacl
|
||||||
groups
|
|
||||||
id
|
id
|
||||||
integritysetup
|
integritysetup
|
||||||
iscsid
|
iscsid
|
||||||
|
|||||||
@ -83,7 +83,7 @@ static int openat_opath_with_automount(int dir_fd, const char *path, bool automo
|
|||||||
|
|
||||||
/* Pin an inode via O_PATH semantics. Sounds pretty obvious to do this, right? You just do open()
|
/* Pin an inode via O_PATH semantics. Sounds pretty obvious to do this, right? You just do open()
|
||||||
* with O_PATH, and there you go. But uh, it's not that easy. open() via O_PATH does not trigger
|
* with O_PATH, and there you go. But uh, it's not that easy. open() via O_PATH does not trigger
|
||||||
* automounts, but we usually want that (when CHASE_AUTOFS is used). But thankfully there's
|
* automounts, but we usually want that (except if CHASE_NO_AUTOFS is used). But thankfully there's
|
||||||
* a way out: the newer open_tree() call, when specified without OPEN_TREE_CLONE actually is fully
|
* a way out: the newer open_tree() call, when specified without OPEN_TREE_CLONE actually is fully
|
||||||
* equivalent to open() with O_PATH – except for one thing: it triggers automounts.
|
* equivalent to open() with O_PATH – except for one thing: it triggers automounts.
|
||||||
*
|
*
|
||||||
@ -202,7 +202,7 @@ int chaseat(int dir_fd, const char *path, ChaseFlags flags, char **ret_path, int
|
|||||||
* -ENOLINK. If CHASE_WARN is also set, a warning describing the unsafe transition is emitted.
|
* -ENOLINK. If CHASE_WARN is also set, a warning describing the unsafe transition is emitted.
|
||||||
* CHASE_WARN cannot be used in PID 1.
|
* CHASE_WARN cannot be used in PID 1.
|
||||||
*
|
*
|
||||||
* 5. Without CHASE_AUTOFS: in this case if an autofs mount point is encountered, path normalization
|
* 5. With CHASE_NO_AUTOFS: in this case if an autofs mount point is encountered, path normalization
|
||||||
* is aborted and -EREMOTE is returned. If CHASE_WARN is also set, a warning showing the path of
|
* is aborted and -EREMOTE is returned. If CHASE_WARN is also set, a warning showing the path of
|
||||||
* the mount point is emitted. CHASE_WARN cannot be used in PID 1.
|
* the mount point is emitted. CHASE_WARN cannot be used in PID 1.
|
||||||
*/
|
*/
|
||||||
@ -219,7 +219,7 @@ int chaseat(int dir_fd, const char *path, ChaseFlags flags, char **ret_path, int
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (!(flags &
|
if (!(flags &
|
||||||
(CHASE_AT_RESOLVE_IN_ROOT|CHASE_NONEXISTENT|CHASE_AUTOFS|CHASE_SAFE|CHASE_STEP|
|
(CHASE_AT_RESOLVE_IN_ROOT|CHASE_NONEXISTENT|CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_STEP|
|
||||||
CHASE_PROHIBIT_SYMLINKS|CHASE_MKDIR_0755|CHASE_PARENT)) &&
|
CHASE_PROHIBIT_SYMLINKS|CHASE_MKDIR_0755|CHASE_PARENT)) &&
|
||||||
!ret_path && ret_fd) {
|
!ret_path && ret_fd) {
|
||||||
|
|
||||||
@ -396,7 +396,7 @@ int chaseat(int dir_fd, const char *path, ChaseFlags flags, char **ret_path, int
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* Otherwise let's pin it by file descriptor, via O_PATH. */
|
/* Otherwise let's pin it by file descriptor, via O_PATH. */
|
||||||
child = r = openat_opath_with_automount(fd, first, /* automount = */ FLAGS_SET(flags, CHASE_AUTOFS));
|
child = r = openat_opath_with_automount(fd, first, /* automount = */ !FLAGS_SET(flags, CHASE_NO_AUTOFS));
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
if (r != -ENOENT)
|
if (r != -ENOENT)
|
||||||
return r;
|
return r;
|
||||||
@ -435,7 +435,7 @@ int chaseat(int dir_fd, const char *path, ChaseFlags flags, char **ret_path, int
|
|||||||
unsafe_transition(&st, &st_child))
|
unsafe_transition(&st, &st_child))
|
||||||
return log_unsafe_transition(fd, child, path, flags);
|
return log_unsafe_transition(fd, child, path, flags);
|
||||||
|
|
||||||
if (!FLAGS_SET(flags, CHASE_AUTOFS) &&
|
if (FLAGS_SET(flags, CHASE_NO_AUTOFS) &&
|
||||||
fd_is_fs_type(child, AUTOFS_SUPER_MAGIC) > 0)
|
fd_is_fs_type(child, AUTOFS_SUPER_MAGIC) > 0)
|
||||||
return log_autofs_mount_point(child, path, flags);
|
return log_autofs_mount_point(child, path, flags);
|
||||||
|
|
||||||
@ -783,7 +783,7 @@ int chase_and_open(
|
|||||||
assert(!(chase_flags & (CHASE_NONEXISTENT|CHASE_STEP)));
|
assert(!(chase_flags & (CHASE_NONEXISTENT|CHASE_STEP)));
|
||||||
|
|
||||||
if (empty_or_root(root) && !ret_path &&
|
if (empty_or_root(root) && !ret_path &&
|
||||||
(chase_flags & (CHASE_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0)
|
(chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0)
|
||||||
/* Shortcut this call if none of the special features of this call are requested */
|
/* Shortcut this call if none of the special features of this call are requested */
|
||||||
return xopenat_full(AT_FDCWD, path,
|
return xopenat_full(AT_FDCWD, path,
|
||||||
open_flags | (FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? O_NOFOLLOW : 0),
|
open_flags | (FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? O_NOFOLLOW : 0),
|
||||||
@ -822,7 +822,7 @@ int chase_and_opendir(const char *path, const char *root, ChaseFlags chase_flags
|
|||||||
assert(ret_dir);
|
assert(ret_dir);
|
||||||
|
|
||||||
if (empty_or_root(root) && !ret_path &&
|
if (empty_or_root(root) && !ret_path &&
|
||||||
(chase_flags & (CHASE_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0) {
|
(chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0) {
|
||||||
/* Shortcut this call if none of the special features of this call are requested */
|
/* Shortcut this call if none of the special features of this call are requested */
|
||||||
d = opendir(path);
|
d = opendir(path);
|
||||||
if (!d)
|
if (!d)
|
||||||
@ -858,7 +858,7 @@ int chase_and_stat(const char *path, const char *root, ChaseFlags chase_flags, c
|
|||||||
assert(ret_stat);
|
assert(ret_stat);
|
||||||
|
|
||||||
if (empty_or_root(root) && !ret_path &&
|
if (empty_or_root(root) && !ret_path &&
|
||||||
(chase_flags & (CHASE_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0)
|
(chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0)
|
||||||
/* Shortcut this call if none of the special features of this call are requested */
|
/* Shortcut this call if none of the special features of this call are requested */
|
||||||
return RET_NERRNO(fstatat(AT_FDCWD, path, ret_stat,
|
return RET_NERRNO(fstatat(AT_FDCWD, path, ret_stat,
|
||||||
FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? AT_SYMLINK_NOFOLLOW : 0));
|
FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? AT_SYMLINK_NOFOLLOW : 0));
|
||||||
@ -886,7 +886,7 @@ int chase_and_access(const char *path, const char *root, ChaseFlags chase_flags,
|
|||||||
assert(!(chase_flags & (CHASE_NONEXISTENT|CHASE_STEP)));
|
assert(!(chase_flags & (CHASE_NONEXISTENT|CHASE_STEP)));
|
||||||
|
|
||||||
if (empty_or_root(root) && !ret_path &&
|
if (empty_or_root(root) && !ret_path &&
|
||||||
(chase_flags & (CHASE_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0)
|
(chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0)
|
||||||
/* Shortcut this call if none of the special features of this call are requested */
|
/* Shortcut this call if none of the special features of this call are requested */
|
||||||
return RET_NERRNO(faccessat(AT_FDCWD, path, access_mode,
|
return RET_NERRNO(faccessat(AT_FDCWD, path, access_mode,
|
||||||
FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? AT_SYMLINK_NOFOLLOW : 0));
|
FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? AT_SYMLINK_NOFOLLOW : 0));
|
||||||
@ -992,7 +992,7 @@ int chase_and_openat(
|
|||||||
assert(!(chase_flags & (CHASE_NONEXISTENT|CHASE_STEP)));
|
assert(!(chase_flags & (CHASE_NONEXISTENT|CHASE_STEP)));
|
||||||
|
|
||||||
if (dir_fd == AT_FDCWD && !ret_path &&
|
if (dir_fd == AT_FDCWD && !ret_path &&
|
||||||
(chase_flags & (CHASE_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0)
|
(chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0)
|
||||||
/* Shortcut this call if none of the special features of this call are requested */
|
/* Shortcut this call if none of the special features of this call are requested */
|
||||||
return xopenat_full(dir_fd, path,
|
return xopenat_full(dir_fd, path,
|
||||||
open_flags | (FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? O_NOFOLLOW : 0),
|
open_flags | (FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? O_NOFOLLOW : 0),
|
||||||
@ -1029,7 +1029,7 @@ int chase_and_opendirat(int dir_fd, const char *path, ChaseFlags chase_flags, ch
|
|||||||
assert(ret_dir);
|
assert(ret_dir);
|
||||||
|
|
||||||
if (dir_fd == AT_FDCWD && !ret_path &&
|
if (dir_fd == AT_FDCWD && !ret_path &&
|
||||||
(chase_flags & (CHASE_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0) {
|
(chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0) {
|
||||||
/* Shortcut this call if none of the special features of this call are requested */
|
/* Shortcut this call if none of the special features of this call are requested */
|
||||||
d = opendir(path);
|
d = opendir(path);
|
||||||
if (!d)
|
if (!d)
|
||||||
@ -1065,7 +1065,7 @@ int chase_and_statat(int dir_fd, const char *path, ChaseFlags chase_flags, char
|
|||||||
assert(ret_stat);
|
assert(ret_stat);
|
||||||
|
|
||||||
if (dir_fd == AT_FDCWD && !ret_path &&
|
if (dir_fd == AT_FDCWD && !ret_path &&
|
||||||
(chase_flags & (CHASE_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0)
|
(chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0)
|
||||||
/* Shortcut this call if none of the special features of this call are requested */
|
/* Shortcut this call if none of the special features of this call are requested */
|
||||||
return RET_NERRNO(fstatat(AT_FDCWD, path, ret_stat,
|
return RET_NERRNO(fstatat(AT_FDCWD, path, ret_stat,
|
||||||
FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? AT_SYMLINK_NOFOLLOW : 0));
|
FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? AT_SYMLINK_NOFOLLOW : 0));
|
||||||
@ -1093,7 +1093,7 @@ int chase_and_accessat(int dir_fd, const char *path, ChaseFlags chase_flags, int
|
|||||||
assert(!(chase_flags & (CHASE_NONEXISTENT|CHASE_STEP)));
|
assert(!(chase_flags & (CHASE_NONEXISTENT|CHASE_STEP)));
|
||||||
|
|
||||||
if (dir_fd == AT_FDCWD && !ret_path &&
|
if (dir_fd == AT_FDCWD && !ret_path &&
|
||||||
(chase_flags & (CHASE_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0)
|
(chase_flags & (CHASE_NO_AUTOFS|CHASE_SAFE|CHASE_PROHIBIT_SYMLINKS|CHASE_PARENT|CHASE_MKDIR_0755)) == 0)
|
||||||
/* Shortcut this call if none of the special features of this call are requested */
|
/* Shortcut this call if none of the special features of this call are requested */
|
||||||
return RET_NERRNO(faccessat(AT_FDCWD, path, access_mode,
|
return RET_NERRNO(faccessat(AT_FDCWD, path, access_mode,
|
||||||
FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? AT_SYMLINK_NOFOLLOW : 0));
|
FLAGS_SET(chase_flags, CHASE_NOFOLLOW) ? AT_SYMLINK_NOFOLLOW : 0));
|
||||||
|
|||||||
@ -6,7 +6,7 @@
|
|||||||
typedef enum ChaseFlags {
|
typedef enum ChaseFlags {
|
||||||
CHASE_PREFIX_ROOT = 1 << 0, /* The specified path will be prefixed by the specified root before beginning the iteration */
|
CHASE_PREFIX_ROOT = 1 << 0, /* The specified path will be prefixed by the specified root before beginning the iteration */
|
||||||
CHASE_NONEXISTENT = 1 << 1, /* It's OK if the path doesn't actually exist. */
|
CHASE_NONEXISTENT = 1 << 1, /* It's OK if the path doesn't actually exist. */
|
||||||
CHASE_AUTOFS = 1 << 2, /* Trigger automount if autofs mount point found instead of returning -EREMOTE */
|
CHASE_NO_AUTOFS = 1 << 2, /* Return -EREMOTE if autofs mount point found */
|
||||||
CHASE_SAFE = 1 << 3, /* Return -EPERM if we ever traverse from unprivileged to privileged files or directories */
|
CHASE_SAFE = 1 << 3, /* Return -EPERM if we ever traverse from unprivileged to privileged files or directories */
|
||||||
CHASE_TRAIL_SLASH = 1 << 4, /* Any trailing slash will be preserved */
|
CHASE_TRAIL_SLASH = 1 << 4, /* Any trailing slash will be preserved */
|
||||||
CHASE_STEP = 1 << 5, /* Just execute a single step of the normalization */
|
CHASE_STEP = 1 << 5, /* Just execute a single step of the normalization */
|
||||||
|
|||||||
@ -15,7 +15,6 @@
|
|||||||
#include "pe.h"
|
#include "pe.h"
|
||||||
#include "proto/device-path.h"
|
#include "proto/device-path.h"
|
||||||
#include "proto/loaded-image.h"
|
#include "proto/loaded-image.h"
|
||||||
#include "proto/memory-attribute.h"
|
|
||||||
#include "secure-boot.h"
|
#include "secure-boot.h"
|
||||||
#include "shim.h"
|
#include "shim.h"
|
||||||
#include "util.h"
|
#include "util.h"
|
||||||
@ -126,50 +125,6 @@ static EFI_STATUS load_via_boot_services(
|
|||||||
return log_error_status(err, "Error starting kernel image with shim: %m");
|
return log_error_status(err, "Error starting kernel image with shim: %m");
|
||||||
}
|
}
|
||||||
|
|
||||||
static EFI_STATUS kernel_set_nx(EFI_PHYSICAL_ADDRESS addr, uint64_t length) {
|
|
||||||
EFI_MEMORY_ATTRIBUTE_PROTOCOL *memory_proto;
|
|
||||||
EFI_STATUS err;
|
|
||||||
|
|
||||||
err = BS->LocateProtocol(MAKE_GUID_PTR(EFI_MEMORY_ATTRIBUTE_PROTOCOL), NULL, (void **) &memory_proto);
|
|
||||||
if (err != EFI_SUCCESS) {
|
|
||||||
log_debug("No EFI_MEMORY_ATTRIBUTE_PROTOCOL found, skipping NX_COMPAT support.");
|
|
||||||
return EFI_SUCCESS; /* ignore if firmware lacks support */
|
|
||||||
}
|
|
||||||
|
|
||||||
err = memory_proto->SetMemoryAttributes(memory_proto, addr, length, EFI_MEMORY_RO);
|
|
||||||
if (err != EFI_SUCCESS)
|
|
||||||
return log_error_status(err, "Cannot make kernel image read-only: %m");
|
|
||||||
|
|
||||||
err = memory_proto->ClearMemoryAttributes(memory_proto, addr, length, EFI_MEMORY_XP);
|
|
||||||
if (err != EFI_SUCCESS)
|
|
||||||
return log_error_status(err, "Cannot make kernel image executable: %m");
|
|
||||||
|
|
||||||
log_debug("Changed kernel image to read-only for NX_COMPAT support.");
|
|
||||||
|
|
||||||
return EFI_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
static EFI_STATUS kernel_clear_nx(EFI_PHYSICAL_ADDRESS addr, uint64_t length) {
|
|
||||||
EFI_MEMORY_ATTRIBUTE_PROTOCOL *memory_proto;
|
|
||||||
EFI_STATUS err;
|
|
||||||
|
|
||||||
err = BS->LocateProtocol(MAKE_GUID_PTR(EFI_MEMORY_ATTRIBUTE_PROTOCOL), NULL, (void **) &memory_proto);
|
|
||||||
if (err != EFI_SUCCESS) {
|
|
||||||
log_debug("No EFI_MEMORY_ATTRIBUTE_PROTOCOL found, skipping NX_COMPAT support.");
|
|
||||||
return EFI_SUCCESS; /* ignore if firmware lacks support */
|
|
||||||
}
|
|
||||||
|
|
||||||
err = memory_proto->SetMemoryAttributes(memory_proto, addr, length, EFI_MEMORY_XP);
|
|
||||||
if (err != EFI_SUCCESS)
|
|
||||||
return log_error_status(err, "Cannot make kernel image non-executable: %m");
|
|
||||||
|
|
||||||
err = memory_proto->ClearMemoryAttributes(memory_proto, addr, length, EFI_MEMORY_RO);
|
|
||||||
if (err != EFI_SUCCESS)
|
|
||||||
return log_error_status(err, "Cannot make kernel image writable: %m");
|
|
||||||
|
|
||||||
return EFI_SUCCESS;
|
|
||||||
}
|
|
||||||
|
|
||||||
EFI_STATUS linux_exec(
|
EFI_STATUS linux_exec(
|
||||||
EFI_HANDLE parent_image,
|
EFI_HANDLE parent_image,
|
||||||
const char16_t *cmdline,
|
const char16_t *cmdline,
|
||||||
@ -243,16 +198,6 @@ EFI_STATUS linux_exec(
|
|||||||
if (err != EFI_SUCCESS)
|
if (err != EFI_SUCCESS)
|
||||||
return err;
|
return err;
|
||||||
|
|
||||||
/* As per MSFT requirement, memory pages need to be marked W^X.
|
|
||||||
* Firmwares will start enforcing this at some point in the near-ish future.
|
|
||||||
* The kernel needs to mark this as supported explicitly, otherwise it will crash.
|
|
||||||
* https://microsoft.github.io/mu/WhatAndWhy/enhancedmemoryprotection/
|
|
||||||
* https://www.kraxel.org/blog/2023/12/uefi-nx-linux-boot/ */
|
|
||||||
_cleanup_free_ EFI_PHYSICAL_ADDRESS *nx_sections_addrs = NULL;
|
|
||||||
_cleanup_free_ uint64_t *nx_sections_lengths = NULL;
|
|
||||||
size_t nx_sections = 0;
|
|
||||||
bool nx_compat = pe_kernel_check_nx_compat(kernel->iov_base);
|
|
||||||
|
|
||||||
const PeSectionHeader *headers;
|
const PeSectionHeader *headers;
|
||||||
size_t n_headers;
|
size_t n_headers;
|
||||||
|
|
||||||
@ -280,20 +225,6 @@ EFI_STATUS linux_exec(
|
|||||||
h->SizeOfRawData);
|
h->SizeOfRawData);
|
||||||
memzero(loaded_kernel + h->VirtualAddress + h->SizeOfRawData,
|
memzero(loaded_kernel + h->VirtualAddress + h->SizeOfRawData,
|
||||||
h->VirtualSize - h->SizeOfRawData);
|
h->VirtualSize - h->SizeOfRawData);
|
||||||
|
|
||||||
/* Not a code section? Nothing to do, leave as-is. */
|
|
||||||
if (nx_compat && ((h->Characteristics & PE_CODE) || (h->Characteristics & PE_EXECUTE))) {
|
|
||||||
nx_sections_addrs = xrealloc(nx_sections_addrs, nx_sections * sizeof(EFI_PHYSICAL_ADDRESS), (nx_sections + 1) * sizeof(EFI_PHYSICAL_ADDRESS));
|
|
||||||
nx_sections_lengths = xrealloc(nx_sections_lengths, nx_sections * sizeof(uint64_t), (nx_sections + 1) * sizeof(uint64_t));
|
|
||||||
nx_sections_addrs[nx_sections] = POINTER_TO_PHYSICAL_ADDRESS(loaded_kernel + h->VirtualAddress - image_base);
|
|
||||||
nx_sections_lengths[nx_sections] = h->VirtualSize;
|
|
||||||
|
|
||||||
err = kernel_set_nx(nx_sections_addrs[nx_sections], nx_sections_lengths[nx_sections]);
|
|
||||||
if (err != EFI_SUCCESS)
|
|
||||||
return err;
|
|
||||||
|
|
||||||
++nx_sections;
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
_cleanup_free_ KERNEL_FILE_PATH *kernel_file_path = xnew(KERNEL_FILE_PATH, 1);
|
_cleanup_free_ KERNEL_FILE_PATH *kernel_file_path = xnew(KERNEL_FILE_PATH, 1);
|
||||||
@ -342,11 +273,5 @@ EFI_STATUS linux_exec(
|
|||||||
err = compat_entry(parent_image, ST);
|
err = compat_entry(parent_image, ST);
|
||||||
}
|
}
|
||||||
|
|
||||||
/* On failure we'll free the buffers. EDK2 requires the memory buffers to be writable and
|
|
||||||
* non-executable, as in some configurations it will overwrite them with a fixed pattern, so if the
|
|
||||||
* attributes are not restored FreePages() will crash. */
|
|
||||||
for (size_t i = 0; i < nx_sections; i++)
|
|
||||||
(void) kernel_clear_nx(nx_sections_addrs[i], nx_sections_lengths[i]);
|
|
||||||
|
|
||||||
return log_error_status(err, "Error starting kernel image: %m");
|
return log_error_status(err, "Error starting kernel image: %m");
|
||||||
}
|
}
|
||||||
|
|||||||
@ -9,7 +9,6 @@
|
|||||||
|
|
||||||
#define DOS_FILE_MAGIC "MZ"
|
#define DOS_FILE_MAGIC "MZ"
|
||||||
#define PE_FILE_MAGIC "PE\0\0"
|
#define PE_FILE_MAGIC "PE\0\0"
|
||||||
#define IMAGE_DLLCHARACTERISTICS_NX_COMPAT 0x0100
|
|
||||||
|
|
||||||
#if defined(__i386__)
|
#if defined(__i386__)
|
||||||
# define TARGET_MACHINE_TYPE 0x014CU
|
# define TARGET_MACHINE_TYPE 0x014CU
|
||||||
@ -556,18 +555,6 @@ EFI_STATUS pe_kernel_check_no_relocation(const void *base) {
|
|||||||
return EFI_SUCCESS;
|
return EFI_SUCCESS;
|
||||||
}
|
}
|
||||||
|
|
||||||
bool pe_kernel_check_nx_compat(const void *base) {
|
|
||||||
const DosFileHeader *dos = ASSERT_PTR(base);
|
|
||||||
if (!verify_dos(dos))
|
|
||||||
return false;
|
|
||||||
|
|
||||||
const PeFileHeader *pe = (const PeFileHeader *) ((const uint8_t *) base + dos->ExeHeader);
|
|
||||||
if (!verify_pe(dos, pe, /* allow_compatibility= */ true))
|
|
||||||
return false;
|
|
||||||
|
|
||||||
return pe->OptionalHeader.DllCharacteristics & IMAGE_DLLCHARACTERISTICS_NX_COMPAT;
|
|
||||||
}
|
|
||||||
|
|
||||||
EFI_STATUS pe_section_table_from_base(
|
EFI_STATUS pe_section_table_from_base(
|
||||||
const void *base,
|
const void *base,
|
||||||
const PeSectionHeader **ret_section_table,
|
const PeSectionHeader **ret_section_table,
|
||||||
|
|||||||
@ -3,10 +3,6 @@
|
|||||||
|
|
||||||
#include "efi.h"
|
#include "efi.h"
|
||||||
|
|
||||||
/* PE flags in the Characteristics attribute of the optional header indicating executable code */
|
|
||||||
#define PE_CODE 0x00000020
|
|
||||||
#define PE_EXECUTE 0x20000000
|
|
||||||
|
|
||||||
/* This is the actual PE format of the section header */
|
/* This is the actual PE format of the section header */
|
||||||
typedef struct PeSectionHeader {
|
typedef struct PeSectionHeader {
|
||||||
uint8_t Name[8];
|
uint8_t Name[8];
|
||||||
@ -60,5 +56,3 @@ EFI_STATUS pe_memory_locate_sections(
|
|||||||
EFI_STATUS pe_kernel_info(const void *base, uint32_t *ret_entry_point, uint32_t *ret_compat_entry_point, uint64_t *ret_image_base, size_t *ret_size_in_memory);
|
EFI_STATUS pe_kernel_info(const void *base, uint32_t *ret_entry_point, uint32_t *ret_compat_entry_point, uint64_t *ret_image_base, size_t *ret_size_in_memory);
|
||||||
|
|
||||||
EFI_STATUS pe_kernel_check_no_relocation(const void *base);
|
EFI_STATUS pe_kernel_check_no_relocation(const void *base);
|
||||||
|
|
||||||
bool pe_kernel_check_nx_compat(const void *base);
|
|
||||||
|
|||||||
@ -1,31 +0,0 @@
|
|||||||
/* SPDX-License-Identifier: LGPL-2.1-or-later */
|
|
||||||
#pragma once
|
|
||||||
|
|
||||||
#include "efi.h"
|
|
||||||
|
|
||||||
#define EFI_MEMORY_ATTRIBUTE_PROTOCOL_GUID \
|
|
||||||
GUID_DEF(0xf4560cf6, 0x40ec, 0x4b4a, 0xa1, 0x92, 0xbf, 0x1d, 0x57, 0xd0, 0xb1, 0x89)
|
|
||||||
|
|
||||||
#define EFI_MEMORY_RP 0x0000000000002000
|
|
||||||
#define EFI_MEMORY_XP 0x0000000000004000
|
|
||||||
#define EFI_MEMORY_RO 0x0000000000020000
|
|
||||||
|
|
||||||
struct _EFI_MEMORY_ATTRIBUTE_PROTOCOL;
|
|
||||||
|
|
||||||
typedef struct _EFI_MEMORY_ATTRIBUTE_PROTOCOL {
|
|
||||||
EFI_STATUS (EFIAPI *GetMemoryAttributes)(
|
|
||||||
struct _EFI_MEMORY_ATTRIBUTE_PROTOCOL *This,
|
|
||||||
EFI_PHYSICAL_ADDRESS BaseAddress,
|
|
||||||
uint64_t Length,
|
|
||||||
uint64_t *Attributes);
|
|
||||||
EFI_STATUS (EFIAPI *SetMemoryAttributes)(
|
|
||||||
struct _EFI_MEMORY_ATTRIBUTE_PROTOCOL *This,
|
|
||||||
EFI_PHYSICAL_ADDRESS BaseAddress,
|
|
||||||
uint64_t Length,
|
|
||||||
uint64_t Attributes);
|
|
||||||
EFI_STATUS (EFIAPI *ClearMemoryAttributes)(
|
|
||||||
struct _EFI_MEMORY_ATTRIBUTE_PROTOCOL *This,
|
|
||||||
EFI_PHYSICAL_ADDRESS BaseAddress,
|
|
||||||
uint64_t Length,
|
|
||||||
uint64_t Attributes);
|
|
||||||
} EFI_MEMORY_ATTRIBUTE_PROTOCOL;
|
|
||||||
@ -51,7 +51,7 @@ enum {
|
|||||||
/* magic string to find in the binary image */
|
/* magic string to find in the binary image */
|
||||||
DECLARE_NOALLOC_SECTION(".sdmagic", "#### LoaderInfo: systemd-stub " GIT_VERSION " ####");
|
DECLARE_NOALLOC_SECTION(".sdmagic", "#### LoaderInfo: systemd-stub " GIT_VERSION " ####");
|
||||||
|
|
||||||
DECLARE_SBAT_PADDED(SBAT_STUB_SECTION_TEXT);
|
DECLARE_SBAT(SBAT_STUB_SECTION_TEXT);
|
||||||
|
|
||||||
static char16_t* pe_section_to_str16(
|
static char16_t* pe_section_to_str16(
|
||||||
EFI_LOADED_IMAGE_PROTOCOL *loaded_image,
|
EFI_LOADED_IMAGE_PROTOCOL *loaded_image,
|
||||||
|
|||||||
@ -343,7 +343,7 @@ static int update_efi_boot_binaries(const char *esp_path, const char *source_pat
|
|||||||
assert(esp_path);
|
assert(esp_path);
|
||||||
assert(source_path);
|
assert(source_path);
|
||||||
|
|
||||||
r = chase_and_opendir("/EFI/BOOT", esp_path, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_AUTOFS, &p, &d);
|
r = chase_and_opendir("/EFI/BOOT", esp_path, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, &p, &d);
|
||||||
if (r == -ENOENT)
|
if (r == -ENOENT)
|
||||||
return 0;
|
return 0;
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
@ -396,10 +396,10 @@ static int copy_one_file(const char *esp_path, const char *name, bool force) {
|
|||||||
if (!p)
|
if (!p)
|
||||||
return log_oom();
|
return log_oom();
|
||||||
|
|
||||||
r = chase(p, root, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_AUTOFS, &source_path, NULL);
|
r = chase(p, root, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, &source_path, NULL);
|
||||||
/* If we had a root directory to try, we didn't find it and we are in auto mode, retry on the host */
|
/* If we had a root directory to try, we didn't find it and we are in auto mode, retry on the host */
|
||||||
if (r == -ENOENT && root && arg_install_source == ARG_INSTALL_SOURCE_AUTO)
|
if (r == -ENOENT && root && arg_install_source == ARG_INSTALL_SOURCE_AUTO)
|
||||||
r = chase(p, NULL, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_AUTOFS, &source_path, NULL);
|
r = chase(p, NULL, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, &source_path, NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r,
|
return log_error_errno(r,
|
||||||
"Failed to resolve path %s%s%s: %m",
|
"Failed to resolve path %s%s%s: %m",
|
||||||
@ -411,7 +411,7 @@ static int copy_one_file(const char *esp_path, const char *name, bool force) {
|
|||||||
if (!q)
|
if (!q)
|
||||||
return log_oom();
|
return log_oom();
|
||||||
|
|
||||||
r = chase(q, esp_path, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_NONEXISTENT|CHASE_AUTOFS, &dest_path, NULL);
|
r = chase(q, esp_path, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_NONEXISTENT, &dest_path, NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to resolve path %s under directory %s: %m", q, esp_path);
|
return log_error_errno(r, "Failed to resolve path %s under directory %s: %m", q, esp_path);
|
||||||
|
|
||||||
@ -428,7 +428,7 @@ static int copy_one_file(const char *esp_path, const char *name, bool force) {
|
|||||||
v = strjoina("/EFI/BOOT/BOOT", e);
|
v = strjoina("/EFI/BOOT/BOOT", e);
|
||||||
ascii_strupper(strrchr(v, '/') + 1);
|
ascii_strupper(strrchr(v, '/') + 1);
|
||||||
|
|
||||||
r = chase(v, esp_path, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_NONEXISTENT|CHASE_AUTOFS, &default_dest_path, NULL);
|
r = chase(v, esp_path, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_NONEXISTENT, &default_dest_path, NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to resolve path %s under directory %s: %m", v, esp_path);
|
return log_error_errno(r, "Failed to resolve path %s under directory %s: %m", v, esp_path);
|
||||||
|
|
||||||
@ -449,10 +449,10 @@ static int install_binaries(const char *esp_path, const char *arch, bool force)
|
|||||||
_cleanup_free_ char *path = NULL;
|
_cleanup_free_ char *path = NULL;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
r = chase_and_opendir(BOOTLIBDIR, root, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_AUTOFS, &path, &d);
|
r = chase_and_opendir(BOOTLIBDIR, root, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, &path, &d);
|
||||||
/* If we had a root directory to try, we didn't find it and we are in auto mode, retry on the host */
|
/* If we had a root directory to try, we didn't find it and we are in auto mode, retry on the host */
|
||||||
if (r == -ENOENT && root && arg_install_source == ARG_INSTALL_SOURCE_AUTO)
|
if (r == -ENOENT && root && arg_install_source == ARG_INSTALL_SOURCE_AUTO)
|
||||||
r = chase_and_opendir(BOOTLIBDIR, NULL, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_AUTOFS, &path, &d);
|
r = chase_and_opendir(BOOTLIBDIR, NULL, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, &path, &d);
|
||||||
if (r == -ENOENT && arg_graceful) {
|
if (r == -ENOENT && arg_graceful) {
|
||||||
log_debug("Source directory does not exist, ignoring.");
|
log_debug("Source directory does not exist, ignoring.");
|
||||||
return 0;
|
return 0;
|
||||||
@ -634,7 +634,7 @@ static int install_secure_boot_auto_enroll(const char *esp, X509 *certificate, E
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
_cleanup_close_ int keys_fd = chase_and_open("loader/keys/auto", esp, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_AUTOFS, O_DIRECTORY, NULL);
|
_cleanup_close_ int keys_fd = chase_and_open("loader/keys/auto", esp, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, O_DIRECTORY, NULL);
|
||||||
if (keys_fd < 0)
|
if (keys_fd < 0)
|
||||||
return log_error_errno(keys_fd, "Failed to chase loader/keys/auto in the ESP: %m");
|
return log_error_errno(keys_fd, "Failed to chase loader/keys/auto in the ESP: %m");
|
||||||
|
|
||||||
@ -881,7 +881,7 @@ static int install_variables(
|
|||||||
uint16_t slot;
|
uint16_t slot;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
r = chase_and_access(path, esp_path, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_AUTOFS, F_OK, NULL);
|
r = chase_and_access(path, esp_path, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, F_OK, NULL);
|
||||||
if (r == -ENOENT)
|
if (r == -ENOENT)
|
||||||
return 0;
|
return 0;
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
@ -1097,7 +1097,7 @@ static int remove_boot_efi(const char *esp_path) {
|
|||||||
_cleanup_free_ char *p = NULL;
|
_cleanup_free_ char *p = NULL;
|
||||||
int r, c = 0;
|
int r, c = 0;
|
||||||
|
|
||||||
r = chase_and_opendir("/EFI/BOOT", esp_path, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_AUTOFS, &p, &d);
|
r = chase_and_opendir("/EFI/BOOT", esp_path, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, &p, &d);
|
||||||
if (r == -ENOENT)
|
if (r == -ENOENT)
|
||||||
return 0;
|
return 0;
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
|
|||||||
@ -222,7 +222,7 @@ static int enumerate_binaries(
|
|||||||
assert(previous);
|
assert(previous);
|
||||||
assert(is_first);
|
assert(is_first);
|
||||||
|
|
||||||
r = chase_and_opendir(path, esp_path, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_AUTOFS, &p, &d);
|
r = chase_and_opendir(path, esp_path, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, &p, &d);
|
||||||
if (r == -ENOENT)
|
if (r == -ENOENT)
|
||||||
return 0;
|
return 0;
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
@ -693,7 +693,7 @@ static void deref_unlink_file(Hashmap **known_files, const char *fn, const char
|
|||||||
return;
|
return;
|
||||||
|
|
||||||
if (arg_dry_run) {
|
if (arg_dry_run) {
|
||||||
r = chase_and_access(fn, root, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_AUTOFS, F_OK, &path);
|
r = chase_and_access(fn, root, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, F_OK, &path);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
log_info_errno(r, "Unable to determine whether \"%s\" exists, ignoring: %m", fn);
|
log_info_errno(r, "Unable to determine whether \"%s\" exists, ignoring: %m", fn);
|
||||||
else
|
else
|
||||||
@ -701,7 +701,7 @@ static void deref_unlink_file(Hashmap **known_files, const char *fn, const char
|
|||||||
return;
|
return;
|
||||||
}
|
}
|
||||||
|
|
||||||
r = chase_and_unlink(fn, root, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_AUTOFS, 0, &path);
|
r = chase_and_unlink(fn, root, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, 0, &path);
|
||||||
if (r >= 0)
|
if (r >= 0)
|
||||||
log_info("Removed \"%s\"", path);
|
log_info("Removed \"%s\"", path);
|
||||||
else if (r != -ENOENT)
|
else if (r != -ENOENT)
|
||||||
@ -709,7 +709,7 @@ static void deref_unlink_file(Hashmap **known_files, const char *fn, const char
|
|||||||
|
|
||||||
_cleanup_free_ char *d = NULL;
|
_cleanup_free_ char *d = NULL;
|
||||||
if (path_extract_directory(fn, &d) >= 0 && !path_equal(d, "/")) {
|
if (path_extract_directory(fn, &d) >= 0 && !path_equal(d, "/")) {
|
||||||
r = chase_and_unlink(d, root, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_AUTOFS, AT_REMOVEDIR, NULL);
|
r = chase_and_unlink(d, root, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS, AT_REMOVEDIR, NULL);
|
||||||
if (r < 0 && !IN_SET(r, -ENOTEMPTY, -ENOENT))
|
if (r < 0 && !IN_SET(r, -ENOTEMPTY, -ENOENT))
|
||||||
log_warning_errno(r, "Failed to remove directory \"%s\", ignoring: %m", d);
|
log_warning_errno(r, "Failed to remove directory \"%s\", ignoring: %m", d);
|
||||||
}
|
}
|
||||||
@ -801,7 +801,7 @@ static int unlink_entry(const BootConfig *config, const char *root, const char *
|
|||||||
if (arg_dry_run)
|
if (arg_dry_run)
|
||||||
log_info("Would remove \"%s\"", e->path);
|
log_info("Would remove \"%s\"", e->path);
|
||||||
else {
|
else {
|
||||||
r = chase_and_unlink(e->path, root, CHASE_PROHIBIT_SYMLINKS|CHASE_AUTOFS, 0, NULL);
|
r = chase_and_unlink(e->path, root, CHASE_PROHIBIT_SYMLINKS, 0, NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to remove \"%s\": %m", e->path);
|
return log_error_errno(r, "Failed to remove \"%s\": %m", e->path);
|
||||||
|
|
||||||
@ -862,7 +862,7 @@ static int cleanup_orphaned_files(
|
|||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to count files in %s: %m", root);
|
return log_error_errno(r, "Failed to count files in %s: %m", root);
|
||||||
|
|
||||||
dir_fd = chase_and_open(arg_entry_token, root, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS|CHASE_AUTOFS,
|
dir_fd = chase_and_open(arg_entry_token, root, CHASE_PREFIX_ROOT|CHASE_PROHIBIT_SYMLINKS,
|
||||||
O_DIRECTORY|O_CLOEXEC, &full);
|
O_DIRECTORY|O_CLOEXEC, &full);
|
||||||
if (dir_fd == -ENOENT)
|
if (dir_fd == -ENOENT)
|
||||||
return 0;
|
return 0;
|
||||||
|
|||||||
@ -3079,7 +3079,7 @@ static int setup_exec_directory(
|
|||||||
* since they all support the private/ symlink logic at least in some
|
* since they all support the private/ symlink logic at least in some
|
||||||
* configurations, see above. */
|
* configurations, see above. */
|
||||||
|
|
||||||
r = chase(target, NULL, CHASE_AUTOFS, &target_resolved, NULL);
|
r = chase(target, NULL, 0, &target_resolved, NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto fail;
|
goto fail;
|
||||||
|
|
||||||
@ -3090,7 +3090,7 @@ static int setup_exec_directory(
|
|||||||
}
|
}
|
||||||
|
|
||||||
/* /var/lib or friends may be symlinks. So, let's chase them also. */
|
/* /var/lib or friends may be symlinks. So, let's chase them also. */
|
||||||
r = chase(q, NULL, CHASE_NONEXISTENT|CHASE_AUTOFS, &q_resolved, NULL);
|
r = chase(q, NULL, CHASE_NONEXISTENT, &q_resolved, NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
goto fail;
|
goto fail;
|
||||||
|
|
||||||
@ -3985,7 +3985,7 @@ static int apply_working_directory(
|
|||||||
|
|
||||||
r = chase(wd,
|
r = chase(wd,
|
||||||
runtime->ephemeral_copy ?: context->root_directory,
|
runtime->ephemeral_copy ?: context->root_directory,
|
||||||
CHASE_PREFIX_ROOT|CHASE_AT_RESOLVE_IN_ROOT|CHASE_AUTOFS,
|
CHASE_PREFIX_ROOT|CHASE_AT_RESOLVE_IN_ROOT,
|
||||||
/* ret_path= */ NULL,
|
/* ret_path= */ NULL,
|
||||||
&dfd);
|
&dfd);
|
||||||
if (r >= 0)
|
if (r >= 0)
|
||||||
|
|||||||
@ -1196,7 +1196,7 @@ static void mount_enter_mounting(Mount *m) {
|
|||||||
/* Validate that the path we are overmounting does not contain any symlinks, because if it does, we
|
/* Validate that the path we are overmounting does not contain any symlinks, because if it does, we
|
||||||
* couldn't support that reasonably: the mounts in /proc/self/mountinfo would not be recognizable to
|
* couldn't support that reasonably: the mounts in /proc/self/mountinfo would not be recognizable to
|
||||||
* us anymore. */
|
* us anymore. */
|
||||||
fd = chase_and_open_parent(m->where, /* root= */ NULL, CHASE_PROHIBIT_SYMLINKS|CHASE_MKDIR_0755|CHASE_AUTOFS, &fn);
|
fd = chase_and_open_parent(m->where, /* root= */ NULL, CHASE_PROHIBIT_SYMLINKS|CHASE_MKDIR_0755, &fn);
|
||||||
if (fd == -EREMCHG) {
|
if (fd == -EREMCHG) {
|
||||||
r = unit_log_noncanonical_mount_path(UNIT(m), m->where);
|
r = unit_log_noncanonical_mount_path(UNIT(m), m->where);
|
||||||
goto fail;
|
goto fail;
|
||||||
|
|||||||
@ -1793,7 +1793,7 @@ static int follow_symlink(
|
|||||||
* a time by specifying CHASE_STEP. This function returns 0 if we resolved one step, and > 0 if we reached the
|
* a time by specifying CHASE_STEP. This function returns 0 if we resolved one step, and > 0 if we reached the
|
||||||
* end and already have a fully normalized name. */
|
* end and already have a fully normalized name. */
|
||||||
|
|
||||||
r = chase(mount_entry_path(m), root_directory, CHASE_STEP|CHASE_NONEXISTENT|CHASE_AUTOFS, &target, NULL);
|
r = chase(mount_entry_path(m), root_directory, CHASE_STEP|CHASE_NONEXISTENT, &target, NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_debug_errno(r, "Failed to chase symlinks '%s': %m", mount_entry_path(m));
|
return log_debug_errno(r, "Failed to chase symlinks '%s': %m", mount_entry_path(m));
|
||||||
if (r > 0) /* Reached the end, nothing more to resolve */
|
if (r > 0) /* Reached the end, nothing more to resolve */
|
||||||
@ -1991,7 +1991,7 @@ static int apply_one_mount(
|
|||||||
return log_error_errno(r, "Failed to set label of the source directory %s: %m", mount_entry_source(m));
|
return log_error_errno(r, "Failed to set label of the source directory %s: %m", mount_entry_source(m));
|
||||||
}
|
}
|
||||||
|
|
||||||
r = chase(mount_entry_source(m), NULL, CHASE_TRAIL_SLASH|CHASE_AUTOFS, &chased, NULL);
|
r = chase(mount_entry_source(m), NULL, CHASE_TRAIL_SLASH, &chased, NULL);
|
||||||
if (r == -ENOENT && m->ignore) {
|
if (r == -ENOENT && m->ignore) {
|
||||||
log_debug_errno(r, "Path %s does not exist, ignoring.", mount_entry_source(m));
|
log_debug_errno(r, "Path %s does not exist, ignoring.", mount_entry_source(m));
|
||||||
return 0;
|
return 0;
|
||||||
@ -3434,7 +3434,7 @@ static int is_extension_overlay(const char *path, int fd) {
|
|||||||
assert(path);
|
assert(path);
|
||||||
|
|
||||||
if (fd < 0) {
|
if (fd < 0) {
|
||||||
r = chase(path, /* root= */ NULL, CHASE_TRAIL_SLASH|CHASE_MUST_BE_DIRECTORY|CHASE_AUTOFS, /* ret_path= */ NULL, &dfd);
|
r = chase(path, /* root= */ NULL, CHASE_TRAIL_SLASH|CHASE_MUST_BE_DIRECTORY, /* ret_path= */ NULL, &dfd);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
fd = dfd;
|
fd = dfd;
|
||||||
|
|||||||
@ -5622,7 +5622,7 @@ int service_determine_exec_selinux_label(Service *s, char **ret) {
|
|||||||
return -ENODATA;
|
return -ENODATA;
|
||||||
|
|
||||||
_cleanup_free_ char *path = NULL;
|
_cleanup_free_ char *path = NULL;
|
||||||
r = chase(c->path, s->exec_context.root_directory, CHASE_PREFIX_ROOT|CHASE_AUTOFS, &path, NULL);
|
r = chase(c->path, s->exec_context.root_directory, CHASE_PREFIX_ROOT, &path, NULL);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
log_unit_debug_errno(UNIT(s), r, "Failed to resolve service binary '%s', ignoring.", c->path);
|
log_unit_debug_errno(UNIT(s), r, "Failed to resolve service binary '%s', ignoring.", c->path);
|
||||||
return -ENODATA;
|
return -ENODATA;
|
||||||
|
|||||||
@ -421,7 +421,7 @@ assert_cc(sizeof(dummy_t) == 0);
|
|||||||
|
|
||||||
/* Restriction/bug (see below) was fixed in GCC 15 and clang 19. */
|
/* Restriction/bug (see below) was fixed in GCC 15 and clang 19. */
|
||||||
#if __GNUC__ >= 15 || (defined(__clang__) && __clang_major__ >= 19)
|
#if __GNUC__ >= 15 || (defined(__clang__) && __clang_major__ >= 19)
|
||||||
# define DECLARE_FLEX_ARRAY(type, name) type name[]
|
#define DECLARE_FLEX_ARRAY(type, name) type name[]
|
||||||
#else
|
#else
|
||||||
/* Declare a flexible array usable in a union.
|
/* Declare a flexible array usable in a union.
|
||||||
* This is essentially a work-around for a pointless constraint in C99
|
* This is essentially a work-around for a pointless constraint in C99
|
||||||
@ -436,22 +436,17 @@ assert_cc(sizeof(dummy_t) == 0);
|
|||||||
}
|
}
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Declare an ELF read-only string section that does not occupy memory at runtime. */
|
/* Declares an ELF read-only string section that does not occupy memory at runtime. */
|
||||||
#define DECLARE_NOALLOC_SECTION(name, text) \
|
#define DECLARE_NOALLOC_SECTION(name, text) \
|
||||||
asm(".pushsection " name ",\"S\"\n\t" \
|
asm(".pushsection " name ",\"S\"\n\t" \
|
||||||
".ascii " STRINGIFY(text) "\n\t" \
|
".ascii " STRINGIFY(text) "\n\t" \
|
||||||
".popsection\n")
|
".popsection\n")
|
||||||
|
|
||||||
/* Similar to DECLARE_NOALLOC_SECTION, but pad the section with extra 512 bytes. After taking alignment into
|
#ifdef SBAT_DISTRO
|
||||||
* account, the section has up to 1024 bytes minus the size of the original content of padding, and this
|
#define DECLARE_SBAT(text) DECLARE_NOALLOC_SECTION(".sbat", text)
|
||||||
* extra space can be used to extend the contents. This is intended for the .sbat section. */
|
#else
|
||||||
#define DECLARE_NOALLOC_SECTION_PADDED(name, text) \
|
#define DECLARE_SBAT(text)
|
||||||
assert_cc(STRLEN(text) <= 512); \
|
#endif
|
||||||
asm(".pushsection " name ",\"S\"\n\t" \
|
|
||||||
".ascii " STRINGIFY(text) "\n\t" \
|
|
||||||
".balign 512\n\t" \
|
|
||||||
".fill 512, 1, 0\n\t" \
|
|
||||||
".popsection\n")
|
|
||||||
|
|
||||||
#define typeof_field(struct_type, member) typeof(((struct_type *) 0)->member)
|
#define typeof_field(struct_type, member) typeof(((struct_type *) 0)->member)
|
||||||
#define sizeof_field(struct_type, member) sizeof(((struct_type *) 0)->member)
|
#define sizeof_field(struct_type, member) sizeof(((struct_type *) 0)->member)
|
||||||
|
|||||||
@ -12,11 +12,3 @@
|
|||||||
SBAT_PROJECT "-stub" ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n" \
|
SBAT_PROJECT "-stub" ",1,The systemd Developers," SBAT_PROJECT "," PROJECT_VERSION "," PROJECT_URL "\n" \
|
||||||
SBAT_PROJECT "-stub" "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n"
|
SBAT_PROJECT "-stub" "." SBAT_DISTRO "," STRINGIFY(SBAT_DISTRO_GENERATION) "," SBAT_DISTRO_SUMMARY "," SBAT_DISTRO_PKGNAME "," SBAT_DISTRO_VERSION "," SBAT_DISTRO_URL "\n"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#ifdef SBAT_DISTRO
|
|
||||||
# define DECLARE_SBAT(text) DECLARE_NOALLOC_SECTION(".sbat", text)
|
|
||||||
# define DECLARE_SBAT_PADDED(text) DECLARE_NOALLOC_SECTION_PADDED(".sbat", text)
|
|
||||||
#else
|
|
||||||
# define DECLARE_SBAT(text)
|
|
||||||
# define DECLARE_SBAT_PADDED(text)
|
|
||||||
#endif
|
|
||||||
|
|||||||
@ -6,7 +6,6 @@
|
|||||||
#include "dirent-util.h"
|
#include "dirent-util.h"
|
||||||
#include "escape.h"
|
#include "escape.h"
|
||||||
#include "fd-util.h"
|
#include "fd-util.h"
|
||||||
#include "hexdecoct.h"
|
|
||||||
#include "io-util.h"
|
#include "io-util.h"
|
||||||
#include "log.h"
|
#include "log.h"
|
||||||
#include "memory-util.h"
|
#include "memory-util.h"
|
||||||
@ -334,6 +333,7 @@ int pull_make_verification_jobs(
|
|||||||
|
|
||||||
static int verify_one(PullJob *checksum_job, PullJob *job) {
|
static int verify_one(PullJob *checksum_job, PullJob *job) {
|
||||||
_cleanup_free_ char *fn = NULL;
|
_cleanup_free_ char *fn = NULL;
|
||||||
|
const char *line, *p;
|
||||||
int r;
|
int r;
|
||||||
|
|
||||||
assert(checksum_job);
|
assert(checksum_job);
|
||||||
@ -366,23 +366,17 @@ static int verify_one(PullJob *checksum_job, PullJob *job) {
|
|||||||
return log_error_errno(SYNTHETIC_ERRNO(ELOOP),
|
return log_error_errno(SYNTHETIC_ERRNO(ELOOP),
|
||||||
"Cannot verify checksum/signature files via themselves.");
|
"Cannot verify checksum/signature files via themselves.");
|
||||||
|
|
||||||
const char *p = NULL;
|
line = strjoina(job->checksum, " *", fn, "\n"); /* string for binary mode */
|
||||||
FOREACH_STRING(separator,
|
p = memmem_safe(checksum_job->payload,
|
||||||
" *", /* separator for binary mode */
|
checksum_job->payload_size,
|
||||||
" ", /* separator for text mode */
|
line,
|
||||||
" " /* non-standard separator used by linuxcontainers.org */) {
|
strlen(line));
|
||||||
_cleanup_free_ char *line = NULL;
|
if (!p) {
|
||||||
|
line = strjoina(job->checksum, " ", fn, "\n"); /* string for text mode */
|
||||||
line = strjoin(job->checksum, separator, fn, "\n");
|
|
||||||
if (!line)
|
|
||||||
return log_oom();
|
|
||||||
|
|
||||||
p = memmem_safe(checksum_job->payload,
|
p = memmem_safe(checksum_job->payload,
|
||||||
checksum_job->payload_size,
|
checksum_job->payload_size,
|
||||||
line,
|
line,
|
||||||
strlen(line));
|
strlen(line));
|
||||||
if (p)
|
|
||||||
break;
|
|
||||||
}
|
}
|
||||||
|
|
||||||
/* Only counts if found at beginning of a line */
|
/* Only counts if found at beginning of a line */
|
||||||
|
|||||||
@ -2476,7 +2476,7 @@ int device_chase(sd_device *device, const char *path, ChaseFlags flags, char **r
|
|||||||
|
|
||||||
_cleanup_free_ char *resolved = NULL;
|
_cleanup_free_ char *resolved = NULL;
|
||||||
_cleanup_close_ int fd = -EBADF;
|
_cleanup_close_ int fd = -EBADF;
|
||||||
r = chase(path, /* root = */ NULL, flags, &resolved, ret_fd ? &fd : NULL);
|
r = chase(path, /* root = */ NULL, CHASE_NO_AUTOFS | flags, &resolved, ret_fd ? &fd : NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return r;
|
return r;
|
||||||
|
|
||||||
|
|||||||
@ -91,7 +91,7 @@ static int parse_where(const char *input, char **ret_where) {
|
|||||||
assert(ret_where);
|
assert(ret_where);
|
||||||
|
|
||||||
if (arg_transport == BUS_TRANSPORT_LOCAL && arg_canonicalize) {
|
if (arg_transport == BUS_TRANSPORT_LOCAL && arg_canonicalize) {
|
||||||
r = chase(input, /* root= */ NULL, CHASE_NONEXISTENT|CHASE_AUTOFS, ret_where, /* ret_fd= */ NULL);
|
r = chase(input, /* root= */ NULL, CHASE_NONEXISTENT, ret_where, /* ret_fd= */ NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to make path %s absolute: %m", input);
|
return log_error_errno(r, "Failed to make path %s absolute: %m", input);
|
||||||
} else {
|
} else {
|
||||||
@ -476,7 +476,7 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if (arg_transport == BUS_TRANSPORT_LOCAL && arg_canonicalize) {
|
if (arg_transport == BUS_TRANSPORT_LOCAL && arg_canonicalize) {
|
||||||
r = chase(p, /* root= */ NULL, CHASE_AUTOFS, &arg_mount_what, /* ret_fd= */ NULL);
|
r = chase(p, /* root= */ NULL, /* flags= */ 0, &arg_mount_what, /* ret_fd= */ NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to chase path '%s': %m", p);
|
return log_error_errno(r, "Failed to chase path '%s': %m", p);
|
||||||
} else {
|
} else {
|
||||||
@ -1103,7 +1103,7 @@ static int action_umount(sd_bus *bus, int argc, char **argv) {
|
|||||||
return log_oom();
|
return log_oom();
|
||||||
|
|
||||||
_cleanup_close_ int fd = -EBADF;
|
_cleanup_close_ int fd = -EBADF;
|
||||||
r = chase(u, /* root= */ NULL, CHASE_AUTOFS, &p, &fd);
|
r = chase(u, /* root= */ NULL, 0, &p, &fd);
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
RET_GATHER(ret, log_error_errno(r, "Failed to chase path '%s': %m", u));
|
RET_GATHER(ret, log_error_errno(r, "Failed to chase path '%s': %m", u));
|
||||||
continue;
|
continue;
|
||||||
|
|||||||
@ -176,7 +176,7 @@ static int verify_trusted_image_fd_by_path(int fd) {
|
|||||||
struct stat stb;
|
struct stat stb;
|
||||||
const char *e;
|
const char *e;
|
||||||
|
|
||||||
r = chase(s, NULL, CHASE_SAFE|CHASE_AUTOFS, &q, &dir_fd);
|
r = chase(s, NULL, CHASE_SAFE, &q, &dir_fd);
|
||||||
if (r == -ENOENT)
|
if (r == -ENOENT)
|
||||||
continue;
|
continue;
|
||||||
if (r < 0) {
|
if (r < 0) {
|
||||||
@ -194,7 +194,7 @@ static int verify_trusted_image_fd_by_path(int fd) {
|
|||||||
if (!filename_is_valid(e))
|
if (!filename_is_valid(e))
|
||||||
continue;
|
continue;
|
||||||
|
|
||||||
r = chaseat(dir_fd, e, CHASE_SAFE|CHASE_AUTOFS, NULL, &inode_fd);
|
r = chaseat(dir_fd, e, CHASE_SAFE, NULL, &inode_fd);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Couldn't verify that specified image '%s' is in search path '%s': %m", p, s);
|
return log_error_errno(r, "Couldn't verify that specified image '%s' is in search path '%s': %m", p, s);
|
||||||
|
|
||||||
|
|||||||
@ -4713,12 +4713,12 @@ int mountfsd_mount_directory(
|
|||||||
|
|
||||||
r = sd_varlink_push_dup_fd(vl, directory_fd);
|
r = sd_varlink_push_dup_fd(vl, directory_fd);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to push directory fd into varlink connection: %m");
|
return log_error_errno(r, "Failed to push image fd into varlink connection: %m");
|
||||||
|
|
||||||
if (userns_fd >= 0) {
|
if (userns_fd >= 0) {
|
||||||
r = sd_varlink_push_dup_fd(vl, userns_fd);
|
r = sd_varlink_push_dup_fd(vl, userns_fd);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to push user namespace fd into varlink connection: %m");
|
return log_error_errno(r, "Failed to push image fd into varlink connection: %m");
|
||||||
}
|
}
|
||||||
|
|
||||||
sd_json_variant *reply = NULL;
|
sd_json_variant *reply = NULL;
|
||||||
|
|||||||
@ -371,7 +371,7 @@ static int verify_esp(
|
|||||||
/* Non-root user can only check the status, so if an error occurred in the following, it does not cause any
|
/* Non-root user can only check the status, so if an error occurred in the following, it does not cause any
|
||||||
* issues. Let's also, silence the error messages. */
|
* issues. Let's also, silence the error messages. */
|
||||||
|
|
||||||
r = chaseat(rfd, path, CHASE_AT_RESOLVE_IN_ROOT|CHASE_PARENT|CHASE_AUTOFS, &p, &pfd);
|
r = chaseat(rfd, path, CHASE_AT_RESOLVE_IN_ROOT|CHASE_PARENT, &p, &pfd);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_full_errno((searching && r == -ENOENT) ||
|
return log_full_errno((searching && r == -ENOENT) ||
|
||||||
(unprivileged_mode && ERRNO_IS_PRIVILEGE(r)) ? LOG_DEBUG : LOG_ERR,
|
(unprivileged_mode && ERRNO_IS_PRIVILEGE(r)) ? LOG_DEBUG : LOG_ERR,
|
||||||
@ -492,7 +492,7 @@ int find_esp_and_warn_at(
|
|||||||
"$SYSTEMD_ESP_PATH does not refer to an absolute path, refusing to use it: %s",
|
"$SYSTEMD_ESP_PATH does not refer to an absolute path, refusing to use it: %s",
|
||||||
path);
|
path);
|
||||||
|
|
||||||
r = chaseat(rfd, path, CHASE_AT_RESOLVE_IN_ROOT|CHASE_AUTOFS, &p, &fd);
|
r = chaseat(rfd, path, CHASE_AT_RESOLVE_IN_ROOT, &p, &fd);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to resolve path %s: %m", path);
|
return log_error_errno(r, "Failed to resolve path %s: %m", path);
|
||||||
|
|
||||||
@ -766,7 +766,7 @@ static int verify_xbootldr(
|
|||||||
assert(rfd >= 0 || rfd == AT_FDCWD);
|
assert(rfd >= 0 || rfd == AT_FDCWD);
|
||||||
assert(path);
|
assert(path);
|
||||||
|
|
||||||
r = chaseat(rfd, path, CHASE_AT_RESOLVE_IN_ROOT|CHASE_PARENT|CHASE_AUTOFS, &p, &pfd);
|
r = chaseat(rfd, path, CHASE_AT_RESOLVE_IN_ROOT|CHASE_PARENT, &p, &pfd);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_full_errno((searching && r == -ENOENT) ||
|
return log_full_errno((searching && r == -ENOENT) ||
|
||||||
(unprivileged_mode && ERRNO_IS_PRIVILEGE(r)) ? LOG_DEBUG : LOG_ERR,
|
(unprivileged_mode && ERRNO_IS_PRIVILEGE(r)) ? LOG_DEBUG : LOG_ERR,
|
||||||
@ -844,7 +844,7 @@ int find_xbootldr_and_warn_at(
|
|||||||
"$SYSTEMD_XBOOTLDR_PATH does not refer to an absolute path, refusing to use it: %s",
|
"$SYSTEMD_XBOOTLDR_PATH does not refer to an absolute path, refusing to use it: %s",
|
||||||
path);
|
path);
|
||||||
|
|
||||||
r = chaseat(rfd, path, CHASE_AT_RESOLVE_IN_ROOT|CHASE_AUTOFS, &p, &fd);
|
r = chaseat(rfd, path, CHASE_AT_RESOLVE_IN_ROOT, &p, &fd);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to resolve path %s: %m", p);
|
return log_error_errno(r, "Failed to resolve path %s: %m", p);
|
||||||
|
|
||||||
|
|||||||
@ -105,7 +105,6 @@ static SD_VARLINK_DEFINE_METHOD(
|
|||||||
SD_VARLINK_DEFINE_INPUT(parentFileDescriptor, SD_VARLINK_INT, 0),
|
SD_VARLINK_DEFINE_INPUT(parentFileDescriptor, SD_VARLINK_INT, 0),
|
||||||
SD_VARLINK_FIELD_COMMENT("Name of the directory to create."),
|
SD_VARLINK_FIELD_COMMENT("Name of the directory to create."),
|
||||||
SD_VARLINK_DEFINE_INPUT(name, SD_VARLINK_STRING, 0),
|
SD_VARLINK_DEFINE_INPUT(name, SD_VARLINK_STRING, 0),
|
||||||
VARLINK_DEFINE_POLKIT_INPUT,
|
|
||||||
SD_VARLINK_FIELD_COMMENT("File descriptor referencing the newly created directory."),
|
SD_VARLINK_FIELD_COMMENT("File descriptor referencing the newly created directory."),
|
||||||
SD_VARLINK_DEFINE_OUTPUT(directoryFileDescriptor, SD_VARLINK_INT, 0));
|
SD_VARLINK_DEFINE_OUTPUT(directoryFileDescriptor, SD_VARLINK_INT, 0));
|
||||||
|
|
||||||
|
|||||||
@ -660,7 +660,7 @@ int resource_resolve_path(
|
|||||||
_cleanup_free_ char *resolved = NULL;
|
_cleanup_free_ char *resolved = NULL;
|
||||||
struct stat st;
|
struct stat st;
|
||||||
|
|
||||||
r = chase(rr->path, root, CHASE_PREFIX_ROOT|CHASE_AUTOFS, &resolved, &fd);
|
r = chase(rr->path, root, CHASE_PREFIX_ROOT, &resolved, &fd);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to resolve '%s': %m", rr->path);
|
return log_error_errno(r, "Failed to resolve '%s': %m", rr->path);
|
||||||
|
|
||||||
@ -697,7 +697,7 @@ int resource_resolve_path(
|
|||||||
|
|
||||||
} else if (RESOURCE_IS_FILESYSTEM(rr->type)) {
|
} else if (RESOURCE_IS_FILESYSTEM(rr->type)) {
|
||||||
_cleanup_free_ char *resolved = NULL, *relative_to = NULL;
|
_cleanup_free_ char *resolved = NULL, *relative_to = NULL;
|
||||||
ChaseFlags chase_flags = CHASE_NONEXISTENT | CHASE_PREFIX_ROOT | CHASE_AUTOFS;
|
ChaseFlags chase_flags = CHASE_NONEXISTENT | CHASE_PREFIX_ROOT;
|
||||||
|
|
||||||
if (rr->path_relative_to == PATH_RELATIVE_TO_EXPLICIT) {
|
if (rr->path_relative_to == PATH_RELATIVE_TO_EXPLICIT) {
|
||||||
assert(relative_to_directory);
|
assert(relative_to_directory);
|
||||||
|
|||||||
@ -1498,7 +1498,7 @@ int transfer_install_instance(
|
|||||||
assert_not_reached();
|
assert_not_reached();
|
||||||
|
|
||||||
if (resolve_link_path && root) {
|
if (resolve_link_path && root) {
|
||||||
r = chase(link_path, root, CHASE_PREFIX_ROOT|CHASE_NONEXISTENT|CHASE_AUTOFS, &resolved, NULL);
|
r = chase(link_path, root, CHASE_PREFIX_ROOT|CHASE_NONEXISTENT, &resolved, NULL);
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
return log_error_errno(r, "Failed to resolve current symlink path '%s': %m", link_path);
|
return log_error_errno(r, "Failed to resolve current symlink path '%s': %m", link_path);
|
||||||
|
|
||||||
|
|||||||
@ -1557,7 +1557,7 @@ static int verb_components(int argc, char **argv, void *userdata) {
|
|||||||
_cleanup_closedir_ DIR *d = NULL;
|
_cleanup_closedir_ DIR *d = NULL;
|
||||||
_cleanup_free_ char *p = NULL;
|
_cleanup_free_ char *p = NULL;
|
||||||
|
|
||||||
r = chase_and_opendir(*i, arg_root, CHASE_PREFIX_ROOT|CHASE_AUTOFS, &p, &d);
|
r = chase_and_opendir(*i, arg_root, CHASE_PREFIX_ROOT, &p, &d);
|
||||||
if (r == -ENOENT)
|
if (r == -ENOENT)
|
||||||
continue;
|
continue;
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
|
|||||||
@ -24,7 +24,7 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
|
|
||||||
{ "prefix-root", no_argument, NULL, CHASE_PREFIX_ROOT },
|
{ "prefix-root", no_argument, NULL, CHASE_PREFIX_ROOT },
|
||||||
{ "nonexistent", no_argument, NULL, CHASE_NONEXISTENT },
|
{ "nonexistent", no_argument, NULL, CHASE_NONEXISTENT },
|
||||||
{ "autofs", no_argument, NULL, CHASE_AUTOFS },
|
{ "no_autofs", no_argument, NULL, CHASE_NO_AUTOFS },
|
||||||
{ "safe", no_argument, NULL, CHASE_SAFE },
|
{ "safe", no_argument, NULL, CHASE_SAFE },
|
||||||
{ "trail-slash", no_argument, NULL, CHASE_TRAIL_SLASH },
|
{ "trail-slash", no_argument, NULL, CHASE_TRAIL_SLASH },
|
||||||
{ "step", no_argument, NULL, CHASE_STEP },
|
{ "step", no_argument, NULL, CHASE_STEP },
|
||||||
@ -60,7 +60,7 @@ static int parse_argv(int argc, char *argv[]) {
|
|||||||
|
|
||||||
case CHASE_PREFIX_ROOT:
|
case CHASE_PREFIX_ROOT:
|
||||||
case CHASE_NONEXISTENT:
|
case CHASE_NONEXISTENT:
|
||||||
case CHASE_AUTOFS:
|
case CHASE_NO_AUTOFS:
|
||||||
case CHASE_SAFE:
|
case CHASE_SAFE:
|
||||||
case CHASE_TRAIL_SLASH:
|
case CHASE_TRAIL_SLASH:
|
||||||
case CHASE_STEP:
|
case CHASE_STEP:
|
||||||
|
|||||||
@ -1082,7 +1082,7 @@ static int path_open_parent_safe(const char *path, bool allow_failure) {
|
|||||||
path,
|
path,
|
||||||
allow_failure ? ", ignoring" : "");
|
allow_failure ? ", ignoring" : "");
|
||||||
|
|
||||||
r = chase(dn, arg_root, allow_failure ? CHASE_SAFE|CHASE_AUTOFS : CHASE_SAFE|CHASE_WARN|CHASE_AUTOFS, NULL, &fd);
|
r = chase(dn, arg_root, allow_failure ? CHASE_SAFE : CHASE_SAFE|CHASE_WARN, NULL, &fd);
|
||||||
if (r == -ENOLINK) /* Unsafe symlink: already covered by CHASE_WARN */
|
if (r == -ENOLINK) /* Unsafe symlink: already covered by CHASE_WARN */
|
||||||
return r;
|
return r;
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
@ -1107,7 +1107,7 @@ static int path_open_safe(const char *path) {
|
|||||||
if (!path_is_normalized(path))
|
if (!path_is_normalized(path))
|
||||||
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to open invalid path '%s'.", path);
|
return log_error_errno(SYNTHETIC_ERRNO(EINVAL), "Failed to open invalid path '%s'.", path);
|
||||||
|
|
||||||
r = chase(path, arg_root, CHASE_SAFE|CHASE_WARN|CHASE_NOFOLLOW|CHASE_AUTOFS, NULL, &fd);
|
r = chase(path, arg_root, CHASE_SAFE|CHASE_WARN|CHASE_NOFOLLOW, NULL, &fd);
|
||||||
if (r == -ENOLINK)
|
if (r == -ENOLINK)
|
||||||
return r; /* Unsafe symlink: already covered by CHASE_WARN */
|
return r; /* Unsafe symlink: already covered by CHASE_WARN */
|
||||||
if (r < 0)
|
if (r < 0)
|
||||||
@ -2162,7 +2162,7 @@ static int empty_directory(
|
|||||||
assert(i);
|
assert(i);
|
||||||
assert(i->type == EMPTY_DIRECTORY);
|
assert(i->type == EMPTY_DIRECTORY);
|
||||||
|
|
||||||
r = chase(path, arg_root, CHASE_SAFE|CHASE_WARN|CHASE_AUTOFS, NULL, &fd);
|
r = chase(path, arg_root, CHASE_SAFE|CHASE_WARN, NULL, &fd);
|
||||||
if (r == -ENOLINK) /* Unsafe symlink: already covered by CHASE_WARN */
|
if (r == -ENOLINK) /* Unsafe symlink: already covered by CHASE_WARN */
|
||||||
return r;
|
return r;
|
||||||
if (r == -ENOENT) {
|
if (r == -ENOENT) {
|
||||||
@ -2406,7 +2406,7 @@ static int create_symlink(Context *c, Item *i) {
|
|||||||
assert(i);
|
assert(i);
|
||||||
|
|
||||||
if (i->ignore_if_target_missing) {
|
if (i->ignore_if_target_missing) {
|
||||||
r = chase(i->argument, arg_root, CHASE_SAFE|CHASE_PREFIX_ROOT|CHASE_NOFOLLOW|CHASE_AUTOFS, /* ret_path = */ NULL, /* ret_fd = */ NULL);
|
r = chase(i->argument, arg_root, CHASE_SAFE|CHASE_PREFIX_ROOT|CHASE_NOFOLLOW, /* ret_path = */ NULL, /* ret_fd = */ NULL);
|
||||||
if (r == -ENOENT) {
|
if (r == -ENOENT) {
|
||||||
/* Silently skip over lines where the source file is missing. */
|
/* Silently skip over lines where the source file is missing. */
|
||||||
log_info("Symlink source path '%s/%s' does not exist, skipping line.",
|
log_info("Symlink source path '%s/%s' does not exist, skipping line.",
|
||||||
@ -3232,7 +3232,7 @@ static int process_item(
|
|||||||
path = _path;
|
path = _path;
|
||||||
}
|
}
|
||||||
|
|
||||||
r = chase(path, arg_root, CHASE_NONEXISTENT|CHASE_WARN|CHASE_AUTOFS, NULL, NULL);
|
r = chase(path, arg_root, CHASE_NO_AUTOFS|CHASE_NONEXISTENT|CHASE_WARN, NULL, NULL);
|
||||||
if (r == -EREMOTE) {
|
if (r == -EREMOTE) {
|
||||||
log_notice_errno(r, "Skipping %s", i->path); /* We log the configured path, to not confuse the user. */
|
log_notice_errno(r, "Skipping %s", i->path); /* We log the configured path, to not confuse the user. */
|
||||||
return 0;
|
return 0;
|
||||||
|
|||||||
@ -943,10 +943,10 @@ def pe_add_sections(opts: UkifyConfig, uki: UKI, output: str) -> None:
|
|||||||
pe.FILE_HEADER.NumberOfSymbols = 0
|
pe.FILE_HEADER.NumberOfSymbols = 0
|
||||||
pe.FILE_HEADER.IMAGE_FILE_LOCAL_SYMS_STRIPPED = True
|
pe.FILE_HEADER.IMAGE_FILE_LOCAL_SYMS_STRIPPED = True
|
||||||
|
|
||||||
|
# Old stubs might have been stripped, leading to unaligned raw data values, so let's fix them up here.
|
||||||
# pylint thinks that Structure doesn't have various members that it has…
|
# pylint thinks that Structure doesn't have various members that it has…
|
||||||
# pylint: disable=no-member
|
# pylint: disable=no-member
|
||||||
|
|
||||||
# Old stubs might have been stripped, leading to unaligned raw data values, so let's fix them up here.
|
|
||||||
for i, section in enumerate(pe.sections):
|
for i, section in enumerate(pe.sections):
|
||||||
oldp = section.PointerToRawData
|
oldp = section.PointerToRawData
|
||||||
oldsz = section.SizeOfRawData
|
oldsz = section.SizeOfRawData
|
||||||
@ -1045,18 +1045,16 @@ def pe_add_sections(opts: UkifyConfig, uki: UKI, output: str) -> None:
|
|||||||
for i, s in enumerate(pe.sections[:n_original_sections]):
|
for i, s in enumerate(pe.sections[:n_original_sections]):
|
||||||
if pe_strip_section_name(s.Name) == section.name and section.name != '.dtbauto':
|
if pe_strip_section_name(s.Name) == section.name and section.name != '.dtbauto':
|
||||||
if new_section.Misc_VirtualSize > s.SizeOfRawData:
|
if new_section.Misc_VirtualSize > s.SizeOfRawData:
|
||||||
raise PEError(
|
raise PEError(f'Not enough space in existing section {section.name} to append new data')
|
||||||
f'Not enough space in existing section {section.name} to append new data'
|
|
||||||
f' (need {new_section.Misc_VirtualSize}, have {s.SizeOfRawData})'
|
|
||||||
)
|
|
||||||
|
|
||||||
padding = bytes(s.SizeOfRawData - new_section.Misc_VirtualSize)
|
padding = bytes(new_section.SizeOfRawData - new_section.Misc_VirtualSize)
|
||||||
pe.__data__ = (
|
pe.__data__ = (
|
||||||
pe.__data__[: s.PointerToRawData]
|
pe.__data__[: s.PointerToRawData]
|
||||||
+ data
|
+ data
|
||||||
+ padding
|
+ padding
|
||||||
+ pe.__data__[pe.sections[i + 1].PointerToRawData :]
|
+ pe.__data__[pe.sections[i + 1].PointerToRawData :]
|
||||||
)
|
)
|
||||||
|
s.SizeOfRawData = new_section.SizeOfRawData
|
||||||
s.Misc_VirtualSize = new_section.Misc_VirtualSize
|
s.Misc_VirtualSize = new_section.Misc_VirtualSize
|
||||||
break
|
break
|
||||||
else:
|
else:
|
||||||
@ -1150,12 +1148,10 @@ def merge_sbat(input_pe: list[Path], input_text: list[str]) -> str:
|
|||||||
continue
|
continue
|
||||||
sbat += split[1:]
|
sbat += split[1:]
|
||||||
|
|
||||||
return '\n'.join(
|
return (
|
||||||
(
|
'sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md\n'
|
||||||
'sbat,1,SBAT Version,sbat,1,https://github.com/rhboot/shim/blob/main/SBAT.md',
|
+ '\n'.join(sbat)
|
||||||
*sbat,
|
+ '\n\x00'
|
||||||
'', # an empty line so that we end up with a newline at the end
|
|
||||||
)
|
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
@ -1419,11 +1415,11 @@ def make_uki(opts: UkifyConfig) -> None:
|
|||||||
for section in opts.sections:
|
for section in opts.sections:
|
||||||
uki.add_section(section)
|
uki.add_section(section)
|
||||||
|
|
||||||
# Don't add an .sbat section to profile PE binaries.
|
# Don't add a sbat section to profile PE binaries.
|
||||||
if (opts.join_profiles or not opts.profile) and not opts.pcrsig:
|
if (opts.join_profiles or not opts.profile) and not opts.pcrsig:
|
||||||
if linux is not None:
|
if linux is not None:
|
||||||
# Merge the .sbat sections from stub, kernel, and parameter, so
|
# Merge the .sbat sections from stub, kernel and parameter, so that revocation can be done on
|
||||||
# that revocation can be done on either.
|
# either.
|
||||||
input_pes = [opts.stub, linux]
|
input_pes = [opts.stub, linux]
|
||||||
if not opts.sbat:
|
if not opts.sbat:
|
||||||
opts.sbat = [STUB_SBAT]
|
opts.sbat = [STUB_SBAT]
|
||||||
|
|||||||
@ -89,11 +89,6 @@ prepare_root() {
|
|||||||
echo "VERSION=1.2.3"
|
echo "VERSION=1.2.3"
|
||||||
} >"$root/usr/lib/os-release"
|
} >"$root/usr/lib/os-release"
|
||||||
|
|
||||||
if [[ -e $root/etc/os-release ]] && [[ ! -L $root/etc/os-release ]]; then
|
|
||||||
mv "$root/etc/os-release" "$root/etc/os-release.orig"
|
|
||||||
cp "$root/usr/lib/os-release" "$root/etc/os-release"
|
|
||||||
fi
|
|
||||||
|
|
||||||
prepend_trap "cleanup_os_release ${root@Q}"
|
prepend_trap "cleanup_os_release ${root@Q}"
|
||||||
}
|
}
|
||||||
|
|
||||||
@ -108,11 +103,6 @@ cleanup_os_release() {
|
|||||||
# shellcheck disable=SC2317 # It is not unreachable, used in a trap couple lines above.
|
# shellcheck disable=SC2317 # It is not unreachable, used in a trap couple lines above.
|
||||||
mv "$root/usr/lib/os-release.orig" "$root/usr/lib/os-release"
|
mv "$root/usr/lib/os-release.orig" "$root/usr/lib/os-release"
|
||||||
fi
|
fi
|
||||||
# shellcheck disable=SC2317 # It is not unreachable, used in a trap couple lines above.
|
|
||||||
if [[ -e $root/etc/os-release.orig ]]; then
|
|
||||||
# shellcheck disable=SC2317 # It is not unreachable, used in a trap couple lines above.
|
|
||||||
mv "$root/etc/os-release.orig" "$root/etc/os-release"
|
|
||||||
fi
|
|
||||||
}
|
}
|
||||||
|
|
||||||
prepare_extension_image() {
|
prepare_extension_image() {
|
||||||
|
|||||||
@ -46,18 +46,3 @@ userdbctl user 65534 -j | userdbctl -F- user | cmp - <(userdbctl user 65534)
|
|||||||
userdbctl group root -j | userdbctl -F- group | cmp - <(userdbctl group root)
|
userdbctl group root -j | userdbctl -F- group | cmp - <(userdbctl group root)
|
||||||
userdbctl group systemd-network -j | userdbctl -F- group | cmp - <(userdbctl group systemd-network)
|
userdbctl group systemd-network -j | userdbctl -F- group | cmp - <(userdbctl group systemd-network)
|
||||||
userdbctl group 65534 -j | userdbctl -F- group | cmp - <(userdbctl group 65534)
|
userdbctl group 65534 -j | userdbctl -F- group | cmp - <(userdbctl group 65534)
|
||||||
|
|
||||||
# Ensure NSS doesn't try to automount via open_tree
|
|
||||||
if [[ ! -v ASAN_OPTIONS ]]; then
|
|
||||||
systemctl stop systemd-userdbd.socket systemd-userdbd.service
|
|
||||||
set +o pipefail
|
|
||||||
systemd-run -q -t --property SystemCallFilter=~open_tree id definitelynotarealuser | grep -q "no such user"
|
|
||||||
systemd-run -q -t --property SystemCallFilter=~open_tree id --groups definitelynotarealuser | grep -q "no such user"
|
|
||||||
systemd-run -q -t --property SystemCallFilter=~open_tree groups definitelynotarealuser | grep -q "no such user"
|
|
||||||
set -o pipefail
|
|
||||||
# getent shows no output when the entry is not found, but exists with 2, while sd-run crashing will exit
|
|
||||||
# with 1
|
|
||||||
assert_rc 2 systemd-run -q -t --property SystemCallFilter=~open_tree getent passwd definitelynotarealuser
|
|
||||||
assert_rc 2 systemd-run -q -t --property SystemCallFilter=~open_tree getent group definitelynotarealgroup
|
|
||||||
systemctl start systemd-userdbd.socket systemd-userdbd.service
|
|
||||||
fi
|
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user